Amazon Virtual Private Cloud (VPC) is a commercial cloud computing service that provides a virtual private cloud by provisioning a logically isolated section of the Amazon Web Services (AWS) Cloud. The service lets customers launch AWS resources into a virtual network they have defined, so a customer has complete control over their virtual networking environment, including selection of their own IP address range, creation of subnets, and configuration of route tables and network gateways. VPC is also highly customizable, and customizing it is straightforward.
AWS users can connect to an Amazon VPC through an Internet gateway, from an on-premises data center through the Hardware VPN Connection tool, or through a variety of AWS tools and other vendors' VPCs. When you open up a service within a public cloud, it is effectively open to the world and can be at risk from attacks over the Internet. To lock your instances down and secure them against attacks from the outside, you place them within a VPC. The VPC restricts the kinds of traffic, the IP addresses and the users that can access your instances. This keeps unwanted guests away from your resources and secures you against things like DDoS attacks.
Finally, there are quotas on the number of Amazon VPC components that you can provision; the current limits are listed in the Amazon VPC quotas documentation.
What is EC2-VPC?
With VPC, a user can define network configuration such as the IP address range and route tables, and manage network gateways and subnets. Users choose a range of IP addresses for their VPC; within this range, they can assign private and public IPv4 and IPv6 addresses to instances in the VPC so that the instances can communicate with the Internet and with instances in other VPCs. Static assignment of public IP addresses is not possible; when a consistent IP address is needed, a third type of address, the Elastic IP address, can be used in place of a public IP address.
VPC enables a developer to create security groups that limit inbound and outbound traffic to Amazon Elastic Compute Cloud (EC2) instances, and network access control lists that allow or deny traffic to subnets. A VPC can contain only public subnets or a combination of public and private subnets. AWS limits the size of each VPC, and a user cannot change the size once the VPC has been created. Amazon VPC also sets a limit of 200 subnets per VPC, each of which can support a minimum of 14 IP addresses.
When creating an EC2 instance, users can assign an IP address to the instance, as long as it is within the IP address range of the associated subnet, not assigned to another interface and not reserved by Amazon. VPC routers enable communication between instances in different subnets; they also allow subnets, Internet gateways and virtual private gateways to communicate with each other. A private subnet, on the other hand, is a subnet that has no route to the Internet gateway (the gateway you attach to your VPC to enable communication between resources in your VPC and the Internet). Users can route traffic from one VPC to another using private IP addresses. To achieve one-to-many connectivity between VPCs, you can deploy a transit gateway. Peering connects a route between two VPCs in the same account, or two VPCs in different accounts, in the same region.
AWS VPC allows users to connect to the Internet, to their corporate data center, and to other users' VPCs. Amazon VPC also lets a customer define a virtual network in their own logically isolated area of the AWS Cloud, into which AWS resources such as instances can be launched.
If you created your AWS account after 2013-12-04, it supports only EC2-VPC. In this case, AWS creates a default VPC for you in each AWS Region, so unless you create a non-default VPC and specify it when you launch an instance, AWS launches your instances into your default VPC.
VPCs can span multiple Availability Zones (AZs), but each subnet must reside within a single AZ. When AWS users first provision EC2 resources, they are launched into the default VPC if the subnet ID is left unspecified. Default VPCs offer the same level of security and network control as regular Amazon VPCs, but they allow a user to create and manage resources using the AWS Management Console, the EC2-Classic command line or the API. AWS places further limits per account and per region, including the number of VPCs (five), Elastic IP addresses (five), Internet gateways per VPC (one), virtual private gateways (five) and customer gateways (50).
Sources: en.wikipedia.org, searchaws.techtarget.com and infoq.com
Accessing Amazon VPC
We can create, access, and manage VPCs using any of the following interfaces:
- AWS Command Line Interface (AWS CLI): Provides commands, supported on Windows, Mac and Linux, for a broad set of AWS services, including Amazon VPC.
- AWS Management Console: Provides a web interface for accessing VPCs.
- Query API: The most direct way to access Amazon VPC; it provides low-level API actions that you call using HTTPS requests.
- AWS SDKs: Provide language-specific APIs and take care of many of the connection details.
Why use Amazon VPC?
- Host multi-tier web applications: VPC is useful for hosting multi-tier web applications, enforcing access and security restrictions between web servers, application servers, and databases. To create a VPC that supports this use case, select “VPC with Public and Private Subnets” in the Amazon VPC console wizard.
- Out-of-band and inline traffic inspection: VPC traffic mirroring duplicates traffic, including the full payload, from elastic network interfaces (ENIs) of EC2 instances and delivers it to out-of-band monitoring and security analysis tools. Inline traffic inspection lets you screen and secure traffic to protect your workloads from malicious actors.
- Extending the corporate network into the cloud: You can move corporate applications to the cloud, launch additional web servers, or add more compute capacity to your network by connecting your VPC to your corporate network.
- Hosting a website: You can host a basic web application or a website in a VPC. You can also help secure the website by creating security group rules that allow the web server to respond to inbound HTTP and SSL requests from the Internet while prohibiting it from initiating outbound connections to the Internet.
- Disaster recovery: Using Amazon VPC, you can periodically back up critical data from your data center to a small number of Amazon EC2 instances with Amazon Elastic Block Store (EBS) volumes, or import your virtual machine images to Amazon EC2.
- Secure connection of cloud applications to datacenter: An IPsec VPN connection between your Amazon VPC and your corporate network encrypts all communication between the application servers in the cloud and databases in your data center.
- Security: Amazon VPC provides advanced security features, such as security groups and network access control lists, to enable inbound and outbound filtering at the instance and subnet level.
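The web-server policy described under "Hosting a website" is where the difference between security groups (stateful, allow-only) and network ACLs (stateless, numbered allow/deny rules) matters most. The following Python model is an added example, not AWS code and not from the sources above: the security group admits inbound HTTP/HTTPS, has no outbound rule at all, and still passes replies while blocking server-initiated connections, whereas the network ACL drops replies unless an outbound rule for the client's ephemeral ports exists. The rule numbers, the 1024-65535 ephemeral range and the client and peer addresses are constructed sample values.

```python
import ipaddress
from typing import NamedTuple

EPHEMERAL = (1024, 65535)  # client source ports; a server's replies go back to these
ANY = "0.0.0.0/0"

class Rule(NamedTuple):
    proto: str             # "tcp" or "all"
    ports: tuple           # (from_port, to_port), inclusive
    cidr: str
    action: str = "allow"  # "deny" exists only on network ACLs
    def matches(self, proto, port, addr):
        return (self.proto in ("all", proto) and self.ports[0] <= port <= self.ports[1]
                and ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr))

class SecurityGroup:  # stateful and allow-only: replies to permitted traffic always pass
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound, self.flows = inbound, outbound, set()
    def inbound_ok(self, proto, local_port, src):
        ok = any(r.matches(proto, local_port, src) for r in self.inbound)
        if ok:
            self.flows.add((proto, local_port, src))  # track the accepted connection
        return ok
    def outbound_ok(self, proto, local_port, remote_port, dst):
        if (proto, local_port, dst) in self.flows:    # a reply on a tracked flow
            return True
        return any(r.matches(proto, remote_port, dst) for r in self.outbound)

class NetworkAcl:  # stateless: numbered rules, lowest matching number wins, implicit deny
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound  # lists of (number, Rule)
    def allows(self, direction, proto, port, addr):     # direction is "in" or "out"
        for _, rule in sorted(self.inbound if direction == "in" else self.outbound,
                              key=lambda nr: nr[0]):
            if rule.matches(proto, port, addr):
                return rule.action == "allow"
        return False  # the trailing '*' rule denies anything unmatched

def web_server_sg():  # inbound HTTP/HTTPS from anywhere, no outbound rules at all
    return SecurityGroup([Rule("tcp", (80, 80), ANY), Rule("tcp", (443, 443), ANY)], [])
def web_server_nacl(allow_ephemeral_out):  # same inbound policy, return-traffic rule optional
    inbound = [(100, Rule("tcp", (80, 80), ANY)), (110, Rule("tcp", (443, 443), ANY))]
    outbound = [(100, Rule("tcp", EPHEMERAL, ANY))] if allow_ephemeral_out else []
    return NetworkAcl(inbound, outbound)

def scenario(client="203.0.113.7"):  # constructed client address from the RFC 5737 range
    sg, good, bad = web_server_sg(), web_server_nacl(True), web_server_nacl(False)
    return {"sg_request": sg.inbound_ok("tcp", 443, client),                 # allowed by rule
            "sg_reply": sg.outbound_ok("tcp", 443, 51000, client),            # allowed by state
            "sg_initiate": sg.outbound_ok("tcp", 40000, 80, "198.51.100.9"),  # no rule: blocked
            "nacl_reply_with_ephemeral": good.allows("out", "tcp", 51000, client),
            "nacl_reply_without_ephemeral": bad.allows("out", "tcp", 51000, client)}
```

Running `scenario()` shows the two outbound reply checks diverging: the security group passes the reply on connection state alone, while the network ACL without the ephemeral-port rule silently drops it.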