Amazon VPC is a fundamental building block in AWS, offering the ability to create a secure, isolated, and highly customizable network environment in the cloud. It allows you to have your own IP address range, subnets, internet gateways, NAT gateways, and security groups. VPC is the one that introduces the concept of private cloud in the world of public cloud and adds a lot of security.

You can have multiple VPCs in an AWS region (max. 5 per region – soft limit)

What are the Default services we get when we create a custom AWS VPC?

Main Route Table
Default Security Group
Default Network ACL (Access Control List)
Default VPC Subnet
Internet Gateway (IGW)

What is default VPC and nondefault VPC?

If you have a default VPC in a Region and you don't specify a subnet when you launch an EC2 instance into that Region, we choose one of the default subnets and launch the instance into that subnet. You can also create your own VPC and configure it as you need. This is known as a nondefault VPC.

Default VPC	Non-default VPC
Automatically created in each AWS region.	Manually created for customized settings
Preconfigured settings and internet connectivity	Requires explicit configuration for internet access.
Suitable for quick deployments	Offers greater flexibility and control

What are the key components of Amazon VPC?

The main components of an Amazon VPC are:

Subnets: A large section of IP Address divided into chunks are known as subnets

Gateway: Gateway is a network device that connects different networks. For example, an Amazon VPC (Virtual Private Cloud) can be connected to an on-premises network using an AWS VPN Gateway.

A Transit Gateway is a service in AWS that allows you to connect multiple VPCs and on-premises networks together in a hub-and-spoke model.

Route Tables: A Route table is a set of rules that determine where network traffic is directed within your VPC

Internet Gateway: An internet gateway (IGW) in Amazon Web Services (AWS) is a component that allows communication between a Virtual Private Cloud (VPC) and the internet

NAT Gateway: A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances.

Security Groups: Virtual firewalls controlling inbound and outbound traffic for your resources.

Network Access Control Lists (NACLs): Virtual firewalls controlling inbound and outbound traffic at the subnet level.

What is CIDR?

CIDR Classless Inter-Domain Routing (CIDR) – a method for allocating IP addresses. Every machine, server, and end-user device that connects to the internet has a unique number, called an IP address, associated with it.

A CIDR consists of two components Base IP & Subnet Mask

What is meant by Subnet?

A large section of IP Address divided into chunks are known as subnets

Public Subnet: The server in the public subnet gets assigned a public IP address. The public internet can reach it, and it can reach the public internet.
Private Subnet: The server in the private subnet does not get a public IP and is not accessible from the outside internet (but it can reach the internet through the NAT Gateway).

By default, how many IP addresses does AWS reserve in a subnet?
Answer: 5

How can you convert a public subnet to a private subnet?
Answer: Remove IGW & add NAT Gateway, Associate subnet in Private route table

`When setting up a Virtual Private Cloud (VPC), it is imperative to specify an`IP address`in the range that dictates the VPC's dimensions. This defined range essentially determines the` size of your VPC.

Types of Amazon VPC

1. Default VPC

When you create an AWS account, a default VPC is automatically set up in each AWS region. It comes with default configurations, including a main route table, a security group, and a network ACL. The default VPC is designed for convenience but may not be the most secure option, as it has default security group rules that allow certain traffic. You can, however, modify and secure the default VPC according to your requirements.

2. Custom VPC

A custom VPC is one that you create yourself, tailoring it to your organization's specific needs. You have full control over the IP address range, subnet design, and routing configuration. This level of customization is beneficial for enterprises and developers looking to create a network environment that precisely aligns with their applications and security policies.

3. VPC Peering Connection

● VPC peering connection allows you to connect 1 VPC with another VPC. Instances in these VPCs behave as if they are in the same network.

● Peering connections can be established between VPCs in the same region, VPCs in a different region, or VPCs in another AWS Account as well

4. Transit Gateway

For more complex networking needs, Transit Gateway is an ideal solution. It enables you to connect multiple VPCs, on-premises data centers, and remote offices in a hub-and-spoke model. This simplifies network management and helps ensure low latency and secure connections, making it suitable for large-scale enterprise architectures.

