Amazon VPC Concepts

From NovaOrdis Knowledge Base
Revision as of 01:40, 17 January 2023 by Ovidiu (talk | contribs) (→‎VPC Endpoints)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

External

Internal

Overview

Amazon VPC provides a logically isolated section of the AWS Cloud where AWS resources run in a private virtual network.

AmazonVPC.png

VPCs are essential to EC2-VPC, which is an Amazon Elastic Compute Cloud platform that is aimed at launching AWS resources into a VPC.

Virtual Private Cloud (VPC)

VPC IP Addressing

A VPC is a virtual network dedicated to an AWS account and logically isolated from other virtual networks in the AWS Cloud. It can be thought of as an isolated portion of the AWS Cloud populated with private AWS resources, such as Fargate tasks. VPC allows direct control over the networking environment: selecting IP address ranges, creating subnets, configuring routing and access control lists.

The VPC has a primary IP address range, specified as a CIDR Block, such as 10.0.0.0/16 or 10.7.0.0/16. Block sizes must be between /16 netmask and /28 netmask. More details about the CIDR.

A VPC uses subnets, route tables and security groups to segregate and route IP traffic. Each VPN has a default router configured based on the main route table.

A VPC spans all availability zones in a region. A VPC cannot span multiple regions. A subnet can belong to one and only one availability zone.

External access to internet can be provided by configuring an internet gateway. The VPC can be connected to a VPN with a virtual private gateway.

The full list of resources that are associated (internal) to a VPC and that get deleted if the VPC containing them is deleted is:

  • Subnets
  • Security Groups
  • Network ACLs
  • Internet Gateways
  • Egress Only Internet Gateways
  • Route Tables
  • Network Interfaces
  • Peering Connections
  • Endpoints

VPC ID

VPC Name

The name of the VPC can be specified by setting the "Name" tag, as shown here.

Primary IP Address Range (CIDR Block)

When the VPC is created, a range of IPv4 addresses in the form of a Classless Inter-Domain Routing (CIDR) block must be provided for the VPC. This is the primary CIDR block for the VPC. Example: 10.0.0.0/16.

Default VPC

Only one VPC per account is the default VPC.

Tenancy

The instance tenancy can be "default" or "dedicated". The default behavior is that instances can be launched with any tenancy. If the tenancy is configured as "dedicated", any instance launched into the VPC automatically has dedicated tenancy, unless it was explicitly launched with the default tenancy. Note that updating instance tenancy from "default" to "dedicated" requires replacement of the VPC.

Elastic Network Interface (ENI)

Elastic Network Interfaces

A VPC cannot be deleted if a network interface attached to it is in use.

Elastic IP Address

Elastic IP Addresses
IP Addressing in Your VPC

An Elastic IP address is a public IPv4 address, which is reachable from the internet. If an EC2 instance is associated with an Elastic IP, that instance can communicate with the internet. With an Elastic IP address, the failure of an instance or a service can be masked by rapidly remapping the address to another instance in the same account. An elastic IP address seems to be a public routable address from Amazon's pool and logic to adjust VPC routing dynamically: the elastic IPv4 address is accessed through the internet gateway of your VPC. An elastic IP address can be associated with only one resource at a time, so if it is associated with another resource, it must first disassociate it: think of elastic IP addresses as resources that have to be provisioned and must be released, reused and deleted when they're not needed anymore.

Elastic IP addresses are used by:

Publicly Routable IP Address

Scope

"vpc" for VPC elastic IP addresses.

Allocation ID

The allocation ID is an attribute of an elastic IP address assigned by AWS, representing the allocation of the address for use a VPC. This attribute has values only for VPC elastic IP addresses. The allocation ID can be obtained from the elastic IP address in CloudFormation templates with:

AllocationId: !GetAtt MyElasticIP.AllocationId

Association ID

Private IP Address

Network Interface ID

Network Interface Owner ID

Elastic IP Address Operations

DNS

A VPC has the capability to resolve DNS addresses. This capability is configured when the VPC is created, and can be updated without interruption after that. If the option to resolve DNS names is turned on, the Amazon DNS server resolves DNS hostnames for instances deployed in the VPC.

DNS Hostname Generation

Instances launched in a VPC may get hostnames, if the capability is explicitly configured (by default, it is not). The capability can be turned on only if DNS support is enabled.

