[AWS] Amazon Virtual Private Cloud VPC

“The present is theirs; the future, for which I really worked, is mine.” -Nikola Tesla

The Amazon Virtual Private Cloud (Amazon VPC) is a custom-defined virtual network within the AWS Cloud. Amazon VPC enables you to launch AWS resources into a virtual network that you’ve defined.

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC. You can specify an IP address range for the VPC, add subnets, associate security groups, and configure route tables.

This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.


Secure Amazon VPC provides advanced security features, such as security groups and network access control lists, to enable inbound and outbound filtering at the instance level and subnet level. In addition, you can store data in Amazon S3 and restrict access so that it’s only accessible from instances in your VPC. Optionally, you can also choose to launch Dedicated Instances which run on hardware dedicated to a single customer for additional isolation.

Simple You can create a VPC quickly and easily using the AWS Management Console. You can select one of the common network setups that best match your needs and press “Start VPC Wizard.” Subnets, IP ranges, route tables, and security groups are automatically created for you so you can concentrate on creating the applications to run in your VPC.

All the Scalability and Reliability of AWS Amazon VPC provides all of the same benefits as the rest of the AWS platform. You can instantly scale your resources up or down, select Amazon EC2 instances types and sizes that are right for your applications, and pay only for the resources you use - all within Amazon’s proven infrastructure.

Amazon VPC Fundamentals

When you create an Amazon VPC, you must specify the IPv4 address range by choosing a Classless Inter-Domain Routing (CIDR) block, such as

The address range of the Amazon VPC cannot be changed after the Amazon VPC is created.

An Amazon VPC address range may be as large as /16 (65,536 available addresses) or as small as /28 (16 available addresses) and should not overlap any other network with which they are to be connected.

AWS accounts that support EC2-VPC will have a default VPC created in each region with a default subnet created in each Availability Zone. The assigned CIDR block of the VPC will be

An Amazon VPC consists of the following components:

An Amazon VPC has the following optional components:


A subnet is a segment of an Amazon VPC’s IP address range where you can launch Amazon EC2 instances, Amazon Relational Database Service (Amazon RDS) databases, and other AWS resources. CIDR blocks define subnets (for example, and

The smallest subnet that you can create is a /28 (16 IP addresses).

AWS reserves the first four IP addresses and the last IP address of every subnet for internal networking purposes. For example, a subnet defined as a /28 has 16 available IP addresses; subtract the 5 IPs needed by AWS to yield 11 IP addresses for your use within the subnet.

After creating an Amazon VPC, you can add one or more subnets in each Availability Zone.

Subnets reside within one Availability Zone and cannot span zones.

One subnet can have one Availability Zone. One Availability Zone can have multiple subnets.

Subnets can be classified as public, private, or VPN-only

A public subnet is one in which the associated route table directs the subnet’s traffic to the Amazon VPC’s IGW. Has attached an Internet Gateway (IGW)

A private subnet is one in which the associated route table does not direct the subnet’s traffic to the Amazon VPC’s IGW. Doesn’t have attached an Internet Gateway (IGW)

A VPN-only subnet is one in which the associated route table directs the subnet’s traffic to the Amazon VPC’s VPG and does not have a route to the IGW.

Regardless of the type of subnet, the internal IP address range of the subnet is always private (that is, non-routable on the Internet).

Default Amazon VPCs contain one public subnet in every Availability Zone within the region, with a netmask of /20.

Route Tables

A route table is a logical construct within an Amazon VPC that contains a set of rules (called routes) that are applied to the subnet and used to determine where network traffic is directed. A route table’s routes are what permit Amazon EC2 instances within different subnets within an Amazon VPC to communicate with each other.

Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet.

A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.

Each route table contains a default route called the local route, which enables communication within the Amazon VPC, and this route cannot be modified or removed.

Additional routes can be added to direct traffic to exit the Amazon VPC via the IGW, the VPG, or the NAT instance.

An VPC has an implicit router.

An VPC automatically comes with a main route table that you can modify.

Additional custom route tables can be created for your VPC.

Each subnet must be associated with a route table, which controls the routing for the subnet. If you don’t explicitly associate a subnet with a particular route table, the subnet uses the main route table.

You can replace the main route table with a custom table that you’ve created so that each new subnet is automatically associated with it.

Each route in a table specifies a destination CIDR and a target; for example, traffic destined for is targeted for the VPG. AWS uses the most specific route that matches the traffic to determine how to route the traffic.

CIDR blocks for IPv4 and IPv6 are treated separately. For example, a route with a destination CIDR of (all IPv4 addresses) does not automatically include all IPv6 addresses. You must create a route with a destination CIDR of ::/0 for all IPv6 addresses.

Every route table contains a local route for communication within the VPC over IPv4. If your VPC has more than one IPv4 CIDR block, your route tables contain a local route for each IPv4 CIDR block. If you’ve associated an IPv6 CIDR block with your VPC, your route tables contain a local route for the IPv6 CIDR block. You cannot modify or delete these routes.

