Elastic Load Balancing
Developer Guide (API Version 2012-06-01)

Elastic Load Balancing in Amazon VPC

Amazon Virtual Private Cloud (Amazon VPC) lets you define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. Within this virtual private cloud, you can launch AWS resources such as ELB load balancers and EC2 instances.

This section covers information that is specific to creating and managing load balancers launched within Amazon VPC, and provides procedural instructions and examples.

To use load balancers to monitor and route traffic to your EC2 instances launched within VPC, you must create your load balancer within the same VPC as your EC2 instances.

Before you can create your load balancer within a VPC, you must first create a VPC. You define your Amazon VPC by assigning IP addresses in the classless inter-domain routing (CIDR) range of your choice (for example, 10.0.0.0/16). For more information on CIDR and what ‘/16’ means, see Classless Inter-Domain Routing.

You can create a VPC that spans multiple Availability Zones and then add one or more subnets in each Availability Zone. A subnet in Amazon VPC is a subdivision within an Availability Zone defined by a segment of the IP address range of the VPC. A subnet resides entirely within the Availability Zone it was created in. You launch your EC2 instances and load balancers into a subnet you select.

You create a subnet by specifying the CIDR block for the subnet. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC), or a subset (to enable multiple subnets). When you add a new subnet to your VPC, you can optionally set up the routing and security you want for the subnet.

To enable communication between the Internet and the load balancer in your subnet, you must create and attach an Internet gateway (IGW) to your VPC. An Internet gateway enables your load balancer within the subnet to connect to the Internet through the Amazon EC2 network edge. Communication between the clients and your load balancer and also between the load balancer and your back-end instances uses Internet Protocol version 4 (IPv4). Internet Protocol version 6 (IPv6) is currently not available for load balancers in Amazon VPC.

Understanding Public and Private Subnets

Each subnet you create is automatically associated with a route table. The route table controls the routing for the Internet. By default, the subnet is associated with a main route table that enables communication within the VPC. You can change the association of the route table for your subnet at any time. To enable a subnet to communicate with the Internet, you must associate the subnet's route table with the Internet gateway.

If a subnet's traffic is routed to an Internet gateway, the subnet is known as a public subnet. If a subnet's traffic is not routed to an Internet gateway, the subnet is known as a private subnet. Use a public subnet for a load balancer that must be connected to the Internet, and a private subnet for a load balancer that need not be connected to the Internet.

The following figure shows an example of Elastic Load Balancing within Amazon VPC.

[Figure: Load Balancers in VPC]

In this example, Availability Zone 1A has the load balancer in its own subnet and the EC2 instances in another subnet. The load balancer is in a public subnet. This means that the traffic from the subnet is routed to the Internet gateway, which allows the load balancer to communicate with the Internet. The EC2 instances are in a private subnet. This means that the traffic from the subnet is not routed to the Internet gateway. The EC2 instances in the private subnet cannot communicate with the Internet.

In Availability Zone 1B, the load balancer and the EC2 instances are both in the same public subnet. The traffic from the subnet is routed to the Internet gateway. Both the load balancer and EC2 instances can communicate with the Internet. You can configure your VPC architecture either way, depending on your specific security and routing requirements.
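The public/private distinction above can be checked mechanically from route table data. The following is an added example, not part of the original guide: it classifies subnets by whether their effective route table (explicit association, otherwise the main table) has a route to an Internet gateway, and flags placements worth reviewing. The subnet and route table IDs are constructed, and the dictionaries are shaped like an EC2 DescribeRouteTables response.

```python
# Constructed sample data mirroring the two Availability Zone layouts described above.
ROUTE_TABLES = [
    {   # main route table: local traffic only
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # custom route table with a default route to the Internet gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-lb-1a"},
                         {"Main": False, "SubnetId": "subnet-shared-1b"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                   {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}],
    },
]
SUBNETS = ["subnet-lb-1a", "subnet-app-1a", "subnet-shared-1b"]
LB_SUBNETS = {"subnet-lb-1a", "subnet-shared-1b"}         # subnets holding load balancers
INSTANCE_SUBNETS = {"subnet-app-1a", "subnet-shared-1b"}  # subnets holding EC2 instances

def route_table_for(subnet_id, route_tables):
    """An explicit association wins; otherwise the subnet uses the main table."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def is_public(subnet_id, route_tables):
    """A subnet is public if its route table sends traffic to an Internet gateway."""
    rt = route_table_for(subnet_id, route_tables)
    if rt is None:
        return False
    return any(r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"])

def audit(subnets, route_tables, lb_subnets, instance_subnets):
    """Return (subnet, note) pairs for placements that deserve a second look."""
    findings = []
    for s in subnets:
        public = is_public(s, route_tables)
        if s in lb_subnets and not public:
            findings.append((s, "load balancer in a private subnet: no Internet path"))
        if s in instance_subnets and public:
            findings.append((s, "back-end instances in a public subnet: Internet-routable"))
    return findings

if __name__ == "__main__":
    for subnet, note in audit(SUBNETS, ROUTE_TABLES, LB_SUBNETS, INSTANCE_SUBNETS):
        print(subnet, "->", note)
```

With this data only the Availability Zone 1B style subnet is reported, because its instances share the load balancer's public subnet; whether that is acceptable depends on your security requirements.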

If you plan to create more than one subnet in your VPC, be sure to configure the security group rules and network ACLs to allow traffic to be routed between the subnets in your VPC. If your rules are not configured correctly, instances in other subnets may not be reachable by load balancer nodes in a different subnet.

Security for Your Load Balancers and Instances in Amazon VPC

A security group acts as a virtual firewall that controls the traffic allowed into an instance. You create a security group by adding a set of rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.

There is a significant difference between the way security groups function in Amazon VPC and in Amazon EC2. In Amazon EC2, Elastic Load Balancing provides a special Amazon EC2 source security group that you can use to ensure that a back-end Amazon EC2 instance receives traffic only from the ELB load balancers. You cannot modify the source security group.

Within Amazon VPC, you have control over the security groups assigned to your load balancer. Having control over your load balancer's security groups allows you to choose the ports and protocols to accept. For example, in Amazon VPC you can open Internet Control Message Protocol (ICMP) connections for the load balancer to respond to ping requests (however, ping requests will not be forwarded to any registered instances). When creating your load balancer, if you don't specify a particular security group, your load balancer automatically belongs to the VPC's default security group.
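Because you choose the security groups in a VPC, it is worth verifying that each back-end security group admits the load balancer on the instance port without accepting every source. The following is an added example, not part of the original guide: the group IDs, CIDR blocks and the `perm` helper are constructed, and the rule dictionaries follow the shape of an EC2 DescribeSecurityGroups response. It checks security group rules only, not network ACLs.

```python
import ipaddress

LB_SG_ID = "sg-lb-example"          # constructed: security group assigned to the load balancer
LB_SUBNET_CIDRS = ["10.0.0.0/24"]   # constructed: subnet holding the load balancer nodes

def perm(port, cidrs=(), groups=()):
    """Build one inbound TCP permission in DescribeSecurityGroups shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": g} for g in groups]}

INSTANCE_SGS = {   # constructed sample back-end security groups
    "sg-locked":   {"IpPermissions": [perm(80, groups=[LB_SG_ID])]},
    "sg-world":    {"IpPermissions": [perm(80, cidrs=["0.0.0.0/0"])]},
    "sg-ssh-only": {"IpPermissions": [perm(22, cidrs=["10.0.0.0/16"])]},
}

def covers(p, port):
    """True if the permission applies to TCP traffic on the given port."""
    if p["IpProtocol"] == "-1":     # "-1" means all protocols and all ports
        return True
    return p["IpProtocol"] == "tcp" and p["FromPort"] <= port <= p["ToPort"]

def check_backend(sg, port, lb_sg_id=LB_SG_ID, lb_cidrs=LB_SUBNET_CIDRS):
    """Classify a back-end group as OK, OPEN_TO_ANY or UNREACHABLE for one port."""
    lb_nets = [ipaddress.ip_network(c) for c in lb_cidrs]
    reachable = open_to_any = False
    for p in sg["IpPermissions"]:
        if not covers(p, port):
            continue
        # Rule references the load balancer's security group directly.
        if any(g["GroupId"] == lb_sg_id for g in p.get("UserIdGroupPairs", [])):
            reachable = True
        for r in p.get("IpRanges", []):
            net = ipaddress.ip_network(r["CidrIp"])
            if all(n.subnet_of(net) for n in lb_nets):
                reachable = True    # CIDR rule includes every load balancer subnet
            if net.prefixlen == 0:
                open_to_any = True  # 0.0.0.0/0 accepts any IPv4 source
    if not reachable:
        return "UNREACHABLE"
    return "OPEN_TO_ANY" if open_to_any else "OK"

if __name__ == "__main__":
    for name, sg in INSTANCE_SGS.items():
        print(name, check_backend(sg, 80))
```

`UNREACHABLE` corresponds to the misconfiguration described earlier, where instances cannot be reached by load balancer nodes in a different subnet.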
