Thursday, October 30, 2025

Amazon VPC | Overview & Hands-On.


An Overview of Amazon VPC (Virtual Private Cloud).

Focus:

  •  VPC Architecture,
  •  VPC Components,
  •  VPC Design Patterns,
  •  VPC Security,
  •  VPC Advanced Networking Capabilities (the kind of details that DevOps / Cloud / DevSecOps Engineers like twtech care about).

Breakdown:

  •  The concept: Amazon VPC,
  •  Core VPC Components,
  •  VPC Connectivity Options,
  •  Security and Isolation Features,
  •  Common Design Patterns,
  •  Advanced Topics,
  •  Operational Best Practices,
  •  Sample-Reference-Architecture.

The concept: Amazon VPC

  •  Amazon Virtual Private Cloud (VPC) is an isolated, logically separated network within the AWS Cloud.
  •  Amazon VPC lets twtech define and control its own networking.
  •  Within a VPC, twtech therefore controls:
    •  IP addressing,
    •  Subnets,
    •  Route tables,
    •  Gateways,
    •  Security.

NB:

  •  This gives twtech the same degree of control it would have over a traditional on-premises data center network, with AWS scalability and elasticity added.

Core VPC Components

1. CIDR Block

  •  Defines the IP address range for the VPC using Classless Inter-Domain Routing (CIDR) notation.
  •  Example: 10.0.0.0/16 provides 65,536 IP addresses.
  •  twtech may later decide to add secondary CIDR blocks (IPv4 and IPv6) for IP expansion.

2. Subnets

  •  Subdivide the twtech VPC CIDR into smaller ranges.
  •  Each subnet is tied to a single Availability Zone (AZ).
  •  Two main types:
    •  Public Subnet: has a route to the Internet Gateway (IGW).
    •  Private Subnet: has no direct route to the internet; can use a NAT Gateway for outbound internet access.
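The CIDR and subnet rules above (one AZ per subnet, a public and a private subnet per AZ, room left for growth) can be checked before anything is created in the console. The following is an added example, not code from the post; the /16 and the AZ names are assumptions, and the five reserved addresses per subnet are the AWS reservation (network address, VPC router, DNS resolver, one reserved for future use, broadcast):

```python
import ipaddress

# Constructed example (not from the post): a /16 VPC and three assumed AZ names.
VPC_CIDR = "10.0.0.0/16"
AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]

# AWS reserves the first four addresses and the last address of every subnet
# (network address, VPC router, DNS resolver, reserved for future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr):
    """Addresses that instances can actually be given in a subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, azs, subnet_prefix=24):
    """Carve the VPC CIDR into one public and one private subnet per AZ.

    Subnets are allocated from the start of the VPC range so the tail of the
    range stays free for later growth. Each entry records the AZ the subnet is
    tied to, because a subnet never spans more than one AZ.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    if subnet_prefix <= vpc.prefixlen:
        raise ValueError("subnet prefix must be longer than the VPC prefix")
    candidates = vpc.subnets(new_prefix=subnet_prefix)
    plan = []
    for tier in ("public", "private"):
        for az in azs:
            subnet = next(candidates)
            plan.append({
                "tier": tier,
                "az": az,
                "cidr": str(subnet),
                "usable": usable_hosts(str(subnet)),
            })
    return plan


def remaining_space(vpc_cidr, plan):
    """CIDR blocks of the VPC range not yet assigned to any subnet in the plan."""
    vpc = ipaddress.ip_network(vpc_cidr)
    free = [vpc]
    for entry in plan:
        used = ipaddress.ip_network(entry["cidr"])
        next_free = []
        for block in free:
            if used.subnet_of(block):
                # address_exclude yields the pieces of 'block' that lie outside 'used'
                next_free.extend(block.address_exclude(used))
            else:
                next_free.append(block)
        free = next_free
    return [str(block) for block in sorted(free)]


if __name__ == "__main__":
    plan = plan_subnets(VPC_CIDR, AZS)
    for entry in plan:
        print(f"{entry['tier']:<8} {entry['az']:<12} {entry['cidr']:<16} usable={entry['usable']}")
    print("unallocated blocks:", remaining_space(VPC_CIDR, plan))
```

The `usable` figure is what matters when sizing a subnet: a /28 has 16 addresses but only 11 assignable ones, which is easy to exhaust with a small Auto Scaling group.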

3. Route Tables

  •  Control how network traffic is routed.
  •  Each subnet must be associated with exactly one route table.
  •  Routes can target:
    •  Local VPC traffic
    •  Internet Gateway
    •  NAT Gateway
    •  Transit Gateway
    •  VPC Peering Connection
    •  VPN Connection
    •  AWS PrivateLink / VPC Endpoint
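A route table resolves a destination by longest-prefix match, and whether a subnet is "public" is decided entirely by where its default route points. The following added example (not from the post; the gateway IDs are placeholders) models that lookup and classifies a subnet's internet exposure from its route table, which is the check to run when auditing for subnets that are public by accident:

```python
import ipaddress

# Constructed route tables in the shape of the public/private subnet model.
# Gateway IDs are placeholders, not real resources.
PUBLIC_RT = [
    {"destination": "10.0.0.0/16", "target": "local"},
    {"destination": "0.0.0.0/0", "target": "igw-PLACEHOLDER"},
]
PRIVATE_RT = [
    {"destination": "10.0.0.0/16", "target": "local"},
    {"destination": "172.16.0.0/12", "target": "pcx-PLACEHOLDER"},  # peered VPC
    {"destination": "0.0.0.0/0", "target": "nat-PLACEHOLDER"},
]
ISOLATED_RT = [
    {"destination": "10.0.0.0/16", "target": "local"},  # DB tier: no internet route at all
]


def lookup_route(route_table, dst_ip):
    """Pick the route for dst_ip by longest-prefix match, as the VPC router does.

    Returns the route target, or None when nothing matches (the packet is dropped).
    """
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for route in route_table:
        net = ipaddress.ip_network(route["destination"])
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, route["target"])
    return None if best is None else best[1]


def internet_exposure(route_table):
    """Classify a subnet by how its default route reaches the internet.

    'public'   : default route to an Internet Gateway (reachable inbound)
    'private'  : default route to a NAT Gateway or egress-only IGW (outbound only)
    'isolated' : no default route at all
    'other'    : default route to something else (e.g. a firewall or TGW); inspect it
    """
    for route in route_table:
        if route["destination"] in ("0.0.0.0/0", "::/0"):
            target = route["target"]
            if target.startswith("igw-"):
                return "public"
            if target.startswith(("nat-", "eigw-")):
                return "private"
            return "other"
    return "isolated"


if __name__ == "__main__":
    for name, rt in (("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)):
        print(name, internet_exposure(rt), lookup_route(rt, "93.184.216.34"))
```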

4. Internet Gateway (IGW)

  •  Horizontally scaled, redundant gateway that allows internet access for public subnets.

5. NAT Gateway / NAT Instance

  •  Provides outbound internet access for private subnets without exposing them to inbound connections.
  •  NAT Gateway is fully managed, supports multi-AZ high availability, and scales automatically.

6. VPC Endpoints (PrivateLink)

  •  Enable private connectivity to AWS services (such as S3, DynamoDB, etc.) without using an IGW, NAT, or VPN.
  •  Two types of VPC Endpoints:
    •  Interface Endpoint (ENI-based, PrivateLink)
    •  Gateway Endpoint (for S3, DynamoDB)

7. Elastic Network Interface (ENI)

  •  A virtual network card that can be attached to EC2 instances.
  •  Useful for:
    •  Network separation
    •  Failover (e.g., moving an Elastic Network Interface (ENI) between instances)
    •  Multi-homed configurations

8. Security Controls

a. Security Groups (SGs)

  •  Stateful firewalls at the instance level.
  •  Allow inbound/outbound rules; return traffic is automatically allowed.

b. Network ACLs (NACLs)

  •  Stateless firewalls at the subnet level.
  •  Evaluate inbound and outbound rules separately.
  •  Rules are numbered and evaluated in order from the lowest number to the highest.
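The stateful/stateless distinction is the source of most NACL troubleshooting, so it is worth simulating. The following added example (not from the post; rule sets are constructed) evaluates NACL rules in rule-number order with first match winning and an implicit deny, then judges a TCP session in both directions, which is where a NACL that forgets the ephemeral-port reply rule fails while a security group with the same inbound rule passes:

```python
import ipaddress

# Constructed rules in the console's layout: rule number, protocol, port range, CIDR, action.
# Protocol 'all' matches any protocol and any port.
INBOUND = [
    {"rule": 100, "protocol": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0", "action": "allow"},
    {"rule": 110, "protocol": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0", "action": "allow"},
]
# Easy NACL mistake: only the service port is allowed outbound, so replies to the
# clients' ephemeral ports are dropped and no session ever completes.
OUTBOUND_BROKEN = [
    {"rule": 100, "protocol": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0", "action": "allow"},
]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    {"rule": 110, "protocol": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0", "action": "allow"},
]
# Security group rules have no numbers and no deny action: any match allows.
SG_INBOUND = [
    {"protocol": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"},
]


def _matches(rule, protocol, port, addr):
    """Does one rule apply to this protocol/port/address?"""
    if rule["protocol"] not in ("all", protocol):
        return False
    lo, hi = rule["ports"]
    if rule["protocol"] != "all" and not (lo <= port <= hi):
        return False
    return addr in ipaddress.ip_network(rule["cidr"])


def nacl_decision(rules, protocol, port, ip):
    """Stateless NACL evaluation: lowest rule number first, first match wins,
    and the implicit '*' rule denies anything left over."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r["rule"]):
        if _matches(rule, protocol, port, addr):
            return rule["action"]
    return "deny"


def nacl_tcp_session(inbound, outbound, client_ip, client_port, server_port):
    """Both directions of a client -> server TCP session are judged separately:
    the request arrives on server_port, the reply leaves towards client_port."""
    request = nacl_decision(inbound, "tcp", server_port, client_ip)
    reply = nacl_decision(outbound, "tcp", client_port, client_ip)
    return {"request": request, "reply": reply,
            "session_ok": request == "allow" and reply == "allow"}


def sg_tcp_session(sg_inbound, client_ip, client_port, server_port):
    """Stateful security group: if any inbound rule allows the request, the reply
    is allowed automatically, whatever the outbound rules say."""
    addr = ipaddress.ip_address(client_ip)
    request_ok = any(_matches(r, "tcp", server_port, addr) for r in sg_inbound)
    return {"request": "allow" if request_ok else "deny",
            "reply": "allow" if request_ok else "n/a",
            "session_ok": request_ok}


if __name__ == "__main__":
    print("NACL, broken outbound:", nacl_tcp_session(INBOUND, OUTBOUND_BROKEN, "203.0.113.5", 51000, 443))
    print("NACL, fixed outbound: ", nacl_tcp_session(INBOUND, OUTBOUND_FIXED, "203.0.113.5", 51000, 443))
    print("Security group:       ", sg_tcp_session(SG_INBOUND, "203.0.113.5", 51000, 443))
```

Because evaluation stops at the first match, a deny rule with a lower number than a broad allow is honoured, while the same deny placed after the allow is never reached; ordering is part of the policy, not a cosmetic detail.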

 VPC Connectivity Options

Connectivity Type   | Description                                   | Use Case
--------------------|-----------------------------------------------|------------------------------------
Internet Gateway    | Public internet access                        | Public-facing apps
NAT Gateway         | Private → Public outbound                     | Private workloads needing updates
VPC Peering         | Connects two VPCs privately                   | Same or different accounts/regions
Transit Gateway     | Hub-and-spoke multi-VPC routing               | Enterprise-scale multi-VPC networks
PrivateLink         | Private access to services over AWS backbone  | SaaS/private API access
VPN Connection      | IPsec tunnels between on-prem and VPC         | Hybrid connectivity
Direct Connect (DX) | Dedicated private fiber connection            | Low-latency hybrid workloads

Security and Isolation Features

  •  Flow Logs: capture metadata about network traffic (can be sent to CloudWatch Logs or S3).
  •  VPC Traffic Mirroring: copy traffic from ENIs for inspection.
  •  Prefix Lists: centralize and simplify routing and security rule management.
  •  Network Firewall / Gateway Load Balancer (GWLB): for deep packet inspection, intrusion detection, etc.
  •  Egress-Only Internet Gateway (for IPv6): allows outbound IPv6 but no inbound.
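Flow Logs are only useful if someone reads them, and the default (version 2) record is plain enough to parse without tooling. The following added example (not from the post) parses constructed flow log records in that default format, skips the NODATA/SKIPDATA records that carry no traffic fields, and runs two defender-side checks: accepted SSH/RDP traffic from outside RFC 1918 space (a security group to review) and sources whose rejected flows touch many distinct ports (a probe worth correlating with GuardDuty). The account id, ENI id and addresses are made up:

```python
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed sample records; account id, ENI id and addresses are invented for the example.
SAMPLE_LOG = """\
2 111122223333 eni-0aaa1111bbbb2222c 203.0.113.7 10.0.1.25 40111 22 6 3 180 1730000000 1730000060 REJECT OK
2 111122223333 eni-0aaa1111bbbb2222c 203.0.113.7 10.0.1.25 40112 23 6 3 180 1730000000 1730000060 REJECT OK
2 111122223333 eni-0aaa1111bbbb2222c 203.0.113.7 10.0.1.25 40113 3389 6 3 180 1730000000 1730000060 REJECT OK
2 111122223333 eni-0aaa1111bbbb2222c 203.0.113.7 10.0.1.25 40114 445 6 3 180 1730000000 1730000060 REJECT OK
2 111122223333 eni-0aaa1111bbbb2222c 198.51.100.4 10.0.1.25 51515 22 6 20 4249 1730000000 1730000060 ACCEPT OK
2 111122223333 eni-0aaa1111bbbb2222c 10.0.2.9 10.0.1.25 51516 22 6 20 4249 1730000000 1730000060 ACCEPT OK
2 111122223333 eni-0aaa1111bbbb2222c - - - - - - - 1730000000 1730000060 - NODATA
2 111122223333 eni-0aaa1111bbbb2222c 10.0.1.25 198.51.100.20 44000 443 6 10 2000 1730000000 1730000060 ACCEPT OK
"""

# Python's ip_address(...).is_private also covers documentation ranges such as
# 198.51.100.0/24, so "internal" is checked against the RFC 1918 blocks explicitly.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 3389}   # SSH and RDP
TCP = 6


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def parse_flow_log(text):
    """Turn raw default-format records into dicts, dropping records without traffic data."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA rows have '-' in the traffic fields
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def find_exposed_admin_access(records):
    """ACCEPTed TCP to SSH/RDP from outside RFC 1918 space: the security group needs review."""
    return [(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
            if r["action"] == "ACCEPT" and r["protocol"] == TCP
            and r["dstport"] in ADMIN_PORTS and not is_rfc1918(r["srcaddr"])]


def find_rejected_probes(records, min_ports=3):
    """Sources whose REJECTed flows reached at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports_by_src[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("exposed admin access:", find_exposed_admin_access(recs))
    print("rejected probes:", find_rejected_probes(recs))
```

Running the same two checks on the CloudWatch Logs or S3 destination named above is the practical meaning of "enable Flow Logs" in the best-practice table: the log alone records what happened; the checks turn it into something a person acts on.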

Common Design Patterns

1. Public + Private Subnet Model

  •  Public Subnet: load balancers, bastion hosts
  •  Private Subnet: app servers, databases
  •  NAT Gateway in the public subnet for outbound traffic from private subnets

2. Three-Tier Architecture

  •  Web Tier (Public)
  •  App Tier (Private)
  •  DB Tier (Private, no internet)

3. Hub-and-Spoke with Transit Gateway

  •  Centralized connectivity model in which multiple VPCs connect through a Transit Gateway (TGW).

4. Shared VPC

  •  Multiple AWS accounts share subnets within a centrally managed VPC.
  •  Useful for multi-account organizations using AWS Organizations and Service Control Policies (SCPs).

Advanced Topics

 Hybrid Networking

  •  Combine VPC + on-prem using:
    •  AWS Direct Connect (DX)
    •  Site-to-Site VPN
    •  Transit Gateway for central management

 IPv6 Dual-Stacking

  •  Assign both IPv4 and IPv6 CIDRs.
  •  IPv6 routing uses an Egress-Only Internet Gateway for outbound-only internet access.

 VPC Lattice

  •  Application-level networking across VPCs and accounts.
  •  Offers service discovery, auth, traffic policies, and monitoring at the application layer.

 DNS in VPC

  •  AmazonProvidedDNS for name resolution.
  •  Route 53 Resolver for custom DNS forwarding between on-prem and AWS.

 Operational Best Practices

Area              | Recommendation
------------------|---------------------------------------------------------------
IP Planning       | Reserve address space for growth; avoid overlap with on-prem
High Availability | Distribute subnets across multiple AZs
Security          | Use least-privilege SGs and NACLs; enable Flow Logs
Monitoring        | Integrate with CloudWatch, GuardDuty, and AWS Config
Automation        | Use IaC (Terraform / CloudFormation / CDK) for VPC setup
Cost Optimization | Reuse NAT Gateways; minimize cross-AZ traffic

Sample-Reference-Architecture


Project: Hands-On

How twtech creates a Custom VPC within its Environment.

Search for the AWS service: VPC

Create VPC:

A VPC is an isolated portion of the AWS Cloud populated by AWS objects, such as Amazon EC2 instances.

How twtech calculates the number of addresses in a CIDR block, using the website:

https://www.ipaddressguide.com/cidr

Create VPC:

How twtech adds CIDR blocks to a Custom VPC: Select the custom VPC and click Open to edit CIDRs

Add new IPv4 CIDR: 10.0.0.1/24
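The same calculation the website performs, plus the two checks AWS applies when a secondary CIDR is added, can be done locally before touching the console. The following is an added example, not part of the post; it assumes the VPC's primary block is the 10.0.0.0/16 from the CIDR section above, and it uses the AWS limits that a VPC IPv4 CIDR must be between /16 and /28 and must not overlap a block already associated with the VPC:

```python
import ipaddress

# Assumed primary block (the /16 used earlier on the page); not taken from the console.
PRIMARY_CIDR = "10.0.0.0/16"


def cidr_address_count(cidr):
    """Total addresses in a block: 2 ** (32 - prefix) for IPv4, the figure a CIDR calculator reports."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def normalize_cidr(cidr):
    """A CIDR with host bits set (e.g. 10.0.0.1/24) names the block 10.0.0.0/24;
    strict=False performs that normalization instead of raising ValueError."""
    return str(ipaddress.ip_network(cidr, strict=False))


def check_secondary_cidr(existing_cidrs, candidate):
    """Validate a secondary IPv4 CIDR against the constraints AWS enforces on VPC blocks.

    Returns the normalized block, its size, and the list of problems found (empty if ok).
    """
    cand = ipaddress.ip_network(candidate, strict=False)
    problems = []
    if cand.version != 4:
        problems.append("not an IPv4 block")
    elif not 16 <= cand.prefixlen <= 28:
        problems.append("VPC IPv4 CIDR blocks must be between /16 and /28")
    for existing in existing_cidrs:
        if cand.overlaps(ipaddress.ip_network(existing)):
            problems.append(f"overlaps existing {existing}")
    return {"cidr": str(cand), "addresses": cand.num_addresses, "ok": not problems, "problems": problems}


if __name__ == "__main__":
    print(cidr_address_count("10.0.0.0/16"), "addresses in 10.0.0.0/16")
    print("10.0.0.1/24 is stored as", normalize_cidr("10.0.0.1/24"))
    print(check_secondary_cidr([PRIMARY_CIDR], "10.0.0.1/24"))
    print(check_secondary_cidr([PRIMARY_CIDR], "10.1.0.0/16"))
```

With a 10.0.0.0/16 primary, 10.0.0.1/24 is reported as overlapping, because it lies inside the primary block; a secondary CIDR is meant to extend the VPC's address space, so it has to sit outside every block already attached.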


