AWS Cheat Sheet – VPC

Amazon VPC is the main networking service of AWS, make sure you know as much as you can about it with this cheat sheet.

General:

• VPC gives you total control of your virtual networking environment: selection of your IP ranges, creation of subnets, the configuration of route tables, virtual gateways, and it supports both IPv4 and IPv6.
• AWS accounts have a default VPC created in each region with a default subnet created in each Availability Zone. The assigned CIDR block of the VPC will be 172.31.0.0/16.
• You can create multiple VPCs within a region end each VPC is logically isolated from the other.
• You can have 100s of VPCs per Region for your needs even though the default quota is 5 VPCs per Region.

---

Subnets:

• A subnet is a segment of a VPC that resides entirely within a single Availability Zone.
• A subnet cannot span more than one Availability Zone. and you may create zero, one, or more subnets in each Availability Zone.
• All subnets in default VPC have an Internet gateway attached.
• Default VPCs contain one public subnet in every Availability Zone within the region, with a netmask of /20.
• The maximum size of a subnet is determined by the size of the VPC IPv4 CIDR range. The smallest subnet that you can create is a /28  (16 IPv4 addresses) and the largest will be a /16.
• A subnet is private when the associated route table does not contain a route entry targeting an Internet gateway.
• An IPv4/IPv6 subnet is public when the associated route table contains a route entry targeting an Internet gateway.

---

Route Tables:

• Your VPC automatically comes with the main route table that you can modify.
• You can create additional route tables for your VPC.
• Each subnet is associated with only one route table, which controls the routing for the subnet. If you don’t explicitly associate a subnet with a particular route table, the subnet uses the main route table.
• Each route in a table specifies a destination CIDR and a target for example traffic destined or 172.16.0.0/12 is targeted for the VGW.
• By default, the main route table doesn’t contain a route to an internet gateway.
• You can have 200 Route tables per VPC.

---

Security Groups (SG):

• Security groups act like a firewall at the instance level.
• Security groups support Allow rules only.
• With Security Groups AWS checks all rules to decide whether to allow traffic.
• Security groups are stateful. This means that responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules and vice versa.
• By default, no inbound traffic is allowed until you add inbound rules to the security group.
• By default, new security groups have an outbound rule that allows all outbound traffic.
• Instances associated with the same security group cannot communicate with each other unless you add rules to the security group allowing the security group to communicate within itself.
• You can change which security groups an instance is associated with after launch, and the changes will take effect in seconds.
• LIMITS :
  • You can create up to 500 security groups for each VPC.
  • You can add up to 50 inbound and 50 outbound rules to each security group.
  • You can associate up to five security groups with each network interface.

---

Network Access Control Lists (NACLs):

• NACLs act like a firewall at the subnet level.
• NACLs support both Allow and deny rules.
• NACLs are stateless this means that return traffic must be explicitly allowed by rules.
• With NACLs AWS Evaluates rules in number order to decide whether to allow traffic, starting from the lowest number (The highest rule number is 32766).
• Each network ACL has a final deny all rule that you cannot change.
• The default network ACL allows all inbound and outbound traffic for IPv4.
• VPCs are created with a modifiable default network ACL associated with every subnet.
• You can block IP addresses using NACLs not Security Groups
• You can have 200 Network ACLs per VPC, 20 Rules per network ACL.

---

SGs VS NACLs:

It’s important that you know the differences between these two security elements for that we have written an entire article, Check it out!

---

Internet Gateways:

• Internet Gateway is a VPC component that allows communication between instances in your VPC and the Internet. It’s highly available, redundant and horizontally scaled.
• VPC can have only one IGW in your VPC.
• The Internet gateway translates any private source IPv4 address to the associated public IPv4 address.
• You can have 5 Internet gateways per Region.

---

(NAT) Instances and NAT Gateways:

(NAT) Instances:

• AWS provides NAT instances to allow IPv4 instances deployed in private subnets to gain outbound Internet access in order to apply security patches, update application software, or make Application Programming Interface (API) calls to Internet endpoints.
• A NAT instance is an Amazon Linux AMI designed to accept traffic from instances within a private subnet and translate the source IPv4 addresses to the private IPv4 address of the NAT instance and forward the traffic to the internet gateway.
• A NAT instance should be placed in a public subnet.
• To allow instances within a private subnet to access Internet resources through the Internet gateway via a NAT instance:
  • Create a security group for the NAT instance with outbound rules that specify the needed Internet resources by port, protocol, and IP address. 
  • Launch an Amazon Linux NAT AMI as an instance in a public subnet and associate it with the NAT security group. If you did not launch your NAT instance with a public IPv4 address, allocate an Elastic IP address and associate it with the NAT instance. 
  • Disable the Source/Destination Check attribute of the NAT instance (it’s important)
  • Configure the route table associated with the private subnet to direct Internet-bound traffic to the NAT instance.