When you add an Internet gateway, an egress-only Internet gateway, a virtual private gateway, a NAT device, a peering connection, or a VPC endpoint in your VPC, you must update the route table for any subnet that uses these gateways or connections.

There is a limit on the number of route tables you can create per VPC, and the number of routes you can add per route table. For more information, see Amazon VPC Limits

Internet Gateway (IGW)

An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available Amazon VPC component that allows communication between instances in your Amazon VPC and the Internet.

An IGW provides a target in your Amazon VPC route tables for Internet-routable traffic, and it performs network address translation for instances that have been assigned public IP addresses.

An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

An internet gateway supports IPv4 and IPv6 traffic.

Amazon EC2 instances within an Amazon VPC are only aware of their private IP addresses.

When traffic is sent from the instance to the Internet, the IGW translates the reply address to the instance’s public IP address (or EIP address) and maintains the one-to-one map of the instance private IP address and public IP address.

When an instance receives traffic from the Internet, the IGW translates the destination address (public IP address) to the instance’s private IP address and forwards the traffic to the Amazon VPC.

To enable access to or from the internet for instances in a VPC subnet, you must do the following:

You can scope the route to all destinations not explicitly known to the route table (, or you can scope the route to a narrower range of IP addresses, such as the public IP addresses of your company’s public endpoints outside of AWS or the EIP addresses of other Amazon EC2 instances outside your Amazon VPC.

Dynamic Host Configuration Protocol (DHCP) Option Sets

Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains the configuration parameters. Some of those parameters are the domain name, domain name server, and the netbios-node-type.

AWS automatically creates and associates a DHCP option set for your Amazon VPC upon creation and sets two options: domain-name-servers (defaulted to AmazonProvidedDNS) and domain-name (defaulted to the domain name for your region).

AmazonProvidedDNS is an Amazon Domain Name System (DNS) server, and this option enables DNS for instances thatneed to communicate over the Amazon VPC’s IGW.

The DHCP option sets element of an Amazon VPC allows you to direct Amazon EC2 host name assignments to your own resources. To assign your own domain name to your instances, create a custom DHCP option set and assign it to your Amazon VPC.

You can configure the following values within a DHCP option set:

Every Amazon VPC must have only one DHCP option set assigned to it.

Elastic IP Addresses (EIPs)

AWS maintains a pool of public IP addresses in each region and makes them available for you to associate to resources within your Amazon VPCs.

An Elastic IP Addresses (EIP) is a static, public IP address in the pool for the region that you can allocate to your account (pull from the pool) and release (return to the pool).

EIPs allow you to maintain a set of IP addresses that remain fixed while the underlying infrastructure may change over time.

Here are the important points to understand about EIPs:

The following are the basic characteristics of an Elastic IP address:

Elastic Network Interfaces (ENIs)

An elastic network interface is a logical networking component in a VPC that represents a virtual network card.

An Elastic Network Interface (ENI) is a virtual network interface that you can attach to an instance in an Amazon VPC.

ENIs are only available within an Amazon VPC, and they are associated with a subnet upon creation.

They can have one public IP address and multiple private IP addresses. If there are multiple private IP addresses, one of them is primary.

Assigning a second network interface to an instance via an ENI allows it to be dual-homed (have network presence in different subnets).

An ENI created independently of a particular instance persists regardless of the lifetime of any instance to which it is attached; if an underlying instance fails, the IP address may be preserved by attaching the ENI to a replacement instance.

ENIs allow you to create a management network, use network and security appliances in your Amazon VPC, create dual-homed instances with workloads/roles on distinct subnets, or create a low-budget, high-availability solution.

A network interface can include the following attributes:


An Amazon VPC endpoint enables you to create a private connection between your Amazon VPC and another AWS service without requiring access over the Internet or through a NAT instance, VPN connection, or AWS Direct Connect. You can create multiple endpoints for a single service, and you can use different route tables to enforce different access policies from different subnets to the same service.

Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.

There are two types of VPC endpoints: interface endpoints and gateway endpoints. Create the type of VPC endpoint required by the supported service.

Interface Endpoints (Powered by AWS PrivateLink)

An interface endpoint is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported service. The following services are supported:

Gateway Endpoints

A gateway endpoint is a gateway that is a target for a specified route in your route table, used for traffic destined to a supported AWS service. The following AWS services are supported:

You must do the following to create an Amazon VPC endpoint:


An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are within the same network. You can create an Amazon VPC peering connection between your own Amazon VPCs or with an Amazon VPC in another AWS account within a single region.

A VPC peering connection helps you to facilitate the transfer of data. For example, if you have more than one AWS account, you can peer the VPCs across those accounts to create a file sharing network. You can also use a VPC peering connection to allow other VPCs to access resources you have in one of your VPCs.