When to Use Each Type

Default VPC: The default VPC is best suited for beginners or those who need a quick and straightforward setup. However, it's crucial to review and adjust its security settings to meet your specific requirements.
Custom VPC: Custom VPCs are ideal for businesses and projects with unique network requirements. You can build your VPC from the ground up, ensuring that it aligns perfectly with your applications and security needs.
VPC Peering: Use VPC peering when you have resources in multiple VPCs that need to communicate with each other while remaining separate. This is often the case when you want to maintain network isolation between different teams or projects.
Transit Gateway: For large enterprises with extensive network needs, Transit Gateway simplifies complex network topologies. It streamlines connectivity between VPCs, data centers, and remote locations, making it the right choice for organizations with a global presence.

Can you establish a peering connection to a VPC in a different REGION?

Not possible. Peering Connections are available only between VPCs in the same region

Can you connect your VPC with a VPC owned by another AWS account?

Yes, Possible. Provided the owner of other VPCs accepts your connection

What is a Route table?

A Route table is a set of rules that determine where network traffic is directed within your VPC
One Subnet can connect to one route table at a time.
But one Route table can connect to multiple subnets.
If the route table is connected to the Internet Gateway and that route table is associated with the subnet, then that subnet will be considered as a Public Subnet.
The private subnet is not associated with the route table which is connected to the Internet gateway.

Here's why route tables are important:

1. Routing Decisions:

A route table contains entries that specify the destination for traffic. For example, a default route might direct all traffic to the Internet through an Internet Gateway.

2. Custom Routing:

You can create custom route tables to define specific routing rules for your subnets. This flexibility allows you to control how traffic flows within your VPC.

3. Network Segmentation:

By manipulating the routes in a route table, you can control which subnets can communicate with one another. This is a powerful security feature that helps prevent unauthorized traffic.

Can you edit a Route Table in VPC?

Yes. You can always modify route rules to specify which subnets are routed to the Internet gateway, the virtual private gateway, or other instances.

Difference between Internet Gateway and NAT Gateway

Internet Gateway (IGW): An Internet Gateway in Amazon VPC is a horizontally scalable, redundant, and highly available VPC component that allows communication between Instances in the VPC and the Internet. It essentially enables traffic to flow in and out of the VPC to and from the public internet. IG helps our VPC instances connect with the Internet
NAT Gateway (Network Address Translation): A NAT gateway is a Network Address Translation (NAT) service. You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC. Internet GW allows both inbound and outbound access to the internet whereas the NAT Gateway only allows outbound access

NAT Instance

● A network address translation (NAT) instance is an Amazon Linux machine Image (AMI) that is designed to accept traffic from instances within a private subnet, translate the source IP address to the Public IP address of the NAT instance, and forward the traffic to IWG.

● It will be deployed in the Public Subnet.

● NAT Instance allows you to initiate IPv4 Outbound traffic to the internet.

● It will not allow the instance to receive inbound traffic from the internet.

NAT Gateway

● Nat Gateway is Managed by AWS.

● NAT will be using the elastic IP address.

● You will be charged for NAT gateway on a per-hour basis and data processing rates.

● NAT is not for IPv6 traffic.

● NAT gateway allows you to initiate IPv4 Outbound traffic to the internet.

● It will not allow the instance to receive inbound traffic from the internet.

What are Network Access Control lists (ACLs) in Amazon VPC?

Network ACLs are stateless filters that control inbound and outbound traffic at the subnet level. They provide an additional layer of security to control traffic flow.

Given is thearchitecture of a VPC,

in which there are two public and two private subnets. In the private subnet lies our webservers and the public subnet has a load balancer and a NAT gateway. The purpose of a NAT gateway is to mask the IP address of the webservers, if in case the webservers need to talk to the internet which is outside the VPC, with that of its own public IP and hence providing security to it. The load balancer takes the traffic to both servers according to the load of the requests. The security groups act as an Endpoint of the security at the instance level while the NACLs act at the subnet level.

How can you control the security of your VPC?
You can use security groups and NACL (Network Access Control List) to control the security of your VPC.

What is Elastic IP?

An elastic IP address (EIP) is a public IP address that you can purchase and use as an independent resource. It is designed for dynamic cloud computing. When you want to have a static IP address for your instances when you stop and restart your instances, you will be using an EIP address.

Maximum number of EC2 that can be created in VPC?
A maximum of 20 instances can be created in a VPC. we can create 20 reserve instances and request spot instances as per demand.

How do security groups work in Amazon VPC?

Security groups act as virtual firewalls for your instances, controlling inbound and outbound traffic. They can be associated with instances and control their network access.

What are the target groups for AWS?

