Amazon VPC Notes

Amazon Virtual Private Cloud (VPC)

A customer-defined virtual network: a logically isolated section of the AWS cloud in which you launch resources

VPC is the network layer for EC2

Creation requires an IPv4 address range in CIDR notation; pick a range that will not overlap with any network you may later need to connect to (on-premises networks, peered VPCs)

Subnets

  • A subnet is a CIDR block carved out of the VPC CIDR and lives in a single Availability Zone
  • AWS reserves the first four IP addresses and the last IP address of every subnet (network address, VPC router, DNS, reserved for future use, broadcast); they cannot be assigned to instances
  • Subnet types: public (route to an IGW), private (no route to an IGW), VPN-only (route to a VGW only)
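As an added example, not part of the original notes, the reservation rule above computed with Python's standard ipaddress module, plus a check that a planned set of subnets fits inside the VPC CIDR without overlapping. The CIDRs in the sample layout are constructed values.

```python
import ipaddress

# Roles of the five addresses AWS reserves in every subnet, in address order
# (first four of the CIDR, then the last one).
RESERVED_ROLES = (
    "network address",
    "VPC router",
    "Amazon-provided DNS",
    "reserved for future use",
    "network broadcast (not supported in a VPC, but still reserved)",
)


def subnet_reservations(cidr: str) -> dict:
    """Return the reserved IPv4 addresses of a subnet and its usable range.

    AWS subnet CIDRs must be between /16 and /28 (inclusive); a /29 would have
    only three addresses left after the five reservations, and a /28 is the
    smallest size AWS accepts.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS subnets must be between /16 and /28")
    addrs = list(net)                       # every address in the block
    reserved_ips = addrs[:4] + [addrs[-1]]  # first four plus the last
    return {
        "cidr": str(net),
        "reserved": {str(ip): role for ip, role in zip(reserved_ips, RESERVED_ROLES)},
        "usable": net.num_addresses - 5,
        "first_usable": str(addrs[4]),
        "last_usable": str(addrs[-2]),
    }


def check_subnet_plan(vpc_cidr: str, subnet_cidrs: list) -> list:
    """Validate a subnet layout against its VPC: every subnet must sit inside
    the VPC CIDR and the subnets must not overlap each other. Returns a list
    of human-readable problems (empty when the plan is valid)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    problems = []
    for n in nets:
        if not n.subnet_of(vpc):
            problems.append(f"{n} is not inside VPC {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # Constructed sample layout: a /16 VPC carved into /24 subnets.
    for c in ("10.0.1.0/24", "10.0.0.0/28"):
        r = subnet_reservations(c)
        print(c, "usable:", r["usable"], "range:", r["first_usable"], "-", r["last_usable"])
        for ip, role in r["reserved"].items():
            print("   reserved", ip, "->", role)
    print(check_subnet_plan("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25", "10.1.0.0/24"]))
```

The usable count of a /24 comes out as 251, not 254 as on a conventional network; sizing subnets with the usual "minus two" rule is a common cause of running out of addresses in small /28 subnets, which hold only 11 usable hosts.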

Route tables

  • Determines where network traffic leaving a subnet is directed; one route table can be associated with many subnets, but each subnet uses exactly one
  • Every route table contains a local route for the VPC CIDR; it cannot be modified or deleted and is what lets subnets in the VPC reach each other
  • The VPC has an implicit router that evaluates the route tables
  • A VPC automatically comes with a main route table
  • Each subnet must be associated with a route table; a subnet without an explicit association uses the main route table
  • The main route table can be replaced with a custom table
  • Each route specifies a destination CIDR and a target (local, IGW, VGW, NAT device, peering connection, ENI, etc.); when several routes cover a destination, the most specific one (longest prefix) wins
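Added example, not from the original notes: a small model of how the implicit router evaluates a route table (the local route is always present, the longest matching prefix wins, a destination covered by no route is dropped) and of the check that makes a subnet "public" in AWS terms. The VPC CIDR and the gateway IDs igw-0a1b, nat-0c2d and vgw-0e3f are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR the route covers
    target: str       # "local", or a gateway/interface ID such as igw-..., nat-..., vgw-..., pcx-...


@dataclass
class RouteTable:
    vpc_cidr: str
    routes: list = field(default_factory=list)

    def __post_init__(self):
        # Every route table carries an immutable local route for the VPC CIDR;
        # it is what lets subnets in the VPC talk to each other.
        self.routes = [Route(self.vpc_cidr, "local")] + list(self.routes)

    def lookup(self, dst_ip: str) -> Optional[Route]:
        """Longest-prefix match, as the VPC's implicit router performs it.
        Returns the winning route, or None when nothing covers the
        destination (the packet is dropped)."""
        ip = ipaddress.ip_address(dst_ip)
        best, best_len = None, -1
        for r in self.routes:
            net = ipaddress.ip_network(r.destination)
            if ip in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best

    def is_public(self) -> bool:
        """'Public subnet' in AWS terms: the default route points at an IGW."""
        return any(r.destination == "0.0.0.0/0" and r.target.startswith("igw-")
                   for r in self.routes)


# Constructed sample: one VPC, three route tables. Gateway IDs are hypothetical.
VPC = "10.0.0.0/16"
PUBLIC = RouteTable(VPC, [Route("0.0.0.0/0", "igw-0a1b")])
PRIVATE = RouteTable(VPC, [Route("0.0.0.0/0", "nat-0c2d"),
                           Route("192.168.0.0/16", "vgw-0e3f")])
VPN_ONLY = RouteTable(VPC, [Route("192.168.0.0/16", "vgw-0e3f")])


def next_hop(table: RouteTable, dst_ip: str) -> str:
    """Name of the target a packet to dst_ip is sent to, or 'drop'."""
    r = table.lookup(dst_ip)
    return r.target if r else "drop"


if __name__ == "__main__":
    for name, t in (("public", PUBLIC), ("private", PRIVATE), ("vpn-only", VPN_ONLY)):
        print(name, "public?", t.is_public())
        for dst in ("10.0.5.7", "192.168.1.1", "8.8.8.8"):
            print("   ", dst, "->", next_hop(t, dst))
```

Note that a packet to 10.0.5.7 goes to local in every table even though 0.0.0.0/0 also covers it; the /16 local route is more specific than the default route, so a default route to an IGW never hijacks intra-VPC traffic.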

Internet Gateways

  • Horizontally scaled, redundant and highly available; no bandwidth constraint or availability risk to manage
  • Provides a target in route tables for internet-routable traffic and performs NAT between the instance's private IPv4 address and its public IPv4 address
  • Creation
    • Create an IGW and attach it to the VPC (a VPC can have only one attached IGW)
    • In the subnet's route table, add a route sending all non-local traffic (0.0.0.0/0) to the IGW
    • Configure the network ACL and security groups to allow the traffic in and out
    • The EC2 instance must have a public IPv4 address or an Elastic IP to send and receive traffic through the IGW; a private-only instance in the same subnet still has no internet access

DHCP Options

  • Domain name servers (DNS)
  • Domain name
  • NTP servers
  • NetBIOS name servers
  • NetBIOS node type
  • An options set cannot be modified after creation; create a new set and associate it with the VPC instead

Elastic IP Addresses (EIP)

  • Allocate the address to the account, then associate it with an instance or ENI
  • Scoped to a region
  • One-to-one with a private IP address on a network interface
  • Can be disassociated and moved to another instance or ENI in the same region
  • Stays allocated to the account until explicitly released

Elastic Network Interfaces (ENI)

  • Virtual network interface that can be attached to an instance
  • Belongs to a subnet (and therefore to one Availability Zone); has a primary private IP, optional secondary IPs, a MAC address and its own security groups
  • An instance can be dual-homed by attaching a second ENI from another subnet in the same AZ; an ENI can also be detached and moved to another instance

VPC Endpoints

  • Enables a private connection between your VPC and a supported AWS service without going over the internet or through a NAT, VPN, or Direct Connect
  • Creation (gateway endpoint, the route-table based kind described here)
    • Specify the VPC
    • Specify the service (com.amazonaws.<region>.<service>)
    • Specify the endpoint policy: full access, or a custom policy restricting which principals, actions and resources may use the endpoint
    • Specify the route tables to update; each receives a route with the service's prefix list as destination and the endpoint as target


VPC Peering

  • Network connection between two VPCs; instances communicate over private IP addresses as if they were in the same network
  • Request/accept protocol for setup: one VPC requests, the owner of the other (possibly another account) accepts
  • One-to-one: a single peering connection joins exactly two VPCs
  • The two VPCs must not have overlapping CIDRs
  • Originally same-region only; inter-region peering is now supported
  • No transitive routing: if A peers with B and B peers with C, A cannot reach C through B
  • Routes to the peer's CIDR with the pcx- connection as target must be added in the route tables on both sides
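Added example, not part of the original notes: a model of the peering constraints listed above (non-overlapping CIDRs, one connection per pair, no transitive reachability). It assumes that both sides have added the peer CIDR to their route tables, which is not modelled here; the VPC names and CIDRs are constructed sample values.

```python
import ipaddress


class PeeringError(ValueError):
    """Raised when a requested peering violates one of the constraints."""


class PeeringMesh:
    """Models VPC peering: each connection joins exactly two VPCs whose CIDRs
    must not overlap, and reachability exists only across a direct,
    accepted connection. Assumes both sides have added the peer's CIDR to
    their route tables (required in practice, not modelled here)."""

    def __init__(self):
        self.vpcs = {}         # name -> ip_network
        self.peerings = set()  # frozenset({a, b}) per accepted connection

    def add_vpc(self, name: str, cidr: str):
        self.vpcs[name] = ipaddress.ip_network(cidr, strict=True)

    def peer(self, a: str, b: str):
        """Requester a asks b; the checks happen before acceptance."""
        if a == b:
            raise PeeringError("a VPC cannot be peered with itself")
        pair = frozenset((a, b))
        if pair in self.peerings:
            raise PeeringError(f"{a} and {b} already have a peering connection")
        if self.vpcs[a].overlaps(self.vpcs[b]):
            raise PeeringError(f"{a} {self.vpcs[a]} overlaps {b} {self.vpcs[b]}")
        self.peerings.add(pair)

    def reachable_via(self, src: str, dst_ip: str):
        """Return the VPC that owns dst_ip if src can reach it: either src
        itself or a directly peered VPC. Returns None otherwise, which is
        how the no-transitive-routing rule shows up: A-B plus B-C never
        gives A a path to C."""
        ip = ipaddress.ip_address(dst_ip)
        for name, net in self.vpcs.items():
            if ip in net and (name == src or frozenset((src, name)) in self.peerings):
                return name
        return None


def sample_mesh() -> PeeringMesh:
    """Constructed sample: A-B and B-C peered; D's range overlaps A's."""
    mesh = PeeringMesh()
    for name, cidr in (("A", "10.0.0.0/16"), ("B", "10.1.0.0/16"),
                       ("C", "10.2.0.0/16"), ("D", "10.0.5.0/24")):
        mesh.add_vpc(name, cidr)
    mesh.peer("A", "B")
    mesh.peer("B", "C")
    return mesh


if __name__ == "__main__":
    mesh = sample_mesh()
    print("A -> 10.1.0.5 via", mesh.reachable_via("A", "10.1.0.5"))  # B: direct peering
    print("A -> 10.2.0.5 via", mesh.reachable_via("A", "10.2.0.5"))  # None: no transit through B
    try:
        mesh.peer("A", "D")
    except PeeringError as e:
        print("rejected:", e)
```

Hub-and-spoke designs that expect the hub VPC to forward between spokes fail for exactly the reason the last lookup shows; every pair that must talk needs its own connection (or a Transit Gateway, which is outside these notes).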

Security Groups

  • Stateful firewall at the ENI (instance) level
  • Inbound and outbound rules; return traffic for an allowed connection is permitted automatically, regardless of the rules in the other direction
  • Every instance has at least one SG; the VPC's default SG is applied when none is specified
  • The default SG cannot be deleted
  • Deny by default: only allow rules exist, so anything not explicitly allowed is dropped; all rules are evaluated before the decision
  • Quotas when these notes were written: 500 SGs per VPC, 50 inbound and 50 outbound rules per SG (adjustable service quotas that have since been raised; check the current values)
  • Default outbound rule: all traffic allowed; the default SG additionally allows inbound traffic from other members of the same SG
  • Rules can reference another SG as source or destination instead of a CIDR

Network Access Control Lists (ACL)

  • Stateless firewall at the subnet level: replies are evaluated like any other packet, so the ephemeral port range (1024-65535) must be allowed explicitly in the return direction
  • Numbered rules evaluated lowest number first; the first match decides; both allow and deny rules exist; anything unmatched hits the implicit final deny (rule *)
  • A newly created custom ACL denies all inbound and outbound traffic until rules are added; the VPC's default ACL allows everything
  • Each subnet is associated with exactly one ACL (the default one if none is chosen); one ACL can cover many subnets
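Added example for the Security Groups and Network ACL sections above, not from the original notes: a small packet filter that models the two devices side by side, stateful allow-only SG versus stateless, ordered, allow/deny NACL, and runs one HTTPS request and its reply through them. It shows the classic NACL mistake (mirroring the port-443 rule outbound instead of allowing ephemeral ports) next to the corrected rule set. Addresses, ports and rule numbers are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = toward the instance, "out" = leaving it
    proto: str      # "tcp" / "udp" / "icmp"
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        """The packet a response to this one would be (5-tuple reversed)."""
        return Packet("out" if self.direction == "in" else "in",
                      self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str             # "all" matches any protocol
    port_from: int
    port_to: int
    cidr: str              # source for inbound rules, destination for outbound
    action: str = "allow"  # NACL rules may be "deny"; SG rules are allow-only
    number: int = 0        # NACL evaluation order; ignored for SGs

    def matches(self, p: Packet) -> bool:
        peer = p.src if p.direction == "in" else p.dst
        return (p.direction == self.direction
                and self.proto in ("all", p.proto)
                and self.port_from <= p.dport <= self.port_to
                and ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful and allow-only: a packet is allowed if any rule matches, or if
    it is the reply to a flow that was already allowed. Everything else is
    denied; there is no deny rule to write."""

    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]
        self._tracked = set()

    def allows(self, p: Packet) -> bool:
        if p.reply() in self._tracked:  # return traffic of a tracked flow
            return True
        if any(r.matches(p) for r in self.rules):
            self._tracked.add(p)
            return True
        return False


class NetworkACL:
    """Stateless: every packet, replies included, is checked against the
    numbered rules from lowest to highest; the first match decides, and a
    packet matching nothing hits the implicit final deny."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, p: Packet) -> bool:
        for r in self.rules:
            if r.matches(p):
                return r.action == "allow"
        return False


def exchange(sg: SecurityGroup, nacl: NetworkACL, request: Packet) -> dict:
    """Run one request and its reply through the subnet's NACL and the
    instance's SG. Inbound traffic meets the NACL first and the SG second;
    outbound traffic the other way round."""
    reply = request.reply()
    req_ok = nacl.allows(request) and sg.allows(request)
    rep_ok = req_ok and sg.allows(reply) and nacl.allows(reply)
    return {"request": req_ok, "reply": rep_ok}


# Constructed sample: an HTTPS server at 10.0.1.10 and a client on the internet.
ANY = "0.0.0.0/0"
REQUEST = Packet("in", "tcp", "203.0.113.7", 51515, "10.0.1.10", 443)


def web_sg() -> SecurityGroup:
    # Inbound 443 only; no outbound rule is needed for the reply to leave.
    return SecurityGroup([Rule("in", "tcp", 443, 443, ANY)])


# NACL that mirrors the SG rule in both directions: looks right, drops replies,
# because a reply's destination port is the client's ephemeral port, not 443.
NACL_BROKEN = NetworkACL([Rule("in", "tcp", 443, 443, ANY, "allow", 100),
                          Rule("out", "tcp", 443, 443, ANY, "allow", 100)])

# Fixed NACL: outbound ephemeral-port range added so replies can leave.
NACL_FIXED = NetworkACL([Rule("in", "tcp", 443, 443, ANY, "allow", 100),
                         Rule("out", "tcp", 1024, 65535, ANY, "allow", 110)])

# NACL with an explicit deny numbered below the allow: ordering makes it win.
NACL_BLOCKLIST = NetworkACL([Rule("in", "tcp", 443, 443, "203.0.113.0/24", "deny", 50),
                             Rule("in", "tcp", 443, 443, ANY, "allow", 100),
                             Rule("out", "tcp", 1024, 65535, ANY, "allow", 110)])

if __name__ == "__main__":
    print("broken NACL :", exchange(web_sg(), NACL_BROKEN, REQUEST))
    print("fixed NACL  :", exchange(web_sg(), NACL_FIXED, REQUEST))
    print("blocklisted :", exchange(web_sg(), NACL_BLOCKLIST, REQUEST))
    # A connection the instance opens itself is not a reply, so the SG above
    # (no outbound rules) denies it.
    print("outbound DNS:", web_sg().allows(Packet("out", "udp", "10.0.1.10", 40000, "8.8.8.8", 53)))
```

Two things worth noticing in the output: the SG lets the reply out although it has no outbound rule at all (state), and the broken NACL passes the request yet silently drops the reply, which shows up in practice as connections that SYN but never complete. An explicit deny is only possible on the NACL, and only wins if its number is lower than the allow it is meant to override.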

Network Address Translation (NAT)

  • Instances in private subnets have no route to the internet; a NAT device in a public subnet lets them initiate outbound connections (package updates, API calls) while the internet still cannot initiate connections to them
  • NAT Instance
    • Launch the NAT AMI (Amazon Linux) in a public subnet
    • Create an SG for it that allows traffic from the private subnets in and internet-bound traffic out
    • Disable the source/destination check on the instance; otherwise EC2 drops packets whose addresses are not the instance's own, which is every packet a NAT forwards
    • Allocate an EIP and associate it with the NAT instance
    • In the private subnet's route table, send 0.0.0.0/0 to the NAT instance
    • You own patching, sizing and failover of the instance
  • NAT Gateway (preferred)
    • Managed: simpler, scales bandwidth automatically, no SG or source/destination check to maintain (traffic is controlled by NACLs and the instances' SGs)
    • Redundant within its Availability Zone only; deploy one per AZ and point each AZ's private route table at its own gateway so that one AZ outage does not cut off the others' egress
    • Create it in a public subnet with an allocated EIP
    • In the private subnet's route table, send 0.0.0.0/0 to the NAT gateway

Virtual Private Gateway (VGW, written VPG in some material), Customer Gateway (CGW), Virtual Private Network (VPN)

  • Create a VGW and attach it to the VPC
  • Create a CGW: the AWS-side object describing the customer device (its public IP and, for dynamic routing, its BGP ASN)
  • Create the VPN connection between the VGW and the CGW, then add routes to the VGW in the subnet route tables (static) or enable route propagation (BGP)
  • The customer side must initiate traffic to bring a tunnel up; the customer device should send keepalives so the tunnel does not drop when idle
  • CGW supports BGP (dynamic routing) or static routes
  • Many CGWs can terminate on one VGW
  • Each VPN connection has two tunnels to separate AWS endpoints for HA; configure both on the customer device