Virtual Private Cloud

(VPC)
By Bhupinder Rajput
Virtual Private Cloud (VPC)
• A VPC is a virtual network that closely resembles a traditional networking that we
operate in our own Data Centre, with the benefits of using the scalable
infrastructure of AWS.
• To Simply say VPC is a Virtual Network or Data Center inside AWS for one client.
• It is logically isolated from other virtual n/w in the AWS Cloud.
• Max 5 VPC can be created inside one region and 200 subnets in 1 VPC.
• We can allocate max 5 elastic IPs.
• Once we created a VPC, DHCP, NACL and Security Group will be automatically
created.
• A VPC is confined to an AWS region and does not extend between regions.
• Once the VPC is created, we cannot change its CIDR, Block Range.
• If you need a different CIDR Size, Create a New VPC.
• The different subnets within a VPC can't overlap.
• We can however expand our VPC CIDR by adding new /extra IP Address Ranges
(Except American Gov Cloud & AWS China). 2
Components of VPC

CIDR & IP Implied Virtual

Internet Security Peering
Address router & Network ACL private Elastic IP
gateway groups connections
Subnets, routing table gateway

4
Types of VPC

Default VPC Custom VPC

Created in each AWS Region when an AWS Is an AWS Account Admin creates.
Account is created.

AWS user creating custom vpc can decide the

CIDR.
Has Default CIDR, Security Group, NACL and
Route Table Settings.
Has its own Default Security group, NACL
and Route Table.

Has an Internet Gateway by Default. Does not have an Internet Gateway by

Default, one needs to be created when
needed.

5
Steps to Create VPC

Create Internet Route

Subnet
VPC Gateway Table

6
Components of VPC
Public Subnet

• If a subnets traffic is routed to an Internet Gateway, the Subnet is known as Public Subnet.
• If we want our instance in a public subnet to communicate with the internet over IPv4, it must
have a Public IPv4 Address or an Elastic IP address.

Private Subnet

• If a subnet does not have a route to the Internet Gateway, the Subnet is Known as a Private
Subnet.
• Note : When we create a VPC, We must specify an IPv4 CIDR Block for the VPC.
The allowed block size is between /16 to /28 and the first four & last IP Address of a subnet
cannot be assigned
• Eg: 10.0.0.0/24 address following are reserved as follows:
• 10.0.0.0 --->Network Address
• 10.0.0.1--->Reserved by AWS for the VPC Router.
• 10.0.0.2--->Reserved by AWS, The IP Address of DNS Server.
• 10.0.0.3--->Reserved for future use.
• 10.0.0.255--->Broadcast Address.
• Aws does not support broadcast in a VPC, but reserves the address. 7
Components of VPC
Implied Router & Route Table Internet Gateway (IGW)

• It is the central routing function. • An IGW is virtual router that connects a VPC to
• It connects the different AZ together and the internet.
connects the vpc to the internet gateway. • Default vpc is already attached with an IGW.
• We can have upto 200 route tables per vpc. • If we create a new VPC then we must attach the
• We can have upto 50 route entries per route IGW in order to access the internet.
table. • Ensure that our subnet's route table points to the
• Each subnet must be associated with only one internet gateway.
route table at any given time. • It performs nat between our private and public
• If we do not specify a subnet to route IPv4 address.
table association,the subnet will be associated • It supports both ipv4 and IPv6.
with the default vpc route table.
• We can also edit the main route table if we need,
but we cannot delete main route table.
• However we can make a custom route table
manually, make it the main route table then we
can delete the former main, as it is no longer a
main route table.
• We can associate multiple subnets with the
same route table 8
Components of VPC
NAT Gateway : Also does PAT(Port Address translation) Security Groups

• We can use a network address translation gateway to • It is a virtual firewall works at ENI (Elastic Network Interface)
enable instances in a private subnet to connect to the level.
internet or other AWS Services, but prevent the internet • Upto 5 security gropus per EC2 instances interface can be
from initiating a connection with those instances. applied.
• We are charged for creating and using nat gateway in • Can only have permit rules, cannot have deny rule.
our account.NAT gateway hourly usage and data purchase • Stateful (If inbound allowed then automatically outbound is
rates apply. Amazon ec2 charges for data transfer also also allowed and vice versa) : return traffic is allowed
apply. then inbound traffic is also allowed, even if there are no
• To create a NAT Gateway, we must specify the public rules to allow it.
subnet in which NAT gateway reside.
• We must also specify an elastic IP Address to associate
with NAT Gateway when we create it.
• No need to assign public IPs to our private instances.
• After we have created a NAT gateway we must update the
route table associated with one or more of our private
subnets to point internet bound traffic to the NAT Gateway.
• This enables instances in your private subnets to
communicate with the internet.
• Deleting a NAT Gateway, disassociates its Elastic IP
address, but does not releases the address from your
account.
9
Components of VPC

10
Components of VPC
Network ACL

•It is a function performed on the implied router.

