Top 13 Amazon Virtual Private Cloud (VPC) Best Practices

Amazon VPC brings a host of advantages to the table, including static private IP addresses, Elastic Network Interfaces, secure bastion host setup, DHCP options, Advanced Network Access Control, predictable internal IP ranges, VPN connectivity, movement of internal IPs and NICs between instances, heightened security, and more.

Read on to learn more about some key implementation-related best practices for developers and companies that utilize Amazon VPC. Whether you’re currently maintaining an existing VPC implementation or you’re planning to migrate to the AWS ecosystem, this guide can help you identify thirteen best practices. Here they are:

1. Choosing the Proper VPC Configuration for Your Organization’s Needs

First, you’ll need to select the right architecture for your Amazon VPC implementation.  You’ll want to keep in mind the specific requirements you currently have and those you predict you will need in the future.

It is advisable to design your Amazon VPC implementation based on your expansion requirements looking ahead at least two years.

Today, there are various Amazon VPC setup types available, including:

  1. Public and Private VPC
  2. Public-Facing VPC
  3. Amazon VPC – Private Subnets and Hardware VPN Access
  4. Amazon VPC – Public and Private Subnets and Hardware VPN Access
  5. Software-based VPN access – and so on

You can select whichever configuration best suits your current and future requirements.

2. Choosing a CIDR Block for Your VPC Implementation

When designing your Amazon VPC instance, you must consider the number of IP addresses required and the connectivity type with the data center before choosing the CIDR block. The permissible size of the block ranges between /16 netmask and a /28 netmask.

As of now, you cannot alter or modify Amazon VPC, so it is better to pick the CIDR block that has more IP addresses. While designing your Amazon VPC architecture to communicate with the on-premise data center, it is required that the CIDR range used in Amazon VPC does not overlap or cause a conflict with the CIDR block in the on-premise data center.

3. Isolating Your VPC Environments

Physical isolation which is present in the on-premise environment should also be a part of the cloud environment. It’s always better to create a distinct Amazon VPC for development, production, and staging – or one Amazon VPC with Separate Security/Subnets/isolated NW groups for staging, production and development.

4. Securing Your Amazon VPC Implementation 

Running a machine with mission-critical workloads requires multiple layers of security. Amazon VPC can be secured like your on-premise data center by following some of these useful tips:

  • Amazon Web Services Marketplace offers you a web application firewall, a firewall virtual appliance, and a few other tools which you can use to secure your Amazon VPC.
  • To secure your protocols from unauthorized use or intrusion you can configure intrusion detection systems and intrusion prevention virtual appliances.
  • With the help of Configure Privileged Identity access management, you can audit and monitor Administrator access to your VPC.
  • For transferring information securely between Amazon VPC among diverse regions or Amazon VPC to an on-premise data center, you can easily configure a Site to Site VPN.

For more information about AWS security, be sure to check out Cloud Academy’s Security Fundamentals for AWS course.

5. Creating Your Disaster Recovery Plan

Developing a disaster recovery plan with respect to your VPC implementation is of critical importance. Here are few simple rules to follow:

You need to ensure that you do not have any conflicts with your on-premises subnet CIDR block in the event where both need to be integrated into the on-premise data center as well.

After creating these CIDR blocks, instantiate a VPC which will tunnel between regions and to your on-premise data center. It may help to replicate the data with the aid of private IPs.

For more disaster recovery best practices, check out this hands-on CloudFormation lab from Cloud Academy.

6. Traffic Control and Security

To bolster your implementation’s security posture, you should take advantage of software like Sophos or Squid to limit URLs, domains, ports, etc. which would then allow all traffic to pass through the controlled proxy tier and would also get logged.
Using these proxy and security systems, you could also limit threatening and unwanted ports.
Click here to walk step-by-step through the process of securing your VPC infrastructure.  

7. Keep your Data Close

If cost is more critical for your needs as opposed to high availability, it could be a good idea to keep the Web and App within the same availability zone as RDS, ElastiCache, and so on of the Amazon VPC. You can develop and design the subnets accordingly. However, it is not a recommended architecture for applications which demand high availability.

8. VPC Peering

With the introduction of VPC peering features, life has become easier for AWS users. With the help VPC peering connectivity, you can connect two Amazon VPCs and which would then enable you to route traffic between them with the aid of private IP addresses.

