Amazon VPC

정연희 · April 15, 2024

AWS


12. Amazon VPC

Definition

: a virtual networking environment that gives you full control, which includes resource placement, connectivity, and security
(A logically isolated virtual network dedicated to your AWS account)

  • Cloud providers offer you the option to bring your network into the cloud
    → you can build your own cloud networks (VPCs) inside the cloud
  • A virtual private cloud (VPC) provides you with a cloud within the cloud
    • With a VPC, you control the network and security configurations so that access is granted only according to your specifications
  • Amazon VPC is an affordable, flexible, and reliable environment to launch compute and database instances

VPC architecture


  • region specific
    • confined to one region; a VPC can’t span multiple regions
    • can have multiple VPCs in one region
      • VPC quotas: the default limit is 5 VPCs per region
      • if you need more, you can submit a ticket to increase the number
  • choose which AZ to place your subnets in and whether those subnets should be public or private
    • can place multiple subnets within an AZ
  • Then you can launch your resources such as EC2, RDS into appropriate subnets

VPC architectural patterns

How you architect your VPC networks will depend on your networking needs

single VPC pattern


  • Small, single application managed by one person or a very small team
  • High-performance computing

multi-VPC pattern


  • Single team or single organization, such as managed service providers
  • single account, many VPCs

multi-account pattern


  • Large organizations and organizations with multiple IT teams
  • Why: managing access and standards can be more challenging in more complex organizations

Default VPCs

  • When you set up your AWS account, you will automatically be provided with a default VPC in each AWS Region
    • Default VPCs have a public subnet for every AZ in the Region
  • As a best practice, it is recommended that you don’t use or delete your default VPC (create a customized VPC instead!!)
  • Advantages
    • quick start
    • good for testing/prototyping applications



Use Case


  • host multi-tier web applications
    • multi-tier architecture consists of
      • Presentation tier: where users will interact with the website or app.
      • Logic tier: where the computing processes occur (ex. Machine learning application)
      • Data tier: where the data is stored, typically protected in private subnets
        • don’t want presentation tier to directly communicate with data tier due to security reasons
    • ex) Instagram-like photo-based social media service
      • EC2: for webpage delivery (front end)
      • S3 bucket: to store photos
      • RDS table: to store user profiles, friendships, and likes
      • router: passes incoming traffic to local when it is destined for the VPC, and to the internet gateway otherwise
      • an internet gateway: to connect the VPC to the internet

VPC components


  • network gateway
  • route table
  • network access control list (ACL) → subnet-level firewall
  • inside a network ACL, there are subnets
  • inside subnets, there are security groups
  • each security group can be attached to multiple instances

VPC(network gateway) → AZ , route tables → subnet(network ACLs) → instance (security group)

VPC default components

the following will be created automatically when creating your VPC:

  • main route table
  • network ACL
  • security group



13. Creating/deleting VPCs

1. Choosing the VPC CIDR block

  • specify an IPv4 CIDR block for the VPC
    • Remember that your VPC’s netmask must be large enough to contain all of the required subnet IP addresses in your network
    • cannot be changed after creation
  • VPC CIDR block considerations
    • VPCs that will be communicating with each other cannot have identical CIDR blocks because it can cause networking issues


2. VPC ID and tags

  • VPC IDs and tags are used to associate VPC components with the correct VPC
  • VPC ID
    – When you create a VPC, it will be auto-assigned a VPC ID, which cannot be edited
    – It is a string of random numbers and letters that identifies your VPC
    – Example: vpc-0476e890abedg995f
  • VPC tags
    – Because a VPC ID can be difficult to remember, you have the option to tag your VPC with a more identifiable name
    – Tagged VPC ID examples:
    ▪ vpc-0476e890abedg995f (Development VPC)
    ▪ vpc-s897fsf9afs09h3jk30 (Production VPC)
    ▪ vpc-nj789sedjna0halje30 (Testing VPC)

3. subnets in VPC

  • AWS subnets are smaller networks inside a VPC, where you can place your AWS resources
  • Routing can be configured at the subnet level
    – In this way, subnets provide a way to group resources that require public or private routing configurations


Subnet placement

▪ VPC subnets are mapped to specific Availability Zones
▪ Create your subnets in at least two different AZs, which helps to keep your network highly available


subnetting

▪ When you create a subnet, it requires its own CIDR block, which is a subset of the VPC CIDR block
▪ AWS reserves five IP addresses within the block (per subnet), and these addresses are not available for use


subnet size

  • cannot change after setting up subnet
  • recommended: create larger subnets
    • not recommended to create small subnets
    • because you can’t increase subnet size
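The CIDR rules from sections 13.1 and 13.3 (the VPC netmask must hold every subnet, a subnet CIDR must be a subset of the VPC CIDR, five addresses per subnet are reserved by AWS, and VPCs that talk to each other must not share a block) can all be checked before anything is created. The following is an added example, not code from the original notes or from AWS; it uses only the Python standard library, and the addresses in it are constructed sample values.

```python
import ipaddress

# AWS reserves five addresses in every subnet (network address, VPC router,
# DNS server, one reserved for future use, broadcast address), so a /24 gives
# 251 usable addresses, not 256, and the smallest allowed subnet (/28) gives 11.
AWS_RESERVED_PER_SUBNET = 5


def usable_addresses(subnet_cidr):
    """Number of addresses AWS actually lets you assign inside a subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def max_subnets(vpc_cidr, new_prefix):
    """How many /new_prefix subnets fit inside the VPC block (0 if none can)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if new_prefix < vpc.prefixlen:
        return 0
    return 2 ** (new_prefix - vpc.prefixlen)


def plan_subnets(vpc_cidr, new_prefix, count):
    """Carve `count` equally sized subnets out of the VPC block, in address order.

    Raises ValueError when the VPC netmask is too small: this is the case the
    notes warn about, because neither the VPC CIDR nor a subnet size can be
    changed after creation.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    capacity = max_subnets(vpc_cidr, new_prefix)
    if capacity < count:
        raise ValueError(
            f"{vpc_cidr} holds only {capacity} /{new_prefix} subnets, need {count}"
        )
    generator = vpc.subnets(new_prefix=new_prefix)
    return [str(next(generator)) for _ in range(count)]


def validate_subnet(vpc_cidr, subnet_cidr):
    """A subnet CIDR must be a subset of its VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnet = ipaddress.ip_network(subnet_cidr)
    return subnet.subnet_of(vpc)


def can_communicate(cidr_a, cidr_b):
    """Two VPCs that need to exchange traffic must not have overlapping blocks."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


if __name__ == "__main__":
    # Constructed sample plan: a /16 VPC split into four /24 subnets.
    vpc = "10.0.0.0/16"
    for subnet in plan_subnets(vpc, 24, 4):
        print(subnet, "usable:", usable_addresses(subnet),
              "inside VPC:", validate_subnet(vpc, subnet))
    print("can peer with 10.1.0.0/16:", can_communicate(vpc, "10.1.0.0/16"))
    print("can peer with 10.0.0.0/16:", can_communicate(vpc, "10.0.0.0/16"))
```

Run the file directly to see the plan printed; `plan_subnets("10.0.0.0/24", 24, 2)` raises, which is the "netmask too small" situation the notes say cannot be fixed afterwards.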

subnet ID (subnet and VPC association)

As soon as the subnet is created, it will be given a subnet ID, which works like a VPC ID to attach components

  • can detach subnet and add it to another VPC


3. Network gateways

: determines the traffic that will be given access to your network

→ there is also the NAT gateway

internet gateway (IG)


A horizontally scaled and highly available VPC component that enables communication between your VPC and the internet

→ only public subnets can use it

virtual private gateway


  • The VPN connector on the Amazon side of a site-to-site VPN connection
  • lets you connect your on-premises site to your VPC

4. route tables

  • Route tables are the mechanism that directs traffic in a VPC
  • Components
    • contain a set of rules, called routes, that direct network traffic from your subnet

    • route
      - each route specifies a destination and a target
      - destination: the range of IP addresses where you want traffic to go (destination CIDR)
      - target: the connection that traffic for the destination is sent through
      - igw-0123456789abcdef0 (the ID of an internet gateway):
      this route sends all traffic with a destination of "0.0.0.0/0" (meaning all traffic not matching the previous routes) to the internet gateway, allowing instances in the associated subnets to access the internet.
      - local: allows communication within the subnet


    • route table associations

      • Each subnet in your VPC must be associated with a route table

      • When you create subnets, they will be associated with the main route table

      • Subnets and route tables follow a many-to-one rule
        – A subnet can be associated with only one route table at a time, but you can associate many subnets with the same route table

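A route table lookup, as an added example that is not part of the original notes or of AWS itself. It models the destination/target rules from section 4: the most specific matching destination wins, the `local` route covers the VPC’s own CIDR (the router behaviour described in the use case section), and `0.0.0.0/0` catches everything else. The internet gateway ID is the one quoted in the notes; the NAT gateway ID, subnet IDs and addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str  # destination CIDR, e.g. "0.0.0.0/0"
    target: str       # "local", an igw-… ID, a nat-… ID, a pcx-… ID, ...


def lookup(routes: List[Route], dst_ip: str) -> Optional[str]:
    """Return the target for dst_ip using most-specific (longest prefix) match.

    Returns None when no route matches, which is what happens for internet
    destinations in a subnet whose table only has the local route.
    """
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[Route] = None
    best_prefix = -1
    for route in routes:
        net = ipaddress.ip_network(route.destination)
        if ip in net and net.prefixlen > best_prefix:
            best, best_prefix = route, net.prefixlen
    return best.target if best else None


# Constructed sample VPC: 10.0.0.0/16. Every route table starts with the local
# route for the VPC CIDR; the rest depends on what the subnet is for.
VPC_CIDR = "10.0.0.0/16"
IGW_ID = "igw-0123456789abcdef0"          # ID quoted in the notes
NAT_ID = "nat-PLACEHOLDER0000000"         # placeholder, not a real resource

PUBLIC_RT = [Route(VPC_CIDR, "local"), Route("0.0.0.0/0", IGW_ID)]
PRIVATE_RT = [Route(VPC_CIDR, "local"), Route("0.0.0.0/0", NAT_ID)]
ISOLATED_RT = [Route(VPC_CIDR, "local")]  # data tier: no path to the internet

# Many-to-one: a subnet has exactly one table (dict key), a table can serve
# several subnets (two public subnets share PUBLIC_RT).
ASSOCIATIONS = {
    "subnet-public-1a": PUBLIC_RT,
    "subnet-public-1b": PUBLIC_RT,
    "subnet-app-1a": PRIVATE_RT,
    "subnet-data-1a": ISOLATED_RT,
}


def next_hop(subnet_id: str, dst_ip: str) -> Optional[str]:
    """Resolve where traffic leaving the given subnet is sent."""
    return lookup(ASSOCIATIONS[subnet_id], dst_ip)


if __name__ == "__main__":
    for subnet in ASSOCIATIONS:
        print(subnet, "-> 10.0.5.20:", next_hop(subnet, "10.0.5.20"),
              "| -> 198.51.100.7:", next_hop(subnet, "198.51.100.7"))
```

The `198.51.100.7` address is from the TEST-NET-2 documentation range and stands in for any internet host; for the data-tier subnet the lookup returns `None`, showing why an instance there cannot reach the internet even though the VPC has an internet gateway.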

5. Security Groups


  • instance-level firewall (not subnet-level; that is the network ACL)
    • Therefore, each instance in a subnet in your VPC can be assigned to a different set of security groups
    • every EC2 and RDS instance must have a security group
    • instance can have multiple security groups
    • security groups can be associated with multiple instances
  • It is a way for you to filter inbound and outbound traffic that is allowed to your instances

security group rules

  • Security groups have rules that control the inbound and outbound traffic
  • When you customize a security group, you can specify allow rules, but not deny rules
  • Inbound rules (incoming)
    • By default, a security group has no inbound rules (= all inbound traffic is denied by default)
  • Outbound rules (outgoing)
    • by default, allows all outbound traffic
  • security groups are stateful
    • For every inbound rule, an outbound response is allowed even if you don’t configure one
    • Conversely, for every outbound rule, an inbound response is allowed

6. network ACLs

  • subnet level firewall
  • controls traffic that is allowed in and out of your subnets
  • stateless
    • If an inbound rule allows certain traffic to enter the subnet, it does not automatically allow an outbound response
    • Therefore, you must specify which traffic is allowed in both the inbound and the outbound rules


subnet and network ACL association

  • Each subnet in your VPC must be associated with a network ACL
    • If you don’t explicitly associate a subnet with a network ACL, the subnet is
      automatically associated with the default network ACL
  • You can associate a network ACL with multiple subnets
    • the same network ACL can apply to multiple subnets across different Availability Zones.
    • However, a subnet can be associated with only one network ACL at a time

Network ACL rules

  • define both inbound and outbound rules (can both deny & allow)
  • outbound rules
    • prevent traffic from leaving a subnet (deny outbound traffic)
  • inbound rules
    • can set deny rules (deny inbound traffic)
      • deny traffic types or specific IP addresses
  • default network ACL
    • by default, all inbound and outbound traffic are allowed
  • custom network ACL
    • by default, each custom network ACL denies all inbound and outbound traffic until you add rules

      Because the security group has a matching inbound rule, the traffic is allowed in; and because security groups are stateful, the outbound response is automatically allowed. But the network ACL denies the outbound response with its outbound rule.

  • network ACL rule evaluation
    • A network ACL contains a numbered list of rules that are evaluated in order, starting with the lowest numbered rules
    • Traffic is allowed or denied based on the first rule that matches that traffic


Even though later rules allow the traffic, the first (lowest-numbered) matching rule denies it, so the traffic is denied.

Security group vs network ACLs

  • the network ACL is the outer firewall → if traffic is not allowed to pass the network ACL, it can’t reach the inner firewalls (the security groups)

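The two-layer behaviour described in sections 5 and 6 (allow-only stateful security groups, stateless first-match network ACLs evaluated lowest number first, and the ACL as the outer firewall) is easy to get wrong in practice, so here is an added example that walks one client request and its response through both layers. It is not code from the original notes or from AWS; all rules, addresses and port numbers are constructed for the demonstration, and the trace it returns names the layer that dropped the traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    """One direction of a TCP exchange as seen at the subnet/instance boundary."""
    remote_ip: str   # the other party: source on inbound, destination on outbound
    port: int        # destination port of this direction
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny" (security groups only ever use "allow")
    proto: str       # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source CIDR (inbound) or destination CIDR (outbound)
    number: int = 0  # network ACL rule number; evaluated lowest first

    def matches(self, flow: Flow) -> bool:
        if self.proto not in ("all", flow.proto):
            return False
        if not self.port_from <= flow.port <= self.port_to:
            return False
        return ipaddress.ip_address(flow.remote_ip) in ipaddress.ip_network(self.cidr)


class NetworkAcl:
    """Stateless subnet firewall: every packet, responses included, is checked
    against the numbered rules in order; first match wins; no match means deny
    (the implicit '*' rule at the end of every network ACL)."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, direction: str, flow: Flow) -> str:
        rules = self.inbound if direction == "inbound" else self.outbound
        for rule in rules:
            if rule.matches(flow):
                return rule.action
        return "deny"


class SecurityGroup:
    """Stateful instance firewall: allow rules only; a response to an allowed
    flow is allowed automatically, whatever the rules in the other direction say."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound = inbound
        self.outbound = outbound

    def evaluate(self, direction: str, flow: Flow) -> str:
        rules = self.inbound if direction == "inbound" else self.outbound
        return "allow" if any(r.matches(flow) for r in rules) else "deny"


def inbound_connection(nacl: NetworkAcl, sg: SecurityGroup, client_ip: str,
                       service_port: int, client_port: int) -> Dict[str, str]:
    """Trace client -> instance request and instance -> client response through
    both layers. The ACL is the outer firewall: what it denies never reaches the SG."""
    request = Flow(client_ip, service_port)
    response = Flow(client_ip, client_port)  # goes back to the client's ephemeral port
    trace: Dict[str, str] = {"nacl_in": nacl.evaluate("inbound", request)}
    if trace["nacl_in"] == "deny":
        trace["sg_in"] = "not reached"
        trace["result"] = "request dropped at subnet"
        return trace
    trace["sg_in"] = sg.evaluate("inbound", request)
    if trace["sg_in"] == "deny":
        trace["result"] = "request dropped at instance"
        return trace
    trace["sg_out"] = "allow (stateful)"                    # no outbound rule needed
    trace["nacl_out"] = nacl.evaluate("outbound", response)  # stateless: checked alone
    trace["result"] = ("connection works" if trace["nacl_out"] == "allow"
                       else "response dropped at subnet")
    return trace


# Constructed sample configuration.
ANY = "0.0.0.0/0"
SG_WEB = SecurityGroup(inbound=[Rule("allow", "tcp", 443, 443, ANY)],
                       outbound=[Rule("allow", "all", 0, 65535, ANY)])  # SG default
DEFAULT_NACL = NetworkAcl(inbound=[Rule("allow", "all", 0, 65535, ANY, number=100)],
                          outbound=[Rule("allow", "all", 0, 65535, ANY, number=100)])
# The scenario in the notes: custom ACL lets HTTPS in, but nobody added an outbound rule.
CUSTOM_NACL_NO_OUTBOUND = NetworkAcl(
    inbound=[Rule("allow", "tcp", 443, 443, ANY, number=100)], outbound=[])
# Same ACL, fixed: responses to the client's ephemeral ports are allowed out.
CUSTOM_NACL_FIXED = NetworkAcl(
    inbound=[Rule("allow", "tcp", 443, 443, ANY, number=100)],
    outbound=[Rule("allow", "tcp", 1024, 65535, ANY, number=100)])
# Rule order: 100 denies one range, 200 allows everyone; the lower number wins.
ORDERED_NACL = NetworkAcl(
    inbound=[Rule("deny", "tcp", 443, 443, "203.0.113.0/24", number=100),
             Rule("allow", "tcp", 443, 443, ANY, number=200)],
    outbound=[Rule("allow", "tcp", 1024, 65535, ANY, number=100)])

if __name__ == "__main__":
    for name, acl in [("default", DEFAULT_NACL), ("no outbound", CUSTOM_NACL_NO_OUTBOUND),
                      ("fixed", CUSTOM_NACL_FIXED), ("ordered", ORDERED_NACL)]:
        print(name, inbound_connection(acl, SG_WEB, "203.0.113.9", 443, 51000))
```

The addresses come from the TEST-NET documentation ranges. The "no outbound" trace shows `sg_out` allowed by statefulness while `nacl_out` is denied, which is exactly the mismatch the figure caption above describes; the "ordered" trace with a client from `203.0.113.0/24` stops at the subnet with `sg_in` never reached.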

deleting VPCs

▪ Before you can delete a VPC, you must first manually terminate or delete some resources that were created in the VPC
▪ Some VPC components will be deleted automatically



14. Additional features of VPC

NAT Gateway

  • Purpose
    • With a NAT gateway, instances in a private subnet can connect to the internet or other AWS services
  • creating a NAT gateway
    • To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside (because it needs to connect to the internet)
      - You must also specify an Elastic IP address for the NAT gateway
      - After creating a NAT gateway, you update the route table associated with one or more of your private subnets to point internet-bound traffic to the NAT gateway

VPC peering

  • a networking connection between two VPCs that you can use to route traffic between them privately
    • Instances in either VPC can communicate with each other as if they were within the
      same network
  • Create VPC peering connections with the following:
    • Your own VPCs, VPCs in other accounts, VPCs in different Regions
  • You create rules in your route table to allow the VPCs to communicate with each other through the peering resource
  • VPC peering restrictions
    • IP address ranges cannot overlap
    • transitive peering is not supported
      • unless a peering connection exists directly between two VPCs, they cannot reach each other by hopping through a third VPC



15. other networking services of AWS

Elastic IP address


  • Definition
    • When you create a VPC, every instance that is launched in that VPC is assigned a private IP address automatically
      – You can also request a public IP address to be assigned
    • An Elastic IP address is a static public IPv4 address that is designed for dynamic cloud computing
      – When you associate an Elastic IP address with an EC2 instance, it replaces the default public IP address
      – With an Elastic IP address, you can mask the failure of an instance by rapidly remapping the address to another instance in your VPC
      (i.e., when an instance fails, the Elastic IP is detached and rapidly assigned to another instance in the VPC)
  • Flexibility
    • Elastic IP addresses operate at the Region level
    • You can use an Elastic IP address in any VPC within the Region where it was created
  • Costs
    • when an Elastic IP address is detached from an instance and not in use, it still incurs costs
    • never leave one unattached

AWS VPN

To connect your VPC to your remote network through a VPN connection, you need to set up:

  • a virtual private gateway and a customer gateway, connected through a VPN connection
  • needs
    • private subnet route table
    • virtual private gateway
    • customer gateway
    • site-to-site VPN connection
  • limitation of a VPN connection: network performance

AWS direct connect

  • With Direct Connect, your network traffic remains on the AWS global network and never touches the public internet
    • Advantage: you can keep the VPC private and still connect to an on-premises site
  • You can use Direct Connect to establish a dedicated, private network connection between your network and one of the Direct Connect locations



VPC endpoints

  • A VPC endpoint provides connections between a VPC and supported AWS services
    • It doesn’t require that you use an internet gateway, NAT device, VPN connection, or Direct Connect connection
    • Therefore, your VPC is not exposed to the public internet
  • Interface VPC endpoints
    • AWS PrivateLink is a technology that provides private connectivity between VPCs, AWS services, and your on-premises networks without exposing your traffic to the public internet
  • Gateway VPC endpoints → for storage and database services
    • Provide reliable connectivity to Amazon S3 and Amazon DynamoDB without requiring an internet gateway or a NAT device for your VPC