VPC Operations

CIDR Block

Aside from the primary CIDR block, VPCs can have additional CIDR blocks associated with them. The CIDR blocks associated with a VPC can be obtained describing the VPC:

{
  "VpcId": "vpc-09999999999999999",
  "CidrBlock": "10.2.0.0/16",
  [...]
  "CidrBlockAssociationSet": [
  {
     "AssociationId": "vpc-cidr-assoc-09999999999999999",
     "CidrBlock": "10.2.0.0/16",
     "CidrBlockState": {
        "State": "associated"
     }
  },
  {
     "AssociationId": "vpc-cidr-assoc-08888888888888888",
     "CidrBlock": "10.20.0.0/16",
     "CidrBlockState": {
        "State": "associated"
      }
  }
 ],
...
}

CIDR Block Operations

Subnet

A subnet is a range of IP addresses in the Virtual Private Cloud (VPC) that can be used to isolate different EC2 resources or ECS services from each other, within the same VPC, or from the Internet. Subnets enable you to group instances based on security and operational needs. Each subnet can belong to one and only one VPC. Each subnet can belong to one and only one availability zone, and it cannot span zones. The availability zone can be specified when the subnet is created, but it is not required. If not specified, AWS will select an availability zone. The documentation says this is the recommended behavior. However, we found that if we let AWS pick the availability zone, two subnets might end in the same availability zone, and if there's an application load balancer that uses those subnets, the application load balancer will fail to start. For this reason, we prefer to explicitly select availability zones. Each subnet has a subnet ID: subnet-53993c24: 172.31.16.0/20.

The range of IP addresses in the subnet must be a subset of the VPC primary IP range, otherwise it is said that the subnet is not within range of the VPC CIDR. Block sizes must be between /16 netmask and /28 netmask. The size of the subnet can equal the size of the VPC.

To enable instances in a subnet to reach the Internet and AWS services, you must add an Internet gateway to the VPC and a route table with a route to the Internet to the subnet. It is also possible to allow an instance hosted in the VPC to initiate outbound connections to the internet over IPv4 but prevent unsolicited inbound connection from the internet, by using a NAT gateway. The IPv6 equivalent is an Egress-only internet gateway.

A subnet has a route table.

Relationship between VPC and Subnets

How Does a Subnet Work?
VPC and Subnets

VPC Main route table and any custom route table contain an unremovable route that allows any subnet to route to any other subnet with the same VPC. The route maps the primary VPC address range to "local".

Subnet ID

Each subnet has a unique ID.

Subnet Types

Regardless of the type of subnet, the internal IPv4 address range of the subnet is always private, it is not routed.

Public Subnet

If a subnet's explicit or implicit route table contain a route, usually 0.0.0.0/0, to an internet gateway, the subnet is known as a public subnet. A subnet can auto-assign public IPv4 address. Does that make it a public subnet?

Private Subnet

If a subnet does not have a route in its explicitly associated route table or, if not implicitly associated, in the VPC main route table to an internet gateway, it is known as a private subnet. Usually the route to the gateway is 0.0.0.0/0. Subnets that have routes to NAT gateways are still considered private subnets. An instance in a private subnet is not publicly accessible even if it has an Elastic IP address or a public IP address associated with it, because the IP address is not routed to the subnet.

VPN-Only Subnet

If a subnet does not have a route to an internet gateway, but has its traffic routed to a virtual private gateway for a site-to-site VPN connection, it is known as a VPN-only subnet.

Subnet Security

VPC Security

AWS provides two features that can be used to secure the VPC:

Security Groups

Security groups control inbound and outbound traffic for instances.

Network ACLs

Network ACLs

Network ACLs control inbound and outbound traffic for subnets. Each subnet must be associated with a network ACL.

Mapping Public IP Addressed on Launch

A subnet can be configured so instances that are launched in this subnet receive a public IP address. By default, the behavior is turned off.

Subnet Operations

Route Table

Route Tables

A route table is a set of rules, called routes, that are used to determine where network traffic is directed. Each route specifies a destination CIDR and a target - the most specific routes that match are used to determine how to route the traffic. This is called "the longest prefix match" rule. Every route table contains a local route for communication within the VPC over IPv4. If the VPC has more than one IPv4 CIDR block, the route tables contain a local route for each IPv4 CIDR block.

A subnet must be associated with one and only one route table, but one route table can be associated with multiple subnets. If no route table is explicitly associated with the subnet, the subnet is implicitly associated with the VPC main route table. It is said to be implicitly associated because the VPC main route table does not list the subnet amongst those subnets it was explicitly associated with. It does show it in a separated list, with the following caption "the following subnets have not been explicitly associated with any route tables and are therefore associated with the main route table".

The subnet's route table, whichever it is, controls routing for the subnet.

Any route table comes with the a rule similar to:

10.7.0.0/16 -> local

The rule lists the primary IP address range of the VPC, as a CIDR block, with a "local" target. This rule cannot be deleted. This rule means that any subnet will be routed by default to any subnet within the VPC.

CIDR blocks for IPv4 and IPv6 are treated separately. For example, a route with a destination CIDR of 0.0.0.0/0 (all IPv4 addresses) does not automatically include all IPv6 addresses. You must create a route with a destination CIDR of ::/0 for all IPv6 addresses.

VPC Main Route Table

The VPC main route table is the default route table for the VPC - all VPC subnets are implicitly associated with it, unless they are explicitly associated with other route tables. The routes in the main route table can be modified. One way to protect a VPC is to leave the main route table in its original default state, with only the local route, and explicitly associate each new subnet with custom route tables. This gives control over how each subnet routes outbound traffic.


