Amazon Virtual Private Cloud - Amazon EC2 Overview and Networking Introduction for Telecom Companies

Amazon Virtual Private Cloud

Amazon Virtual Private Cloud (Amazon VPC) is the virtual data center in the AWS Cloud. A VPC closely resembles the traditional network that an organization might operate in their own data center, but with all the benefits of elastic and on-demand scaling. Like a traditional data center, VPCs can have public and/or private subnets. Private subnets do not have routes to the internet gateway, but public subnets do. You have complete control over your virtual networking environment, including the selection of your IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.

As in traditional data centers, you can control the flow of inbound and outbound traffic by using network access control lists (NACLs). NACLs act as a firewall for associated subnets and are stateless. To control traffic flow at the instance level, use security groups. Security groups act as firewalls for associated EC2 instances and are stateful, which automatically allows return traffic without needing to define special rules.
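The practical consequence of the stateless/stateful distinction is easiest to see by running a request and its reply through both layers. The model below is an added example, not AWS code: it evaluates NACL rules the way the service does (ascending rule number, first match wins, implicit deny) and gives the security group a connection-tracking table, then sends a constructed HTTPS request from a client on a documentation-range address and checks whether the reply gets back out. Rule layouts mimic the console fields but the evaluator is simplified to TCP port ranges.

```python
"""Stateless NACL vs stateful security group, as a small rule-evaluation model.

Added illustration for this section, not code from the whitepaper or from AWS.
Simplifications: TCP only, no ICMP types, one rule set per direction.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # return-traffic port range a NACL must allow explicitly


@dataclass(frozen=True)
class Rule:
    number: int   # NACLs evaluate in ascending number order; first match wins
    cidr: str
    ports: tuple  # (low, high) inclusive, matched against the destination port
    action: str   # "ALLOW" or "DENY"


def _matches(rule, remote_ip, port):
    return ip_address(remote_ip) in ip_network(rule.cidr) and rule.ports[0] <= port <= rule.ports[1]


def nacl_allows(rules, remote_ip, port):
    """Stateless: the lowest-numbered matching rule decides; no match means the '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, remote_ip, port):
            return rule.action == "ALLOW"
    return False


@dataclass
class SecurityGroup:
    inbound: list = field(default_factory=list)    # allow rules only, unordered
    outbound: list = field(default_factory=list)
    _tracked: set = field(default_factory=set)     # flows seen inbound: (remote_ip, remote_port, local_port)

    def inbound_allowed(self, remote_ip, remote_port, local_port):
        if any(_matches(r, remote_ip, local_port) for r in self.inbound):
            self._tracked.add((remote_ip, remote_port, local_port))  # remember the flow for the reply
            return True
        return False

    def outbound_allowed(self, remote_ip, remote_port, local_port):
        # Stateful: a reply to a tracked inbound flow passes regardless of outbound rules
        if (remote_ip, remote_port, local_port) in self._tracked:
            return True
        return any(_matches(r, remote_ip, remote_port) for r in self.outbound)


def https_exchange(nacl_inbound, nacl_outbound, sg, client_ip="203.0.113.10", client_port=50000):
    """client:<ephemeral> -> instance:443, then the reply instance:443 -> client:<ephemeral>."""
    request = nacl_allows(nacl_inbound, client_ip, 443) and sg.inbound_allowed(client_ip, client_port, 443)
    # The outbound NACL sees the reply's destination port, i.e. the client's ephemeral port
    reply = nacl_allows(nacl_outbound, client_ip, client_port) and sg.outbound_allowed(client_ip, client_port, 443)
    return {"request": request, "reply": reply}


def demo():
    """Three constructed scenarios; returns the per-layer verdict of each."""
    nacl_in = [Rule(100, "0.0.0.0/0", (443, 443), "ALLOW")]
    sg_in = [Rule(0, "0.0.0.0/0", (443, 443), "ALLOW")]  # rule numbers are meaningless for a security group
    ephemeral_out = [Rule(100, "0.0.0.0/0", EPHEMERAL, "ALLOW")]
    return {
        # Inbound 443 allowed, but no outbound ephemeral rule: the reply dies at the subnet boundary
        "no_ephemeral_rule": https_exchange(nacl_in, [], SecurityGroup(inbound=sg_in)),
        # Same, plus the ephemeral outbound rule; the security group has no outbound rule at all
        # and still passes the reply because it tracked the inbound flow
        "ephemeral_rule": https_exchange(nacl_in, ephemeral_out, SecurityGroup(inbound=sg_in)),
        # A lower-numbered DENY for the client's /24 wins over the ALLOW at 100
        "deny_first": https_exchange(
            [Rule(50, "203.0.113.0/24", (443, 443), "DENY")] + nacl_in, ephemeral_out, SecurityGroup(inbound=sg_in)),
    }
```

The `no_ephemeral_rule` case is the classic NACL mistake: inbound looks correct, the instance receives the request, and the client sees a timeout because the reply was never allowed out.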

In addition to public and private IP addresses, it's important to understand the concept of an Elastic IP address and elastic network interface (ENI). An ENI is analogous to a virtual network interface card (NIC), and you can attach multiple ENIs to an instance. You can also move an ENI to another instance in the same subnet. An Elastic IP address is a static public IP address that is applied to an ENI, and it can be associated with another instance after the original instance is terminated. The main reason for Elastic IP addresses is that rules such as ACLs, DNS entries, and the like do not have to change if an instance fails. Multiple Elastic IP addresses (EIPs) can be applied to an ENI. The concept of Elastic IP addresses is particularly useful when designing high availability workloads, where an Elastic IP address gets assigned as a secondary IP address of an active instance. That instance is then continuously monitored through CloudWatch tools, and the Elastic IP address can be switched through a script or API call to another instance, should a failure occur.
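The "script or API call" that moves the address is short, but the details that make it safe in production are the ones worth showing: re-associating an EIP that is still bound to the failed ENI requires `AllowReassociation`, and a repeated alarm must not flap the address back and forth. The example below is added here and is not code from the whitepaper. `failover_eip` issues the two calls a boto3 EC2 client exposes (`describe_addresses`, `associate_address`); `FakeEC2` is a constructed in-memory stand-in so the logic runs offline, and the allocation and ENI identifiers are placeholders. The health check is injected as a callable, standing in for whatever CloudWatch alarm or probe triggers the script.

```python
"""Elastic IP failover from an active ENI to a standby ENI.

Added illustration for this section, not code from the whitepaper or from AWS.
In production `ec2` would be boto3.client("ec2"); FakeEC2 mimics only the two
calls used here. All resource IDs are placeholders.
"""


class FakeEC2:
    """Constructed stand-in for a boto3 EC2 client, backed by a dict."""

    def __init__(self, allocation_id, active_eni):
        self.addresses = {allocation_id: {"AllocationId": allocation_id,
                                          "PublicIp": "198.51.100.7",        # documentation range
                                          "NetworkInterfaceId": active_eni,
                                          "AssociationId": "eipassoc-0"}}
        self.calls = []          # audit trail of API calls, useful when testing the script
        self._assoc_counter = 0

    def describe_addresses(self, AllocationIds):
        self.calls.append(("describe_addresses", tuple(AllocationIds)))
        return {"Addresses": [self.addresses[a] for a in AllocationIds]}

    def associate_address(self, AllocationId, NetworkInterfaceId, AllowReassociation=False):
        self.calls.append(("associate_address", AllocationId, NetworkInterfaceId, AllowReassociation))
        addr = self.addresses[AllocationId]
        if addr.get("NetworkInterfaceId") and not AllowReassociation:
            # The real API rejects this with Resource.AlreadyAssociated; modelled as a plain exception
            raise RuntimeError("Resource.AlreadyAssociated")
        self._assoc_counter += 1
        addr["NetworkInterfaceId"] = NetworkInterfaceId
        addr["AssociationId"] = f"eipassoc-{self._assoc_counter}"
        return {"AssociationId": addr["AssociationId"]}


def current_eni(ec2, allocation_id):
    """ENI the EIP is currently bound to, or None if it is unassociated."""
    addr = ec2.describe_addresses(AllocationIds=[allocation_id])["Addresses"][0]
    return addr.get("NetworkInterfaceId")


def failover_eip(ec2, allocation_id, standby_eni, active_is_healthy):
    """Move the EIP to the standby ENI only when the active side is unhealthy.

    Returns 'healthy', 'already-on-standby' or 'moved'. The second outcome keeps the
    script idempotent: a repeated alarm for the same failure must not re-issue the call.
    """
    if active_is_healthy():
        return "healthy"
    if current_eni(ec2, allocation_id) == standby_eni:
        return "already-on-standby"
    ec2.associate_address(AllocationId=allocation_id,
                          NetworkInterfaceId=standby_eni,
                          AllowReassociation=True)  # EIP is still bound to the failed ENI
    return "moved"


def demo():
    """Walk through healthy, first failure, and a repeated alarm; return the outcomes and final ENI."""
    ec2 = FakeEC2("eipalloc-PLACEHOLDER", active_eni="eni-ACTIVE-PLACEHOLDER")
    outcomes = [
        failover_eip(ec2, "eipalloc-PLACEHOLDER", "eni-STANDBY-PLACEHOLDER", lambda: True),
        failover_eip(ec2, "eipalloc-PLACEHOLDER", "eni-STANDBY-PLACEHOLDER", lambda: False),
        failover_eip(ec2, "eipalloc-PLACEHOLDER", "eni-STANDBY-PLACEHOLDER", lambda: False),
    ]
    return outcomes, current_eni(ec2, "eipalloc-PLACEHOLDER")
```

The principal that runs this script needs only `ec2:DescribeAddresses` and `ec2:AssociateAddress`, scoped to the allocation and the two ENIs, so a compromised monitoring host cannot be used to re-point arbitrary addresses.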

External connectivity options for VPCs include the following:

  • An internet gateway is a horizontally scaled, highly available VPC component that allows communication between your instances in a VPC and the internet.

  • A NAT gateway enables instances in a private subnet to connect to the internet or other AWS services, but prevents an internet request from initiating a connection with those instances.

  • A virtual private gateway (VGW) is the anchor on the AWS side of a VPN connection between Amazon VPC and the customer environment. For a VPN connection between a VPC and an on-premises environment, the VGW connects to the customer gateway, which can be a hardware or software appliance.
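What makes a subnet public or private, and which of the gateways above a packet is handed to, is decided entirely by the subnet's route table. The lookup below is an added example, not AWS code: it applies the longest-prefix match a VPC route table uses, always includes the implicit `local` route for the VPC CIDR, and classifies a subnet as public when its default route targets an internet gateway. Target identifiers follow AWS's `igw-`/`nat-`/`vgw-`/`pcx-` naming but are placeholders, and the sample routes are constructed.

```python
"""Route-table lookup and public/private subnet classification.

Added illustration for this section, not code from the whitepaper or from AWS.
Routes are (prefix, target) pairs; target IDs are placeholders in AWS naming style.
"""
from ipaddress import ip_address, ip_network

VPC_CIDR = "10.0.0.0/16"

# Constructed sample tables
PUBLIC_RT = [("0.0.0.0/0", "igw-PLACEHOLDER")]
PRIVATE_RT = [("0.0.0.0/0", "nat-PLACEHOLDER"),        # outbound-only internet via NAT gateway
              ("192.168.0.0/16", "vgw-PLACEHOLDER"),   # on-premises range via the VPN
              ("10.1.0.0/16", "pcx-PLACEHOLDER")]      # a peered VPC


def lookup(routes, vpc_cidr, dest_ip):
    """Return the target for dest_ip: most specific prefix wins; None means no route (dropped)."""
    table = dict(routes)
    table[vpc_cidr] = "local"   # implicit route, present in every table and not removable
    best_net, best_target = None, None
    for prefix, target in table.items():
        net = ip_network(prefix)
        if ip_address(dest_ip) in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def subnet_kind(routes):
    """'public' if the default route goes to an internet gateway, otherwise 'private'."""
    return "public" if dict(routes).get("0.0.0.0/0", "").startswith("igw-") else "private"


def trace(routes, vpc_cidr, destinations):
    """Map each destination to its route target, handy when reviewing a table."""
    return {ip: lookup(routes, vpc_cidr, ip) for ip in destinations}
```

A subnet whose table has no default route at all (`lookup([], VPC_CIDR, ...)` returns `None` for internet addresses) is the strongest isolation the route table alone provides: traffic to anything outside the VPC is simply dropped.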

All of these building blocks are represented in the following figure to illustrate how they relate to traditional networking constructs and connectivity.

Figure 11 – Sample connectivity diagram between Amazon VPC and on-premises environment with DX and VPN connectivity

You can establish connectivity between two different VPCs by using a VPC peering connection. VPC peering allows instances in either VPC to communicate with each other as if they were within the same network. VPCs can be in different Regions and belong to different accounts. Since VPC peering is effectively point-to-point connectivity, it can be operationally costly and cumbersome to use without the ability to centrally manage the connectivity policies. That was the primary reason for introducing AWS Transit Gateway.