UNIT 6

Published by Teamlease Edtech Ltd (Amita Chitroda), 2022-03-28 09:27:53


AWS Fundamentals: Amazon Virtual Private Cloud and Networking

UNIT 6: AMAZON VIRTUAL PRIVATE CLOUD AND NETWORKING

Structure
6.1 Learning Objectives
6.2 Introduction To VPC
6.3 Subnet Types
6.4 Internet Gateways
6.5 Route Tables
6.6 NAT Gateway
6.7 Security Groups
6.8 Network ACLs
6.9 VPC Best Practices
6.10 VPC Security
6.11 Cost
6.12 Summary
6.13 Glossary
6.14 References

6.1 Learning Objectives

After studying this unit, you will be able to:
• Understand Amazon VPC.
• Define the AWS subnet types.
• Create subnets in a VPC.
• Describe internet gateways.
• Define NAT gateways.
• Explain route tables.
• Describe network ACLs.
• Understand VPC best practices.

6.2 AMAZON VIRTUAL PRIVATE CLOUD

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefit of using the scalable infrastructure of AWS.

Amazon Virtual Private Cloud lets you create your own logically isolated set of Amazon EC2 instances and connect it to your existing network using an IPsec VPN connection. Enterprise customers are able to access the Amazon Elastic Compute Cloud (EC2) over an IPsec-based virtual private network. This new offering lets you take advantage of the low cost and flexibility of AWS while leveraging the investment you have already made in your IT infrastructure.

When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. This is the primary CIDR block for your VPC. A VPC spans all of the Availability Zones in the Region. The following diagram shows a new VPC with an IPv4 CIDR block.

Page 1 of 8 All Rights Reserved. Vol. TLE001/03-2022
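To make the CIDR planning concrete, here is an added Python example that is not part of this unit's text: it validates a primary VPC CIDR block, carves one subnet per tier and Availability Zone out of it in order, checks the result for overlaps, and reports how many addresses each subnet leaves for instances. The /16 to /28 limit on a VPC block and the five addresses AWS reserves in every subnet are taken from AWS documentation rather than from this unit; the Availability Zone names and the public/private tier labels are constructed sample input.

```python
"""Plan a VPC address space: validate the primary CIDR block and carve
per-Availability-Zone subnets out of it without overlaps.
Added example; the limits below come from AWS documentation, not this unit."""
import ipaddress

# A VPC's IPv4 CIDR must be between /16 and /28 (AWS documentation).
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28
# AWS reserves the first four addresses (network, VPC router, DNS, future use)
# and the last address (broadcast) of every subnet (AWS documentation).
RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Return the canonical network for a VPC CIDR, or raise ValueError."""
    # strict=False clears any host bits, e.g. 10.0.5.7/16 -> 10.0.0.0/16
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        raise ValueError("only IPv4 primary CIDR blocks are handled here")
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(
            f"{cidr}: VPC prefix must be between /{VPC_MIN_PREFIX} and /{VPC_MAX_PREFIX}"
        )
    return net


def plan_subnets(vpc_cidr: str, azs: list, tiers=("public", "private"), prefix: int = 24) -> dict:
    """Carve one subnet per (tier, Availability Zone) pair out of the VPC block.

    Returns a mapping such as {"public-us-east-1a": "10.0.0.0/24", ...}.
    Raises ValueError when the VPC block cannot hold all requested subnets."""
    vpc = validate_vpc_cidr(vpc_cidr)
    if prefix <= vpc.prefixlen:
        raise ValueError("subnet prefix must be longer than the VPC prefix")
    candidates = vpc.subnets(new_prefix=prefix)  # yields /prefix blocks in address order
    plan = {}
    for tier in tiers:
        for az in azs:
            try:
                plan[f"{tier}-{az}"] = str(next(candidates))
            except StopIteration:
                raise ValueError(
                    f"{vpc} cannot hold {len(tiers) * len(azs)} /{prefix} subnets"
                ) from None
    return plan


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses in the subnet that instances can actually use."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def has_overlap(cidrs) -> bool:
    """True if any two CIDR blocks in the collection overlap."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    # Constructed sample input: a /16 VPC spread over two Availability Zones.
    plan = plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"])
    for name, cidr in plan.items():
        print(f"{name:20} {cidr:16} usable hosts: {usable_hosts(cidr)}")
    print("overlap:", has_overlap(plan.values()))
```

The planner generalises beyond the unit's single 10.0.0.0/16 example: any valid VPC block, any list of zones and any subnet prefix can be passed in, and the overlap check is what you would run before adding a secondary CIDR or peering with another VPC.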

After you create a VPC, you can add one or more subnets in each Availability Zone.

6.3 AMAZON SUBNET TYPES

When you create a subnet, depending on the configurations set for the VPC and the configurations you set for the subnet, you have the following IPv4 and IPv6 options. Depending on how you configure your VPC, subnets can be considered public, private, or VPN-only:
• Public subnet: The subnet's IPv4 or IPv6 traffic is routed to an internet gateway or an egress-only internet gateway and can reach the public internet.
• Private subnet: The subnet’s IPv4 or IPv6 traffic is not routed to an internet gateway or egress-only internet gateway and cannot reach the public internet.
• VPN-only subnet: The subnet doesn't have a route to the internet gateway, but it has its traffic routed to a virtual private gateway for a Site-to-Site VPN connection. Currently, we do not support IPv6 traffic over a Site-to-Site VPN connection.

6.4 GATEWAYS

An internet gateway allows communication between your VPC and the internet. It is a horizontally scaled, redundant, and highly available VPC component. An internet gateway supports IPv4 and IPv6 traffic. An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses. It does not cause availability risks or bandwidth constraints on your network traffic. There's no additional charge for having an internet gateway in your account.

Create a subnet

To add a subnet to your VPC:
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Subnets, Create subnet.
3. Specify the subnet details as needed:
   • Name tag: Optionally provide a name for your subnet. Doing so creates a tag with a key of Name and the value that you specify.
   • VPC: Choose the VPC for which you're creating the subnet.
   • Availability Zone: Optionally choose an Availability Zone or Local Zone in which your subnet will reside, or leave the default No Preference to let AWS choose an Availability Zone for you.

   • IPv4 CIDR block: Specify an IPv4 CIDR block for your subnet, for example, 10.0.1.0/24.
   • IPv6 CIDR block: (Optional) If you've associated an IPv6 CIDR block with your VPC, choose Specify a custom IPv6 CIDR. Specify the hexadecimal pair value for the subnet, or leave the default value.
4. Choose Create.

Create and attach an internet gateway

After you create an internet gateway, attach it to your VPC.

To create an internet gateway and attach it to your VPC:
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Internet Gateways, and then choose Create internet gateway.
3. Optionally name your internet gateway.
4. Optionally add or remove a tag:
   • To add a tag, choose Add tag and do the following: for Key, enter the key name; for Value, enter the key value.
   • To remove a tag, choose Remove to the right of the tag’s Key and Value.
5. Choose Create internet gateway.
6. Select the internet gateway that you just created, and then choose Actions, Attach to VPC.
7. Select your VPC from the list, and then choose Attach internet gateway.

6.5 ROUTE TABLES

A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed. Each subnet in your VPC must be associated with a route table, which controls the routing for the subnet (subnet route table). You can explicitly associate a subnet with a particular route table. Each route in a table specifies a destination and a target. For example, to enable your subnet to access the internet through an internet gateway, add the following route to your subnet route table. A gateway route table associated with a virtual private gateway supports routes with the following targets:

• The default local route
• A network interface for a middlebox appliance

In the following gateway route table, traffic destined for a subnet with the 172.31.0.0/20 CIDR block is routed to a specific network interface. Traffic destined for all other subnets in the VPC uses the local route.

Destination      Target
172.31.0.0/16    Local
172.31.0.0/20    eni-id

6.6 NAT GATEWAY

A NAT gateway is a Network Address Translation (NAT) service. A NAT gateway lets instances in a private subnet connect to services outside your VPC, but external services cannot initiate a connection with those instances. A NAT device allows resources in private subnets to connect to the internet, other VPCs, or on-premises networks. These instances can communicate with services outside the VPC, but they cannot receive unsolicited connection requests. The NAT device replaces the source IPv4 address of the instances with the address of the NAT device. When sending response traffic to the instances, the NAT device translates the addresses back to the original source IPv4 addresses. You can use a managed NAT device offered by AWS, called a NAT gateway, or you can create your own NAT device on an EC2 instance, called a NAT instance. NAT devices are not supported for IPv6 traffic. We use the term NAT in this documentation to follow common IT practice, though the actual role of a NAT device is both address translation and port address translation (PAT).

6.7 SECURITY GROUPS

A security group is just a group of instances that shares a common set of rules that determine what traffic is allowed in and out of the instances. To use security groups, you create a group, add the inbound and outbound rules you want the group to use, and then launch instances into the group. You can add and remove rules from the group, and those changes automatically apply to the instances in the group. The instances in a security group don't have to be in the same subnet in your VPC. Conversely, instances in the same subnet don't have to belong to the same security group. The following diagram illustrates how a subnet can have instances in more than one security group: two of the instances in the subnet are in group A, whereas the other two instances in that same subnet are in group B.

6.8 NETWORK ACLS

A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. You can add or remove rules from the default network ACL, or create additional network ACLs for your VPC. When you add or remove rules from a network ACL, the changes are automatically applied to the subnets that it's associated with. The following are the parts of a network ACL rule:
• Rule number. Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it's applied regardless of any higher-numbered rule that might contradict it.
• Type. The type of traffic; for example, SSH. You can specify all traffic or a custom range.

• Protocol. You can specify any protocol that has a standard protocol number. For more information, see Protocol Numbers. If you specify ICMP as the protocol, you can specify any or all of the ICMP types and codes.
• Port range. The listening port or port range for the traffic. For example, 80 for HTTP traffic.
• Source. [Inbound rules only] The source of the traffic (CIDR range).
• Destination. [Outbound rules only] The destination for the traffic (CIDR range).
• Allow/Deny. Whether to allow or deny the specified traffic.

If you add a rule using a command line tool or the Amazon EC2 API, the CIDR range is automatically modified to its canonical form. For example, if you specify 100.68.0.18/18 for the CIDR range, we create a rule with a 100.68.0.0/18 CIDR range.

6.9 VPC BEST PRACTICES

The following best practices might not be sufficient for your environment, so treat them as helpful considerations rather than prescriptions. The following are general best practices:
• Use multiple Availability Zone deployments so you have high availability.
• Use security groups and network ACLs.
• Use IAM policies to control access.
• Use Amazon CloudWatch to monitor your VPC components and VPN connections.
• Use flow logs to capture information about IP traffic going to and from network interfaces in your VPC.

6.10 AMAZON VPC COST

Amazon VPC provisions a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network. You have complete control over your virtual networking environment, including selection of your own IP address ranges, creation of subnets, and configuration of route tables and network gateways. You can also create a hardware Virtual Private Network (VPN) connection between your corporate data center and your VPC and leverage the AWS cloud as an extension of your corporate data center.
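The subnet definitions in 6.3 and the gateway route table in 6.5 above can be checked mechanically. The following Python is an added example and not text or code from this unit: it performs the longest-prefix lookup that a route table applies to a destination address, reproducing the 172.31.0.0/16 versus 172.31.0.0/20 case from 6.5, and classifies a subnet as public, private, or VPN-only from the targets in its route table using the 6.3 definitions. The route tables are constructed sample data; the target names use the AWS resource-id prefixes (local, igw-, eigw-, nat-, vgw-, eni-) with placeholder ids rather than real resources.

```python
"""Longest-prefix route lookup and subnet classification.
Added example with constructed route tables; ids are placeholders."""
import ipaddress

# Constructed sample route tables. "rtb-gateway" is the gateway route table
# shown in 6.5: the more specific /20 is sent to a middlebox network interface.
ROUTE_TABLES = {
    "rtb-gateway": [("172.31.0.0/16", "local"), ("172.31.0.0/20", "eni-0123456789abcdef0")],
    "rtb-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-placeholder")],
    "rtb-private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-placeholder")],
    "rtb-vpn-only": [("10.0.0.0/16", "local"), ("192.168.0.0/16", "vgw-placeholder")],
}


def lookup_route(routes, destination: str):
    """Return the target of the most specific route that matches `destination`.

    Route tables pick the longest matching prefix, not the first listed route.
    Returns None when nothing matches, which means the traffic is dropped."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(routes) -> str:
    """Apply the 6.3 definitions to a subnet's route table.

    public:   a route points at an internet gateway (igw-) or egress-only
              internet gateway (eigw-), so traffic can reach the public internet.
    VPN-only: no internet gateway route, but a route to a virtual private
              gateway (vgw-) for a Site-to-Site VPN connection.
    private:  neither; a route through a NAT gateway (nat-) still counts as
              private because the subnet itself has no internet gateway route."""
    targets = [target for _, target in routes]
    if any(t.startswith(("igw-", "eigw-")) for t in targets):
        return "public"
    if any(t.startswith("vgw-") for t in targets):
        return "VPN-only"
    return "private"


if __name__ == "__main__":
    for name, routes in ROUTE_TABLES.items():
        print(f"{name:14} -> {classify_subnet(routes)}")
    gateway = ROUTE_TABLES["rtb-gateway"]
    print("172.31.5.10  ->", lookup_route(gateway, "172.31.5.10"))   # inside the /20: middlebox ENI
    print("172.31.200.1 ->", lookup_route(gateway, "172.31.200.1"))  # only the /16 matches: local
    print("8.8.8.8      ->", lookup_route(gateway, "8.8.8.8"))       # no route: None
```

Feeding real route tables into `classify_subnet` (for example, the output of an AWS CLI describe call) is a quick way to audit which subnets are actually reachable from the internet, which is the distinction the 6.3 definitions turn on.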
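The rule-evaluation order and the CIDR canonicalisation described in 6.8 above, as an added Python example that is not part of this unit: rules are tried from the lowest rule number upward, the first match decides, and traffic that matches no numbered rule falls through to the implicit final deny (the "*" rule in the console, per AWS documentation rather than this unit). The inbound rule set is constructed sample data, and its 100.68.0.18/18 entry shows the canonical 100.68.0.0/18 form the text describes.

```python
"""Network ACL evaluation: lowest rule number first, first match wins.
Added example with a constructed inbound rule set."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    number: int
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int     # only consulted for tcp/udp
    port_to: int
    cidr: str          # source for inbound rules, destination for outbound rules
    action: str        # "allow" or "deny"


def canonical_cidr(cidr: str) -> str:
    """Rewrite a CIDR that has host bits set to its network form, as the CLI/API do."""
    return str(ipaddress.ip_network(cidr, strict=False))


def evaluate(rules, protocol: str, port: int, address: str) -> tuple:
    """Return (action, rule_number) for one packet.

    Rules are checked in ascending rule-number order and the first match is
    final, even if a higher-numbered rule would contradict it. The implicit
    final rule (shown as "*" in the console) denies everything else."""
    addr = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all" and rule.protocol != protocol:
            continue
        if rule.protocol in ("tcp", "udp") and not (rule.port_from <= port <= rule.port_to):
            continue
        if addr not in ipaddress.ip_network(canonical_cidr(rule.cidr)):
            continue
        return rule.action, rule.number
    return "deny", "*"


# Constructed inbound ACL: HTTP from anywhere, SSH denied from one /18 and
# otherwise allowed from the enclosing /10. Rule 110 is written with host bits
# set to show the canonical form AWS stores (100.68.0.0/18).
INBOUND = [
    AclRule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    AclRule(110, "tcp", 22, 22, "100.68.0.18/18", "deny"),
    AclRule(120, "tcp", 22, 22, "100.64.0.0/10", "allow"),
]

# Same rules, but the deny is numbered above the allow: the broad allow at 120
# now matches first, so the deny at 130 never takes effect for that /18.
INBOUND_MISORDERED = [
    AclRule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
    AclRule(120, "tcp", 22, 22, "100.64.0.0/10", "allow"),
    AclRule(130, "tcp", 22, 22, "100.68.0.18/18", "deny"),
]

if __name__ == "__main__":
    print("canonical:", canonical_cidr("100.68.0.18/18"))
    print("ssh from 100.68.1.1, ordered:   ", evaluate(INBOUND, "tcp", 22, "100.68.1.1"))
    print("ssh from 100.68.1.1, misordered:", evaluate(INBOUND_MISORDERED, "tcp", 22, "100.68.1.1"))
    print("https from anywhere:            ", evaluate(INBOUND, "tcp", 443, "203.0.113.9"))
```

The two rule sets differ only in numbering, which is the point the 6.8 text makes: a deny placed after a broader allow is dead, so when you audit an ACL, evaluate it in rule-number order rather than reading the rules as a set.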
6.11 SUMMARY

• Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined.
• Depending on the configurations set for the VPC and the configurations you set for the subnet, you have the following IPv4 and IPv6 options.
• An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
• A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed.
• A NAT gateway is a Network Address Translation (NAT) service. A NAT gateway lets instances in a private subnet connect to services outside your VPC, but external services cannot initiate a connection with those instances.
• A security group is just a group of instances that shares a common set of rules that determine what traffic is allowed in and out of the instances.
• A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
• Amazon VPC provisions a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network.

6.12 GLOSSARY

1. Scalable: able to be scaled or climbed.
2. Leverage: the act of using a lever to lift or open something.
3. Bandwidth: a band of frequencies used for sending electronic signals.
4. Unsolicited: not asked for.

6.13 REFERENCE

• Amazon Referral Link: https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html
• Wikipedia Referral Link: https://en.wikipedia.org/wiki/Amazon_S3

