
AWS Virtual private cloud


Explanation of AWS VPC elements and VPN networks


  1. AWS Virtual Private Cloud (Jemy Samuel)
  2. Virtual Private Cloud
     • Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
     • In other words, a VPC is a master address range in the Amazon cloud which you then split into smaller subnets.
  3. VPC Elements
     1) Subnets: a range of IP addresses in your VPC.
     2) Route tables: a set of rules, called routes, that determine where network traffic is directed.
     3) Internet Gateways: a VPC component that allows communication between instances in your VPC and the internet.
     4) Elastic IPs: a static public IPv4 address, reachable from the internet, that can be assigned to your instance.
     5) Endpoints: let you privately connect your VPC to supported AWS services that reside outside your VPC.
     6) NAT (Network Address Translation): enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances.
  4. VPC Elements (continued)
     7) VPC Peering: a networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses.
     8) Network ACLs: an optional layer of security for your VPC that acts as a firewall controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
     9) Security Groups: act as a virtual firewall for your instance to control inbound and outbound traffic.
     10) VPN: AWS Virtual Private Network solutions establish secure connections between your on-premises networks, remote offices, client devices, and the AWS global network.
     11) Elastic Network Interfaces (ENI): like a network card attached to an instance.
     12) DHCP (Dynamic Host Configuration Protocol): sets configuration parameters related to IP addressing for instances.
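An added example (not part of the slide deck) showing how the two firewall layers from elements 8 and 9 evaluate an inbound packet differently: a network ACL is stateless and ordered (lowest rule number that matches wins, implicit deny otherwise), while a security group is a stateful allow-list where any matching rule permits the flow. All rules and addresses below are constructed sample data.

```python
import ipaddress

# Constructed sample network ACL for a subnet, not from the slide deck.
# Tuples are (rule_no, action, protocol, source CIDR, from_port, to_port).
NACL_INBOUND = [
    (100, "allow", "tcp", "0.0.0.0/0", 443, 443),
    (110, "deny",  "tcp", "198.51.100.0/24", 22, 22),  # constructed blocklist range
    (120, "allow", "tcp", "0.0.0.0/0", 22, 22),
    (130, "allow", "tcp", "0.0.0.0/0", 1024, 65535),  # ephemeral ports for return traffic
]

# Constructed sample security group on the instance: allow rules only.
SG_INBOUND = [
    ("tcp", "203.0.113.0/24", 22, 22),   # constructed "corporate" range for SSH
    ("tcp", "0.0.0.0/0", 443, 443),
]


def _matches(proto, cidr, lo, hi, pkt):
    """True if the rule covers this packet's protocol, source and destination port."""
    return (proto in ("all", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(cidr)
            and lo <= pkt["dport"] <= hi)


def nacl_allows(rules, pkt):
    """Stateless and ordered: the lowest-numbered matching rule decides; no match -> deny."""
    for _rule_no, action, proto, cidr, lo, hi in sorted(rules):
        if _matches(proto, cidr, lo, hi, pkt):
            return action == "allow"
    return False


def sg_allows(rules, pkt):
    """Stateful allow-list: a packet opening a new flow needs any one matching allow rule."""
    return any(_matches(proto, cidr, lo, hi, pkt) for proto, cidr, lo, hi in rules)


def subnet_admits(pkt):
    """An inbound packet must pass the subnet's NACL first, then the instance's security group."""
    return nacl_allows(NACL_INBOUND, pkt) and sg_allows(SG_INBOUND, pkt)
```

Note that rule 110 only blocks SSH from the listed range because it sorts before the broader rule 120; swapping the numbers would silently make the deny unreachable.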
  5. VPC Elements (continued)
     13) ClassicLink: allows you to link EC2-Classic instances (instances created on the original platform, which reside outside a VPC) to a VPC in your account within the same Region. You associate VPC security groups with the EC2-Classic instance; this enables communication between your EC2-Classic instance and instances in your VPC using private IPv4 addresses. ClassicLink is available to all users with accounts that support the EC2-Classic platform and can be used with any EC2-Classic instance.
  6. Difference between NAT and Internet Gateway
     Attaching an Internet Gateway (IGW) to a VPC allows instances with public IPs to access the internet, while a NAT gateway allows instances with no public IPs to access the internet.
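An added example (not from the slide deck) that models the routing distinction on this slide: a public subnet's route table sends 0.0.0.0/0 to an Internet Gateway, which only works for instances that hold a public or Elastic IP, while a private subnet's table sends it to a NAT gateway, which supplies the public address for outbound flows and never forwards unsolicited inbound connections. The route tables, target IDs and addresses are constructed placeholders.

```python
import ipaddress

# Constructed route tables for a VPC using 10.0.0.0/16 (placeholder target IDs).
PUBLIC_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-PLACEHOLDER"}
PRIVATE_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-PLACEHOLDER"}

INTERNET_HOST = "198.51.100.1"   # constructed example of an address outside the VPC


def lookup(route_table, dst):
    """Resolve a destination the way a VPC route table does: longest prefix wins."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def outbound_internet(route_table, has_public_ip, dst=INTERNET_HOST):
    """Can an instance in this subnet open a connection to an internet host?"""
    target = lookup(route_table, dst) or ""
    if target.startswith("igw-"):
        return has_public_ip       # the IGW only translates for public/Elastic IPs
    if target.startswith("nat-"):
        return True                # the NAT gateway provides the public address
    return False                   # local-only destination or no usable route


def inbound_internet(route_table, has_public_ip, src=INTERNET_HOST):
    """Can an internet host initiate a connection to an instance in this subnet?"""
    target = lookup(route_table, src) or ""
    # Only an IGW plus a public address exposes the instance; NAT drops unsolicited inbound.
    return target.startswith("igw-") and has_public_ip
```

The `outbound_internet(PUBLIC_RT, False)` case is the common misconfiguration: an instance in a public subnet without a public IP has a route to the IGW but still cannot reach the internet.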
  7. Difference between NAT instance and NAT Gateway

     | Attribute | NAT instance | NAT gateway |
     |---|---|---|
     | Security groups | Associate a security group with your NAT instance and with the resources behind it to control inbound and outbound traffic. | A security group cannot be associated with a NAT gateway. You can associate security groups with the resources behind the NAT gateway to control inbound and outbound traffic. |
     | Management | Managed by the user. | Managed by AWS. |
     | Future | Will become obsolete. | Created to replace NAT instances. |
     | High availability | NAT instances can achieve high availability, but you have to write a script to handle the failover when it occurs. This increases complexity compared to simply creating multiple NAT gateways across AZs. | NAT gateways are highly available. If you create NAT gateways across multiple Availability Zones, your instances will continue to be served even if one gateway fails. |
     | Use as a bastion server | Can be used in a similar way to a bastion server. | Not supported. |
     | Public IP address | Use an Elastic IP address or a public IP address with a NAT instance. You can change the public IP address at any time by associating a new Elastic IP address with the instance. | Choose the Elastic IP address to associate with a NAT gateway at creation. |
     | Private IP address | Assign a specific private IP address from the subnet's IP address range when you launch the instance. | Automatically selected from the subnet's IP address range when you create the gateway. |
  8. Terms
     Bastion Server: A bastion host acts as a jump host, or a reverse proxy. A jump host is generally an instance running in a public subnet within your VPC with ingress rules for the SSH or RDP protocols, and it lets you jump to another instance within your VPC. This means we can connect to the bastion host using one of these secure protocols, and then, if we are authenticated correctly and assuming the bastion host has the correct routes enabled, we can connect to other resources within the VPC from that bastion host. So a bastion host allows secure connections into your VPC.
     [Figures: Bastion server; NAT instance]
  9. ENI: A virtual network interface attached to an instance. Additional ENIs can be attached. This allows dual-homing, i.e. a single EC2 instance can be attached to two ENIs, each on a distinct subnet: one ENI connected to a public subnet while the second is connected to a private subnet. Each ENI lives within a particular subnet of the VPC (and hence within a particular Availability Zone) and has the following attributes:
     • a primary private IPv4 address
     • one or more secondary private IPv4 addresses
     • one Elastic IP address per private IPv4 address
     • one public IPv4 address, which can be auto-assigned to the network interface for eth0 when you launch an instance
     • one or more IPv6 addresses
     • one or more security groups
     • a MAC address
     • a source/destination check flag
     • a description
  10. DHCP: The Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains configuration parameters, including the domain name, domain name server and the netbios-node-type.
      VPC Peering: VPC peering uses the existing AWS infrastructure and does not have to use the internet for access between the two VPCs, even when they are in different Regions. This gives you the best throughput, security, and infrastructure redundancy since it uses the AWS internal infrastructure. Using the AWS backbone is inherently more secure as it is not internet accessible.
  11. Virtual Private Network
      AWS Site-to-Site VPN: You can create an IPsec VPN connection between your VPC and your remote network. On the AWS side of the Site-to-Site VPN connection, a virtual private gateway provides two VPN endpoints (tunnels) for automatic failover. You configure your customer gateway on the remote side of the Site-to-Site VPN connection.
      AWS Client VPN: AWS Client VPN is a managed client-based VPN service that enables you to securely access your AWS resources or your on-premises network. With AWS Client VPN, you configure an endpoint to which your users can connect to establish a secure TLS VPN session. This enables clients to access resources in AWS or on-premises from any location using an OpenVPN-based VPN client. For more information
  12. AWS VPN CloudHub: If you have more than one remote network (for example, multiple branch offices), you can create multiple AWS Site-to-Site VPN connections via your virtual private gateway to enable communication between these networks.
      Third-party software VPN appliance: You can create a VPN connection to your remote network by using an Amazon EC2 instance in your VPC that runs a third-party software VPN appliance. AWS does not provide or maintain third-party software VPN appliances.
  13. AWS Direct Connect: AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable. One end of the cable is connected to your router, the other to an AWS Direct Connect router. With this connection, you can create virtual interfaces directly to public AWS services (for example, to Amazon S3) or to Amazon VPC, bypassing internet service providers in your network path. An AWS Direct Connect location provides access to AWS in the Region with which it is associated.