NAT Gateways:

• t’s recommended to use a NAT gateway rather than a nat instance because they provide better availability, higher bandwidth and acquire less management.
• A Nat Gateway is an AWS resource that is like a NAT instance in terms of functionality but it’s a lot easier to manage and highly available within an Availability Zone.
• To allow instances within a private subnet to access Internet resources via a NAT gateway, you must do the following:
  • Create a NAT gateway in a public subnet.
  • Allocate and associate an IPv4 Elastic IP address with a NAT gateway. 
  • Configure the route table associated with the private subnet to direct Internet-bound traffic to the NAT gateway.
• You can have 5 NAT gateways per Availability Zone

---

Egress-Only Internet Gateways (EIGWs):

• The EIGW is a horizontally scaled, redundant, and highly available VPC component that allows outbound communication over IPv6 from your instances to the Internet.
• It prevents traffic originating on the Internet from connecting to your instances
• Unlike a NAT instance or a NAT gateway, the EIGW performs no address translation function. The instance IPv6 address is visible end to end.
• You can have 5 Egress-only internet gateways per Region.

---

Virtual Private Gateways (VGWs), Customer Gateways, and Virtual Private Networks (VPN):

• The virtual private gateway (VGW) is a logical construct in your VPC that provides edge routing for AWS managed VPN connections and AWS Direct Connect.
• the VGW manages edge routing information that is separate from your VPC route tables.
• A customer gateway represents the physical device or software application on the remote end of the VPN connection. The customer gateway must have a static IPv4 address
• Once the VGW and the customer gateway have been created, the last step is to create a VPN connection.

---

VPC Endpoints:

• Allows internal resources such as EC2 instances to reach various AWS services without having to traverse the public internet to get to the service.
• When you use an endpoint, the source IP address from your instances in your affected subnets for access to the AWS service in the same region will use private IP addresses instead of public IP addresses.
• When configuring VPC endpoints, existing connections from your affected subnets to the AWS service that use public IP addresses may be dropped.
• There are two types of VPC Endpoints:
  • Interface Endpoints:
    • Interface endpoints use an elastic network interface in your VPC with a private IP address that serves as an entry point for traffic destined to a supported service.
  • Gateway Endpoints:
    • Gateway endpoints use a route table target for a specified route in your route table for supported services.

---

VPC Peering:

• The connection between two VPCs that enables you to route traffic between them using private IP addresses via a direct network route.
• Instances in either VPC can communicate with each other as if they are within the same network.
• There is no transitive peering between VPC peers (Can’t go through 1 VPC to get to another).

• Be mindful of IPs in each VPC, if multiple VPCs have the same IP blocks, they will not be able to communicate!
• You can peer VPC’s with other AWS accounts as well as with other VPCs in the same account.
• You can establish peering relationships between VPCs across different AWS Regions (also called Inter-Region VPC Peering).
• There is NO single point of failure for communication nor any bandwidth bottleneck.

---

Elastic Network Interfaces:

• a default ENI, eth0, is attached to an instance which cannot be detached with one or more secondary detachable ENIs.
• has primary private, one or more secondary private, public, Elastic IP address, security groups, MAC address and source/destination check flag attributes associated.
• AN ENI in one subnet can be attached to an instance in the same or another subnet, in the same AZ and the same VPC.

---

Elastic IP addresses:

• An Elastic IP address is a static, public IPv4 address that you can allocate to your account (pull from the pool) and release from your account (return to the pool).
• You must first allocate an Elastic IP address within a VPC and then assign it to an instance.
• Elastic IP addresses are specific to a region. An Elastic IP address in one region cannot be assigned to an instance within a VPC in a different region.
• Elastic IP addresses remain associated with your AWS account until you explicitly release them.
• all AWS accounts are limited to five (5) Elastic IP addresses per region.

---

VPC Flow Logs:

• VPC Flow Logs is a feature that enables the user to capture information about the IP traffic going to and from network interfaces in your VPC.
• You cannot enable flow logs for VPC’s that are peered with your VPC unless the peer VPC is in your account.
• After you have created a flow log, you cannot change its configuration, for example, you can not associate a different role with the flow log.
• Flow log data is stored using Cloudwatch Logs.
• VPC Flow Logs can be set at 3 levels: VPC-Subnet-Network interface.
• Not all traffic is monitored.

---

VPC Pricing:

• You will be charged on the three components below:
  • NAT Gateways (per hour)
  • VPC Endpoints
  • VPN Connection (per hour)
• Be aware that if you do not use the Elastic IP you will be charged the inactivity fee.

---

VPC video from AWS:

---

VPC practice questions:

VPC practice questions (Associate level).

---

Notice: we keep updating this material.

AWSBOY Cheat sheets:

AWS Cheat sheet – S3

AWS Cheat sheet – RDS

AWS Cheat sheet – EC2

AWS Cheat sheet – IAM

AWS Cheat sheet – Route53

You can report a mistake or suggest new points to add to this VPC cheat sheet…let us know in the comment section!