AWS Your VPC and Subnets

#48

Your VPC and Subnets

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS cloud.You can launch your AWS resources, such as Amazon EC2 instances, into your VPC. When you create a VPC, you specify the set of IP addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block (for example, 10.0.0.0/16).

Your New VPC:

The following diagram shows a new VPC with a default route table.

You need to add a subnet before you can launch an instance into your VPC.

49#

VPC Sizing:

You can assign a single CIDR block to a VPC. The allowed block size is between a /28 netmask and

/16 netmask. In other words, the VPC can contain from 16 to 65,536 IP addresses.You can't change

the size of a VPC after you create it. If your VPC is too small to meet your needs, create a new, larger VPC, and then migrate your instances to the new VPC.To do this, create AMIs from your running instances, and then launch replacement instances in your new, larger VPC..You can then terminate your old instances, and delete your smaller VPC.

50#

Connections with Your Local Network and OtherVPCs

You can optionally set up a connection between your VPC and your corporate or home network. If you have an IP address prefix in your VPC that overlaps with one of your networks' prefixes, any traffic to the network's prefix is dropped.

You can also create a VPC peering connection between your VPCs, or with a VPC in another AWS account. A VPC peering connection enables you to route traffic between the VPCs using private IP addresses; however, you cannot create a VPC peering connection between VPCs that have overlapping CIDR blocks.

Creating a VPC:

There are two ways to create a VPC using the Amazon VPC console: the Create VPC ( which creates only the VPC;you'd need to subsequently add subnets, gateways, and routing tables) dialog box and the VPC wizard.

51#

Deleting Your VPC:

You can delete your VPC at any time (for example, if you decide it's too small). However, you must

terminate all instances in the VPC first. When you delete a VPC using the VPC console, we delete all its components, such as subnets, security groups, network ACLs, route tables, Internet gateways, VPC peering connections, and DHCP options.

If you have a VPN connection, you don't have to delete it or the other components related to the VPN

(such as the customer gateway and virtual private gateway). If you plan to use the customer gateway

with another VPC, we recommend you keep the VPN connection and the gateways. Otherwise, your

network administrator must configure the customer gateway again after you create a new VPN connection.

Subnets in Your VPC:

You can create a VPC that spans multiple Availability Zones.After creating a VPC, you can add one or more subnets in each Availability Zone. Each subnet must reside entirely within one Availability Zone and cannot span zones. Availability Zones are distinct locations that are engineered to be isolated from failures in other Availability Zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single location. AWS assigns a unique ID to each subnet.

52#
Your VPC with Subnets:

The following diagram shows a VPC that has been configured with subnets in multiple Availability Zones.You can optionally add an Internet gateway to enable communication over the Internet, or a virtual private network (VPN) connection to enable communication with your network, as shown in the diagram.

If a subnet's traffic is routed to an Internet gateway, the subnet is known as a public subnet. In this diagram,subnet 1 is a public subnet. If you want your instance in a public subnet to communicate with the Internet, it must have a public IP address or an Elastic IP address.

If a subnet doesn't have a route to the Internet gateway, the subnet is known as a private subnet. In this diagram, subnet 2 is a private subnet.

If a subnet doesn't have a route to the Internet gateway, but has its traffic routed to a virtual private gateway, the subnet is known as a VPN-only subnet. In this diagram, subnet 3 is a VPN-only subnet.

Note

Regardless of the type of subnet, the internal IP address range of the subnet is always private

— we do not announce the address block to the Internet.

53#
Subnet Sizing:

When you create a subnet, you specify the CIDR block for the subnet. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC), or a subset (to enable multiple subnets). The allowed block size is between a /28 netmask and /16 netmask. If you create more than one subnet in a VPC, the CIDR blocks of the subnets must not overlap.

Calculate subnet CIDR blocks : http://www.subnet-calculator.com/cidr.php

The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. For example, in a subnet with CIDR block 10.0.0.0/24,

the following five IP addresses are reserved:

• 10.0.0.0: Network address.

• 10.0.0.1: Reserved by AWS for the VPC router.

• 10.0.0.2: Reserved by AWS for mapping to the Amazon-provided DNS.

• 10.0.0.3: Reserved by AWS for future use.

• 10.0.0.255: Network broadcast address.We do not support broadcast in a VPC, therefore we reserve this address.

Subnet Routing:

By design, each subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet. Every subnet that you create is automatically associated with the main route table for the VPC.You can change the association, and you can change the contents of the main route table.

In the previous diagram, the route table associated with subnet 1 routes all traffic (0.0.0.0/0) to an

Internet gateway (for example, igw-1a2b3c4d). Because instance V1 has an Elastic IP address, it can

be reached from the Internet.

