A brief (kind of!) introduction to VPC in AWS

As the cloud mimics a traditional IT architecture, one of the most valuable features of the cloud is the provision of the virtual private cloud (VPC).

This provides us with a number of benefits;

  • We can provision a logically isolated section of the cloud.
  • We determine where resources sit within our network, we're able to determine our IP range, subnets, route tables and how we organise network gateways.
  • VPC's can span multiple Availability Zones as well as feature multiple subnets.
We're able to build these networks because of elastic network interfaces, which is is a virtualized network adapter.

So in the most simple form, a VPC is a cloud-based network with a private IP address space where we can deploy compute resources. In the diagram above we can see three EC2 instances and one RDS instance sitting within our VPC. However this example isn't revealing all the complexity present yet.

Now this diagram above provides a better insight into a VPC. It distinguishes between the different availability zones anc also shows us the necessity of gateways. But we can note, the EC2 instances within the private subnets have access to a external corporate data centre but with no NAT gateway, it remains completely isolated to the public internet.

The diagram luckily provides us with the key components we'd find in a VPC;

  • Subnet – Subnets are logical network segments within your VPC. They enable you to subdivide your VPC network into smaller networks inside a single Availability Zone. A subnet is public if it is attached to an internet gateway, or private if it is not. A subnet is required to deploy an instance into a VPC.
  • Security group – A security group is a set of firewall rules that secure instances. They allow or block inbound and outbound traffic into an instance (stateful). If you do not specify a particular group at launch time, an instance is automatically assigned to the default security group for the VPC. A security group is associated with an instance.
  • Primary network interface (elastic network interface) – An elastic network interface is a virtual network interface (NIC) that connects an instance to a network. Each instance in a VPC has a default network interface, the primary network interface, which cannot be detached from the instance.
  • Router – A router is a component that routes traffic within the VPC.
  • Internet gateway – An internet gateway is a VPC component that enables communication between instances in a VPC and the internet.
  • Virtual private gateway – A virtual private gateway is the component that is defined on the AWS side of a virtual private network (VPN) connection. A VPN connection provides a secure and encrypted tunnel between two network endpoints.
  • Customer gateway – A customer gateway is a physical device or software application that is defined on the client side of a VPN connection.

VPCs have implicit routers directing traffic between subnets. Route tables determine where traffic goes, with rules specifying destinations and targets. Default route tables, created with VPCs, route local traffic within the IP range. Subnets automatically associate with the default table, but custom tables can be created for specific subnets. VPCs may have internet gateways for routing traffic to the internet.

The router reads the route like this: “Any traffic that goes to destination should be routed through target.”


Here we have a more straight forward visualization of the route tables. Between both, default and route, we see that traffic is allowed out of the subnet only to the IP addresses in the VPC’s address range (10.0.0.0/16). We note that this is local traffic, as distinguished on the target but also because it's also a range sitting within the private subnet (subnet 2), with no NAT gateway. 

We can see however in the public subnet (subnet 1), that all traffic (0.0.0.0/0) with target of the internet gateway means that traffic to any other IP addresses is also allowed.

AWS offers multiple connectivity options for VPCs, external endpoints, and AWS services. Key options include NAT devices for private subnet traffic, Cloud peering, AWS Direct Connect with VPN, and AWS VPN CloudHub. AWS provides recommended solutions categorized by Amazon EC2 instance connectivity, VPC-to-VPC, and network-to-VPC scenarios. Differentiation includes the use of VPN connectivity or VPC endpoints where applicable.We will explore each of these options in greater depth in the rest of this blog post.

The diagram above now presents us with an architecture featuring a NAT gateway. The main route table sends internet traffic from the instances in the private subnet to the NAT gateway. The NAT gateway sends the traffic to the internet gateway by using the NAT gateways' Elastic IP address as the source IP address. It is best practice if using multiple Availability Zones that you host a NAT gateway in each Availability Zone for enhanced availability.

