VPC CIDR Blocks - Amazon Virtual Private Cloud
Last Updated: 17 Sep, 2024
Amazon Web Services lets users securely host applications and scale to millions of users without provisioning and maintaining infrastructure themselves. The VPC is probably the most crucial part of AWS networking and is essential for protecting applications from outside bad actors; however, not understanding VPC networking can also cause internal issues. In this article, we are going to learn about VPC CIDR blocks.
What is AWS VPC?
A Virtual Private Cloud (VPC) is a customizable, isolated network environment for deploying cloud resources. A default VPC is configured and ready for you to use when you create your account. You can also create your Custom VPC.
Virtual Private Cloud can be created and managed through:
- AWS management console
- AWS CLI
- AWS SDKs
- Query APIs
Key Components Of AWS VPC
Subnets
- A subnet is a segment of a VPC's IP address range, designed to isolate or organize resources within a virtual network. You can connect a subnet to the internet, and other VPCs, and route traffic to and from your subnets using route tables.
Route Tables
- A route table is a key component of Virtual Private Cloud (VPC) networking that determines how network traffic is directed within your VPC. Each route table contains a set of rules, called routes, that define the paths for outbound traffic leaving the subnet to reach different network destinations.
IP Addressing
- Each instance inside a VPC has a private IPv4 address. You can optionally assign a public IPv4 address through an Elastic IP.
- If an IPv6 CIDR block is assigned to your VPC, you can assign IPv6 addresses to your instances.
Gateways
- You can enable internet access for an instance launched into a nondefault subnet by attaching an internet gateway to the VPC.
- To enable outbound connections from your VPC to the internet and block inbound connections, use a NAT device.
Peering
- VPC peering can be used to route traffic between resources in two VPCs.
- You can also create a transit gateway and use it to interconnect your VPCs and on-premises networks.
Flow Logs
- VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC.
What are VPC CIDR Blocks in AWS?
A CIDR block (Classless Inter-Domain Routing) is a notation used to define IP address ranges. When you create a VPC, you must specify an IP address range for the VPC in the form of a CIDR block.
What Are IPv4 VPC CIDR Blocks?
In AWS, the allowed IPv4 block size for a VPC is between a /16 netmask (65,536 IP addresses) and a /28 netmask (16 IP addresses). You can associate additional IPv4 CIDR blocks with the VPC.
What is CIDR Notation?
A typical CIDR notation is written as IP-address/prefix-length.
- IP address: The starting point of the IP range.
- Prefix length: A number between 0 and 32 that indicates how many bits of the IP address are used for the network portion. The remaining bits are used for the host portion.
Example:
10.0.0.0/16 provides a range of 10.0.0.0 to 10.0.255.255 (65,536 IPs).
AWS provides a set of IP address ranges designated for private use, which are specified by RFC 1918 and are not routable over the internet. These CIDR ranges are:
- 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
- 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
- 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
Note: The 172.17.0.0/16 CIDR range is used by some AWS services such as Cloud9 and SageMaker, so it is recommended not to use this range for your VPC.
IPv6 VPC CIDR Blocks Overview
When creating a new Virtual Private Cloud (VPC) on AWS, you have the option to associate an IPv6 CIDR block. You can either assign a single IPv6 CIDR block during VPC creation or up to five IPv6 CIDR blocks later. These blocks can range from /44 to /60, in increments of /4.
Key Points About IPv6:
- IPv6 Address Structure: IPv6 addresses are 128 bits long and are typically written in hexadecimal, divided into eight 16-bit groups separated by colons. For example:
  - 2001:db8:0000:0000:0000:0000:0000:0000
  - This is often abbreviated as 2001:db8:: to make it more readable.
- Prefix Length: In IPv6, the prefix length indicates how many bits are dedicated to the network portion of the address, similar to IPv4. The prefix length for IPv6 ranges from /0 to /128. For example:
  - 2001:db8::/32: This block includes IP addresses from 2001:db8:0000:0000:0000:0000:0000:0000 to 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff.
CIDR Block Association Guidelines for IPv6 in AWS:
- You can assign up to 5 IPv6 CIDR blocks per VPC.
- The IPv6 CIDR blocks you associate must range from /44 to /60.
- Non-overlapping requirement: Each IPv6 CIDR block associated with a VPC must not overlap with any other existing CIDR blocks in that VPC.
- Block size adjustment: Once a CIDR block is associated with a VPC, its size cannot be changed (increased or decreased).
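The IPv4 rules above (/16 to /28, RFC 1918 ranges, the 172.17.0.0/16 caveat) and the IPv6 association guidelines (/44 to /60, at most five blocks, no overlap) can be checked before you touch the console. The following is an added example written for this article, not AWS tooling; the limits are constants copied from the text, and the sample CIDRs are constructed.

```python
import ipaddress

# Limits as stated in this article (constructed constants, not an AWS API).
IPV4_PREFIX_RANGE = (16, 28)   # allowed IPv4 VPC block sizes
IPV6_PREFIX_RANGE = (44, 60)   # allowed IPv6 VPC block sizes
MAX_BLOCKS_PER_VPC = 5         # additional blocks per address family

# RFC 1918 private ranges, plus the range the article says AWS services use.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AWS_SERVICE_RANGE = ipaddress.ip_network("172.17.0.0/16")


def describe_block(cidr):
    """Return the first/last address and size of a CIDR block (v4 or v6)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {"first": str(net.network_address),
            "last": str(net.broadcast_address),
            "size": net.num_addresses,
            "version": net.version}


def check_vpc_cidr(cidr, existing=()):
    """Validate a candidate VPC CIDR against the rules in this article.

    `existing` holds CIDR strings already associated with the VPC.
    Returns a list of findings; an empty list means the block is acceptable.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        # strict=True rejects blocks with host bits set, e.g. 10.16.1.0/16
        return [f"invalid CIDR: {exc}"]
    findings = []
    lo, hi = IPV4_PREFIX_RANGE if net.version == 4 else IPV6_PREFIX_RANGE
    if not lo <= net.prefixlen <= hi:
        findings.append(f"prefix /{net.prefixlen} outside allowed /{lo}-/{hi}")
    if net.version == 4:
        if not any(net.subnet_of(r) for r in RFC1918):
            findings.append("not an RFC 1918 private range")
        if net.overlaps(AWS_SERVICE_RANGE):
            findings.append("overlaps 172.17.0.0/16 used by AWS services")
    # Overlap and count rules apply within the same address family only.
    same_family = [e for e in map(ipaddress.ip_network, existing)
                   if e.version == net.version]
    for block in same_family:
        if net.overlaps(block):
            findings.append(f"overlaps existing block {block}")
    if len(same_family) >= MAX_BLOCKS_PER_VPC:
        findings.append("VPC already has 5 blocks of this address family")
    return findings
```

Running check_vpc_cidr("10.16.0.0/20", existing=["10.16.0.0/16"]) reports the overlap that the console would reject, so planning mistakes surface before any resource is created.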
How to Manage CIDR Blocks of VPC?
How to Create Custom VPC?
Step 1: Log in to your AWS account and go to VPC.
Step 2: In the VPC console, click Your VPCs and then Create VPC.
Step 3: On the Create VPC page, give your VPC a name. Make sure IPv4 CIDR manual input is selected.
Step 4: Now give the IPv4 CIDR you want for your custom VPC. For this demo, I am using 10.16.0.0/16.
Step 5: For IPv6 CIDR block, select Amazon-provided IPv6 CIDR block to assign IPv6 addresses to your VPC.
Step 6: Leave everything else at its default and click the Create VPC button.
After the VPC is created, you should see a page like the one below that lists the VPC's IPv4 and IPv6 CIDR blocks.
How to Edit CIDR blocks?
- You can add both IPv4 and IPv6 CIDR blocks to an existing VPC, and you can also remove CIDR blocks.
- On your custom VPC's page, open the Actions menu and choose Edit CIDRs. This opens a page where you can add CIDR blocks, just as on the creation page, and remove them.
Key Features of AWS VPC (Virtual Private Cloud)
1. VPC is a Regional Service
- Region-specific infrastructure: AWS VPC operates on a regional level, meaning each VPC is created within a specific AWS region (such as US-East-1 or EU-West-1). Resources and services within the VPC are confined to that region, but you can set up cross-region communication through services like AWS Transit Gateway or VPN connections.
- High availability: By leveraging multiple Availability Zones (AZs) within a region, you can design a highly available and fault-tolerant architecture. Each AZ functions as a separate data center, so distributing your resources across multiple AZs ensures resilience in case of a failure in one zone.
2. Default Isolation from the Internet
- Secure by design: When you create a VPC, all resources inside are completely isolated from the internet by default. This allows you to have full control over what services are exposed to the public internet and what remains private. By isolating resources initially, AWS ensures that no external traffic can access your resources unless explicitly permitted.
- Custom internet access: You can create a public subnet by attaching an Internet Gateway (IGW) to the VPC. Only resources within the public subnet can interact with the internet. For private subnets, you can configure NAT gateways or instances to allow outbound internet access without making the resources publicly accessible.
3. Customizable IP Address Ranges
- Flexible IP allocation: AWS allows users to define custom IP address ranges for their VPC using Classless Inter-Domain Routing (CIDR). This gives you the flexibility to set the range of IP addresses for your VPC based on your network architecture. You can choose the size of the CIDR block, from /16 to /28 for IPv4, giving you between 16 and 65,536 IP addresses.
- Multiple CIDR blocks: If your VPC grows and requires more IP addresses, you can associate additional CIDR blocks (up to 5 for both IPv4 and IPv6) to expand your network’s IP range. However, overlapping IP ranges are not allowed.
4. Security Features
- Security Groups: AWS VPC provides stateful firewalls called Security Groups to control inbound and outbound traffic at the instance level. Security Groups act as virtual firewalls, allowing or denying traffic based on defined rules. They can be applied to EC2 instances, RDS databases, and other services.
- Network Access Control Lists (NACLs): VPCs also support stateless NACLs that provide an additional layer of security at the subnet level. You can define rules for inbound and outbound traffic for entire subnets, offering another layer of protection beyond Security Groups.
- Flow logs: You can capture detailed information about the traffic going in and out of network interfaces within your VPC using VPC Flow Logs. These logs are useful for monitoring, troubleshooting, and security audits.
5. Subnet Segmentation
- Public and private subnets: VPCs allow the division of resources into public and private subnets. Public subnets are accessible to the internet (via Internet Gateway), while private subnets are isolated and used for internal services. This architecture allows you to run public-facing applications and internal services like databases or application servers securely.
- Subnet creation in multiple AZs: You can create subnets in different Availability Zones to increase redundancy and availability.
6. Route Tables for Custom Routing
- Custom routing: AWS VPC allows you to define custom routes using route tables, which control where network traffic is directed. You can create custom routes to direct traffic between subnets, internet gateways, NAT gateways, and other AWS services like VPNs or VPC peering connections.
- Private connectivity: VPC enables secure, private communication with AWS services through VPC Endpoints, allowing you to access services like S3 and DynamoDB without going over the internet.
7. Elastic IPs
- Static public IPs: With AWS VPC, you can assign Elastic IP addresses to your resources, which provide a static public IP. These IPs can be reassigned in case of instance failure, ensuring high availability for applications.
8. Integration with Other AWS Services
- Seamless integration: AWS VPC integrates easily with other AWS services, such as EC2 for virtual servers, RDS for managed databases, ELB for load balancing, and Auto Scaling. You can design a complete cloud infrastructure within your VPC that supports both compute and storage services.
- Hybrid connectivity: VPC allows you to connect your on-premises networks to AWS via VPN or AWS Direct Connect, enabling hybrid cloud architectures.
9. VPC Peering and Transit Gateway
- VPC Peering: You can connect two VPCs together through VPC peering, allowing them to communicate with each other as if they were on the same network. This is useful for connecting multiple applications or environments across different VPCs.
- Transit Gateway: For more complex networks, you can use AWS Transit Gateway, which simplifies connecting multiple VPCs and on-premises networks through a single gateway.
10. High Availability and Fault Tolerance
- Multi-AZ deployment: By leveraging multiple Availability Zones (AZs), you can design highly available applications. Distributing your resources across multiple AZs ensures that your applications remain available even if one zone experiences a failure.
- Backup and Disaster Recovery: VPC integrates with AWS services like Amazon S3 and Amazon EBS to provide backup solutions for data storage and disaster recovery strategies.
Conclusion
In this article, we have learnt about AWS VPC, its components, and the CIDR blocks of a VPC. We have also created a custom VPC and assigned IPv4 and IPv6 CIDR blocks to it.