UNIT – 4 AWS VPC
PART-I
- Prof. Prachi Jain
SYLLABUS
• What is VPC
• Architecture of VPC
• VPC Direct Connect
• NAT Gateways
• How to create NAT Gateway
• VPC Private and Public Subnet
• What is a Bastion Host
• Architecture of Bastion Host
• VPC Endpoint and VPC Flow Log.
• VPC NACL
Amazon VPC (Virtual Private Cloud)
• Amazon VPC (Virtual Private Cloud) is like your own private data
center inside the AWS cloud. It lets you launch servers (EC2 instances)
in an isolated, secure network that you fully control.
• Within a VPC, you can:
• Create public or private subnets,
• Set access rules using security groups and network ACLs,
• Control IP addresses, route tables, and internet gateways,
• Decide whether your servers connect to the internet or stay private.
• It is a customizable and secure environment to run your applications,
databases, and services just like building your own network inside the
cloud.
EXAMPLE
• The entire office building = VPC (a private space where everything is managed
securely)
• Different departments like Editorial, Development, HR = Subnets (some open for
external interaction, some private for internal work)
• Security guards at every gate = Security Groups and Firewalls (deciding who can enter
or leave)
• The internet connection for employees and visitors = Internet Gateway (allowing
public access where needed)
• Private tunnels connecting to partner companies = VPN or Direct Connect (secure,
private connections to other trusted networks)
Core Components of Amazon VPC
The following are the components of Amazon VPC:
• 1. VPC
• Amazon Virtual Private Cloud (Amazon VPC) lets you launch AWS resources into a virtual network you define. This virtual network closely mimics a conventional network that you would operate in your own data center, while using the scalable infrastructure of AWS. The largest user-defined address space for a VPC is a /16 (65,536 addresses).
• 2. Subnets
• A subnet divides the large network into smaller, logically separated networks
• You can create up to 200 subnets.
• Some subnets can be public (accessible from the internet), and some can be private (only
internal communication).
• This helps you control traffic and increase security within your VPC.
• 3. Route Tables
• Route Tables define how traffic is routed between subnets. They tell data where to go inside your VPC, for example whether to stay within a private network or head out to the internet.
• Each subnet must be associated with a route table.
• Routes define the direction of traffic based on IP addresses.
• 4. Network Access Control Lists
• Network Access Control Lists (NACL) for VPC serve as a firewall by managing both inbound
and outbound rules. There will be a default NACL for each VPC that cannot be deleted.
• 5. Internet Gateway(IGW)
• The Internet Gateway (IGW) will make it possible to link the resources in the VPC to the
Internet allowing resources like web servers to be accessed publicly. Without an IGW, your
VPC cannot communicate with the internet.
• 6. Network Address Translation (NAT)
• A NAT Gateway allows instances in private subnets to initiate outbound internet connections,
without allowing inbound access from the internet. It allows instances in a private subnet to
access the internet outbound (like downloading updates) while keeping them hidden from
outside users.
• Amazon Virtual Private Cloud (Amazon VPC) lets customers provision
a private, isolated section of the Amazon Web Services (AWS) Cloud
where they can launch AWS resources in a virtual network using
customer-defined IP address ranges.
• Amazon VPC provides customers with several options for connecting
their AWS virtual networks with other remote networks.
• Amazon VPC provides multiple network connectivity options for you
to use, depending on your current network designs and
requirements.
• These connectivity options include using either
• the internet or
• an AWS Direct Connect connection as the network backbone and
• terminating the connection into AWS or user-managed network endpoints.
AWS Direct Connect
• AWS Direct Connect enables a direct, dedicated connection between your
internal network and AWS, bypassing internet service providers for a faster,
more secure link.
• This setup uses a high-speed Ethernet fiber-optic cable which connects
directly from your network's router to an AWS Direct Connect router at an
AWS location.
• With this dedicated connection, you can create virtual interfaces to access
AWS services, such as Amazon S3 or Amazon VPC in a streamlined manner.
What is AWS Direct Connect?
• AWS Direct Connect is a cloud service that provides businesses with
a secure, high-bandwidth, and low-latency connection from their on-
premises infrastructure directly to AWS services.
• By bypassing the public internet, it ensures private, more reliable, and
secure data transfer.
• This direct connection is typically set up using fiber-optic cables or
Ethernet links to AWS Direct Connect locations, ensuring better
network performance and security for mission-critical applications.
How AWS Direct Connect Works
• AWS Direct Connect works by creating a dedicated physical connection
between your on-premises network and an AWS Location.
• This connection uses fiber and Ethernet cables to link your network directly to an AWS router, avoiding the public internet.
• Once the physical connection is in place, a virtual interface (VIF) is set up to
create a secure connection between your network and AWS, allowing you to
access AWS services easily and securely.
Setting Up AWS Direct Connect
The following are steps to be followed to set up a Direct Connect connection to your on-premises network or data
center:
Step 1: Connect an AWS Direct Connect Location
Select an AWS Direct Connect location that is closest to your infrastructure. AWS provides a list of available
locations on the Direct Connect portal.
Step 2: Select a Network Service Provider
• Pick a network service provider from the AWS Direct Connect Partners page.
• This provider will bridge the connection between your on-premises network and AWS.
• When choosing, consider factors like bandwidth and location.
Step 3: Provision a Dedicated Network Connection
• Provision a dedicated network connection between your infrastructure and the chosen service provider’s
location.
• This physical link ensures the high performance and reliability of your AWS connection.
Step 4: Configure the Virtual Interface
• Log in to the AWS Management Console and navigate to Direct Connect.
• Create a virtual interface by providing the VLAN ID, routing, and other configuration details.
• Once completed, your AWS Direct Connect connection will be ready to access AWS services such as Amazon VPC and storage services.
AWS Management Console -> Direct Connect -> Create virtual interface
1. Log in to the AWS Management Console.
2. Navigate to the Direct Connect section.
3. Create a virtual interface by providing the VLAN ID, routing and other required details.
After configuring the virtual interface you can access the various AWS services, such as creating a VPC (Virtual Private Cloud), storage and many more.
Components of AWS Direct Connect
• Direct Connect Location: Physical data centers where the Direct
Connect connection is established.
• Cross Connect: The physical cable linking your network to the Direct
Connect location.
• Virtual Interface (VIF): Logical connections over Direct Connect for
accessing AWS services, either private or public.
• Direct Connect Gateway: Routes traffic between your on-premises
network and multiple VPCs across AWS regions.
• Router/Customer Gateway: On-premises router connecting to Direct
Connect, typically using BGP for routing.
Benefits of Using AWS Direct Connect
• It provides a connection with high bandwidth and low latency, which increases reliability and performance.
• Because the dedicated private connection bypasses the public internet entirely, it adds to the security of your connection.
• Data transfer over AWS Direct Connect is very cost-effective compared to using the typical public network.
Monitoring Tools
• To ensure optimal performance, AWS offers several monitoring tools for Direct
Connect:
• Tagging: Apply key-value tags to organize and manage your Direct Connect
resources.
• CloudTrail Integration: Track all Direct Connect API calls as events for auditing
and troubleshooting.
• CloudWatch Metrics and Alarms: Monitor key metrics like bandwidth usage and
latency, and set up alerts for any unusual activity.
Pricing of AWS Direct Connect
• There is no minimum setup fee for AWS Direct Connect; you pay for what you use.
• Pricing is based on the following factors:
• 1. Capacity: the maximum rate at which data can be transferred through the connection, measured in megabits per second (Mbps) or gigabits per second (Gbps).
• 2. Data Transfer Out (DTO): the total traffic sent out of AWS to your network, charged per gigabyte (GB).
• 3. Data Transfer In (DTI): the opposite of DTO, the total traffic received by AWS from outside.
• 4. Port hours: the time for which a port is allocated for your use with AWS. You are charged for port hours even when no data transfer is happening. Port hours depend on whether the connection is a dedicated connection or a hosted connection.
• Dedicated connections: physical connections from a port on your premises to a port on the AWS network. They are billed for as long as they are allocated for use; you request a dedicated connection through the AWS Direct Connect section of the AWS Management Console.
• Hosted connections: logical connections that you request by contacting your Delivery Partner directly.
[ Dedicated = direct, physical, owned by you.
Hosted = indirect, shared, provided via a partner.]
NAT Gateways
• Network Address Translation (NAT) is a process in which one or more local IP addresses are translated into one or more global IP addresses, and vice versa, in order to provide Internet access to the local hosts.
• NAT generally operates on a router or firewall.
• A Router is a networking device that connects multiple networks, directing data traffic between them by finding the best path.
• Routers focus on connectivity and data routing.
• Whereas a firewall is a security device that monitors and filters network traffic, blocking unauthorized access based on predefined rules.
• Firewalls focus on protecting the network from threats.
Types of Network Address Translation (NAT)
• Static NAT
• One-to-one mapping: single private IP ↔ single public IP.
• Commonly used for web hosting (where one server needs to be reachable from outside).
• Not practical for large organizations (requires one public IP per device).
• Example: 3000 devices → 3000 public IPs needed → very costly.
• Dynamic NAT
• Maps private IPs to a pool of public IPs.
• Only works if a public IP is available in the pool.
• If all public IPs in the pool are in use → extra requests are dropped.
• Example: Pool of 2 public IPs → only 2 private IPs can access the Internet at the same time.
• Used when the number of users needing Internet access is fixed but limited.
• Still costly (organization must buy multiple global IPs).
• Port Address Translation (PAT) / NAT Overload
• Many private IPs mapped to one public IP using different port numbers.
• Port numbers identify which traffic belongs to which device.
• Most common and cost-effective NAT type.
• Thousands of users can share a single public IP address.
Feature | Static NAT | Dynamic NAT | Port Address Translation (PAT)
Mapping | One private IP ↔ one public IP (1:1) | One private IP ↔ one public IP from a pool | Many private IPs ↔ one public IP (via different ports)
Public IP Requirement | Needs one public IP per device | Needs a pool of public IPs | Needs only one public IP for many devices
Scalability | Not scalable (costly for large orgs) | Limited scalability (depends on pool size) | Highly scalable (supports thousands of devices)
Cost | Very costly (large number of public IPs needed) | Costly (still requires multiple public IPs) | Cost-effective (only one public IP required)
Usage | Common in web hosting (server access) | Used when fixed/limited users need access | Most commonly used in organizations & ISPs
If IPs Exhausted | Not applicable (always one-to-one) | Packets dropped when pool is full | Not an issue (different ports handle traffic)
Security | Provides basic privacy (hides internal IPs) | Provides privacy but limited by pool | Provides privacy + efficient traffic handling
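The three NAT types compared above, as a small Python simulation added here for illustration; it is not AWS code and is not part of the original slides. The addresses (203.0.113.x as public, 10.0.1.x as private) are constructed documentation-range values. The translation table shows the pool exhaustion of dynamic NAT, the port-based multiplexing of PAT, and why an unsolicited inbound packet has nowhere to go under PAT while a static mapping stays reachable from outside.

```python
from itertools import count


class NatTable:
    """Toy NAT translation table for the three NAT types in the slides.

    mode 'static'  : fixed one-to-one map, one public IP per private host
    mode 'dynamic' : first-come allocation from a pool of public IPs; the pool can run dry
    mode 'pat'     : one public IP shared by all hosts, disambiguated by translated port
    """

    def __init__(self, mode, public_ips, static_map=None):
        self.mode = mode
        self.pool = list(public_ips)
        self.static_map = dict(static_map or {})
        self.active = {}              # (private_ip, private_port) -> (public_ip, public_port)
        self.leases = {}              # dynamic mode: public_ip -> private_ip currently holding it
        self.next_port = count(1024)  # pat mode: next translated source port
        self.dropped = 0

    def translate(self, private_ip, private_port):
        """Outbound packet: return the (public_ip, public_port) it leaves with, or None if dropped."""
        key = (private_ip, private_port)
        if key in self.active:
            return self.active[key]
        if self.mode == "static":
            public_ip = self.static_map.get(private_ip)
            if public_ip is None:          # no 1:1 entry for this host: nothing to translate to
                self.dropped += 1
                return None
            mapping = (public_ip, private_port)
        elif self.mode == "dynamic":
            public_ip = next((p for p, owner in self.leases.items() if owner == private_ip), None)
            if public_ip is None:
                free = [p for p in self.pool if p not in self.leases]
                if not free:               # pool exhausted: the slides' "extra requests are dropped"
                    self.dropped += 1
                    return None
                public_ip = free[0]
                self.leases[public_ip] = private_ip
            mapping = (public_ip, private_port)
        elif self.mode == "pat":
            # Every flow gets its own port on the single shared public IP.
            mapping = (self.pool[0], next(self.next_port))
        else:
            raise ValueError(f"unknown NAT mode {self.mode!r}")
        self.active[key] = mapping
        return mapping

    def inbound(self, public_ip, public_port):
        """Inbound packet: return the (private_ip, private_port) it is delivered to, or None.

        Static NAT is bidirectional, so a mapped public IP is always reachable.
        Dynamic NAT and PAT only deliver replies to flows the private host started.
        """
        if self.mode == "static":
            for private_ip, mapped_public in self.static_map.items():
                if mapped_public == public_ip:
                    return (private_ip, public_port)
            return None
        for private, public in self.active.items():
            if public == (public_ip, public_port):
                return private
        return None


if __name__ == "__main__":
    pat = NatTable("pat", ["203.0.113.1"])
    for host in ("10.0.1.10", "10.0.1.11", "10.0.1.12"):
        print(host, "->", pat.translate(host, 40000))
    print("reply to port 1025 goes to", pat.inbound("203.0.113.1", 1025))
    print("unsolicited packet to port 22 goes to", pat.inbound("203.0.113.1", 22))
```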
Network Address Translation Examples
• Here are some examples of Network Address Translation.
• Scenario 1 – Connecting a Private Network to the Internet
• A router uses Network Address Translation (NAT) to connect private networks to
the internet.
• NAT converts private IP addresses of internal devices into a public IP address.
• Internal devices can communicate with external systems without exposing their
original IP.
• Privacy and security are enhanced since internal IP addresses remain hidden.
• Scenario 2 – Linking Multiple Office Locations
• NAT helps connect multiple office locations into a unified network.
• NAT translates the IP addresses of devices at each site.
• Employees at different sites can interact as if on a single network.
• Internal IP structures remain private and secure.
• Ensures seamless collaboration across office locations.
Network Address Translation Techniques
• The Network Address Translation (NAT) mechanism often called "natting"
is a router feature commonly integrated into corporate firewalls.
• NAT gateways can map IP addresses in various ways, including:
• Static Mapping: Mapping a specific local IP address to a single global IP
address.
• IP Masquerading: Hiding an entire range of private IP addresses behind a
single public IP address.
• Translation Table Mapping: Using a translation table to allow a large
private network to share a single public IP address.
• Port Address Translation (PAT): Mapping a local IP address and a
specific TCP/UDP port to a global IP address or a pool of public IP
addresses.
• Round-Robin Mapping: Distributing incoming connections from a single
global IP address to a pool of local IP addresses in a round-robin fashion.
Benefits Of AWS NAT Gateway
• NAT Gateways provide several benefits for users of Amazon Web Services (AWS). Some of the key benefits
include:
• Improved security: NAT Gateways enable instances in private subnets to access the Internet while
preventing Internet-based access to those instances. This helps to improve security by reducing the attack
surface of your VPC.
• Simplified network architecture: NAT Gateways allow you to simplify your network architecture by
eliminating the need for a bastion host or VPN connection to access instances in private subnets.
• Automatic scaling: NAT Gateways are automatically scaled based on your usage, so you don't have to worry
about managing the service yourself.
• High availability: NAT Gateways are designed for high availability, with multiple redundant gateways in
each Availability Zone to ensure that traffic continues to flow even if one gateway goes offline.
• Cost-effective: NAT Gateways are cost-effective, with pay-as-you-go pricing and no upfront costs. They also offer a lower-cost alternative to using a VPN (Virtual Private Network) connection or a bastion host to reach private instances.
Pricing Of AWS NAT Gateway
• The NAT Gateway is charged on an hourly basis for as long as it is provisioned, plus a charge for the amount of data it processes.
• Data Transfer: AWS NAT Gateway is charged based on the amount of data transferred out of the private subnet to the internet through the NAT Gateway.
• NAT Gateway Endpoints: AWS NAT Gateway is charged for every NAT Gateway you have provisioned, whether or not it is in use.
How to create NAT Gateway
• Basic Terms:
• NAT Gateway: a NAT Gateway is a service that allows private subnets in a VPC to reach outside networks and services while preventing outside networks from initiating access to them.
• VPC (Virtual Private Cloud): a Virtual Private Cloud is an isolated cloud environment hosted within the public cloud.
• Inbound Traffic: traffic generated by outside networks towards internal services.
• Outbound Traffic: traffic generated inside the network to access outside services.
How to create NAT Gateway
• Step 1: Open the Amazon VPC console.
• Step 2: In the navigation pane, choose "NAT Gateways".
• Step 3: Choose "Create NAT Gateway".
• Step 4: Select the subnet where you want to create the NAT Gateway.
• Step 5: Choose an existing Elastic IP address or create a new one.
• Step 6: Choose "Create NAT Gateway".
VPC Private and Public Subnet
Feature | Public Subnet | Private Subnet
Definition | A subnet that has a route to the internet via an Internet Gateway. | A subnet that does not have a direct route to the internet.
Internet Access | Direct access to the internet via Internet Gateway. | No direct access; can connect via a NAT Gateway for outbound traffic.
Use Cases | Web Servers, Bastion Hosts, Load Balancers | Databases, Internal Application Servers, Batch Processing
Route Table Configuration | Route table includes a route to an Internet Gateway (0.0.0.0/0). | Route table does not include a route to the Internet Gateway.
Security | Less secure due to direct internet exposure. | More secure as it is isolated from the internet.
NAT Gateway Usage | Not required for internet access. | Required for outbound internet access.
Examples of Resources | Public-facing web applications, VPN servers | Backend databases, Internal APIs, Application servers
Accessibility | Accessible from the internet. | Not directly accessible from the internet.
Example | A public-facing EC2 instance hosting a website. | A database server in a backend subnet accessible only by app servers.
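The route-table distinction in the comparison above, as an added Python example that is not part of the original slides and not AWS code. The route tables and target ids (igw-PLACEHOLDER, nat-PLACEHOLDER) are constructed placeholders; only the prefixes igw- and nat- follow AWS's real id naming. The lookup implements longest-prefix match, which is how a VPC route table chooses between the local route and a default route, and the classifier applies the slides' rule: a subnet is public exactly when its 0.0.0.0/0 route points at an Internet Gateway.

```python
import ipaddress

# Constructed route tables (placeholder target ids; not from the slides or a real account).
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")]
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")]
ISOLATED_RT = [("10.0.0.0/16", "local")]   # no default route at all


def lookup_route(route_table, dst_ip):
    """Pick the target for dst_ip by longest-prefix match, as a VPC route table does."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify_subnet(route_table):
    """Public exactly when the default route (0.0.0.0/0) points at an Internet Gateway (igw-...)."""
    for cidr, target in route_table:
        if cidr == "0.0.0.0/0" and target.startswith("igw-"):
            return "public"
    return "private"


def describe_egress(route_table, dst_ip):
    """Explain how a packet to dst_ip leaves the subnet, or that it cannot."""
    target = lookup_route(route_table, dst_ip)
    if target is None:
        return "no route (dropped)"
    if target == "local":
        return "stays inside the VPC"
    if target.startswith("igw-"):
        return "direct to the internet via Internet Gateway"
    if target.startswith("nat-"):
        return "outbound only via NAT Gateway"
    return f"via {target}"


if __name__ == "__main__":
    for name, rt in (("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)):
        print(name, classify_subnet(rt),
              "| to 10.0.5.9:", describe_egress(rt, "10.0.5.9"),
              "| to 203.0.113.9:", describe_egress(rt, "203.0.113.9"))
```

The isolated table is the case the slides' wording hides: a private subnet with no NAT route cannot reach the internet at all, while one with a NAT route gets outbound-only access.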
• An Internet Gateway (IGW) is a horizontally scaled, redundant, highly available
AWS VPC component that allows communication between resources in your VPC
(like EC2 instances) and the public internet.
Analogy:
• Think of your VPC as a house:
• Inbound access = someone knocking on your door to visit you.
• Outbound access = you stepping outside to visit someone else.
• Internet Gateway (IGW) = the main gate of your house.
• NAT Gateway = a private tunnel that lets you go out but keeps others from entering
directly.
Bastion Host
• A Bastion Host is a special-purpose EC2 instance designed to provide secure access to resources
(like EC2 instances) in a private subnet.
• It is also called a Jump Box because users “jump” through it to reach private servers.
• It acts as a gateway between an external network (internet) and the private network (VPC
private subnet).
• Main Function:
Allows administrators or authorized users to securely connect to private instances that do not
have public IP addresses.
• Location in VPC:
The Bastion Host is deployed in a Public Subnet so it can be accessed from the internet.
• It allows a user to connect to a private network from an external network and acts as a proxy to the other instances.
• SSH (Secure Shell): a cryptographic network protocol used for secure remote login and for transferring encrypted data over a network.
• RDP (Remote Desktop Protocol) is a Microsoft-developed network
communication protocol that allows a user to remotely connect and
control another Windows-based computer or server over a network
connection.
Bastion host Architecture
• Purpose:
A Bastion Host provides a secure entry point into the private network from an external network (internet).
• It acts as a gateway that allows administrators to access instances in private subnets safely.
• Dual IP Configuration:
The Bastion Host has both:
• External (Public) IP → for internet access.
• Internal (Private) IP → to connect to internal instances in private subnets.
• Connection Flow:
• User connects to the Bastion Host using SSH or RDP (via public IP).
• Then, from the Bastion Host, the user connects to private EC2 instances that have no public IPs.
• Architecture Requirements:
• A VPC configured with Public and Private Subnets.
• An Internet Gateway (IGW) attached to the VPC, allowing the Bastion Host to communicate with the internet.
• The setup can span multiple Availability Zones for high availability.
• Auto Scaling Group for Bastion EC2 instances to maintain availability and scalability.
• Elastic IP addresses: one for each Bastion instance.
• Amazon CloudWatch: to monitor and store Bastion Host shell logs for auditing and troubleshooting.
• Security Groups: to strictly control inbound (SSH/RDP) and outbound (private subnet) access, ensuring secure operations.
• Working Summary:
• Users first log in to the Bastion Host (public subnet).
• From there, they access internal EC2 instances (private subnet).
VPC Endpoint
• Before VPC Endpoints were introduced, even resources in a private subnet had to go through the internet or use a NAT Gateway to reach AWS services.
• This increases cost and security risks, and slows down connections.
• VPC Endpoints were introduced to solve these issues.
• With AWS VPC Endpoint, your application can connect to AWS services privately
and securely without using the internet, a NAT gateway, VPN, or Direct Connect.
• Now, everything will stay within the AWS network, which makes it faster, more
secure, and cheaper.
• It’s a great way to improve your cloud setup, especially for businesses that need
strong performance and security.
• Advantages of using VPC Endpoints:
• Cost Reduction
• Increased Security
• Improved Performance
• Simple Configuration
• VPC endpoints use Elastic Network Interfaces (ENIs) to securely connect
resources inside your VPC to AWS services.
• These endpoints essentially act as virtual network devices, providing high
availability and scalability within your VPC.
• There are two types of VPC endpoints:
• Gateway Endpoints
• Interface Endpoints
1. Gateway Endpoints
• A VPC Gateway Endpoint is a way to connect your VPC to an AWS service like S3 or DynamoDB without going through the public internet or needing to set up a VPN connection.
• This helps improve security and can also improve network performance, since the traffic stays within the AWS network.
• So if you want to use S3 or DynamoDB from inside a VPC, a Gateway Endpoint is recommended over an Internet Gateway, NAT, or any other route, because it improves both security and latency for the application traffic.
2. Interface Endpoints
• Interface endpoints enable connectivity to services over AWS PrivateLink.
• These services include some AWS managed services, services hosted by
other AWS customers and partners in their own Amazon VPCs (referred to
as endpoint services), and supported AWS Marketplace partner services.
• The owner of a service is a service provider.
• The principal creating the interface endpoint and using that service is a
service consumer.
Feature | Gateway Endpoint | Interface Endpoint (PrivateLink)
Definition | A gateway that provides a route to specific AWS services within your VPC without using the public internet. | An elastic network interface (ENI) with a private IP that connects your VPC to supported AWS services, other AWS accounts, or on-premises apps.
Connection Type | Routed through the VPC route table. | Uses PrivateLink via ENI (Elastic Network Interface).
Supported Services | Limited: only Amazon S3 and DynamoDB. | Supports many AWS services (e.g., CloudWatch, SNS, SQS, KMS, etc.) and custom/private services.
Configuration | Add an entry in the route table pointing to the gateway. | Creates an ENI in your subnet to connect privately.
Cost | Free (no additional data processing charges). | Charged per endpoint and data processed.
Traffic Flow | Data stays within the AWS network using routing. | Data also stays within the AWS network, but via a private IP interface.
Security | Uses route tables; does not support Security Groups. | Can be protected using Security Groups.
Use Case | Best for private access to S3 or DynamoDB without an internet gateway or NAT. | Best for private access to most other AWS services using PrivateLink.
AWS VPC Flow Logs
• Amazon VPC Flow Logs is a feature that enables you to capture and log the information about the network
traffic going to and from the designated network interfaces within your VPC.
• It can be used as a centralized, single source of information to monitor different network aspects of your
VPC.
• Kinds of VPC Flow Logs
• It is very important to understand what is monitored and how the logs compile the data. Amazon Web Services (AWS) offers flow logging at three separate levels:
• Virtual Private Cloud (VPC): Flow logs can be enabled to a particular VPC and can monitor all the activity
within your cloud environment.
• Subnet: VPCs are often divided into subnets spanning multiple availability zones in a region. A subnet is a
range of IP addresses in your VPC. It can be a private or a public one. Flow Logs can be created for a specific
subnet to monitor all the activity within your subnet.
• Elastic Network Interface (ENI): ENIs are virtual network cards you can attach to your EC2 instances.
They are used to enable network connectivity for your instances. One can monitor and capture full flow logs
from these interfaces to stay ahead of issues like latency and malicious activities.
• VPC Flow Logs Use Cases:
• Network Monitoring: It provides you with real-time visibility into network
throughput and performance
• Network Usage and optimizing network expenses: You can analyze the
network usage and based on the analysis, you can optimize the network traffic
expenses.
• Network Forensics: in case of an incident, you can identify compromised IPs by analyzing all the incoming and outgoing network flows.
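The forensics use case above, as an added Python example that is not part of the original slides and not an AWS tool. The records are constructed in the default flow log layout (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) with a placeholder ENI id and documentation-range addresses; they are not real captured traffic. The parser drops NODATA records, then two small analyses run over the flows: which sources were rejected on many distinct ports (a triage signal for a scan against the interface) and how many bytes each accepted conversation moved in both directions.

```python
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records in the default flow log format (placeholder ENI id; not real traffic).
SAMPLE_LOG = """\
2 123456789012 eni-EXAMPLE1 198.51.100.7 10.0.1.10 51423 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-EXAMPLE1 198.51.100.7 10.0.1.10 51424 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-EXAMPLE1 198.51.100.7 10.0.1.10 51425 445 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-EXAMPLE1 10.0.2.20 10.0.1.10 49152 443 6 20 5600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-EXAMPLE1 10.0.1.10 10.0.2.20 443 49152 6 18 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-EXAMPLE1 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format flow log lines into dicts, skipping records that carry no flow."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                       # malformed or differently formatted line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":      # NODATA / SKIPDATA have '-' in every flow field
            continue
        for field in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def rejected_ports_by_source(records):
    """Distinct destination ports on which each source address was REJECTed."""
    out = {}
    for rec in records:
        if rec["action"] == "REJECT":
            out.setdefault(rec["srcaddr"], set()).add(rec["dstport"])
    return out


def flag_port_sweeps(records, min_ports=3):
    """Sources rejected on at least min_ports distinct ports: a simple indicator worth triaging."""
    by_source = rejected_ports_by_source(records)
    return sorted(src for src, ports in by_source.items() if len(ports) >= min_ports)


def bytes_per_conversation(records):
    """Total ACCEPTed bytes per unordered address pair, so both directions are summed together."""
    totals = {}
    for rec in records:
        if rec["action"] == "ACCEPT":
            key = tuple(sorted((rec["srcaddr"], rec["dstaddr"])))
            totals[key] = totals.get(key, 0) + rec["bytes"]
    return totals


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(len(recs), "flow records")
    print("rejected ports by source:", rejected_ports_by_source(recs))
    print("sources to triage:", flag_port_sweeps(recs))
    print("bytes per conversation:", bytes_per_conversation(recs))
```

Protocol is the IANA number (6 is TCP), and the two ACCEPT lines are the two halves of one TLS conversation: flow logs record each direction as its own flow, which is why the conversation view sums the pair.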
VPC NACL
Key Concepts and Terminologies
• Rule Number:
• Rules can be numbered starting from 1 to 32766.
• It is evaluated in ascending order, which means from lower to higher.
• If the traffic matches a lower-numbered rule, that rule is applied regardless of any higher-numbered rule that contradicts it.
• Protocol:
• You can specify the protocol of the traffic that should match (EX: ICMP,TCP).
• Port Number:
• To specify the listening port.(Ex: Port 80 for HTTP)
• Source:
• For inbound rules only: specifies the source CIDR range from which traffic is allowed or denied.
• Destination:
• For outbound rules only: specifies the destination CIDR range to which traffic is allowed or denied.
• Type:
• The type of traffic can be All traffic or specific such as "SSH".
• Allow/Deny:
• To Specify whether to allow or deny the traffic.
CIDR stands for
• Classless Inter-Domain Routing
• It is a method used to allocate IP addresses and define network
boundaries more efficiently than traditional IP classes.
• CIDR notation specifies:
• The network address, and
• How many bits are used for the network part of the address.
• Eg: <network-address>/24 (the leading 24 bits identify the network, the remaining 8 bits the host)
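The CIDR notation just described, and the /16 limit of 65,536 addresses stated in the VPC component list earlier, worked through with Python's standard ipaddress module. This is an added example, not part of the original slides and not AWS code; the 10.0.0.0/16 VPC and its candidate subnets are constructed values. Besides splitting a block into network and host bits, it checks a subnet plan the way a VPC does (each subnet must sit inside the VPC block and must not overlap another) and applies the AWS rule that five addresses in every subnet are reserved and not usable by instances.

```python
import ipaddress


def cidr_summary(cidr: str) -> dict:
    """Split a CIDR block into network address, network/host bits and address count.

    strict=True rejects a block whose host bits are not all zero (e.g. 10.0.1.5/24),
    mirroring how a VPC or subnet CIDR must name the network address itself.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net.network_address),
        "network_bits": net.prefixlen,
        "host_bits": net.max_prefixlen - net.prefixlen,
        "addresses": net.num_addresses,
        "first": str(net[0]),
        "last": str(net[-1]),
    }


def aws_usable_addresses(cidr: str) -> int:
    """Usable addresses in an AWS subnet: AWS reserves the first four and the last address."""
    return ipaddress.ip_network(cidr).num_addresses - 5


def check_subnet_plan(vpc_cidr: str, subnet_cidrs) -> list:
    """Validate a subnet plan against its VPC: each subnet must lie inside the VPC block
    and must not overlap any other subnet in the plan."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    report = []
    for i, net in enumerate(nets):
        overlaps = [str(other) for j, other in enumerate(nets) if j != i and net.overlaps(other)]
        report.append({
            "subnet": str(net),
            "inside_vpc": net.subnet_of(vpc),
            "overlaps": overlaps,
            "usable": aws_usable_addresses(str(net)),
        })
    return report


if __name__ == "__main__":
    # Constructed example: a /16 VPC (the maximum size the slides mention) carved into subnets,
    # with one overlapping pair and one subnet that falls outside the VPC block.
    print(cidr_summary("10.0.0.0/16"))
    for row in check_subnet_plan("10.0.0.0/16", ["10.0.1.0/24", "10.0.1.128/25", "10.1.0.0/24"]):
        print(row)
```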
• A Network Access Control List (NACL) is a virtual firewall that
controls inbound and outbound traffic at the subnet level in an
Amazon VPC.
• It acts as a stateless layer of security, providing an additional level of
protection to the resources inside subnets.
• Purpose of NACL:
• NACLs allow or deny network traffic to and from subnets in your
VPC.
• They serve as the first line of defense before traffic reaches
individual instances.
• Each subnet in a VPC must be associated with exactly one NACL.
Characteristics of NACLs
Feature | Description
Level of Control | Works at the subnet level (unlike Security Groups, which work at the instance level).
Stateless | Responses to allowed inbound traffic must be explicitly allowed in outbound rules (and vice versa).
Default NACL | Automatically created with every VPC; it allows all inbound and outbound traffic by default.
Custom NACL | Starts with all inbound and outbound traffic denied until rules are added.
Rule Evaluation | Rules are evaluated in ascending order (by rule number). The first matching rule is applied.
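The rule-evaluation and statelessness behaviour described in the NACL sections above, as an added Python model; it is not part of the original slides and not AWS code. The rule sets and addresses (documentation ranges 198.51.100.0/24, 192.0.2.0/24, 203.0.113.0/24) are constructed. The evaluator walks rules in ascending number and stops at the first match, falling through to the implicit deny, and the round-trip check shows why a stateless NACL needs an explicit outbound rule for the clients' ephemeral ports: without it the request is admitted but the reply is dropped.

```python
import ipaddress

# Constructed inbound rule set (documentation-range addresses), not from the slides.
# Rule 90 denies one network before the broad allow at 100; rule 200 tries to deny another
# network AFTER the broad allow and therefore never takes effect.
INBOUND = [
    {"number": 100, "protocol": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0",       "action": "allow"},
    {"number": 90,  "protocol": "tcp", "ports": (443, 443), "cidr": "198.51.100.0/24", "action": "deny"},
    {"number": 200, "protocol": "tcp", "ports": (443, 443), "cidr": "192.0.2.0/24",    "action": "deny"},
]

# Outbound: replies go back to the client's ephemeral source port, so that range must be allowed.
OUTBOUND_WITH_EPHEMERAL = [
    {"number": 100, "protocol": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0", "action": "allow"},
]
# A common mistake: mirroring the inbound rule instead of allowing the ephemeral range.
OUTBOUND_MISSING_EPHEMERAL = [
    {"number": 100, "protocol": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0", "action": "allow"},
]


def evaluate(rules, address, port, protocol):
    """Evaluate one packet against one direction of a NACL.

    Rules are tried in ascending rule number; the first match decides and later rules
    are ignored. No match falls through to the implicit '*' deny that ends every NACL.
    Returns (action, matching rule number).
    """
    packet_ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r["number"]):
        if rule["protocol"] not in ("all", protocol):
            continue
        low, high = rule["ports"]
        if not low <= port <= high:
            continue
        if packet_ip not in ipaddress.ip_network(rule["cidr"]):
            continue
        return rule["action"], rule["number"]
    return "deny", "*"


def round_trip_allowed(inbound, outbound, client_ip, client_port, server_port, protocol="tcp"):
    """A stateless NACL must pass the request inbound AND the reply outbound (to client_port)."""
    request_action, _ = evaluate(inbound, client_ip, server_port, protocol)
    reply_action, _ = evaluate(outbound, client_ip, client_port, protocol)
    return request_action == "allow" and reply_action == "allow"


if __name__ == "__main__":
    for client in ("198.51.100.5", "203.0.113.9", "192.0.2.5"):
        print(client, "-> 443:", evaluate(INBOUND, client, 443, "tcp"))
    print("SSH from 203.0.113.9:", evaluate(INBOUND, "203.0.113.9", 22, "tcp"))
    print("round trip, ephemeral allowed:",
          round_trip_allowed(INBOUND, OUTBOUND_WITH_EPHEMERAL, "203.0.113.9", 50000, 443))
    print("round trip, ephemeral missing:",
          round_trip_allowed(INBOUND, OUTBOUND_MISSING_EPHEMERAL, "203.0.113.9", 50000, 443))
```

The 192.0.2.5 case is the ordering pitfall from the rule-number section: its deny exists, but because the allow at 100 matches first, the deny at 200 is never reached. A deny that must win has to carry a lower number than the allow it overrides.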