The VPC - Virtual Private Cloud - lies at the core of most significant deployments on AWS. VPCs allow you to strike the balance between secure isolation and resource integration that best fits your needs. You have complete control over traffic coming into and out of your network and, using AWS route tables, network gateways, and subnets, you can permit only the access you need and nothing more.
This course - part of Cloud Academy's networking series from the Intermediate level of the AWS Core Services Track - explores the architecture and function of a VPC, giving you everything you'll need to design and use VPCs productively in your own infrastructure.
If you're not yet comfortable with some of the AWS cloud computing basics, try taking some of our introductory AWS courses.
Welcome to this lesson on Amazon Web Services (AWS) Virtual Private Cloud (VPC). This intermediate course delivers in-depth discussions as well as demonstrations that you can follow along with on building and configuring your own VPC. It starts with an overview of the building blocks that make up a VPC, to set the foundation before we proceed with actually building a custom VPC from scratch. We will then move on to securing it and applying the configuration settings needed to meet your most demanding business needs.

What is a VPC? Amazon Virtual Private Cloud (VPC) gives you the ability to create a logically isolated network in the AWS Cloud, from which you can launch resources such as EC2 instances, based on the configuration that you choose. A VPC gives you complete control over your virtual network, starting with defining your subnets and IP addressing scheme and configuring route tables and network gateways. Another way to think of a VPC is that it is similar to your traditional private data center or corporate network; by extending your corporate or home network into it, you create a hybrid cloud in which you can access resources both in the VPC and on your corporate or home network.
So now that you understand what a VPC is, what are the benefits it provides? A VPC gives you a multitude of connectivity options to address the needs of your business and applications, such as public and private subnets, connecting to your data center, VPC peering, VPN connections, or simply connecting to the internet. It gives you the ability to define your own subnets and IP addressing scheme, to control routing through the use of custom route tables, and to assign multiple IP addresses to your instances if required.

Advanced security comes through the application of a layered security model: network ACLs to control ingress and egress filtering of traffic at the subnet level, and security groups at the instance level, giving you total control from the subnet all the way down to the individual instance. You also have the choice of single-tenant hardware, that is, instances that run on dedicated hardware assigned to a single customer for additional isolation. And of course, Amazon VPC provides the same reliability and scalability as the rest of the platform.

What is the default VPC? We now understand what a VPC is and the benefits it offers. But if your AWS account was created after March 18th, 2013, you will have noticed that the first time you went to provision a resource, you already had a VPC. This is the default VPC that AWS created for you the first time you provisioned a resource. The default VPC is a logically isolated virtual network in the AWS cloud that is configured and connected to an internet gateway, which means that your instances automatically receive public IP addresses when they are provisioned into the default VPC. There are a number of differences you need to understand, and we will discuss these, covering the subtle differences between EC2-Classic (for accounts created before March 2013), the default VPC created by AWS, and of course a custom VPC that you will create later in this lesson.
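The layered security model described above (network ACLs at the subnet level, security groups at the instance level), as an added Terraform example that is not part of the Cloud Academy lesson; the VPC and subnet CIDRs, the resource names and the choice of TCP 443 are assumptions:

```hcl
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16" # assumed address range
}

resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.2.0/24" # assumed private subnet
}

# Layer 1, subnet level: a stateless network ACL. Rule 100 admits TCP 443 only
# from inside the VPC; anything unmatched falls to the built-in final deny.
# Stateless means replies to the clients' ephemeral ports need an explicit egress rule.
resource "aws_network_acl" "private" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = [aws_subnet.private.id]
  ingress {
    rule_no    = 100
    action     = "allow"
    protocol   = "tcp"
    cidr_block = aws_vpc.main.cidr_block
    from_port  = 443
    to_port    = 443
  }
  egress {
    rule_no    = 100
    action     = "allow"
    protocol   = "tcp"
    cidr_block = aws_vpc.main.cidr_block
    from_port  = 1024
    to_port    = 65535
  }
}

# Layer 2, instance level: stateful security groups. The app tier accepts 443
# only from instances that carry the web tier's group, not from the whole VPC
# CIDR, so hosts in the same subnet that are not in the web group are still
# filtered even though the network ACL let their packets into the subnet.
resource "aws_security_group" "web" {
  vpc_id = aws_vpc.main.id
}
resource "aws_security_group" "app" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.web.id]
  }
  # No egress block: Terraform removes the default allow-all outbound rule.
}
```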
If your AWS account has EC2-Classic, you have the option of launching your instances into either EC2-Classic or a VPC on a per-region basis.
This table summarizes the differences between EC2-Classic, the default VPC that AWS created, and a custom VPC that you create.
The key areas where you should note major differences are the number of security groups and how they are associated with your environment, which we will cover in greater detail later in the lessons; it is something important to keep in mind as we progress.

When you build your VPC, a logical question is: how do I connect to and use other AWS services? To answer this, we need to consider the ways the services are provisioned. There are AWS services that you assign an IP address to within your VPC when you provision them, such as EC2 instances, Amazon RDS and Amazon Redshift. And then there are other services, such as Amazon S3, which are accessible via the internet or a virtual gateway. By using the security features of AWS, such as Identity and Access Management (IAM) and security groups, you are able to manage access to these resources so that only connections or requests originating from within your VPC are permitted.

VPC pricing. There are no charges for creating and using a VPC. However, charges for other services, such as EC2, still apply at their published rates. The associated costs of a VPC that you need to be aware of are VPN connections and data transfer charges. VPN connections are billed at five cents per VPN connection hour (4.8 cents in the Tokyo region) while the connection is provisioned and available. Please note that this is billed on a per-hour basis, so a part hour is billed as a full hour.

Data transfer charges. Accessing AWS resources via your VPC internet gateway does not incur charges. However, if you access them via a VPN connection, you will incur internet data transfer charges. Instances that reside in different availability zones are charged at one cent per gigabyte for data transfer. There is no charge for creating a VPC peering connection; however, data transfer across the peering connection is charged at the published rate. There is no charge for using ClassicLink; however, cross-availability-zone data charges do apply at the published rate. For the latest pricing information, please check the AWS pricing page.

VPC peering. VPC peering is a network connection between two or more VPCs in the same region, belonging either to you or to another AWS account, that allows you to route traffic between them using private IP addresses. AWS uses existing infrastructure to create the VPC peering connection. It is neither a gateway nor a VPN, and as such it does not rely on separate physical hardware, which means that it has essentially no single point of failure for communication and no bandwidth bottleneck. A VPC can have one-to-one peering connections with up to 50 other VPCs in the same region. This enables a multitude of scenarios, from accessing a single shared resource from a VPC whilst not being able to reach the other VPCs connected to it (since peering connections are not transitive), to extending your network to other business partners. We will go into detail on this and how to configure it in the Cloud Academy Advanced Networking Course.
When you first build your VPC, it has no mechanism to communicate with your network or other VPCs, and we will discuss the options that you have to address this in the next lesson.
About the Author
Andrew is an AWS certified professional who is passionate about helping others learn how to use and gain benefit from AWS technologies. Andrew has worked for AWS and for AWS technology partners Ooyala and Adobe. His favorite Amazon leadership principle is "Customer Obsession" as everything AWS starts with the customer. Passions around work are cycling and surfing, and having a laugh about the lessons learnt trying to launch two daughters and a few start ups.