VPC Networking Basics

A VPC is essentially a logically isolated section of private AWS cloud resources. By default you can have 5 VPCs in an AWS region; you can request more through support. By default every region will have a default VPC. A VPC cannot span across regions.

To build a VPC you will need:

  • VPC name tag

  • CIDR Block

  • Tenancy, default or dedicated.

The VPC Name Tag can be changed after initial creation. Dedicated tenancy means dedicated hardware (not all services are needed), is more expensive, and cannot be changed after creation. Choosing the right CIDR block range is very important because it cannot be changed after creation, and choosing CIDR block ranges that integrate with other regions and on-prem networks is very important. You must choose an IPv4 range; this is mandatory, as some internal AWS functions will only use IPv4. You can optionally add IPv6. You will not run in dual-stack mode, and networking functions for v4 and v6 will work independently of one another.

  • When choosing an IPv4 addressing range you have between a /16 and /28.

  • When choosing IPv6 you have only a /56 option, which could equal 256 /64 subnets.

  • You are limited by the amount of IPv4 addresses available in the CIDR range…?… I think I understand… you are limited by your IPv4 addresses because your instances will always need an IPv4 address, so you are limited by the amount of addresses you have allocated for IPv4. Every server/instance will need both types of addresses.

  • You choose the range you want for IPv4 addresses. With IPv6 it is automatically chosen for you.

  • With IPv4 there are separate public and private addresses. With IPv6 there is no difference, and security is controlled with routing and security policies.

AWS VPC reserves 5 IP addresses from every subnet. What are they and what are they used for?

Two of the reserved addresses are what you would find in any broadcast Ethernet network: the network address (1st address of the subnet) and the broadcast address (last IP address in the subnet).

The other three reserved addresses are used for the built-in AWS VPC router, the DNS server and one for future use.

Given a network of 192.168.0.0/24 the reserved IP addresses would break down as follows:

  • 192.168.0.0 = Network Address

  • 192.168.0.1 = AWS VPC Router (Reserved by AWS)

  • 192.168.0.2 = AWS DNS Server (Reserved by AWS) (Sometimes referred to as the gateway+1 address)

  • 192.168.0.3 = Reserved by AWS for future use

  • 192.168.0.255 = Network Broadcast address. Broadcast is not supported by AWS but they reserve this address. Almost any host is going to use an ARP broadcast to find its neighbor devices in the same subnet though, so I assume they intercept the broadcast and reply from their mapping DB to the original host with a unicast reply of the IP of the host the ARP was intended for.
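The reserved-address breakdown above, worked out for any IPv4 subnet (an added example, not code from the original notes; it only encodes the rule stated here, that AWS takes the first four and the last address, and the /16 to /28 subnet size limit):

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet:
# network, VPC router, DNS, future use, broadcast - five in total.
AWS_RESERVED_PER_SUBNET = 5


def aws_reserved_addresses(cidr: str) -> dict:
    """Return the five addresses AWS reserves in an IPv4 subnet, keyed by role.

    Raises ValueError for a prefix outside the /16../28 range AWS allows
    for a VPC subnet, or for anything that is not an IPv4 network.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("only IPv4 subnets are handled here")
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS subnets must be between /16 and /28")
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.ip_address(base + 1)),  # default gateway
        "dns": str(ipaddress.ip_address(base + 2)),         # the "gateway + 1" resolver
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),            # reserved, broadcast unsupported
    }


def usable_hosts(cidr: str) -> int:
    """Addresses left for instances/ENIs once AWS has taken its five."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def is_reserved(cidr: str, address: str) -> bool:
    """True if `address` is one of the five AWS-reserved addresses in `cidr`."""
    return address in aws_reserved_addresses(cidr).values()


if __name__ == "__main__":
    for role, ip in aws_reserved_addresses("192.168.0.0/24").items():
        print(f"{ip:15} {role}")
    print("usable hosts:", usable_hosts("192.168.0.0/24"))
```

A /28 (16 addresses) leaves only 11 usable hosts, which is why the smallest allowed subnet fills up quickly.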

Subnets within a VPC

Subnets cannot span across availability zones.

Subnets can be public, private or VPN only.

The default VPC CIDR block range will be 172.31.0.0/16

AWS recommends the standard RFC 1918 address spaces, although you can use public IP address space if you want. This will probably cause many issues accessing public AWS resources like S3, where your path to the resource would not go through your internet gateway and get a NAT translation.

  • 192.168.0.0/16

  • 172.16.0.0/12

  • 10.0.0.0/8

When creating a subnet you must select the target AZ. A subnet can be between a /28 and a /16 CIDR mask.
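A check for a proposed VPC address plan, covering the points above and in the CIDR section (an added example, not code from the original notes): the /16 to /28 limits, RFC 1918 membership, subnets sitting inside the VPC block, and no overlap between subnets or with the on-prem and other-region ranges the VPC has to route to. The `peer_cidrs` argument name is my own.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_vpc_plan(vpc_cidr, subnet_cidrs, peer_cidrs=()):
    """Return a list of problems with a proposed IPv4 VPC CIDR and its subnets.

    peer_cidrs: ranges this VPC must reach over VPN/peering (on-prem, other
    regions). An overlap there cannot be fixed later, since the VPC CIDR is
    immutable once created.
    """
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC {vpc}: prefix must be between /16 and /28")
    if not any(vpc.subnet_of(r) for r in RFC1918):
        problems.append(f"VPC {vpc}: not RFC 1918; access to public AWS "
                        "endpoints such as S3 may break")

    subnets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"subnet {s}: not inside VPC {vpc}")
        if not 16 <= s.prefixlen <= 28:
            problems.append(f"subnet {s}: prefix must be between /16 and /28")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")

    for p in (ipaddress.ip_network(c) for c in peer_cidrs):
        if vpc.overlaps(p):
            problems.append(f"VPC {vpc} overlaps peer range {p}; "
                            "routing to it would be ambiguous")
    return problems


if __name__ == "__main__":
    # Constructed plan: a second subnet overlapping the first, a subnet outside
    # the VPC, and an on-prem range that swallows the whole VPC.
    for line in check_vpc_plan("10.0.0.0/16",
                               ["10.0.1.0/24", "10.0.1.128/25", "10.9.0.0/24"],
                               ["10.0.0.0/8"]):
        print(line)
```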

VPC Router

The VPC router is a built-in logical construct. It is the default gateway for your resources in any given subnet, and it occupies the first reserved address of any subnet created within a VPC.

By default, when a VPC is created a route table is created with it. Your subnets automatically populate the route table as directly connected (local) routes, and you cannot create more specific routes to target these subnets. You can associate a custom route table with a subnet, but if one does not exist the subnet will use the VPC's default route table. Using custom route tables is preferred as a best practice.

Internet Gateway (IGW)

Attached to the edge of the VPC for public internet access. The default route will point to this in our default route table.

It works like a router or firewall would at the edge of a traditional network and will NAT private IP addresses to public IP addresses as long as they are set up with a public IP address mapping, an Elastic IP, or IPv6. For PAT-style NAT functions I believe the NAT gateway should be used.

It sits at the edge of the VPC. It attaches to only one VPC and vice versa. It is managed by AWS and has HA built in. You will typically point your default route to the IGW target.

If you have an ENI with an Elastic IP mapping, the IGW will be aware of this mapping and NAT the traffic appropriately.
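The route table and IGW behaviour described above, as a small simulation (an added example, not code from the original notes): a longest-prefix-match lookup over a route table where the VPC CIDR is the `local` route, plus the public/private/VPN-only classification of a subnet from what its default route points at. The `igw-`/`vgw-` target prefixes and the route-table list format are assumptions for this example.

```python
import ipaddress


def lookup_route(route_table, destination):
    """Longest-prefix match over [(cidr, target), ...].

    The VPC CIDR's 'local' route covers every subnet in the VPC, so a packet to
    another subnet never leaves via the IGW even if a 0.0.0.0/0 route exists.
    Returns the target, or None when no route matches (nothing is dropped here
    on purpose; an unroutable destination simply has nowhere to go).
    """
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(route_table):
    """'public' if any route targets an Internet Gateway (assumed 'igw-' prefix),
    'vpn-only' if external reachability is only via a Virtual Private Gateway
    (assumed 'vgw-' prefix), otherwise 'private'."""
    targets = [t for _, t in route_table]
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("vgw-") for t in targets):
        return "vpn-only"
    return "private"


if __name__ == "__main__":
    # Constructed route tables; gateway IDs are placeholders, not real AWS IDs.
    public = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")]
    vpn_only = [("10.0.0.0/16", "local"), ("192.168.0.0/16", "vgw-EXAMPLE")]
    for name, rt in (("public", public), ("vpn_only", vpn_only)):
        print(name, classify_subnet(rt),
              lookup_route(rt, "10.0.3.7"), lookup_route(rt, "198.51.100.9"))
```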

Elastic IP addresses used with IGW

AWS offers Elastic IP addresses and dynamic external IP addresses, but recommends the use of Elastic IP addresses. You request Elastic IPs, assign them to an ENI, and can choose when to give them back to the AWS pool. You are allowed 5 of these addresses by default. Dynamic external IPs are assigned when your EC2 instance is instantiated; they cannot be moved from the instance and are released back to AWS as soon as the EC2 instance is stopped.

Virtual Private Gateway (VGW)

Used for Direct Connect and VPN connections to private enterprise networks.