AWS VPC configuration: getting it right.
The great thing about an AWS VPC is the incredible flexibility and security it offers. Amazon’s VPCs allow you to provision compute resources, like EC2 instances and RDS deployments, inside Amazon’s isolated virtual networks, giving you complete control over all inbound and outbound network traffic. You can select IP address ranges, subnet association, and route table and network gateway configuration. You’re really in control.
Here’s what’s great about the VPCs:
- Since instances launched into an AWS VPC aren’t directly accessible from the internet, they are by default more secure.
- VPCs simplify security, allowing seamless integration with ACLs, Routing rules, and security groups.
- You can attach multiple network interfaces.
- You can directly connect your on-premise network to an AWS VPC.
- VPCs simplify secure, multi-tier web deployments (like connecting a public app to a private database server living in a private subnet).
- Disaster recovery backup images built on VPC connectivity through private connections can make recovering mission-critical data simpler and more reliable.
- Launch-dedicated instances running on hardware dedicated to a single customer gain additional isolation.
On the other hand…
As well-designed as VPCs are, they’re not bulletproof. Especially when human beings get involved. Since you should be aiming for absolute perfection for all your deployments, make sure that you avoid these configuration blunders:
Five AWS VPC config mistakes
- Poor subnet/CIDR Block planning: Administrators often fail to keep network compatibility and future needs in mind while designing their VPC subnets and CIDR blocks. Bearing in mind that AWS VPC subnet blocks, once assigned, can’t be modified, you should carefully calculate how many nodes each subnet might need. Remember: creating a /24 or /27 CIDR might not leave you enough addresses. Also, choosing, say, a 10.0.0.0/16 block for your VPC subnet when the local data center you want to connect to uses 10.0.26.0/24 won’t end happily.
- Public IP addresses: When you launch an instance into the public subnet of a nondefault VPC (using it’s default settings), it will not get a public IP or hostname the way it would use the old EC2-Classic. Once it’s created, the only way to make your instance publicly addressable is by assigning an elastic IP to the node. Elastic IPs are not free and, by default, you are limited to five per account (although you can always request more).
- Sharing Production and Development Environments: Putting all your staging, dev, and production environments into a single VPC will pretty much guarantee loads of confusion and endless security group and routing table conflicts.
- Not considering distributed redundancy for NAT instances: Smart admins always build High-Availability into their applications. But then some of them place their applications or database servers inside private subnets that will access remote services (S3, SQS, patches, and updates) through stand-alone NAT instances. When the NAT instance goes down, your whole application will break. Here’s a quick tutorial to build and configure a NAT Instance.
- Assuming an AWS VPC requires complex networking skills: VPCs are not switches. VPCs are not routers. VPCs are not firewalls. Even if they perform the work of all three of those hardware tools, VPCs are really software-defined networks (SDN). AWS designed them from the bottom up to be straightforward and uncomplicated. You do need to understand a few very basic networking concepts like routing, NAT, VPN, and ACL, but AWS itself does most of the heavy lifting.
If you’re still hosting your applications within EC2-Classic, you should seriously consider migrating to AWS VPC to leverage the huge benefits of VPC. But always stick with Best Practices…and think ahead!
And by the way, Cloud Academy has a full video course on AWS VPCs.
New on Cloud Academy: AWS Solution Architect Lab Challenge, Azure Hands-on Labs, Foundation Certificate in Cyber Security, and Much More
Now that Thanksgiving is over and the craziness of Black Friday has died down, it's now time for the busiest season of the year. Whether you're a last-minute shopper or you already have your shopping done, the holidays bring so much more excitement than any other time of year. Since our...
Understanding Enterprise Cloud Migration
What is enterprise cloud migration? Cloud migration is about moving your data, applications, and even infrastructure from your on-premises computers or infrastructure to a virtual pool of on-demand, shared resources that offer compute, storage, and network services at scale. Why d...
6 Reasons Why You Should Get an AWS Certification This Year
In the past decade, the rise of cloud computing has been undeniable. Businesses of all sizes are moving their infrastructure and applications to the cloud. This is partly because the cloud allows businesses and their employees to access important information from just about anywhere. ...
AWS Regions and Availability Zones: The Simplest Explanation You Will Ever Find Around
The basics of AWS Regions and Availability Zones We’re going to treat this article as a sort of AWS 101 — it’ll be a quick primer on AWS Regions and Availability Zones that will be useful for understanding the basics of how AWS infrastructure is organized. We’ll define each section,...
Application Load Balancer vs. Classic Load Balancer
What is an Elastic Load Balancer? This post covers basics of what an Elastic Load Balancer is, and two of its examples: Application Load Balancers and Classic Load Balancers. For additional information — including a comparison that explains Network Load Balancers — check out our post o...
Advantages and Disadvantages of Microservices Architecture
What are microservices? Let's start our discussion by setting a foundation of what microservices are. Microservices are a way of breaking large software projects into loosely coupled modules, which communicate with each other through simple Application Programming Interfaces (APIs). ...
Kubernetes Services: AWS vs. Azure vs. Google Cloud
Kubernetes is a popular open-source container orchestration platform that allows us to deploy and manage multi-container applications at scale. Businesses are rapidly adopting this revolutionary technology to modernize their applications. Cloud service providers — such as Amazon Web Ser...
AWS Internet of Things (IoT): The 3 Services You Need to Know
The Internet of Things (IoT) embeds technology into any physical thing to enable never-before-seen levels of connectivity. IoT is revolutionizing industries and creating many new market opportunities. Cloud services play an important role in enabling deployment of IoT solutions that min...
Which Certifications Should I Get?
As we mentioned in an earlier post, the old AWS slogan, “Cloud is the new normal” is indeed a reality today. Really, cloud has been the new normal for a while now and getting credentials has become an increasingly effective way to quickly showcase your abilities to recruiters and compan...
How to Go Serverless Like a Pro
So, no servers? Yeah, I checked and there are definitely no servers. Well...the cloud service providers do need servers to host and run the code, but we don’t have to worry about it. Which operating system to use, how and when to run the instances, the scalability, and all the arch...
AWS Security: Bastion Hosts, NAT instances and VPC Peering
Effective security requires close control over your data and resources. Bastion hosts, NAT instances, and VPC peering can help you secure your AWS infrastructure. Welcome to part four of my AWS Security overview. In part three, we looked at network security at the subnet level. This ti...
Top 13 Amazon Virtual Private Cloud (VPC) Best Practices
Amazon Virtual Private Cloud (VPC) brings a host of advantages to the table, including static private IP addresses, Elastic Network Interfaces, secure bastion host setup, DHCP options, Advanced Network Access Control, predictable internal IP ranges, VPN connectivity, movement of interna...