Amazon AWS Certified Developer Associate – Virtual Private Cloud (VPC)

1. VPC Overview

Okay, so how does Amazon define what a VPC is? Well, Amazon Virtual Private Cloud, or Amazon VPC lets you provision a logically isolated section of the Amazon Web Services Cloud, where you can launch your AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address ranges, creation of subnet, and configuration of root tables and network gateways.

Now, if you don’t know what any of this is, don’t worry. As soon as we get a bit more hands on, you’re going to learn all about this in a very practical fashion. You can easily customize the network configuration of your Amazon Virtual Private Cloud. For example, you can create public facing subnets for your web servers that have access to the Internet. And then you can place your back end systems such as databases or application servers in a private facing subnet that have no Internet access.

So you can protect your DB servers, your application servers, from attackers by putting them in private subnets. You can leverage multiple layers of security, including security groups and network access control lists to help control access to Amazon EC, two instances in each subnet. And additionally, you can create hardware VPN connections between your corporate data center and your VPC and basically leverage the AWS cloud as an extension of your corporate data center.

And really what they’re talking about there is hybrid cloud. So you connect up your corporate data center with your Amazon VPC and you can extend your data center up into AWS. So this all sounds a little bit complicated. Let’s have a look at a network diagram to make our lives a little bit easier. And don’t worry, as we go through in the next lecture and build out our own VPCs, we’ll keep referring back to this diagram as to what it is we’re actually doing. So the red line on the outside, we’ve got our region. In this example, I’m using US East one, and then we have our VPC. So our VPC we’re going to define. In this particular example, we’re going to define the IP address range as ten 00:16.

Now that network address range is basically a private network address and there’s a document called RFC 1918 and it defines three different private IP address ranges that’s commonly used all around the world. So we have our eights, which is 100, and almost everyone in the enterprise, and almost all companies use that as their internal network address. Then we’ve got a slash twelve, which is one 72160, and that can go up to one 7231 and then 255255, et cetera.

And then we have our slash 16. And this is the most common that we actually use for our home networking. So it’s 192168 and then O and you can change any of the numbers after that. Now, when we’re using VPCs, we can only ever the maximum addressable size that Amazon gives us is 16. So you’re always going to use a 16 network. And most commonly throughout the rest of this course, we’re just going to use 100. And as I just said, the largest network size that you can have is a slash 16.

So we’re always going to use a 16 network address. So let’s have a look at how it all actually works. So we have two routes of entry into our VPC. We’ve got our Internet gateway, which is how we connect to the Internet, or how the Internet connects to us, depending on which way you want to look at it. And then we have our virtual private gateway. And this is basically where we’re going to terminate our VPN connections. So we might have a site to site VPN between our VPC and our data center. And that will go through our virtual private gateway. Once the traffic comes in, either through our Internet gateway or virtual private gateway, it’s then going to be routed. And how it’s routed depends on what we define in our route tables. We then basically it goes through what’s called a network Access control list. And this is actually sometimes referred to as the second line of defense. And you’ll see why in the next lecture. And then we basically go through from the network ACL. We’re going into our different subnets now. So our subnets can be public or private. Public just means that they are internet accessible. Private means that they’re not internet accessible. So the internet cannot directly access anything in our private subnets where it can in our public subnets.

So typically in your public subnets, you might put either your web servers or you might put what’s called a bastion host or jump box. And I’ll go through what that is in another lecture. And then in our private subnets, we would typically put our database servers or our application servers, anything we want to protect from the Internet. So once we got our subnets, we then have our security groups. Important thing to remember is security groups and network ACLs can span subnets. So you can have a security group stretched across two, three, four different subnets. And then of course you can do the same with network ACLs that again, they can span subnets. And then finally we have our instances. So I want you to think of our subnet. We’re always going to have different address ranges, so we’re going to have 100, 10, 210, 30, et cetera. It just makes it really easy. Each subnet is always mapped directly to an Availability Zone. And I cannot stress this enough, the number of times this type of question comes up on the exam. Whichever associate exam you’re doing, it is so important going into the exam remembering that one subnet always equals one Availability Zone. You cannot span subnets across multiple Availability Zones. And so just remember, subnets by their addresses.

So you’re going to have 123040, et cetera. And again, guys, if this is all sounding a bit confusing. As we go into the labs and we start creating our own custom VPCs, this gets easier. But the one thing you must remember is things like security groups can span multiple subnets, multiple availability zones. Obviously. Same with network ACLs, same with root tables. But what cannot span multiple availability zones is subnets. So when you define a subnet, when you define a network address range for that subnet, it is locked down to an individual availability zone. And that’s definitely worth a few questions in the exam, no matter what exam you’re doing. So what can you do with the VPC? Or you can launch instances into a subnet of your choosing. They could be public or private.