As AWS uses the current infrastructure of a VPC for creating a VPC peering connection; it is neither a VPN connection nor a gateway, and does not depend on any physical hardware.

VPC Peering can be useful in various scenarios such as:

  1. Big corporations typically have multiple Amazon VPCs which are running in a single region with interconnected applications requiring private and secure access inside AWS.
  2. Some large organizations have different AWS accounts for various business departments or units or teams, where at times the systems which have been deployed in different AWS accounts by some business units are required to be shared or consumed privately.
  3. To achieve integrated access of systems, the customer can peer their VPC with their core suppliers.

9. EIP – Just In Case

It is always advisable to keep a part of your application services in the public subnet for external communication. It is also a recommended exercise to associate them with Amazon EIP (Elastic IP) and whitelisting these IP addresses in the target services which are used by them.

10. NAT Instances

In specific cases, there might be hundreds of EC2 instances within the Amazon VPC which are creating lots of heavy web service or HTTP calls simultaneously. At times, even a single NAT instance with the largest EC2 size may not be able to handle that bandwidth and may cause performance issues.

During such events, it is advisable to span the EC2 across multiple subnets and create NATs for each the subnets. With the help of this strategy, you can spread the outgoing bandwidth while improving the performance of VPC-based deployments.

11. Determining the NAT Instance Type

Every time EC2 instances residing within the private subnet of your Amazon VPC implementation are created or make HTTP/SQS/S3 calls, they go through a NAT instance.

You should scale the NAT instance capacity per your application needs in order to avoid performance bottlenecks. With the help of NAT instances, you can save on the cost of an Elastic IP, which also provides an extra level of security without revealing the instances to the outer world for accessing the internet.

12. IAM for Your Amazon VPC Infrastructure

When planning who will maintain your Amazon VPC, you can enlist the help of Amazon IAM to help you create accounts with granular levels of permissions. Also, you can use Sophisticated Privileged Identity Management solutions which are available on the AWS Marketplace to IAM your VPC.

13. ELB on Amazon VPC

While using ELB for web applications, ensure that you place all other EC2 instances in private subnets wherever possible. Except where there is an explicit requirement for instances requiring outside world access and Elastic IP attached, place all the instances in private subnets only. In the Amazon VPC environment, only ELBs must be in the public subnet as secure practice.

Summary

We’ve covered a lot of ground in this best practices guide for AWS VPC implementations.

Be sure to also check out Cloud Academy’s AWS Solutions Architect Associate learning path. You’ll learn everything there is to know about developing scalable and sustainable AWS architectures, as well as gain a solid mastery of the knowledge and skills necessary to pass the exam and acquire your certification.

As always, please leave a comment below if you have any questions – we’ll be happy to help!

Avatar

Written by

Sudhi Seshachala

Sudhi is part of Cloud Technology Partners & is a trusted advisor and strategic consultant to many C level executives and IT Directors. He brings 18+ years diverse experience covering software, IT operations, cloud technologies, and management. Have led several global teams in HP, Sun/Oracle, SeeBeyond and few startups to deliver scalable and highly available business/technology products and solutions. He has expertise in systems management, monitoring and integrated SaaS and on-premise applications addressing a wide range of business problems.

Related Posts

Avatar
Jeremy Cook
— September 17, 2019

Cloud Migration Risks & Benefits

If you’re like most businesses, you already have at least one workload running in the cloud. However, that doesn’t mean that cloud migration is right for everyone. While cloud environments are generally scalable, reliable, and highly available, those won’t be the only considerations dri...

Read more
  • AWS
  • Azure
  • Cloud Migration
Joe Nemer
Joe Nemer
— September 12, 2019

Real-Time Application Monitoring with Amazon Kinesis

Amazon Kinesis is a real-time data streaming service that makes it easy to collect, process, and analyze data so you can get quick insights and react as fast as possible to new information.  With Amazon Kinesis you can ingest real-time data such as application logs, website clickstre...

Read more
  • amazon kinesis
  • AWS
  • Stream Analytics
  • Streaming data
Joe Nemer
Joe Nemer
— September 6, 2019

Google Cloud Functions vs. AWS Lambda: The Fight for Serverless Cloud Domination

Serverless computing: What is it and why is it important? A quick background The general concept of serverless computing was introduced to the market by Amazon Web Services (AWS) around 2014 with the release of AWS Lambda. As we know, cloud computing has made it possible for users to ...