•NACL is an optional layer of security for our VPC that acts as a firewall for controlling traffic in and
out of one or more subnets.
•Our VPC automatically comes with a modifiable default NACL. By default, it allows all inbound and
outbound IPv4 traffic and if applicable, IPv6 traffic.
•We can create a custom NACL and associate it with a subnet.
•By default each custom NACL denies all inbound and outbound traffic untill we add rules.
•Each subnet in your VPC must be associated with a NACL. If we dont explicitly associate a subnet
with a NACL, the subnet is automatically associated with the default NACL.
•We can associate NACL with multiple subnet, however a subnet can be associated with only one
NACL at a time. When we associate a NACL with a subnet, the previous association is removed.
•A NACL contains a numbered list of rules that we evaluate in order, starting with the lowest
numbered rule.
•The highest number that we can use for a rule is 32766. Recommended that we start by creating
rules with rule numbered that are multiples of 100,so that we can insert new rules where you need
later.
•It functions at the subnet level.
•NACl are stateless,outbound traffic for an allowed inbound traffic, must be explicitly allowed too.
•We can have permit and deny rules in a NACL.
11
Components of VPC
Diff between Security Groups & NACL

• Security group Operate at instance level

and NACL operates at subnet level.
• SG support allows rules only
and NACl permits allow as well as deny
rules.
• SG is stateful,return traffic is
automatically allowed
and NACl is stateless,return traffic must
be explicitly allowed by rules.
• SG applies to an instance only
and NACL applies to all instances in this
subnet.
12
Components of VPC
VPC Peering

• A VPC Peering connection is a networking connection between two VPC that

enables us to route traffic between them using private IPv4 Addresses or IPv6
Addresses.
• Instances in either vpc can communicate with each other as if they are within
the same network.
• We can create a vpc peering connection between our own vpc, or with a vpc in
another aws account.The vpc can be in diff region.
• Transitive peering is not possible i.e if vpc-A peers with vpc-B and vpc-B peers
with Vpc-C, but by default vpc-A is not peered with vpc-C.

VPC Endpoint

• A VPC Endpoint enables us to privately connect our vpc to

supported aws services.Instances in our vpc do not require public ip address to
communicate with resources in the services.
• Endpoint is a virtual device. 13
Components of VPC
Virtual Private Gateway, Customer Gateway & Site-
to-Site VPN connection
• By default,instances that we launch into an Amazon
VPC cant communicate with our own(our corporate or home
network) Network. To enable the communication we have to establish
site to site VPN connection.
• VPN Connection : A secure connection between our on-premises
equipment and our VPC's.
• VPN Tunnel : An encrypted link where data can pass from the
customer network to or from AWS. Each VPN connection include two
VPN tunnels which we can simultaneously use for high availability.
• Customer Gateway : An AWS resource which provides information to
AWS about our customer gateway device.
• Customer Gateway Device : A physical or software app on customer
side.
14
Configuring NAT instance
✓ Configuring NAT instance for Private Subnets & Internet Access:-
▪ We can use a NAT instance in a public subnet in our VPC to enable instances in the
private subnet to initiate outbound IPv4 traffic to the internet or other AWS services,
but prevent the instances from receiving inbound traffic initiated by someone on
the internet.

▪ Note : NAT is not supported for ipv6 traffic -use an egress only internet gateway

15
Steps to Make Connection
Create two VPC's-One in Mumbai and another in Singapore(customer end).

Create one linux machine in both the VPC, take RDP of it(Security Group-SSH,TCP,ICMP).

Now go to mumbai region --Create Virtual Private Gateway.

Now Create customer gateway---Enter Public IP of Singapore EC2 instance.

Create Site to site VPN Connection,Add subnet of customer end.

Now go to route tables ----Route Propagation.

Site to site VPN----Download Configuration.

Now go to Singapore region take access of ec2 using putty. 16

Thanks!
Any questions?

Technical Guftgu
[email protected]

17