AWS 2-03 Networking in The AWS Cloud

Amazon VPC (Virtual Private Cloud) allows users to create isolated virtual networks in AWS, mimicking traditional data center environments while leveraging AWS's scalable infrastructure. Key features include subnets, IP addressing, routing, and gateways, enabling robust networking configurations for applications. Benefits of using Amazon VPC include rapid setup, cost-effectiveness, enhanced security, and seamless integration with AWS services.
1. What is Amazon VPC?

The diagram compares the components of a traditional on-premises data center with
equivalent components in AWS (Amazon Web Services). Here's a breakdown:

1. Security:
On-Premises:
Firewall: Protects internal networks from unauthorized access.
Administrators: Manage access control and security policies.
AWS:
Security Group: Acts like a virtual firewall for controlling traffic to AWS instances.
Network ACLs: Stateless firewalls that control inbound and outbound traffic at the
subnet level.
IAM (Identity and Access Management): Provides granular permissions and user
authentication to control access to AWS resources.
2. Networking:
On-Premises:
Router and Switch: Network devices that manage data routing and connectivity.
Network Pipeline: Represents the physical and logical infrastructure for data transfer
within the network.
AWS:
Elastic Load Balancing (ELB): Automatically distributes incoming traffic across multiple
instances, ensuring high availability and scalability.
Amazon VPC (Virtual Private Cloud): Allows users to create isolated networks within
AWS, providing control over networking components.
3. Compute:
On-Premises:
Servers: Physical machines hosting applications, databases, and services.
AWS:
AMI (Amazon Machine Image): Pre-configured virtual machine templates used to
create EC2 instances.
Instances: Virtual machines running on AWS infrastructure, which can scale on-demand.
4. Storage and Database:
On-Premises:
DAS (Direct Attached Storage), NAS (Network Attached Storage), and SAN (Storage
Area Network): Traditional storage systems for hosting data.
AWS:
Amazon Elastic Block Store (EBS): Provides block-level storage for EC2 instances.
Amazon Elastic File System (EFS): Scalable file storage for use with AWS services.
Amazon S3 (Simple Storage Service): Object storage service offering scalable, durable
storage for files and media.
Amazon RDS (Relational Database Service): Managed database service supporting
multiple database engines.

What is Amazon VPC?

Amazon Virtual Private Cloud (Amazon VPC) allows you to create a virtual network for launching
AWS resources in an isolated environment that functions similarly to a traditional network in a
data center but utilizes AWS's scalable infrastructure. The example VPC in the diagram illustrates
a setup with subnets in different Availability Zones within a Region, EC2 instances deployed in
each subnet, and an internet gateway enabling communication between the VPC resources and
the internet.

VPC Features and Usage

Amazon VPC Features

The following features help you configure a VPC to provide the connectivity that your
applications need:

Subnets
A subnet is a range of IP addresses in your VPC. A subnet must reside in a single Availability
Zone. After you add subnets, you can deploy AWS resources in your VPC.
IP addressing
You can assign IP addresses, both IPv4 and IPv6, to your VPCs and subnets. You can also
bring your public IPv4 addresses and IPv6 GUA addresses to AWS and allocate them to
resources in your VPC, such as EC2 instances, NAT gateways, and Network Load Balancers.
Routing
Use route tables to determine where network traffic from your subnet or gateway is
directed.
Gateways and endpoints
A gateway connects your VPC to another network. For example, use an internet gateway to
connect your VPC to the internet. Use a VPC endpoint to connect to AWS services privately,
without the use of an internet gateway or NAT device.
Peering connections
Use a VPC peering connection to route traffic between the resources in two VPCs.
Traffic Mirroring
Copy network traffic from network interfaces and send it to security and monitoring
appliances for deep packet inspection.
Transit gateways
Use a transit gateway, which acts as a central hub, to route traffic between your VPCs, VPN
connections, and AWS Direct Connect connections.
VPC Flow Logs
A flow log captures information about the IP traffic going to and from network interfaces in
your VPC.
VPN connections
Connect your VPCs to your on-premises networks using AWS Virtual Private Network (AWS
VPN).

Why use an Amazon VPC?

You can spin up a logical environment of what was previously in a data center within
minutes in the cloud.
It is more cost-effective than maintaining equipment in a company data center; you pay for
only the resources that you use.
It is designed so that companies can migrate and use AWS Cloud services easily.
It’s secure, scalable, and reliable.
It works with many innovative AWS and third-party services.
You can create multiple Amazon VPCs and create test environments before they go live.

Summary

Amazon VPC Overview: A customizable virtual network in AWS, functioning like a data
center, with scalable infrastructure and high security.
Amazon VPC Features: Subnets, IP assignment, route tables, gateways, traffic mirroring,
and transit gateways offer robust, configurable networking.
Benefits of VPC: Fast setup, cost-effective, secure, scalable, integrates with AWS and third-
party services, suitable for staging environments before production.

VPC Features
A VPC is associated with your AWS account, allowing you to create and manage isolated
virtual networks within the AWS Cloud. Through your AWS account, you can configure and
control resources within your VPC, such as subnets, security groups, and routing tables.
It belongs to a single AWS Region.
A VPC can span multiple Availability Zones, allowing you to create subnets in each zone. This
provides higher availability and fault tolerance for your applications by distributing
resources across different zones within the same VPC.

Multiple Amazon VPCs can span different Availability Zones within the same AWS Region. This
allows you to set up isolated networks across multiple zones, enhancing redundancy, scalability,
and fault tolerance within that Region. However, VPCs are isolated from each other by default,
though you can enable communication between them using VPC peering or AWS Transit
Gateway.

IP addressing in Amazon VPC

VPC CIDR Block

When creating a VPC, you assign a CIDR block (e.g., 10.0.0.0/16). This defines the range of IP
addresses available within your VPC.
The CIDR block you choose determines the number of IP addresses available. For instance, a
/16 block provides 65,536 IP addresses.
Private IP ranges should be used according to RFC 1918.

Subnet CIDR Blocks

Within a VPC, you create subnets to organize resources logically. Each subnet is assigned a
smaller CIDR block, carved out of the VPC's main CIDR block.
Subnets can be placed in different Availability Zones to enhance fault tolerance.
Example: If your VPC CIDR block is 10.0.0.0/16, you could create two subnets:
Subnet 1: 10.0.0.0/24 (256 IP addresses)
Subnet 2: 10.0.1.0/24 (256 IP addresses)

IP Address Types

Private IP Addresses: Assigned to instances within your VPC. These are not routable to the
public internet.
Public IP Addresses: Can be assigned to instances to allow them to communicate with the
internet. These can be static (Elastic IP addresses) or dynamic.

Private IP address range

When an Amazon VPC is created, choose a CIDR block from the following private IPv4
address ranges (specified in RFC 1918):

RFC 1918 range                  Example Amazon VPC CIDR block
10.0.0.0–10.255.255.255         10.0.0.0/16
172.16.0.0–172.31.255.255       172.31.0.0/16
192.168.0.0–192.168.255.255     192.168.0.0/16

Key Considerations:

IP Address Range: Choose a CIDR block that accommodates your future growth needs.
Subnet Design: Plan your subnets based on your application requirements and security
needs.
IP Address Allocation: Efficiently allocate IP addresses to avoid wastage.
Network Address Translation (NAT): Use NAT gateways or instances to enable instances
without public IP addresses to access the internet.

Amazon VPC components:

1. Internet Gateway
What is an internet gateway?

An internet gateway permits communication from the VPC to the internet. It is horizontally
scaled to meet traffic needs, redundant, and highly available.

Public subnet:

It is associated with a route table that has a route to the internet gateway.
The route has destination 0.0.0.0/0 and target IGW-xxxxx.

Public IP address:

For an EC2 instance to communicate over the internet, it must have a public IPv4 or an
Elastic IP address.

NAT gateway

What is a NAT gateway?

A NAT gateway permits instances in the private subnet to connect outside the VPC.
However, anything outside the VPC cannot initiate a connection. It will be sent a RESET flag.

Public subnet:

The NAT gateway is assigned an Elastic IP address, which is a public IP address and is
located in the public subnet.

Private subnet:

It will have the route as 0.0.0.0/0 and the target as nat-xxxxx in the associated route table
for the private subnet.

Private IP address:

Due to the NAT gateway, the instances in the private subnet do not need a public IP address.

A NAT gateway is a fully managed AWS service that scales automatically and requires no
maintenance. It needs an Elastic IP (EIP) and must be in a public subnet for Internet access.
AWS assigns it a private IP from the subnet. For redundancy, deploy NAT gateways in multiple
availability zones.

To route Internet-bound traffic, create a default route pointing to the NAT gateway. Unlike
ENIs, NAT gateways don’t support security groups, but NACLs can be applied at the subnet
level.

2. NAT Instance
A NAT instance is an EC2 instance using a preconfigured Linux AMI. It works like a NAT gateway
but with key differences. It doesn’t auto-scale, so you must manually select and upgrade the
instance type.

Unlike NAT gateways, NAT instances have ENIs and require security groups and public IPs. You
must also disable the source/destination check for traffic forwarding.

A NAT instance can act as a bastion host, unlike a NAT gateway. To route traffic, create a
default route pointing to the instance ID. However, failover is complex, making NAT gateways
a better choice for high availability.

3. Route Tables
What is a route table?

It holds routes and targets that direct the network traffic within the VPC.

Destination      Target
10.0.0.0/16      local
0.0.0.0/0        igw-id

Destination:

The destination is an IP address and CIDR range (for example, 0.0.0.0/0, which is the
internet).

Target:

A target is either a gateway or network interface. It is for the destined traffic.

Route table association:

Each subnet must be associated with a route table (the main route table by default). The route
table ties the subnet and its gateways together.
Main Route Table
After setting up a VPC, decide resource accessibility—whether they connect to the internet,
corporate networks, or other VPCs. Each VPC includes a main route table that directs
internal traffic using the CIDR block, allowing all resources to communicate.
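To make the longest-prefix-match behaviour of a route table concrete, here is an added example (not part of the original notes) that resolves a destination address against route tables like the one above; the targets igw-id, nat-id and vgw-id are placeholders, not real resource ids.

```python
import ipaddress

# Two route tables in the style of the one above. Targets such as "igw-id",
# "nat-id" and "vgw-id" are placeholders, not real AWS resource ids.
PUBLIC_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),      # the VPC's own CIDR, present in every table
    ("0.0.0.0/0", "igw-id"),       # everything else goes to the internet gateway
]
PRIVATE_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("192.168.0.0/16", "vgw-id"),  # corporate network via a virtual private gateway
    ("0.0.0.0/0", "nat-id"),       # internet-bound traffic via the NAT gateway
]


def lookup_route(route_table, dst_ip):
    """Return the target for dst_ip, or None if no route matches (traffic dropped).

    Like the VPC router, this uses longest-prefix match: the most specific
    destination wins, which is why the 'local' route for the VPC CIDR beats
    0.0.0.0/0 for internal addresses, and 192.168.0.0/16 beats it for the
    corporate network.
    """
    ip = ipaddress.ip_address(dst_ip)
    best_prefix, best_target = -1, None
    for destination, target in route_table:
        net = ipaddress.ip_network(destination, strict=False)
        if ip in net and net.prefixlen > best_prefix:
            best_prefix, best_target = net.prefixlen, target
    return best_target


def classify_subnet(route_table):
    """'public' if the default route targets an internet gateway, 'private' if it
    targets something else (NAT gateway, NAT instance), 'isolated' if there is none."""
    target = lookup_route(route_table, "198.51.100.1")  # any non-local test address
    if target is None:
        return "isolated"
    return "public" if target.startswith("igw-") else "private"
```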

VPCs are divided into subnets, each within a single Availability Zone and following separate
routing rules. Subnets use a portion of the VPC's IP range and must not overlap. AWS
reserves five IP addresses per subnet for network functions like routing, DNS, and future
use.

AWS reserves the first four IP addresses and the last IP address in each subnet CIDR block. For
example, in a subnet with CIDR block 10.0.0.0/20, AWS reserves the following five IP addresses:

10.0.0.0: Network address
10.0.0.1: VPC local router
10.0.0.2: DNS resolution
10.0.0.3: Future use
10.0.15.255: Network broadcast address

When designing subnets, it's important to allocate enough IP addresses to support your
resource needs.
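Added example, not from the original notes: a small subnet planner in Python that applies the rules above (RFC 1918 range, subnets inside the VPC CIDR and non-overlapping, five reserved addresses per subnet) and, going slightly beyond this section, reuses the same overlap check for the VPC peering constraint discussed later in these notes. The /16 to /28 size limit is AWS's documented limit and is an assumption not stated here.

```python
import ipaddress

# RFC 1918 private ranges the notes say a VPC CIDR should be drawn from.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if the CIDR lies entirely inside one of the RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every IPv4 subnet: the first four
    and the last (the subnet's broadcast address), keyed by address."""
    net = ipaddress.ip_network(subnet_cidr)
    base = int(net.network_address)
    labels = ("Network address", "VPC local router", "DNS resolution", "Future use")
    reserved = {str(ipaddress.ip_address(base + i)): label for i, label in enumerate(labels)}
    reserved[str(net.broadcast_address)] = "Network broadcast address"
    return reserved


def usable_addresses(subnet_cidr):
    """Addresses left for your resources after AWS's five reserved ones."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - 5


def validate_plan(vpc_cidr, subnet_cidrs):
    """Return a list of problems with a VPC/subnet layout (empty list = OK).

    Checks: the VPC CIDR is RFC 1918 and within AWS's /16-/28 limit (assumed
    from AWS documentation, not stated in the notes), every subnet fits inside
    the VPC CIDR, is no smaller than /28, and no two subnets overlap.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    if not is_rfc1918(vpc_cidr):
        problems.append(f"{vpc_cidr} is not an RFC 1918 private range")
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"{vpc_cidr}: VPC IPv4 CIDR must be between /16 and /28")
    subnets = [ipaddress.ip_network(s) for s in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"subnet {s} is outside the VPC CIDR {vpc}")
        if s.prefixlen > 28:
            problems.append(f"subnet {s} is smaller than the /28 minimum")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


def can_peer(vpc_a_cidr, vpc_b_cidr):
    """VPC peering is refused when the two VPCs' IPv4 CIDRs overlap; this is the
    same overlap test applied across VPCs instead of across subnets."""
    return not ipaddress.ip_network(vpc_a_cidr).overlaps(ipaddress.ip_network(vpc_b_cidr))
```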

Subnets
Public and private subnet

What is a subnet?

It is a range of IP addresses within the VPC.

Availability Zones:

Each subnet resides in exactly one Availability Zone because a subnet cannot span zones.

Public subnet:

Traffic is routed to the internet through a route table that contains a route to an internet
gateway.

Private subnet:

Traffic is not routed to the internet.

Subnet sizing:

If more than one subnet of a VPC is created, the CIDR blocks of the subnets cannot overlap.
Public subnets

To isolate resources by routing needs, place them in public or private subnets. Resources
needing internet access should be in a public subnet with an internet gateway attached.

An internet gateway enables VPC-to-internet communication, supporting IPv4 and IPv6. It
acts as a route table target for outbound traffic and provides NAT for public IP instances. It is
scalable and redundant.

To enable internet access for a public subnet:

1. Attach an internet gateway to the VPC (one per VPC).
2. Launch an EC2 instance with a public IP in the subnet.
3. Update the subnet's route table to send all traffic (0.0.0.0/0) to the internet gateway.

Public IPs (other than Elastic IPs) are temporary and are released when no longer in use.

Private subnets

Private subnet: Blocks direct internet access for resources.
Custom route tables: Best practice is to create a separate route table per subnet.
Default behavior: If no route table is assigned, the main VPC route table is used.
Route table rules: One subnet can have only one route table, but a route table can be
shared.

NAT IP mapping

NAT device function: Hides the private IP of internal servers by replacing it with a public
IP.
Process steps:
1. Server sends request (source: 10.0.0.17) → NAT device.
2. NAT replaces source IP (with 89.89.0.100) → forwards to destination.
3. Destination responds (destination: 89.89.0.100) → NAT device.
4. NAT maps back to server (destination: 10.0.0.17) → forwards response.

This allows internal servers to communicate externally while keeping their private IPs hidden.

Connecting private subnets to the internet

Use Case: Private subnets need internet access (e.g., for downloading patches) but must
remain unreachable from external networks.
Solution: Use a NAT gateway (AWS-managed) or NAT instance (self-managed on EC2).
NAT gateway: Managed by AWS, higher availability, and better performance but incurs
hourly costs.
NAT instance: Requires manual setup and maintenance, incurring EC2 costs.

How NAT Works in the Diagram

1. Instance 1 (private subnet) → sends request → NAT gateway replaces source IP → routes to
internet gateway → response returns via NAT gateway (IP translated back).
2. Instance 2 (private subnet) → sends request → NAT instance replaces source IP → routes to
internet gateway → response returns via NAT instance (IP translated back).

Key Recommendations

Use NAT gateways over NAT instances for better performance and availability.
Deploy one NAT gateway per Availability Zone for redundancy.
For IPv6 private subnets, use an egress-only internet gateway to allow outbound traffic
while blocking inbound connections.

Securing networks in Amazon VPC

In this section you will learn how to secure AWS resources in Amazon VPCs and which security
services support this.

Security layers of defense

Challenge: Public subnets alone don't provide sufficient security for VPC resources.
Best Practice: Use multiple layers of defense to isolate applications and workloads.
Secure Protocols: Use TLS/HTTPS to encrypt data in transit, preventing interception or
impersonation.

Security Layers in the Diagram

1. Route Table Layer: Directs traffic through the internet gateway.
2. Network ACL (NACL) Layer: Stateless firewall that filters traffic at the subnet level.
3. Subnet Layer: Defines resource placement and segmentation.
4. Security Group Layer: Stateful firewall that controls inbound/outbound traffic at the
instance level.

Key Takeaway

Using both NACLs and security groups adds redundancy. If one is misconfigured, the other still
provides protection, reducing exposure to unwanted traffic.

Security groups and network ACL scope

Both are network traffic filters that define rules for allowing or denying traffic.
They can be used together or independently for layered security.

Analogy: Apartment Security

Network ACLs (NACLs) → Building Doorman
Controls who enters/exits the entire building (subnet).
Acts as a stateless firewall for subnets in a VPC.
Security Groups → Apartment Door Lock
Controls who can enter/exit a specific apartment (EC2 instance).
Acts as a stateful firewall for individual resources.

Key Difference

NACLs filter traffic at the subnet level (applies to all resources inside).
Security Groups filter traffic at the resource level (specific to instances).

Security group
What is a security group?

It is a firewall at the EC2 instance level that controls inbound and outbound traffic.

Security Groups Overview

Function: Stateful firewalls for instances or network interfaces across multiple AZs.
Rules: Separate inbound & outbound rules; only "allow" rules (no "deny").

How Security Groups Work

Allow traffic based on protocols & ports (e.g., HTTPS on port 443).
Can reference other security groups to control traffic flow (e.g., app instances can access
DB instances only).
Stateful nature: If inbound traffic is allowed, the response is automatically permitted.

Default Behavior

Inbound traffic: Blocked by default (until rules are added).
Outbound traffic: Allowed by default (can be restricted).

Network ACL
What is a network ACL?

A network access control list (network ACL) is an optional security layer for controlling traffic in
and out of subnets in your VPC. It acts like a firewall, providing an extra layer of protection
beyond security groups.

Stateless:

Traffic that is allowed out is not automatically allowed back in; return traffic needs its own
rule.

Default ACL allows all traffic by default:

It allows all traffic by default; you can create rules to allow or deny traffic.

Custom ACL denies all traffic by default:

It blocks or denies all traffic (inbound and outbound) until rules are added.

Rules:

Network ACLs have separate inbound and outbound rules. Each rule either allows or denies
traffic; rules are numbered, typically in increments of 10 or 100, and evaluated in that order.

Let’s have a look at this real-life example and discuss it below:

Network ACLs Overview

Subnet Association: Each subnet must be linked to a network ACL. If none is assigned, it
defaults to the VPC's default NACL.
Rules: Separate allow and deny rules for inbound and outbound traffic (security groups, by
contrast, have allow rules only).
Stateless: If inbound traffic is allowed, the outbound response must have an explicit rule.
Default vs. Custom ACLs:
Default: Allows all inbound/outbound traffic.
Custom: Starts with a deny-all rule; rules must be added to allow traffic.

Rule Evaluation & Asterisk (*) Rule

Rules are processed in order (lowest to highest number).
Asterisk rule: The final, implicit rule that blocks all traffic unless explicitly allowed.
Acts as a fail-safe, ensuring unintended traffic is denied.

Example Scenario:

Inbound Rule 90: Denies all traffic from 12.5.88.205/32.
Inbound Rule 100: Allows all traffic from anyone else.
Outbound Rule: Allows all traffic to anyone.
Asterisk Rule: Denies all other traffic as a security measure.
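The scenario above, worked as an added Python example (not from the original notes): an evaluator that applies numbered rules in order with the implicit '*' deny, and a comparison of the stateless NACL check against a stateful security group check. The rule tuples and the "locked down" NACL are constructed for the example.

```python
import ipaddress

# Rule tuples: (number, action, protocol, (low_port, high_port), cidr). These mirror
# the scenario above; the implicit "*" rule is handled inside evaluate_nacl.
INBOUND_RULES = [
    (90, "deny", "all", (0, 65535), "12.5.88.205/32"),
    (100, "allow", "all", (0, 65535), "0.0.0.0/0"),
]
OUTBOUND_RULES = [
    (100, "allow", "all", (0, 65535), "0.0.0.0/0"),
]


def evaluate_nacl(rules, ip, port, protocol="tcp"):
    """Evaluate NACL rules in ascending number order; the first match wins.
    Returns (action, rule_number); with no match the implicit '*' rule denies."""
    addr = ipaddress.ip_address(ip)
    for number, action, proto, (lo, hi), cidr in sorted(rules, key=lambda r: r[0]):
        if proto != "all" and proto != protocol:
            continue
        if not lo <= port <= hi:
            continue
        if addr in ipaddress.ip_network(cidr, strict=False):
            return action, number
    return "deny", "*"


def nacl_session_allowed(inbound, outbound, client_ip, service_port, ephemeral_port):
    """A NACL is stateless, so a TCP session needs two explicit allows: the request
    (inbound, to the service port) and the reply (outbound, to the client's
    ephemeral port). Missing either one breaks the connection."""
    request, _ = evaluate_nacl(inbound, client_ip, service_port)
    reply, _ = evaluate_nacl(outbound, client_ip, ephemeral_port)
    return request == "allow" and reply == "allow"


def security_group_session_allowed(inbound_allow, client_ip, service_port, protocol="tcp"):
    """A security group is stateful: if the request matches an allow rule the reply
    is permitted automatically, so no outbound rule is consulted. Rules are
    (protocol, (low_port, high_port), cidr); there are no deny rules."""
    addr = ipaddress.ip_address(client_ip)
    return any(
        (proto == "all" or proto == protocol)
        and lo <= service_port <= hi
        and addr in ipaddress.ip_network(cidr, strict=False)
        for proto, (lo, hi), cidr in inbound_allow
    )


# A "locked down" custom NACL: HTTPS allowed in, but the outbound rule for the
# ephemeral reply ports was forgotten (constructed misconfiguration), and the fix.
LOCKED_INBOUND = [(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]
LOCKED_OUTBOUND = []  # only the implicit '*' deny
LOCKED_OUTBOUND_FIXED = [(100, "allow", "tcp", (1024, 65535), "0.0.0.0/0")]
```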

AWS Network Firewall

AWS Network Firewall Overview

AWS Network Firewall is a stateful, managed firewall that enhances security by filtering traffic
before it reaches VPC resources.

Key Features & Implementation

1. Stateful Protection
Tracks active connections.
Automatically allows return traffic for established connections.
2. Deployment in Firewall Subnets
Placed between external sources (e.g., Internet Gateway) and application subnets.
Ensures traffic is inspected before reaching VPC resources.
3. Route Table Configuration
Route Table 1: Directs inbound traffic to the firewall for inspection.
Route Table 2: Ensures only filtered traffic from the firewall reaches private subnets.
4. Traffic Filtering & Security
Custom rules inspect and block malicious traffic.
Adds an extra security layer alongside security groups and NACLs.

Why It Matters

Prevents threats before they enter the VPC.
Supports compliance for sensitive workloads.
Improves security posture by enforcing controlled access.

Summary

Secure AWS infrastructure with multiple layers of defense.
A security group in a VPC specifies which traffic is allowed to or from AWS resources. It is
stateful.
A network ACL allows or denies specific inbound or outbound traffic at the subnet level. It is
stateless.
Route external VPC traffic through AWS Network Firewall to add an additional layer of traffic
security.

How to connect to managed AWS services

Here is a diagram of an AWS VPC with an EC2 instance in a private subnet. An Amazon S3
bucket is reached through a separate gateway VPC endpoint. The EC2 instance can also access
other AWS managed services.

Your EC2 instance in a private subnet needs access to an Amazon S3 bucket in the same Region,
but S3 is outside the VPC. Direct internet access increases costs and exposure.

A better solution is using an S3 VPC Endpoint (Gateway or Interface):

Gateway Endpoint (recommended for S3): Routes traffic directly via AWS backbone,
avoiding the internet.
Interface Endpoint (ENI-based): Uses private IPs but incurs additional costs.

This approach enhances security, reduces data transfer costs, and ensures private connectivity
within AWS.

Interface VPC endpoints

Below is a diagram of an AWS VPC with an interface VPC endpoint. The VPC contains a private
subnet with an elastic network interface. The EC2 instance inside the private subnet can access
other AWS managed services and Amazon S3 using the elastic network interface belonging to
the interface VPC endpoint. The interface VPC endpoint has an IAM policy attached. A more
secure and direct way to connect an EC2 instance to an S3 bucket is by using a VPC endpoint.

Types of VPC Endpoints:

1. Gateway VPC Endpoint (Recommended for S3 & DynamoDB)
Routes traffic within AWS without needing an ENI.
No additional cost.
Defined in the route table.
2. Interface VPC Endpoint (AWS PrivateLink)
Creates an Elastic Network Interface (ENI) with a private IP in the subnet.
Supports IAM policies for fine-grained access control.
Incurs hourly and data processing charges.

Best practice: Use a Gateway Endpoint for S3 to reduce costs and improve security. Use
Interface Endpoints when connecting to services requiring private IP-based access.

How to set up an interface VPC endpoint

To set up an interface VPC endpoint through the Amazon VPC console, follow these steps:

1. Select the AWS Service – Choose the service (e.g., S3, DynamoDB, etc.) in the Amazon VPC
console.
2. Choose the VPC – Pick the VPC where the endpoint will be deployed.
3. Pick the Subnet – Select a subnet for the Elastic Network Interface (ENI). Each AZ needs
its own ENI.
4. Set Security Groups – Assign security groups to control inbound and outbound traffic.

Key Considerations:

The service cannot initiate connections to your VPC, only respond to requests.
Use IAM policies to manage access control.
Interface endpoints incur hourly and data processing charges.
For S3 and DynamoDB, a Gateway VPC Endpoint is often preferred as it is cost-free and scales
automatically.

Differences between VPC Interface Endpoint and VPC Gateway Endpoint

Feature              Interface Endpoint                    Gateway Endpoint
Connection Type      PrivateLink (ENI)                     Gateway (Route Table)
Supported Services   Many AWS & 3rd-party                  S3, DynamoDB
Implementation       Creates ENI in subnets                Modifies route tables
Security Control     Security groups, endpoint policies    Endpoint policies
Cost                 Charged for usage & data              Free
Use Case             Broad service access                  S3, DynamoDB access

VPC endpoints
Gateway VPC Endpoints for S3 & DynamoDB

Direct connectivity via route tables (not AWS PrivateLink).
Supported only for Amazon S3 & DynamoDB.
No additional cost, no throughput or packet processing limits.
Uses prefix lists to group CIDR blocks for routing.

Example Breakdown

1. EC2 instance in a private subnet needs access to S3 & DynamoDB.
2. Private subnet route table routes traffic via Gateway VPC Endpoints:
S3 traffic → Gateway VPC Endpoint 1
DynamoDB traffic → Gateway VPC Endpoint 2
3. No need for NAT Gateway or Internet Gateway for these AWS services.

For other AWS services, use an Interface VPC Endpoint instead.

Gateway Load Balancer endpoint

Provides private connectivity for security appliances across VPCs.
Uses AWS PrivateLink to forward traffic between Customer VPC (VPC 1) and Security
Service VPC (VPC 2).

Traffic Flow (Steps)

1. Inbound traffic enters VPC 1 via the Internet Gateway, then routes to the Gateway Load
Balancer Endpoint.
2. Traffic is sent to the Gateway Load Balancer in VPC 2, which forwards it to security
appliances for inspection.
3. The inspected traffic is returned and routed to the EC2 application instance in VPC 1.

🔹 Key Benefit: Offloads security functions to a dedicated Security VPC, isolating inspection
from application workloads.

Summary

VPC resources can access AWS managed services using VPC endpoints.
An interface VPC endpoint uses AWS PrivateLink to access AWS managed services. It incurs
cost and has throughput limitations.
A gateway VPC endpoint integrates directly with Amazon S3 and Amazon DynamoDB. It does
not incur cost and has no throughput limitations.
Gateway Load Balancer endpoints are used with Gateway Load Balancers to inspect traffic
with security appliances.

Monitoring networks in Amazon VPC

In this section you will learn about VPC Flow Logs and other tools for VPC troubleshooting.

Amazon VPC flow logs

VPC Flow Logs capture details of the IP traffic to and from network interfaces for analysis.

Key Features
Can capture all, accepted, or rejected traffic.
Can be enabled at the VPC, subnet, or ENI level.
Logs are delivered to Amazon CloudWatch, S3, or Kinesis Data Firehose.

Log Destinations & Use Cases

CloudWatch Logs → View & filter logs in the AWS Console.
S3 Storage → Query logs using Amazon Athena (supports plain text & Parquet formats).
Kinesis Data Firehose → Send logs to Amazon OpenSearch (dashboard) or third-party
tools like Splunk.

🔹 Flow logs operate outside your VPC, so they don’t impact network latency or
performance.

Summary

Use VPC Flow Logs to capture information about the network traffic in your VPC.
Flow log records consist of all flows within an aggregation interval.
Use Reachability Analyzer to test whether two resources in a VPC have connectivity.
Use Network Access Analyzer to identify unintended network access to resources in your
AWS account.
Use Traffic Mirroring to make a copy of your network traffic to send to security and
monitoring appliances.

AWS 2-04 Connecting Amazon VPCs

How can I connect to my Amazon VPC?

🌍 1. Public Access (access via the Internet)

➤ Objective:

Reach an EC2 instance in your VPC from the Internet (from your PC or laptop, for
example).

🧭 Detailed steps:
1. Create an EC2 instance in a public subnet:
A public subnet is a subnet in your VPC that is connected to the Internet (via a
route to an Internet Gateway).
2. Attach an Internet Gateway (IGW) to your VPC:
The Internet Gateway is like a bridge between your VPC and the Internet.
Without it, no instance can reach the Internet or receive external traffic.
3. Assign a public IP to your EC2 instance:
You can tick the “auto-assign public IP” option when launching.
Otherwise, you can attach an Elastic IP manually.
4. Configure the Security Group:
Allow port 22 (SSH) if it is a Linux machine.
Allow port 3389 (RDP) if it is a Windows machine.

🔐 2. Private Access (VPN)

➤ Objective:

Connect your private network (e.g. company, home) to the AWS private network (VPC)
securely, without going over the public Internet.

🧭 Possible methods:
✅ a. Site-to-Site VPN:
You create a VPN Gateway in your VPC.
You configure a Customer Gateway in your local network.
This establishes a permanent VPN tunnel between your AWS VPC and your on-site network.

✅ b. AWS Client VPN:

Lets users (you, your colleagues) connect individually to the VPC via a VPN client
installed on their PC.
Requires creating a Client VPN Endpoint in AWS.
Very useful for remote workers or admins.

⚡ 3. AWS Direct Connect

➤ Objective:

Have a dedicated, fast and private connection between your data center (or your office)
and AWS, without going over the Internet.

✅ Most common case (simple and fast):

Launch an EC2 instance in a public subnet, give it a public IP, then connect via SSH
or RDP.

VPC Peering
What is VPC Peering?

A VPC peering connection is a networking connection between two VPCs that lets you route
traffic between them privately.

Benefits of VPC peering

✅ Highly Available – No reliance on gateways or VPNs, avoiding hardware failures.
✅ No Bottlenecks – Direct connection without bandwidth limits.
✅ Inter-Region Peering – Secure, private communication across AWS Regions.
✅ No Public Internet Exposure – Traffic stays on AWS backbone, reducing security risks.
✅ Encrypted Traffic – Ensures data security without additional configurations.
✅ Cross-Account Peering – Connect VPCs across different AWS accounts.
✅ Cost-Effective – Simple way to share resources or enable geographic redundancy.

Peering scenarios

There are several reasons why you would set up a VPC peering connection. The following
scenarios can help demonstrate which configuration might be best suited to your requirements.

Scenario 1: Full sharing of resources between all VPCs

Key Takeaways from Fully Meshed VPC Peering

✅ Direct Peering Required – Each VPC needs a dedicated peering connection to every other
VPC.
✅ Non-Transitive Routing – Traffic cannot pass through an intermediary VPC.
✅ Complexity Increases with Scale – More VPCs mean more peering connections to manage.
✅ Use Case – Suitable for organizations needing full resource sharing across multiple VPCs.
✅ Alternative Approach – AWS Transit Gateway can simplify management by enabling
hub-and-spoke

Scenario 2: Partial sharing of centralized resources

Key Takeaways from Hub-and-Spoke VPC Peering

✅ Centralized Resource Sharing – Only the IT Support VPC is shared, preventing unnecessary
inter-VPC traffic.

✅ Reduces Peering Complexity – Each VPC has a single connection to the central IT VPC.
✅ Non-Transitive Routing – VPCs cannot communicate with each other unless separate
peering is established.

✅ Use Case – Best for organizations needing centralized services (e.g., file sharing, logging, or
authentication).

✅ Alternative Approach – AWS Transit Gateway can enable scalable, managed connectivity
without requiring multiple peering links.

Non-valid peering configuration

🚫 Overlapping CIDR Blocks – VPC peering cannot be established if IPv4 CIDR ranges overlap, even if only IPv6 is used.
🚫 No Transitive Peering – Traffic cannot pass through an intermediary VPC. Each direct connection must be explicitly defined.
🚫 No Edge-to-Edge Routing – Peering does not extend to VPNs, Direct Connect, internet gateways, NAT devices, or VPC endpoints.
✅ Solution for Scaling – AWS Transit Gateway is a better alternative for large-scale, multi-VPC connectivity without these limitations.
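The two peering scenarios and the invalid configurations above can be checked mechanically. The following Python model is an added example, not code from the original page or from AWS: the VPC names and CIDR blocks are constructed, and the class only mimics the two acceptance rules the page describes (no overlapping IPv4 CIDRs, no transitive routing) plus the connection counts for a full mesh versus a hub-and-spoke layout.

```python
"""Toy model of the Amazon VPC peering rules described above.

Added illustration, not code from the original page or from AWS: the VPC
names and CIDR blocks are constructed, and the class only mimics the two
acceptance rules (no overlapping IPv4 CIDRs, no transitive routing).
"""
import ipaddress
from typing import Dict, FrozenSet, Set


class PeeringError(ValueError):
    """A peering request that Amazon VPC would reject."""


class PeeringModel:
    def __init__(self) -> None:
        self.vpcs: Dict[str, ipaddress.IPv4Network] = {}
        # Each peering is an unordered pair of VPCs; there is no hop-through.
        self.peerings: Set[FrozenSet[str]] = set()

    def add_vpc(self, name: str, cidr: str) -> None:
        self.vpcs[name] = ipaddress.IPv4Network(cidr)

    def peer(self, a: str, b: str) -> None:
        """Create a peering connection, applying the CIDR overlap rule."""
        if a == b:
            raise PeeringError("a VPC cannot peer with itself")
        net_a, net_b = self.vpcs[a], self.vpcs[b]
        if net_a.overlaps(net_b):
            # The request fails even if the VPCs also carry IPv6 ranges.
            raise PeeringError(f"{a} {net_a} overlaps {b} {net_b}")
        self.peerings.add(frozenset((a, b)))

    def reachable(self, src: str, dst: str) -> bool:
        """True only for a direct peering: A-B and B-C never imply A-C."""
        return frozenset((src, dst)) in self.peerings

    def full_mesh_connections(self) -> int:
        """Peerings needed so every VPC reaches every other (Scenario 1)."""
        n = len(self.vpcs)
        return n * (n - 1) // 2

    def hub_and_spoke_connections(self) -> int:
        """Peerings needed when only one central VPC is shared (Scenario 2)."""
        return max(len(self.vpcs) - 1, 0)


def demo() -> dict:
    """Hub-and-spoke layout with a central IT support VPC (constructed data)."""
    model = PeeringModel()
    model.add_vpc("it-support", "10.2.0.0/16")
    model.add_vpc("prod", "10.0.0.0/16")
    model.add_vpc("dev", "10.1.0.0/16")
    model.peer("prod", "it-support")
    model.peer("dev", "it-support")

    # prod and dev both reach it-support, but not each other through it.
    result = {
        "prod_to_hub": model.reachable("prod", "it-support"),
        "prod_to_dev_via_hub": model.reachable("prod", "dev"),
        "hub_and_spoke": model.hub_and_spoke_connections(),
        "full_mesh": model.full_mesh_connections(),
    }

    # A VPC whose CIDR sits inside prod's block cannot be peered with prod.
    model.add_vpc("partner", "10.0.128.0/17")
    try:
        model.peer("prod", "partner")
        result["overlap_rejected"] = False
    except PeeringError:
        result["overlap_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Running the block shows that three VPCs need two peerings in the hub-and-spoke layout but three for a full mesh, that the spokes cannot reach each other through the hub, and that the overlapping /17 is refused. Checking for overlap before requesting a peering (and before allocating a new VPC) is the practical takeaway, since a clash discovered later means re-addressing a VPC.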

Pricing
Starting May 1st 2021, all data transfer over a VPC Peering connection that stays within an
Availability Zone (AZ) is now free.

All data transfer over a VPC Peering connection that crosses Availability Zones will continue to be
charged at the standard in-region data transfer rates.

VPN
AWS VPN is comprised of two services:

AWS Site-to-Site VPN enables you to securely connect your on-premises network to
Amazon VPC, for example your branch office site.
AWS Client VPN enables you to securely connect users to AWS or on-premises networks,
for example remote employees.

AWS Site-to-Site VPN:

Based on IPsec technology, AWS Site-to-Site VPN uses a VPN tunnel to pass data from the
customer network to or from AWS.

One AWS Site-to-Site VPN connection consists of two tunnels. Each tunnel terminates in a
different Availability Zone on the AWS side, but it must terminate on the same customer gateway
on the customer side.

Customer gateway

A resource you create and configure in AWS that represents your on-premises gateway device.
The resource contains information about the type of routing used by the Site-to-Site VPN, the
BGP ASN, and other optional configuration information.

Customer gateway device

A customer gateway device is a physical device or software application on your side of the AWS
Site-to-Site VPN connection.

Virtual private gateway


A virtual private gateway is the VPN concentrator on the Amazon side of the AWS Site-to-Site
VPN connection. You use a virtual private gateway or a transit gateway as the gateway for the
Amazon side of the AWS Site-to-Site VPN connection.

Transit gateway

A transit gateway is a transit hub that can be used to interconnect your VPCs and on-premises
networks. You use a transit gateway or virtual private gateway as the gateway for the Amazon
side of the AWS Site-to-Site VPN connection.

AWS Site-to-Site VPN limitations

A Site-to-Site VPN connection has the following limitations.

IPv6 traffic is not supported for VPN connections on a virtual private gateway.
An AWS VPN connection does not support Path MTU Discovery.

In addition, take the following into consideration when you use Site-to-Site VPN.

When connecting your VPCs to a common on-premises network, we recommend that you
use non-overlapping CIDR blocks for your networks.

AWS Site-to-Site VPN monitoring

You can monitor VPN tunnels using Amazon CloudWatch, which collects and processes raw data
from the VPN service into readable, near real-time metrics. These statistics are recorded for a
period of 15 months. You can access historical information and gain a better perspective on how
your web application or service is performing. VPN metric data is automatically sent to
CloudWatch as it becomes available.
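Because one connection is two tunnels in different Availability Zones, the state worth alarming on is not "a tunnel is down" but "redundancy is gone". The following Python block is an added example, not code from the original page or from AWS. It assumes the per-tunnel TunnelState metric that AWS publishes in the AWS/VPN namespace (1 when the tunnel is up, 0 when it is down); the datapoints below are constructed, and the CloudWatch API call that would fetch them is left out so the block runs offline.

```python
"""Classify Site-to-Site VPN tunnel health from CloudWatch-style samples.

Added illustration, not code from the original page or from AWS. It assumes
the TunnelState metric AWS publishes per tunnel in the AWS/VPN namespace
(1 = tunnel up, 0 = tunnel down). The samples are constructed; the
CloudWatch call that would fetch them is omitted so this runs offline.
"""
from typing import Dict, List


def tunnel_is_up(samples: List[int], window: int = 3) -> bool:
    """Treat a tunnel as up only when its last `window` samples are all 1.

    Requiring several consecutive samples avoids flapping on a single
    missed datapoint while still catching a tunnel that really dropped.
    """
    recent = samples[-window:]
    return len(recent) == window and all(v == 1 for v in recent)


def availability(samples: List[int]) -> float:
    """Fraction of the sampled period during which the tunnel was up."""
    return sum(samples) / len(samples) if samples else 0.0


def vpn_health(tunnels: Dict[str, List[int]]) -> str:
    """One connection = two tunnels terminating in different AZs.

    'healthy'  - every tunnel up, full redundancy
    'degraded' - some tunnels up: traffic flows, but one more failure cuts it
    'down'     - no tunnel up: the on-premises site is unreachable
    """
    up = sum(1 for s in tunnels.values() if tunnel_is_up(s))
    if up == len(tunnels):
        return "healthy"
    if up == 0:
        return "down"
    return "degraded"


# Constructed samples: five consecutive TunnelState datapoints per tunnel.
SAMPLE_CONNECTION = {
    "tunnel-1 (AZ a)": [1, 1, 1, 1, 1],
    "tunnel-2 (AZ b)": [1, 1, 0, 0, 0],  # dropped three samples ago
}


if __name__ == "__main__":
    print(vpn_health(SAMPLE_CONNECTION))  # degraded
    for name, samples in SAMPLE_CONNECTION.items():
        print(name, "availability", availability(samples))
```

A "degraded" result is the one to page on early: the connection still carries traffic, so a customer-side monitor that only watches reachability would stay quiet, while the AZ-level redundancy the two-tunnel design is there to provide is already lost.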

AWS Site-to-Site VPN pricing

AWS Site-to-Site VPN:

AWS Site-to-Site VPN connection per hour (varies by Region)
Data transfer out charges (see Amazon EC2 On-Demand pricing)

Accelerated Site-to-Site VPN:

AWS Site-to-Site VPN connection per hour (varies by Region)
Data transfer out charges (see Amazon EC2 On-Demand pricing)
Hourly charges for two AWS Global Accelerators per VPN connection
Data Transfer Out Premium (DT-Premium) fees
DT-Premium depends on the source (AWS Region) and the destination (the edge location). (See the AWS Global Accelerator pricing)

Client VPN
Based on OpenVPN technology, Client VPN is a managed client-based VPN service that lets you
securely access your AWS resources and resources in your on-premises network. With Client
VPN, you can access your resources from any location using an OpenVPN-based VPN client.

Client VPN endpoint

Your Client VPN administrator creates and configures a Client VPN endpoint in AWS. Your
administrator controls which networks and resources you can access when you establish a VPN
connection.

VPN client application

This is the software application that you use to connect to the Client VPN endpoint and establish
a secure VPN connection.

Client VPN endpoint configuration file

This is a configuration file that is provided to you by your Client VPN administrator. The file
includes information about the Client VPN endpoint and the certificates required to establish a
VPN connection. You load this file into your chosen VPN client application.

What is AWS Transit Gateway?

AWS Transit Gateway (TGW) is a network hub that allows you to connect multiple VPCs, on-premises
networks, and AWS services together through a single gateway.

🧭 Why use it?
Without TGW, if you want to connect several VPCs together (VPC peering), you'd need to create a
complex mesh of connections. With Transit Gateway, everything connects through a central
point, like a hub-and-spoke model.

🔧 Key Features

🔄 Centralized Routing – Acts as a central router for all attached networks (VPCs, VPNs, Direct Connect).
🧠 Scalable – Can connect thousands of VPCs and networks.
🔐 Secure & Isolated – Uses route tables to control how traffic flows between attached networks.
⚡ High Performance – Built on the AWS backbone; highly available and fast.

Each VPC or external network is attached to the Transit Gateway. Then, routes are defined to
control who can talk to whom.

✅ Use Cases
Connecting multiple VPCs across different accounts (via AWS Organizations).
Centralized hybrid cloud networking (link on-prem to many VPCs).
Simplifying routing management at scale.
Creating shared services (e.g., a central VPC for DNS or security appliances).
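The "who can talk to whom" decision lives in the Transit Gateway route tables: which table an attachment is associated with, and which routes that table holds. The following Python model is an added example, not code from the original page or from AWS; attachment names and CIDRs are constructed, and the class mimics only what a TGW route table does (association, propagation, static and blackhole routes, longest-prefix-match lookup), not the AWS API. It builds the shared-services use case from the list above: spokes reach the central VPC and on-premises but stay isolated from each other.

```python
"""Toy model of Transit Gateway route tables enforcing segmentation.

Added illustration, not code from the original page or from AWS: attachment
names and CIDRs are constructed, and the class mimics only what a TGW route
table does (association, propagation, static/blackhole routes and
longest-prefix-match lookup), not the AWS API.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

BLACKHOLE = "blackhole"
Route = Tuple[ipaddress.IPv4Network, str]  # (destination, target attachment)


class TransitGatewayModel:
    def __init__(self) -> None:
        self.attachments: Dict[str, ipaddress.IPv4Network] = {}
        self.association: Dict[str, str] = {}  # attachment -> table routing its traffic
        self.tables: Dict[str, List[Route]] = {}

    def attach(self, name: str, cidr: str, table: str) -> None:
        """Attach a VPC or VPN and associate it with one route table."""
        self.attachments[name] = ipaddress.IPv4Network(cidr)
        self.association[name] = table
        self.tables.setdefault(table, [])

    def add_static_route(self, table: str, cidr: str, target: str) -> None:
        self.tables.setdefault(table, []).append((ipaddress.IPv4Network(cidr), target))

    def propagate(self, table: str, attachment: str) -> None:
        """Copy an attachment's CIDR into a table, pointing at that attachment."""
        self.add_static_route(table, str(self.attachments[attachment]), attachment)

    def lookup(self, table: str, ip: str) -> Optional[str]:
        """Longest-prefix match over the table's routes, as a router does."""
        addr = ipaddress.IPv4Address(ip)
        matches = [r for r in self.tables.get(table, []) if addr in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)[1]

    def can_reach(self, src_attachment: str, dst_ip: str) -> Optional[str]:
        """Attachment that traffic from src is forwarded to, or None if dropped."""
        target = self.lookup(self.association[src_attachment], dst_ip)
        return None if target in (None, BLACKHOLE) else target


def build_demo() -> TransitGatewayModel:
    """Spokes reach shared services and on-prem, but not each other."""
    tgw = TransitGatewayModel()
    tgw.attach("prod", "10.0.0.0/16", table="spokes")
    tgw.attach("dev", "10.1.0.0/16", table="spokes")
    tgw.attach("shared-svcs", "10.2.0.0/16", table="shared")
    tgw.attach("vpn-onprem", "192.168.0.0/16", table="shared")

    # The spokes table only learns the shared VPC and on-prem: no spoke-to-spoke route.
    tgw.propagate("spokes", "shared-svcs")
    tgw.propagate("spokes", "vpn-onprem")
    # A more specific blackhole keeps a restricted subnet out of spoke reach.
    tgw.add_static_route("spokes", "10.2.99.0/24", BLACKHOLE)

    # The shared table learns every attachment so replies can flow back.
    for name in ("prod", "dev", "shared-svcs", "vpn-onprem"):
        tgw.propagate("shared", name)
    return tgw


if __name__ == "__main__":
    tgw = build_demo()
    for src, dst in [("prod", "10.2.0.10"), ("prod", "10.1.0.5"),
                     ("prod", "10.2.99.4"), ("shared-svcs", "10.1.0.5")]:
        print(f"{src} -> {dst}: {tgw.can_reach(src, dst)}")
```

The design point is that isolation comes from what the spokes table does not contain rather than from any filtering in the VPCs: prod and dev share a table with no route to each other, so spoke-to-spoke traffic is dropped at the gateway, while the shared table carries routes to everything so the central VPC and on-premises can answer. The /24 blackhole shows why longest-prefix match matters when carving exceptions out of a propagated /16.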

AWS Transit Gateway inter-regional peering


15 mins read

AWS offers two types of peering connections for routing traffic between VPCs in different
Regions: VPC peering and transit gateway peering. Both peering types are one-to-one, but transit
gateway peering connections have a simpler network design and more consolidated
management.

Suppose a customer has multiple VPCs in three different Regions. As the following diagram
illustrates, to permit network traffic to route between each VPC requires creating 30 VPC peering
connections. Each VPC needs 5 different routing configurations and security policies.

With AWS Transit Gateway, the same environment only needs three peering connections. The
transit gateway in each Region facilitates routing network traffic to all the VPCs in its Region.
Because all routing can be managed by the transit gateway, the customer only needs to
maintain three routing configurations, simplifying management.
Hub-and-spoke scenario

Challenges with VPC Peering & VPN Mesh

❌ Complex Routing – Hard to manage as the network grows.
❌ Operational Overhead – No central control over traffic flow.
❌ Increased Downtime – Misconfigurations cause service disruptions.

The following diagram shows this network architecture.

Solution: AWS Transit Gateway (Hub-and-Spoke Model)

✅ Centralized Management – Simplifies routing by consolidating VPC and on-prem connections.
✅ Improved Scalability – Supports large networks without exponential growth in connections.
✅ Reduced Complexity – Eliminates peer-to-peer mesh, reducing configuration conflicts.
🚀 Next Step: Deploy AWS Transit Gateway and migrate from VPC peering. Migrating to a centrally
managed model reduces operational overhead.

Key Benefits of Migrating to AWS Transit Gateway
✅ Simplified VPC Connectivity – Eliminates the complexity of managing multiple VPC peering connections.
✅ Centralized Routing Management – Transit Gateway centralizes all routing policies, reducing errors.
✅ Cost Reduction – Fewer VPN connections and peering links lower operational costs.
✅ Optimized Direct Connect – A single Direct Connect link integrates all AWS and on-prem traffic efficiently.
✅ Scalability & Flexibility – Easily scale to support new VPCs or locations without complex configurations.

These optimizations result in a more scalable, cost-effective, and manageable network
architecture, particularly for a company with a distributed presence across multiple locations
and VPCs.

Hybrid network

Highly available hybrid network connections

In the following network design, a company with two physical data centers has used two
different Direct Connect Partner locations to establish connections to the company's AWS
environment. AWS guarantees Direct Connect service as highly available by providing the service
with a four nines (99.99%) SLA. However, that guarantee only extends from the AWS router that
the company connects to, not the segments of the connection before that.

Alternatively, if the company's router or the circuit connecting to one of the company's data
centers experiences an issue at the Direct Connect Partner location, the company will not be able
to use the Direct Connect connection to reach AWS until the issue is resolved.

By updating the original design as shown in the following diagram, the company has eliminated
the single points of failure seen in the previous diagram.

AWS Direct Connect Partner location

In this design, the company has added a second router to the rack they rent. Each WAN circuit
terminates to a different router, and each router has a separate cross-connect cable to the AWS
router at the Partner location.

Unlike in the previous design, the company router is no longer considered a single point of
failure. If one router suffers a failure, the hardware gateway at the respective data center will
detect the failure and redirect traffic to the active connection.

Company data center

A second physical WAN circuit is added to each data center that terminates at the Direct Connect
Partner location. This helps the company reduce the chances of an interruption to the company
AWS environment.

Now, if one circuit suffers an interruption and the hardware gateways are configured as active-
active or active-passive, traffic to the Partner location will not be interrupted.

Cross-regional VPC peering


The following network design shows a cross-regional, highly available application. Deploying
your application in multiple Regions facilitates:

Just-in-time routing of users to the Region with the lowest latency (best response time)
relative to their location
Distributing application load across Regions. For example, if an application hosted in one
Region decreases in performance, work can be directed to the Region with the best-
performing application
Redundancy for your application. For example, if a Region hosting your application
experiences an interruption in service, your users can still access your application from the
alternate Regions

In the following diagram, Amazon Route 53 routes end users to the Region with the least latency.
The databases in each Region are synchronized using a VPC peering connection between the
two Regions. If a user reconnects after their session is interrupted, this design ensures they can
resume their session regardless of which Region they reconnect to. For example, the user begins
their session in Region 1 and is disconnected. When they reconnect, they are routed to Region 2.
They can resume their session because the databases are synchronized through the VPC
peering connection.

Inter-Region VPC peering

Inter-Region VPC peering lets you share resources or replicate data between Regions without
your traffic leaving the global AWS backbone.

This uncomplicated and cost-effective service reduces exposure to external threat vectors such as
distributed denial of service (DDoS) attacks or common code or configuration exploits, because
your traffic never traverses the public internet.
