# Amazon VPC
> Introduction to AWS VPC

- toc: true 
- comments: true
- author: Ankush Agarwal
- categories: [aws,vpc]

### Amazon Virtual Private Cloud (Amazon VPC)

Amazon VPC is the networking layer for Amazon Elastic Compute Cloud (Amazon EC2), and it allows you to build your own virtual network within AWS. You control various aspects of your Amazon VPC, including selecting your own IP address range; creating your own subnets; and configuring your own route tables, network gateways, and security settings. Within a region, you can create multiple Amazon VPCs, and each Amazon VPC is logically isolated even if it shares its IP address space.

When you create an Amazon VPC, you must specify the IPv4 address range by choosing a Classless Inter-Domain Routing (CIDR) block, such as 10.0.0.0/16. The address range of the Amazon VPC cannot be changed after the Amazon VPC is created. An Amazon VPC address range may be as large as /16 (65,536 available addresses) or as small as /28 (16 available addresses), and it should not overlap any other network with which it is to be connected.

An Amazon VPC consists of the following components:

- Subnets
- Route tables
- Dynamic Host Configuration Protocol (DHCP) option sets
- Security groups
- Network Access Control Lists (ACLs)

An Amazon VPC has the following optional components:

- Internet Gateways (IGWs)
- Elastic IP (EIP) addresses
- Elastic Network Interfaces (ENIs)
- Endpoints
- Peering
- Network Address Translation (NAT) instances and NAT gateways
- Virtual Private Gateway (VPG), Customer Gateways (CGWs), and Virtual Private Networks (VPNs)

#### Subnets
A subnet is a segment of an Amazon VPC’s IP address range where you can launch Amazon EC2 instances, Amazon Relational Database Service (Amazon RDS) databases, and other AWS resources. AWS reserves the first four IP addresses and the last IP address of every subnet for internal networking purposes. After creating an Amazon VPC, you can add one or more subnets in each Availability Zone. Subnets reside within one Availability Zone and cannot span zones. You can, however, have multiple subnets in one Availability Zone.
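The CIDR rules above (a /16 to /28 block, no overlap with any network the VPC will connect to, and five addresses reserved per subnet) are easy to check before the block is created, which matters because it cannot be changed afterwards. The following planning helper is an added example, not code from the original post; the sample VPC and peer networks it uses are constructed.

```python
import ipaddress

VPC_LARGEST_PREFIX = 16      # /16: 65,536 addresses, the largest VPC block allowed
VPC_SMALLEST_PREFIX = 28     # /28: 16 addresses, the smallest VPC block allowed
AWS_RESERVED_PER_SUBNET = 5  # the first four addresses and the last one of every subnet

def validate_vpc_cidr(cidr, connected_networks=()):
    """Return the list of problems with a proposed VPC block (empty list means OK).

    connected_networks: CIDRs this VPC will be connected to (peered VPCs,
    the corporate network behind a VPN); any overlap is reported.
    """
    problems = []
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return [f"{cidr}: the VPC block must be an IPv4 CIDR"]
    if str(net) != cidr:
        problems.append(f"{cidr}: not aligned to its prefix, did you mean {net}?")
    if not VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX:
        problems.append(f"{cidr}: prefix must be between /16 and /28")
    for other in connected_networks:
        if net.overlaps(ipaddress.ip_network(other, strict=False)):
            problems.append(f"{cidr}: overlaps connected network {other}")
    return problems  # the block cannot be changed later, so fix these before creating it

def usable_addresses(subnet_cidr):
    """Addresses you can actually assign in a subnet after AWS's reservation."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET

def carve_subnets(vpc_cidr, subnet_prefix):
    """Split the VPC block into equal subnets, e.g. one per Availability Zone and tier."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [str(s) for s in vpc.subnets(new_prefix=subnet_prefix)]

if __name__ == "__main__":
    # Constructed plan: a /16 VPC that will peer with a second VPC and connect to a corporate LAN
    print(validate_vpc_cidr("10.0.0.0/16", ["10.1.0.0/16", "192.168.0.0/16"]))
    print(validate_vpc_cidr("10.0.0.0/16", ["10.0.5.0/24"]))  # overlap reported
    for subnet in carve_subnets("10.0.0.0/16", 24)[:3]:
        print(subnet, usable_addresses(subnet), "usable addresses")
```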
    
Subnets can be classified as public, private, or VPN-only:

- A public subnet is one in which the associated route table (discussed later) directs the subnet’s traffic to the Amazon VPC’s IGW (also discussed later).
- A private subnet is one in which the associated route table does not direct the subnet’s traffic to the Amazon VPC’s IGW.
- A VPN-only subnet is one in which the associated route table directs the subnet’s traffic to the Amazon VPC’s VPG (discussed later) and does not have a route to the IGW.

#### Route Tables
A route table is a logical construct within an Amazon VPC that contains a set of rules (called routes) that are applied to the subnet and used to determine where network traffic is directed. A route table’s routes are what permit Amazon EC2 instances within different subnets within an Amazon VPC to communicate with each other. You can also use route tables to specify which subnets are public (by directing Internet traffic to the IGW) and which subnets are private (by not having a route that directs traffic to the IGW). Each subnet must be associated with a route table, which controls the routing for the subnet. If you don’t explicitly associate a subnet with a particular route table, the subnet uses the main route table.

#### Internet Gateways
An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available Amazon VPC component that allows communication between instances in your Amazon VPC and the Internet. An IGW provides a target in your Amazon VPC route tables for Internet-routable traffic, and it performs network address translation for instances that have been assigned public IP addresses.

#### Dynamic Host Configuration Protocol (DHCP) Option Sets
Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains the configuration parameters.

#### Elastic IP Addresses (EIPs)
AWS maintains a pool of public IP addresses in each region and makes them available for you to associate to resources within your Amazon VPCs. An Elastic IP Address (EIP) is a static, public IP address in the pool for the region that you can allocate to your account (pull from the pool) and release (return to the pool). EIPs allow you to maintain a set of IP addresses that remain fixed while the underlying infrastructure may change over time.

#### Elastic Network Interfaces (ENIs)
An Elastic Network Interface (ENI) is a virtual network interface that you can attach to an instance in an Amazon VPC. ENIs are only available within an Amazon VPC, and they are associated with a subnet upon creation. They can have one public IP address and multiple private IP addresses.

#### Endpoints
An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, VPN connection, or AWS Direct Connect. You can create multiple endpoints for a single service, and you can use different route tables to enforce different access policies from different subnets to the same service. Amazon VPC endpoints currently support communication with Amazon Simple Storage Service (Amazon S3).

#### Peering
An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are within the same network. You can create an Amazon VPC peering connection between your own Amazon VPCs or with an Amazon VPC in another AWS account within a single region. A peering connection is neither a gateway nor an Amazon VPN connection and does not introduce a single point of failure for communication. Peering connections do not support transitive routing.

#### Security Groups
A security group is a virtual stateful firewall that controls inbound and outbound network traffic to AWS resources and Amazon EC2 instances. All Amazon EC2 instances must be launched into a security group. If a security group is not specified at launch, then the instance will be launched into the default security group for the Amazon VPC. The default security group allows communication between all resources within the security group, allows all outbound traffic, and denies all other traffic.

- You can create up to 500 security groups for each Amazon VPC.
- You can add up to 50 inbound and 50 outbound rules to each security group.
- You can specify allow rules, but not deny rules. This is an important difference between security groups and ACLs.
- You can specify separate rules for inbound and outbound traffic.
- Security groups are stateful. This means that responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules and vice versa. This is an important difference between security groups and network ACLs.
- Instances associated with the same security group can’t talk to each other unless you add rules allowing it (with the exception being the default security group).

#### Network Access Control Lists (ACLs)
A network access control list (ACL) is another layer of security that acts as a stateless firewall on a subnet level. A network ACL is a numbered list of rules that AWS evaluates in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL. Amazon VPCs are created with a modifiable default network ACL associated with every subnet that allows all inbound and outbound traffic. When you create a custom network ACL, its initial configuration will deny all inbound and outbound traffic until you create rules that allow otherwise.
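The two differences called out in the Security Groups and Network ACLs sections (allow-only and stateful versus numbered, first-match and stateless) are easiest to see by running the same request and reply through a model of each. The simulator below is an added example, not AWS code or code from the original post; the flow it evaluates (an HTTPS request from 203.0.113.10 and its reply to the client's port 51234) is constructed.

```python
import ipaddress

def _match(rule_dir, rule_proto, rule_ports, rule_cidr, pkt):
    return (rule_dir == pkt["dir"] and rule_proto in ("all", pkt["proto"])
            and rule_ports[0] <= pkt["port"] <= rule_ports[1]      # destination port range
            and ipaddress.ip_address(pkt["peer"]) in ipaddress.ip_network(rule_cidr))

class SecurityGroup:  # instance level, stateful, allow rules only: (dir, proto, (lo, hi), cidr)
    def __init__(self, rules):
        self.rules = rules
        self.state = set()              # flows already admitted by some rule
    def check(self, pkt):
        if pkt["flow"] in self.state:   # reply of an allowed flow: no rule lookup at all
            return True
        for rule in self.rules:
            if _match(*rule, pkt):
                self.state.add(pkt["flow"])
                return True
        return False                    # unmatched traffic is dropped; deny rules do not exist

class NetworkACL:  # subnet level, stateless, numbered: (number, dir, proto, (lo, hi), cidr, action)
    def __init__(self, rules):
        self.rules = sorted(rules)      # AWS evaluates the lowest rule number first
    def check(self, pkt):
        for _number, *rule, action in self.rules:
            if _match(*rule, pkt):
                return action == "allow"   # first match decides; later rules are ignored
        return False                       # the implicit deny-all rule at the end

# Constructed sample: an HTTPS request from 203.0.113.10 to an instance, and its reply.
FLOW = ("203.0.113.10", 51234, "10.0.1.20", 443)
REQUEST = {"dir": "in", "proto": "tcp", "port": 443, "peer": "203.0.113.10", "flow": FLOW}
REPLY = {"dir": "out", "proto": "tcp", "port": 51234, "peer": "203.0.113.10", "flow": FLOW}

def sg_round_trip():
    sg = SecurityGroup([("in", "tcp", (443, 443), "0.0.0.0/0")])  # no outbound rules at all
    return sg.check(REQUEST), sg.check(REPLY)

def nacl_round_trip(with_reply_rule):
    rules = [(100, "in", "tcp", (443, 443), "0.0.0.0/0", "allow"),
             (100, "out", "tcp", (443, 443), "0.0.0.0/0", "allow")]
    if with_reply_rule:  # stateless: the reply needs its own outbound rule for the client's port
        rules.append((110, "out", "tcp", (1024, 65535), "0.0.0.0/0", "allow"))
    acl = NetworkACL(rules)
    return acl.check(REQUEST), acl.check(REPLY)

def nacl_order_matters(deny_number, allow_number):
    acl = NetworkACL([(deny_number, "in", "tcp", (0, 65535), "203.0.113.0/24", "deny"),
                      (allow_number, "in", "tcp", (443, 443), "0.0.0.0/0", "allow")])
    return acl.check(REQUEST)
```

`nacl_order_matters` shows why rule numbering is a security control: the same deny rule blocks the client when it carries the lower number and is never reached when the broad allow sits in front of it.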

#### Network Address Translation (NAT) Instances and NAT Gateways
If the instances within private subnets need direct access to the Internet from the Amazon VPC in order to apply security updates, download patches, or update application software, AWS provides NAT instances and NAT gateways to allow instances deployed in private subnets to gain Internet access. For common use cases, we recommend that you use a NAT gateway instead of a NAT instance. The NAT gateway provides better availability and higher bandwidth, and requires less administrative effort than NAT instances.

##### NAT Instance

A network address translation (NAT) instance is an Amazon Linux Amazon Machine Image (AMI) that is designed to accept traffic from instances within a private subnet, translate the source IP address to the public IP address of the NAT instance, and forward the traffic to the IGW.

1. Create a security group for the NAT with outbound rules that specify the needed Internet resources by port, protocol, and IP address.
2. Launch an Amazon Linux NAT AMI as an instance in a public subnet and associate it with the NAT security group.
3. Disable the Source/Destination Check attribute of the NAT.
4. Configure the route table associated with a private subnet to direct Internet-bound traffic to the NAT instance (for example, i-1a2b3c4d).
5. Allocate an EIP and associate it with the NAT instance.

##### NAT Gateway

1. Configure the route table associated with the private subnet to direct Internet-bound traffic to the NAT gateway (for example, nat-1a2b3c4d).
2. Allocate an EIP and associate it with the NAT gateway.
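The Subnets, Route Tables and NAT sections together define how a subnet's exposure is read off its route table: the explicitly associated table (or the main table when there is none) is consulted with longest-prefix match, and the target of the Internet-bound route decides whether the subnet is public (IGW), VPN-only (VPG), or private with or without NAT egress. The audit below is an added example, not code from the original post; the route tables and subnet ids are constructed placeholders, and it assumes the usual AWS id prefixes igw-, nat-, vgw- and i- for the respective targets.

```python
import ipaddress

# Constructed sample route tables; all ids are placeholders, not real AWS resources.
ROUTE_TABLES = [
    {"id": "rtb-main", "main": True, "associations": [],
     "routes": [("10.0.0.0/16", "local")]},
    {"id": "rtb-public", "main": False, "associations": ["subnet-web"],
     "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-1a2b3c4d")]},
    {"id": "rtb-app", "main": False, "associations": ["subnet-app"],
     "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-1a2b3c4d")]},
    {"id": "rtb-mgmt", "main": False, "associations": ["subnet-mgmt"],
     "routes": [("10.0.0.0/16", "local"), ("192.168.0.0/16", "vgw-1a2b3c4d"),
                ("0.0.0.0/0", "vgw-1a2b3c4d")]},
]

def lookup_route(route_table, destination):
    """Longest-prefix match: the most specific route that covers the destination wins."""
    dest = ipaddress.ip_address(destination)
    best = None
    for cidr, target in route_table["routes"]:
        net = ipaddress.ip_network(cidr)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def route_table_for(subnet_id, route_tables):
    """An explicitly associated table wins; otherwise the subnet uses the main route table."""
    for rt in route_tables:
        if subnet_id in rt["associations"]:
            return rt
    return next(rt for rt in route_tables if rt["main"])

def classify_subnet(subnet_id, route_tables, internet_probe="198.51.100.1"):
    """Public, private or VPN-only, decided by where an Internet-bound packet is routed."""
    target = lookup_route(route_table_for(subnet_id, route_tables), internet_probe)
    if target is None or target == "local":
        return "private (no Internet route)"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("vgw-"):
        return "vpn-only"
    if target.startswith(("nat-", "i-")):   # NAT gateway or NAT instance as the default route
        return "private (egress via NAT)"
    return f"unknown target {target}"

if __name__ == "__main__":
    for subnet in ["subnet-web", "subnet-app", "subnet-mgmt", "subnet-db"]:
        print(f"{subnet:12} {classify_subnet(subnet, ROUTE_TABLES)}")
```

subnet-db has no explicit association, so it falls back to the main route table, which is exactly the case that turns a forgotten subnet public if someone later adds an IGW route to the main table.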

#### Virtual Private Gateways (VPGs), Customer Gateways (CGWs), and Virtual Private Networks (VPNs)
A virtual private gateway (VPG) is the virtual private network (VPN) concentrator on the AWS side of the VPN connection between the two networks. A customer gateway (CGW) represents a physical device or a software application on the customer’s side of the VPN connection. After these two elements of an Amazon VPC have been created, the last step is to create a VPN tunnel. The VPN tunnel is established after traffic is generated from the customer’s side of the VPN connection.

If you will be using static routing, you must enter the routes for your network that should be communicated to the VPG. Routes will be propagated to the Amazon VPC to allow your resources to route network traffic back to the corporate network through the VPG and across the VPN tunnel.