PolarSPARC |
AWS Virtual Private Cloud (VPC) - Quick Notes
Bhaskar S | 12/21/2023 |
AWS Virtual Private Cloud
AWS Virtual Private Cloud, also referred to as VPC, is a logically isolated, scalable virtual private network within an AWS Region, similar to a traditional network in a customer's data center, in which the customer can deploy resources.
The following is the summary of the various features/capabilities of VPC:
Has a Region scope
Can span all Availability Zones in a Region
MUST have an associated IPv4 Classless Inter-Domain Routing CIDR block
Can have additional IPv4 CIDR block(s) and IPv6 CIDR block(s)
Has a default quota of 5 IPv4 CIDR blocks per VPC (adjustable through Service Quotas)
Allowed IPv4 CIDR block netmask size is between /16 (65,536 addresses) and /28 (16 addresses); a new CIDR block must NOT overlap with any CIDR block already assigned to the VPC (or to a VPC it is peered with)
CANNOT change the CIDR block size of an existing and assigned CIDR block
AWS recommends the private IPv4 ranges specified in RFC 1918: 10.0.0.0/8 (10.0.0.0 - 10.255.255.255), 172.16.0.0/12 (172.16.0.0 - 172.31.255.255) and 192.168.0.0/16 (192.168.0.0 - 192.168.255.255); publicly routable ranges are permitted but not recommended, and a few ranges such as link-local 169.254.0.0/16 cannot be used at all
Can have one or more private/public Subnets, whose IP addresses must be from the associated CIDR block(s)
A Subnet is a logical container that holds the resources (such as EC2 Instances)
A Subnet helps isolate resources from each other
A Subnet must reside entirely within one Availability Zone and cannot span to two or more Availability Zones
One Availability Zone is made up of multiple data centers so the Subnet can span data centers within an Availability Zone
AWS reserves 5 IP addresses in every Subnet that CANNOT be assigned to resources - the first four and the last one (the first is the Network Address, the second the VPC Router, the third the DNS Server, the fourth is reserved for future use and the last is the Network Broadcast address); a /24 Subnet therefore has 251 usable addresses and a /28 only 11
Every VPC has an implicit Router that handles all the routing within and outside the VPC; its behavior is configured through Route Tables, and every VPC comes with a MAIN Route Table
A Subnet uses the MAIN Route Table unless it is explicitly associated with a custom Route Table
A Subnet MUST be associated with only one Route Table
A Route Table can have multiple Subnets associated with it
All AWS Accounts have a default VPC created in every Region, with a public Subnet in each Availability Zone
The default VPC is assigned the IPv4 CIDR block 172.31.0.0/16 (172.31.0.0 - 172.31.255.255), carved into one /20 default Subnet per Availability Zone
The default Subnets have IPv4 Internet connectivity ENABLED: an Internet Gateway is attached, the MAIN Route Table has a 0.0.0.0/0 route to it, and instances launched there receive a public IPv4 address by default, so treat the default VPC as public by construction
Subnets in the same VPC, even in different Availability Zones, can already reach each other through the implicit local route that every Route Table carries for the VPC's CIDR block(s); no Route Table change is needed, and only NACLs and Security Groups restrict that traffic
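The CIDR rules above (prefix length /16 to /28, RFC 1918 recommended, no overlap, five reserved addresses per Subnet) are easy to get wrong when planning address space by hand. The following is an added example, not code from the original notes, that checks a proposed VPC CIDR and Subnet against those rules with Python's standard `ipaddress` module and computes the reserved addresses. The restricted-range list and all sample CIDRs are assumptions for illustration; check the current VPC documentation before relying on them.

```python
import ipaddress

# RFC 1918 private ranges, the ones AWS recommends for a VPC CIDR block.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Ranges AWS does not allow as a VPC CIDR (link-local, loopback, multicast). Assumed list;
# verify against the current documentation.
RESTRICTED = [ipaddress.ip_network(n) for n in ("169.254.0.0/16", "127.0.0.0/8", "224.0.0.0/4")]


def validate_vpc_cidr(cidr, existing=()):
    """Check a proposed VPC IPv4 CIDR. Returns a list of problems; [] means acceptable."""
    try:
        net = ipaddress.ip_network(cidr)          # strict: host bits must be zero
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    if net.version != 4:
        return ["not an IPv4 block"]
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"prefix /{net.prefixlen} is outside the allowed /16-/28 range")
    if any(net.overlaps(r) for r in RESTRICTED):
        problems.append("overlaps a range AWS does not allow")
    elif not any(net.subnet_of(r) for r in RFC1918):
        problems.append("not an RFC 1918 private range (permitted, but not recommended)")
    for other in existing:                         # CIDRs already on this VPC or on peered VPCs
        other_net = ipaddress.ip_network(other)
        if net.overlaps(other_net):
            problems.append(f"overlaps already assigned CIDR {other_net}")
    return problems


def validate_subnet(subnet_cidr, vpc_cidrs, existing_subnets=()):
    """A Subnet must sit inside one VPC CIDR block, not overlap other Subnets, and be /16 to /28."""
    net = ipaddress.ip_network(subnet_cidr)
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"prefix /{net.prefixlen} is outside the allowed /16-/28 range")
    if not any(net.subnet_of(ipaddress.ip_network(v)) for v in vpc_cidrs):
        problems.append("not inside any CIDR block of the VPC")
    for other in existing_subnets:
        if net.overlaps(ipaddress.ip_network(other)):
            problems.append(f"overlaps existing Subnet {other}")
    return problems


def reserved_addresses(subnet_cidr):
    """The five addresses AWS takes out of every IPv4 Subnet, and the usable remainder."""
    net = ipaddress.ip_network(subnet_cidr)
    return {
        "network": str(net[0]),
        "vpc_router": str(net[1]),
        "dns": str(net[2]),
        "future_use": str(net[3]),
        "broadcast": str(net[-1]),
        "usable": net.num_addresses - 5,
    }


def plan_subnets(vpc_cidr, new_prefix):
    """Carve a VPC CIDR into equal-sized Subnets, e.g. one per Availability Zone."""
    return [str(s) for s in ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    print(validate_vpc_cidr("10.0.0.0/16"))
    print(validate_vpc_cidr("10.0.128.0/17", existing=["10.0.0.0/16"]))
    print(reserved_addresses("10.0.1.0/24"))
    print(plan_subnets("172.31.0.0/16", 20)[:3])   # how the default VPC is split per AZ
```

Run it before creating a VPC or Subnet: an empty list from the validators means the request will be accepted, and the reserved-address map tells you which addresses never to hard-code in Security Group rules or application configuration.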
Internet Gateway (IGW)
An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between a VPC and the Internet.
The following is the summary of the various features/capabilities of IGW:
Must be created separately and attached to a VPC
Only one VPC can be attached to it
Is a VPC resource with no management IP address
Supports both IPv4 and IPv6
Allows resources in the public Subnet(s) (such as EC2 instances) to connect to the Internet if the resource has a public IPv4 address or an IPv6 address
Allows hosts on the Internet to initiate connections to resources in a VPC Subnet that have a public IPv4 address (the IGW performs 1:1 NAT between the public and the private IPv4 address of the instance) or an IPv6 address; Security Groups and NACLs still decide whether the connection is accepted
The Route Table of the Subnet must be edited with a route for 0.0.0.0/0 (and ::/0 for IPv6) whose target is the IGW - that route is what makes a Subnet a "public" Subnet
NAT Instance
The following are some of the features/capabilities of a NAT Instance:
Allows EC2 Instances in private Subnet to connect to the resources on the Internet or other AWS services, but PREVENTs resources from the Internet to initiate connection
Is a normal EC2 Instance launched from a preconfigured Linux-based NAT AMI (the Amazon Linux NAT AMIs are deprecated, so a NAT Gateway is the recommended choice for new deployments)
Must be created and launched from the public Subnet of the VPC
One must DISABLE the Source/Destination Check in the EC2 Instance for NAT to work
It must have a public IPv4 address, preferably a fixed Elastic IP, so the translated source address does not change when the instance is stopped and started
The Route Table must be configured to route traffic from private Subnet to NAT Instance
Is customer managed and does NOT automatically scale to accommodate the increased bandwidth requirements
NAT Gateway
The following are some of the features/capabilities of a NAT Gateway:
Is an AWS managed NAT service
Is a higher bandwidth, highly available and scalable service
Associated with a particular Availability Zone only
A public NAT Gateway MUST have an Elastic IP address assigned (a private NAT Gateway, used for traffic to other VPCs or on-prem networks, gets only a private IP address)
Must be created and launched from the public Subnet of the VPC for Internet access
Bandwidth of 5 Gbps with auto scaling to up to 45 Gbps
Is backed by an ENI in its Subnet but does NOT support Security Groups; control its traffic with the NACL of the NAT Gateway's Subnet and with the Security Groups of the instances behind it
Is resilient only within a single Availability Zone. For higher resiliency, create a NAT Gateway in each Availability Zone
Egress Only Internet Gateway
The following are some of the features/capabilities of an Egress Only Internet Gateway:
Is similar to the NAT Gateway but for IPv6
Allows EC2 Instances in a IPv6 enabled VPC to make outbound connections over IPv6 while preventing the Internet to make IPv6 inbound connections
The Route Table of the private Subnet must have a ::/0 route whose target is the Egress Only Internet Gateway
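The Internet Gateway, NAT Gateway and Egress Only Internet Gateway sections all come down to which default route a Subnet's Route Table carries, resolved by longest-prefix match alongside the implicit local route. The following is an added example, not code from the original notes, that models a VPC Route Table and shows how the same destination resolves differently in a public, a private and an isolated Subnet. The VPC CIDRs, gateway IDs and destination addresses are constructed placeholders.

```python
import ipaddress


class RouteTable:
    """A VPC Route Table: (destination, target) routes resolved by longest-prefix match.

    Entry order does not matter (unlike NACL rules). The 'local' routes for the VPC's own
    CIDR blocks are added automatically, as AWS does, and cannot be removed.
    """

    def __init__(self, vpc_cidrs, routes=()):
        self.routes = [(ipaddress.ip_network(c), "local") for c in vpc_cidrs]
        for dest, target in routes:
            self.add(dest, target)

    def add(self, dest, target):
        self.routes.append((ipaddress.ip_network(dest), target))

    def lookup(self, dst_ip):
        """Target for a destination address, or None when no route matches (traffic is dropped)."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, target in self.routes:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, target)          # more specific prefix wins
        return best[1] if best else None


# Constructed dual-stack VPC; the gateway IDs are placeholders, not real resources.
VPC_CIDRS = ["10.0.0.0/16", "2406:da1c:f7b:ae00::/56"]
IGW, NAT, EIGW = "igw-example", "nat-example", "eigw-example"


def public_subnet_table():
    """Default routes to the IGW for both address families: what makes a Subnet 'public'."""
    return RouteTable(VPC_CIDRS, [("0.0.0.0/0", IGW), ("::/0", IGW)])


def private_subnet_table():
    """IPv4 egress via NAT Gateway, IPv6 egress via Egress Only IGW; nothing can be initiated inbound."""
    return RouteTable(VPC_CIDRS, [("0.0.0.0/0", NAT), ("::/0", EIGW)])


def isolated_subnet_table():
    """Only the implicit local routes: instances talk within the VPC but never to the Internet."""
    return RouteTable(VPC_CIDRS)


if __name__ == "__main__":
    tables = [("public", public_subnet_table()), ("private", private_subnet_table()),
              ("isolated", isolated_subnet_table())]
    for name, table in tables:
        for dst in ("10.0.2.50", "198.51.100.7", "2406:da1c:f7b:ae11::10", "2001:db8::1"):
            print(f"{name:8} {dst:24} -> {table.lookup(dst)}")
```

Note that 10.0.2.50, an address in another Subnet of the same VPC, resolves to `local` in every table regardless of Availability Zone, while the Internet destinations only get a target when a default route exists; an `isolated` table returns `None`, which is the behavior of a Subnet whose Route Table was never given a default route.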
Network Access Control List (NACL)
The following are some of the features/capabilities of NACL:
Works at the Subnet level and acts like a firewall to control both the incoming and the outgoing traffic to and from the Subnet
It is STATELESS, meaning if an incoming request is accepted, the outgoing response is NOT automatically allowed and vice versa; in practice the return traffic needs an explicit rule covering the ephemeral port range (for example TCP 1024-65535). A Security Group on the other hand is STATEFUL: if an incoming request is allowed, the outgoing response is automatically allowed and vice versa
One Subnet can only be associated with one NACL at a time (a NACL can cover many Subnets); a Subnet without an explicit association uses the Default NACL
The Default NACL accepts every inbound/outbound request for the Subnet it is associated with
Unlike the Security Group, the NACL has both ALLOW and DENY rules
NACL rules have a number from 1 to 32766; higher precedence with lower numbers
The first NACL rule that matches will drive the decision
The last rule is an asterisk (*) and denies a request in case of no rule match
A newly created custom NACL denies everything in both directions until rules are added
Are great for blocking a specific IP address at a Subnet level
Automatically applies to all the EC2 Instances in the Subnet
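The stateless evaluation, the numbered first-match ordering and the implicit deny of a NACL interact in ways that are easy to misjudge from the bullets alone. The following is an added example, not code from the original notes, that evaluates constructed NACL rule sets the way AWS does and checks a full client-initiated TCP session: the request inbound and the reply outbound. The three rule sets (a mirrored-port mistake, a hardened version, and a mis-ordered DENY) and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # 1..32766; evaluated in ascending order, first match wins
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int     # ignored for "all" and "icmp"
    port_to: int
    cidr: str          # source CIDR (inbound) or destination CIDR (outbound)
    action: str        # "allow" or "deny"


EPHEMERAL = (1024, 65535)   # client-side port range a stateless ACL must cover for replies


class NetworkACL:
    """Stateless Subnet-level filter: each direction is evaluated independently."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, protocol, port, peer_ip):
        peer = ipaddress.ip_address(peer_ip)
        for rule in rules:                          # lowest number first
            if rule.protocol not in ("all", protocol):
                continue
            if rule.protocol in ("tcp", "udp") and not rule.port_from <= port <= rule.port_to:
                continue
            if peer not in ipaddress.ip_network(rule.cidr):
                continue
            return rule.action == "allow"           # first matching rule decides
        return False                                # the implicit '*' rule: deny

    def allows_inbound(self, protocol, dst_port, src_ip):
        return self._evaluate(self.inbound, protocol, dst_port, src_ip)

    def allows_outbound(self, protocol, dst_port, dst_ip):
        return self._evaluate(self.outbound, protocol, dst_port, dst_ip)


def tcp_session_allowed(acl, client_ip, client_port, server_port):
    """A client-initiated TCP session needs the request inbound AND the reply outbound."""
    return (acl.allows_inbound("tcp", server_port, client_ip)
            and acl.allows_outbound("tcp", client_port, client_ip))


ANY4 = "0.0.0.0/0"

# Mistake: outbound mirrors inbound (port 443), so replies to the client's ephemeral port are denied.
MIRRORED = NetworkACL(
    inbound=[Rule(100, "tcp", 443, 443, ANY4, "allow")],
    outbound=[Rule(100, "tcp", 443, 443, ANY4, "allow")],
)

# Correct: replies go to the ephemeral range, and a low-numbered DENY blocks one abusive /24 first.
HARDENED = NetworkACL(
    inbound=[Rule(50, "tcp", 443, 443, "203.0.113.0/24", "deny"),
             Rule(100, "tcp", 443, 443, ANY4, "allow")],
    outbound=[Rule(100, "tcp", EPHEMERAL[0], EPHEMERAL[1], ANY4, "allow")],
)

# Ordering pitfall: a DENY numbered after the ALLOW never fires, because the first match wins.
MISORDERED = NetworkACL(
    inbound=[Rule(100, "tcp", 443, 443, ANY4, "allow"),
             Rule(200, "tcp", 443, 443, "203.0.113.0/24", "deny")],
    outbound=[Rule(100, "tcp", EPHEMERAL[0], EPHEMERAL[1], ANY4, "allow")],
)

if __name__ == "__main__":
    print("mirrored  :", tcp_session_allowed(MIRRORED, "198.51.100.7", 51234, 443))    # False
    print("hardened  :", tcp_session_allowed(HARDENED, "198.51.100.7", 51234, 443))    # True
    print("blocked   :", tcp_session_allowed(HARDENED, "203.0.113.9", 51234, 443))     # False
    print("misordered:", tcp_session_allowed(MISORDERED, "203.0.113.9", 51234, 443))   # True
```

The mirrored rule set is the classic outage: HTTPS requests arrive, but every reply is dropped by the implicit deny because nothing allows outbound traffic to the client's ephemeral port. The mis-ordered set is the classic false sense of security: the block-list DENY exists but is never consulted, which is why a DENY for a specific IP or range must carry a lower number than the broad ALLOW it is meant to override.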
VPC Peering
A VPC Peering connection is a networking connection between two VPCs that enables one to route traffic between them privately. A VPC peering connection is a point-to-point connection between two and only two VPCs.
The following are some of the features/capabilities of a VPC Peering:
Support both IPv4 and IPv6
Can connect two VPCs in the same AWS Account or different AWS Accounts
Can connect two VPCs in different Regions
Makes the VPCs behave as though they are in the same network
The two VPCs MUST have non-overlapping CIDR blocks (a peering request between overlapping VPCs is rejected)
The Peering connection between two VPC is not transitive, meaning if VPC A is Peered with VPC B and VPC B is Peered with VPC C, then VPC A and VPC C are not connected - a Peering connection must be established for each VPC pair
For the EC2 Instances in the two VPCs to communicate, the Route Tables of the relevant Subnets in each VPC must get a route for the peer VPC's CIDR with the Peering connection as target, and the Security Groups must allow the traffic
Cannot use VPC Peering connection to share the Internet Gateways or NAT Services
AWS PrivateLink (VPC Endpoint)
A VPC Endpoint allows a VPC to communicate with AWS services that are publicly accessible, such as S3, Lambda or DynamoDB, over the AWS private network and NOT through the public Internet. Strictly, AWS PrivateLink is the technology behind Interface Endpoints; Gateway Endpoints are a separate, route-based mechanism.
The following are some of the features/capabilities of a VPC Endpoint:
Is a highly available, scalable technology
Eliminates the need for Internet Gateway, NAT Gateway, etc to access the other AWS public services using the private network
The following are the two types of VPC Endpoints:
Interface Endpoint
Provisions an ENI with a private IP address as an entry point
Uses DNS entries to redirect traffic
MUST have an attached Security Group
Provides support for most AWS services
Cost per hour of usage and per GB of data processed
This is the ONLY option if access required from customer on-prem systems
Gateway Endpoint
Provisions a Gateway and MUST be used as a target in the Route Table
Uses Prefix Lists in the Route Table to redirect traffic
Does NOT use a Security Group; access is restricted with a VPC Endpoint Policy (Interface Endpoints support Endpoint Policies too) and, on the service side, with a resource policy condition such as aws:SourceVpce on the S3 bucket
Only supports services S3 and DynamoDB
There is NO associated cost - it is free
VPC Sharing
VPC Sharing allows multiple AWS accounts to create their application resources, such as EC2 instances, RDS databases, Redshift clusters, and Lambda functions, in shared, centrally-managed VPCs.
The following are some of the features/capabilities of a VPC Sharing:
Account that owns the VPC (owner) shares one or more subnets with other Accounts (participants) that belong to the same Organization
Participants can view, create, modify, and delete the resources they OWN in the subnets shared with them
Participants CANNOT view, modify, or delete resources that belong to other participants or the VPC owner
By sharing VPCs one can leverage the implicit routing within a VPC for resources that require a high degree of interconnectivity and are within the same trust boundaries
Sharing VPCs reduces the number of VPCs one needs to create and manage, while using separate accounts for billing and access control
Site-to-Site VPN
The following are some of the features/capabilities of Site-to-Site VPN:
Uses an IPsec VPN connection between a customer's VPC and their remote network
Needs a Virtual Private Gateway (or a Transit Gateway) on the AWS side connecting to a Customer Gateway in the on-prem data center
The tunnels are IPsec: IKE authenticates the peers with a pre-shared key or with certificates (from AWS Private CA), and traffic is encrypted between the Customer Gateway and the Virtual Private Gateway; it is NOT an SSL/TLS VPN
The Customer Gateway is a either a physical device or a software application on the customer side of the VPN connection
The Customer Gateway must be reachable on a public, Internet-routable IP address
With dynamic (BGP) routing, enable Route Propagation on the VPC Route Tables so the on-prem prefixes are learned automatically; with static routing the on-prem CIDRs must be added to the Route Tables by hand
Each VPN connection comes with TWO tunnels (to two AWS endpoints) for redundancy; each tunnel supports up to 1.25 Gbps, and without ECMP (see Transit Gateway) only one tunnel carries traffic at a time
To ping the EC2 Instances from on-prem, allow the ICMP protocol inbound in the Security Groups (and NACLs)
Direct Connect
The following are some of the features/capabilities of Direct Connect:
Is a Regional service
Is a dedicated private connection from a VPC to on-prem data center and the data in transit is NOT encrypted
For secure encrypted traffic, need to add IPSec VPN on top
Dedicated connection must be setup between on-prem data center to a AWS Direct Connect location
Need to use a Private VIF (VLAN/BGP) to connect on-prem to a VPC
To access the public AWS services, we need a Public VIF (VLAN/BGP)
Need to setup a Virtual Private Gateway on the VPC side
Allows access public resources such as S3 as well as EC2 Instances in a VPC using the same connection
Provides more consistent network performance
Is more expensive and has a lead time of about a month
Enables support of hybrid environment - on-prem + cloud
Supports both IPv4 and IPv6
For maximum resiliency, add another Direct Connection between on-prem and cloud
Another option for maximum resiliency is to add a backup Site-to-Site VPN connection between on-prem and cloud
Dedicated Connection bandwidth - 1 Gbps, 10 Gbps, 100 Gbps
Hosted Connection bandwidth - from 50 Mbps up to 10 Gbps (50, 100, 200, 300, 400, 500 Mbps and 1, 2, 5, 10 Gbps)
Transit Gateway
The following are some of the features/capabilities of Transit Gateway:
Is a Regional service and can work cross Region
Allows for simpler way to connect multiple VPCs to either Site-to-Site VPN or Direct Connect for on-prem integration
Can peer Transit Gateways across Regions
To restrict which VPC can communicate with which, need to configure its associated Route Table
Can have a blackhole route to drop traffic
Is the ONLY VPC connectivity option that supports IP Multicast
Can be used to increase the bandwidth of the Site-to-Site VPN using Equal-Cost Multi-Path Routing (ECMP)
Allows for creation of multiple VPN connections with on-prem
Each Site-to-Site VPN connection still has two tunnels of up to 1.25 Gbps each; with ECMP enabled on the Transit Gateway both tunnels carry traffic simultaneously (about 2.5 Gbps per connection), and additional VPN connections can be added to scale further
Cost per attachment per hour plus per GB of data processed
IPv6 for VPC
The following are some of the features/capabilities of IPv6 for VPC:
The IPv6 addresses AWS assigns are Global Unicast Addresses (publicly routable) and there is no NAT for IPv6, so reachability from the Internet is controlled only by the Route Table (Internet Gateway vs Egress Only Internet Gateway), NACLs and Security Groups
Has the format xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx (eight 16-bit hexadecimal groups in the range 0000 to ffff separated by colons; a run of zero groups can be abbreviated with ::)
IPv6 can be enabled in a VPC to operate in a dual-stack mode
EC2 Instances will get at least a private IPv4 and a public IPv6 address
Allows connectivity to Internet via Internet Gateway for both IPv4 and IPv6
AWS assigns the VPC an IPv6 CIDR block of size /56 from its pool, for example 2406:da1c:f7b:ae00::/56
Each Subnet gets a /64 out of that block, for example 2406:da1c:f7b:ae10::/64 or 2406:da1c:f7b:ae11::/64 (a /56 holds 256 such /64 Subnets)
VPC Flow Logs
The following are some of the features/capabilities of VPC Flow Logs:
Captures metadata (not payload) about IP traffic going in and out of network interfaces: source/destination address and port, protocol, packet and byte counts, and whether the traffic was ACCEPTed or REJECTed by Security Groups/NACLs
Can be enabled at the VPC level, Subnet level, or ENI level
Helps one monitor and/or troubleshoot connectivity issues with VPCs
Helps one troubleshoot connectivity issues with NACLs and/or Security Groups
Can be sent to S3, CloudWatch Logs, or Kinesis Data Firehose
Allows one to query Flow Logs using AWS Athena on S3 or CloudWatch Logs Insights
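Before reaching for Athena or Logs Insights it helps to know what a flow log record actually contains. The following is an added example, not code from the original notes, that parses records in the default (version 2) flow log format, counts REJECTed flows per source and flags sources that probe many distinct ports on one ENI, which is the typical first query when investigating a Security Group or NACL rejection. The sample records, account ID and addresses are constructed, not real traffic.

```python
from collections import defaultdict

# Field order of the default (version 2) flow log format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# Constructed sample records (not real traffic): one host probing several ports is REJECTed,
# a legitimate client completes an HTTPS exchange, and a NODATA record must be skipped.
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.25 51234 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.25 51235 23 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.25 51236 3389 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.25 51237 445 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.25 40000 443 6 12 6400 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 198.51.100.9 443 40000 6 10 9000 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.25 40001 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000059 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records into dicts; NODATA/SKIPDATA records carry no traffic fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                                   # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                                   # nothing to analyze in this interval
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejects_by_source(records):
    """Count REJECTed flows per source address (what Security Groups/NACLs turned away)."""
    counts = defaultdict(int)
    for rec in records:
        if rec["action"] == "REJECT":
            counts[rec["srcaddr"]] += 1
    return dict(counts)


def port_scan_suspects(records, min_ports=3):
    """Sources whose REJECTed flows hit at least `min_ports` distinct destination ports on one ENI."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[(rec["srcaddr"], rec["interface_id"])].add(rec["dstport"])
    return sorted({src for (src, _eni), seen in ports.items() if len(seen) >= min_ports})


def bytes_accepted_to(records, dst_ip):
    """Total bytes in ACCEPTed flows toward one address (a quick volume/exfiltration check)."""
    return sum(r["bytes"] for r in records if r["action"] == "ACCEPT" and r["dstaddr"] == dst_ip)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE)
    print(len(recs), "records")
    print("rejects by source:", rejects_by_source(recs))
    print("port scan suspects:", port_scan_suspects(recs))
    print("bytes sent to 198.51.100.9:", bytes_accepted_to(recs, "198.51.100.9"))
```

The protocol field is the IANA number (6 is TCP), and a REJECT only says that a Security Group or NACL dropped the flow, not which one; a single REJECT from a known client (the 198.51.100.9 probe of port 22 above) is usually a misconfiguration to fix, while many distinct rejected ports from one source is reconnaissance worth blocking with a low-numbered NACL DENY.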