Ugur Kira, AWS Premium Support Engineer

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon Virtual Private Cloud (VPC)
Networking Fundamentals and Connectivity Options
Ugur KIRA
Senior Cloud Support Engineer
9th April 2018

2. EC2 Instance

3. 172.31.0.128
172.31.0.129
172.31.1.24
172.31.1.27
54.4.5.6
54.2.3.4
VPC

4. VPC: your private network in AWS

5. Walkthrough: setting up an
Internet-connected VPC

6. Creating an Internet-connected VPC: steps
Choosing an
address range
Setting up subnets
in Availability Zones
Creating a route to
the Internet
Authorizing traffic
to/from the VPC

7. Choosing an IP address range

8. CIDR notation review
CIDR range example:
172.31.0.0/16
1010 1100 0001 1111 0000 0000 0000 0000

9. Choosing an IPv4 address range for your VPC
172.31.0.0/16
Recommended:
RFC1918 range
Recommended:
/16
(64K addresses)

10. Adding a secondary IPv4 address range
Primary CIDR
Secondary
CIDR
172.31.0.0/20
172.31.16.0/20

11. Adding a secondary IPv4 address range
Primary CIDR
172.31.0.0/20
172.31.16.0/20
172.31.32.0/20

12. Adding a secondary IPv4 address range
Primary CIDR
172.31.0.0/20
172.31.16.0/20
172.31.32.0/20
172.31.112.0/20
Maximum 5 CIDRs

13. Subnets

14. VPC subnets and Availability Zones
172.31.0.0/16
Availability Zone Availability Zone Availability Zone
VPC subnet VPC subnet VPC subnet
172.31.0.0/24 172.31.1.0/24 172.31.2.0/24
eu-west-1a eu-west-1b eu-west-1c

15. VPC subnet considerations
• /16 VPC (64K IPv4 addresses)
• /24 subnets (251 IPv4 addresses)
• One subnet per Availability Zone
• first 4 IP addresses and the last IP address in each subnet CIDR
block are reserved , and cannot be assigned
• For example, in a subnet with CIDR block 10.0.0.0/24
• 10.0.0.0: Network address
• 10.0.0.1: Reserved by AWS for the VPC router.
• 10.0.0.2: Reserved by AWS as DNS server IP
• 10.0.0.3: Reserved by AWS for future use.
• 10.0.0.255: Network broadcast address(Not Supported)

16. Route to the Internet

17. Routing in your VPC
• Route tables contain rules for which
packets go where
• Your VPC has a default route table
• … but you can assign different route
tables to different subnets

18. Can instances with the CIDR- 10.0.0.0/24 reach to the instances
with the CIDR 10.0.1.0/24?

19. Can instances with the CIDR- 10.0.0.0/24 reach to the instances
with the CIDR 10.0.1.0/24?
With VPC, YES!

20. Traffic destined for my VPC
stays in my VPC

21. Internet Gateway
Send packets here if you want
them to reach the Internet

22. Everything that isn’t destined for the VPC:
Send to the Internet

23. Network security in VPC:
Network ACLs / Security Groups

24. Network ACLs: Stateless firewalls
English translation: Allow all traffic in
Can be applied on a subnet basis
Rules are evaluated starting with the lowest numbered rule.

25. “MyWebServers” Security Group
“MyBackends” Security Group
Allow only “MyWebServers”
Security Groups- Stateful Firewall

26. Security groups example: web servers
In English: Hosts in this group are reachable
from the Internet on port 80 (HTTP)

27. Security groups example: backends
In English: Only instances in the MyWebServers
Security Group can reach instances in this
Security Group

28. Security groups in VPC: additional notes
• Follow the Principle of Least Privilege
• VPC allows creation of egress as well as ingress
Security Group rules
• You can only define ALLOW rule not a DENY

29. Connectivity options for VPCs

30. Beyond Internet connectivity
Restricting
Internet access
Connecting to your
corporate network
Connecting
to other VPCs
Accessing Services
Through AWS PrivateLink
VPC Endpoints for
Amazon S3 &
DynamoDB

31. Restricting Internet access:
Routing by subnet

32. Routing by subnet
VPC subnet
VPC subnet
Public Subnet: Has route to Internet
Private Subnet: Has NO route to
Internet

33. Outbound-only Internet access: NAT gateway
Private VPC subnet Public VPC subnet
0.0.0.0/0
0.0.0.0/0
Public IP: 54.161.0.39
NAT gateway

34. Inter-VPC connectivity:
VPC peering

35. Example VPC peering use:
shared services VPC
You can create a VPC peering connection
between:
• your own VPCs
• with a VPC in another AWS account
• with a VPC in a different AWS Region
Common/core services
• Authentication/directory
• Monitoring
• Logging
• Remote administration
• Scanning
Can VPC B access VPC C via VPC A?

