VPC stands for Virtual Private Cloud; it is your own isolated network in the cloud. Suppose you want some of your resources to be exposed to the outside world and some resources not to be exposed; then you can create your own private network in the cloud, and that is called a VPC. Here you can control the traffic to your resources: who can access your resources, when, how much, and so on.
In the below diagram we have made our application accessible by the outside world, but we didn't want the database to be accessed, so we put it in a Private Subnet.
Public Subnet: has inbound and outbound traffic through the Internet.
Private Subnet: has no inbound or outbound traffic through the Internet.
Each VPC has to be in one region only.
Each Subnet has to be in one AZ only.
Whenever you create an EC2 instance, a default VPC having some default Subnet(s) is assigned to that EC2 instance. Suppose you create an EC2 instance in the Mumbai region: a VPC having 3 Subnets is created by default inside that region. Why 3 subnets? Because Mumbai has 3 AZs.
CIDR (Classless Inter-Domain Routing):
CIDR is a range of addresses that resources in the same network can have. Typically resources in the same network use similar IP addresses to make routing easy.
So a CIDR block consists of an IP address (e.g., 75.209.0.0) and a range, written as a prefix length (e.g., /28).
So what does 75.209.0.0/28 indicate?
It indicates that the first 28 bits (out of 32 bits) are fixed, so only the last 4 bits can change. That means the above CIDR can represent 2 to the power of 4, i.e., 16 addresses.
An IPv4 address like this has 32 bits in total.
75.209.0.0/32 indicates only 1 IP address.
0.0.0.0/0 indicates all IP addresses.
CIDR Block Example – Security Group:
Given the below security group rules:
Direction | Protocol | Port Range | Source/Destination |
Inbound   | TCP      | 443        | 175.55.0.0/28      |
Inbound   | TCP      | 22         | 189.98.9.3/32      |
Outbound  | All      | All        | 0.0.0.0/0          |
- Allow inbound HTTPS traffic from a range of addresses (175.55.0.0/28).
- Allow inbound SSH traffic from exactly one address (189.98.9.3/32).
- Allow outbound traffic to all addresses.
VPC CIDR Blocks:
- Every VPC is associated with a CIDR Block.
- The prefix length of the CIDR Block should be between /16 and /28.
- The addresses in a VPC's CIDR Blocks are private to the VPC.
- The CIDR Blocks of a VPC can't overlap each other.
- Choose a wider range for a CIDR Block than you need, so that later you won't run out of addresses.
- A Subnet is required to group resources in a VPC.
- So the CIDR Block of a subnet must be the same as, or a subset of, the VPC's CIDR Block.
- The address range of a VPC can be extended by adding new CIDR Blocks.
- But the address range of a Subnet cannot be extended.
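The CIDR arithmetic above (fixed bits, host bits, number of addresses) and the VPC rules just listed (/16 to /28, no overlapping blocks, a subnet must sit inside the VPC's block) can be checked with the standard-library ipaddress module. This is an added example, not code from the original notes or from AWS; the CIDR values in it are constructed for illustration.

```python
# Added example (not from the original notes): CIDR arithmetic with the
# standard-library ipaddress module. The CIDR values are constructed for illustration.
import ipaddress

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28   # AWS limits for IPv4 VPC and subnet CIDR blocks


def cidr_info(cidr):
    """Describe a CIDR block: how many bits are fixed, how many can vary, and
    therefore how many addresses it covers (2 ** host_bits)."""
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    return {
        "network": str(net.network_address),
        "fixed_bits": net.prefixlen,
        "host_bits": host_bits,
        "num_addresses": net.num_addresses,   # equals 2 ** host_bits
        "first": str(net[0]),
        "last": str(net[-1]),
    }


def valid_aws_cidr(cidr):
    """True if the block is IPv4 with a prefix length between /16 and /28 inclusive."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.version == 4 and VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX


def check_new_vpc_block(new_cidr, existing_vpc_cidrs):
    """Adding a secondary CIDR block to a VPC: it must be /16../28 and must not
    overlap any block already associated with the VPC."""
    new = ipaddress.ip_network(new_cidr, strict=True)
    if not valid_aws_cidr(new_cidr):
        return False, "prefix length must be between /16 and /28"
    for other in existing_vpc_cidrs:
        if new.overlaps(ipaddress.ip_network(other)):
            return False, "overlaps existing VPC block " + other
    return True, "ok"


def check_new_subnet(subnet_cidr, vpc_cidrs, existing_subnet_cidrs):
    """A subnet's block must equal or be a subset of one of the VPC's blocks,
    must itself be /16../28, and must not overlap another subnet in the VPC."""
    sub = ipaddress.ip_network(subnet_cidr, strict=True)
    if not valid_aws_cidr(subnet_cidr):
        return False, "prefix length must be between /16 and /28"
    if not any(sub.subnet_of(ipaddress.ip_network(v)) for v in vpc_cidrs):
        return False, "not contained in any VPC CIDR block"
    for other in existing_subnet_cidrs:
        if sub.overlaps(ipaddress.ip_network(other)):
            return False, "overlaps existing subnet " + other
    return True, "ok"


if __name__ == "__main__":
    for c in ("75.209.0.0/28", "75.209.0.0/32", "0.0.0.0/0"):
        print(c, cidr_info(c))
    print(check_new_vpc_block("10.1.0.0/16", ["10.0.0.0/16"]))
    print(check_new_subnet("10.0.1.0/24", ["10.0.0.0/16"], ["10.0.0.0/24"]))
    print(check_new_subnet("10.0.0.128/25", ["10.0.0.0/16"], ["10.0.0.0/24"]))
```

Running it shows 75.209.0.0/28 covering 16 addresses (75.209.0.0 to 75.209.0.15), a second /16 being accepted as an additional VPC block, and a subnet that overlaps an existing one being rejected.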
Internet Gateway & Route Table:
- An Internet Gateway allows resources in a VPC to connect to the Internet (both inbound and outbound).
- Only 1 Internet Gateway can be attached to a VPC.
- An Internet Gateway alone can't let the VPC connect to the Internet; you also need to edit the Route Table.
Bastion Hosts:
- Bastion Hosts are nothing but EC2 instances in the public subnet through which we can SSH into the EC2 instances of the private subnet.
- Since we only do SSH through it, the security group of the Bastion Host must allow inbound traffic on port 22.
- Besides SSH, we can also do RDP (Microsoft Remote Desktop Protocol) through it.
NAT Devices (Network Address Translation):
NAT devices are used to get outbound traffic to the Internet from a private subnet (since a private subnet in a VPC can't connect to the outside world directly).
A use case of NAT devices: you want to download/upgrade a software patch from the Internet for resources in a private subnet.
There are 3 types of NAT Devices:
1. NAT instance:
- Outdated, but still in the exam.
2. NAT Gateway:
- Managed service.
- Unlike a NAT instance, you do not need to manage any Security Group for it.
- Can't be used by VPC resources in the same subnet. That means if you need it for a private subnet, you have to put it in a public subnet.
- Supports IPv4 only.
- Cannot connect to the Internet without an Internet Gateway.
3. Egress-Only Internet Gateway:
- Similar to a NAT Gateway, but only for IPv6 subnets.
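The Internet Gateway and NAT Gateway sections above both come down to what is in a subnet's route table: an attached Internet Gateway does nothing until a route points at it, and a NAT Gateway only helps a private subnet if the NAT Gateway itself sits in a subnet that routes to the Internet Gateway. The following added example (not code from the original notes or from AWS) models that lookup with longest-prefix matching. The VPC CIDR and the target ids such as igw-EXAMPLE and nat-EXAMPLE are constructed placeholders.

```python
# Added example (not from the original notes): a route-table lookup that shows why
# an Internet Gateway alone is not enough, and where a NAT Gateway has to sit.
# CIDRs are constructed; the "igw-EXAMPLE" / "nat-EXAMPLE" target ids are placeholders.
import ipaddress

VPC_CIDR = "10.0.0.0/16"
ANY_INTERNET_IP = "203.0.113.9"   # documentation-range address standing in for "the Internet"


def lookup(route_table, dst_ip):
    """Longest-prefix match over (destination CIDR, target) routes: the most specific
    route wins, so the VPC's own 'local' route always beats 0.0.0.0/0 for in-VPC traffic.
    Returns the target, or None when nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(route_table):
    """Public: default route to an Internet Gateway. Private: default route to a NAT
    Gateway (outbound only). Isolated: no route to the Internet at all."""
    target = lookup(route_table, ANY_INTERNET_IP)
    if target is None or target == "local":
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


def nat_gateway_usable(private_subnet_rt, nat_gateway_subnet_rt):
    """The private subnet must route 0.0.0.0/0 to the NAT Gateway, and the NAT Gateway
    itself must live in a public subnet (its subnet's default route goes to the IGW);
    otherwise the NAT Gateway has no path to the Internet either."""
    return (classify_subnet(private_subnet_rt) == "private"
            and classify_subnet(nat_gateway_subnet_rt) == "public")


# Route tables for three subnets in one VPC (constructed example).
ISOLATED_RT = [(VPC_CIDR, "local")]   # IGW may be attached to the VPC, but with no route the subnet stays isolated
PUBLIC_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-EXAMPLE")]

if __name__ == "__main__":
    for name, rt in (("isolated", ISOLATED_RT), ("public", PUBLIC_RT), ("private", PRIVATE_RT)):
        print(name, classify_subnet(rt), "| 10.0.5.5 ->", lookup(rt, "10.0.5.5"),
              "| Internet ->", lookup(rt, ANY_INTERNET_IP))
    print("NAT Gateway in public subnet usable:", nat_gateway_usable(PRIVATE_RT, PUBLIC_RT))
    print("NAT Gateway in isolated subnet usable:", nat_gateway_usable(PRIVATE_RT, ISOLATED_RT))
```

The last two lines of output are the practical check: the same private route table is fine when the NAT Gateway lives in the public subnet and useless when it was placed in a subnet with no route to the Internet Gateway.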
NACL & Security Groups:
- A NACL (Network Access Control List) is like a firewall for a subnet.
- One NACL is assigned to one subnet; a new subnet is assigned the default NACL.
- NACLs are Stateless and Security Groups are Stateful.
What exactly Stateless and Stateful mean is explained in the below diagram:
Let me explain for the Incoming Request:
- The request reaches the NACL, which checks its inbound rules; if they allow it, it passes through.
- The request is checked against the SG inbound rules; if they allow it, it passes through.
- The response passes through the SG without a rule check (because it is Stateful: if the inbound request is allowed, the outbound response is also allowed).
- The response is checked against the NACL outbound rules, and based on those the NACL allows the response back or not.
Similarly for the Outgoing Request, the above diagram is self-explanatory.
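The four steps just described, together with the security group table from the CIDR example earlier, can be modelled in a few dozen lines. This is an added example (not code from the original notes or from AWS): a stateless NACL with numbered first-match rules and an implicit deny, a stateful Security Group with allow-only rules and a connection table, and a trace of an incoming request through both. The rules and addresses are constructed for illustration; the NACL deliberately comes in two versions, one with and one without the outbound rule for ephemeral ports, to show what "stateless" costs you in practice.

```python
# Added example (not from the original notes): a small model of how a request
# traverses a NACL (stateless) and a Security Group (stateful). All rules and
# addresses below are constructed for illustration.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reply(self):
        """The response packet of this request: addresses and ports swapped."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


def _matches(pkt, direction, proto, ports, cidr):
    """Shared matcher: the peer address is the source for inbound, destination for outbound."""
    peer = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    proto_ok = proto == "all" or proto == pkt.proto
    port_ok = ports == "all" or ports[0] <= pkt.dst_port <= ports[1]
    return proto_ok and port_ok and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr)


class Nacl:
    """Stateless subnet firewall: numbered rules evaluated lowest-first, first match
    wins, implicit deny. A response is checked against the outbound rules like any
    other packet, so an outbound allow for the ephemeral port range is required."""
    def __init__(self, rules):
        # rules: (number, direction, proto, (low, high) | "all", cidr, "allow" | "deny")
        self.rules = sorted(rules, key=lambda r: r[0])

    def allows(self, pkt, direction):
        for _num, d, proto, ports, cidr, action in self.rules:
            if d == direction and _matches(pkt, direction, proto, ports, cidr):
                return action == "allow"
        return False  # the trailing "*" deny rule


class SecurityGroup:
    """Stateful instance firewall: allow-only rules plus a connection table, so the
    reply to an allowed request is permitted regardless of rules in the other direction."""
    def __init__(self, rules):
        # rules: (direction, proto, (low, high) | "all", cidr)
        self.rules = rules
        self.flows = set()

    def allows(self, pkt, direction):
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.flows:      # return traffic of a tracked flow
            return True
        for d, proto, ports, cidr in self.rules:
            if d == direction and _matches(pkt, direction, proto, ports, cidr):
                self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
                return True
        return False


def trace_inbound_request(nacl, sg, request):
    """Walk the four checks for an incoming request, stopping at the first deny.
    Returns (answered, [(stage, verdict), ...])."""
    reply = request.reply()
    stages = [("NACL inbound", lambda: nacl.allows(request, "inbound")),
              ("SG inbound", lambda: sg.allows(request, "inbound")),
              ("SG outbound (response)", lambda: sg.allows(reply, "outbound")),
              ("NACL outbound (response)", lambda: nacl.allows(reply, "outbound"))]
    trace = []
    for name, check in stages:
        ok = check()
        trace.append((name, "allow" if ok else "deny"))
        if not ok:
            return False, trace
    return True, trace


# Security group from the table in the notes (constructed example values).
WEB_SG_RULES = [("inbound", "tcp", (443, 443), "175.55.0.0/28"),
                ("inbound", "tcp", (22, 22), "189.98.9.3/32"),
                ("outbound", "all", "all", "0.0.0.0/0")]
# A NACL that allows 443/22 in and, because it is stateless, the ephemeral port range out.
GOOD_NACL_RULES = [(100, "inbound", "tcp", (443, 443), "0.0.0.0/0", "allow"),
                   (110, "inbound", "tcp", (22, 22), "0.0.0.0/0", "allow"),
                   (100, "outbound", "tcp", (1024, 65535), "0.0.0.0/0", "allow")]
# Same NACL with the outbound rule forgotten: requests arrive but replies are dropped.
BROKEN_NACL_RULES = GOOD_NACL_RULES[:2]


def demo():
    https = Packet("175.55.0.5", 51000, "10.0.1.10", 443)
    ssh = Packet("175.55.0.5", 51001, "10.0.1.10", 22)
    return {
        "https_good": trace_inbound_request(Nacl(GOOD_NACL_RULES), SecurityGroup(WEB_SG_RULES), https),
        "ssh_wrong_source": trace_inbound_request(Nacl(GOOD_NACL_RULES), SecurityGroup(WEB_SG_RULES), ssh),
        "https_stateless_nacl": trace_inbound_request(Nacl(BROKEN_NACL_RULES), SecurityGroup(WEB_SG_RULES), https),
    }


if __name__ == "__main__":
    for name, (ok, trace) in demo().items():
        print(name, "->", "answered" if ok else "dropped", trace)
```

The third scenario is the one people hit in practice: every inbound rule is right, the security group lets the response out on its own, and the NACL still drops it because no outbound rule covers the client's ephemeral port.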
VPC Peering:
- Privately connect 2 VPCs using AWS's network.
- You must update the Route Tables of each VPC's subnets to ensure communication among the resources in the VPCs.
- You can peer VPCs from different accounts or regions.
VPC Endpoint:
- It is powered by AWS PrivateLink. It helps in connecting your VPC with other AWS services (like S3 buckets, DynamoDB, etc.) using a private network instead of the public Internet.
The whole idea is that all AWS services are publicly accessible, i.e., they are reached through the public network (so, if you want to access those AWS services from a VPC, you need the help of an Internet Gateway or NAT Gateway). But if you want to access them through a private network, you can use a VPC Endpoint.
- They are redundant and scale horizontally.
- They remove the need for an Internet Gateway or NAT Gateway (why? because you are not going to use the public Internet).
Types of VPC Endpoint:
1. Interface endpoint:
- Supports most of the services.
- Provisions an ENI (private IP address).
- Powered by AWS PrivateLink.
- It is not free.
- To use this you have to provision an ENI and a Security Group.
2. Gateway endpoint:
- Supports only DynamoDB and S3.
- It is free.
- To use this you only have to configure the Route Table, so this is the preferred option.
Site-to-Site VPN:
It is required to connect your AWS VPC to an on-premises data center. This is an encrypted connection, although it goes through the public Internet only (compare it with DX).
So it needs 2 things: a Virtual Private Gateway (on the AWS VPC side) and a Customer Gateway (on the on-premises data center side). Next, you have to set up a static, Internet-routable IP address for the customer gateway's external interface.
In the red circle of the below diagram you can see a site-to-site VPN connection:
Direct Connect (DX):
- It provides a dedicated private link between your VPC and your on-premises data center (unlike site-to-site VPN, which goes through the public Internet).
- Expensive compared to site-to-site VPN.
- The prerequisite is that you have to set up a Virtual Private Gateway on your VPC.
- Using the same link you can access public resources (S3) and private resources (EC2).
- If your DX connection fails, you can use site-to-site VPN as a backup.
Direct Connect Gateway:
- For setting up connections between VPCs present in the same or different regions for the same AWS account.
Transit Gateway:
If you look at a network topology in AWS, like the below diagram, it can be very complicated:
To avoid that we use a Transit Gateway:
- Regional resource; it can work cross-region, for which you peer it with other Transit Gateways.
- Required for having transitive peering between thousands of VPCs and on-premises data centers, in a hub-and-spoke (star) connection.
- Supports IP Multicast (this is not provided by any other AWS service).
- It creates multiple tunnels while connecting to a site-to-site VPN, which increases the throughput.
- Can work with VPN connections and Direct Connect Gateway.
The below diagram depicts how you can use a Transit Gateway to connect multiple VPCs present in multiple AWS accounts to an on-premises data center:
AWS Network Firewall:
- It protects your entire VPC on AWS.
- It can inspect network traffic in any direction for the below:
- VPC to VPC
- VPC to Internet
- Internet to VPC
- To/from Direct Connect & Site-to-Site VPN.
- It protects from Layer 3 to Layer 7.
- Can act like an Intrusion Prevention System (like Gateway Load Balancer).