January 16, 2016

AWS – Virtual Private Cloud (VPC) overview

VPC is a way to group all your resources (e.g. ec2 instances) into a network, i.e. a virtual network. This means that resources in the same vpc can communicate with each other via their private ip addresses (irrespective of which subnet’s their in).


You can find all my latest posts on medium.

Consequently when you create a new VPC, you have to specify a range of ip addresses, in the form of a CIDR block.

Note: the tenancy setting here, let’s you define at the vpc level whether resources should be fixed to specific hardware.

For example a cidr block of equates to an IP range of:

Source: subnet-calculator

Note, the range you pick can’t overlap with the range of one of your other VPCs.

Within this VPC range, you can break down your range into smaller ranges, called subnets.

When you create a new resource, e.g. instance, e.g. an EC2 instance, you will get prompted to provide what vpc it should be created in followed by which subnet it is created in:

Once you have selected the subnet, and started the launch, your instance will get an IP address  assigned to it that’s within the subnet range. This address is called the “private IP address”.

Note: Private IP address are only unique inside your aws account.

You can also assign a public ip address to your vm, so that your instance ends up with 2 ip address, a public ip address, and a private ip address.

The public address is unique across the internet and is used to access your instance form the internet, whereas the private address is used by your other aws resource to connect to eachother.

Your resources can communicate with eachother via public adddresses as well, but it is better to use private ip address for performance reasons and security reasons.


Public and Private Subnets

You have the option to attach an “Internet gateway” to your subnet. A subnet that has an internet gateway attached to it, is referred to as a public subnet. Whereas a private subnet is a subnet that doesn’t have an internet gateway attached it. Also you attach internet gateway to a subnet via the subnet’s  route table.

Before you can associate an Internet Gateway to a a vpc’s subnet. You need to first associate the internet gateway to the vpc itself. You can only associate one Internet gateway to a VPC. Onc’e that’s done, you can then associate this Internet Gateway to one or more of the VPC’s route table, which turns them into “public route tables“. You can attach a route table to a subnet. Note, all subnets must have exactly one route table, you can’t have more than that, or less than that. If you attach a public route table  to a subnet, then that subnet becomes a public subnet. However if you want to ssh into an instance in this public subnet, then you also need to meet the following conditions:

  • Necessary firewalls are open at the Network ACL level, so public traffic can enter the public subnet on the allowed port numbers.
  • Necessary firewalls are open at the security group level
  • instance has a public ip or elastic public ip address attache to it
  • Instance level: necessary firewalld allow rules are in place
  • Instance level: necessary services, e.g. httpd, ssh, ..etc are listening on the appropriate ports.


If you want to ssh into an ec2 instance (from your home laptop) then your instance must be inside a public subnet and have a public ip address assigned to it.

If you have to use a private subnet, for security reasons, then you can still ssh into your instance by one of the following ways:

  • ssh into another (publically accessible) ec2 instance that happens to reside in the same vpc, and then ssh into your  target instance, using the private IP address. This middle instance can be thought of as a bastion host.
  • set up a vpn, so that your home laptop effectively is a member of the vpc, i.e. it is already part of the internal network.


Virtual Private Network (VPN)

With a VPC, it is possible to connect your home router to the vpc, so that it appears like just another subnet in your vpc. Doing this essentially ends up creating a virtual private network.

To create a VPN, you need to attach a Virtual Private Gateway to your VPC. Therefore the only main gateways into a vpc is the Virtual Private Gateaway, or a Internet Gateway, since you can only have one Internet Gateway attached to a VPC, see diagram in:


Benefits of VPC

  • Good way to organise your resources  inside subnets. It’s a bit like how you organise files into folders
  • You can allow resources from different subnets to communicate with eachother by configuring route tables
  • You can control which subnet’s resources have internet access, by setting up public subnets.
  • You can set which subnets are private, which improves security
  • we can  make our home routeer part of the vpc, i.e. create a vpn
  • You can improve security by using instnace security groups


The Default VPC

A VPC can be a bit tricky to setup for a a begginer. That’s why a newly created AWS account comes with a default vpc created for you.

