What is a Virtual Private Cloud (VPC)?
A Virtual Private Cloud is a cloud computing model that offers an on-demand, configurable pool of shared computing resources allocated within a public cloud environment, while providing a certain level of isolation from other users of that public cloud. Since the pool of resources is accessible only to a single client in the VPC model, it offers privacy, greater control and a secure environment in which only the specified client can operate.
How does a VPC work?
Provisioning a private, isolated section of the public cloud between one VPC user and all other users of the same cloud is achieved through allocation of a private IP subnet and a virtual communication construct such as a VLAN or a set of encrypted communication channels. Because of this isolation, the user accessing the cloud is in effect working on a ‘virtually private’ cloud, as if the cloud infrastructure were not shared with other users, hence the name Virtual Private Cloud. A VPN function, allocated to each VPC user, secures the organization's remote access to its VPC cloud resources by means of authentication and encryption. VPC is most commonly used in the context of cloud infrastructure as a service.
Amazon Virtual Private Cloud
Amazon Virtual Private Cloud (VPC) is a commercial cloud computing service that provides users with a virtual private cloud by provisioning a logically isolated section of the Amazon Web Services (AWS) Cloud. Enterprise customers can access Amazon Elastic Compute Cloud (EC2) over an IPsec-based virtual private network. Unlike traditional EC2 instances, which are allocated internal and external IP addresses by Amazon, the customer can assign IP addresses of their choosing from one or more subnets.
Features & Benefits
Multiple Connectivity Options:
- Connect directly to the Internet (public subnets)
- Connect to the Internet using Network Address Translation (private subnets)
- Connect securely to your corporate datacentre
- Connect privately to other VPCs
- Privately connect to AWS Services without using an Internet gateway, NAT or firewall proxy through a VPC Endpoint
- Privately connect your internal services across different accounts and VPCs within your own organizations
- Privately connect to SaaS solutions supported by AWS PrivateLink
Secure:
- Advanced security features such as security groups and network access control lists, to enable inbound and outbound filtering at the instance level and subnet level
- Store data in Amazon S3 and restrict access so that it’s only accessible from instances in your VPC
- For additional isolation, launch dedicated instances, which run on hardware dedicated to a single customer
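The two filtering layers named above behave differently, and the difference decides whether return traffic gets through: a network ACL is stateless and evaluates numbered rules in order with an implicit final deny, so reply packets must be allowed explicitly; a security group is stateful, so once a connection is allowed its replies pass regardless of the rules for the other direction. The following model, written for this page as an added illustration and not AWS code, evaluates constructed packets against both layers; rule formats, the connection-tracking key and the sample addresses are simplifications chosen here.

```python
"""Stateless NACL vs. stateful security group, modelled for one subnet/instance."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str           # "tcp", "udp", "icmp" or "all"
    cidr: str               # remote address range the rule applies to
    port_from: int
    port_to: int
    action: str = "allow"   # NACL rules may also "deny"; security groups only allow
    number: int = 0         # NACL rule number; lower numbers are evaluated first


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" (toward the instance) or "out"
    protocol: str
    remote_ip: str          # the other end of the conversation
    remote_port: int
    local_port: int         # port on the instance


def _matches(rule, pkt):
    """A rule matches on protocol, remote address and the port being connected to."""
    port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
    return (rule.protocol in ("all", pkt.protocol)
            and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= port <= rule.port_to)


def nacl_decision(rules, pkt):
    """Stateless: every packet, replies included, is checked against the ordered
    rule list; the first match wins and an unmatched packet hits the final deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful allow-list: once a packet is allowed, the replies of that
    connection are allowed automatically, whatever the rules for that direction say."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.tracked = set()

    def decision(self, pkt):
        # The key is the same for both directions of one connection.
        key = (pkt.protocol, pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if key in self.tracked:
            return "allow"          # reply of an already-allowed connection
        if any(_matches(r, pkt) for r in self.rules[pkt.direction]):
            self.tracked.add(key)
            return "allow"
        return "deny"


def filter_packet(nacl, sg, pkt):
    """Inbound traffic crosses the subnet NACL before the instance's security
    group; outbound traffic the reverse. Both layers must allow the packet."""
    if pkt.direction == "in":
        checks = [lambda: nacl_decision(nacl["in"], pkt), lambda: sg.decision(pkt)]
    else:
        checks = [lambda: sg.decision(pkt), lambda: nacl_decision(nacl["out"], pkt)]
    for check in checks:
        if check() == "deny":
            return "deny"
    return "allow"


# Constructed NACL outbound rule: allow replies to clients' ephemeral ports.
EPHEMERAL = [Rule("tcp", "0.0.0.0/0", 1024, 65535, "allow", 100)]


def demo(nacl_outbound_rules):
    """Run an HTTPS request, its reply and an SSH probe (constructed addresses)
    through a subnet that only admits TCP 443 and a security group with no
    outbound rules at all, to show which layer lets the reply back out."""
    nacl = {"in": [Rule("tcp", "0.0.0.0/0", 443, 443, "allow", 100)],
            "out": nacl_outbound_rules}
    sg = SecurityGroup(inbound=[Rule("tcp", "0.0.0.0/0", 443, 443)], outbound=[])
    https_syn = Packet("in", "tcp", "203.0.113.5", 51000, 443)
    https_reply = Packet("out", "tcp", "203.0.113.5", 51000, 443)
    ssh_probe = Packet("in", "tcp", "198.51.100.7", 40000, 22)
    return {"https_syn": filter_packet(nacl, sg, https_syn),
            "https_reply": filter_packet(nacl, sg, https_reply),
            "ssh_probe": filter_packet(nacl, sg, ssh_probe)}


if __name__ == "__main__":
    print("with ephemeral-port rule:", demo(EPHEMERAL))
    print("without it:              ", demo([]))
```

With the ephemeral-port rule present the reply is allowed by the security group's connection state and by the NACL; remove that rule and the same reply is dropped at the subnet boundary even though the security group still allows it, which is the usual cause of "connections open but never complete" in a subnet with a custom NACL.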
Simple:
- Set up a VPC quickly and easily using the AWS Management Console
- Easily select common network setups that best match your needs
- Subnets, IP ranges, route tables, and security groups are created automatically by the VPC Wizard
Scalability & Reliability:
- Amazon VPC provides all of the benefits of the AWS platform
Amazon VPC Functionality
With Amazon Virtual Private Cloud (Amazon VPC), you can:
- Create an Amazon VPC on AWS’s scalable infrastructure and specify its private IP address range from any range you choose.
- Expand your VPC by adding secondary IP ranges.
- Divide your VPC’s private IP address range into one or more public or private subnets to facilitate running applications and services in your VPC.
- Assign multiple IP addresses and attach multiple elastic network interfaces to instances in your VPC.
- Attach one or more Amazon Elastic IP addresses to any instance in your VPC so it can be reached directly from the Internet.
- Bridge your VPC and your onsite IT infrastructure with an encrypted VPN connection, extending your existing security and management policies to your VPC instances as if they were running within your infrastructure.
- Enable EC2 instances in the EC2-Classic platform to communicate with instances in a VPC using private IP addresses.
- Associate VPC Security Groups with instances on EC2-Classic.
- Use VPC Flow Logs to log information about network traffic going in and out of network interfaces in your VPC.
- Enable both IPv4 and IPv6 in your VPC.
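VPC Flow Logs, listed above, are the main network telemetry a VPC gives a defender. The example below is added to this page and is not AWS code: it parses records in the default version 2 space-separated format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and summarises which outside sources were rejected on several ports and which inbound ports were actually accepted from outside the VPC. The log lines, account id, interface id, addresses and the VPC range are constructed for the example.

```python
"""Parse VPC Flow Log records (default v2 format) and summarise ingress."""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real traffic). Protocol 6 is TCP.
SAMPLE_LOG = """
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51000 443 6 12 5400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40000 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40001 3389 6 1 60 1700000001 1700000061 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40002 23 6 1 60 1700000002 1700000062 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.30 10.0.1.20 33000 5432 6 8 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 203.0.113.5 443 51000 6 10 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Turn each well-formed v2 record into a dict; skip NODATA/SKIPDATA records,
    which carry no addresses, and any line that is not in the 14-field format."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def _is_ingress(rec, vpc):
    """True when the flow comes from outside the VPC range to an address inside it."""
    src = ipaddress.ip_address(rec["srcaddr"])
    dst = ipaddress.ip_address(rec["dstaddr"])
    return src not in vpc and dst in vpc


def external_rejects(records, vpc_cidr, min_ports=3):
    """Outside sources rejected on at least `min_ports` distinct destination ports.
    A single rejected flow is noise; one source touching many ports is worth a look."""
    vpc = ipaddress.ip_network(vpc_cidr)
    ports_by_src = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT" and _is_ingress(rec, vpc):
            ports_by_src[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


def accepted_ingress_ports(records, vpc_cidr):
    """Ports on which traffic from outside the VPC was actually accepted:
    this is the exposed surface to compare against the intended one."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return sorted({rec["dstport"] for rec in records
                   if rec["action"] == "ACCEPT" and _is_ingress(rec, vpc)})


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(len(recs), "records")
    print("multi-port rejects:", external_rejects(recs, "10.0.0.0/16"))
    print("accepted ingress ports:", accepted_ingress_ports(recs, "10.0.0.0/16"))
```

Outbound replies (10.0.1.20 to 203.0.113.5) and VPC-internal flows (10.0.2.30 to 10.0.1.20) are deliberately excluded from the ingress view, so the accepted-port list reflects only what the Internet-facing filters let in. For a custom log format the `FIELDS` tuple is the only thing to change.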
Components of Amazon VPC
- A Virtual Private Cloud: A logically isolated virtual network in the AWS cloud. You define a VPC’s IP address space from ranges you select.
- NAT Gateway: A highly available, managed Network Address Translation (NAT) service for your resources in a private subnet to access the Internet.
- Hardware VPN Connection: A hardware-based VPN connection between your Amazon VPC and your data center, home network, or co-location facility.
- Router: Routers interconnect subnets and direct traffic between Internet gateways, virtual private gateways, NAT gateways, and subnets.
- Peering Connection: A peering connection enables you to route traffic via private IP addresses between two peered VPCs.
- VPC Endpoints: Enables private connectivity to services hosted in AWS, from within your VPC without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies.
- Egress-only Internet Gateway: A stateful gateway to provide egress-only access for IPv6 traffic from the VPC to the Internet.
VPC Configuration Scenarios
Scenario 1: VPC with a Single Public Subnet
This scenario (Figure 1) includes a virtual private cloud (VPC) with a single public subnet, and an Internet gateway to enable communication over the Internet. This configuration is recommended if you need to run a single-tier, public-facing web application, such as a blog or a simple website.
Figure 1. Key Components of the Configuration
Scenario 2: VPC with Public and Private Subnets (NAT)
This scenario (Figure 2) includes a virtual private cloud (VPC) with a public subnet and a private subnet. This is recommended if you want to run a public-facing web application while maintaining back-end servers that aren’t publicly accessible. A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet.
Figure 2. Key Components of the Configuration
Scenario 3: VPC with Public and Private Subnets and Hardware VPN Access
This scenario (Figure 3) includes a virtual private cloud (VPC) with a public subnet and a private subnet, and a virtual private gateway to enable communication with your own network over an IPsec VPN tunnel. It is recommended when you want to extend your network into the cloud and also directly access the Internet from your VPC. This scenario enables you to run a multi-tiered application with a scalable web front end in a public subnet, and to house your data in a private subnet that is connected to your network by an IPsec VPN connection.
Figure 3. Key Components of the Configuration
Scenario 4: VPC with a Private Subnet and Hardware VPN Access
This scenario (Figure 4) includes a virtual private cloud (VPC) with a single private subnet, and a virtual private gateway to enable communication with your own network over an IPsec VPN tunnel. There is no Internet gateway to enable communication over the Internet. This is recommended if you want to extend your network into the cloud using Amazon’s infrastructure without exposing your network to the Internet.
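What makes a subnet "public" or "private" in each of the four scenarios is only its route table: a subnet with a default route to the Internet gateway is public, one whose default route points at a NAT gateway has egress only, and one whose only non-local route goes to the virtual private gateway is reachable solely over the VPN. The model below is added to this page as an illustration and is not AWS code or output: it carves the VPC range into /24 subnets with Python's `ipaddress` module, builds the route tables for scenarios 1 to 4 using the components listed earlier (Internet gateway, NAT gateway, virtual private gateway, router), resolves the next hop by longest-prefix match as the VPC router does, and audits that no subnet meant to be private has acquired an Internet gateway route. The VPC range 10.0.0.0/16 and the on-premises range 172.16.0.0/12 are assumptions; the scenario 3 and 4 private subnets are modelled as routing only the on-premises range to the VPN.

```python
"""Subnets, route tables and exposure audit for VPC configuration scenarios 1-4."""
import ipaddress

ON_PREM = "172.16.0.0/12"   # assumed corporate address range reachable over the VPN


def carve(vpc_cidr, names, new_prefix=24):
    """Split the VPC range into equal subnets, one per name, in order."""
    nets = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return {name: str(next(nets)) for name in names}


def build_scenario(number, vpc_cidr="10.0.0.0/16"):
    """Model the subnets, gateways and route tables of configuration scenarios 1-4.
    Every route table carries the implicit local route for the VPC range."""
    local = (vpc_cidr, "local")
    igw = ("0.0.0.0/0", "igw")     # default route to the Internet gateway
    nat = ("0.0.0.0/0", "nat")     # default route to a NAT gateway in the public subnet
    vgw = (ON_PREM, "vgw")         # on-premises range via the virtual private gateway
    layouts = {
        1: {"public": [local, igw]},
        2: {"public": [local, igw], "private": [local, nat]},
        3: {"public": [local, igw], "private": [local, vgw]},
        4: {"private": [local, vgw]},
    }
    routes = layouts[number]
    cidrs = carve(vpc_cidr, routes)
    gateways = sorted({target for table in routes.values()
                       for _, target in table if target != "local"})
    return {"vpc": vpc_cidr, "gateways": gateways,
            "subnets": {n: {"cidr": cidrs[n], "routes": routes[n]} for n in routes}}


def next_hop(subnet, dst):
    """Longest-prefix match over the subnet's route table; None means no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, target in subnet["routes"]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify(subnet):
    """Exposure class derived from the route targets, not from the subnet's name."""
    targets = {target for _, target in subnet["routes"]}
    if "igw" in targets:
        return "public"
    if "nat" in targets:
        return "private-nat-egress"
    if "vgw" in targets:
        return "vpn-only"
    return "isolated"


def audit(scenario):
    """Defender check: a subnet named private must not hold an Internet gateway route."""
    report = {}
    for name, subnet in scenario["subnets"].items():
        kind = classify(subnet)
        if name.startswith("private") and kind == "public":
            raise ValueError(f"{name} ({subnet['cidr']}) has an Internet gateway route")
        report[name] = kind
    return report


if __name__ == "__main__":
    for n in (1, 2, 3, 4):
        s = build_scenario(n)
        print(f"scenario {n}: gateways={s['gateways']} exposure={audit(s)}")
    private = build_scenario(2)["subnets"]["private"]
    print("private subnet, 10.0.0.5 ->", next_hop(private, "10.0.0.5"),
          "; 198.51.100.1 ->", next_hop(private, "198.51.100.1"))
```

Running the audit after every route-table change (a drifted "private" subnet that gained a 0.0.0.0/0 route to the Internet gateway is the case it catches) is cheap; the same classification can be applied to real route tables exported from the account, since only the `routes` list shape needs to match.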