Notes from initial research on VPC

Amazon Virtual Private Cloud


In 2006 Amazon EC2 was launched.

Later they also provided

In 2009 Amazon VPC was launched.

In 2011 marked enhancements to EC2.

The same year also saw updates to VPC.

March 2013 saw the launch of default VPC to EC2.


Notes from the AWS ReInvent video



Internet Gateway

Authorizing Traffic: Network ACLs Security Groups

Network ACLs

Security Groups

Example Rule:

For the web server instances

Type      Protocol    Port    Source 
HTTP(80)  TCP         80

For the backend services

Type            Protocol    Port    Source 
Custom Rule     TCP         2365    sg-123456


Connectivity Options for VPC (aside from just internet connections)

Three examples

Subnet Routing

In the example given above you can put your web server instances and backend servers into different subnets. In one subnet you can have a route to the internet and the other subnet has no route to the internet. This allows you to be sure that your backend end instances will have no way of being accessible from the internet. It may happen that you may want to allow internet traffic to your backend servers. What you can then do is setup an EC2 instance on the internet connected subnet and have it function as a NAT (Network address translation). Then your backend subnet can have a route of to your NAT EC2 instance which is on your public subnet. Instead of manually setting up your NAT EC2 instance, there is already a NAT AMI for that (amzn-ami-vpc-nat).

Connecting to other VPCs: VPC Peering

There are some scenarios which you may want to run multiple VPCs.

In a large corporate network you may want to give individual teams their own VPC. But you also have commone/core services (such as scanning, logging, monitoring, authentication) in which all teams would have access to.

Connecting to your network: AWS Hardware VPN, AWS Direct Connect

Extend your network to your VPC


A VPN consists of a Customer Gateway which is a network device on one end of the VPN connection and a Virtual Gateway on the VPC side of the VPN connection.

Once you have these setup you get a pair of IPSEC tunnels.

On your VPC create a route to your Corporate Data Center.

Direct Connect

A dedicated line with lower per GB data transfer rates For highest availability use both

DNS in a VPC

In your VPC settings:

Note: When set to yes, your VPC uses Amazon DNS servers

EC2 instances in a VPC using Amazon DNS gets two hostnames:

Amazon Route 53 can allow you to create private hosted zones Private hosted zone - your own world of dns in your VPC Basically you can create a private hosted zone assign it to your VPC and map a domain name to an ip address within your vpc.

VPC Flow Logs

Full meta data dump of all packets to your EC2 instances, not only the packets that succeed but also the packets your security groups are rejecting.

Amazon VPC Endpoints for S3

A wormhole from your VPC to your S3