Read more
  • AWS
  • Azure
  • Google Cloud Platform
Joe Nemer
Joe Nemer
— September 3, 2019

Google Vision vs. Amazon Rekognition: A Vendor-Neutral Comparison

Google Cloud Vision and Amazon Rekognition offer a broad spectrum of solutions, some of which are comparable in terms of functional details, quality, performance, and costs. This post is a fact-based comparative analysis on Google Vision vs. Amazon Rekognition and will focus on the tech...

Read more
  • Amazon Rekognition
  • AWS
  • Google Cloud Platform
  • Google Vision
Alisha Reyes
Alisha Reyes
— August 30, 2019

New on Cloud Academy: CISSP, AWS, Azure, & DevOps Labs, Python for Beginners, and more…

As Hurricane Dorian intensifies, it looks like Floridians across the entire state might have to hunker down for another big one. If you've gone through a hurricane, you know that preparing for one is no joke. You'll need a survival kit with plenty of water, flashlights, batteries, and n...

Read more
  • AWS
  • Azure
  • Google Cloud Platform
  • New content
  • Product Feature
  • Python programming
Joe Nemer
Joe Nemer
— August 27, 2019

Amazon Route 53: Why You Should Consider DNS Migration

What Amazon Route 53 brings to the DNS table Amazon Route 53 is a highly available and scalable Domain Name System (DNS) service offered by AWS. It is named by the TCP or UDP port 53, which is where DNS server requests are addressed. Like any DNS service, Route 53 handles domain regist...

Read more
  • Amazon
  • AWS
  • Cloud Migration
  • DNS
  • Route 53
Alisha Reyes
Alisha Reyes
— August 22, 2019

How to Unlock Complimentary Access to Cloud Academy

Are you looking to get trained or certified on AWS, Azure, Google Cloud Platform, DevOps, Cloud Security, Python, Java, or another technical skill? Then you'll want to mark your calendars for August 23, 2019. Starting Friday at 12:00 a.m. PDT (3:00 a.m. EDT), Cloud Academy is offering c...

Read more
  • AWS
  • Azure
  • cloud academy content
  • complimentary access
  • GCP
  • on the house
Avatar
Michael Sheehy
— August 19, 2019

What Exactly Is a Cloud Architect and How Do You Become One?

One of the buzzwords surrounding the cloud that I'm sure you've heard is "Cloud Architect." In this article, I will outline my understanding of what a cloud architect does and I'll analyze the skills and certifications necessary to become one. I will also list some of the types of jobs ...

Read more
  • AWS
  • Cloud Computing
Avatar
Nitheesh Poojary
— August 19, 2019

Boto: Using Python to Automate AWS Services

Boto allows you to write scripts to automate things like starting AWS EC2 instances Boto is a Python package that provides programmatic connectivity to Amazon Web Services (AWS). AWS offers a range of services for dynamically scaling servers including the core compute service, Elastic...

Read more
  • Automated AWS Services
  • AWS
  • Boto
  • Python
Avatar
Andrew Larkin
— August 13, 2019

Content Roadmap: AZ-500, ITIL 4, MS-100, Google Cloud Associate Engineer, and More

Last month, Cloud Academy joined forces with QA, the UK’s largest B2B skills provider, and it put us in an excellent position to solve a massive skills gap problem. As a result of this collaboration, you will see our training library grow with additions from QA’s massive catalog of 500+...

Read more
  • AWS
  • Azure
  • content roadmap
  • Google Cloud Platform
Avatar
Adam Hawkins
— August 9, 2019

DevSecOps: How to Secure DevOps Environments

Security has been a friction point when discussing DevOps. This stems from the assumption that DevOps teams move too fast to handle security concerns. This makes sense if Information Security (InfoSec) is separate from the DevOps value stream, or if development velocity exceeds the band...

Read more
  • AWS
  • cloud security
  • DevOps
  • DevSecOps
  • Security
Avatar
Stefano Giacone
— August 8, 2019

Test Your Cloud Knowledge on AWS, Azure, or Google Cloud Platform

Cloud skills are in demand | In today's digital era, employers are constantly seeking skilled professionals with working knowledge of AWS, Azure, and Google Cloud Platform. According to the 2019 Trends in Cloud Transformation report by 451 Research: Business and IT transformations re...

Read more
  • AWS
  • Cloud skills
  • Google Cloud
  • Microsoft Azure