Amazon Web Services – Transit VPC
Amazon Web Services Transit vpc: Amazon Web Services (AWS) infrastructure and networks can be connected to each other and other non-AWS infrastruct...Learn More
Amazon VPC brings a host of advantages to the table, including static private IP addresses, Elastic Network Interfaces, secure bastion host setup, DHCP options, Advanced Network Access Control, predictable internal IP ranges, VPN connectivity, movement of internal IPs and NICs between instances, heightened security, and more.
Read on to learn more about some key implementation-related best practices for developers and companies that utilize Amazon VPC. Whether you’re currently maintaining an existing VPC implementation or you’re planning to migrate to the AWS ecosystem, this guide can help you identify thirteen best practices. Here they are:
First, you’ll need to select the right architecture for your Amazon VPC implementation. You’ll want to keep in mind the specific requirements you currently have and those you predict you will need in the future.
It is advisable to design your Amazon VPC implementation based on your expansion requirements looking ahead at least two years.
Today, there are various Amazon VPC setup types available, including:
You can select whichever configuration best suits your current and future requirements.
When designing your Amazon VPC instance, you must consider the number of IP addresses required and the connectivity type with the data center before choosing the CIDR block. The permissible size of the block ranges between /16 netmask and a /28 netmask.
As of now, you cannot alter or modify Amazon VPC, so it is better to pick the CIDR block that has more IP addresses. While designing your Amazon VPC architecture to communicate with the on-premise data center, it is required that the CIDR range used in Amazon VPC does not overlap or cause a conflict with the CIDR block in the on-premise data center.
Physical isolation which is present in the on-premise environment should also be a part of the cloud environment. It’s always better to create a distinct Amazon VPC for development, production, and staging – or one Amazon VPC with Separate Security/Subnets/isolated NW groups for staging, production and development.
Running a machine with mission-critical workloads requires multiple layers of security. Amazon VPC can be secured like your on-premise data center by following some of these useful tips:
For more information about AWS security, be sure to check out Cloud Academy’s Security Fundamentals for AWS course.
Developing a disaster recovery plan with respect to your VPC implementation is of critical importance. Here are few simple rules to follow:
You need to ensure that you do not have any conflicts with your on-premises subnet CIDR block in the event where both need to be integrated into the on-premise data center as well.
After creating these CIDR blocks, instantiate a VPC which will tunnel between regions and to your on-premise data center. It may help to replicate the data with the aid of private IPs.
For more disaster recovery best practices, check out this hands-on CloudFormation lab from Cloud Academy.
To bolster your implementation’s security posture, you should take advantage of software like Sophos or Squid to limit URLs, domains, ports, etc. which would then allow all traffic to pass through the controlled proxy tier and would also get logged.
Using these proxy and security systems, you could also limit threatening and unwanted ports.
Click here to walk step-by-step through the process of securing your VPC infrastructure.
If cost is more critical for your needs as opposed to high availability, it could be a good idea to keep the Web and App within the same availability zone as RDS, ElastiCache, and so on of the Amazon VPC. You can develop and design the subnets accordingly. However, it is not a recommended architecture for applications which demand high availability.
With the introduction of VPC peering features, life has become easier for AWS users. With the help VPC peering connectivity, you can connect two Amazon VPCs and which would then enable you to route traffic between them with the aid of private IP addresses.
As AWS uses the current infrastructure of a VPC for creating a VPC peering connection; it is neither a VPN connection nor a gateway, and does not depend on any physical hardware.
VPC Peering can be useful in various scenarios such as:
It is always advisable to keep a part of your application services in the public subnet for external communication. It is also a recommended exercise to associate them with Amazon EIP (Elastic IP) and whitelisting these IP addresses in the target services which are used by them.
In specific cases, there might be hundreds of EC2 instances within the Amazon VPC which are creating lots of heavy web service or HTTP calls simultaneously. At times, even a single NAT instance with the largest EC2 size may not be able to handle that bandwidth and may cause performance issues.
During such events, it is advisable to span the EC2 across multiple subnets and create NATs for each the subnets. With the help of this strategy, you can spread the outgoing bandwidth while improving the performance of VPC-based deployments.