Target groups route requests to individual registered targets, such as EC2 instances, using the protocol and port number that you specify

AWS Security using Security Groups and NACL

AWS (Amazon Web Services) provides multiple layers of security to protect resources and data within its cloud infrastructure. Two important components for network security in AWS are Security Groups and Network Access Control Lists (NACLs). Let's explore how each of them works:

Security Groups:
    Security Groups act as virtual firewalls for Amazon EC2 instances (virtual servers) at the instance level. They control inbound and outbound traffic by allowing or denying specific protocols, ports, and IP addresses.
    Each EC2 instance can be associated with one or more security groups, and each security group consists of inbound and outbound rules.
    Inbound rules determine the traffic that is allowed to reach the EC2 instance, whereas outbound rules control the traffic leaving the instance.
    Security Groups can be configured using IP addresses, CIDR blocks, security group IDs, or DNS names to specify the source or destination of the traffic.
    They operate at the instance level and evaluate the rules before allowing traffic to reach the instance.
    Security Groups are stateful, meaning that if an inbound rule allows traffic, the corresponding outbound traffic is automatically allowed, and vice versa.
    Changes made to security group rules take effect immediately.

Network Access Control Lists (NACLs):
    NACLs are an additional layer of security that operates at the subnet level. They act as stateless traffic filters for inbound and outbound traffic at the subnet boundary.
    Unlike Security Groups, NACLs are associated with subnets, and each subnet can have only one NACL. However, multiple subnets can share the same NACL.
    NACLs consist of a numbered list of rules (numbered in ascending order) that are evaluated in order from lowest to highest.
    Each rule in the NACL includes a rule number, protocol, rule action (allow or deny), source or destination IP address range, port range, and ICMP (Internet Control Message Protocol) type.
    NACL rules can be configured to allow or deny specific types of traffic based on the defined criteria.
    They are stateless, which means that if an inbound rule allows traffic, the corresponding outbound traffic must be explicitly allowed using a separate outbound rule.
    Changes made to NACL rules may take some time to propagate to all the resources using the associated subnet.

Keyword: Both NACLs and Security Groups can be used to allow or deny traffic, but NACLs operate at the subnet level, while Security Groups operate at the instance level

Example: In your organization, DevOps Engineers are the ones who take care of the instance level security that is "security groups" as well as "Nacls" What you can do effectively?

Instead of adding security groups for each and every ec2 instance, you apply Nacl to the subnet level. Even If there are 10000 ece instances this Nacl configuration is directly applied to ec2 Instances So you can automate this manual activity of assigning the rules to each and every instance using group.

How can you monitor network traffic in your VPC?

You can monitor network traffic in your VPC using Amazon VPC Flow Logs, which capture details of incoming and outgoing traffic. This feature helps you analyze and troubleshoot network activity by providing data on source and destination IP addresses, ports, protocols, and more.

Define the size of a VPC.

The size of a Virtual Private Cloud (VPC) in Amazon Web Services (AWS) refers to the range of private IP addresses that can be used for the instances and resources within the VPC. The size is defined by the CIDR block (Classless Inter-Domain Routing) that you specify when creating the VPC

CIDR Classless Inter-Domain Routing(CIDR) – a method for allocating IP addresses Used in Security group rules and AWS networking in general

Defined by CIDR Block: When you create a VPC, you specify a CIDR block that determines the range of private IP addresses available for instances and resources within the VPC.
IP Address Range: The size of the VPC is determined by the total number of IP addresses in the CIDR block. For example, The allowed block size is between

a /16 netmask (65,536 IP addresses) and a/28 netmask (16 IP addresses). After you've created your VPC, you can associate additional IPv4 CIDR blocks with the VPC.

Scenario-Based Questions and Some Important Questions:

You have been assigned to design a VPC architecture for a 2-tier application. The application needs to be highly available and scalable. How would you design the VPC architecture?

In this scenario, I would design a VPC architecture in the following way.

● I would create 2 subnets: public and private. The public subnet would contain the load balancers and be accessible from the internet. The private subnet would host the application servers. I would distribute the subnets across multiple Availability Zones for high availability. Additionally, I would configure auto-scaling groups for the application servers.

Your organization has a VPC with multiple subnets. You want to restrict outbound internet access for resources in one subnet, but allow outbound internet access for resources in another subnet. How do you achieve this?