Note

The Elastic IP address or public IP address that's associated with your instance is accessed

through the Internet gateway of your VPC. Traffic that goes through a VPN connection between your instance and another network traverses a virtual private gateway, not the Internet gateway, and therefore does not access the Elastic IP address or public IP address.

The instance V2 can't reach the Internet, but can reach other instances in the VPC.You can allow an

instance in your VPC to initiate outbound connections to the Internet but prevent unsolicited inbound

connections from the Internet using a network address translation (NAT) gateway or instance. Because you can allocate a limited number of Elastic IP addresses, we recommend that you use a NAT device if you have more instances that require a static public IP address.

The route table associated with subnet 3 routes all traffic (0.0.0.0/0) to a virtual private gateway (for

example, vgw-1a2b3c4d). Instance V3 can reach computers in the corporate network over the VPN connection.

54#
Subnet Security:
AWS provides two features that you can use to increase security in your VPC: security groups and network ACLs. Both features enable you to control the inbound and outbound traffic for your instances, but security groups work at the instance level, while network ACLs work at the subnet level. Security groups alone can meet the needs of many VPC users. However, some VPC users decide to use both security groups and network ACLs to take advantage of the additional layer of security that network ACLs provide.
By design, each subnet must be associated with a network ACL. Every subnet that you create is
automatically associated with the VPC's default network ACL.You can change the association, and you can change the contents of the default network ACL.
You can create a flow log on your VPC or subnet to capture the traffic that flows to and from the network interfaces in your VPC or subnet.You can also create a flow log on an individual network interface. Flow logs are published to CloudWatch Logs.

55#
Deleting Your Subnet: You must terminate any instances in the subnet first.

CLI Overview:
You can perform the tasks described on this page using a command line interface (CLI). For more
information, including a list of available API actions, see Accessing Amazon VPC (p. 6).
Create a VPC

• create-vpc (AWS CLI)

• ec2-create-vpc (Amazon EC2 CLI)

• New-EC2Vpc (AWS Tools for Windows PowerShell)

Create a Subnet
• create-subnet (AWS CLI)
• ec2-create-subnet (Amazon EC2 CLI)
• New-EC2Subnet (AWS Tools for Windows PowerShell)
Describe a VPC
• describe-vpcs (AWS CLI)
• ec2-describe-vpcs (Amazon EC2 CLI)

Amazon Virtual Private Cloud User Guide
Deleting Your Subnet
• Get-EC2Vpc (AWS Tools for Windows PowerShell)

56#
Describe a Subnet
• describe-subnets (AWS CLI)
• ec2-describe-subnets (Amazon EC2 CLI)
• Get-EC2Subnet (AWS Tools for Windows PowerShell)
Delete a VPC
• delete-vpc (AWS CLI)
• ec2-delete-vpc (Amazon EC2 CLI)
• Remove-EC2Vpc (AWS Tools for Windows PowerShell)
Delete a Subnet
• delete-subnet (AWS CLI)
• ec2-delete-subnet (Amazon EC2 CLI)
• Remove-EC2Subnet (AWS Tools for Windows PowerShell)


Your Default VPC and Subnets
When we create a default VPC, we do the following to set it up for you:
• Create a default subnet in each Availability Zone.
• Create an Internet gateway and connect it to your default VPC.
• Create a main route table for your default VPC with a rule that sends all traffic destined for the Internet
to the Internet gateway.
• Create a default security group and associate it with your default VPC.
• Create a default network access control list (ACL) and associate it with your default VPC
• Associate the default DHCP options set for your AWS account with your default VPC.

The following figure illustrates the key components that we set up for a default VPC.

Instances that you launch into a default subnet receive both a public IP address and a private IP address.Instances in a default subnet also receive both public and private DNS hostnames. Instances that you launch into a nondefault subnet in a default VPC don't receive a public IP address or a DNS hostname. You can change your subnet's default public IP addressing behavior.


59#
Default Subnets:
The CIDR block for a default VPC is always a /16 netmask, for example, 172.31.0.0/16. This provides up to 65,536 private IP addresses. The netmask for a default subnet is always /20, which provides up to 4,096 addresses per subnet, a few of which are reserved for our use.
By default, a default subnet is a public subnet, because the main route table sends the subnet's traffic that is destined for the Internet to the Internet gateway.You can make a default subnet a private subnet by removing the route from the destination 0.0.0.0/0 to the Internet gateway. However, if you do this, any EC2 instance running in that subnet can't access the Internet.

60#
Launching an EC2 Instance into Your Default VPC:
When you launch an EC2 instance without specifying a subnet, it's automatically launched into a default subnet in your default VPC. By default, we select an Availability Zone for you and launch the instance into the corresponding subnet for that Availability Zone. Alternatively, you can select the Availability Zone for your instance by selecting its corresponding default subnet in the console, or by specifying the subnet or the Availability Zone in the CLI.