The default vpc comes with a several subnets already created for you, and each of these subnets, are public subnets, which makes life easier for beginners.

New instances created inside the default vpc automatically gets assigned with 2 ip address, a public ip address and a private ip address.


Elastic Network Interface

A normal linux vm, has network interfaces, e.g. eth0.

However instance inside a vpc comes with Elastic Network Interfaces  (ENI)  instead. These ENI’s only have private ip addresses associated with them. Traffic going to/from an instance’s public ip address is actually rerouted (behind the scenes) through to the private ip address. Therefore public IP addresses are not actually attached to any network instances, that explains why public ip addresses doesn’t appear when you do an “ip addr show”:


[root@ip-10-0-0-159 ~]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
 inet scope host lo
 valid_lft forever preferred_lft forever
 inet6 ::1/128 scope host
 valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP qlen 1000
 link/ether 0e:a6:d2:74:06:57 brd ff:ff:ff:ff:ff:ff
 inet brd scope global dynamic eth0
 valid_lft 3191sec preferred_lft 3191sec
 inet6 fe80::ca6:d2ff:fe74:657/64 scope link
 valid_lft forever preferred_lft forever

Here we only see the private ip address.


This auto-rerouting of public ip address to the private ip address is referred to as Network Address Translation (NAT).



Default VPC limits

Each aws account comes with the following limits, all of which can be increased by sending a request to aws:

  • 5 VPCs per region
  • 5 internet gateways per region, since you are only allowed one internet gateway per VPC, this means that all public subnets in the same vpc must all have the same internet gateway attached. Note, that a
  • 50 VPN connections per region
  • 50 customer gateways per region – customer gateways are used to set up VPN connections
  • 200 route tables per region
  • 50 entries per route table
  • 5 Elastic IP Addresses
  • 100 security groups
  • 50 rules per security groups
  • 5 security groups per network interface





Inside this vpc, it will get assigned with an ip address that’s fall within this range.






When creating a new resource, e.g. ec2 instance, you’ll get prompted to specify what vpc to create it in.

The main advantage of vpc is that resources that are created in a single vpc will be part of the same network and can communicate internally without any further netowrking configuration.

VPC themselve does not cost anything, you only pay for the costs of the resources that a vpc houses.


Here’s an overview example:



Source: Amazon

When creating VPC via the aws web console, you need to provide just the following info:

Note: you can only attach one Internet Gateway to a vpc at a time.



DNS server

By default each VPC that you create comes with a dns server. This dns server assigns hostnames to all the hosts that are created inside your VPC:


This means the that an instance’s fqdn looks like:

[centos@ip-10-0-0-159 ~]$ hostnamectl
 Static hostname: ip-10-0-0-159.ec2.internal
 Icon name: computer
 Chassis: n/a
 Machine ID: 0af04d3c78a943ae8f3cc26602e374f2
 Boot ID: 6fd874e6b35b40568f53c7c0540259cd
 Operating System: CentOS Linux 7 (Core)
 CPE OS Name: cpe:/o:centos:centos:7
 Kernel: Linux 3.10.0-229.14.1.el7.x86_64
 Architecture: x86_64
[centos@ip-10-0-0-159 ~]$



If you don’t want to use this default dns server, and instead you have your own dns server, then you can use  this by creating a custom DHCP option set:



Route tables

A route table helps your vpc to traffic.

When you create a VPC, a route table automatically get’s created along with it and this route table is the vpc’s “main” route table.


By being “main” it means that this route table get’s automatically attached to each private/public subnet that get’s created in the vpc. This Main route table has an inital route rule called “local” as shown above. This rule makes it makes it possible for your VPC’s resources to communicate with each other via the private IP, irrespective of which private/public subnets the resources are in.

You can’t delete this “local” route rulem and any new route tables that you create will always have this vpc wide “local” route rule.

Note: A subnet always has exactly one route table attached to it, it can’t have more than that, or less than that, this means that you can switch route tables.

You can only attach one Internet Gateway to a route table. In doing so, any private subnet associated with this route table, become public subnets.

Note, you can only have one active internet gateway per vpc.


Amazon vpc