● To restrict outbound internet access for resources in one subnet, we can modify the route table associated with that subnet. In the route table, we can remove the default route (0.0.0.0/0) that points to an internet gateway. This would prevent resources in that subnet from accessing the internet. For the subnet where outbound internet access is required, we can keep the default route pointing to the internet gateway.

You have a VPC with a public subnet and a private subnet. Instances in the private subnet need to access the internet for software updates. How would you allow internet access for instances in the private subnet?

● To allow internet access for instances in the private subnet, we can use Gateway or a NAT instance. We would place the NAT Gateway/instance in the public subnet and configure the private subnet route table to send outbound traffic to the NAT Gateway/instance. This way, instances in the private subnet can access the internet through the NAT Gateway/instance.

You have launched EC2 instances in your VPC, and you want them to communicate with each other using private IP addresses. What steps would you take to enable this communication?

By default, instances within the same VPC can communicate with each other using private IP addresses.

● To ensure this communication, we need to make sure that the instances are launched in the same VPC and are placed in the same subnet or subnets that are connected through a peering connection or a VPC peering link.

●Additionally, we should check the security groups associated with the instances to ensure that the necessary inbound and outbound rules are configured to allow communication between them.

You want to implement strict network access control for your VPC resources. How would you achieve this?

●To implement granular network access control for VPC resources, we Network Access Control Lists (ACLS).

● NACLS are stateless and operate at the subnet level. We can define inbound and outbound rules in the NACLS to allow or deny traffic based on source and destination IP addresses, ports, and protocols.

●By carefully configuring NACL rules, we can enforce fine-grained access control for traffic entering and leaving the subnets.

Your organization requires an isolated environment within the VPC for running sensitive workloads. How would you set up this isolated environment?

●To set up an isolated environment within the VPC, we can create a subnet with no internet gateway attached.

● This subnet, known as an "isolated subnet," will not have direct internet connectivity. We can place the sensitive workloads in this subnet, ensuring that they are protected from inbound and outbound internet traffic.

●However, if these workloads require outbound internet access, we can set up a NAT Gateway or NAT instance in a different subnet and configure the isolated subnet's route table to send outbound traffic through the NAT Gateway/instance.

Your application needs to access AWS services, such as S3 securely within your VPC. How would you achieve this?

●To securely access AWS services within the VPC, we can use VPC endpoints to allow instances in the VPC to communicate with AWS services privately, without requiring internet gateways or NAT gateways.

●We can create VPC endpoints for specific AWS services, such as S3 and DynamoDB, and associate them with the VPC.

●This enables secure and efficient communication between the instances in the VPC and the AWS services.

How can you connect your on-premises network to Amazon VPC?

You can establish a Virtual Private Network (VPN) connection or use AWS Direct Connect to connect your on-premises network to Amazon VPC.

How can you ensure private communication between instances in Amazon VPC?

You can create private subnets and configure security groups to allow communication only between instances within the same subnet, enhancing network security.

Can you peer VPCs in different regions?

No, VPC peering is limited to VPCs within the same region. To connect VPCs across regions, you would need to use a VPN or AWS Direct Connect.

How can you control public and private IP addresses in Amazon VPC?

Amazon VPC allows you to allocate private IP addresses to instances automatically. Public IP addresses can be associated with instances launched in public subnets.

What is a VPN connection in Amazon VPC?

A VPN connection allows you to securely connect your on-premises network to your Amazon VPC using encrypted tunnels over the public internet.

What is an Internet Gateway (IGW) in Amazon VPC?

An Internet Gateway enables instances in your VPC to access the internet and allows internet traffic to reach instances in your VPC.

How can you ensure high availability in Amazon VPC?

You can design your VPC with subnets across multiple Availability Zones (AZs) to ensure that your resources remain available in the event of an AZ outage.

How does Amazon VPC provide isolation?

Amazon VPC provides isolation by allowing you to define and manage your own virtual network environment, including subnets, route tables, and network ACLs.

Can you modify a VPC after creation?

While you can modify certain attributes of a VPC, such as its IP address range and subnets, some attributes are immutable, like the VPC's CIDR block.

What is a default route in Amazon VPC?

A default route in a route table directs traffic to the Internet Gateway (IGW), allowing instances in public subnets to communicate with the Internet.

What is the purpose of the Amazon VPC Endpoint?

An Amazon VPC Endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services without needing an internet gateway or VPN connection.

Overall VPC Summary!!!