AWS Networking and Content Delivery: Amazon VPC
Amazon Virtual Private Cloud (VPC) is the foundational networking layer for AWS. It allows you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
Core Concepts
1. IPv4 CIDR Blocks & Subnets
When you create a VPC, you assign it an IPv4 CIDR block (e.g., 10.0.0.0/16). You then divide this into Subnets. Subnets are tied to a specific Availability Zone (AZ).
- Public Subnet: Includes a route to an Internet Gateway (IGW).
- Private Subnet: Does not have a direct route to the IGW; usually uses a NAT Gateway for outbound traffic.
- Reserved IPs: AWS reserves 5 IP addresses in every subnet (the first 4 and the last 1).
2. Internet Gateway (IGW) vs. NAT Gateway
An Internet Gateway allows resources in your VPC to connect to the internet. It is horizontally scaled, redundant, and highly available. A NAT Gateway allows instances in a private subnet to connect to the internet (e.g., for software updates) but prevents the internet from initiating a connection with those instances.
3. Security: SGs vs. NACLs
This is a high-probability exam topic. Understanding the difference between stateful and stateless filtering is crucial.
| Feature | Security Group (SG) | Network ACL (NACL) |
|---|---|---|
| Level | Instance level (ENI) | Subnet level |
| Statefulness | Stateful (Return traffic allowed) | Stateless (Return traffic must be explicitly allowed) |
| Rules | Allow rules only | Allow and Deny rules |
| Evaluation | All rules evaluated | Processed in number order |
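The stateful/stateless distinction in the table is easiest to see in code. The following is an added example (not from the original guide) that models NACL evaluation in rule-number order with an implicit final deny, next to the stateful Security Group behaviour; the rule sets are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Set

@dataclass
class NaclRule:
    number: int       # NACL rules are evaluated in ascending rule-number order
    protocol: str     # "tcp", "udp", or "-1" meaning all protocols
    port_from: int
    port_to: int
    action: str       # "allow" or "deny"

def nacl_evaluate(rules: List[NaclRule], protocol: str, port: int) -> str:
    """Stateless evaluation of one packet: the lowest-numbered matching rule wins
    and the implicit final '*' rule denies anything left unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol in ("-1", protocol) and rule.port_from <= port <= rule.port_to:
            return rule.action
    return "deny"

def nacl_https_session(inbound: List[NaclRule], outbound: List[NaclRule],
                       client_port: int) -> bool:
    """A client on an ephemeral port opens a TCP/443 session into the subnet.
    The request is matched against inbound rules (dst port 443) and, because a
    NACL keeps no connection state, the reply is matched separately against the
    outbound rules (dst port = the client's ephemeral port)."""
    request_allowed = nacl_evaluate(inbound, "tcp", 443) == "allow"
    reply_allowed = nacl_evaluate(outbound, "tcp", client_port) == "allow"
    return request_allowed and reply_allowed

def sg_https_session(inbound_ports: Set[int]) -> bool:
    """Stateful Security Group: only allow rules exist, all of them are evaluated,
    and once the inbound request matches, the reply is permitted automatically."""
    return 443 in inbound_ports

# Constructed sample rule sets (not taken from any real account)
INBOUND_HTTPS = [NaclRule(100, "tcp", 443, 443, "allow")]
OUTBOUND_EMPTY: List[NaclRule] = []                        # only the implicit deny
OUTBOUND_EPHEMERAL = [NaclRule(100, "tcp", 1024, 65535, "allow")]
# A lower-numbered deny beats a later allow for the same port
INBOUND_DENY_FIRST = [NaclRule(50, "tcp", 443, 443, "deny")] + INBOUND_HTTPS

if __name__ == "__main__":
    print("NACL, no ephemeral outbound rule:", nacl_https_session(INBOUND_HTTPS, OUTBOUND_EMPTY, 50000))
    print("NACL, ephemeral outbound rule:   ", nacl_https_session(INBOUND_HTTPS, OUTBOUND_EPHEMERAL, 50000))
    print("NACL, deny rule numbered first:  ", nacl_https_session(INBOUND_DENY_FIRST, OUTBOUND_EPHEMERAL, 50000))
    print("SG, stateful:                    ", sg_https_session({443}))
```

The first case is the classic NACL mistake: inbound 443 is allowed, but with no outbound rule for ephemeral ports the reply is dropped and the session never completes.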
VPC Connectivity Options
- VPC Peering: Connects two VPCs using AWS’s private network. Traffic is encrypted. Note: No transitive routing (VPC A to B to C does not allow A to C).
- VPC Endpoints: Connect to AWS services privately without an IGW or NAT.
  - Interface Endpoints: Use PrivateLink (an ENI with a private IP). Costs money.
  - Gateway Endpoints: Only for S3 and DynamoDB. Free.
- Transit Gateway: A hub-and-spoke model to connect thousands of VPCs and on-premises networks.
Decision Matrix: If-Then Guide
| If the requirement is… | Then choose… |
|---|---|
| Private access to S3/DynamoDB cost-effectively | Gateway VPC Endpoint |
| Outbound-only IPv6 traffic from private subnet | Egress-only Internet Gateway |
| Scale networking across hundreds of accounts/VPCs | AWS Transit Gateway |
| Monitoring IP traffic flow in the VPC | VPC Flow Logs |
Exam Tips and Gotchas
- NAT Gateway High Availability: NAT Gateways are redundant within an AZ, but not across AZs. If an AZ goes down, the NAT Gateway in it goes down. Architecture tip: Create one NAT Gateway per AZ for fault tolerance.
- Bastion Hosts: Used to SSH/RDP into private instances. Must be in a Public Subnet. Exam Distractor: AWS Systems Manager (SSM) Session Manager is now the preferred “modern” way to access instances without a Bastion.
- DNS Resolution: Ensure `enableDnsSupport` and `enableDnsHostnames` are set to true if you need AWS-provided hostnames for your instances.
- CIDR Overlap: You cannot peer two VPCs if their CIDR blocks overlap.
Topics covered:
Summary of key subtopics covered in this guide:
- VPC Fundamentals (CIDR, Subnets, AZs)
- Internet Connectivity (IGW, NAT Gateway, NAT Instance)
- VPC Security (Security Groups vs. NACLs)
- VPC Peering and Transit Gateway
- VPC Endpoints (Interface vs. Gateway)
- VPC Flow Logs and Monitoring
Amazon VPC Architecture Overview
Integration
CloudWatch: Monitor VPC Flow Logs for rejected traffic.
IAM: Control who can create subnets or modify route tables.
Route 53: Resolver for hybrid cloud DNS queries.
Scaling
Enhanced Networking: Use ENA for higher bandwidth and lower latency.
Global Accelerator: Improve availability by routing traffic over the AWS global network.
Optimization
Data Transfer: Same-AZ transfer is free. Inter-AZ transfer incurs costs.
Endpoints: S3 Gateway Endpoints are free; Interface Endpoints have hourly/processing fees.