VPC
Amazon Virtual Private Cloud (VPC) provides logically isolated virtual networks, with subnets, route tables and gateways, that can mirror an on-premises network design.
Each region of a new account comes with a default VPC that has a default subnet in each AZ. Note that the default subnets are public: their route table sends 0.0.0.0/0 to an internet gateway and instances launched in them get a public IP address by default. Any VPC you create yourself is called non-default.
Features
Concepts
- VPCs are isolated sections of the AWS cloud associated with a CIDR block.
- They contain subnets, each with a non-overlapping IP address range carved out of the VPC CIDR. Each subnet can be associated with its own route table (otherwise it uses the VPC's main route table), and a VPC can be attached to gateways (internet, NAT, virtual private, transit).
- Route tables define routing rules: each entry maps a destination CIDR to a target (local, internet gateway, NAT gateway, virtual private gateway, peering connection, endpoint), and the most specific matching route wins.
- Internet gateways attached to VPCs allow connectivity between resources in the VPC and the Internet; a resource still needs a route to the IGW and a public or Elastic IP to be reachable.
- VPC endpoints allow private connectivity between a VPC
- Peering and transit gateway
Subnets
A subnet is a range of IP addresses within a VPC from which addresses are assigned to AWS resources. A subnet is confined to a single AZ, while the VPC itself spans every AZ in its region. AWS reserves five addresses in each subnet (the first four and the last), so a /24 gives 251 usable addresses rather than 254.
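The CIDR rules above are easy to get wrong in a hand-written plan. The following is an added example (my code, not something from the page or from AWS) that validates a subnet plan with Python's standard `ipaddress` module: every subnet must sit inside the VPC CIDR, no two subnets may overlap, and both VPC and subnet prefixes must be between /16 and /28 as AWS requires. The reserved-address count and prefix limits are AWS facts; the sample plans in the docstring are constructed.

```python
"""Validate a VPC subnet plan offline with the standard library.

Added example, not from the page or AWS. Usage:
    validate_subnet_plan("10.0.0.0/16", {"public-a": "10.0.1.0/24",
                                         "private-a": "10.0.2.0/24"})
returns [] for a valid plan and a list of problem strings otherwise.
"""
import ipaddress

# AWS fact: the network address, VPC router, DNS and "future use" addresses at
# the start of a subnet plus the broadcast address at the end are reserved.
AWS_RESERVED_PER_SUBNET = 5
MIN_PREFIX, MAX_PREFIX = 16, 28  # AWS allows IPv4 VPC and subnet sizes /16 .. /28


def usable_hosts(cidr: str) -> int:
    """Number of addresses AWS will actually hand out in this subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def validate_subnet_plan(vpc_cidr: str, subnets: dict) -> list:
    """Return human-readable problems for a plan; an empty list means it is valid.

    `subnets` maps a label (e.g. "public-a") to a CIDR string.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        problems.append(f"VPC {vpc} must be between /{MIN_PREFIX} and /{MAX_PREFIX}")

    parsed = {}
    for name, cidr in subnets.items():
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 10.0.1.5/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr} is not a valid network ({exc})")
            continue
        if net.version != vpc.version:
            problems.append(f"{name}: {net} is IPv{net.version} but VPC is IPv{vpc.version}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} is outside VPC {vpc}")
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append(f"{name}: {net} must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
        parsed[name] = net

    # Pairwise overlap check; sorted names make the report deterministic.
    names = sorted(parsed)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if parsed[a].overlaps(parsed[b]):
                problems.append(f"{a} ({parsed[a]}) overlaps {b} ({parsed[b]})")
    return problems
```

Run it against the plan before creating subnets; an overlapping or out-of-VPC CIDR is rejected by the API anyway, but catching it here keeps the plan reviewable in version control.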
Whether a subnet is public or private is not a property of the subnet itself; it follows entirely from the route table the subnet is associated with. Subnets are therefore:
- Public, where the route table has a default route (0.0.0.0/0) to an IGW. Instances still need a public or Elastic IP to be reachable from the Internet.
- Private, where there's no direct route to an IGW. Outbound Internet access is only possible through a NAT gateway (or an egress-only IGW for IPv6), and nothing on the Internet can initiate a connection inbound.
- VPN-only, where there's no route to an IGW but traffic for remote networks is routed to a virtual private gateway for a Site-to-Site VPN.
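Because the classification lives in the route table, the practical check is to read the route tables rather than the subnet attributes. The following added example (my code, not from the page or AWS) classifies subnets from data shaped like the `Routes` and `Associations` fields of `aws ec2 describe-route-tables` output. The data itself is constructed inline and every ID is fictional. It also reproduces a detail that causes surprises: a subnet with no explicit association silently uses the VPC's main route table, so a "private" subnet in a VPC whose main route table points at an IGW is actually public.

```python
"""Classify subnets as public / private / vpn-only from their route tables.

Added example, not from the page or AWS. Input mirrors the shape of
`aws ec2 describe-route-tables` output but is constructed; IDs are fictional.
"""

DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}


def classify(route_table: dict) -> str:
    """Decide a subnet's class from the routes in its table."""
    default_targets, all_targets = set(), set()
    for route in route_table.get("Routes", []):
        if route.get("State", "active") != "active":
            continue  # blackholed routes (e.g. a deleted NAT gateway) carry no traffic
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        target = (route.get("GatewayId") or route.get("NatGatewayId")
                  or route.get("EgressOnlyInternetGatewayId") or "")
        all_targets.add(target)
        if dest in DEFAULT_ROUTES:
            default_targets.add(target)
    if any(t.startswith("igw-") for t in default_targets):
        return "public"        # direct default route to an internet gateway
    if any(t.startswith(("nat-", "eigw-")) for t in default_targets):
        return "private"       # outbound-only Internet via NAT or egress-only IGW
    if any(t.startswith("vgw-") for t in all_targets):
        return "vpn-only"      # on-prem prefixes via a virtual private gateway, no Internet
    return "isolated"          # no route out of the VPC at all


def classify_subnets(route_tables: list, subnet_ids: list) -> dict:
    """Map subnet ID -> class, falling back to the main route table for subnets
    without an explicit association, exactly as AWS does."""
    explicit, main = {}, None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    return {sid: classify(explicit.get(sid, main)) if (sid in explicit or main) else "no-route-table"
            for sid in subnet_ids}


# Constructed sample shaped like describe-route-tables output; IDs are fictional.
SAMPLE_ROUTE_TABLES = [
    {   # main route table, default-VPC style: default route straight to the IGW
        "RouteTableId": "rtb-main0001",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-aaaa0001", "State": "active"},
        ],
    },
    {   # private subnet: outbound through a NAT gateway only
        "RouteTableId": "rtb-priv0001",
        "Associations": [{"SubnetId": "subnet-priv-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-bbbb0001", "State": "active"},
        ],
    },
    {   # VPN-only subnet: on-prem prefix via virtual private gateway, no default route
        "RouteTableId": "rtb-vpn0001",
        "Associations": [{"SubnetId": "subnet-vpn-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-cccc0001", "State": "active"},
        ],
    },
]

if __name__ == "__main__":
    # "subnet-pub-a" has no explicit association, so it inherits the main table
    # and comes out public even though nobody configured it that way.
    print(classify_subnets(SAMPLE_ROUTE_TABLES, ["subnet-pub-a", "subnet-priv-a", "subnet-vpn-a"]))
```

Feeding the real output of `describe-route-tables` through `classify_subnets` is a quick audit: any subnet reported as `public` that hosts databases or internal services deserves a look at why its route table carries an IGW route.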
Security
Two mechanisms filter traffic inside a VPC. They operate at different layers (the network interface and the subnet) and both are applied to every packet, so a flow must be permitted by both to pass.
Security groups
Security groups act as stateful virtual firewalls at the network interface level, controlling inbound and outbound traffic for the instances they are attached to. They contain allow rules only: anything not explicitly allowed is denied, and the return traffic of an allowed connection is permitted automatically without its own rule. A new security group denies all inbound and allows all outbound traffic. Up to five security groups can be associated with each network interface by default (an adjustable quota).
There are separate rule sets for inbound and outbound rules, and a rule can name another security group as its source or destination instead of a CIDR, which is how tiers are commonly chained (e.g. "the database group accepts 5432 only from the application group").
Network ACLs
Network ACLs apply at the subnet layer and are stateless: rules are evaluated in ascending rule number, the first match decides, and both allow and deny rules are possible. Because no connection state is kept, return traffic must be explicitly allowed, typically with an outbound rule for the ephemeral port range (1024-65535). They're sometimes used to shadow the security group rules, or as a coarse explicit deny list (blocking a known-bad network) that security groups can't express. The default network ACL allows all traffic; a custom one denies everything until rules are added.
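The stateful/stateless difference is where most misconfigurations come from, so here is an added example (my code, not from the page or AWS) that models both mechanisms over a single HTTPS request and its reply. The packet and rule classes are simplified stand-ins for the real objects; the addresses and rules are constructed. The model shows the security group allowing the reply without an outbound rule, a network ACL that was given only the inbound 443 rule dropping the reply, and a rule-ordering example where a low-numbered deny takes effect before the broader allow.

```python
"""Model how a security group and a network ACL each decide on a packet.

Added example, not from the page or AWS. It reproduces the two behaviours that
matter in practice: security groups are stateful and allow-only; network ACLs
are stateless, ordered by rule number, first match wins, implicit deny at the end.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the instance / subnet
    proto: str       # "tcp" or "udp"
    remote: str      # the non-local address
    remote_port: int
    local_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str              # "tcp", "udp" or "all"
    cidr: str
    port_from: int
    port_to: int
    action: str = "allow"   # NACLs may also "deny"; security groups only allow
    number: int = 0         # NACL rule number; unused for security groups

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction or self.proto not in ("all", pkt.proto):
            return False
        if ipaddress.ip_address(pkt.remote) not in ipaddress.ip_network(self.cidr):
            return False
        # An inbound rule names the instance's port; an outbound rule names the remote port.
        port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
        return self.port_from <= port <= self.port_to


class SecurityGroup:
    """Stateful: once a flow is allowed, its return traffic passes without a rule."""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups cannot contain deny rules")
        self.rules = list(rules)
        self._tracked = set()  # connection table keyed by (proto, remote, remote_port, local_port)

    def evaluate(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.remote, pkt.remote_port, pkt.local_port)
        if key in self._tracked:
            return "allow"   # reply half of a tracked connection
        if any(r.matches(pkt) for r in self.rules):
            self._tracked.add(key)
            return "allow"
        return "deny"        # implicit deny: nothing matched


class NetworkAcl:
    """Stateless: lowest rule number first, first match wins, then the implicit '*' deny."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> str:
        for r in self.rules:
            if r.matches(pkt):
                return r.action
        return "deny"


def demo() -> dict:
    """Verdicts for an HTTPS request and its reply under each configuration (constructed)."""
    request = Packet("in", "tcp", "203.0.113.7", 51234, 443)
    reply = Packet("out", "tcp", "203.0.113.7", 51234, 443)
    sg = SecurityGroup([Rule("in", "tcp", "0.0.0.0/0", 443, 443)])
    nacl_missing = NetworkAcl([Rule("in", "tcp", "0.0.0.0/0", 443, 443, number=100)])
    nacl_good = NetworkAcl([
        Rule("in", "tcp", "198.51.100.0/24", 0, 65535, "deny", number=50),  # block a scanner net first
        Rule("in", "tcp", "0.0.0.0/0", 443, 443, number=100),
        Rule("out", "tcp", "0.0.0.0/0", 1024, 65535, number=100),          # ephemeral ports for replies
    ])
    return {
        "sg": (sg.evaluate(request), sg.evaluate(reply)),
        "nacl_missing_ephemeral": (nacl_missing.evaluate(request), nacl_missing.evaluate(reply)),
        "nacl_with_ephemeral": (nacl_good.evaluate(request), nacl_good.evaluate(reply)),
        "nacl_denied_source": nacl_good.evaluate(Packet("in", "tcp", "198.51.100.9", 40000, 443)),
    }
```

The model omits the allow-all outbound rule a new security group carries by default; with it, the outbound half would pass on its own. What it does show is why a "locked down" NACL with only inbound rules breaks every TCP session, and why the deny rule has to carry a lower number than the allow it is meant to override.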
Subnet groups
Subnet groups are used by some AWS services (for example RDS, ElastiCache and DocumentDB) to choose the subnets, and so the IP addresses and AZs, in which the service places its network interfaces. A group spanning at least two AZs lets the resource be configured for high availability across multiple availability zones.
Flow logs
VPC flow logs capture metadata about the IP traffic (addresses, ports, protocol, packet and byte counts, and the ACCEPT/REJECT verdict) flowing to and from all network interfaces in a VPC or subnet, or an individual network interface. They record what the security groups and network ACLs decided, not packet payloads, and they are aggregated over a capture window rather than delivered in real time. Some traffic is never logged, including instance metadata (169.254.169.254), DHCP and queries to the Amazon DNS resolver. These logs are published to CloudWatch Logs, S3 or Kinesis Data Firehose.
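The REJECT verdicts are the most useful part of a flow log for detection. The following added example (my code, not from the page or AWS) parses records in the default version 2 format, skips the NODATA/SKIPDATA records whose traffic fields are `-`, and flags any source address that was rejected on many distinct destination ports, the classic port-scan signature. The sample records are constructed; the account ID, interface ID and addresses are fictional.

```python
"""Parse VPC flow log records (default format, version 2) and flag port scans.

Added example, not from the page or AWS. Records are constructed and every
identifier and address in them is fictional.
"""
from collections import defaultdict
from dataclasses import dataclass

# Field order of the default (version 2) flow log format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int   # IANA number: 6 = TCP, 17 = UDP
    packets: int
    bytes: int
    start: int
    end: int
    action: str     # "ACCEPT" or "REJECT"


def parse_record(line: str):
    """Return a FlowRecord, or None for NODATA / SKIPDATA records, whose traffic
    fields are '-' because nothing was captured (or data was dropped) in that window."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":
        return None
    return FlowRecord(
        interface_id=rec["interface-id"], srcaddr=rec["srcaddr"], dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]), dstport=int(rec["dstport"]), protocol=int(rec["protocol"]),
        packets=int(rec["packets"]), bytes=int(rec["bytes"]),
        start=int(rec["start"]), end=int(rec["end"]), action=rec["action"],
    )


def find_port_scanners(lines, min_ports: int = 5) -> dict:
    """Map source address -> sorted rejected destination ports, for every source
    that was rejected on at least `min_ports` distinct ports."""
    rejected = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec.action != "REJECT":
            continue
        rejected[rec.srcaddr].add(rec.dstport)
    return {src: sorted(ports) for src, ports in rejected.items() if len(ports) >= min_ports}


# Constructed sample: one scanner probing six ports, one legitimate HTTPS session
# (both directions), one stray reject, and a NODATA record.
ENI = "eni-0a1b2c3d4e5f67890"
SAMPLE_FLOW_LOG = [
    f"2 123456789012 {ENI} 198.51.100.23 10.0.1.15 54211 22 6 1 44 1700000000 1700000060 REJECT OK",
    f"2 123456789012 {ENI} 198.51.100.23 10.0.1.15 54212 23 6 1 44 1700000000 1700000060 REJECT OK",
    f"2 123456789012 {ENI} 198.51.100.23 10.0.1.15 54213 80 6 1 44 1700000000 1700000060 REJECT OK",
    f"2 123456789012 {ENI} 198.51.100.23 10.0.1.15 54214 443 6 1 44 1700000000 1700000060 REJECT OK",
    f"2 123456789012 {ENI} 198.51.100.23 10.0.1.15 54215 3389 6 1 44 1700000000 1700000060 REJECT OK",
    f"2 123456789012 {ENI} 198.51.100.23 10.0.1.15 54216 8080 6 1 44 1700000000 1700000060 REJECT OK",
    f"2 123456789012 {ENI} 203.0.113.8 10.0.1.15 43100 443 6 12 3456 1700000000 1700000060 ACCEPT OK",
    f"2 123456789012 {ENI} 10.0.1.15 203.0.113.8 443 43100 6 10 9876 1700000000 1700000060 ACCEPT OK",
    f"2 123456789012 {ENI} 203.0.113.8 10.0.1.15 43101 22 6 1 44 1700000000 1700000060 REJECT OK",
    f"2 123456789012 {ENI} - - - - - - - 1700000060 1700000120 - NODATA",
]

if __name__ == "__main__":
    print(find_port_scanners(SAMPLE_FLOW_LOG))
```

Note that a REJECT line only tells you a security group or network ACL dropped the packet; it does not say which one, and a single rejected connection attempt is normal background noise, which is why the detector thresholds on distinct ports rather than alerting on every reject.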