A peering connection is neither a gateway nor an Amazon VPN connection and does not introduce a single point of failure for communication.

Peering connections are created through a request/accept protocol. The owner of the requesting Amazon VPC sends a request to peer to the owner of the peer Amazon VPC. If the peer Amazon VPC is within the same account, it is identified by its VPC ID. If the peer VPC is within a different account, it is identified by Account ID and VPC ID.

The owner of the peer Amazon VPC has one week to accept or reject the request to peer with the requesting Amazon VPC before the peering request expires.

An Amazon VPC may have multiple peering connections, and peering is a one-to-one relationship between Amazon VPCs, meaning two Amazon VPCs cannot have two peering agreements between them. Also, peering connections do not support transitive routing.

Here are the important points to understand about peering:

Security Groups

A security group is a virtual stateful firewall that controls inbound and outbound network traffic to AWS resources and Amazon EC2 instances.

A security group acts as a virtual firewall that controls the traffic for one or more instances.

All Amazon EC2 instances must be launched into a security group.

If a security group is not specified at launch, then the instance will be launched into the default security group for the Amazon VPC.

The default security group allows communication between all resources within the security group, allows all outbound traffic, and denies all other traffic.

For each security group, you add rules that control the inbound traffic to instances and a separate set of rules that control the outbound traffic.

The rules of a security group control the inbound traffic that’s allowed to reach the instances that are associated with the security group and the outbound traffic that’s allowed to leave them.

You may change the rules for the default security group, but you may not delete the default security group.

You can add rules to each security group that allow traffic to or from its associated instances.

You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.

Here are the important points to understand about security groups:

Network Access Control Lists (ACLs)

A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. For more information about the differences between security groups and network ACLs, see Comparison of Security Groups and Network ACLs.

A network access control list (ACL) is another layer of security that acts as a stateless firewall on a subnet level.

A network ACL is a numbered list of rules that AWS evaluates in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL.

Amazon VPCs are created with a modifiable default network ACL associated with every subnet that allows all inbound and outbound traffic.

When you create a custom network ACL, its initial configuration will deny all inbound and outbound traffic until you create rules that allow otherwise.

You may set up network ACLs with rules similar to your security groups in order to add a layer of security to your Amazon VPC, or you may choose to use the default network ACL that does not filter traffic traversing the subnet boundary. Overall, every subnet must be associated with a network ACL.

The following are the basic things that you need to know about network ACLs:

Network Address Translation (NAT) Instances and NAT Gateways

By default, any instance that you launch into a private subnet in an Amazon VPC is not able to communicate with the Internet through the IGW. This is problematic if the instances within private subnets need direct access to the Internet from the Amazon VPC in order to apply security updates, download patches, or update application software. AWS provides NAT instances and NAT gateways to allow instances deployed in private subnets to gain Internet access. For common use cases, we recommend that you use a NAT gateway instead of a NAT instance. The NAT gateway provides better availability and higher bandwidth, and requires less administrative effort than NAT instances.

NAT Instance

A network address translation (NAT) instance is an Amazon Linux Amazon Machine Image (AMI) that is designed to accept traffic from instances within a private subnet, translate the source IP address to the public IP address of the NAT instance, and forward the traffic to the IGW. In addition, the NAT instance maintains the state of the forwarded traffic in order to return response traffic from the Internet to the proper instance in the private subnet. These instances have the string amzn-ami-vpc-nat in their names, which is searchable in the Amazon EC2 console.

To allow instances within a private subnet to access Internet resources through the IGW via a NAT instance, you must do the following:

This configuration allows instances in private subnets to send outbound Internet communication, but it prevents the instances from receiving inbound traffic initiated by someone on the Internet.

NAT Gateway

A NAT gateway is an Amazon managed resource that is designed to operate just like a NAT instance, but it is simpler to manage and highly available within an Availability Zone.

To allow instances within a private subnet to access Internet resources through the IGW via a NAT gateway, you must do the following:

Like a NAT instance, this managed service allows outbound Internet communication and prevents the instances from receiving inbound traffic initiated by someone on the Internet.

Virtual Private Gateways (VPGs), Customer Gateways (CGWs), and Virtual Private Networks (VPNs)

You can connect an existing data center to Amazon VPC using either hardware or software VPN connections, which will make Amazon VPC an extension of the data center.

Amazon VPC offers two ways to connect a corporate network to a VPC: VPG and CGW.

A virtual private gateway (VPG) is the virtual private network (VPN) concentrator on the AWS side of the VPN connection between the two networks.

A customer gateway (CGW) represents a physical device or a software application on the customer’s side of the VPN connection.

After these two elements of an Amazon VPC have been created, the last step is to create a VPN tunnel. The VPN tunnel is established after traffic is generated from the customer’s side of the VPN connection.