Amazon Virtual Private Cloud (VPC) is a logically isolated virtual network. An AWS user can implement their own network design, completely isolated from the public network. Users have complete control over their virtual networking environment; for example, selection of their own IP address range, subnet creation, route table configuration for network traffic, and the network gateways.
Therefore, Amazon VPC gives its clients an isolated area where they can launch AWS resources in a virtual network that they define. Amazon VPC is a customised network service. VPC lets Amazon users reach their private virtual instances from a real physical machine over the Internet, while the private subnet itself stays isolated from Internet services.
Suppose you create a public-facing subnet, containing a NAT machine and a web server, which is able to access the Internet. On the other hand, you have a private-facing subnet which has no public IP and no Internet access. You place your backend systems, such as databases and application servers, in the private-facing subnet. Now you want to access the private database or application servers from your machine. As those servers are in the virtual private network, you cannot reach them directly from your machine. Therefore, the VPC customised network system gives you the provision to access your virtual private network from your physical machines.
VPC is customised with multiple security layers; for instance, security groups, network access control lists and route tables. Users can control and manage security policies, permissions and user roles in the network.
In this lab, I will demonstrate how to configure a VPC with a Linux and a Windows server. I will cover the following:
- Create an Amazon VPC
- Set up routing for the Amazon VPC
- Set up a security group
- Deploy Amazon EC2 instances running Linux and Windows Server into the Amazon VPC
- Attach an Internet gateway to the Amazon VPC
- Delete an Amazon VPC
Steps for the task: Create an Amazon VPC
- In the AWS Management Console homepage, select VPC from Networking & Content Delivery. Click VPC; you will get the VPC dashboard.
- On the VPC dashboard, click Start VPC Wizard. In the VPC Configuration step, you will see four options: VPC with a Single Public Subnet, VPC with Public and Private Subnets, VPC with Public and Private Subnets and Hardware VPN Access, and VPC with a Private Subnet Only and Hardware VPN Access. In this lab, I am going to demonstrate VPC with a Single Public Subnet. VPC with a single public subnet means your instance runs in a private, isolated section of the AWS cloud with direct access to the Internet. For controlling inbound and outbound traffic and strict security control, a network ACL and a security group will be used with this configuration.
- Step 2 shows the IP configuration of the VPC with a single public subnet. You can choose a /16 or /24 CIDR range for the VPC or subnet respectively. In this lab, I chose the Class A IPv4 CIDR block 10.10.0.0/16 for the VPC network ID and 10.10.0.0/24 for the public subnet's IPv4 CIDR. Note that you can use any customised IP address range for configuring the VPC with CIDR /16 and /24 respectively.
- Select Hardware tenancy: Default and Availability Zone: No Preference (you can choose your own preferred Availability Zone near to you). Click Create VPC. You will get the newly configured VPC details under the AWS VPC service, with an Internet gateway, a route table and a network ACL, and DNS resolution and DNS hostnames set to "Yes" by default.
- In this step, we will see the Internet gateway details for myVPC. In the navigation panel, click Internet Gateways. You will be able to view the gateway information, which is attached to the myVPC ID.
Steps for the task: Set up routing for the Amazon VPC
- Now we will inspect the myVPC route tables, which were created during VPC configuration. Click Route Tables in the left navigation panel. We can see there are two route tables. The VPC came with a main route table by default, and the VPC Wizard created a custom route table in addition. Our subnet is associated with the custom route table. That custom route table is used to determine how traffic flows for the subnet. Note: if you add a new subnet to your VPC, it uses the main route table by default.
- Now select the custom route table, with Main column value "No". Click the "Routes" tab to view the information of this route table. The first row in the table contains the local route, which enables instances within the VPC to communicate with each other. It is the default setting, and remember that you cannot delete it. The second row shows the Internet gateway route: the VPC sends traffic destined for an IP address outside the VPC (0.0.0.0/0) from the subnet to the Internet gateway. We call it a public subnet because all traffic leaving the VPC from this subnet goes to the Internet gateway.
- Now select the main route table, with Main column value "Yes" and a subnet count of zero. This main route table contains only the local route and no other routes. A subnet using it is a private subnet and is not able to access the Internet. If you want to expose a new subnet as a public subnet, you have to either change the routing in the main table or associate the subnet with a custom route table.
Now our VPC "myVPC" is successfully set up!
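To make the difference between the two route tables concrete, here is an added example (not part of the original lab) that models the main and custom route tables with the lab's own CIDRs and resolves destinations by longest-prefix match, as the VPC router does. The Internet gateway id and the external test address are placeholders, not values from the lab.

```python
# Added example: a small model of how the two route tables created by the
# VPC Wizard decide where a packet goes. CIDRs are the lab's values;
# "igw-PLACEHOLDER" stands in for the real Internet gateway id.
from ipaddress import ip_address, ip_network

VPC_CIDR = "10.10.0.0/16"
PUBLIC_SUBNET = "10.10.0.0/24"

# Main route table: only the local route, so no path to the Internet.
MAIN_ROUTE_TABLE = {"10.10.0.0/16": "local"}

# Custom route table created by the wizard: local route plus a default
# route (0.0.0.0/0) to the Internet gateway.
CUSTOM_ROUTE_TABLE = {"10.10.0.0/16": "local", "0.0.0.0/0": "igw-PLACEHOLDER"}


def subnet_fits_vpc(subnet, vpc):
    """A subnet CIDR must lie entirely inside the VPC CIDR."""
    return ip_network(subnet).subnet_of(ip_network(vpc))


def lookup_route(route_table, destination):
    """Return the target of the most specific matching route, or None.

    The route with the longest matching prefix wins, so the local /16 route
    beats the /0 default route for traffic that stays inside the VPC.
    """
    addr = ip_address(destination)
    best = None
    for cidr, target in route_table.items():
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public_subnet(route_table):
    """A subnet is public when its route table sends 0.0.0.0/0 to an IGW."""
    return route_table.get("0.0.0.0/0", "").startswith("igw-")


if __name__ == "__main__":
    print("subnet inside VPC:", subnet_fits_vpc(PUBLIC_SUBNET, VPC_CIDR))
    # 10.10.0.179 is the lab's Linux instance; 203.0.113.10 is a constructed
    # documentation-range address standing in for an Internet host.
    for dest in ("10.10.0.179", "203.0.113.10"):
        print(dest, "main ->", lookup_route(MAIN_ROUTE_TABLE, dest),
              "| custom ->", lookup_route(CUSTOM_ROUTE_TABLE, dest))
    print("custom table public:", is_public_subnet(CUSTOM_ROUTE_TABLE),
          "| main table public:", is_public_subnet(MAIN_ROUTE_TABLE))
```

The external address resolves to the Internet gateway only through the custom table; through the main table it has no route at all, which is exactly why a subnet left on the main table is private.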
Steps for the task: Setting up a Security Group
- Select Security Groups under Security in the VPC dashboard panel. We are going to create a new security group for our VPC instances. Click the Create Security Group button. Provide the Name tag and Group name "WebServerSG" and a Description. Select the VPC "myVPC" from the drop-down list. You will see a security group named WebServerSG successfully created in the Security Groups tab.
- Now select the WebServerSG security group that we have just created. Below it is the detail panel with the Summary, Inbound Rules, Outbound Rules and Tags tabs of the security group. Click the Inbound Rules tab. By default, we will see there is no protocol set up for inbound traffic. To allow protocol types in the inbound tab, click "Edit". Select "HTTP, HTTPS, SSH, RDP" from the Type drop-down list with 0.0.0.0/0 in the Source field, and click Save.
Note: If you use 0.0.0.0/0, you are enabling every IP address to reach your instance over SSH and RDP. It is an unsafe practice in a real environment. In enterprise practice, we only allow and authorise the specific IP range that is permitted to access our instance.
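The rule set the lab enters can be checked mechanically for the problem described in the note. The following is an added example (not part of the original lab): it audits inbound rules shaped like the console's Inbound Rules tab and flags SSH or RDP open to the whole Internet, next to the restricted variant the note recommends. The 198.51.100.0/24 range is a constructed, documentation-only prefix standing in for an authorised corporate range.

```python
# Added example: audit WebServerSG-style inbound rules. HTTP/HTTPS from
# anywhere is expected for a web server; SSH (22) and RDP (3389) from
# 0.0.0.0/0 is the unsafe setting the note above describes.
from ipaddress import ip_network

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

# The rules exactly as the lab enters them: all four types from 0.0.0.0/0.
LAB_INBOUND_RULES = [
    {"type": "HTTP",  "protocol": "tcp", "port": 80,   "source": "0.0.0.0/0"},
    {"type": "HTTPS", "protocol": "tcp", "port": 443,  "source": "0.0.0.0/0"},
    {"type": "SSH",   "protocol": "tcp", "port": 22,   "source": "0.0.0.0/0"},
    {"type": "RDP",   "protocol": "tcp", "port": 3389, "source": "0.0.0.0/0"},
]

# The enterprise variant: admin ports limited to an authorised range
# (198.51.100.0/24 is a constructed documentation prefix, not a real office).
HARDENED_INBOUND_RULES = [
    {"type": "HTTP",  "protocol": "tcp", "port": 80,   "source": "0.0.0.0/0"},
    {"type": "HTTPS", "protocol": "tcp", "port": 443,  "source": "0.0.0.0/0"},
    {"type": "SSH",   "protocol": "tcp", "port": 22,   "source": "198.51.100.0/24"},
    {"type": "RDP",   "protocol": "tcp", "port": 3389, "source": "198.51.100.0/24"},
]


def audit_inbound_rules(rules):
    """Return one finding per rule that exposes an admin port to any source.

    A prefix length of 0 (0.0.0.0/0 or ::/0) means 'every address'. Security
    groups only have allow rules, so the fix is to narrow the source range,
    not to add a deny rule.
    """
    findings = []
    for rule in rules:
        if rule["protocol"] != "tcp" or rule["port"] not in ADMIN_PORTS:
            continue
        source = ip_network(rule["source"])
        if source.prefixlen == 0:
            findings.append(
                f"{ADMIN_PORTS[rule['port']]} (tcp/{rule['port']}) open to "
                f"{source}: restrict the source to an authorised IP range"
            )
    return findings


if __name__ == "__main__":
    for name, rules in (("lab", LAB_INBOUND_RULES),
                        ("hardened", HARDENED_INBOUND_RULES)):
        print(name, "findings:", audit_inbound_rules(rules) or ["none"])
```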
Steps for the task: Deploy Amazon EC2 instances running Linux and Windows Server into the Amazon VPC
Launching an Amazon EC2 Linux instance: Now we will create an EC2 Linux instance in our VPC (myVPC).
- Click Services from the AWS Management Console homepage, then click EC2 to open the Amazon EC2 console. From the console, click "Launch Instance". Select "Quick Start" and Amazon Linux AMI (64-bit) on Step 1: Choose an Amazon Machine Image (AMI), then click Select.
- Select "General purpose" from the Family tab, with Type t2.micro, vCPUs 1, Memory 1 GiB, Instance Storage EBS only. This is only the virtual hardware configuration of the instance; you can pick any type based on your purpose. Then click "Next: Configure Instance Details".
- Select the VPC network we created (myVPC) from the Network drop-down list on the Configure Instance Details page. Note: you can also create an IAM role and other configuration based on how you want to manage your instance.
- Click "Next: Add Storage". You will get the Step 4: Add Storage page. In this case, I chose the default size of 8 GB for the root volume, but you can customise it. Then click "Next: Add Tags".
- On the Add Tags page, provide the Name tag for the instance. In this lab, I named this Amazon EC2 instance "myec2instance", and then clicked Next: Configure Security Group.
- On the Configure Security Group page, we can see two options for assigning a security group to the Amazon EC2 instance: Create a new security group or Select an existing security group. As we already created our security group, we go with the "Select an existing security group" option and select the WebServerSG security group by its Security Group ID. Then click "Review and Launch".
- Now review the details of the EC2 instance. If everything is okay, click Launch. You will get the key pair dialogue.
- The dialogue box offers two options, Select an existing key pair or Create a new key pair; specify which one you want to do. In this lab, I chose to create a new key pair, provided the key pair name "myVPC", and downloaded the key pair. Note: if you lose your key pair, you will not be able to access the EC2 instance anymore. In this case, your only option is to terminate the instance and create a new one.
- When you are ready to launch your Amazon EC2 instance, click Launch Instances. It will take a few minutes to launch. You can now see your instance in the EC2 dashboard. After initialisation, Instance State = running and Status Checks = 2/2 checks passed, and your Amazon EC2 instance is ready to use.
Launching an Amazon EC2 Windows instance: Now we will create an EC2 Windows instance in our VPC (myVPC).
- Click EC2 to open the Amazon EC2 console from the AWS Management Console homepage. Click "Launch Instance". Then choose "Microsoft Windows Server 2012 R2 Base" on the Step 1: Choose an Amazon Machine Image (AMI) page. Note: you will also find other Windows Server versions and SQL Server AMIs here.
- Click Select. Select General purpose and t2.micro in Step 2: Choose an Instance Type. I chose the default one; you can change it as per your requirement. Then click "Next: Configure Instance Details".
- Click "Next: Add Storage" and configure your storage size, or go with the default Amazon setup. In this lab, I chose the default storage size. Click Tag Instance and write the name of the tag value: webserver.
- Click Next: Configure Security Group. Select an existing security group on the Configure Security Group page, then click Review and Launch. You will get the key pair dialogue box. In this lab, I selected the existing key pair. Then click "Launch". Your instance will now launch.
- Now our EC2 Windows Server instance is ready. For verification we need to check Instance State = running and Status Checks = 2/2 checks passed.
Steps for the task: Attach an Internet gateway to the Amazon VPC
You have to create an Elastic IP address when attaching an Internet gateway to the VPC; that Elastic IP address is a public IP address that belongs to your AWS account, and you need to associate it with your instance to make it accessible from the Internet.
- Go to the VPC Management Console. Under the VPC dashboard, click Elastic IPs in the left navigation panel, then click "Allocate new address".
- It will ask you a question: Do you want to allocate a new address? Press Yes. You will get a new public IP address, like the one shown for this lab practice.
- Now go to the Actions menu to associate your Elastic IP address with the instance. From the Associate with list, click Instance or Network interface, and then choose either the network interface or the instance ID. Then choose the private IP to associate the Elastic IP address with from the Private IP address list. Click Associate. Your instance will be accessible from the Internet. In addition, you will also be able to reach the EC2 instance through SSH or RDP, using the Elastic IP address of the associated instance as the address to connect to.
Problem you may face: You cannot associate two instances with one Elastic IP address. If you try, the following error will be shown:
Recommendation: You have to disassociate the previous AWS instance and then associate the new instance with that Elastic IP for Internet access, or you have to create a new Elastic IP address. But your cost will increase if you use an individual Elastic IP for each AWS instance. My suggestion is to associate your NAT machine with an Elastic IP and then, using the VPC, access the Internet from your private virtual instances through the NAT machine. It gives you strict security and reduces your cost of AWS resource usage.
Steps for the task: Deleting an Amazon VPC
If you want to delete your Amazon VPC, you have to follow these steps:
1. You must terminate the instances running in the VPC that you want to delete.
Note: Remember that deleting a VPC means you are deleting all resources associated with that VPC, such as subnets, network ACLs, DHCP option sets, security groups, route tables and the Internet gateway.
2. To terminate your EC2 instance, click Instances in the navigation panel of the Amazon EC2 console. Select the instance you want to terminate, then go to the Actions menu, move your mouse over Instance State and select Terminate.
Note: Once you have terminated your instance, you cannot use it any further. You will lose all data inside this instance.
3. After terminating your instance, go to the VPC console to delete the VPC. Click Your VPCs in the navigation panel, select the VPC you want to delete, and click Delete VPC from the Actions drop-down list. Click Yes, Delete when prompted for confirmation.
Testing the VPC connection using a Linux SSH terminal and Windows RDP:
Log in over SSH through PuTTY by giving the login credentials of the Linux instance. You can see now that I can access the Internet from my private IP 10.10.0.179. I pinged eitf.org and got replies from eitf.org. That means I can access the Internet from my private IP through my public IP gateway.
I can also use the Internet from the Windows server, which has private IP 10.0.0.67, through the VPC configuration. Testing is successful.
Question: What is the purpose of a security group in a VPC, and how does it work?
Answer: An Amazon security group is a virtual firewall for an instance that controls inbound and outbound traffic. It works as a filter for the Amazon virtual network. You can assign five security groups when you launch an instance in your AWS account.
Security groups always work at the instance level, not the subnet level. As a result, in your VPC, each instance in a subnet can be assigned to a different set of security groups. Each instance's security groups can differ from one another even though the instances are in the same VPC. If you do not assign any security group during instance launch, the default security group for the VPC is assigned automatically.
A security group has two kinds of rules: one kind controls inbound traffic and the other controls outbound traffic. Remember that you can specify allow rules but not deny rules. A security group is stateful, and it is associated with a network interface.
Question: What is the purpose of an Elastic IP?
Answer: An Elastic IP is a static IPv4 address designed for dynamic cloud computing. An Elastic IP is associated with your AWS account. It is a public IP address; through this Elastic IP, your isolated VPC instance is able to communicate over the Internet. That means if you do not have a public IP address, you can associate your instance with an Elastic IP to enable communication with the Internet. For example, we can access our private cloud instance from our local machine. An Elastic IP can only be used in one specific region.
The benefit of an Elastic IP is that you can mask the failure of an instance by rapidly remapping the address to another instance in your AWS account. Another benefit is that you can use one Elastic IP with several instances by disassociating it from the instance it was previously allocated to.
What are the connectivity options for my VPC?
The following options are available in the AWS cloud to establish connectivity for a VPC:
- The Internet via an Internet gateway
- Corporate data center using a Hardware VPN connection via the virtual private gateway
- Both the Internet and corporate data center by utilizing both an Internet gateway and a virtual private gateway
- Other AWS services via Internet gateway, NAT, virtual private gateway, or VPC endpoints
- Other VPCs via VPC peering connections
Cost Analysis for VPC
There is no additional cost for creating and using a VPC itself. Usage charges for other Amazon Web Services, including Amazon EC2, still apply at published rates for those resources, including data transfer charges. Data transferred over VPN connections is charged at standard AWS Data Transfer rates.
VPN Connection Pricing
- $0.05 per VPN Connection-hour
- $0.048 per VPN Connection-hour for connections to the Tokyo region
Note: If you decide to create a hardware VPN connection to the VPC using a virtual private gateway, you are charged for each "VPN Connection-hour". The charge is incurred as long as your VPN connection is provisioned and available. Each partial VPN Connection-hour consumed is billed as a full hour. Suppose you used your VPN connection for 5 hours 30 minutes; you still have to pay for 6 hours.
How to avoid the charge: If you don't want to pay for a VPN connection, the better option is to terminate the VPN connection. Otherwise, you will be charged as long as your connection is available.
NAT Gateway Pricing
NAT gateway pricing differs between regions. AWS charges in two ways for a NAT gateway: a price per NAT gateway ($/hour) and a price per GB of data processed ($). Each partial NAT Gateway-hour consumed is billed as a full hour.
Data collection date: 19th March 2017; source: https://aws.amazon.com/vpc/pricing/. AWS prices are exclusive of applicable taxes and duties, including VAT and applicable sales tax.
| Region | Price per NAT gateway ($/hour) | Price per GB data processed ($) |
|---|---|---|
| US East (N. Virginia) | 0.045 | 0.045 |
| US East (Ohio) | 0.045 | 0.045 |
| US West (Oregon) | 0.045 | 0.045 |
| US West (N. California) | 0.048 | 0.048 |
| Asia Pacific (Singapore) | 0.059 | 0.059 |
| Asia Pacific (Tokyo) | 0.062 | 0.062 |
| Asia Pacific (Seoul) | 0.059 | 0.059 |
| Asia Pacific (Sydney) | 0.059 | 0.059 |
| Asia Pacific (Mumbai) | 0.056 | 0.056 |
| South America (São Paulo) | 0.093 | 0.093 |
Data Transfer Charge: AWS uses the standard EC2 data transfer charge. If you transfer 1 GB of data from an EC2 instance to S3 via a NAT gateway, AWS will not charge you for the data transfer from EC2 to S3, as it stays within the same region, and there is also no charge for data transfer between the NAT gateway and EC2 if the traffic stays in the same Availability Zone. AWS will charge you if data is transferred between the NAT gateway and EC2 in different Availability Zones.
How to avoid the charge: To avoid the NAT Gateway data processing charge you need to set up a VPC endpoint and route the traffic to/from AWS services, for example S3, through the VPC endpoint instead of through the NAT gateway. There are no data processing or hourly charges for using VPC endpoints.
Thank you 🙂