VPC

Amazon Virtual Private Cloud (VPC) is a service that lets you create a private, isolated section of the AWS cloud in which you launch AWS resources into a virtual network that you define. You have full control over the virtual networking environment, including the IP address range, subnet creation, route tables, and network gateways.

With VPC, you can create a private and secure network within the AWS cloud and have complete control over the network configuration. This means you can customize and define your own network topology, and choose to expose or isolate certain resources within the network. Additionally, VPC lets you connect your AWS resources to your existing data center using a VPN connection or AWS Direct Connect.

Example topology of an AWS VPC and its core components


A VPC is tied to a single AWS region and cannot extend beyond it; to reach resources in another VPC you would use, for example, VPC peering. Because a region is made up of multiple data centers, called availability zones (AZs) in AWS terms, you can create several subnets, each tied to a specific AZ, and so build failure tolerance into your workload.

When a VPC is created, a main route table is created with it. It defines the routes for traffic within the VPC and is used implicitly by every subnet that is not explicitly associated with another route table. Out of the box it contains only the local route for the VPC CIDR and nothing to or from the Internet. A second route table, commonly called the public route table, should be created to carry the Internet route and be associated with the public subnets.

Subnets are conventionally described as private or public. What makes the difference is the subnet's route table: a public subnet has a route to an Internet Gateway, a private subnet does not. Resources in a private subnet cannot be connected to directly from the Internet; you place something Internet-facing, such as a load balancer, in a public subnet and let it connect to the private resources. A public subnet is where you put resources that must be directly reachable from the Internet. Instances launched there can receive a public IPv4 address alongside their private IP address for internal connectivity, either because the subnet auto-assigns public addresses on launch or because an Elastic IP is attached to them.

Creating a public subnet does not on its own provide Internet access; for that you need an Internet Gateway (IGW). Once created it is attached to the VPC and, together with a route pointing at it, gives the public subnets Internet access. Only one IGW can be attached to a VPC. The Internet is referenced in route tables as 0.0.0.0/0, and it is not recommended to put such an open route in the main route table: any subnet created later without an explicit route table association would inherit it and become public by accident. That is one reason to keep the Internet route in a separate public route table.
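A worked layout for the route-table, subnet and IGW pattern described in the three paragraphs above, written in Terraform as an added example; it is not code from the original page. It assumes a configured AWS provider, and the variable, data source and resource names (var.vpc_cidr, aws_vpc.vpc and so on) are ours. The aws_vpc resource is repeated here only so the block stands alone.

```hcl
# Added example, not from the original page. Assumes provider "aws" is
# configured; var.vpc_cidr, aws_vpc.vpc and the other names are ours.

variable "vpc_cidr" {
  type    = string
  default = "10.0.0.0/16"
}

data "aws_availability_zones" "available" {
  state = "available"
}

resource "aws_vpc" "vpc" {
  cidr_block           = var.vpc_cidr
  enable_dns_support   = true
  enable_dns_hostnames = true
}

# A VPC can have exactly one Internet Gateway attached.
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.vpc.id
}

# One public and one private subnet per AZ. With an 8-bit extension,
# cidrsubnet("10.0.0.0/16", 8, n) yields 10.0.n.0/24.
resource "aws_subnet" "public" {
  count                   = 2
  vpc_id                  = aws_vpc.vpc.id
  cidr_block              = cidrsubnet(var.vpc_cidr, 8, count.index)
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = true # instances get a public IPv4 alongside the private one
  tags                    = { Name = "public-${count.index}" }
}

resource "aws_subnet" "private" {
  count                   = 2
  vpc_id                  = aws_vpc.vpc.id
  cidr_block              = cidrsubnet(var.vpc_cidr, 8, count.index + 10)
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = false # reachable only through something in the public subnets
  tags                    = { Name = "private-${count.index}" }
}

# The 0.0.0.0/0 route lives only in this dedicated public route table.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.vpc.id
  tags   = { Name = "public" }
}

resource "aws_route" "public_default" {
  route_table_id         = aws_route_table.public.id
  destination_cidr_block = "0.0.0.0/0"
  gateway_id             = aws_internet_gateway.igw.id
}

resource "aws_route_table_association" "public" {
  count          = 2
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}

# The private subnets get no explicit association, so they fall back to the
# main route table. Managing that table here pins it to the implicit local
# route: an empty route list tells Terraform to remove any other route.
resource "aws_default_route_table" "main" {
  default_route_table_id = aws_vpc.vpc.default_route_table_id
  route                  = []
  tags                   = { Name = "main-local-only" }
}
```

Run `terraform validate` and `terraform plan` against a configured provider. The point of managing aws_default_route_table explicitly is the check it gives you: a subnet added later without an association inherits a local-only main table, so nothing becomes Internet-reachable by omission, and any drift (someone adding 0.0.0.0/0 to the main table in the console) shows up in the next plan.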

Best practices

Design a well-planned network architecture: A well-designed network architecture for your VPC can help ensure the scalability, availability, and security of your resources. Consider factors like the number of resources you plan to deploy, the size of your network, and the types of applications you want to run.

Use multiple availability zones (AZs): Distributing your resources across multiple AZs can help you achieve high availability and fault tolerance. AWS VPC allows you to create subnets in different availability zones, which provides redundancy and limits the impact of a single AZ outage.

Secure your VPC: AWS VPC provides built-in traffic controls: security groups, which are stateful, attach to the network interfaces of individual resources and deny all inbound traffic unless a rule allows it, and network access control lists (ACLs), which are stateless, apply to whole subnets and are evaluated as numbered allow and deny rules. Use both to limit traffic to what your workload needs and protect your resources from unauthorized access.

Monitor your VPC: Monitoring your VPC can help you detect potential issues before they become major problems. AWS provides Amazon CloudWatch and AWS Config to monitor your VPC and track configuration changes to your resources, and VPC Flow Logs to record the accepted and rejected traffic on your network interfaces.

Use AWS VPN or AWS Direct Connect: AWS VPC provides several options for connecting your VPC to your on-premises network. AWS Site-to-Site VPN gives you an encrypted connection over the Internet; AWS Direct Connect gives you a dedicated private link, which is not encrypted by default, so run a VPN over it (or use MACsec where the connection supports it) when the data requires encryption in transit.

Use automation tools: AWS provides automation tools like AWS CloudFormation and AWS Elastic Beanstalk to manage and deploy your resources in your VPC, and third-party tools such as Terraform (used below) serve the same purpose. Using automation helps you reduce manual errors, speeds up deployments, and keeps the network configuration under version control where changes can be reviewed.
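The "Secure your VPC" and "Monitor your VPC" points above, put into Terraform as one added example; this is not code from the original page. It assumes aws_vpc.vpc, a list resource aws_subnet.public and a load-balancer security group aws_security_group.alb exist elsewhere in the configuration; every other name is ours.

```hcl
# Added example, not from the original page. Assumes aws_vpc.vpc,
# aws_subnet.public (a list) and aws_security_group.alb exist; names are ours.

# Security groups are stateful and deny inbound by default: allow only the
# served port and reference the caller's security group, not a CIDR.
resource "aws_security_group" "app" {
  name        = "app"
  description = "App tier: HTTPS from the load balancer only"
  vpc_id      = aws_vpc.vpc.id

  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id] # never 0.0.0.0/0 here
  }
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"] # outbound HTTPS only (AWS APIs, package mirrors)
  }
}

# Network ACLs are stateless and end in an implicit deny, so the ephemeral
# return ports must be allowed explicitly in both directions or the HTTPS
# flows permitted above never complete. One rule set serves both directions.
locals {
  nacl_tcp_rules = {
    "100" = [443, 443]    # HTTPS requests in / HTTPS requests out
    "110" = [1024, 65535] # replies to the above, in both directions
  }
}

resource "aws_network_acl" "public" {
  vpc_id     = aws_vpc.vpc.id
  subnet_ids = aws_subnet.public[*].id

  dynamic "ingress" {
    for_each = local.nacl_tcp_rules
    content {
      rule_no    = tonumber(ingress.key)
      protocol   = "tcp"
      action     = "allow"
      cidr_block = "0.0.0.0/0"
      from_port  = ingress.value[0]
      to_port    = ingress.value[1]
    }
  }
  dynamic "egress" {
    for_each = local.nacl_tcp_rules
    content {
      rule_no    = tonumber(egress.key)
      protocol   = "tcp"
      action     = "allow"
      cidr_block = "0.0.0.0/0"
      from_port  = egress.value[0]
      to_port    = egress.value[1]
    }
  }
}

# VPC Flow Logs: per-ENI records of accepted and rejected flows, the evidence
# you want when a security group change or an external probe is investigated.
resource "aws_cloudwatch_log_group" "flow" {
  name              = "/vpc/flow-logs"
  retention_in_days = 90
}

resource "aws_iam_role" "flow" {
  name = "vpc-flow-logs"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "vpc-flow-logs.amazonaws.com" }
    }]
  })
}

# Scoped to the one log group; the group is created above, so no CreateLogGroup.
resource "aws_iam_role_policy" "flow" {
  role = aws_iam_role.flow.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect   = "Allow"
      Action   = ["logs:CreateLogStream", "logs:PutLogEvents", "logs:DescribeLogGroups", "logs:DescribeLogStreams"]
      Resource = "${aws_cloudwatch_log_group.flow.arn}:*"
    }]
  })
}

resource "aws_flow_log" "vpc" {
  vpc_id          = aws_vpc.vpc.id
  traffic_type    = "ALL" # ACCEPT, REJECT or ALL; ALL is what an investigation needs
  log_destination = aws_cloudwatch_log_group.flow.arn
  iam_role_arn    = aws_iam_role.flow.arn
}
```

Two design choices worth noting. The security group rule references aws_security_group.alb rather than the load balancer's addresses, so it stays correct when the balancer's IPs change. The NACL deliberately carries the same two rules on ingress and egress: drop the 1024-65535 pair and `terraform apply` succeeds, but every HTTPS connection through the subnet stalls, which is the classic stateless-filter mistake.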

Terraform

cidr_block: the IPv4 CIDR block for the VPC. It can be set explicitly or derived from an IPAM pool, in which case you give the pool id and a netmask length instead.

instance_tenancy: whether instances launched in this VPC run on shared hardware ("default") or on single-tenant hardware ("dedicated"), which costs extra.

enable_dns_hostnames: when enabled, each instance launched in the VPC is assigned a private DNS hostname derived from its private IP address (and a public DNS hostname if it has a public IPv4 address).

enable_dns_support: must be enabled for enable_dns_hostnames to take effect; instances then resolve DNS names through the Amazon-provided DNS server in the VPC (the VPC network address plus two, e.g. 10.0.0.2 for 10.0.0.0/16).

locals {
  tags = {
    app = var.prefix
    env = var.environment
  }
}

resource "aws_vpc" "vpc" {
  cidr_block           = var.vpc_cidr # explicit IPv4 range, e.g. 10.0.0.0/16
  instance_tenancy     = "default"    # shared hardware; "dedicated" costs extra
  enable_dns_hostnames = true         # private DNS names for instances
  enable_dns_support   = true         # required for enable_dns_hostnames

  lifecycle {
    create_before_destroy = true # build the replacement VPC before removing the old one
  }

  tags = local.tags
}
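The IPAM-derived path mentioned under cidr_block, together with a plan-time guard on the explicit variable, as an added example; this is not code from the original page. The variable names and the IPAM pool id are assumptions, and the tags are inlined so the block stands on its own.

```hcl
# Added example, not from the original page. var.ipam_pool_id and the other
# names are assumptions.

# Explicit CIDR: reject bad input at plan time rather than at the API.
# AWS accepts VPC IPv4 CIDRs with prefix lengths from /16 to /28.
variable "vpc_cidr" {
  type        = string
  description = "IPv4 CIDR for the VPC"
  default     = "10.0.0.0/16"

  validation {
    condition     = can(cidrnetmask(var.vpc_cidr)) && can(regex("/(1[6-9]|2[0-8])$", var.vpc_cidr))
    error_message = "vpc_cidr must be a valid IPv4 CIDR with a prefix length from /16 to /28."
  }
}

# IPAM path: cidr_block is not set; IPAM allocates a free /20 from the pool.
variable "ipam_pool_id" {
  type        = string
  description = "IPv4 IPAM pool to allocate the VPC CIDR from (assumed to exist)"
}

resource "aws_vpc" "vpc_from_ipam" {
  ipv4_ipam_pool_id    = var.ipam_pool_id
  ipv4_netmask_length  = 20
  instance_tenancy     = "default"
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = { app = "example", env = "dev" }
}

# The allocated range is only known after apply.
output "vpc_from_ipam_cidr" {
  value = aws_vpc.vpc_from_ipam.cidr_block
}
```

The validation wraps each check in can() separately, so a value without a "/" fails cleanly on the cidrnetmask test instead of producing an evaluation error. With IPAM the range is chosen for you, which is how you avoid the overlapping CIDRs that later make peering or VPN routing impossible.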

AWS VPC

Terraform aws_vpc


Last modified January 27, 2025: Delete cloud-adoption-framework.md (1a91b0a)