AWS Your VPC and Subnets

#48

Your VPC and Subnets

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS cloud.You can launch your AWS resources, such as Amazon EC2 instances, into your VPC. When you create a VPC, you specify the set of IP addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block (for example, 10.0.0.0/16).

Your New VPC:

The following diagram shows a new VPC with a default route table.

You need to add a subnet before you can launch an instance into your VPC.

49#

VPC Sizing:

You can assign a single CIDR block to a VPC. The allowed block size is between a /28 netmask and

/16 netmask. In other words, the VPC can contain from 16 to 65,536 IP addresses.You can't change

the size of a VPC after you create it. If your VPC is too small to meet your needs, create a new, larger VPC, and then migrate your instances to the new VPC.To do this, create AMIs from your running instances, and then launch replacement instances in your new, larger VPC..You can then terminate your old instances, and delete your smaller VPC.

50#

Connections with Your Local Network and OtherVPCs

You can optionally set up a connection between your VPC and your corporate or home network. If you have an IP address prefix in your VPC that overlaps with one of your networks' prefixes, any traffic to the network's prefix is dropped.

You can also create a VPC peering connection between your VPCs, or with a VPC in another AWS account. A VPC peering connection enables you to route traffic between the VPCs using private IP addresses; however, you cannot create a VPC peering connection between VPCs that have overlapping CIDR blocks.

Creating a VPC:

There are two ways to create a VPC using the Amazon VPC console: the Create VPC ( which creates only the VPC;you'd need to subsequently add subnets, gateways, and routing tables) dialog box and the VPC wizard.

51#

Deleting Your VPC:

You can delete your VPC at any time (for example, if you decide it's too small). However, you must

terminate all instances in the VPC first. When you delete a VPC using the VPC console, we delete all its components, such as subnets, security groups, network ACLs, route tables, Internet gateways, VPC peering connections, and DHCP options.

If you have a VPN connection, you don't have to delete it or the other components related to the VPN

(such as the customer gateway and virtual private gateway). If you plan to use the customer gateway

with another VPC, we recommend you keep the VPN connection and the gateways. Otherwise, your

network administrator must configure the customer gateway again after you create a new VPN connection.

Subnets in Your VPC:

You can create a VPC that spans multiple Availability Zones.After creating a VPC, you can add one or more subnets in each Availability Zone. Each subnet must reside entirely within one Availability Zone and cannot span zones. Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location. AWS assigns a unique ID to each subnet.

52#
Your VPC with Subnets:

The following diagram shows a VPC that has been configured with subnets in multiple Availability Zones.You can optionally add an Internet gateway to enable communication over the Internet, or a virtual private network (VPN) connection to enable communication with your network, as shown in the diagram.

If a subnet's traffic is routed to an Internet gateway, the subnet is known as a public subnet. In this diagram,subnet 1 is a public subnet. If you want your instance in a public subnet to communicate with the Internet, it must have a public IP address or an Elastic IP address.

If a subnet doesn't have a route to the Internet gateway, the subnet is known as a private subnet. In this diagram, subnet 2 is a private subnet.

If a subnet doesn't have a route to the Internet gateway, but has its traffic routed to a virtual private gateway, the subnet is known as a VPN-only subnet. In this diagram, subnet 3 is a VPN-only subnet.

Note

Regardless of the type of subnet, the internal IP address range of the subnet is always private

— we do not announce the address block to the Internet.

53#
Subnet Sizing:

When you create a subnet, you specify the CIDR block for the subnet. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC), or a subset (to enable multiple subnets). The allowed block size is between a /28 netmask and /16 netmask. If you create more than one subnet in a VPC, the CIDR blocks of the subnets must not overlap.

Calculate subnet CIDR blocks : http://www.subnet-calculator.com/cidr.php

The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. For example, in a subnet with CIDR block 10.0.0.0/24,

the following five IP addresses are reserved:

• 10.0.0.0: Network address.

• 10.0.0.1: Reserved by AWS for the VPC router.

• 10.0.0.2: Reserved by AWS for mapping to the Amazon-provided DNS.

• 10.0.0.3: Reserved by AWS for future use.

• 10.0.0.255: Network broadcast address.We do not support broadcast in a VPC, therefore we reserve this address.

Subnet Routing:

By design, each subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet. Every subnet that you create is automatically associated with the main route table for the VPC.You can change the association, and you can change the contents of the main route table.

In the previous diagram, the route table associated with subnet 1 routes all traffic (0.0.0.0/0) to an

Internet gateway (for example, igw-1a2b3c4d). Because instance V1 has an Elastic IP address, it can

be reached from the Internet.

