VPC

Virtual Private Cloud: your private cloud


Overview

  • A logically isolated virtual network.

  • An AWS account comes with a default VPC network.

Features

VPC Peering

  • A network connection between 2 VPCs.

  • Non-overlapping CIDRs, non-transitive.

  • 1 VPC can have a maximum of 125 peering connections.

Benefits

  • Support peering between multiple accounts.

  • Inter-region: helps connect VPCs across regions.

  • Does NOT support transitive communication.

    • A peers with B, B peers with C -> A cannot talk to C.

  • It prevents:

    • Single Point of Failure.

    • Bandwidth bottleneck.

Establishing VPC peering

  1. The Requester sends a peering request to the Accepter.

  2. The Accepter accepts the peering request. If the peering is cross-account, both accounts must accept to activate it.

  3. Manually add a route for the peer VPC's IPv4 CIDR to the route tables in each VPC.

Step to peering
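The three steps above, modelled as an added example (not code from the original page): a non-overlap check before peering, the manual route each side adds with the pcx- connection as its target, and a lookup showing why A cannot reach C through B. VPC ids, CIDRs and pcx- ids are constructed.

```python
import ipaddress

# Constructed sample: three VPCs with non-overlapping CIDRs (hypothetical VPC ids).
VPCS = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.1.0.0/16", "vpc-c": "10.2.0.0/16"}

def can_peer(cidr_a, cidr_b):
    """Peering is only possible between non-overlapping CIDR blocks."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))

def add_peering(route_tables, vpcs, requester, accepter, pcx_id):
    """Step 3 of the page: once the accepter has accepted, each side adds a route for
    the peer's CIDR whose target is the peering connection (pcx-... id)."""
    if not can_peer(vpcs[requester], vpcs[accepter]):
        raise ValueError(f"{requester} and {accepter} overlap; peering is not allowed")
    route_tables.setdefault(requester, {})[ipaddress.ip_network(vpcs[accepter])] = pcx_id
    route_tables.setdefault(accepter, {})[ipaddress.ip_network(vpcs[requester])] = pcx_id

def next_hop(route_tables, src_vpc, dst_ip):
    """Longest-prefix match over src_vpc's route table; None means no route, i.e. the
    packet is dropped (the local VPC CIDR route is omitted to keep the model small)."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [net for net in route_tables.get(src_vpc, {}) if ip in net]
    if not matches:
        return None
    return route_tables[src_vpc][max(matches, key=lambda net: net.prefixlen)]

def build_example():
    """A<->B and B<->C are peered; A<->C is not (constructed pcx ids)."""
    rt = {}
    add_peering(rt, VPCS, "vpc-a", "vpc-b", "pcx-0aaa1111bbbb2222c")
    add_peering(rt, VPCS, "vpc-b", "vpc-c", "pcx-0ccc3333dddd4444e")
    return rt

if __name__ == "__main__":
    rt = build_example()
    print(next_hop(rt, "vpc-a", "10.1.5.5"))  # pcx-0aaa1111bbbb2222c
    print(next_hop(rt, "vpc-a", "10.2.5.5"))  # None: peering is non-transitive
```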

Egress-only internet gateway (like a NAT gateway for IPv6)

  • Allows outbound communication over IPv6 from instances in the VPC to the internet.

  • Only used for IPv6. If you want to enable outbound-only internet access over IPv4, use a NAT gateway.

AWS PrivateLink

  • Share services between different VPCs across AWS accounts.

  • Does NOT need VPC peering, public Internet, NAT gateway, or route tables.

  • Helps you securely and privately communicate with other AWS services.

VPC Endpoint

Privately connect to AWS services.

  • Provide private access to AWS services (S3, DynamoDB, CloudFormation, SSM) within the VPC.

  • VPC endpoint is a network gateway that allows communication between instances in a VPC and a service, such as Amazon S3, without requiring an Internet gateway or a NAT device.

  • Data transfer between the VPC and the service through a gateway VPC endpoint is free of charge.

  • There are 2 types:

    • VPC Interface endpoints: An ENI with a private IP address that serves as an entry point for traffic destined to services powered by AWS PrivateLink.

      • Link to one or several subnets (for multi-AZ HA)

      • Link to a security group

      • Communicate with the service using an endpoint-specific private DNS hostname.

      • By default, the standard DNS names for SQS and SNS will use the public endpoint and not the interface endpoint. You need to use the private endpoint DNS.

    • VPC Gateway endpoints: A gateway that is a target for a specified route in your route table. This type of endpoint is used for traffic destined to a supported AWS service, currently only Amazon S3 or Amazon DynamoDB.

      • Free of charge.

Traffic Mirroring

Copy network traffic from ENIs for further analysis.

VPC Flow logs

  • Capture information about the IP traffic going to & from ENIs.

  • Export logs to CloudWatch Logs, S3, or Kinesis Data Firehose.

  • 3 filter types: ACCEPT, REJECT, ALL.

  • Use Athena to analyze the logs.

After you create a flow log, you CANNOT change its configuration or the flow log record format. For example, you can't associate a different IAM role with the flow log, or add or remove fields in the flow log record. Instead, you can delete the flow log and create a new one with the required configuration.

Read flow logs

Sample record (default format, version 2):

2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK

| # | Field name | Example value | Description |
|---|---|---|---|
| 1 | version | 2 | The log stream version. If you see a value other than 2, check the VPC Flow Logs documentation. |
| 2 | account-id | 123456789010 | The AWS account ID of the account that owns the source network interface for the flow log. |
| 3 | interface-id | eni-1235b8ca123456789 | The ID of the network interface for which the traffic is recorded. |
| 4 | srcaddr | 172.31.16.139 | The source IP address of the traffic. |
| 5 | dstaddr | 172.31.16.21 | The destination IP address of the traffic. |
| 6 | srcport | 20641 | The source port of the traffic. |
| 7 | dstport | 22 | The destination port of the traffic. |
| 8 | protocol | 6 | The IANA protocol number of the traffic. For example, TCP is 6 and UDP is 17. |
| 9 | packets | 20 | The number of packets transferred during the capture window. |
| 10 | bytes | 4249 | The number of bytes transferred during the capture window. |
| 11 | start | 1418530010 | The start time of the capture window in Unix seconds. |
| 12 | end | 1418530070 | The end time of the capture window in Unix seconds. |
| 13 | action | ACCEPT | The action that is applied to the traffic. Possible values are ACCEPT, REJECT. |
| 14 | log-status | OK | The status of the delivery of the log events to CloudWatch Logs. Possible values are OK, NODATA, and SKIPDATA. |
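A parser for the 14-field record format in the table above, plus a small detection pass over it, as an added example that is not part of the original page. The first sample record is the page's own; the remaining records are constructed (203.0.113.0/24 is a documentation address range) to exercise REJECT handling and the "-" placeholders that appear when log-status is NODATA or SKIPDATA.

```python
from collections import defaultdict

# Default (version 2) flow log record format, in the column order of the table above.
FIELDS = ["version", "account-id", "interface-id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log-status"]
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: the first record is the page's example; the rest are made up
# to exercise REJECT records and a NODATA record whose traffic fields are "-".
SAMPLE_LOG = """\
2 123456789010 eni-1235b8ca123456789 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.21 49152 22 6 1 40 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.21 49153 3389 6 1 40 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 203.0.113.12 172.31.16.21 49154 445 6 1 40 1418530010 1418530070 REJECT OK
2 123456789010 eni-1235b8ca123456789 - - - - - - - 1418530010 1418530070 - NODATA
"""

def parse_record(line):
    """Parse one space-separated record into a dict: "-" (used when log-status is
    NODATA/SKIPDATA) becomes None, numeric fields become ints."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["version"] != "2":
        raise ValueError(f"unsupported flow log version {rec['version']}")
    for name in FIELDS:
        if rec[name] == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(rec[name])
    return rec

def rejected_ports_by_source(lines, min_ports=3):
    """Detection over metadata only (flow logs carry no payload): sources whose
    rejected TCP flows touched at least min_ports distinct destination ports."""
    seen = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["log-status"] != "OK" or rec["action"] != "REJECT" or rec["protocol"] != 6:
            continue
        seen[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    print(rejected_ports_by_source(SAMPLE_LOG.splitlines()))  # {'203.0.113.12': [22, 445, 3389]}
```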

Security

Cost

  • Free

  • But other features, such as NAT Gateway, VPC..., are charged.

Best practice

Trivia

  • CIDR blocks of subnets cannot overlap.

  • The peering connection id has prefix pcx-

  • Default VPC has Internet connectivity, so all EC2 instances inside it have public IPv4 addresses.

  • 1 AWS account has up to 5 VPCs per region. Need more? Go to Service Quotas to request an increase from AWS support.

  • IPv4 is supported by default and cannot be turned off. On the other hand, IPv6 is optional, so you need to turn it ON if needed.

  • The allowed block size in a VPC is between a /16 netmask (65,536 IP addresses) and a /28 netmask (16 IP addresses).

  • VPC Flow Logs do not perform deep packet inspection. They only provide metadata about the traffic such as the source, destination, and protocol.

Concepts

  • Deep Packet Inspection (DPI): Traditional firewalls inspect basic data packet details such as sender, recipient, and data type, akin to checking a letter's address. Deep Packet Inspection (DPI), however, examines the packet's actual content, like opening the letter, enabling more precise control and filtering based on the contents, beyond merely the surface information.