VPCs in AWS are isolated to their region, but you can connect them using VPC peering, a networking link which allows for private IP traffic exchange between different VPCs. Peering works across Regions and AWS accounts without the need for gateways, relying on route tables for control. It ensures communication without a single point of failure or bandwidth bottleneck. Examples include allowing resources in different accounts to communicate and facilitating data transfer, such as creating a file-sharing network. The process involves establishing a two-way connection through the AWS Management Console, with both parties initializing and accepting the connection, and ensuring non-overlapping address spaces for routing.

AWS Direct Connect establishes a physical, secure connection between your data center and AWS, creating a dedicated endpoint. One end connects to your data center router, while the other connects to an AWS Direct Connect router. Virtual interfaces are then created to directly access AWS services or VPCs, bypassing ISPs in the network path. Public virtual interfaces enable access to services like Amazon S3, while private ones enable access to a VPC, connected to a virtual private gateway. Combining Direct Connect with Site-to-Site VPN adds IPsec encryption to enhance security.

AWS VPN CloudHub provides a cost-effective solution for multiple VPC-to-remote-site VPN connections using a hub-and-spoke model. If we wanted to implement AWS VPN CloudHub, we'd create a virtual private gateway with multiple customer gateways, each configured to advertise Border Gateway Patrol (BGP) routes over AWS Site-to-Site VPN connections, enabling data exchange between sites and the VPC. 

For example, a corporate headquarters in New York connects through AWS Direct Connect, while branch offices in Los Angeles and Miami use Site-to-Site VPN connections, all operating within the AWS VPN CloudHub model as shown in the diagram above.


To facilitate a gradual transition to the cloud, AWS offers various network-to-Amazon VPC connectivity options. The primary solutions include AWS Site-to-Site VPN, AWS Direct Connect plus VPN, and AWS VPN CloudHub. 
  • AWS Site-to-Site VPN establishes a secure internet connection between your VPC and remote network using IPsec, requiring a virtual private gateway on the AWS side and a customer gateway on the remote side.

  • AWS Direct Connect plus VPN combines AWS Direct Connect's dedicated private connection with AWS Site-to-Site VPN features. Direct Connect creates a private link from your data center to VPCs via a fiber-optic cable, providing enhanced privacy and bandwidth. This results in a secure IPSec-based connection.

VPC endpoints enable secure and private connections between a VPC and supported AWS services or VPC endpoint services via AWS PrivateLink. This method eliminates the need for an internet gateway, NAT device, VPN, or AWS Direct Connect. Two types of VPC endpoints exist:

1. Interface endpoint: Acts as a virtual network interface attached to an EC2 instance, allowing connection to services through AWS PrivateLink. Services, including custom ones, can be powered by AWS PrivateLink, referred to as VPC endpoint services.

2. Gateway endpoint: Provides direct access to Amazon S3 and DynamoDB resources without internet routing. It is configured in a route table, facilitating efficient connection to the target resource.


AWS PrivateLink ensures secure connections between VPCs and various services, including AWS services, third-party services on AWS Marketplace and custom services on AWS. The traffic uses private IP addresses, staying within the AWS network.

Supported AWS services accessible via interface endpoints include Amazon EC2, Elastic Load Balancing, and AWS Systems Manager. We can see the diagram above shows an instance i connected to three interface endpoints. The first connects to an AWS service (e.g., Systems Manager), the second to an AWS Marketplace service (potentially third-party), and the third to a custom service created by the consumer, exposed through AWS PrivateLink as a VPC endpoint service. Custom services are onboarded by setting up a Network Load Balancer in front of them, connecting the interface endpoint to the load balancer.

AWS Transit Gateway simplifies the complexity of interconnecting growing numbers of VPCs in the AWS Cloud environment. Unlike the exponential growth and operational challenges of peering connections, Transit Gateway offers a centralized solution. It acts as a hub, efficiently managing traffic routing among connected networks, serving as spokes. This hub-and-spoke model streamlines management and reduces operational costs, requiring each network only to connect to the Transit Gateway and not every other network.

Securing and Troubleshooting Your Network

To enhance network security, adopting a layered design is crucial. This layered network approach leverages various components for effective control. Route tables play a key role in regulating traffic flow, while Network Access Control Lists (NACLS) are employed to control inbound and outbound traffic within networks. Security Groups (SGs) further manage traffic, focusing on hosts and services. Additionally, secure access for administration is achieved through the implementation of Bastion hosts, facilitating secure connections to Linux-based hosts and remote desktops (RDP) for Windows. 