Every time EC2 instances residing within the private subnet of your Amazon VPC implementation are created or make HTTP/SQS/S3 calls, they go through a NAT instance.
You should scale the NAT instance capacity per your application needs in order to avoid performance bottlenecks. With the help of NAT instances, you can save on the cost of an Elastic IP, which also provides an extra level of security without revealing the instances to the outer world for accessing the internet.
When planning who will maintain your Amazon VPC, you can enlist the help of Amazon IAM to help you create accounts with granular levels of permissions. Also, you can use Sophisticated Privileged Identity Management solutions which are available on the AWS Marketplace to IAM your VPC.
While using ELB for web applications, ensure that you place all other EC2 instances in private subnets wherever possible. Except where there is an explicit requirement for instances requiring outside world access and Elastic IP attached, place all the instances in private subnets only. In the Amazon VPC environment, only ELBs must be in the public subnet as secure practice.
We’ve covered a lot of ground in this best practices guide for AWS VPC implementations.
Be sure to also check out Cloud Academy’s AWS Solutions Architect Associate learning path. You’ll learn everything there is to know about developing scalable and sustainable AWS architectures, as well as gain a solid mastery of the knowledge and skills necessary to pass the exam and acquire your certification.
As always, please leave a comment below if you have any questions – we’ll be happy to help!
Amazon Web Services’ resource offerings are constantly changing, and staying on top of their evolution can be a challenge. Elastic Cloud Compute (EC2) instances are one of their core resource offerings, and they form the backbone of most cloud deployments. EC2 instances provide you with...
AWS's WaitCondition can be used with CloudFormation templates to ensure required resources are running.As you may already be aware, AWS CloudFormation is used for infrastructure automation by allowing you to write JSON templates to automatically install, configure, and bootstrap your ...
As companies increasingly shift workloads to the public cloud, cloud computing has moved from a nice-to-have to a core competency in the enterprise. This shift requires a new set of skills to design, deploy, and manage applications in cloud computing.As the market leader and most ma...
The announcements at re:Invent just keep on coming! Let’s look at what benefits these two new EC2 instance types offer and how these two new instances could be of benefit to you. If you're not too familiar with Amazon EC2, you might want to familiarize yourself by creating your first Am...
Google Cloud Platform (GCP) has evolved from being a niche player to a serious competitor to Amazon Web Services and Microsoft Azure. In 2018, research firm Gartner placed Google in the Leaders quadrant in its Magic Quadrant for Cloud Infrastructure as a Service for the first time. In t...
In order to understand AWS VPC egress filtering methods, you first need to understand that security on AWS is governed by a shared responsibility model where both vendor and subscriber have various operational responsibilities. AWS assumes responsibility for the underlying infrastructur...
Is it possible to create an S3 FTP file backup/transfer solution, minimizing associated file storage and capacity planning administration headache?FTP (File Transfer Protocol) is a fast and convenient way to transfer large files over the Internet. You might, at some point, have conf...
Microservices are a way of breaking large software projects into loosely coupled modules, which communicate with each other through simple Application Programming Interfaces (APIs).Microservices have become increasingly popular over the past few years. The modular architectural style,...
There are many use cases for tags, but what are the best practices for tagging AWS resources? In order for your organization to effectively manage resources (and your monthly AWS bill), you need to implement and adopt a thoughtful tagging strategy that makes sense for your business. The...
Amazon S3 is the most common storage options for many organizations, being object storage it is used for a wide variety of data types, from the smallest objects to huge datasets. All in all, Amazon S3 is a great service to store a wide scope of data types in a highly available and resil...
One of the main promises of cloud computing is access to nearly endless capacity. However, it doesn’t come cheap. With the introduction of Spot Instances for Amazon Web Services’ Elastic Compute Cloud (AWS EC2) in 2009, spot instances have been a way for major cloud providers to sell sp...
A Comparison of Machine Learning Services on AWS, Azure, and Google CloudArtificial intelligence and machine learning are steadily making their way into enterprise applications in areas such as customer support, fraud detection, and business intelligence. There is every reason to beli...