Amazon VPC Concepts

From NovaOrdis Knowledge Base

External

Internal

Overview

Amazon VPC provides a logically isolated section of the AWS Cloud where AWS resources run in a private virtual network.

Virtual Private Cloud (VPC)

A VPC is a virtual network dedicated to an AWS account and logically isolated from other virtual networks in the AWS Cloud. It can be thought of as an isolated portion of the AWS Cloud populated by AWS objects, such as Fargate tasks. The VPC has a primary IP address range, specified as a CIDR block. A VPC uses subnets, security groups and route tables. Each VPC has a main route table.

VPC ID

Primary IP Address Range (CIDR Block)

When the VPC is created, a range of IPv4 addresses in the form of a Classless Inter-Domain Routing (CIDR) block must be provided for the VPC. This is the primary CIDR block for the VPC. Example: 10.0.0.0/16.

Default VPC

Only one VPC per account is the default VPC.

CIDR Block

VPC IP Addressing
10.0.0.0/16

Block sizes must be between /16 netmask and /28 netmask.

CIDR

VPC and Availability Zones

A VPC spans all the availability zones in the region. Subnets can be added within an availability zone.

Tenancy

Elastic Network Interface (ENI)

Elastic Network Interfaces

A VPC cannot be deleted if a network interface attached to it is in use.

Elastic IP Address

Elastic IP Addresses

Elastic IP addresses are used by:

Availability Zone

An availability zone is a distinct location that is engineered to be isolated from failures in other availability zones.

Subnet

VPC and Subnets

A subnet is a range of IP addresses in the Virtual Private Cloud (VPC) that can be used to isolate different EC2 resources or ECS services from each other, within the same VPC, or from the Internet. The range of IP addresses in the subnet must be a subset of the IP address range of the VPC (otherwise the subnet is said to be not within range of the VPC CIDR). Block sizes must be between /16 netmask and /28 netmask. The size of the subnet can equal the size of the VPC. Each subnet resides in one Availability Zone. Subnets enable you to group instances based on security and operational needs.

To enable instances in a subnet to reach the Internet and AWS services, you must add an Internet gateway to the VPC and associate the subnet with a route table that has a route to the Internet.

Example:

subnet-53993c24: 172.31.16.0/20

A subnet has a route table.

Subnet ID

Each subnet has a unique ID.

Public Subnet

If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet.

Private Subnet

If a subnet does not have a route to an internet gateway, it is known as a private subnet.

VPN-Only Subnet

If a subnet does not have a route to an internet gateway, but has its traffic routed to a virtual private gateway for a site-to-site VPN connection, it is known as a VPN-only subnet.
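As an added example (not part of this wiki page or of any AWS tooling), the following Python script applies the subnet rules above to a constructed VPC layout: each subnet CIDR must fall within the VPC CIDR and use a /16 to /28 prefix, and a subnet is public, VPN-only or private depending on whether its route table points at an internet gateway (igw-), a virtual private gateway (vgw-) or neither. The VPC CIDR, subnet IDs and route targets are constructed sample values, not real resources.

```python
import ipaddress

# Constructed sample VPC and subnets (not real AWS resources); IDs are placeholders
# in AWS's format. Each subnet carries the destination -> target routes of its route table.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "subnet-public-a":  {"cidr": "10.0.0.0/24", "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0a1b2c3d"}},
    "subnet-private-a": {"cidr": "10.0.1.0/24", "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0a1b2c3d"}},
    "subnet-vpn-a":     {"cidr": "10.0.2.0/28", "routes": {"10.0.0.0/16": "local", "192.168.0.0/16": "vgw-0a1b2c3d"}},
    "subnet-bad-range": {"cidr": "10.1.0.0/24", "routes": {"10.0.0.0/16": "local"}},
    "subnet-bad-size":  {"cidr": "10.0.3.0/30", "routes": {"10.0.0.0/16": "local"}},
}

def validate_cidr(vpc_cidr, subnet_cidr):
    """Return a list of rule violations for one subnet CIDR within its VPC."""
    # strict=True rejects a CIDR whose host bits are set (e.g. 10.0.0.1/24).
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    problems = []
    # Block sizes must be between /16 and /28; the subnet may be as large as the VPC.
    if not 16 <= subnet.prefixlen <= 28:
        problems.append(f"{subnet_cidr}: prefix /{subnet.prefixlen} outside /16../28")
    # The subnet range must be a subset of the VPC range.
    if not subnet.subnet_of(vpc):
        problems.append(f"{subnet_cidr}: not within VPC CIDR {vpc_cidr}")
    return problems

def classify_subnet(routes):
    """Classify a subnet as public, vpn-only or private from its route targets."""
    targets = list(routes.values())
    if any(t.startswith("igw-") for t in targets):
        return "public"      # traffic routed to an internet gateway
    if any(t.startswith("vgw-") for t in targets):
        return "vpn-only"    # no IGW route, but traffic routed to a virtual private gateway
    return "private"         # no route to an internet gateway (a NAT route alone is still private)

def audit(vpc_cidr, subnets):
    """Return {subnet_id: (classification, [problems])} for every subnet."""
    return {sid: (classify_subnet(spec["routes"]), validate_cidr(vpc_cidr, spec["cidr"]))
            for sid, spec in subnets.items()}

if __name__ == "__main__":
    for sid, (kind, problems) in audit(VPC_CIDR, SUBNETS).items():
        print(f"{sid:18} {kind:9} {'OK' if not problems else '; '.join(problems)}")
```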

Route Table

Route Tables

Each subnet must be associated with a route table (rtb-06b77e9d9e4f73f50), which specifies the allowed routes for outbound traffic leaving the subnet. Every subnet is automatically associated with the VPC's main route table.

VPC Main Route Table

Gateways

Internet Gateway

An internet gateway enables communication over the internet. An internet gateway is attached to the VPC.

Egress Only Internet Gateway

NAT Gateway

NAT Gateways

NAT Gateways provide external access for private subnets. For example, if ECS tasks are running in private subnets, external access needs to be added so the tasks can pull their container images from the corresponding ECR repositories. To enable external access, a NAT Gateway needs to be created. Importantly, the NAT Gateway must reside in a public subnet, that is, one whose route table has a route to an internet gateway.

NAT Gateway Operations

Virtual Private Gateway

Virtual Private Network (VPN) Connection

A VPN connection enables communication between cooperating networks, such as a VPC and a corporate network.

Security

VPC Security

Security Group

Network Access Control List (ACL)

VPC and DNS

VPC and DNS

Instances executing in a default VPC are provided with a public and a private DNS name, which correspond to the public and private IPv4 addresses of the instance, respectively.

Instances executing in a non-default VPC are provided with private DNS names, which correspond to the private IPv4 address of the instance. The instances may also be provided with public DNS names, which correspond to the public IPv4 address of the instance, if the following configuration attributes are set to true:

enableDnsHostnames

If set to true, the instances launched in this VPC get public DNS names (but only if enableDnsSupport is also set to true).

enableDnsSupport

If set to true, the VPC supports DNS resolution.

Private Hosted Zones for VPC

To use private hosted zones, set enableDnsHostnames and enableDnsSupport to true when creating the VPC. Also see:

Private Hosted Zone