When troubleshooting network issues, a systematic approach is the recommended path. It involves verifying the availability of the resource, checking for any potential blockages in NACLS or SGs, and ensuring correct routing for the specific host or service in question.

Your virtual network can and should be secured at several different levels:

  1. Begin with broad security measures at the route table level, establishing private subnets to shield internal computing resources from unauthorized access.
  2. The second level employs network access control lists (network ACLs) to set default security behaviors for subnets, typically overseen by the network security team.
  3. Move to the third level, utilizing security groups to manage behavior at the instance or elastic network interface level.
  4. Finally, at the fourth level, consider implementing third-party host-based detection software to monitor Amazon EC2 instances for specific threats like malware, operating system vulnerabilities, and security auditing.

A bastion host acts as a secure gateway, enabling access from the public internet to Amazon EC2 instances and resources in a private subnet. This setup allows public access to private resources while minimizing the attack surface of the private subnet. To ensure security, users must possess valid keys for both the bastion host and private instances. AWS strongly recommends using different key pairs for the bastion host and private subnet resources to prevent unauthorized access.

For Linux instances, SSH clients with agent forwarding support enable the passing of private keys from the client through the SSH connection with the bastion host to access private network resources.

For Windows instances, the Amazon EC2 console can be used to generate a login password with the private key. The Remote Desktop (RDP) client program is then employed to log in to the private instance using the generated password.


How do you configure security groups to allow the bastion host to access an instance in your private subnet?

Begin by configuring the bastion host to permit connections exclusively from within the corporate network, preventing external access. For instance, the bastion host in the example only accepts SSH connections from clients within the 17.5.0.0/16 address range.

Next, establish a rule in the private instance's security group, allowing incoming traffic solely from instances associated with the bastion host's security group. For example, if the bastion host has a security group named sg-192d536a, specify that the private subnet server permits incoming connections exclusively from instances in security group sg-192d536a. This rule ensures flexibility and reusability compared to restricting connections to the IP address of the bastion host.

When managing Microsoft Windows instances in Amazon EC2 via RDP, configuring security group rules for TCP port 3389 is essential. Following the principle of least privilege, it's recommended to allow connections only from specific IP addresses where administrators operate, denying all others. However, in cases where administrators connect from various locations, allowing every IP address (0.0.0.0/0) becomes a common, yet insecure practice.

To address this, a more secure solution involves implementing a Microsoft Remote Desktop (RD) Gateway server as a bastion host. Configured to accept HTTPS connections (TCP port 443) from any internet IP address, the RD Gateway then proxies these connections to other Windows instances through RDP port (TCP port 3389). Access to the protected Windows instances is restricted to users who authenticate through the RD Gateway, ensuring a secure network layer and enforcing the principle of least privilege.


A very typical problem is users not being able to connect to their EC2 instance. The most basic of troubleshooting steps are outlined herein:

Firstly, ensure the instance is running, and secondly, confirm that the security group permits connections on the relevant port(s) (e.g., port 22 for SSH or port 80/443 for web servers). Additionally, check if the public IP address has changed, especially after stopping and restarting an instance, and validate the correctness of internet gateway and route table settings.

Verify user login details, ensuring the correct username and password combination is used, as not all EC2 instances have an ec2-user defined. When connecting through SSH, confirm the accurate use of the private key with correct access permissions.

Lastly, leverage the ping tool, available in both Microsoft Windows and Linux, as a networking utility to test host reachability on the IP network. Addressing these aspects systematically can resolve common EC2 connectivity issues.

After setting up a NAT gateway or NAT instance, updating the associated subnet's route table is crucial. The route table should direct internet-bound traffic to the NAT gateway or instance, allowing private instances to communicate with the internet.

It's important to note that AWS-created NAT instances, when used, don't require troubleshooting by system administrators. This is especially relevant for companies modifying NAT instances to align with their security rules or processes.