Note

The Elastic IP address or public IP address that's associated with your instance is accessed

through the Internet gateway of your VPC. Traffic that goes through a VPN connection between your instance and another network traverses a virtual private gateway, not the Internet gateway, and therefore does not access the Elastic IP address or public IP address.

The instance V2 can't reach the Internet, but can reach other instances in the VPC.You can allow an

instance in your VPC to initiate outbound connections to the Internet but prevent unsolicited inbound

connections from the Internet using a network address translation (NAT) gateway or instance. Because you can allocate a limited number of Elastic IP addresses, we recommend that you use a NAT device if you have more instances that require a static public IP address.

The route table associated with subnet 3 routes all traffic (0.0.0.0/0) to a virtual private gateway (for

example, vgw-1a2b3c4d). Instance V3 can reach computers in the corporate network over the VPN connection.

54#
Subnet Security:
AWS provides two features that you can use to increase security in your VPC: security groups and network ACLs. Both features enable you to control the inbound and outbound traffic for your instances, but security groups work at the instance level, while network ACLs work at the subnet level. Security groups alone can meet the needs of many VPC users. However, some VPC users decide to use both security groups and network ACLs to take advantage of the additional layer of security that network ACLs provide.
By design, each subnet must be associated with a network ACL. Every subnet that you create is
automatically associated with the VPC's default network ACL.You can change the association, and you can change the contents of the default network ACL.
You can create a flow log on your VPC or subnet to capture the traffic that flows to and from the network interfaces in your VPC or subnet.You can also create a flow log on an individual network interface. Flow logs are published to CloudWatch Logs.

55#
Deleting Your Subnet: You must terminate any instances in the subnet first.

CLI Overview:
You can perform the tasks described on this page using a command line interface (CLI). For more
information, including a list of available API actions, see Accessing Amazon VPC (p. 6).
Create a VPC

• create-vpc (AWS CLI)

• ec2-create-vpc (Amazon EC2 CLI)

• New-EC2Vpc (AWS Tools for Windows PowerShell)

Create a Subnet
• create-subnet (AWS CLI)
• ec2-create-subnet (Amazon EC2 CLI)
• New-EC2Subnet (AWS Tools for Windows PowerShell)
Describe a VPC
• describe-vpcs (AWS CLI)
• ec2-describe-vpcs (Amazon EC2 CLI)

Amazon Virtual Private Cloud User Guide
Deleting Your Subnet
• Get-EC2Vpc (AWS Tools for Windows PowerShell)

56#
Describe a Subnet
• describe-subnets (AWS CLI)
• ec2-describe-subnets (Amazon EC2 CLI)
• Get-EC2Subnet (AWS Tools for Windows PowerShell)
Delete a VPC
• delete-vpc (AWS CLI)
• ec2-delete-vpc (Amazon EC2 CLI)
• Remove-EC2Vpc (AWS Tools for Windows PowerShell)
Delete a Subnet
• delete-subnet (AWS CLI)
• ec2-delete-subnet (Amazon EC2 CLI)
• Remove-EC2Subnet (AWS Tools for Windows PowerShell)


Your Default VPC and Subnets
When we create a default VPC, we do the following to set it up for you:
• Create a default subnet in each Availability Zone.
• Create an Internet gateway and connect it to your default VPC.
• Create a main route table for your default VPC with a rule that sends all traffic destined for the Internet
to the Internet gateway.
• Create a default security group and associate it with your default VPC.
• Create a default network access control list (ACL) and associate it with your default VPC
• Associate the default DHCP options set for your AWS account with your default VPC.

The following figure illustrates the key components that we set up for a default VPC.

Instances that you launch into a default subnet receive both a public IP address and a private IP address.Instances in a default subnet also receive both public and private DNS hostnames. Instances that you launch into a nondefault subnet in a default VPC don't receive a public IP address or a DNS hostname. You can change your subnet's default public IP addressing behavior.


59#
Default Subnets:
The CIDR block for a default VPC is always a /16 netmask, for example, 172.31.0.0/16. This provides up to 65,536 private IP addresses. The netmask for a default subnet is always /20, which provides up to 4,096 addresses per subnet, a few of which are reserved for our use.
By default, a default subnet is a public subnet, because the main route table sends the subnet's traffic that is destined for the Internet to the Internet gateway.You can make a default subnet a private subnet by removing the route from the destination 0.0.0.0/0 to the Internet gateway. However, if you do this, any EC2 instance running in that subnet can't access the Internet.

