Top 13 Amazon Virtual Private Cloud (VPC) Best Practices

Amazon Virtual Private Cloud (VPC) brings a host of advantages to the table, including static private IP addresses, Elastic Network Interfaces, secure bastion host setup, DHCP options, Advanced Network Access Control, predictable internal IP ranges, VPN connectivity, movement of internal IPs and NICs between instances, heightened security, and more. Read on to learn more about some key implementation-related best practices for developers and companies that utilize Amazon VPC. Whether you’re currently maintaining an existing VPC implementation or you’re planning to migrate to the AWS ecosystem, this article will help you identify the top thirteen best practices.

To gain hands-on practice in a virtual networking environment, including the selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways, check out Cloud Academy’s Introduction to Virtual Private Cloud Hands-on Lab. 


1. Choosing the proper VPC configuration for your organization’s needs

Best practices start at the foundation, so select the right architecture for your Amazon VPC implementation, keeping in mind both the requirements you have today and those you expect to have in the future.

It is advisable to design your Amazon VPC implementation based on your expansion requirements looking ahead at least two years.

Today, there are various Amazon VPC setup types available, including:

  1. Public and Private VPC
  2. Public-Facing VPC
  3. Amazon VPC – Private Subnets and Hardware VPN Access
  4. Amazon VPC – Public and Private Subnets and Hardware VPN Access
  5. Software-based VPN access – and so on

You can select whichever configuration best suits your current and future requirements.

2. Choosing a CIDR block for your VPC implementation

When designing your Amazon VPC, consider the number of IP addresses you need and how you will connect to your data center before choosing the CIDR block. The permissible block size ranges from a /16 netmask to a /28 netmask.

As of now, you cannot change an Amazon VPC's CIDR block once it has been created, so it is better to pick a block with more IP addresses than you currently need. When your Amazon VPC must communicate with an on-premises data center, the CIDR range used in the VPC must not overlap or conflict with the CIDR block of the on-premises data center.
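The two checks this section describes (block size between /16 and /28, no overlap with the on-premises range) are easy to automate before anything is created. The following is an added example, not code from the article or from AWS; the VPC block, the data-center range and the "shared services" peer VPC are constructed sample values, and the five reserved addresses per subnet are the ones AWS holds back in every subnet. The same overlap test applies to any VPC you later intend to peer with (practice 8), which is why a second existing range is included.

```python
import ipaddress

# Constructed sample input (not taken from the article): the VPC block we want
# to create and the ranges it must not overlap, namely the on-premises data
# center reached over VPN and an existing VPC we may want to peer with later.
PROPOSED_VPC_CIDR = "10.20.0.0/16"
EXISTING_RANGES = {
    "on-prem-dc": "10.0.0.0/12",            # constructed corporate range
    "vpc-shared-services": "10.40.0.0/16",  # constructed peer VPC
}

# The article's stated limits for a VPC CIDR block.
MIN_PREFIX, MAX_PREFIX = 16, 28
# AWS reserves the first four and the last address of every subnet.
RESERVED_PER_SUBNET = 5


def check_vpc_cidr(cidr: str, existing: dict) -> list:
    """Return a list of problems with a proposed VPC CIDR; an empty list means it is usable."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if net.version != 4:
        return ["the primary VPC CIDR block must be IPv4"]
    problems = []
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(f"prefix /{net.prefixlen} is outside the allowed /{MIN_PREFIX} to /{MAX_PREFIX}")
    # Overlap with the data center or a future peer VPC would make routing ambiguous.
    for name, other in existing.items():
        if net.overlaps(ipaddress.ip_network(other, strict=True)):
            problems.append(f"overlaps {name} ({other})")
    return problems


def subnet_capacity(vpc_cidr: str, subnet_prefix: int) -> tuple:
    """Number of subnets of the given prefix that fit in the VPC, and usable hosts per subnet."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    if not net.prefixlen <= subnet_prefix <= MAX_PREFIX:
        raise ValueError(f"subnet prefix must lie between /{net.prefixlen} and /{MAX_PREFIX}")
    count = 2 ** (subnet_prefix - net.prefixlen)
    usable = 2 ** (32 - subnet_prefix) - RESERVED_PER_SUBNET
    return count, usable


if __name__ == "__main__":
    for candidate in (PROPOSED_VPC_CIDR, "10.8.0.0/16", "192.168.0.0/14"):
        issues = check_vpc_cidr(candidate, EXISTING_RANGES)
        print(candidate, "OK" if not issues else "; ".join(issues))
    print(PROPOSED_VPC_CIDR, "split into /24 subnets:", subnet_capacity(PROPOSED_VPC_CIDR, 24))
```

Running it reports the proposed 10.20.0.0/16 as usable, flags 10.8.0.0/16 because it sits inside the data-center range, and rejects 192.168.0.0/14 for being larger than a /16. The capacity helper is there because "pick the block with more addresses" is only meaningful once you know how many subnets of your chosen size it yields after AWS's reserved addresses are subtracted.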

3. Isolating your VPC environments

The physical isolation you have between environments on-premises should carry over to the cloud. It is always better to create distinct Amazon VPCs for development, staging, and production, or a single Amazon VPC with separate security groups, subnets, and isolated network groups for each of those environments.

4. Best practices for securing your AWS VPC implementation 

Running a machine with mission-critical workloads requires multiple layers of security. Amazon VPC can be secured like your on-premises data center by following some of these useful tips:

  • Amazon Web Services Marketplace offers you a web application firewall, a firewall virtual appliance, and a few other tools which you can use to secure your Amazon VPC.
  • To protect your protocols from unauthorized use or intrusion, you can deploy intrusion detection and intrusion prevention virtual appliances.
  • By configuring privileged identity and access management, you can audit and monitor administrator access to your VPC.
  • To transfer information securely between Amazon VPCs in different regions, or between an Amazon VPC and an on-premises data center, you can configure a Site-to-Site VPN.
  • Another option to transfer information securely is to use AWS Transfer for Secure File Transfer Protocol (AWS SFTP). With AWS SFTP, you use VPC endpoints and avoid using public IP addresses or going through the internet. In addition, VPC endpoints for AWS SFTP leverage security functionality via AWS PrivateLink, which provides private connections between your VPCs and AWS services.

For more information about AWS security, be sure to check out Cloud Academy’s Security Fundamentals for AWS course.

5. Creating your disaster recovery plan

Developing a disaster recovery plan with respect to your VPC implementation is of critical importance. Here are a few key tips to guide you:

  • Ensure that the CIDR blocks of your VPCs do not conflict with your on-premises subnet CIDR blocks, since the recovery environment may also need to be integrated with the on-premises data center.
  • After choosing these CIDR blocks, create a VPC that tunnels between regions and to your on-premises data center; replicating data over private IPs can help here.
  • For more disaster recovery best practices, check out this hands-on CloudFormation lab from Cloud Academy which goes into detail on how to ensure recoverability during disasters with rapid re-deployment. 

6. Traffic control and security

To bolster your implementation's security posture, use software such as Sophos or Squid to restrict the URLs, domains, and ports that may be reached, so that all outbound traffic passes through a controlled proxy tier where it is also logged.

Using these proxy and security systems, you can also block dangerous and unwanted ports.

Click here to walk step-by-step through the process of securing your VPC infrastructure.
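For the Squid option mentioned above, the core of the "controlled proxy tier" is a small set of ACLs that name the permitted destinations and ports, deny everything else, and log every request. The fragment below is an added example, not configuration from the article or from the Squid project; 10.20.0.0/16 is a constructed VPC range and the allowed domains are constructed placeholders that you would replace with the endpoints your instances actually need.

```conf
# Added example squid.conf fragment (not from the article).
# Assumption: instances in the private subnets have no direct route to the
# internet and are configured to use this proxy on port 3128.
http_port 3128

acl vpc_clients src 10.20.0.0/16                       # constructed VPC range
acl allowed_domains dstdomain .amazonaws.com .ubuntu.com   # constructed allow-list
acl allowed_ports port 80 443
acl ssl_ports port 443
acl CONNECT method CONNECT

# Every request is written here, so the proxy tier doubles as the audit point.
access_log /var/log/squid/access.log squid

# Order matters: Squid applies the first http_access line that matches.
http_access deny !vpc_clients          # only hosts inside the VPC may use the proxy
http_access deny !allowed_ports        # only listed ports, blocking unwanted ones
http_access deny CONNECT !ssl_ports    # tunnels only to 443
http_access allow vpc_clients allowed_domains
http_access deny all                   # everything not explicitly allowed is refused
```

Because the final rule is `deny all`, adding a new destination is a deliberate change to `allowed_domains` rather than a silent default, and the access log gives you a per-request record of what each instance tried to reach.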

7. Keep your data close

If cost matters more to you than high availability, it can be a good idea to keep your web server and app server in the same Availability Zone as RDS, ElastiCache, and so on within the Amazon VPC, and to design your subnets accordingly. However, this is not a recommended architecture for applications that demand high availability.

8. VPC peering

When VPC peering was first introduced, it made life easier for AWS users. A VPC peering connection lets you connect two Amazon VPCs and route traffic between them using private IP addresses.

A key quality of VPC peering connections is that they are neither a VPN connection nor a gateway, and so do not depend on any physical hardware. Instead, AWS uses the existing infrastructure of a VPC to create the peering connection.

VPC Peering can be useful in various scenarios such as:

  • Interconnected applications requiring private and secure access inside AWS. Typically, this can happen within large enterprises that have multiple VPCs running in a single region.
  • Systems deployed in different AWS accounts by various business units that need to be shared or consumed privately. Some large organizations have separate AWS accounts for different business departments, units, and/or teams, each with its own communication needs.
  • Better-integrated access to systems, such as when a customer peers their VPC with a core supplier's VPC.

9. EIP – just in case

It is always advisable to keep the part of your application that must communicate externally in the public subnet. It is also recommended to associate those services with Amazon Elastic IP (EIP) addresses and to whitelist these addresses in the target services that receive their traffic.

10. Best practices for NAT instances

In some cases, there may be hundreds of EC2 instances within an AWS VPC making many heavy web service or HTTP calls simultaneously. Even a single NAT instance of the largest EC2 size may not be able to handle that bandwidth and may cause performance issues.

In such cases, spread the EC2 instances across multiple subnets and create a NAT for each subnet. This strategy spreads the outgoing bandwidth and improves the performance of VPC-based deployments.

11. Determining the NAT instance type

Whenever EC2 instances in the private subnet of your Amazon VPC are launched or make HTTP, SQS, or S3 calls, their traffic goes through a NAT instance.

Scale NAT instance capacity to your application's needs to avoid performance bottlenecks. NAT instances also save the cost of an Elastic IP per instance and add a layer of security, since the instances reach the internet without being exposed to the outside world.

12. IAM for your AWS VPC infrastructure

When planning who will maintain your Amazon VPC, use AWS Identity and Access Management (IAM) to create accounts with granular permissions, starting with the least privilege possible. You can also use sophisticated Privileged Identity Management solutions available on the AWS Marketplace to manage access to your VPC.

13. ELB on Amazon VPC

When using an ELB for web applications, place all other EC2 instances in private subnets wherever possible. Unless an instance has an explicit requirement for outside-world access with an Elastic IP attached, place it only in a private subnet. In the Amazon VPC environment, secure practice dictates that only ELBs should be in the public subnet.
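Practices 3, 10 and 13 together describe a concrete layout: one public and one private subnet per environment and Availability Zone, a NAT in each private subnet's own AZ, and only load balancers (plus the NATs themselves and instances with an explicit Elastic IP) in the public subnets. The code below is an added example, not from the article or from AWS: it carves a constructed 10.20.0.0/16 VPC into that layout and then audits a constructed resource inventory against those placement rules. The environment, AZ, subnet and resource names are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample layout (not from the article): one VPC, two environments,
# two Availability Zones. All names are assumptions for the example.
VPC_CIDR = "10.20.0.0/16"
ENVIRONMENTS = ["prod", "staging"]
AZS = ["us-east-1a", "us-east-1b"]


@dataclass
class Subnet:
    name: str
    cidr: str
    env: str
    az: str
    public: bool          # True when the route table sends 0.0.0.0/0 to the IGW
    default_route: str    # "igw" for public subnets, else the name of the NAT it uses


@dataclass
class Resource:
    name: str
    kind: str             # "elb", "nat" or "ec2"
    env: str
    subnet: str
    has_eip: bool = False # an explicit Elastic IP means outside access is intended


def plan_subnets(vpc_cidr, envs, azs, prefix=24):
    """Carve the VPC into a public and a private subnet per environment and AZ.
    Each private subnet gets its own NAT in the same AZ (practice 10)."""
    blocks = iter(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix))
    subnets = []
    for env in envs:
        for az in azs:
            subnets.append(Subnet(f"{env}-public-{az}", str(next(blocks)), env, az, True, "igw"))
            subnets.append(Subnet(f"{env}-private-{az}", str(next(blocks)), env, az, False, f"nat-{env}-{az}"))
    return subnets


def audit_placement(subnets, resources):
    """Findings against the article's rules: environments stay in their own subnets
    (practice 3), every private subnet's NAT sits in the same AZ (practice 10), and
    only ELBs, NATs and EIP-bearing instances live in public subnets (practice 13)."""
    by_name = {s.name: s for s in subnets}
    findings = []
    for r in resources:
        s = by_name[r.subnet]
        if r.env != s.env:
            findings.append(f"{r.name}: {r.env} resource placed in {s.env} subnet {s.name}")
        if s.public and r.kind == "ec2" and not r.has_eip:
            findings.append(f"{r.name}: EC2 instance in public subnet {s.name} without an Elastic IP; move it to a private subnet")
        if not s.public and r.kind == "elb":
            findings.append(f"{r.name}: ELB placed in private subnet {s.name}")
    nat_az = {r.name: by_name[r.subnet].az for r in resources if r.kind == "nat"}
    for s in subnets:
        if s.public:
            continue
        if s.default_route not in nat_az:
            findings.append(f"{s.name}: default route points at missing NAT {s.default_route}")
        elif nat_az[s.default_route] != s.az:
            findings.append(f"{s.name}: NAT {s.default_route} lives in another AZ")
    return findings


# Constructed inventory with three deliberate mistakes for the audit to catch.
SAMPLE_RESOURCES = [
    Resource("web-elb", "elb", "prod", "prod-public-us-east-1a"),
    Resource("nat-prod-us-east-1a", "nat", "prod", "prod-public-us-east-1a"),
    Resource("nat-prod-us-east-1b", "nat", "prod", "prod-public-us-east-1b"),
    Resource("bastion", "ec2", "prod", "prod-public-us-east-1a", has_eip=True),
    Resource("app-1", "ec2", "prod", "prod-private-us-east-1a"),
    Resource("app-2", "ec2", "prod", "prod-public-us-east-1b"),          # mistake: public, no EIP
    Resource("nat-staging-us-east-1a", "nat", "staging", "staging-public-us-east-1a"),
    Resource("stg-app", "ec2", "staging", "prod-private-us-east-1b"),     # mistake: wrong environment
    # mistake: no NAT exists for staging-private-us-east-1b
]

if __name__ == "__main__":
    subnets = plan_subnets(VPC_CIDR, ENVIRONMENTS, AZS)
    for s in subnets:
        print(f"{s.name:30} {s.cidr:16} default -> {s.default_route}")
    for f in audit_placement(subnets, SAMPLE_RESOURCES):
        print("FINDING:", f)
```

Run stand-alone it prints the eight subnets with their default routes and three findings: the instance sitting in a public subnet without an Elastic IP, the staging workload placed in a production subnet, and the private subnet whose default route points at a NAT that was never created. The same audit can be fed from an inventory exported from your account once the subnet and resource records are mapped onto the two dataclasses.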

One freebie tip — tags!

Yes, tags. Tagging is important. You may (and hopefully do) use a tagging policy to organize resources efficiently for reporting. Keep doing this, and bear in mind what would be helpful for admins and users to see: there are many perspectives in your deployment, not just the networking point of view. With that in mind, adopt a tagging strategy and refine it as you move forward. A good place to start is with tags covering environment, purpose, business unit, and so on.

Summary

We’ve covered a lot of ground in this best practices guide for AWS VPC implementations.

Be sure to also check out Cloud Academy’s AWS Solutions Architect Associate learning path. You’ll learn everything there is to know about developing scalable and sustainable AWS architectures, as well as gain a solid mastery of the knowledge and skills necessary to pass the exam and acquire your certification.

As always, please leave a comment below if you have any questions – we’ll be happy to help!


Written by

Sudhi Seshachala

Sudhi is part of Cloud Technology Partners and is a trusted advisor and strategic consultant to many C-level executives and IT Directors. He brings 18+ years of diverse experience covering software, IT operations, cloud technologies, and management. He has led several global teams at HP, Sun/Oracle, SeeBeyond and a few startups to deliver scalable and highly available business/technology products and solutions. He has expertise in systems management, monitoring, and integrated SaaS and on-premise applications addressing a wide range of business problems.