Popular posts from this blog

Network Fundamentals for the Cloud

Image
Computer networking is all around us. From the days of dial up internet, internet connected devices have grown rapidly on the global scale. Despite this, across the globe there are broadly three types of computer network  - LAN/MAN and WAN.  The above diagram does a good example of representing the geographical elements of these networks. But it is worth elaborating bit further. LAN networks are usually used in office locations and connected by physical cables and local wifi. MAN networks are typically interconnected LAN networks with a private network link and a connection to the internet. MAN use cases are mostly reserved for governmental or state institutions, along with huge corporates - I'd imagine Alphabet Inc in Silicon Valley might use this for example. Whilst WAN connects devices in a large geographic area, across multiple cities or countries. WAN's are used to connect LANs. You could argue that the biggest WAN in the world is the internet itself. Some of the fundamen...
Read more

Familiarizing with the Command Line Interface

Image
I'm beyond lucky to have been a successful applicant onto the Amazon re/Start programme. This week on our intensive bootcamp we've been focusing on manoeuvring around the command line interface on Linux. Due to being computer active before YouTube (the delightful days of dial-up internet!) this wasn't all too unfamiliar to me for three specific reasons; Internet Relay Chat , or as the acronym goes - IRC. Before the endless content on YouTube, if you wanted to have a copy of a music video you either had to rely on the artist putting a movie file on a CD single or  you relied on a fan club setting a server/channel up on IRC. To get a music video on IRC, the wizkids of the era set-up a system identical to a Linux CLI. So there I was at 13, deploying my dir and get commands to get my own personal slice of MTV heaven! Raspberry Pi Inspired by the super cool RetroFlag SNES case for the RaspberryPi and all amazing bespoke retro arcades I saw people posting online, I went ahead ...
Read more

Security Fundamentals for the Cloud

Image
Security is the practice of protecting valuable assets. When we talk about information security, cyber security is actually just a subset of this discipline. Cybersecurity is focused on protecting digital related devices – like networks, systems and digital information. Focus on stopping unauthorised access, malicious actions like theft, destruction or alteration or simply disrupting the service. One of the most popular models for thinking about information security is the CIA triad. Confidentiality, Integrity and Availability.  Threats can come in many different forms. The tables below provide some a variety and most interestingly also explore what part of the Triad is impacted.    So, working with the security lifecycle model we can determine what actions we can take at each stage to deliver a robust security infrastructure within our organisation.  Prevention Identify assets – what devices are you using? Are they contemporary? Can you flash newer firmware on them,...
Read more

CLI Fundamentals for the Cloud

Image
Operating a computer with BASH is the reality the end-user faced prior to Window's graphical user interface. In the end however, what we're actually doing is rather much the same. By deploying actions via a CLI, we're empowered in our agency in what we can schedule and automate in the environment.  Ensuring we're starting off at the right directory is key, for that we use; pwd This outputs are current directory which informs us were we're currently sitting at in the system. A basic rule of command syntax is that is delivered in below format; command -> option - > argument eg. sudo usermod -a -G Sales arosalez sudo usermod -> -a -G  -> Sales arosalez The most basic commands revolve around providing quick user or system data. I won't elaborate on the most of these as they are either ubiquitous or pretty self evident. ls, cd, whoami, id, hostname, uptime, date cal, clear, echo, history, touch, cat Don't forget to use the tab autocomplete function...
Read more

DataDog, a Cloud Analytics & Monitoring application

Image
Due to having an industry connection, I had the opportunity to do something really fun this weekend. The application running on AWS is a CRUD API - however, Datadog, a Cloud Analytics & Monitoring agent has been installed to provide feedback on what's actually happening. I found this so beyond awesome, the scope of this product is really impressive.  On the left side you can see a command line running on my Linux VM. On the right you can see a live monitoring of the AWS machine, tracking the inputs received on the API application.  As I send commands into the CRUDE API application, DataDog continues monitoring and updating our dashboard. If you can imagine for the deployment of a much busier service, the possibilities of this kind of real-time monitoring isn't to be underestimated.   Above you can see the CPU usage graphs, but unlike the ones you find on the AWS console, you can see that DataDog manages to also show us the split of the CPU usage.  Even in th...
Read more

