Amazon VPC (Virtual Private Cloud) is a service that lets you launch AWS resources into a virtual network that you define. That network is logically isolated from every other virtual network in the AWS cloud, including other customers' VPCs, and it is the environment into which other AWS resources, such as Amazon EC2 instances, are launched. It resembles a traditional network that you would run in your own data centre, with the added benefit that the infrastructure behind it scales on demand.
When working with Amazon VPC you choose the IP address range, create subnets, and configure the route tables, gateways and security groups that control how traffic reaches your resources.
Amazon VPC terminology
VPC can be visualized as a networking layer for Amazon EC2 that is dedicated to the user’s AWS account.
- Subnet: A range of IP addresses carved out of the VPC's address block; each AWS resource is launched into a specific subnet. A public subnet is one whose route table contains a route to an internet gateway, so resources in it can be reached from the internet; a private subnet has no such route, so its resources reach the internet only through a NAT device, or not at all. Whether a subnet is public or private is therefore a property of its routing, not of the subnet itself. Resources in each subnet can be protected by several layers of security, notably security groups (stateful, attached to instances) and network access control lists (NACLs, stateless, attached to the subnet).
- Route table: A set of rules, called routes, that determine where network traffic from a subnet or gateway is directed. Every VPC has a main route table, and each subnet is associated with exactly one route table.
- Internet gateway: A horizontally scaled, redundant and highly available VPC component that enables communication between instances in the VPC and the internet. It is the target of the 0.0.0.0/0 route that makes a subnet public.
- VPC endpoint: Lets you connect the VPC privately to supported AWS services and to VPC endpoint services powered by AWS PrivateLink, without an internet gateway, NAT device, VPN connection or AWS Direct Connect connection. Instances in the VPC do not need public IP addresses to reach the service, and traffic between the VPC and the service never leaves the Amazon network. This is the usual way to give a private subnet access to a service such as Amazon S3 without also giving it a route to the internet.
Features of Amazon VPC
- Static private IPv4 addresses can be assigned to instances; they persist across instance stops and starts.
- An IPv6 CIDR block can optionally be associated with the VPC.
- IPv6 addresses can be assigned to instances.
- Multiple IP addresses can be assigned to an instance.
- Network interfaces can be defined, and one or more of them attached to an instance.
- The security group membership of an instance can be changed while it is running.
- Outbound traffic from instances can be controlled with egress filtering, in addition to inbound traffic (ingress filtering). Security groups allow all outbound traffic by default, so egress rules have to be tightened deliberately.
- Instances can be run on single-tenant hardware (Dedicated Instances or Dedicated Hosts).
- NACLs (network access control lists) add a further, subnet-level layer of access control in front of the instances. Unlike security groups they are stateless, so return traffic must be allowed explicitly.
Accessing Amazon VPC
Amazon VPC can be created, accessed and managed through any of the following interfaces:
- AWS Management Console: A web interface for working with your VPCs.
- AWS Command Line Interface (AWS CLI): Provides commands for a broad set of AWS services, including Amazon VPC, and is supported on Windows, macOS and Linux.
- AWS SDKs: Provide language-specific APIs that take care of connection details such as calculating request signatures, retrying failed requests and handling errors.
- Query API: Provides low-level API actions that you call with HTTPS requests. The Query API is the most direct way to access Amazon VPC, but it requires your application to handle the low-level details itself, including generating the hash used to sign each request and handling errors.
There is no additional charge for using Amazon VPC; you pay for the instances and other Amazon EC2 features you use. Site-to-Site VPN connections and NAT gateways are chargeable.
PCI DSS Compliance
Amazon VPC supports the processing, storage and transmission of credit card data by a merchant or service provider, and has been validated as compliant with the Payment Card Industry Data Security Standard (PCI DSS).
Default and non-default VPCs
- Default VPC: Accounts on the EC2-VPC platform, which is every current account, come with a default VPC in each Region, with a default subnet in every Availability Zone. A default VPC is ready to use and already has the features of the EC2-VPC platform provisioned. If you do not specify a subnet when launching an instance, the instance is launched into the default VPC, so instances can be launched without the user ever knowing about Amazon VPC. From a security point of view this is worth knowing: default subnets are public subnets whose route table points at an internet gateway, they assign public IPv4 addresses to instances automatically, and the default security group allows all traffic between its members. Production workloads should normally go into a VPC you have designed yourself.
- Non-default VPC: Regardless of the platform your account supports, you can create your own VPCs and configure them according to your requirements. These are known as non-default VPCs, and the subnets you create in them are known as non-default subnets.
In this post we looked at what Amazon VPC is and how it is used to launch AWS resources into a logically isolated virtual network that you define yourself.