60#
Launching an EC2 Instance into Your Default VPC:
When you launch an EC2 instance without specifying a subnet, it's automatically launched into a default subnet in your default VPC. By default, we select an Availability Zone for you and launch the instance into the corresponding subnet for that Availability Zone. Alternatively, you can select the Availability Zone for your instance by selecting its corresponding default subnet in the console, or by specifying the subnet or the Availability Zone in the CLI.

AWSFundas

**     VPCNetworkAdminGuide    **


Difference between Public IP and Static IP:
When you launch an EC2 instance, you recieve a Public IP address by which that instance is reachable.
Once you stop that instance and restart the you get a new Public IP for the same instance's.

So, Public IP get's changed everytime for an instance after stop/start.

To overcome with this problem, we attach an Elastic IP to an Instance which doesn't change after you stop / start the instance as many times.

Advantage of Having Elastic IP
-> It is kind of static IP for your Instance.
-> Doesn't change after stop/start.

If you have Elastic IP in your account and  it's not in use, then you will be charged for it.

Ref: Vikash Jha
https://www.quora.com/Whats-the-difference-between-a-public-IP-and-an-elastic-IP-in-AWS-EC2

__________________
Internet Gateway :
Route Tables.
-----------------------------------
Route Table:
then we prioritize the routes as follows in your VPC, from most preferred to least preferred:

• Local routes for the VPC
• Static routes whose targets are an Internet gateway, a virtual private gateway, a network interface, an instance ID, a VPC peering connection, or a VPC endpoint
• Any propagated routes from a VPN connection or AWS Direct Connect connection 

If you have overlapping routes within a VPN connection and longest prefix match cannot be applied, then we prioritize the routes as follows in the VPN connection, from most preferred to least preferred:

• BGP propagated routes from an AWS Direct Connect connection
• Manually added static routes for a VPN connection
• BGP propagated routes from a VPN connection

Note

When you use the wizard in the console to create a VPC with a gateway, the wizard automatically updates the route tables to use the gateway. If you're using the command line tools or API to set up your VPC, you must update the route tables yourself.
=================================================



________________________________________________________________________
7
A main route table that all VPCs have by default, and a custom route table that was created by the wizard. The custom route table is associated with your subnet, which means that the routes in that table determine how the traffic for the subnet flows.If you add a new subnet to your VPC, it uses the main route table by default.

11
A security group acts as a virtual firewall to control the traffic for its associated instances.To use a security group, you add the inbound rules to control incoming traffic to the instance, and outbound rules to control the outgoing traffic from your instance. To associate a security group with an instance, you specify the security group when you launch the instance. If you add and remove rules from the security group, we apply those changes to the instances associated with the security group automatically.
Your VPC comes with a default security group. Any instance not associated with another security group  during launch is associated with the default security group.

14
A public subnet — a subnet that has a route to an Internet gateway. However, the instance in your subnet also needs a public IP address to be able to communicate with the Internet. By default, an instance in a nondefault VPC is not assigned a public IP address.


18,19
An Internet gateway. This connects the VPC to the Internet and to other AWS products.
An instance with a private IP address in the subnet range (example: 10.0.0.6), which enables the
instance to communicate with other instances in the VPC, and an Elastic IP address (example:
198.51.100.2), which enables the instance to be reached from the Internet.
A route table entry that enables instances in the subnet to communicate with other instances in the VPC, and a route table entry that enables instances in the subnet to communicate directly over the Internet.

Tip
If you'd like instances in your VPC to communicate over the Internet without having to assign
each instance an Elastic IP address, you can use a NAT gateway.

Your VPC has an implied router (shown in the configuration diagram for this scenario.) For this scenario, the VPC wizard creates a route table that routes all traffic destined for an address outside the VPC to the Internet gateway, and associates this route table with the subnet. Otherwise, you'd need to create and associate the route table yourself.
The following table shows what the route table looks like for the example addresses used in the
configuration diagram for this scenario. The first row shows the entry for local routing in the VPC; this entry enables the instances in this VPC to communicate with each other.The second row shows the entry for routing all other subnet traffic to the Internet gateway, which is specified using its AWS-assigned identifier.

---------------------------------------------------------------------------------------------------------------------

19
AWS provides two features that you can use to increase security in your VPC: security groups and network ACLs. Both features enable you to control the inbound and outbound traffic for your instances, but security groups work at the instance level, while network ACLs work at the subnet level.
Security groups alone can meet the needs of many VPC users. However, some VPC users decide to use both security groups and network ACLs to take advantage of the additional layer of security that network ACLs provide.