36. Security groups across peered VPCs
VPC Peering
172.31.0.0/16 10.55.0.0/16
Orange Security Group Blue Security Group
ALLOW
You can create inbound or outbound rules for your VPC
security groups to reference security groups in the
peered VPC

37. Establish a VPC peering: initiate request
172.31.0.0/16 10.55.0.0/16
Step 1
Initiate peering request

38. Establish a VPC peering: accept request
172.31.0.0/16 10.55.0.0/16
Step 1
Initiate peering request
Step 2
Accept peering request

39. Establish a VPC peering: create route
172.31.0.0/16 10.55.0.0/16Step 1
Initiate peering request
Step 2
Accept peering request
Step 3
Create routes
In English: Traffic destined for the
peered VPC should go to the peering

40. Connecting to on-premises networks:
Virtual Private Network & Direct Connect

41. Extend an on-premises network into your VPC
VPN
Direct Connect

42. AWS VPN basics
Customer
Gateway
Virtual
Gateway
Two IPSec tunnels
192.168.0.0/16 172.31.0.0/16
192.168/16
Your networking device

43. VPN and AWS Direct Connect
• Both allow secure connections
between your network and your VPC
• VPN is a pair of IPSec tunnels over
the Internet
• DirectConnect is a dedicated line with
lower per-GB data transfer rates
• For highest availability: Use both

44. VPC Endpoints for DynamoDB
VPC Endpoints for Amazon S3
VPC Endpoint Services (AWS
PrivateLink)

45. S3, DynamoDB and your VPC
S3 Bucket
Your applications
Your data
DynamoDB
Table

46. AWS VPC endpoints
S3 BucketDynamoDB
Table

47. VPC Endpoint-S3
S3 Bucket
Route S3-bound
traffic to the VPCE

48. DynamoDB
DynamoDB
Table

49. IAM policy for VPC endpoints
S3 Bucket
IAM Policy at VPC Endpoint -
Endpoint Policy: Restrict actions
of VPC in S3
IAM Policy at S3 Bucket:
Make accessible from
VPC Endpoint only

50. Accessing Services Through
AWS PrivateLink

51. AWS PrivateLink
• privately connect your VPC to supported
AWS services, services hosted by other AWS
accounts (VPC endpoint services)
• do not require an internet gateway, NAT
device, public IP address, AWS Direct
Connect connection, or VPN connection to
communicate with the service *(without using public
IPs, and without requiring the traffic to traverse across the Internet)
• Amazon Elastic Compute Cloud (EC2),
Elastic Load Balancing (ELB), Kinesis
Streams, EC2 Systems Manager …
• Even You can create your own application in
your VPC and configure it as an AWS
PrivateLink-powered service

52. VPC Endpoint Services (AWS PrivateLink)
Running Internal Web Services in a
private subnet
Using an interface endpoint to access
the services in subnet B.
Subnets should not overlap!

53. VPC and the rest of AWS
DNS in-VPC with
Amazon Route 53
Logging VPC Traffic
with VPC Flow Logs

54. VPC DNS options
Use Amazon DNS server
Have EC2 auto-assign DNS
hostnames to instances

55. Amazon Route 53 private hosted zones
Private Hosted
Zone
example.demohostedzone.org 
172.31.0.99

56. VPC Flow Logs:
VPC traffic metadata in Amazon
CloudWatch Logs

57. VPC Flow Logs
Visibility into effects of security
group rules
Troubleshooting network
connectivity
Ability to analyze traffic

58. VPC Flow Logs: setup
VPC traffic metadata captured in
CloudWatch Logs

59. VPC Flow Logs data in CloudWatch Logs
Who’s this?
# dig +short -x 109.236.86.32
internetpolice.co.
REJECT
UDP Port 53 = DNS

60. THANK YOU