VPC and Accompanying Features - Logical Separation on AWS

Amazon Virtual Private Cloud (Amazon VPC) enables the creation of a logically separate network enclave within the Amazon Elastic Compute Cloud (Amazon EC2) network that can house compute and storage resources. This environment can be connected to a customer’s existing infrastructure through various means, including a virtual private network (VPN) connection over the Internet, or through AWS Direct Connect, a service that provides private connectivity into the AWS Cloud. Use of a VPC provides organizations with flexibility, security, and complete control of their network presence in the cloud. The customer controls the private environment, including IP addresses, subnets, network access control lists, security groups, operating system firewalls, route tables, VPNs, and internet gateways. Amazon VPC provides robust logical isolation of all customer resources, including their access paths to each other and to AWS services.

Every packet flow on the network is individually authorized against a rule that validates the correct source and destination before the packet is transmitted and delivered. It is highly improbable for information to pass arbitrarily between entities without being specifically authorized by both the transmitting and the receiving entity. If a packet is being routed to a destination and no rule matches it, the packet is dropped. Reply addresses must be valid or the packet is dropped. Moreover, while address resolution protocol (ARP) requests trigger an authenticated database look-up, ARP packets never reach the network, because they are not needed to discover the virtual network topology. This means ARP spoofing is highly improbable on the AWS network. Likewise, placing an interface in promiscuous mode reveals no traffic other than the traffic bound to and from the customer’s own operating system. Customers can set precise rules for traffic ingress and egress, which allow for increased connectivity flexibility and give customers more control over traffic segmentation and routing.
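The following is an added illustration, not code from the whitepaper or from AWS: a small Python model of how a subnet network ACL (stateless, numbered rules evaluated lowest-number-first) and an instance security group (allow-only) decide whether an inbound flow is delivered, with the packet dropped whenever no rule matches. It covers only the inbound direction and omits security-group connection tracking; the rule numbers, CIDRs and ports are constructed for the example.

```python
import ipaddress
from collections import namedtuple

# A flow: source IP, destination IP, protocol ("tcp"/"udp") and destination port.
Packet = namedtuple("Packet", "src dst proto dport")
# A rule: NACL evaluation number (ignored for security groups), "allow"/"deny",
# peer CIDR, protocol ("tcp"/"udp"/"all") and destination port range.
Rule = namedtuple("Rule", "number action cidr proto port_from port_to")

def rule_matches(rule, pkt, peer_ip):
    """A rule matches when protocol, destination port and peer address all match."""
    if rule.proto != "all":
        if rule.proto != pkt.proto or not (rule.port_from <= pkt.dport <= rule.port_to):
            return False
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)

def nacl_inbound_decision(rules, pkt):
    """Subnet NACL: stateless, the lowest-numbered matching rule wins.
    No match behaves like the implicit final '*' deny and the packet is dropped."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, pkt, pkt.src):
            return rule.action
    return "deny"

def sg_ingress_decision(rules, pkt):
    """Instance security group: allow-only, so anything not explicitly allowed is dropped."""
    return "allow" if any(rule_matches(r, pkt, pkt.src) for r in rules) else "deny"

def packet_delivered(nacl, sg, pkt):
    """Inbound delivery needs the subnet NACL and then the instance security group to allow."""
    return nacl_inbound_decision(nacl, pkt) == "allow" and sg_ingress_decision(sg, pkt) == "allow"

# Constructed sample policy for a private subnet (not taken from any real deployment):
# SSH only from the bastion subnet 10.0.1.0/24, HTTPS from anywhere in the VPC, other SSH denied.
PRIVATE_SUBNET_NACL = [
    Rule(100, "allow", "10.0.1.0/24", "tcp", 22, 22),
    Rule(110, "allow", "10.0.0.0/16", "tcp", 443, 443),
    Rule(200, "deny", "0.0.0.0/0", "tcp", 22, 22),
]
APP_SECURITY_GROUP = [
    Rule(0, "allow", "10.0.0.0/16", "tcp", 443, 443),  # web tier reachable from inside the VPC
    Rule(0, "allow", "10.0.1.0/24", "tcp", 22, 22),    # admin access only from the bastion subnet
]

if __name__ == "__main__":
    for pkt in (Packet("10.0.1.5", "10.0.2.10", "tcp", 22),     # bastion SSH: delivered
                Packet("203.0.113.7", "10.0.2.10", "tcp", 22),  # Internet SSH: NACL rule 200 denies
                Packet("10.0.3.9", "10.0.2.10", "tcp", 8080)):  # no rule matches at all: dropped
        print(pkt, "->", "delivered" if packet_delivered(PRIVATE_SUBNET_NACL, APP_SECURITY_GROUP, pkt) else "dropped")
```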

VPC connectivity options include the ability for the customer to:

  • Connect to the Internet using network address translation (NAT) for private subnets — Private subnets can be used for instances that should not have direct access to or from the Internet. Instances in a private subnet can access the Internet without exposing their private IP address by routing their traffic through a NAT gateway in a public subnet.

  • Connect securely to the corporate data center — All traffic to and from instances in a VPC can be routed to the customer’s corporate data center over an industry standard, encrypted IPsec hardware VPN connection.

  • Connect privately to other VPCs — Peer VPCs together to share resources across multiple virtual networks across multiple AWS accounts.

  • Privately connect internal services across different accounts and VPCs within an AWS Organization, significantly simplifying internal network architecture.

  • Use AWS Transit Gateway as a single, unified central gateway where connections can be created to many VPCs and on-premises systems while being able to manage authentication and access to the services with AWS IAM.

  • Use VPC features like AWS PrivateLink to create private connections to resources outside of the customer’s VPC. These private connections do not traverse the public Internet and can provide secure connectivity between VPCs, AWS services, and on-premises applications.

Additionally, all traffic within a VPC, and traffic over inter-region VPC peering, is transparently encrypted when supported instance types are used. From an infrastructure standpoint, AWS uses physical network encryption to protect network traffic on any link outside of AWS physical control, such as links between data centers.