Virtual Private Cloud

Posted in AWS

VPC (Virtual Private Cloud) is the network configuration for your AWS resources.

  • a public subnet is one whose route table contains a route whose target is an Internet Gateway, enabling access to and from the public internet
  • a private subnet, on the other hand, is for your private resources that should not be reachable from the public internet

VPC Wizard:

  • can opt for a VPC with a public subnet only, with public and private subnets, or with Hardware VPN access

VPC Security Groups

  • Configure the inbound and outbound traffic rules for your resources
  • All outbound traffic is allowed by default when you create a new security group
  • Security groups are stateful: if an inbound rule allows traffic in, the reply traffic is allowed out regardless of the outbound rules
  • You can specify allow rules, but not deny rules.

VPC Network ACL (Access Control List)

  • The default ACL allows all inbound and outbound traffic
  • ACLs are stateless, in contrast to security groups: reply traffic must be explicitly allowed in the other direction
  • Associated with a subnet
  • Rules are evaluated in order, lowest rule number first; the first matching rule wins

Route Table

A routing table is a set of rules, often viewed in table format, that is used to determine where data packets traveling over an Internet Protocol (IP) network will be directed. All IP-enabled devices, including routers and switches, use routing tables.
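The public/private subnet definition above and the route table description come together in a small route lookup, added here as an illustration (not AWS code and not from the original post). It models a route table as a list of (CIDR, target) pairs, picks a route by longest-prefix match, and classifies a subnet as public when a route targets an Internet Gateway. All tables and the `igw-`/`nat-` ids are constructed placeholders.

```python
import ipaddress

# Constructed sample route tables. Every AWS route table carries an implicit
# "local" route for the VPC CIDR; the other targets are placeholder ids, not
# real AWS resource identifiers.
PUBLIC_ROUTES = [
    ("10.0.0.0/16", "local"),          # VPC-internal traffic
    ("0.0.0.0/0", "igw-PLACEHOLDER"),  # default route to an Internet Gateway
]
PRIVATE_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-PLACEHOLDER"),  # default route to a NAT gateway/instance
]
ISOLATED_ROUTES = [
    ("10.0.0.0/16", "local"),          # no default route at all
]


def lookup(routes, destination):
    """Pick the route for `destination` by longest-prefix match, the rule IP
    routers (and AWS route tables) use when several routes overlap.
    Returns the route target, or None when nothing matches (packet dropped)."""
    addr = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public_subnet(routes):
    """A subnet is public, in AWS terms, when its route table contains a route
    whose target is an Internet Gateway."""
    return any(target.startswith("igw-") for _, target in routes)


if __name__ == "__main__":
    for name, table in [("public", PUBLIC_ROUTES), ("private", PRIVATE_ROUTES),
                        ("isolated", ISOLATED_ROUTES)]:
        print(f"{name}: 10.0.1.5 -> {lookup(table, '10.0.1.5')}, "
              f"93.184.216.34 -> {lookup(table, '93.184.216.34')}, "
              f"public={is_public_subnet(table)}")
```

The same VPC-internal destination resolves to `local` in every table because /16 is more specific than /0; only the default route differs, and that difference is what makes a subnet public, private, or isolated.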

NETWORK ACL vs Security Groups

Security groups filter which traffic goes in and out of your instances, i.e. which ports can be accessed; in contrast, a Network ACL operates at the subnet level, i.e. which IPs can SSH to your instances.

  • Network ACL – applies at the network (subnet) level, so it applies to every instance in that subnet
  • Security Group – applies at the instance level, so if you need a rule for one instance only, a security group alone may be enough
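To make the stateful/stateless distinction concrete, here is an added example (not from the original post, not AWS code) that evaluates the same packets against a toy Network ACL and a toy security group. The NACL tries numbered rules in ascending order, stops at the first match, and denies anything left over; the security group has allow rules only and remembers admitted flows so that replies pass without an outbound rule. Rule sets, addresses and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (towards the instance) or "out" (from the instance)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def remote_ip(self):
        return self.src_ip if self.direction == "in" else self.dst_ip

    def flow_key(self):
        # (remote ip, remote port, local port): identical for a packet and its reply
        if self.direction == "in":
            return (self.src_ip, self.src_port, self.dst_port)
        return (self.dst_ip, self.dst_port, self.src_port)


def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


# --- Network ACL: stateless, numbered rules, first match wins -----------------
# Constructed rules: (rule number, direction, cidr, (low port, high port), action)
NACL_RULES = [
    (100, "in", "203.0.113.0/24", (22, 22), "allow"),    # SSH from an office range
    (110, "in", "0.0.0.0/0", (443, 443), "allow"),       # HTTPS from anywhere
    (100, "out", "0.0.0.0/0", (1024, 65535), "allow"),   # replies to ephemeral ports
]
# The same ACL without the outbound ephemeral-port rule: a common misconfiguration.
NACL_NO_EPHEMERAL = [r for r in NACL_RULES if r[1] != "out"]


def nacl_evaluate(rules, pkt):
    """Rules are tried in ascending rule number, the first match decides, and
    the implicit "*" rule denies the rest. Each direction is judged on its own."""
    for _, direction, cidr, (lo, hi), action in sorted(rules, key=lambda r: r[0]):
        if direction == pkt.direction and in_cidr(pkt.remote_ip(), cidr) \
                and lo <= pkt.dst_port <= hi:
            return action
    return "deny"


# --- Security group: allow-only rules plus connection tracking (stateful) ------
class SecurityGroup:
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}  # lists of (cidr, (lo, hi))
        self.tracked = set()                             # flows already admitted

    def evaluate(self, pkt):
        # A reply to an admitted flow is allowed regardless of this direction's rules.
        if pkt.flow_key() in self.tracked:
            return "allow"
        for cidr, (lo, hi) in self.rules[pkt.direction]:
            if in_cidr(pkt.remote_ip(), cidr) and lo <= pkt.dst_port <= hi:
                self.tracked.add(pkt.flow_key())
                return "allow"
        return "deny"  # there are no deny rules; unmatched traffic is simply dropped


# Constructed traffic: an SSH connection from 203.0.113.10 and its reply.
SSH_IN = Packet("in", "203.0.113.10", 50000, "10.0.1.5", 22)
SSH_REPLY = Packet("out", "10.0.1.5", 22, "203.0.113.10", 50000)
UNSOLICITED_OUT = Packet("out", "10.0.1.5", 51000, "198.51.100.1", 443)


def compare():
    """Run the same packets through both filters and return the verdicts."""
    sg = SecurityGroup(inbound=[("203.0.113.0/24", (22, 22))], outbound=[])
    return {
        "nacl_ssh_in": nacl_evaluate(NACL_RULES, SSH_IN),
        "nacl_ssh_reply": nacl_evaluate(NACL_RULES, SSH_REPLY),
        "nacl_reply_without_ephemeral_rule": nacl_evaluate(NACL_NO_EPHEMERAL, SSH_REPLY),
        "sg_ssh_in": sg.evaluate(SSH_IN),
        "sg_ssh_reply": sg.evaluate(SSH_REPLY),        # allowed despite no outbound rule
        "sg_unsolicited_out": sg.evaluate(UNSOLICITED_OUT),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name}: {verdict}")
```

The interesting row is the NACL without the outbound ephemeral-port rule: the inbound SSH packet is accepted but its reply is dropped, which is the classic symptom of forgetting that ACLs are stateless.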

VPN Connections

  • By default, instances that you launch into a virtual private cloud (VPC) can’t communicate with your own network. You can enable access to your network from your VPC by attaching a virtual private gateway to the VPC
  • AWS Hardware VPN – enables customers to connect between VPC and remote network
  • AWS Direct Connect – provides private connection to AWS without internet
  • CloudHub – connects more than one remote network
  • Software VPN – can be set up with third-party VPN software

Components

  • Virtual Private Gateway – VPN connector on AWS side
  • Customer Gateway – customer side

Redundancy:

  • Route Tables – determine where traffic is directed

NAT – Network Address Translation

  • Enables private instances to connect to the internet, but prevents the internet from initiating connections to those instances

How it works:

NAT Key points

  • needs to be launched in a public subnet
  • needs to be associated with a public/Elastic IP address
  • disable the source/destination check – this flag directly conflicts with how NAT works as described above, since a NAT instance forwards packets it neither sent nor is addressed to
  • Security group should allow the required inbound/outbound traffic
  • Route table should be configured with a route to an Internet Gateway
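The NAT behaviour and the source/destination-check point above can be seen in a toy model, added here as an illustration (not AWS code and not from the original post). It rewrites the source of outbound packets to the NAT's public IP, records the mapping, forwards inbound packets only when they match a mapping, and drops forwarded packets when the source/destination check is left on. Addresses and ports are constructed; a real NAT keys its mappings on the destination as well, which is omitted for brevity.

```python
import itertools


class NatInstance:
    """Toy NAT instance in a public subnet (added example, not AWS code)."""

    def __init__(self, private_ip, public_ip, src_dst_check=True):
        self.private_ip = private_ip          # NAT's own address inside the VPC
        self.public_ip = public_ip            # Elastic/public IP the internet sees
        self.src_dst_check = src_dst_check    # the EC2 flag the notes say to disable
        self.mappings = {}                    # public port -> (private ip, private port)
        self._ports = itertools.count(1024)   # next public port to hand out

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from a private instance headed for the internet. Returns the
        translated (src_ip, src_port, dst_ip, dst_port), or None if dropped."""
        # With the source/destination check on, EC2 drops any packet whose source
        # is not the instance itself, so forwarded packets never leave.
        if self.src_dst_check and src_ip != self.private_ip:
            return None
        public_port = next(self._ports)
        self.mappings[public_port] = (src_ip, src_port)
        return (self.public_ip, public_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from the internet at the NAT's public address. Only replies to
        an existing mapping are translated back and forwarded."""
        if dst_ip != self.public_ip or dst_port not in self.mappings:
            return None  # unsolicited: no private instance is reachable this way
        private_ip, private_port = self.mappings[dst_port]
        return (src_ip, src_port, private_ip, private_port)


def demo():
    """Constructed traffic: private instance 10.0.1.20 fetches an HTTPS page,
    the reply comes back, and an unrelated inbound probe is dropped."""
    nat = NatInstance("10.0.0.5", "198.51.100.7", src_dst_check=False)
    out = nat.outbound("10.0.1.20", 40000, "93.184.216.34", 443)
    reply = nat.inbound("93.184.216.34", 443, "198.51.100.7", out[1])
    probe = nat.inbound("192.0.2.9", 12345, "198.51.100.7", 2222)
    # The same instance with the check left enabled: forwarding silently fails.
    checked = NatInstance("10.0.0.5", "198.51.100.7")
    blocked = checked.outbound("10.0.1.20", 40000, "93.184.216.34", 443)
    return out, reply, probe, blocked


if __name__ == "__main__":
    out, reply, probe, blocked = demo()
    print("translated outbound:", out)
    print("translated reply:   ", reply)
    print("unsolicited probe:  ", probe)
    print("check still enabled:", blocked)
```

The last value is the one to remember when a freshly built NAT instance "does nothing": every private instance's outbound packet arrives with a source address other than the NAT's own, so the source/destination check discards it before any translation happens.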

NAT Gateway vs NAT Instance

NAT Gateway                          | NAT Instance
-------------------------------------|-------------------------------------------------------
AWS managed                          | User created instance, configured to be NAT
10 Gbps burst                        | availability and bandwidth depend on the instance type
no Security Group                    | must have a security group
one Elastic IP address associated    | manually disable source/destination check

NAT Gateway notes:

  • specific AZ, with redundancy
  • TCP, UDP, ICMP support
  • ports 1024-65535
  • cannot send traffic through VPC endpoints

High Availability NAT Instance design:

  • one NAT instance per AZ
  • all private subnet route tables point to the NAT instance in the same AZ
  • configure Auto Scaling for the instances
  • have it grow if CPU reaches a certain threshold
  • create bootstrap scripts for updating NAT instances

BASTION

  • a fortified structure that protects the things behind it
  • in AWS also known as a Jump Server
  • used to access instances in a private subnet

How it works:

There is no direct access to your web server: administrators have to SSH to the bastion instance first, while end users reach your server through the load balancer.
