VPC
Virtual Private Cloud: your private cloud
A VPC is a logically isolated virtual network.
An AWS account comes with a default VPC network.
VPC peering: a network connection between 2 VPCs.
Non-overlapping CIDR, non-transitive.
1 VPC can accept a maximum of 125 peering connections.
Supports peering between multiple accounts.
Inter-region: helps connect across regions.
Does NOT support transitive communication:
A peering B, B peering C -> A can not talk to C.
This prevents:
Single point of failure.
Bandwidth bottleneck.
The Requester sends a peering request to the Accepter.
The Accepter accepts the peering request. If the peering is cross-account, both accounts must accept to activate it.
Manually add routes (IPv4 CIDR of the peered VPC) in each VPC.
Egress-only Internet Gateway: allows outbound-only communication over IPv6 from instances in the VPC to the internet.
Only used for IPv6; if you want outbound-only internet over IPv4, use a NAT gateway.
AWS PrivateLink: sharing services between different VPCs across AWS accounts.
Does NOT need VPC peering, public Internet, NAT gateway, or route tables.
Helps you securely and privately communicate with other AWS services.
VPC endpoints: provide private access to AWS services (S3, DynamoDB, CloudFormation, SSM) from within the VPC.
A VPC endpoint is a network gateway that allows communication between instances in a VPC and a service, such as Amazon S3, without requiring an Internet gateway or a NAT device.
Data transfer between the VPC and the service through a gateway VPC endpoint is free of charge.
There are 2 types:
VPC Interface endpoints: An ENI with a private IP address that serves as an entry point for traffic destined to services powered by AWS PrivateLink.
Link to one or several subnets (for multi-AZ HA)
Link to a security group
Communicate with the service using an endpoint-specific private DNS hostname.
By default, the standard DNS names for SQS and SNS will use the public endpoint and not the interface endpoint. You need to use the private endpoint DNS.
VPC Gateway endpoints: A gateway that is a target for a specified route in your route table. This type of endpoint is used for traffic destined to a supported AWS service, currently only Amazon S3 or Amazon DynamoDB.
Free of charge.
VPC Traffic Mirroring: copy network traffic from ENIs for further analysis.
VPC Flow Logs: capture traffic going to & from ENIs.
Export logs to CloudWatch Logs, S3, or Kinesis Data Firehose.
3 types of flow logs: Accept, Deny, All.
Use Athena to analyze logs.
After you create a flow log, you CANNOT change its configuration or the flow log record format. For example, you can't associate a different IAM role with the flow log, or add or remove fields in the flow log record. Instead, you can delete the flow log and create a new one with the required configuration.
# | Field Name | Example Value | Description |
---|---|---|---|
1 | version | 2 | The log stream version. If you see a value other than |
2 | account-id | 123456789010 | The AWS account ID of the account that owns the source network interface for the flow log. |
3 | interface-id | eni-1235b8ca123456789 | The ID of the network interface for which the log records traffic. |
4 | srcaddr | 172.31.16.139 | The source IP address of the traffic. |
5 | dstaddr | 172.31.16.21 | The destination IP address of the traffic. |
6 | srcport | 20641 | The source port of the traffic. |
7 | dstport | 22 | The destination port of the traffic. |
8 | protocol | 6 | The IANA protocol number of the traffic. For example, TCP is 6 and UDP is 17. |
9 | packets | 20 | The number of packets transferred during the capture window. |
10 | bytes | 4249 | The number of bytes transferred during the capture window. |
11 | start | 1418530010 | The start time of the capture window in Unix seconds. |
12 | end | 1418530070 | The end time of the capture window in Unix seconds. |
13 | action | ACCEPT | The action that is applied to the traffic. Possible values are |
14 | log-status | OK | The status of the delivery of the log events to CloudWatch Logs. Possible values are |
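As an added example (not part of the original notes), a Python parser for version-2 records in the field order of the table above; it counts REJECT records from sources outside the VPC CIDR per (source address, destination port), the kind of question Athena is otherwise used for, and skips NODATA/SKIPDATA rows. The log lines, account ID and ENI ID are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Field order of a version-2 VPC flow log record (space separated), as in the table above.
FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log-status"]

# Constructed sample records; the account id and ENI id are placeholders, not real resources.
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.21 49152 22 6 3 180 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.21 49153 3389 6 2 120 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 203.0.113.77 172.31.16.21 49170 22 6 1 60 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1418530010 1418530070 - NODATA
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1418530010 1418530070 - SKIPDATA
"""

def parse_record(line):
    """Split one record into a dict. Return None for malformed rows and for
    NODATA/SKIPDATA rows, which carry no addresses or ports and are not traffic."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec

def rejected_by_external_source(log_text, internal_cidr):
    """Count REJECT records per (srcaddr, dstport) whose source lies outside the
    VPC's CIDR, i.e. inbound connection attempts the security groups / NACLs blocked."""
    internal = ipaddress.ip_network(internal_cidr)
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["action"] != "REJECT":
            continue
        if ipaddress.ip_address(rec["srcaddr"]) in internal:
            continue  # internal-to-internal rejects are a separate question
        counts[(rec["srcaddr"], rec["dstport"])] += 1
    return counts
```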
Pricing: the VPC itself is free.
But other features such as NAT Gateway, VPC... will be charged.
CIDR blocks of subnets cannot overlap.
The peering connection ID has the prefix pcx-.
Default VPC has Internet connectivity, so all EC2 instances inside it have public IPv4 addresses.
1 AWS account has up to 5 VPCs per region. Need more? Go to Service Quotas to request an increase from AWS support.
IPv4 is supported by default and cannot be turned off. On the other hand, IPv6 is optional, so you need to turn it ON if needed.
The allowed block size in a VPC is between a /16 netmask (65,536 IP addresses) and a /28 netmask (16 IP addresses).
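Added example, not from the original notes: Python that checks the peering rules above (non-overlapping CIDRs, /16 to /28 block size, one manually added route per VPC per direct peer, and no transitive route). The VPC names, CIDRs and pcx- ids are constructed placeholders.

```python
import ipaddress

# VPC CIDR size limits from the notes: /16 (65,536 addresses) to /28 (16 addresses).
MIN_PREFIX, MAX_PREFIX = 16, 28

def validate_vpc_cidr(cidr):
    """Return the network if cidr is an IPv4 block within /16../28, else raise ValueError."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{cidr}: VPC CIDR must be IPv4 between /16 and /28")
    return net

def can_peer(cidr_a, cidr_b):
    """Peering requires non-overlapping CIDRs: overlapping blocks cannot be routed between."""
    a, b = validate_vpc_cidr(cidr_a), validate_vpc_cidr(cidr_b)
    return not a.overlaps(b)

def peering_routes(vpcs, peerings):
    """Build the route (destination CIDR, pcx id) each VPC needs for every direct peering.
    Only direct peers appear: if A peers B and B peers C, A gets no route to C (non-transitive)."""
    routes = {name: [] for name in vpcs}
    for pcx_id, (x, y) in peerings.items():
        if not can_peer(vpcs[x], vpcs[y]):
            raise ValueError(f"{pcx_id}: {x} and {y} have overlapping CIDRs")
        routes[x].append((vpcs[y], pcx_id))
        routes[y].append((vpcs[x], pcx_id))
    return routes

# Constructed sample: three VPCs and two peerings forming the chain A-B-C; pcx ids are placeholders.
VPCS = {"A": "10.0.0.0/16", "B": "10.1.0.0/16", "C": "10.2.0.0/16"}
PEERINGS = {"pcx-aaaabbbb": ("A", "B"), "pcx-bbbbcccc": ("B", "C")}
```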
VPC Flow Logs do not perform deep packet inspection. They only provide metadata about the traffic such as the source, destination, and protocol.
Deep Packet Inspection (DPI): Traditional firewalls inspect basic data packet details such as sender, recipient, and data type, akin to checking a letter's address. Deep Packet Inspection (DPI), however, examines the packet's actual content, like opening the letter, enabling more precise control and filtering based on the contents, beyond merely the surface information.