VPC
Imagine an on-prem network with routers, sub-netting, routing tables, and computing resources… except in the cloud. Yep, that is what a Virtual Private Clouds is… a foundational infrastructure components much like IAM and EC2.
VPC Networking Components
- Elastic IP Addresses - A static IP address that can easily be allocated and remapped to another computer resource; 5 per AWS account by default.
- Internet Gateway - one gateway per VPC; detached upon creation.
- Elastic Networks Interfaces - a virtual network interface that you can remap and assign to other instances; includes a non-changing MAC address
- Elastic IP addresses - a public IP address you can map to an ENI; costs money if it is allocated yet not used or more than one is attached to an instance
- Routing Tables - each subnet has only one routing table but one routing table can be shared by many subnets; creating a custom routing table
- Customer Gateway - a vpn endpoint inside a VPC that allows computers in the corporate network access the VPC resources
- DHCP options set - change the VPC DHCP settings; might change to use internal on-prem DNS
enableDnsHostname
enables DNS entries for public IP addresses on EC2 instances givenenableDnsSupport
is enabled for the VPC.- Secondary CIDR blocks - as of Aug of 2017 you can add additional CIDR blocks to your VPC…
VPC Limits
Limits per Region:
- 5 VPC per Region
- 200 subnets per VPC
- 50 customer gateways
- 5 internet gateways
- 5 Elastic IP
- 50 VPN connections
- 500 Security Groups
Types of VPC
-
Default VPC - A default VPC gives users easy access to computing resources with now configuration at all. The default VPC has a default internet gateway, a default private IP and a default public IP. A default VPC
can be deleted and can only be restored by contacting AWScan be created and deleted - in fact, there isn’t a default VPC in new accounts. -
Non-Default VPC - By default, an instance in a non-default VPC is not assigned a public IP addresses; no internet gateway is attached by default
Features
VPC Tenancy
When creating a new VPC and using the default options, all hardware is uses shared tenancy; using the “dedicated” option makes everything, including EC2 instances, on dedicated hardware - think more expensive.
Subnets
Subnets cannot span availability zones and can use a block size between /28 and /16 and can’t overlap. 5 IP addresses per subnet are reserved:
- 10.0.0.0 - network address
- 10.0.0.1 - router
- 10.0.0.2 - DNS
- 10.0.0.3 - Future use
- 10.0.0.255 - VPC don’t support IP broadcast or multicast; so AWS reserved it
Network Address Translation (NAT)
NAT solves a basic problem: say an EC2 instances in a private subnet can’t access the Internet therefore can not access updates via a package manager. Both a NAT instance and NAT gateway can solve this problem. There are two ways to implement NAT in a VPC:
NAT Instance
A NAT instance, which is a special purpose EC2 instances, is one solution but a bit old school (in a bad way). NAT instances can only be scaled vertically. You have to disable source/destination checks on the instance to make it work and modify the route table for the private subnets.
An instance needs an public IP address in addition to having a route in order to access the Internet. For a NAT instance to route properly you need to disable the “Source/Destination Check” option AND there needs to be a route from the private subnet to the NAT instance.
NAT Gateway
A NAT Gateway is a fully managed AWS service that is way more practical and easier to implement. The service enables from 5 Gbps to 45 Gbps per gateway and many gateways can be used; a HA configuration requires creating a NAT in each AZ. Assign an Elastic IP to modify the source IP from traffic traversing the IGW. You cannot route traffic to a NAT gateway through a VPC peering connection, a Site-to-Site VPN connection, or AWS Direct Connect. For each AZ using a NATGW, configure the route table to use it.
DHCP Option Sets
The pool of IP address a client can request is also called a scope; usually a CIDR block. A reservation is for fixed addresses, and, if screwed up, can cause IP conflicts.
DHCP option sets include DNS servers, VOIP servers, leases, subnets, and other configuration information and are associated with a VPC. You can’t modify an options set; you must create a new one and attach it.
VPC Peering
VPC peering - allow you the ability to directly route between two VPC using private IP addresses - this might also be configured to share VPC between AWS accounts and inter-region. There are no single points of failure, bandwidth limitations, and does not require any hardware. VPC peering is NOT transitive. Peering requires changes to VPC route tables to communicate; the longest prefix (the most specific route) is selected.
Limitations and issues with peering include:
- 50 peers per VPC soft limit; 125 by request
- Placement groups CAN span peered VPC, but you won’t get full bandwidth
- Private DNS values cannot be resolved between instances in peered VPCs
- Routes must be established for peering to work, and SG must cooperate too
Invalid Peering Configurations include:
- Overlapping CIDR blocks will not work
- Transitive Peering
- Edge-to-Edge Routing scenarios through a IGW, VPN, Direct Connect, private connection, S3/DynamoDB end-points, NAT
VPC Peering Setup Process
- Requester sends request to accepter
- Accepter accepts
- Both Accepter and Requester must setup routes using private IP address ranges
- Both Accepter and Requester must enable SG ingress rules referencing the peered network SG
VPC Security
-
Security Groups - firewall port filtering at the instance level renamed; allows filtering inbound and outbound; return traffic is allowed so it is state-ful; supports allow rules only. Sort of obvious: you can’t explicitly block a port; you can only allow ports with SG. By default all custom outbound traffic is allowed but all inbound traffic is blocked; in the default security group all traffic is enabled.
-
Network Access Control List - firewall port filtering at the subnet level renamed; allows filtering inbound and outbound; return traffic is not specifically allowed so it is stateless; Each ACL rule has a number and rules are evaluated ascending; Best practice is to create rule numbers by
5100 so other rules can be added later; once rules are added all other traffic is denied by default. A network ACL are evaluated before security groups. Only 1 ACL per subnet and they encompass and over-write the permissions defined there. Rules are evaluated ascending; deny rules should appear before allow rules.
Network Access Control Lists vs Security Groups
-
Security Groups - firewall port filtering at the ENI level; return traffic is allowed so it is state-ful; supports allow rules only. SG can reference other SG across-account or peering connection with another VPC.
-
Network Access Control List - firewall port filtering at the subnet level renamed; allows filtering inbound and outbound using both deny and allow rules; return traffic is not specifically allowed so it is stateless. Each ACL rule has a number and rules are evaluated ascending; once rules are added all other traffic is denied by default.. best practice is to create rule numbers by 5 so other rules can be added later. A network ACL overrides security groups. Only 1 ACL per subnet and each subnet MUST have an ACL. Unlike IAM or Security groups in a Network ACL an explicit allow overrides an explicit deny if allow is a higher rule number.
IPV6 Support
Easy to implement with some support in AWS services. Steps:
- Create IPv6 CIDR for VPC and add IGW (which support IPv6)
- Add route from public subnets routing to IGW using
::/0
which is short hand for all traffic - Create Egress-only Internet Gateway in public subnet and add route to it from private subnets
Networking Costs
- Within AZ, private IP? Free
- Cross AZ, private more? costs cheap.
- Cross AZ, public IP? costs more (because it accesses Internet & also goes through IGW)
- Cross regions? costs even more.
Triage
- Need to provide access to Internet from private subnet? NAT Gateway
- Need to provide RDP/SSH Agent forwarding? Bastion (or simply use SSM Session Manager)
- Need a HA bastion? NLB (or Classic but NOT ALB) on a static IP, bastion in each AZ (sort of expensive) OR Bastion in single AZ with an EIP that can be moved using a user data script (less expensive but will result in downtime)
- Add additional IP address space to VPC? Add secondary CIDR block