You can assign custom IP address ranges in each subnet. You can configure the root table for those subnets. And that root table is basically going to define whether or not a subnet is going to be public or whether or not it’s going to be private. We can create an Internet gateway and attach it to our VPC. It’s also very important to remember going into any of the exams that you can only have one internet gateway per VPC. You might be throwing some troubleshooting questions saying that your internet connection is running slow, how do you boost this? And one of the answers might be something like you’ve got to add an additional internet gateway to double the speed to your VPC. It just doesn’t work like that. One internet gateway can only be attached to one VPC.

You can’t attach multiple internet gateways. We also have much better security over your AWS resources. And it also allows us to create instance security groups. So those are security groups that you are used to using from previous lectures. The thing to note about security groups is that they’re stateful. So basically if you create a rule allowing Http into your security group, by default Http is allowed out of the security group. Whereas with subnet access control list they’re called stateless.

And basically if you create a rule allowing a rule allowing Http traffic into your access control list, your network access control list, you also have to then create a rule allowing it back out again. And that’s called stateless. And again we’re going to have a lecture just on VPC security because it is quite important to understand the difference between your security groups versus your network access control lists. Okay, so quickly just want to talk about default VPCs versus custom VPCs. Basically when you create your AWS account, you’re going to have default VPCs in every single region around the world. And the reason for that is they just want to make it easy for you to deploy EC.

Two instances immediately you don’t have to worry about configuring or setting up a VPC. Amazon want to make it as simple as possible. So with the default VPC it’s important to remember that all subnets in the default VPC have a route out to the internet automatically. So that is to say they’re all public. There’s no such thing as a private subnet inside a default VPC automatically.

You have to go in and create it. Each EC two instance that you deploy into your default VPCs is always going to have a public and a private IP address by default. And of course you can tell Amazon to just keep it as a private IP address if you want, but by default it’s always going to have a public one. And then if you delete the default VPC, the only way to get it back is to contact AWS and you have to go in and raise a ticket and they then restore it. So don’t delete your default VPCs if you can. And finally, I just wanted to talk about VPC Peering. We are going to have a lecture dedicated to this, just showing you how to do it. But basically you can have multiple VPCs in a region.

VPC Peering allows you to connect one VPC with another viral direct network route using private IP addresses. So that is to say it’s not going to go back out over the Internet. You can have a VPC that you have your monitoring servers in, that you have active directory in that you have your antivirus servers in almost like an administration VPC and then you can connect that up to perhaps your production VPC. You might have a test VPC, you might have a dev V PC and you can connect them all together. And that’s called VPC Peering and it’s done via direct network connection over private IP addresses. Instances behave as if they’re on the same private network and you can peer VPCs with other AWS accounts as well as other VPCs in the same account.

So you might have a separate AWS account for your production environment than you do from your test and dev environment. You can still have peer those VPCs together using private IP addresses. Peering is always done in a star configuration and this means that there’s one central VPC peers with others. You cannot do Transitive Peering. And again, this comes up so often in any of the associate exams. They’ll talk about VPC peering, especially in the Systops administrator and the solutions Architect associate. You just have to remember that there’s no such thing as Transitive peering. So what do I actually mean by transitive peering? Well, let’s start with this example.

So here we’ve got basically five VPCs. So we’ve got VPC, ABCD and E. Vpca is in the middle and it is pairing with VPCC. It’s also paired with VCP, it’s also paired with Vpcb, Vpcd and Vpce. So if we want Vpcb to talk to VPCC, basically we have to create a peer between those VPCs. Vpcb cannot talk to VPCC via Vpca. So that’s what we mean by Transitive peering. And basically if you want all your VPCs to have the ability to talk to each other. You have to set up all the links individually. You cannot talk to one VPC via another VPC, so hopefully that makes sense. You cannot do transitive peering with Amazon VPC currently, and that is definitely a very popular exam topic. Okay, so you guys have been very patient. We are at the end of this lecture, let’s just have a look at my exam tips.

So think of a VPC as a logical data center. In AWS. It consists of Internet gateways or virtual private gateways. If you’ve got a VPN connection coming in, route tables, network Access Control lists, subnets, and security groups. One subnet always equals one availability zone. I cannot stress that enough. One subnet equals one availability zones. You cannot span your subnets across multiple Availability Zones. Security groups are stateful, and Network Access Control lists are stateless.

And we’re going to have a whole lecture on basically the difference between the two, as well as just general VPC security. And last but not least, you cannot do transitive peering. So you cannot peer one VPC to another via a third VPC. But you can peer VPCs with each other directly, and they can be in the same AWS account, or they can be in different AWS accounts. It does not matter. So don’t worry if this has been a little too technical or a little too heavy for you. It does get easier.

You will learn heaps in the next lecture when we go out and build our own custom VPC. By the end of this section of the course, I really want you to be able to build out your own VPCs from memory, and that will really, really help you in the exam. And then you should be really, really set to absolutely smash any networking questions in the exams. And we will obviously, at the end of this section of the course, have an exam tips roundup of everything you need to know about VPCs. So that’s it from me, guys. If you’ve got the time, please join me in the next lecture. Thank you.

• Category: Uncategorized