Educative | Virtual Private Clouds (VPCs)
November 7th, 2023
## What is a VPC?
A Virtual Private Cloud (VPC) is a fundamental component of Amazon Web Services (AWS) that offers a logically isolated section within the AWS cloud, providing you with complete control over your virtual networking environment. Key features of VPC include:
### Custom IP Address Ranges
You have the flexibility to choose and define the IP address ranges for your VPC, making it possible to create a network structure that suits your specific needs.
### VPN Connectivity
VPC allows you to establish a hardware Virtual Private Network (VPN) connection between your corporate data center and your VPC, essentially extending your on-premises network into the cloud.
## CIDR Notation
CIDR (Classless Inter-Domain Routing) notation is the standard way of describing blocks of IP addresses: an address followed by a slash and the length of the network prefix in bits. In IPv4, addresses are 32 bits long, written as four 8-bit octets in decimal. IPv6 addresses are 128 bits long and are written as eight 16-bit groups in hexadecimal. CIDR notation simplifies the specification of address ranges, making IP address allocation easier to manage.
## NAT Gateways
NAT (Network Address Translation) gateways are an essential component of VPC. They serve as intermediaries for private subnet instances to access external services while maintaining security. There are two types of NAT gateways:
### Public NAT Gateway
Instances in private subnets can access the internet through a public NAT gateway, but they cannot receive unsolicited inbound connections from the internet. Public NAT gateways are placed in a public subnet and require an associated elastic IP address. Traffic from these gateways is routed to the internet gateway of the VPC.
### Private NAT Gateway
Private NAT gateways enable private subnet instances to access other VPCs or the on-premises network. They don’t require an elastic IP address, and routing traffic from these gateways can be achieved through transit gateways or virtual private gateways. Private NAT gateways do not route traffic to the internet.
NAT gateways replace the source IP address of instances with the IP address of the gateway, ensuring that responses are sent back to the correct source.
## Network Access Control Lists (NACLs)
Network Access Control Lists (NACLs) are a critical part of VPC’s security infrastructure:
- Association with Subnets: Each subnet in your VPC must be associated with a NACL. A subnet can be associated with only one NACL, but multiple subnets can share a single NACL.
- Numbered Rules: NACLs contain numbered rules for both inbound and outbound traffic. These rules are evaluated in numerical order, starting with the lowest numbered rule, and the first rule that matches decides whether the traffic is allowed or denied.
- Stateless: NACLs operate in a stateless manner. A NACL does not track connections, so return traffic is not allowed automatically: the reply to an allowed inbound request must itself be permitted by an outbound rule, and vice versa. Each rule in a NACL can either allow or deny traffic based on specified conditions.
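The following added example (not code from the original article) models how the numbered, stateless rules described above are evaluated: rules are tried lowest number first, the first match wins, and an unmatched packet falls through to the implicit deny. The rule sets and IP addresses are constructed for illustration, and ICMP type/code matching is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int      # rules are evaluated in ascending order of this number
    protocol: str    # "tcp", "udp" or "all" (ICMP type/code not modelled here)
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"


def evaluate(rules, protocol, addr, port):
    """Return the action of the first matching rule, lowest number first.
    If no numbered rule matches, the implicit '*' rule denies the packet."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if ip_address(addr) not in ip_network(rule.cidr):
            continue
        if rule.protocol != "all" and not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action
    return "deny"


# Constructed NACL: rule 100 blocks one subnet before the broader rule 110
# allows HTTPS from anywhere; nothing else is allowed in. Outbound only allows
# replies to the ephemeral port range that typical Linux clients use.
INBOUND = [
    NaclRule(100, "tcp", "198.51.100.0/24", 443, 443, "deny"),
    NaclRule(110, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
OUTBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", 32768, 65535, "allow"),
]


def https_session(client_ip, client_port):
    """Stateless check of one HTTPS request and its reply. The reply is a
    separate outbound packet addressed to the client's ephemeral port, so it
    must be permitted by an outbound rule on its own merits."""
    request = evaluate(INBOUND, "tcp", client_ip, 443)
    reply = evaluate(OUTBOUND, "tcp", client_ip, client_port)
    return request, reply
```

A client whose ephemeral port falls below 32768 gets its request in but never sees the reply, which is the classic symptom of a NACL that was written as if it were stateful.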
## VPC Flow Logs
VPC Flow Logs is a feature that captures information about the IP traffic going to and from the network interfaces in your VPC. This data is stored using Amazon CloudWatch Logs, providing visibility into network activities and helping with troubleshooting and security monitoring.
## Bastion Hosts
Bastion hosts are instances located in the public subnet of a VPC and act as secure gateways to access private instances in the private subnets. They are essential for remote connectivity with private instances over the public internet.
### Creating a Bastion Host
Creating a bastion host involves several steps:
- Launch an EC2 instance as you would for any other instance.
- Apply necessary OS hardening measures to enhance security.
- Configure security groups (SG) to control inbound and outbound traffic.
- Implement either SSH-agent forwarding for Linux connectivity or Remote Desktop Gateway for Windows connectivity.
- Deploy an AWS bastion host in each of the Availability Zones being used.
## Jump Boxes
Jump boxes, similar to bastion hosts, facilitate secure access to EC2 instances in private subnets. They act as intermediaries for end-users to connect to private instances, enhancing security by limiting direct external access to private resources.
## Service Gateway
Service gateways enable instances in private subnets to access public endpoints without traversing the public internet, enhancing security and performance for certain types of traffic.
## Efficient API Development
AWS API Gateway allows you to run multiple versions of the same API simultaneously, providing flexibility for testing and releasing new versions. You pay for the API calls made to your APIs and data transfer out, with no minimum fees or upfront commitments. It is a scalable solution that ensures low-latency performance for API requests and responses.