Main Router

The VPC has an implicit, main router configured based on the VPC main route table

Gateways

When an Internet gateway, an egress-only Internet gateway, a virtual private gateway, a NAT device, a peering connection, or a VPC endpoint is added in the VPC, the route table for any subnet that uses these gateways or connections must be updated.

Internet Gateway

Route Tables for an Internet Gateway
Internet Gateways

An internet gateway enables communication over the internet. An internet gateway is attached to the VPC.

To give a subnet access to internet, add a route with a destination of 0.0.0.0/0 for IPv4 traffic or ::/0 for IPv6 traffic, and a target of the Internet gateway ID (igw-xxxxxxxx).

VPC-Gateway Attachment

An internet gateway is not attached with any VPC after creation, an AWS::EC2::VPCGatewayAttachment resource must be created to attach the internet gateway to a VPC.

Internet Gateway Operations

NAT Gateway

Route Tables for a NAT Device
NAT Gateways

NAT Gateways provide external access for private subnets. For example, if ECS tasks are running in private subnets, external access needs to be added so the task can pull the associated container images from their corresponding ECR repositories. One way to enable external access, without allowing unsolicited inbound connections is to create and use a NAT gateway. To enable instances in a private subnet to connect to the Internet, you can create a NAT gateway or launch a NAT instance in a public subnet, and then add to the route table associated with the private subnet a route that routes IPv4 Internet traffic (0.0.0.0/0) to the NAT device.

Elastic IP

A NAT gateway must be associated an elastic IP address, which is routable on the Internet. Even if the NAT gateway gets its elastic IP address, it still needs to be deployed behind an internet gateway so that public IP address is routed. That means the NAT must be deployed in a public subnet, has the routing configured to route the elastic IP of the NAT gateway externally to the internet. The private subnets that want unidirectional outbound internet connectivity will route to the NAT gateway. The NAT gateway is reachable over its private IP address, which is routed - and reachable - inside the VPC.

The NAT is associated with the elastic IP in CloudFormation using the "AllocationId" attribute, as follows:

Resources:
 NATGateway:
   Type: AWS::EC2::NatGateway
   Properties: 
      ...
      AllocationId: !Ref ElasticIP

NAT Gateway Operations

Egress Only Internet Gateway

The IPv6 equivalent of NAT gateway.

Virtual Private Gateway

Virtual Private Network (VPN) Connection

A VPN connection enables communication between cooperating networks, such as a VPC and a corporate network.

Security

VPC Security

Security Group

A security group acts as a virtual firewall for instances. The security group controls inbound and outbound traffic. You can specify one or more security groups when you launch an instance. A security group contains a set of rules that control the inbound traffic and a different set of rules that control the outbound traffic. All other traffic is discarded.

The rules can be modify at any time; the new rules are automatically enforced - it is sufficient to add a new rule with the CLI or via the management interface and the rule takes effect immediately, without requiring instance reboots.

Security group.png

There is an upper limit for both inbound rules (60) and outbound rules per security group. The limit can be changed through the Service Quotas service by navigating to Service Quotas → AWS services → Amazon Virtual Private Cloud (Amazon VPC) → Inbound or outbound rules per security group.

Security Group ID

Security Group Operations

Network Access Control List (ACL)

VPC and DNS

VPC and DNS

Instances executing in a default VPC are provided with a public and private DNS name, which correspond to the private and public IPv4 addresses of the instance.

Instances executing in a non-default VPC are provided with private DNS names, which correspond to the private IPv4 address of the instance. The instances may be provided with public DNS names, which correspond to the public IPv4 of the instance, if the following configuration attributes are set to true:

enableDnsHostnames

If set to true, the instances launched in this VPC get public DNS names (but only if enableDnsSupport is set to true.

enableDnsSupport

If set to true, the VPC supports DNS resolution.

Private Hosted Zones for VPC

To use private hosted zones, set enableDnsHostnames and enableDnsSupport to true when creating the VPC. Also see:

Private Hosted Zone

VPC Quotas and Limits

https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html

PrivateLink

https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-service.html
https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/aws-privatelink.html

AWS PrivateLink provides secure, private connectivity between Amazon VPCs, AWS services, and on-premises applications, using the the private AWS network.

VPC Endpoints

https://docs.aws.amazon.com/whitepapers/latest/aws-privatelink/what-are-vpc-endpoints.html

A VPC endpoint enables customers to privately connect to supported AWS services and VPC endpoint services relying on AWS PrivateLink. Amazon VPC instances do not require public IP addresses to communicate with resources of the service. Traffic between an Amazon VPC and a service does not leave the Amazon network.

Relationship between Direct Connect and PrivateLink

AWS Direct Connect Concepts | Relationship between Direct Connect and PrivateLink