A brief introduction to Databases and MySQL

Image
Thanks to completing an IT GNVQ during my secondary school days, databases aren’t all that new to me. I had experience querying a relational database in Microsoft Access already. But for the purpose of this post, I’ll revisit some core principles. The first to example is the types of database, which I’ll use an infographic to explain; Now what we’ll be looking this post is the relational model. This works by having a series of tables linked by public and foreign keys. Each of these keys has to be completely unique. When we update our database, we term this as a transaction. This means one or more changes are performed to a database. To commit a change we need to ensure transactions follow the four standard principles of atomicity, consistency, isolation, and durability. Before we go into talking about querying our relational database, let’s get into the NULL value. When searching we can use IS NULL and IS NOT NULL, but beyond this, there are several useful things to know about this v...
Read more

AWS CodeCommit + Creating a CI/CD pipeline

Image
  Having signed up to the AWS Skill Builder I thought it was something I'd be looking at post-programme. However the above builder labs email landed, I thought, what better way to spend my Sunday afternoon? So the fundamentals lab was working with the AWS service CodeCommit. Having gone through most of gitimmersion  this lab felt very straight forward. It involved creating a local and "remote" (ie. CloudCommit) git repository and synchronising them together. The intermediate lab now proved a little more tricky. First of all was to comprehend that we were going to build a CI/CD pipeline - ie. manifesting the principles of DevOps. Below I've posted a full scale CI/CD pipeline to demonstrate the complexity. However, in this lab we're only using CodeCommit, CodeBuild, CodeDeploy, AWS ECR and ECS. This lab involved the most complex technology stack I've come across thus far, so really appreciated doing something a little more challenging. However, it did involve so...
Read more

Future Orientation: Tips from a AWS re/Start Graduate

Image
  Today we had a recent AWS re/Start Graduate join us for a short presentation and Q&A about their experience both about the programme and their post-programme period before starting a role as a Cloud Engineer.  It was great to hear from someone who less then 12 months ago had also undergone the same exact programme we're a third of the way through now. We got an insight into their day to day (lots of meetings!), how long it took until they were allowed to pick up tickets independently (two months) and how much did their employer support their development (lots!). By chance, they were scheduled to complete the solutions AWS solutions architect certification tomorrow! I found it incredibly motivating and centring to hear their story. I made sure to ask a question myself, which revolved around finding potential roles and then knowing the essential skills that we might need to enhance our employability. The advice provided was; Make sure to continue studying Networking. This ...
Read more

A brief introduction to AWS Cloud Adoption Framework (CAF) and Well-Architected Framework (WAF)

Image
To aid in moving more businesses into the cloud AWS have developed the Cloud Adoption Framework (CAF). There are also competitors’ models, but in the broadest sense they tend to follow the same principles and categories. I’ll start with showing broad categories, then the Azure model and the AWS model.  So now we've familiarised ourselves with the broad categories, we can see the two major cloud providers high-level frameworks presented; Now the 2nd infographic of the AWS CAF begins to show more detail, exposing us to the genuine complexity behind the considerations required during the CAF process. If a business is consequently adopting a cloud, well, it also makes sense to have a structure to think about how the future architecture will be designed and if it matches cloud best practice, in other words AWS's Well-Architected Framework (WAF). Thankfully like many of my posts, there are infographics that excellently and succinctly summaries these ideas for us; It is very likely th...
Read more

Building a VPC in AWS

Image
  For our very last lab about the network, we were given the following customer environment to build. By virtue of the fact the AWS management console GUI is constantly updated it meant that our task instructions were wholly out of date. However, this actually proved to only make it a far more involved and fun process - necessitating lots of troubleshooting when things had not spun up as expected. I felt like I had learnt a lot more this way and for the benefit of my future self, I thought I would make some step by step notes (not necessarily in reference to the diagram above) to serve as prompts for any future cloud VPC's I'll be spinning up. Our challenge was to build the VPC as the diagram above.  Create an elastic IP. We will associate this later with our NAT gateway. Launch your VPC with a private class IP range without forgetting to specific how many availability zones (AZ) you want. Create and label your subnets, again specifying what AZ, as none are public at the ...
Read more