What is Virtual Private Computing (VPC)?
Learn what Virtual Private Computing (VPC) is, its benefits, and how it creates secure, isolated cloud environments for enhanced data protection and privacy.
- Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined.
- This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
- Amazon VPC is the AWS Virtual Private Cloud. A VPC logically separates your virtual network from all other AWS customers and from the internet.
Think of it as a container for all the networking that you do when running on AWS:
- A Virtual Private Cloud is like a private network created on a cloud.
- It is a network logically isolated from other networks created in the cloud.
- Amazon VPC enables you to build a virtual network in the AWS cloud; no VPNs, hardware, or physical data centers are required. You can define your own network space and control how your network works.
- We can create a maximum of 5 VPCs per region, and each VPC can have 200 subnets.
- When we create a VPC, a DHCP options set, Security Group, and NACL are created automatically.
Important Terms in VPC
The following terms/components are important to understand VPC in AWS:
1) A Virtual Private Cloud: A logically isolated virtual network in the AWS cloud. You define a VPC’s IP address space from the ranges you select.
2) Subnet: A segment of a VPC’s IP address range where you can place groups of isolated resources.
3) Internet Gateway: The Amazon VPC side of a connection to the public Internet.
4) NAT Gateway: A highly available, managed Network Address Translation (NAT) service for your resources in a private subnet to access the Internet.
5) Hardware VPN Connection: A hardware-based VPN connection between your Amazon VPC and your data center, home network, etc.
6) Virtual Private Gateway: The Amazon VPC side of a VPN connection.
7) Customer Gateway: Your side of a VPN connection.
8) Peering Connection: A peering connection enables you to route traffic via private IP addresses between two peered VPCs.
9) VPC Endpoints: Enable private connectivity to services hosted in AWS from within your VPC, without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies.
10) Egress-only Internet Gateway: A stateful gateway to provide egress-only access for IPv6 traffic from the VPC to the Internet.
Types of VPC
1. Default VPC:
- It is present by default in every region of AWS.
- It has a default CIDR, Security Group, NACL, and route table configuration.
- It also has a default gateway.
2. Custom VPC:
- We can create a custom VPC as per our requirement (with a custom CIDR).
- It has a default CIDR, Security Group, NACL, and route table.
- It does not have an internet gateway; we need to create one manually if required.
Types of Subnet
1. Public Subnet:
- Basically, a public subnet is connected to the internet.
- It is connected to an internet gateway. This means a system attached to a public subnet can communicate directly with the internet.
2. Private Subnet:
- A private subnet is not connected to an internet gateway.
- Since it is not connected to an internet gateway, a system attached to the private subnet cannot communicate directly with the internet.
VPC Subnet Creation Rules
- When we create a VPC, we need to assign an IP address range and CIDR (prefix) to the VPC.
- AWS VPC allows us to create a CIDR in the /16 to /28 range.
- After creating the VPC and CIDR, also remember the reserved IP addresses, which cannot be assigned to our systems (non-valid IPs).
- The first 4 IPs and the last 1 are reserved for the following usage (total 5 IPs reserved; for example, in 10.0.0.0/24):
  - First IP reserved for the Network ID = 10.0.0.0
  - AWS reserves the 2nd IP for the Router (Gateway) = 10.0.0.1
  - AWS reserves the 3rd IP for the DNS Server = 10.0.0.2
  - AWS reserves the 4th IP for future usage = 10.0.0.3
  - Last IP address reserved for Broadcast = 10.0.0.255
Components of VPC
A] Subnets:
There are two types of subnets available:
Public subnet:
- Subnets which are reachable to and from the Internet; these subnets have connectivity to the Internet using Internet Gateways.
- Both inbound and outbound traffic from the internet is allowed.
Private Subnet:
- Subnets which are not reachable from the internet.
- They do not have connectivity with Internet Gateways.
- No inbound traffic from the internet is allowed.
- They can send outbound traffic to the internet using NAT gateways.
- Allowed block size (CIDR) while creating a subnet is from /16 to /28.
- Let’s consider the network of the VPC as 10.0.0.0/8, with Subnet 1 = 10.0.0.0/16:
  - 1st IP address = 10.0.0.1
  - Last IP address = 10.0.255.254, Broadcast Address (BA) = 10.0.255.255
- For each subnet, the first four IP addresses and the last IP address are reserved:
  - 10.0.0.0 = Network Address
  - 10.0.0.1 = Reserved by AWS for the VPC Router
  - 10.0.0.2 = Reserved by AWS for the DNS Server IP
  - 10.0.0.3 = Reserved by AWS for future use
  - 10.0.255.255 = Broadcast Address
- Maximum CIDR allowed while creating a subnet is /28.
- As in /29 subnets the total number of available IP addresses is 6, and out of that 5 IPs are reserved, there is only one IP available.
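As an added example (not code from the original article), the following Python computes the five reserved addresses and the usable host count for any subnet CIDR and enforces the /16-/28 rule described above, so the arithmetic for /24, /28 and /16 blocks can be checked rather than counted by hand. It uses only the standard library.

```python
# Added example, not from the original article: compute the five addresses AWS
# reserves in a subnet and the usable host count, enforcing the /16-/28 rule.
import ipaddress

MIN_PREFIX, MAX_PREFIX = 16, 28   # allowed CIDR block sizes stated in the text
RESERVED_PER_SUBNET = 5           # first four addresses plus the broadcast address


def reserved_addresses(cidr: str) -> dict:
    """Return the AWS-reserved addresses of an IPv4 subnet CIDR.

    AWS reserves the network address, +1 (VPC router), +2 (DNS server),
    +3 (future use) and the last address (broadcast, not usable in a VPC).
    Raises ValueError if the prefix is outside /16-/28 or the address is not
    the block's network address (e.g. "10.0.0.5/24").
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(
            f"{cidr}: prefix /{net.prefixlen} is outside /{MIN_PREFIX}-/{MAX_PREFIX}")
    base = int(net.network_address)
    return {
        "network":   str(net.network_address),
        "router":    str(ipaddress.IPv4Address(base + 1)),
        "dns":       str(ipaddress.IPv4Address(base + 2)),
        "future":    str(ipaddress.IPv4Address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(cidr: str) -> int:
    """Addresses that can be given to instances: block size minus the 5 reserved.
    /28 -> 11, /24 -> 251, /16 -> 65531."""
    reserved_addresses(cidr)          # validates the prefix first
    return ipaddress.IPv4Network(cidr).num_addresses - RESERVED_PER_SUBNET


def first_assignable(cidr: str) -> str:
    """First address an instance can actually receive (network address + 4)."""
    net = ipaddress.IPv4Network(cidr)
    return str(ipaddress.IPv4Address(int(net.network_address) + 4))


def is_assignable(cidr: str, ip: str) -> bool:
    """True if ip lies in the subnet and is not one of the reserved addresses."""
    net = ipaddress.IPv4Network(cidr)
    addr = ipaddress.IPv4Address(ip)
    return addr in net and str(addr) not in reserved_addresses(cidr).values()


if __name__ == "__main__":
    for block in ("10.0.0.0/24", "10.0.0.0/28"):
        print(block, reserved_addresses(block), "usable:", usable_hosts(block))
```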
B] Route Table
- It consists of rules, called routes, that determine where network traffic is directed.
- Each subnet in the VPC must be connected to only one route table.
- One route table can be associated with multiple subnets.
- One route table gets automatically created when we create a VPC.
- Additional custom route tables can be created.
- A maximum of 200 route tables can be created in one VPC.
- One route table can have a maximum of 50 routes.
Note: If a subnet is not explicitly associated with a custom route table, then it is implicitly associated with the default route table.
The following diagram shows a custom route table created for the private subnet, while the default route table is used for the public subnet.
C] Internet Gateway:
- It is a virtual router that connects the VPC to the internet.
- The default VPC is attached to an internet gateway.
- When we create a custom VPC, we need to create an Internet Gateway to access the VPC from the Internet.
- We need to add a route for the internet in the route table pointing towards the internet gateway.
D] NAT Gateways:
- NAT = Network Address Translation.
- It converts private IP addresses into public ones and public IP addresses into private ones.
- NAT gateways allow instances in a private subnet to connect to the internet, but these instances are not accessible from the internet.
- Instances created in a private subnet need internet access for software updates, security patches, etc.
- NAT gateways are not free.
- Charges are based on an hourly rate and data processing.
- NAT gateways are always created in the public subnet.
- It needs an Elastic IP address.
- Once the NAT gateway is available, there is no need to assign public IP addresses to instances created in the private subnet.
- Update the private routing table with the default route pointing towards the NAT gateway.
E] Virtual Private Gateway (VPN Connections):
- It is the VPN concentrator on the Amazon side of the VPN connection.
- We need to create a VPG and attach it to the VPC from which the VPN connection should be created.
- We can create static or dynamic routes through the VPG.
- The VPG only supports private Autonomous System Numbers.
- One VPG can have a maximum of 10 connections.
F] Customer Gateway (VPN Connections):
- A customer gateway device is a physical or software appliance that you own or manage in your on-premises network (on your side of a Site-to-Site VPN connection).
- To create a VPN connection between the VPG (Virtual Private Gateway) created on the Amazon side and the Customer Gateway on the customer side, a Customer Gateway resource needs to be created in AWS, which provides AWS with information about the Customer Gateway device.
G] Peering Connections:
- A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.
- Instances in either VPC can communicate with each other as if they were within the same network.
- We can create a VPC peering connection between our own VPCs, or with a VPC in another AWS account.
- The VPCs can be in different regions as well.
- Transitive peering is not allowed:
  - VPC-A peered with VPC-B
  - VPC-B peered with VPC-C
  Note: This will not create automatic peering between VPC-A and VPC-C.
- Overlapping CIDR blocks are also not allowed:
  - VPC-A = 10.0.0.0/16
  - VPC-B = 10.0.0.0/16
  Note: It is not possible to peer these two VPCs.
H] Endpoints:
- A VPC endpoint enables private connections between your VPC and supported AWS services and VPC endpoint services powered by AWS PrivateLink. AWS PrivateLink is a technology that enables you to privately access services by using private IP addresses.
- A VPC endpoint does not require an internet gateway, virtual private gateway, NAT device, VPN connection, or AWS Direct Connect connection.
- Instances in our VPC do not require public IP addresses to communicate with resources in the service.
- VPC endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components.
- They allow communication between instances in our VPC and services without imposing availability risks.
I] DHCP Options:
- The Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network.
- The options field of a DHCP message contains configuration parameters, including the domain name, domain name server, and the NetBIOS node type.
- When we create a VPC, a set of DHCP options is automatically created and associated with the VPC.
- We can configure our own DHCP options set for our VPC.
Options supported in a DHCP options set:
domain-name-servers
- The IP addresses of up to four domain name servers, or AmazonProvidedDNS.
- If specifying more than one domain name server, separate them with commas. Although you can specify up to four domain name servers, some operating systems may impose lower limits.
- To use this option, set it to either AmazonProvidedDNS or to custom domain name servers. If you set this option to both, the result might cause unexpected behavior.
- Default DHCP options set: AmazonProvidedDNS.
domain-name
- The domain name for your instances. You can specify a custom domain name (for example, example.com).
- This value is used to complete unqualified DNS hostnames.
- Default DHCP options set: for us-east-1, the value is ec2.internal. For other Regions, the value is region.compute.internal (for example, ap-northeast-1.compute.internal).
ntp-servers
- The IP addresses of up to four Network Time Protocol (NTP) servers.
netbios-name-servers
- The IP addresses of up to four NetBIOS name servers.
- Default DHCP options set: None.
netbios-node-type
- The NetBIOS node type (1, 2, 4, or 8).
- We recommend that you specify 2 (point-to-point, or P-node).
- Broadcast and multicast are not currently supported.
J] Elastic IPs:
- An Elastic IP address is a static IPv4 address designed for dynamic cloud computing. An Elastic IP address is allocated to your AWS account and is yours until you release it.
- An Elastic IP address is static; it does not change over time.
- To use an Elastic IP address, you first allocate one to your account, and then associate it with your instance or a network interface.
- When you associate an Elastic IP address with an instance, it is also associated with the instance’s primary network interface. When you associate an Elastic IP address with a network interface that is attached to an instance, it is also associated with the instance.
- When we associate an Elastic IP address with an instance or its primary network interface, the instance’s public IPv4 address (if it had one) is released back into Amazon’s pool of public IPv4 addresses. You cannot reuse a public IPv4 address, and you cannot convert a public IPv4 address to an Elastic IP address.
- We can disassociate an Elastic IP address from a resource, and then associate it with a different resource.
- A disassociated Elastic IP address remains allocated to our account until we explicitly release it.
K] Network ACL:
- It is an optional layer of security for the VPC.
- Network ACLs are stateless.
- It acts as a firewall for controlling the traffic in or out of one or more subnets.
- Every VPC has a default NACL applied which allows all incoming and outgoing traffic.
- The default ACL can be edited, or we can create a new ACL.
- Each subnet in the VPC must be associated with one Network ACL.
- If we don’t explicitly associate a subnet with a custom network ACL, it will be associated with the default NACL.
- One NACL can be associated with multiple subnets, but one subnet can be associated with only one NACL.
- It contains a list of statements or rules.
- Every statement in an ACL has a number; these statements are checked in order, starting with the lowest number first.
- The highest number that can be used is 32766.
- The first statement automatically has the number 100; add further statements with numbers in multiples of 100.
- New rules can be inserted at the desired position.
- There are two types of ACL:
  - Stateful ACL:
    - When a rule is created for inbound traffic, the outbound traffic corresponding to it is allowed by default.
    - Source: 0.0.0.0; Source Port: any (1024-65535); Destination: IP address of the EC2 instance; Port Number: TCP/3389.
  - Stateless ACL: define the rules explicitly for both inbound and outbound traffic.
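Added example, not code from the original article: a small Python model of how a Network ACL evaluates a packet (lowest rule number first, first match wins, implicit deny when nothing matches). It also shows why statelessness matters in practice: an inbound SSH allow rule is useless until a matching outbound rule for the client's ephemeral ports exists. The rule sets and addresses are constructed for the example.

```python
# Added example, not from the original article: a small model of how a Network ACL
# evaluates traffic. Rules are checked from the lowest number upward, the first match
# wins, and an implicit deny applies when nothing matches. Because NACLs are stateless,
# the reply to an allowed inbound packet must itself match an outbound allow rule.
from dataclasses import dataclass
import ipaddress

MAX_RULE_NUMBER = 32766   # highest usable rule number stated in the text


@dataclass(frozen=True)
class Rule:
    number: int        # evaluated lowest number first
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int     # inclusive port range, ignored for icmp/all
    port_to: int
    cidr: str          # source block (inbound) or destination block (outbound)
    action: str        # "allow" or "deny"

    def __post_init__(self):
        if not 1 <= self.number <= MAX_RULE_NUMBER:
            raise ValueError(f"rule number {self.number} must be 1..{MAX_RULE_NUMBER}")
        if self.action not in ("allow", "deny"):
            raise ValueError(f"unknown action {self.action!r}")


def evaluate(rules, protocol, port, address):
    """Return 'allow' or 'deny' for one packet against one direction's rules."""
    addr = ipaddress.IPv4Address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if rule.protocol in ("tcp", "udp") and not rule.port_from <= port <= rule.port_to:
            continue
        if addr not in ipaddress.IPv4Network(rule.cidr):
            continue
        return rule.action          # first match wins; later rules are not read
    return "deny"                   # the implicit final '*' deny rule


def ssh_session_allowed(inbound, outbound, client_ip, client_port):
    """Stateless check for an SSH session from client_ip: the request to tcp/22
    must pass the inbound list AND the reply to the client's ephemeral port
    must pass the outbound list. A stateful firewall would skip the second step."""
    request = evaluate(inbound, "tcp", 22, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"


# Constructed sample rule sets. The outbound list below allows HTTPS only, so SSH
# replies are dropped even though inbound tcp/22 is allowed; adding rule 200 for
# the ephemeral port range 1024-65535 fixes it.
INBOUND = [Rule(100, "tcp", 22, 22, "203.0.113.0/24", "allow")]
OUTBOUND_BROKEN = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [Rule(200, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
```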
L] VPN (Virtual Private Network):
- Virtual Private Network: two private networks communicate with each other over an existing public network (the internet).
- To secure this communication we need to use encryption protocols.
- On the transport layer, the protocol used for VPN connectivity is IPsec (IP Security).
- IPsec is responsible for authentication, encryption, and negotiation as well.
- There are different types of VPN connections available:
  - Site-to-site VPN
  - Remote Access VPN
- AWS supports the IPsec protocol for VPN configuration.
Additional notes on Elastic IPs (see J] above):
- When we associate an Elastic IP address with an instance that previously had a public IPv4 address, the public DNS hostname of the instance changes to match the Elastic IP address.
- An Elastic IP address comes from Amazon’s pool of IPv4 addresses, or from a custom IP address pool that you have brought to your AWS account.
- An Elastic IP address is for use in a specific Region only, and cannot be moved to a different Region.
VPC Peering between Two Different Regions
VPC Peering
- VPC peering allows communication between two different VPCs created in different Regions by using private IPs.
- We know that generally private IP addresses can’t communicate with each other over the internet. When we create two subnets in the same region it is fine; they will communicate with each other with the help of private IPs.
- But what happens when we create them in different regions?
- On AWS this is possible with VPC Peering.
Transitive peering – Not Allowed
- VPC does not support edge-to-edge routing, also known as transitive peering. That means traffic cannot go through one VPC to connect to another VPC.
- Can’t access from B to C through A. Must create VPC peering from B to C directly.
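The following Python is an added example (not the article's own code) that models route tables and peering as described in B] Route Table, G] Peering Connections and this section: overlapping CIDR blocks cannot peer, a peering carries no traffic until it is accepted and both route tables point at it, and A-B plus B-C gives A no path to C. The Mumbai/London names and CIDRs are taken from the scenario below; the pcx-* identifiers are placeholders.

```python
# Added example, not from the original article: a minimal model of VPC peering and
# route tables. It shows the three rules in the text: overlapping CIDRs cannot peer,
# a peering is unusable until accepted and routed, and peering is not transitive.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Vpc:
    name: str
    cidr: str
    routes: dict = field(default_factory=dict)   # destination CIDR -> target

    def __post_init__(self):
        self.routes.setdefault(self.cidr, "local")   # the automatic local route


@dataclass
class Peering:
    pcx_id: str
    requester: Vpc
    accepter: Vpc
    status: str = "pending-acceptance"   # other side must accept, as in step (IV)


def create_peering(pcx_id, requester, accepter):
    """Refuse the request when the two CIDR blocks overlap."""
    if ipaddress.IPv4Network(requester.cidr).overlaps(ipaddress.IPv4Network(accepter.cidr)):
        raise ValueError(f"{requester.name}/{accepter.name}: overlapping CIDR blocks")
    return Peering(pcx_id, requester, accepter)


def lookup_route(vpc, dst_ip):
    """Longest-prefix match over the VPC's route table; None when nothing matches."""
    dst = ipaddress.IPv4Address(dst_ip)
    matches = [(ipaddress.IPv4Network(c), t) for c, t in vpc.routes.items()
               if dst in ipaddress.IPv4Network(c)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def reachable(src, dst_ip, peerings):
    """True when src routes dst_ip locally or to an active peering whose far side
    owns dst_ip. The far side never forwards on to a third VPC (non-transitive)."""
    target = lookup_route(src, dst_ip)
    if target == "local":
        return True
    for p in peerings:
        if p.pcx_id != target or p.status != "active":
            continue
        far = p.accepter if p.requester is src else p.requester
        if ipaddress.IPv4Address(dst_ip) in ipaddress.IPv4Network(far.cidr):
            return True
    return False


def scenario():
    """Steps (IV)-(V) of the article: the ping fails until the peering is accepted
    and both route tables carry a route for the other VPC's CIDR."""
    mumbai, london = Vpc("Mumbai-VPC", "10.0.0.0/16"), Vpc("London-VPC", "192.168.0.0/16")
    pcx = create_peering("pcx-placeholder", mumbai, london)
    before = reachable(mumbai, "192.168.0.10", [pcx])     # pending, no route yet
    pcx.status = "active"                                  # London accepts (IV)
    mumbai.routes["192.168.0.0/16"] = london.routes["10.0.0.0/16"] = pcx.pcx_id   # (V)
    after = reachable(mumbai, "192.168.0.10", [pcx]) and reachable(london, "10.0.0.5", [pcx])
    return before, after
```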
Scenario: Create EC2, VPC, Public and Private Subnet, Internet Gateway, Route Table, and VPC Peering, and try to ping both instances’ IPv4 addresses from each other.
Answer:
(I)
Create VPC, Subnet, Internet Gateway and Route Table for the Mumbai Region
Step 1: VPC
Open console – VPC (services) – Create VPC – VPC Only – Name Tag (Mumbai VPC) – IPv4 CIDR – 10.0.0.0/16 – Create VPC.
Step 2: Subnet
Go to Subnets ➔ Click on Create Subnet ➔ Select your custom VPC from the dropdown menu ➔ Go to the Subnet Settings ➔ Set the name for the Subnet = Mumbai-Subnet ➔ Select the Availability Zone = ap-south-1a ➔ Insert the IPv4 CIDR Block = 10.0.0.0/24 ➔ Finally, click on Create Subnet.
Step 3: Internet Gateway
Go to Internet Gateways ➔ Click on the Create Internet Gateway button ➔ Under the Name tag set the name = Mumbai-IGW ➔ Now go to the Actions menu and select Attach to VPC ➔ Available VPCs (Mumbai-VPC) ➔ Attach Internet Gateway.
Step 4: Routing Tables
Click on Route Tables – Create Route Table – Name (Mumbai-RT) – VPC (Mumbai VPC) – Create route table – Subnet associations – Edit subnet associations – select Mumbai-Subnet – Save association – Routes – Edit routes – Add route – 0.0.0.0/0 – select Internet Gateway – Save changes.
(II)
Create VPC, Subnet, Internet Gateway, and Route Table for the London Region
Step 1: VPC
Open console – VPC (services) – Create VPC – VPC Only – Name Tag (London VPC) – IPv4 CIDR – 192.168.0.0/16 – Create VPC.
Step 2: Subnet
Go to Subnets ➔ Click on Create Subnet ➔ Select your custom VPC from the dropdown menu ➔ Go to the Subnet Settings ➔ Set the name for the Subnet = London-Subnet ➔ Select the Availability Zone = ap-south-1a ➔ Insert the IPv4 CIDR Block = 192.168.0.0/24 ➔ Finally, click on Create Subnet.
Step 3: Internet Gateway
Go to Internet Gateways ➔ Click on the Create Internet Gateway button ➔ Under the Name tag set the name = London-IGW ➔ Now go to the Actions menu and select Attach to VPC ➔ Available VPCs (London-VPC) ➔ Attach Internet Gateway.
Step 4: Routing Tables
Click on Route Tables – Create Route Table – Name (London-RT) – VPC (London-VPC) – Create route table – Subnet associations – Edit subnet associations – select London-Subnet – Save association – Routes – Edit routes – Add route – 0.0.0.0/0 – select Internet Gateway – Save changes.
(III)
Launch Amazon Linux 2023 in the Mumbai Region
1) Take an “Amazon Linux 2023” AMI.
2) Create a Key Pair = Mumbai-Linux-Key.
3) Under Network Settings ➔ Edit ➔ Select the VPC which you have created ➔ Select subnet = Mumbai-Subnet ➔ Auto-assign public IP = Enable.
4) Security Group (Firewall) = Select the option “Create Security Group newly” ➔ Name it Mumbai-SG, and finally launch the instance.
5) Go to Security Groups (Firewall) ➔ Select the check box of the Security Group which you created recently ➔ Go to the Inbound Rules ➔ Add the below protocols:
SSH = Anywhere IPv4
All Traffic = Anywhere IPv4
All ICMP IPv4 = Anywhere IPv4
And go to the Outbound Rules ➔ Add the below protocol:
All Traffic = Anywhere IPv4
6) Now connect with MobaXterm as below:
Go to the dashboard and select the running instance ➔ Click on it, copy the Public IPv4: 65.0.94.71 and paste it in MobaXterm as below.
Go to MobaXterm ➔ Click on the Sessions button.
Click on the SSH option and paste the details shown below:
Launch Amazon Linux 2023 in the London Region
1) Take an “Amazon Linux 2023” AMI.
2) Create a Key Pair = London-Linux-Key.
3) Under Network Settings ➔ Edit ➔ Select the VPC which you have created ➔ Select subnet = London-Subnet ➔ Auto-assign public IP = Enable.
4) Security Group (Firewall) = Select the option “Create Security Group newly” ➔ Name it London-SG, and finally launch the instance.
5) Go to Security Groups (Firewall) ➔ Select the check box of the Security Group which you created recently ➔ Go to the Inbound Rules ➔ Add the below protocols:
SSH = Anywhere IPv4
All Traffic = Anywhere IPv4
All ICMP IPv4 = Anywhere IPv4
And go to the Outbound Rules ➔ Add the below protocol:
All Traffic = Anywhere IPv4
6) Now connect with MobaXterm as below:
Go to the dashboard and select the running instance ➔ Click on it, copy the Public IPv4: 65.0.94.71 and paste it in MobaXterm as below.
Go to MobaXterm ➔ Click on the Sessions button.
Click on the SSH option and paste the details shown below:
NOTE: Now, copy the Mumbai Region instance’s private IPv4 address, paste it in the London Region Linux terminal and ping it.
Command: ping 192.168.0.0
You will get a failure.
(IV)
Launch VPC Peering Connection for the Mumbai Region
Step 1: Go to the VPC console of the Mumbai Region ➔ Click on the Peering connections option ➔ Click on Create peering connection ➔ Now fill in the details below:
Name: Mumbai to London
VPC ID: Select your Mumbai-Region VPC
Account: Select the option “My Account”
Region: Select the option “Another Region” ➔ From the dropdown box below select the opposite Region ➔ Europe (London) (eu-west-2) ➔ Insert the VPC ID of the London Region VPC.
Step 2: Once all of the above is done ➔ Click on the Create peering connection button.
Note: Once you create a peering connection in the Mumbai Region, a request is sent to the London Region. The London Region will get the request and you will be able to see it there in Pending status.
Launch VPC Peering Connection for the London Region
Step 1: Go to the VPC console of the London Region ➔ Click on the Peering connections option ➔ Select the pending request ➔ Go to Actions ➔ Accept request.
(V)
Once again go to the Routing Table of the Mumbai Region
Step 1: Go to the Route Table of the Mumbai Region ➔ Click Name (Mumbai-RT) ➔ Edit Routes ➔ Add Route: 192.168.0.0/16 ➔ Select peering connection ➔ Save changes.
Also, go to the Routing Table of the London Region
Step 1: Go to the Route Table of the London Region ➔ Click Name (London-RT) ➔ Edit Routes ➔ Add Route: 10.0.0.0/16 ➔ Select peering connection ➔ Save changes.
Author: Gandhar Bodas
© Copyright 2021 | SevenMentor Pvt Ltd.