Recommended Security Group Rules
Your VPC comes with a default security group whose initial settings allow all outbound traffic and allow all traffic between instances assigned to the security group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to the default security group for the VPC.

#20
By default, new security groups start with only an outbound rule that allows all traffic to leave the instances.You must add rules to enable any inbound traffic or to restrict the outbound traffic.
The default security group for a VPC has rules that automatically allow assigned instances to communicate with each other. To allow that type of communication between the instances in your VPC, you must add a rule like the following to your security groups.

#23
The instances in the public subnet can receive inbound traffic directly from the Internet, whereas the
instances in the private subnet can't. The instances in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet can't. Instead, the instances in the private subnet can access the Internet by using a network address translation (NAT) gateway that resides in the public subnet. The database servers can connect to the Internet for software updates using the NAT gateway, but the Internet cannot initiate connections to the database servers.
Note
You can also use the VPC wizard to configure a VPC with a NAT instance; however, we
recommend that you use a NAT gateway. For more information, see NAT Gateways.

#24A NAT gateway with its own Elastic IP address. This enables instances in the private subnet to send
requests to the Internet (for example, for software updates)

A route table associated with the public subnet.This route table contains an entry that enables instances in the subnet to communicate with other instances in the VPC, and an entry that enables instances in the subnet to communicate directly with the Internet.

The main route table associated with the private subnet. The route table contains an entry that enables instances in the subnet to communicate with other instances in the VPC, and an entry that enables instances in the subnet to communicate with the Internet through the NAT gateway.

25#
Tip:
To help manage the instances in the private subnet, you can set up bastion servers in the public
subnet to act as proxies. For example, you can set up SSH port forwarders or RDP gateways
in the public subnet to proxy the traffic going to your database servers from your own network.

In this scenario, all traffic from each subnet that is bound for AWS (for example, to the Amazon EC2 or Amazon S3 endpoints) goes over the Internet gateway. The database servers in the private subnet can't receive traffic from the Internet directly because they don't have Elastic IP addresses. However, the database servers can send and receive Internet traffic through the NAT device in the public subnet.

Any additional subnets that you create use the main route table by default, which means that they are private subnets by default. If you'd like to make a subnet public, you can always change the route table that it's associated with.


26#
Your VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances assigned to the group. If you don't specify a security group when you launch an instance, the instance is automatically assigned to this default security group.
The instances assigned to a security group can be in different subnets.

30#
By default, instances launched into a nondefault VPC are not assigned a public IP address.
To be able to connect to your instance in the public subnet, you can assign a public IP address now,
or allocate an Elastic IP address and assign it to your instance after it's launched.To assign a publicIP address now, ensure that you choose Enable from the Auto-assign Public IP list.You do not
need to assign a public IP address to an instance in the private subnet.
Note
You can only assign a public IP address to a single, new network interface with the device

index of eth0. For more information, see Assigning a Public IP Address During Launch (p. 123).

31#
You will also require a security group for your NAT instance (NATSG), which allows the NAT instance to receive Internet-bound traffic from instances in the private subnet, as well as SSH traffic from your network. The NAT instance can also send traffic to the Internet, so that instances in the private subnet can get software updates.

33#
Scenario 3:VPC with Public and Private Subnets and Hardware VPN Access
The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private subnet, and a virtual private gateway to enable communication with your own network over an IPsec VPN tunnel.We recommend this scenario if you want to extend your network into the cloud and also directly access the Internet from your VPC. This scenario enables you to run a multi-tiered application with a scalable web front end in a public subnet, and to and to house your data in a private subnet that is connected to your network by an IPsec VPN connection.

34#
A VPN connection between your VPC and your network. The VPN connection consists of a virtual
private gateway located on the Amazon side of the VPN connection and a customer gateway located on your side of the VPN connection.

Instances with private IP addresses in the subnet range (examples: 10.0.0.5 and 10.0.1.5), which
enables the instances to communicate with each other and other instances in the VPC. Instances in the public subnet also have Elastic IP addresses (example: 198.51.100.1), which enables them to be
reached from the Internet. The instances can have public IP addresses assigned at launch instead of
Elastic IP addresses. Instances in the VPN-only subnet are back-end servers that don't need to accept incoming traffic from the Internet, but can send and receive traffic from your network.

A custom route table associated with the public subnet. This route table contains an entry that enables instances in the subnet to communicate with other instances in the VPC, and an entry that enables instances in the subnet to communicate directly with the Internet.

The main route table associated with the VPN-only subnet. The route table contains an entry that
enables instances in the subnet to communicate with other instances in the VPC, and an entry that
enables instances in the subnet to communicate directly with your network.