The following is derived from a recorded webinar, and it has been edited for clarity. You can view the original webinar recording here and download the slide deck here.
- What is an AWS VPC?
- Virtual Private Cloud Flexibility
- AWS VPC Topology
- Accessing the AWS VPC
- AWS VPC Packet Flow
What is an AWS VPC?
A VPC (Virtual Private Cloud) is a virtual network that’s specific to your environment. Amazon Virtual Private Clouds or AWS VPC provide you with your own virtual private data center and private network within your AWS account. Once you have created a VPC, you can create resources, such as EC2 instances, in your VPC to keep them physically isolated from other resources in AWS.
A VPC gives you configuration options that allow you to tune your VPC environment. These options include: being able to configure your private IP address ranges, setup private subnets, control and manipulate the routing versus route tables, setup different networking gateways and get granular with security settings from both a network ACL as well as a security group type settings.
Virtual Private Cloud Flexibility
One of the greatest features of the AWS VPC is flexibility. You configure what is going to be your IP address range, how the VPC routing works, whether or not you’re going to allow VPN access, and what the architecture of the different VPC subnets is going to be. You have security options such as security groups and network ACLs and specific routing rules that can be configured to enable different features, such as running multiple NIC interfaces, configuring static private IP addresses and VPC peering.
VPCs can be leveraged to create an AWS hybrid cloud by leveraging the AWS Direct Connect service. AWS Direct Connect allows you to connect your on-prem resources into the AWS cloud over a high bandwidth, low latency connection.
It is possible to connect one VPC to another VPC. Both VPCs may be in the same organization, or you can connect one to other organizations for specific services. Endpoint flow logs can be enabled that can help you with troubleshooting connectivity issues to specific services within the VPC itself.
AWS VPC Topology
VPCs are used in a single region. But they are a multi-availability zone, which basically means that each subnet you create has the ability to live in a different availability zone or in a single availability zone. All of the subnets that you create within a VPC can route to each other by default.
The overall network size for a single VPC can be anywhere between a16 or 28 subnet for the overall CIDR (Classless Inter-Domain Routing) of the VPC, and is configurable for each of the subnets that you want to set within the AWS VPC.
You have the ability to choose your own IP prefix. If you want the 10 network, the 50 network or whatever you’d like your private IP address to be, the IP prefix is configurable within your AWS VPC network topology.
Accessing the AWS VPC
There are several types of gateways to connect into and out of a VPC. One of the questions often ask is what do each of these gateways do? How do they work?
The internet gateway allows you to point specific resources within your VPC via route tables to gain access to the outside world, or you can leverage a NAT (Network Address Translation) instance. This allows you to enable VPN access into your VPC, using AWS Direct Connect or another VPN solution to gain access to resources inside the VPC.
There are two parts involved in setting up a VPN to your VPC.
The VPG (Virtual Private Gateway) which is the AWS side of a VPN connection
The customer gateway which is the customer side of a VPN connection. Most of the major VPN hardware vendors have supported template configurations that can be downloaded directly from the virtual private gateway interface within your VPC via the AWS console.
How do the packets flow within a Virtual Private Cloud?
Let’s use the above example setup of a VPC and discuss how the packets will flow.
In this example, we have three subnets:
We have three instances in the VPC:
- instance A connected to subnet 1 (10.0.0.0)
- instance C connected to subnet 3 (10.0.2.0)
- instance B has two elastic network interfaces, or ENIs, that are connected to two subnets
- subnet 1 (10.0.0.0)
- subnet 2 (10.0.1.0)
AWS VPC Packet Flow (Instance A and Instance B)
How do instance A and instance B connect to each other over subnet 1?
- Instance A and B both living in the same subnet so by default, the routing table is the first check and the routing table automatically has a default route associated with it to route to all traffic within the overall CIDR of the VPC.
- Next, it hits the ARP (Address Resolution Protocol) table, the outbound portion of the firewall, a source and destination check occurs, which is a configurable option within AWS.
- Then it hits the outbound security group which, by default, the outbound security group is wide open. All traffic is allowed out.
- It then goes over to the other instance and checks the inbound security group, a second source and destination check and then hits the firewall before the packet flows into instance B.
When people run into VPC networking issues they say, “I can SSH, or I can’t SSH, or I can ping, or I can’t ping,” and a lot of the problems that people experience in troubleshooting connectivity here are primarily around the security groups on the inbound side because the outbound is opened by default. The inbound side is usually the first place to check when you’re having some type of connectivity issue within the AWS VPC to ensure that the security group is not blocking the type of traffic based upon either source or destination IP or port number, for example, that may be impairing your connectivity.
AWS VPC Packet Flow (Instance B and Instance C)
How would the packets flow to instance B and C? Remember, instance B is living in two subnets (Subnet 1 and 2), and instance C which is living in subnet 3.
If instance B wanted to talk to instance C, it can go one of two ways. It could go out subnet 1 or subnet 2. Regardless of which subnet it goes out on, the same rules apply. It’s going to hit the route table, go to the firewall, source destination check, security group out.
It’s going to check the route table to make sure it has a route to that destination network, and then because it’s going to a different network, it’s going to check the network ACL out, and then on the reverse side it comes back in. It’s going to check the network ACL in before it checks the security group, so it’s different types of connectivity options for instances that happen to live in a different subnet.
Understanding the above flow can be very useful. Once you understand how the packets flow and where they were going, how everything was being checked, it allows you to better troubleshoot VPC network connectivity issues.
Once you grasp the VPC networking concepts in this blog, we suggest you have a look at our “Best Practices Learned from 1,000 AWS VPC Configurations” blog post. In it, we share a detailed look at best practices for the configuration of an AWS VPC and common VPC configuration errors.