Amazon Virtual Private Cloud (VPC)

Posted on 28-Aug-2014


Category: Software


DESCRIPTION

An introduction to Amazon VPC

Transcript

Amazon VPC
Encored Technologies, Inc.

Jonghan Seo (jhseo@encoredtech.com)

About Amazon VPC
● Virtual Private Cloud
● Virtual network dedicated to an AWS account
● Price
  ○ No additional charge for VPC itself

VPC
● Logically isolated from other VPCs in AWS
● To ‘configure’ a VPC:
  ○ selecting the IP address range
  ○ creating subnets
  ○ configuring network gateways
  ○ configuring route tables
  ○ configuring security settings

Subnet
● a range of IP addresses in the VPC
● public/private subnet
  ○ Internet Gateway (IGW)
  ○ public subnet
    ■ routed to the IGW
  ○ private subnet
    ■ not routed to the IGW
    ■ can send requests to the internet through Network Address Translation (NAT)

Security
● Security Group
● Network Access Control List (ACL)

VPC Example

Configuring VPC
● CIDR (Classless Inter-Domain Routing)
● examples
  ○ 192.168.123.123 → 192.168.123.123/32
  ○ 192.168.10.* → 192.168.10.0/24
  ○ *.*.*.* → 0.0.0.0/0
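The three CIDR examples on this slide, worked through in code. This is an added example, not part of the original slide deck: it converts the wildcard notation used above into CIDR prefixes with the standard library ipaddress module, and goes one step further than the slide by carving subnet ranges out of a VPC range and checking that they do not overlap, which is the check you want before creating subnets in the console. The VPC range 10.0.0.0/16 and the sample subnets are constructed values.

```python
import ipaddress


def cidr_from_wildcard(pattern):
    """Convert 'a.b.c.*'-style notation into CIDR.

    Each trailing '*' octet widens the network by 8 bits; a fully
    specified address becomes a /32 and '*.*.*.*' becomes 0.0.0.0/0.
    """
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 pattern: {pattern!r}")
    wild = 0
    for octet in reversed(octets):
        if octet != "*":
            break
        wild += 1
    if "*" in octets[: 4 - wild]:
        raise ValueError(f"wildcard octets must be trailing: {pattern!r}")
    fixed = [o if o != "*" else "0" for o in octets]
    prefix = 32 - 8 * wild
    # strict=True rejects host bits set inside the mask, e.g. 192.168.10.5/24
    return str(ipaddress.ip_network(f"{'.'.join(fixed)}/{prefix}", strict=True))


def contains(cidr, address):
    """True if `address` falls inside the CIDR block."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr)


def carve_subnets(vpc_cidr, subnet_prefix, count):
    """Return the first `count` blocks of size /subnet_prefix inside the VPC range.

    Subnet ranges must be drawn from the VPC's own CIDR, so this is the
    allocation step that precedes 'Creating Subnets' on the next slides.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    candidates = list(vpc.subnets(new_prefix=subnet_prefix))
    if count > len(candidates):
        raise ValueError(f"{vpc} holds only {len(candidates)} /{subnet_prefix} subnets")
    return [str(s) for s in candidates[:count]]


def overlapping(cidrs):
    """Pairs of ranges that overlap; subnets inside one VPC must not."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]


if __name__ == "__main__":
    for pattern in ("192.168.123.123", "192.168.10.*", "*.*.*.*"):
        print(f"{pattern:>16} -> {cidr_from_wildcard(pattern)}")
    # Constructed VPC range: two /24 subnets carved from a /16.
    print(carve_subnets("10.0.0.0/16", 24, 2))
    print(overlapping(["10.0.0.0/24", "10.0.0.128/25", "10.0.1.0/24"]))
```

Note that `0.0.0.0/0` matches every address, which is why it appears as the "anywhere" destination in route tables and the "anywhere" source in security group rules later in this deck; `contains("0.0.0.0/0", ...)` is always true.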

Configuring VPC
● Creating a VPC in an AWS region
  ○ Selecting the IP address range for the VPC

Configuring VPC
● Creating Subnets
  ○ Selecting an IP address range for each subnet

Configuring VPC
● Configuring network gateways
  ○ IGW, VGW

Configuring VPC
● Configuring route tables (a public subnet)

Configuring VPC
● Configuring route tables (a private subnet)

Configuring VPC
● Configuring network settings (ACL)

Security in VPC
● Specifying allow/deny rules in terms of IPs and ports for inbound/outbound traffic
● Two features
  ○ Security Group (SG)
  ○ Network Access Control List (ACL)

Security in VPC
● SG vs. ACL

Security in VPC

Security in VPC (ACL)

Security in VPC (ACL)
● ACL recommendations
  ○ Scenario 1
    ■ single subnet
    ■ receives and sends internet traffic
  ○ Scenario 2
    ■ public and private subnets
    ■ public subnet: receives and sends internet traffic
    ■ private subnet: only initiates traffic to the internet through NAT
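The SG vs. ACL comparison and the Scenario 1 recommendation above come down to one difference: a security group is stateful and a network ACL is stateless. The added example below is not from the slides; it simulates both evaluators on constructed packets so the difference is visible. An ACL that only allows inbound port 80 drops the web server's replies, because the reply leaves on an ephemeral port that no outbound rule covers, while a security group with the same single inbound rule lets the reply through as tracked return traffic. It also shows that ACL rules are evaluated in ascending rule number with the first match winning, so a lower-numbered deny shadows a later allow. The addresses, rule numbers and the empty outbound rule sets are constructed for the demonstration (a real default security group allows all outbound traffic).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AclRule:
    number: int      # evaluation order, lowest first
    proto: str       # "tcp", "udp" or "all"
    cidr: str        # source CIDR (inbound) or destination CIDR (outbound)
    port_from: int   # destination port range of the packet
    port_to: int
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    proto: str
    cidr: str
    port_from: int
    port_to: int     # security group rules can only allow


def _match(proto, cidr, port_from, port_to, remote, dport, pkt_proto):
    """Protocol, remote-address-in-CIDR and destination-port-range check."""
    if proto != "all" and proto != pkt_proto:
        return False
    if ipaddress.ip_address(remote) not in ipaddress.ip_network(cidr):
        return False
    return port_from <= dport <= port_to


def _flow_key(direction, pkt):
    """(remote address, remote port, local port): identical for a packet and its reply."""
    if direction == "in":
        return pkt.src, pkt.sport, pkt.dport
    return pkt.dst, pkt.dport, pkt.sport


class NetworkAcl:
    """Stateless, subnet level: first matching rule by number decides, else the '*' rule denies."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, direction, pkt):
        remote = _flow_key(direction, pkt)[0]
        for r in (self.inbound if direction == "in" else self.outbound):
            if _match(r.proto, r.cidr, r.port_from, r.port_to, remote, pkt.dport, pkt.proto):
                return r.action == "allow"
        return False  # implicit deny, no rule matched


class SecurityGroup:
    """Stateful, instance level: a flow admitted one way gets its replies back without a rule."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._flows = set()

    def evaluate(self, direction, pkt):
        key = _flow_key(direction, pkt)
        if key in self._flows:
            return True  # tracked reply traffic
        rules = self.inbound if direction == "in" else self.outbound
        if any(_match(r.proto, r.cidr, r.port_from, r.port_to, key[0], pkt.dport, pkt.proto)
               for r in rules):
            self._flows.add(key)
            return True
        return False


def scenario_1():
    """Single subnet web server (constructed 10.0.0.10) receiving a request from the internet."""
    request = Packet(src="203.0.113.7", sport=50123, dst="10.0.0.10", dport=80)
    reply = Packet(src="10.0.0.10", sport=80, dst="203.0.113.7", dport=50123)
    allow_80 = AclRule(100, "tcp", "0.0.0.0/0", 80, 80, "allow")
    ephemeral_out = AclRule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")

    naive_acl = NetworkAcl(inbound=[allow_80], outbound=[])
    full_acl = NetworkAcl(inbound=[allow_80], outbound=[ephemeral_out])
    shadowed_acl = NetworkAcl(
        inbound=[allow_80, AclRule(90, "tcp", "203.0.113.0/24", 80, 80, "deny")],
        outbound=[ephemeral_out])
    sg = SecurityGroup(inbound=[SgRule("tcp", "0.0.0.0/0", 80, 80)], outbound=[])
    unrelated_out = Packet(src="10.0.0.10", sport=40000, dst="198.51.100.9", dport=443)
    return {
        "naive_acl": (naive_acl.evaluate("in", request), naive_acl.evaluate("out", reply)),
        "full_acl": (full_acl.evaluate("in", request), full_acl.evaluate("out", reply)),
        "shadowed_acl": shadowed_acl.evaluate("in", request),
        "sg": (sg.evaluate("in", request), sg.evaluate("out", reply)),
        "sg_new_outbound": sg.evaluate("out", unrelated_out),
    }


if __name__ == "__main__":
    for name, result in scenario_1().items():
        print(f"{name:>16}: {result}")
```

The `full_acl` rule set is the shape of the Scenario 1 recommendation: inbound allows on the service ports plus an outbound allow on the ephemeral range so replies can leave. The `sg_new_outbound` result shows the other side of statefulness: connection tracking only covers replies, so a new outbound connection still needs its own rule.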

Networking in VPC
● IP address
  ○ private IP
    ■ all instances have a primary private IP
    ■ an instance can have multiple secondary private IP addresses
  ○ public IP
    ■ an instance optionally has a public IP
    ■ assigned from Amazon’s pool of IPs (not from an AWS account’s), so it is not persistent
    ■ to assign a persistent public IP: EIP (Elastic IP address)

Networking in VPC
● Elastic IP Addresses (EIP)
  ○ a static public IP address
  ○ can be associated with any instance or network interface in the VPC
  ○ a sort of “my own pool” of public IPs
  ○ lifecycle: allocating an EIP in the VPC → associating the EIP with a running instance in the VPC → disassociating the EIP → releasing the EIP

Networking in VPC
● Elastic Network Interface (ENI)
  ○ a sort of (virtual) ethernet card
  ○ attributes:
    ■ a primary private IP
    ■ one or more secondary private IPs
    ■ one EIP per private IP
    ■ one public IP
    ■ one or more SGs
    ■ a MAC address
    ■ a source/destination check flag
    ■ a description

Networking in VPC
● route table
  ○ subnet : route table = n : 1
  ○ main/custom route table
  ○ http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html

Networking in VPC
● Adding an IGW
  ○ Creating a Subnet
  ○ Attaching an IGW
  ○ Creating a Custom Route Table
    ■ adding a custom route rule, ex) 0.0.0.0/0 igw-b71902dd
    ■ Associating the route table with the subnet

Networking in VPC
  ○ Updating the SG rules (default SG for the VPC)
    ■ 80 (HTTP) 0.0.0.0/0
    ■ 443 (HTTPS) 0.0.0.0/0
  ○ Adding EIPs to instances

Networking in VPC
● NAT Instance
  ○ Creating a VPC with two subnets
  ○ Creating the NATSG security group
  ○ Launching an instance (AMI: ami-vpc-nat)
    ■ SG = NATSG
    ■ selecting the Public IP option (or assigning an EIP after launching)

Networking in VPC
  ○ Configuring the NATSG
    ■ http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html#NATSG
  ○ Disabling Source/Destination Checks
    ■ the NAT instance must send/receive traffic whose source or destination is not itself
    ■ Disable the SrcDestCheck attribute
  ○ Updating the route table for the private subnet
    ■ 0.0.0.0/0 nat-instance-id
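The route table slides (subnet : route table = n : 1, main vs. custom tables, the 0.0.0.0/0 → IGW route for the public subnet and the 0.0.0.0/0 → NAT instance route for the private subnet) are easiest to understand as a longest-prefix lookup. The added example below is not from the slides and does not call AWS; it models a VPC with the routes these slides configure and resolves the next hop for sample packets. The IGW id igw-b71902dd is taken from the slide above; the VPC range 10.0.0.0/16, the subnet ranges and the `nat-instance-id` placeholder (the slide's own literal) are constructed values.

```python
import ipaddress


class RouteTable:
    """A VPC route table: (destination CIDR, target) entries, most specific prefix wins."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = [(ipaddress.ip_network(cidr), target) for cidr, target in routes]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, target in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None  # None: no route, the packet is dropped

    def default_target(self):
        """Target of the 0.0.0.0/0 route, if the table has one."""
        return self.lookup("0.0.0.0")


class Vpc:
    """Subnets, one main route table, and optional explicit subnet-to-table associations."""

    def __init__(self, cidr, main_table):
        self.cidr = ipaddress.ip_network(cidr)
        self.main_table = main_table
        self.subnets = {}       # subnet CIDR -> network
        self.associations = {}  # subnet CIDR -> RouteTable (n subnets : 1 table)

    def add_subnet(self, cidr, table=None):
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(self.cidr):
            raise ValueError(f"{net} is outside the VPC range {self.cidr}")
        self.subnets[cidr] = net
        if table is not None:
            self.associations[cidr] = table

    def table_for(self, subnet_cidr):
        # A subnet with no explicit association uses the main route table.
        return self.associations.get(subnet_cidr, self.main_table)

    def subnet_of(self, address):
        addr = ipaddress.ip_address(address)
        for cidr, net in self.subnets.items():
            if addr in net:
                return cidr
        raise ValueError(f"{address} is not in any subnet of {self.cidr}")

    def next_hop(self, src, dst):
        """Route-table target for a packet leaving the instance at `src`."""
        return self.table_for(self.subnet_of(src)).lookup(dst)

    def is_public(self, subnet_cidr):
        """A subnet is public when its route table sends 0.0.0.0/0 to an internet gateway."""
        target = self.table_for(subnet_cidr).default_target()
        return target is not None and target.startswith("igw-")


def build_example_vpc():
    """Constructed two-subnet VPC in the shape of the NAT Instance slides."""
    # Every table carries the 'local' route for the VPC's own range.
    main = RouteTable("main", [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-instance-id")])
    public = RouteTable("public", [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-b71902dd")])
    vpc = Vpc("10.0.0.0/16", main_table=main)
    vpc.add_subnet("10.0.0.0/24", table=public)  # explicit custom table -> public
    vpc.add_subnet("10.0.1.0/24")                # main table -> private, via NAT
    vpc.add_subnet("10.0.2.0/24")                # added later, no association -> main table
    return vpc


if __name__ == "__main__":
    vpc = build_example_vpc()
    for src in ("10.0.0.5", "10.0.1.5", "10.0.2.5"):
        print(src, "-> internet via", vpc.next_hop(src, "198.51.100.1"),
              "| public:", vpc.is_public(vpc.subnet_of(src)))
    print("10.0.1.5 -> 10.0.0.5 via", vpc.next_hop("10.0.1.5", "10.0.0.5"))
```

Two things the lookup makes concrete. The `local` route always wins for intra-VPC traffic because /16 is more specific than /0, so a private subnet reaches the public one without touching the NAT instance. And the third subnet, which nobody explicitly associated, silently inherits whatever the main table says: in this model that is the NAT route, but if the 0.0.0.0/0 → igw route had been placed in the main table instead of a custom one, every new subnet would be public by default, which is why the IGW route belongs in a custom table associated only with the subnets meant to be public.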
