VPC (Virtual Private Cloud)

Amazon Virtual Private Cloud (Amazon VPC) allows you to define a virtual network within AWS that closely resembles a traditional network. You can launch AWS resources like EC2 instances into a VPC, specify IP address ranges and subnets, and configure security groups and route tables. This virtual networking provides logical isolation and control over your AWS resources.


Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

Amazon VPC is the networking layer for Amazon EC2, and it is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.

You can specify an IP address range for the VPC, add subnets, associate security groups, and configure route tables.

https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
IP Address Classes and Ranges

Classful IPv4 addressing defines five address classes (A through E). AWS does not use classes: a VPC is given a CIDR block (between /16 and /28), normally drawn from the RFC 1918 private ranges so that it can later be peered or connected to other networks without address conflicts.


Types of IP Addresses in AWS:

Private IP Addresses
 Private IPv4 addresses (also referred to as private IP addresses in this topic) are not reachable over the Internet and can be used for communication between the instances in your VPC.
 When you launch an instance into a VPC, a primary private IP address from the IPv4 address range of the subnet is assigned to the default network interface (eth0) of the instance.
 A private IP address remains associated with the network interface when the instance is stopped and restarted and is released when the instance is terminated.

Public IP Addresses
 A public IP address is an IPv4 address that's reachable from the Internet. You can use public addresses for communication between your instances and the Internet.
 A public IP address is mapped to the primary private IP address through network address translation (NAT); the instance's operating system only ever sees the private address.
 When you launch an instance in EC2-Classic, AWS automatically assigns a public IP address to the instance from the EC2-Classic public IPv4 address pool. The address is chosen from Amazon's pool and is not under your control. (EC2-Classic has since been retired. In a VPC, auto-assignment of a public IPv4 address is a per-subnet setting, and an auto-assigned address is released when the instance is stopped or terminated, so it must never be hard-coded in DNS records, firewall rules or client configuration.)

Elastic IP Addresses
 An Elastic IP address is a static IPv4 address designed for dynamic cloud computing. It is associated with your AWS account, not with any particular instance.
 An Elastic IP address is a public IPv4 address, which is reachable from the Internet.
 With an Elastic IP address, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account.
VPC Components

Subnet
 A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a subnet that you select.
 Use a public subnet for resources that must be reachable from the Internet, and a private subnet for resources that must not be. What makes a subnet "public" is nothing on the subnet itself: it is a route to an Internet gateway in the route table associated with it.
 Assign static private IP addresses to your instances that persist across starts and stops.
 Assign multiple IP addresses to your instances.
 Change security group membership for your instances while they're running.

Route Tables
 A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. The most specific (longest-prefix) matching route wins, and every table carries an implicit "local" route for the VPC's own CIDR block that you do not create yourself.
 Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet with no explicit association uses the VPC's main route table.
 A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.

Internet Gateway
 An Internet gateway is a horizontally scaled, redundant and highly available VPC component that allows communication between instances in your VPC and the Internet.
 It therefore imposes no availability risks or bandwidth constraints on your network traffic.
 An Internet gateway serves two purposes: to provide a target in your VPC route tables for Internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
 Attaching an Internet gateway exposes nothing by itself. An instance is reachable from the Internet only when its subnet routes 0.0.0.0/0 to the gateway, the instance has a public or Elastic IP address, and its security group and network ACL allow the traffic.
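The subnet and route table rules above are easy to get wrong in practice, so here is an added example (not code from the original slides) that models a small VPC and evaluates its route tables the way AWS does: longest-prefix match, an implicit local route, and a subnet counting as "public" only when Internet-bound traffic resolves to an Internet gateway. The VPC, subnet and route table IDs are constructed sample data; the only AWS facts relied on are the routing behaviour and that AWS reserves the first four and the last address of every subnet.

```python
"""Which subnets are public? A small model of VPC route-table evaluation.

Added example, not code from the original slides. The VPC, subnets and
route tables below are constructed sample data.
"""
import ipaddress

# Constructed sample VPC 10.0.0.0/16 with three subnets.
SUBNETS = {
    "subnet-web": ipaddress.ip_network("10.0.1.0/24"),
    "subnet-app": ipaddress.ip_network("10.0.2.0/24"),
    "subnet-db": ipaddress.ip_network("10.0.3.0/28"),
}

# Route tables as (destination CIDR, target) pairs. Target IDs are made up.
ROUTE_TABLES = {
    "rtb-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0abc")],
    "rtb-private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0def")],
    "rtb-isolated": [("10.0.0.0/16", "local")],
}

# Exactly one route table per subnet; a table may serve several subnets.
ASSOCIATIONS = {
    "subnet-web": "rtb-public",
    "subnet-app": "rtb-private",
    "subnet-db": "rtb-isolated",
}


def lookup_route(table, dst_ip):
    """Return the target for dst_ip using longest-prefix match, or None."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(subnet_id):
    """'public' if Internet-bound traffic goes to an Internet gateway,
    'private' if it goes to a NAT device, 'isolated' if there is no way out."""
    table = ROUTE_TABLES[ASSOCIATIONS[subnet_id]]
    target = lookup_route(table, "198.51.100.1")  # any non-VPC address (TEST-NET-2)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    return "private"


def reachable_from_internet(subnet_id, has_public_ip):
    """A public subnet is necessary but not sufficient: the instance also
    needs a public IPv4 or Elastic IP (security group and NACL rules are
    a further condition not modelled here)."""
    return classify_subnet(subnet_id) == "public" and has_public_ip


def usable_hosts(subnet_id):
    """AWS reserves the network address, the VPC router, the DNS resolver,
    one address for future use and the broadcast address: five per subnet."""
    return SUBNETS[subnet_id].num_addresses - 5


if __name__ == "__main__":
    for sid in SUBNETS:
        print(sid, classify_subnet(sid), usable_hosts(sid), "usable hosts")
```

Note that the /16 local route beats the /0 default route for any in-VPC destination, which is why instance-to-instance traffic never touches the Internet gateway or NAT device even though a default route exists.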
NAT (Network Address Translation)

 You can use a NAT device to enable instances in a private subnet to connect to the Internet (for example, for software updates) or other AWS services, but prevent the Internet from initiating connections with the instances.
 A NAT device forwards traffic from the instances in the private subnet to the Internet or other AWS services, and then sends the response back to the instances.
 When traffic goes to the Internet, the source IP address is replaced with the NAT device's address; when the response traffic comes back, the NAT device translates the destination address back to the originating instance's private IP address.
 A NAT gateway is the managed option. If you run your own NAT instance, you must disable its source/destination check, because it forwards packets whose addresses are not its own, and its security group then decides what the private subnet may reach.
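The reason a NAT device lets private instances out but keeps the Internet from initiating connections is its translation table: only packets matching a mapping created by outbound traffic are ever forwarded back in. The following is an added example (not code from the slides) that simulates that table; the addresses come from the RFC 5737 documentation ranges, and the rule that a reply is accepted only from the peer the flow was opened to is a simplification of this model, not a claim about the exact AWS implementation.

```python
"""Simulate the translation table of a NAT device.

Added example, not code from the slides. Addresses are constructed
(RFC 5737 documentation ranges).
"""


class NatDevice:
    def __init__(self, public_ip, first_port=1024, last_port=65535):
        self.public_ip = public_ip
        self.next_port = first_port
        self.last_port = last_port
        # translated source port -> (private src ip, src port, dst ip, dst port)
        self.table = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Private subnet -> Internet. Rewrite the source to the NAT's public
        address and a port from its pool, remember the mapping, and return
        the packet as the Internet sees it."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        for nat_port, entry in self.table.items():  # reuse an existing mapping
            if entry == flow:
                return (self.public_ip, nat_port, dst_ip, dst_port)
        if self.next_port > self.last_port:
            raise RuntimeError("NAT port pool exhausted")
        nat_port = self.next_port
        self.next_port += 1
        self.table[nat_port] = flow
        return (self.public_ip, nat_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internet -> NAT. Only a packet that matches an existing mapping is
        translated back to the private address; anything else (a port scan,
        a fresh connection attempt) is dropped, which is what keeps the
        Internet from initiating connections. Returns the translated packet
        or None for a drop."""
        if dst_ip != self.public_ip:
            return None
        entry = self.table.get(dst_port)
        if entry is None:
            return None  # no instance ever opened a flow on this port
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None  # model simplification: reply must come from the original peer
        return (src_ip, src_port, priv_ip, priv_port)


if __name__ == "__main__":
    nat = NatDevice("203.0.113.5")
    print(nat.outbound("10.0.2.15", 40000, "198.51.100.7", 443))
    print(nat.inbound("198.51.100.7", 443, "203.0.113.5", 1024))
    print(nat.inbound("192.0.2.9", 12345, "203.0.113.5", 22))
```

The third call is the attacker's view: a packet aimed at the NAT's public address on a port no instance has used is simply dropped, and there is nothing the sender can do to reach 10.0.2.15 through it.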
Security Group

 A security group acts as a virtual firewall for your instance to control inbound and outbound traffic.
 When you launch an instance in a VPC, you can assign up to five security groups to the instance (the default quota per network interface; it can be raised).
 Security groups act at the instance level, not the subnet level.
 Each instance in a subnet in your VPC can be assigned to a different set of security groups.
 You can specify allow rules, but not deny rules. Anything that matches no allow rule is dropped, so a deny is expressed by leaving the rule out.
 You can specify separate rules for inbound and outbound traffic.
 Security group rules enable you to filter traffic based on protocols and port numbers.
 Security groups are stateful: if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
NACL (Network Access Control List)

 A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
 You might set up network ACLs with similar rules to your security groups in order to add an additional layer of security to your VPC.
 A network ACL contains a numbered list of rules. Rules are evaluated in order, starting with the lowest numbered rule, and the first rule that matches the traffic decides; the final catch-all rule (*) denies everything that no numbered rule matched. The highest number that you can use for a rule is 32766.
 Unlike a security group, a network ACL can contain explicit deny rules, so it is the place to block a known-bad address range for a whole subnet.
 A NACL is a stateless firewall: it keeps no connection state, so return traffic must be allowed by a rule in the opposite direction. In practice the outbound rules must allow the ephemeral port range used by clients, or responses from your servers never leave the subnet.
 The Well-Known Ports are those from 0 through 1023.
 The Registered Ports are those from 1024 through 49151.
 The Dynamic and/or Private Ports are those from 49152 through 65535.
 Clients pick their source ports from the upper ranges, so NACL return-traffic rules commonly allow TCP 1024 through 65535.
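The stateful/stateless distinction in the Security Group and NACL sections above is where most VPC firewall mistakes happen, so here is an added example (not code from the slides) that runs one HTTPS request and its response through a model of both. The security group has an inbound 443 rule and deliberately no outbound rule at all; one NACL mirrors the security group, the other adds the ephemeral-port outbound rule, and a third puts an explicit deny ahead of the allow to show rule ordering. Addresses, rule sets and packets are all constructed; the behaviours modelled are the ones the slides state.

```python
"""Stateful security group vs stateless network ACL on one HTTPS exchange.

Added example, not code from the slides. All addresses, rules and packets
are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = toward the instance, "out" = from the instance
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _rule_matches(rule, pkt):
    """A rule names the remote side (source for inbound, destination for
    outbound) and a destination port range."""
    remote = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
    in_cidr = ipaddress.ip_address(remote) in ipaddress.ip_network(rule["cidr"])
    proto_ok = rule["proto"] in ("all", pkt.proto)
    port_ok = rule["from_port"] <= pkt.dst_port <= rule["to_port"]
    return rule["direction"] == pkt.direction and in_cidr and proto_ok and port_ok


class SecurityGroup:
    """Allow-only rules plus connection tracking."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # (src_ip, src_port, dst_ip, dst_port, proto)

    def allows(self, pkt):
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.flows:
            return True  # reply to a tracked flow: allowed regardless of rules
        if any(_rule_matches(r, pkt) for r in self.rules):
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return True
        return False  # there are no deny rules; unmatched traffic is dropped


class NetworkAcl:
    """Numbered allow/deny rules, lowest number first, first match wins,
    no connection tracking."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r["number"])

    def allows(self, pkt):
        for r in self.rules:
            if _rule_matches(r, pkt):
                return r["action"] == "allow"
        return False  # the final "*" rule denies


def trace(sg, nacl, request, response):
    """Return {'request': (sg_ok, nacl_ok), 'response': (sg_ok, nacl_ok)}."""
    return {
        "request": (sg.allows(request), nacl.allows(request)),
        "response": (sg.allows(response), nacl.allows(response)),
    }


# Constructed scenario: client 203.0.113.10 talks HTTPS to instance 10.0.1.5.
REQUEST = Packet("in", "tcp", "203.0.113.10", 51000, "10.0.1.5", 443)
RESPONSE = Packet("out", "tcp", "10.0.1.5", 443, "203.0.113.10", 51000)

# Security group: inbound 443 only, and deliberately no outbound rule.
SG_RULES = [dict(direction="in", proto="tcp", from_port=443, to_port=443, cidr="0.0.0.0/0")]

# NACL that mirrors the SG. Its outbound rule allows port 443, which is the
# destination port of requests, not of the responses leaving the instance.
NACL_MIRRORED = [
    dict(number=100, direction="in", proto="tcp", from_port=443, to_port=443, cidr="0.0.0.0/0", action="allow"),
    dict(number=100, direction="out", proto="tcp", from_port=443, to_port=443, cidr="0.0.0.0/0", action="allow"),
]

# NACL with an outbound ephemeral-port rule so responses can leave.
NACL_FIXED = NACL_MIRRORED[:1] + [
    dict(number=100, direction="out", proto="tcp", from_port=1024, to_port=65535, cidr="0.0.0.0/0", action="allow"),
]

# Same, plus an explicit deny numbered below the allow: evaluated first, so it wins.
NACL_BLOCKLIST = [
    dict(number=90, direction="in", proto="all", from_port=0, to_port=65535, cidr="203.0.113.0/24", action="deny"),
] + NACL_FIXED


def run_scenario(nacl_rules):
    return trace(SecurityGroup(SG_RULES), NetworkAcl(nacl_rules), REQUEST, RESPONSE)
```

With the mirrored NACL the request is admitted twice over but the response is dropped at the subnet boundary, and the security group, having tracked the flow, would happily have let it out: the symptom is a server that receives connections nobody can complete.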
VPC Peering Connection

 A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them privately, using private IPv4 or IPv6 addresses, without traversing the Internet.
 A VPC peering connection facilitates the transfer of data between the two VPCs.
 For example, if you have more than one AWS account, you can peer the VPCs across those accounts to create a file sharing network.
 You can also use a VPC peering connection to allow other VPCs to access resources you have in one of your VPCs.
 Peering requires the two VPCs to have non-overlapping CIDR blocks, and it is not transitive: if A is peered with B and B with C, A cannot reach C through B. Traffic flows only once both sides add routes to the peer's CIDR pointing at the peering connection, and security groups and network ACLs still apply to it.
ENI (Elastic Network Interface)

An elastic network interface (referred to as a network interface in this documentation) is a logical networking component in a VPC that represents a virtual network card. It can include the following attributes:

• Primary private IPv4 address
• Secondary private IPv4 addresses
• One Elastic IP address per private IPv4 address
• One public IPv4 address, which can be auto-assigned to the network interface for eth0 when you launch an instance
• One or more IPv6 addresses
• One or more security groups
• MAC address
• Source/destination check flag (must be disabled on an interface that forwards traffic for other addresses, such as a NAT instance)
• Description

Note: The maximum number of network interfaces per instance, and the number of IP addresses per interface, depends on the instance type; check the EC2 instance type limits rather than assuming a fixed count such as 8.
