What is Amazon VPC?
VPC (Virtual Private Cloud) is a virtual network that is logically isolated from other virtual networks in the AWS Cloud. It is dedicated to your AWS account. It is the master address block from which you carve smaller subnets. A VPC is created per region and spans all Availability Zones in that region. You must specify an IP address range for the VPC as a Classless Inter-Domain Routing (CIDR) block, for example 192.168.0.0/16. Then you can add subnets (for example 192.168.1.0/24), associate security groups, and configure route tables.
What is an Amazon Subnet?
A subnet is a range of IP addresses in your VPC. When creating a new subnet, you need to take into account the CIDR block of the VPC. So for VPC CIDR 192.168.0.0/16, your subnets must be 192.168.x.y/z, where z > 16. Example: in your /16 VPC you create 10 subnets with /20 (4094 IPs each). Now you have 40940 addresses “used” in those subnets and 65536 – 40940 = 24596 IP addresses available for new subnets. You will no longer be able to create a /17 subnet, because it needs 32766 IP addresses. But you will still be able to create subnets between /18 and /28 (/28 is the smallest subnet you can deploy within a VPC; a /28 contains 16 IP addresses).
With subnets you can create a public subnet with Internet access for your Web servers and private subnets for your database servers. With security groups and network access control lists (ACLs) you can allow the Web servers to communicate with the DB servers, while the DB servers are neither accessible from the Internet nor able to reach it. Subnets are created per Availability Zone.
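The subnet arithmetic above is easy to get wrong by hand, so here is an added worked example (not code from the original page or from AWS) that carves subnets out of a VPC CIDR block with Python's standard ipaddress module. The VpcPlanner class and usable_addresses function are hypothetical helpers written for this page; they model the address-space rules and do not call AWS. The planner counts raw addresses per block (4096 for a /20) and separately applies the AWS rule that five addresses per subnet are reserved. It also shows the point the paragraph makes: after ten /20 subnets there are still thousands of free addresses, but no contiguous aligned block large enough for a /17.

```python
import ipaddress

# AWS reserves the first four and the last address of every subnet, so a /20
# (4096 addresses) leaves 4091 for instances. Known AWS rule, not from the page.
AWS_RESERVED_PER_SUBNET = 5
# Prefix lengths AWS accepts for a VPC subnet: between /16 and /28.
MIN_PREFIX, MAX_PREFIX = 16, 28


def usable_addresses(prefix: int) -> int:
    """Addresses an instance can actually receive in a subnet of this size."""
    return 2 ** (32 - prefix) - AWS_RESERVED_PER_SUBNET


class VpcPlanner:
    """Hypothetical helper: tracks which parts of a VPC CIDR block are still free."""

    def __init__(self, vpc_cidr: str) -> None:
        self.vpc = ipaddress.ip_network(vpc_cidr, strict=True)
        self.subnets = []            # blocks already handed out
        self.free = [self.vpc]       # unallocated, non-overlapping blocks

    def free_addresses(self) -> int:
        """Total addresses still available for new subnets."""
        return sum(block.num_addresses for block in self.free)

    def can_fit(self, prefix: int) -> bool:
        """A /prefix subnet fits only if one free, aligned block is at least that big.
        Having enough addresses in total is not sufficient."""
        return any(block.prefixlen <= prefix for block in self.free)

    def allocate(self, prefix: int):
        """Carve the next /prefix subnet out of the VPC, best-fit from the free blocks."""
        if not MIN_PREFIX <= prefix <= MAX_PREFIX:
            raise ValueError(f"/{prefix} is outside the allowed /{MIN_PREFIX}-/{MAX_PREFIX} range")
        if prefix < self.vpc.prefixlen:
            raise ValueError(f"/{prefix} is larger than the VPC block {self.vpc}")
        candidates = [b for b in self.free if b.prefixlen <= prefix]
        if not candidates:
            raise ValueError(f"no contiguous room left for a /{prefix} subnet")
        # Best fit: the smallest free block (largest prefix length) that still holds
        # the request, so larger blocks stay intact for later, bigger subnets.
        block = max(candidates, key=lambda b: b.prefixlen)
        self.free.remove(block)
        subnet = next(block.subnets(new_prefix=prefix))   # first /prefix inside the block
        self.free.extend(block.address_exclude(subnet))   # return the remainder to the pool
        self.subnets.append(subnet)
        return subnet


if __name__ == "__main__":
    planner = VpcPlanner("192.168.0.0/16")
    for _ in range(10):
        print("created", planner.allocate(20), "usable addresses:", usable_addresses(20))
    print("free addresses:", planner.free_addresses())
    print("room for a /17?", planner.can_fit(17))
    print("room for a /18?", planner.can_fit(18))
    print("usable addresses in a /28:", usable_addresses(28))
```

Running the script reproduces the paragraph's scenario: ten /20 subnets consume 40960 raw addresses, 24576 remain, a /17 no longer fits, and anything from /18 down to /28 still does.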
What are public and private subnets?
If a subnet has a route to an internet gateway, it is a public subnet. Instances in it must have a public IP address or an Elastic IP address to use that route (an Elastic IP address is simply a public IP you allocate in your AWS console). If the subnet’s traffic isn’t routed to an internet gateway, it is a private subnet. EC2 instances in private subnets can still have Internet access: you can route their traffic through a NAT gateway or a NAT instance. A NAT allows outbound communication to the Internet, but doesn’t allow hosts on the Internet to initiate a connection with instances in private subnets.
There is also a VPN-only subnet: a subnet without a route to an internet gateway, whose traffic is instead routed to a virtual private gateway for a VPN connection.
What is VPC Peering?
If you have multiple AWS accounts or you are an AWS consultant, you can create a VPC peering connection between your VPC and a VPC in another AWS account. The VPCs can be in different regions. Instances in both VPCs can then communicate with each other as if they were within the same network (after you configure routing). For more information see: https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html
What are Security groups?
You can think of a security group as a virtual firewall for your instances that controls both inbound and outbound traffic. Security groups don’t act at the subnet level; they act at the instance level, so you can have different security groups for each instance (for an EC2 instance you can assign at most 5 different security groups). By default an instance gets the default security group of the VPC. A security group defines what traffic can flow into and out of a particular instance.
Security groups are stateful (return traffic is allowed).
What is a network ACL (network access control list)?
A network access control list (ACL) is an additional (and optional) layer of security acting at the subnet level (a subnet-level traffic firewall). You can assign only one network ACL to a subnet. Network ACLs are stateless (return traffic is not tracked, so it must be explicitly allowed by a rule in the other direction).
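The stateful/stateless difference between security groups and network ACLs is the one that causes most surprises in practice, so here is an added example (written for this page, not AWS code) that models both evaluation orders in Python. The Rule, SecurityGroup, nacl_allows and round-trip functions are hypothetical helpers; the addresses and rule sets are constructed from documentation ranges. The web server's security group deliberately has no outbound rule (the VPC's default security group would allow all outbound traffic) to show that a reply to an admitted HTTPS connection still passes. The network ACL, by contrast, drops the same reply unless an outbound rule for the ephemeral port range exists, and it honours rule numbering: a lower-numbered deny wins over a later allow.

```python
import ipaddress
from dataclasses import dataclass

# Ports an operating system picks for the client side of a connection; a
# stateless NACL needs an explicit rule covering this range for return traffic.
EPHEMERAL_PORTS = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    """One firewall rule. `number` is the NACL evaluation order (unused by security groups)."""
    number: int
    action: str        # "allow" or "deny"; security groups only have "allow" rules
    protocol: str      # "tcp", "udp", "icmp" or "all"
    ports: tuple       # inclusive (low, high) port range
    cidr: str          # peer address range


def rule_matches(rule: Rule, protocol: str, port: int, peer: str) -> bool:
    """Does this rule cover the given protocol, port and peer address?"""
    if rule.protocol not in ("all", protocol):
        return False
    low, high = rule.ports
    if not low <= port <= high:
        return False
    return ipaddress.ip_address(peer) in ipaddress.ip_network(rule.cidr)


def nacl_allows(rules, protocol: str, port: int, peer: str) -> bool:
    """Network ACL semantics: stateless, rules checked from the lowest number up,
    the first match decides, anything unmatched hits the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, protocol, port, peer):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Security group semantics: stateful. A connection admitted by an inbound rule
    is remembered, so its return packets pass even without an outbound rule."""

    def __init__(self, inbound, outbound):
        self.inbound = [r for r in inbound if r.action == "allow"]
        self.outbound = [r for r in outbound if r.action == "allow"]
        self.tracked = set()   # (protocol, local_port, peer, peer_port)

    def allows_inbound(self, protocol, local_port, peer, peer_port) -> bool:
        if any(rule_matches(r, protocol, local_port, peer) for r in self.inbound):
            self.tracked.add((protocol, local_port, peer, peer_port))
            return True
        return False

    def allows_outbound(self, protocol, local_port, peer, peer_port) -> bool:
        if (protocol, local_port, peer, peer_port) in self.tracked:
            return True   # reply to a connection that was admitted inbound
        return any(rule_matches(r, protocol, peer_port, peer) for r in self.outbound)


# Constructed scenario: a web server reachable on HTTPS from anywhere.
ANYWHERE = "0.0.0.0/0"
CLIENT = "203.0.113.10"      # documentation address, constructed
CLIENT_PORT = 50000          # constructed ephemeral source port


def new_web_sg() -> SecurityGroup:
    return SecurityGroup(
        inbound=[Rule(0, "allow", "tcp", (443, 443), ANYWHERE)],
        outbound=[],   # deliberately empty to show statefulness
    )


NACL_INBOUND = [
    Rule(90, "deny", "tcp", (443, 443), "192.0.2.0/24"),   # blocked range, checked before 100
    Rule(100, "allow", "tcp", (443, 443), ANYWHERE),
]
NACL_OUTBOUND_INCOMPLETE = [Rule(100, "allow", "tcp", (443, 443), ANYWHERE)]
NACL_OUTBOUND = NACL_OUTBOUND_INCOMPLETE + [Rule(110, "allow", "tcp", EPHEMERAL_PORTS, ANYWHERE)]


def https_round_trip_sg() -> tuple:
    """(request admitted, reply admitted) through the stateful security group."""
    sg = new_web_sg()
    request = sg.allows_inbound("tcp", 443, CLIENT, CLIENT_PORT)
    reply = sg.allows_outbound("tcp", 443, CLIENT, CLIENT_PORT)
    return request, reply


def https_round_trip_nacl(outbound_rules) -> tuple:
    """(request admitted, reply admitted) through a stateless network ACL."""
    request = nacl_allows(NACL_INBOUND, "tcp", 443, CLIENT)
    reply = nacl_allows(outbound_rules, "tcp", CLIENT_PORT, CLIENT)
    return request, reply


if __name__ == "__main__":
    print("security group, no outbound rule:", https_round_trip_sg())
    print("NACL without ephemeral rule:     ", https_round_trip_nacl(NACL_OUTBOUND_INCOMPLETE))
    print("NACL with ephemeral rule:        ", https_round_trip_nacl(NACL_OUTBOUND))
    print("NACL deny 90 beats allow 100:    ", nacl_allows(NACL_INBOUND, "tcp", 443, "192.0.2.5"))
```

The practical lesson the model illustrates: when a network ACL is added to a subnet, every flow needs rules in both directions, including the ephemeral-port range for replies, whereas a security group only needs the rule for the direction in which connections are initiated.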