Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
You can easily customize the network configuration for your Amazon VPC. For example, you can create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.
Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.1
Table of contents
- Amazon Virtual Private Cloud Getting Started Guide - Provides a hands-on introduction to Amazon VPC.
- Amazon Virtual Private Cloud User Guide - Provides detailed information about how to use Amazon VPC.
- Amazon Virtual Private Cloud Network Administrator Guide - Helps network administrators configure your customer gateway.
- What is Amazon VPC? Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon Web Services (AWS) resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
- Benefits of Using a VPC
- 25 Best Practice Tips for architecting your Amazon VPC
- VPC Best Configuration Practices
- Amazon AWS Best practices - Enterprise Perspective
By launching your instances into a VPC instead of EC2-Classic, you gain the ability to:2
- Assign static private IPv4 addresses to your instances that persist across starts and stops
- Optionally associate an IPv6 CIDR block to your VPC and assign IPv6 addresses to your instances
- Assign multiple IP addresses to your instances
- Define network interfaces, and attach one or more network interfaces to your instances
- Change security group membership for your instances while they're running
- Control the outbound traffic from your instances (egress filtering) in addition to controlling the inbound traffic to them (ingress filtering)
- Add an additional layer of access control to your instances in the form of network access control lists (ACL)
- Run your instances on single-tenant hardware
Scenarios for Amazon VPC3
- http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario1.html Scenario 1: VPC with a Public Subnet Only - Run a single-tier, public-facing web application such as a blog or simple web site.
- http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html Scenario 2: VPC with Public and Private Subnets -Run a public-facing web application, while still maintaining non-publicly accessible back-end servers in a second subnet.
- http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario3.html Scenario 3: VPC with Public and Private Subnets and Hardware VPN Access - Extend your data center into the cloud, and also directly access the Internet from your VPC.
- http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario4.html Scenario 4: VPC with a Private Subnet Only and Hardware VPN Access - Extend your data center into the cloud, and leverage Amazon's infrastructure without exposing your network to the Internet.
You can use a NAT device to enable instances in a private subnet to connect to the internet (for example, for software updates) or other AWS services, but prevent the internet from initiating connections with the instances. A NAT device forwards traffic from the instances in the private subnet to the internet or other AWS services, and then sends the response back to the instances. When traffic goes to the internet, the source IPv4 address is replaced with the NAT device’s address and similarly, when the response traffic goes to those instances, the NAT device translates the address back to those instances’ private IPv4 addresses.4
AWS offers two kinds of NAT devices—a NAT gateway or a NAT instance. We recommend NAT gateways, as they provide better availability and bandwidth over NAT instances. The NAT Gateway service is also a managed service that does not require your administration efforts. A NAT instance is launched from a NAT AMI. You can choose to use a NAT instance for special purposes.5
You can optionally connect your VPC to your own corporate data center using an IPsec AWS Site-to-Site VPN connection, making the AWS Cloud an extension of your data center.6
A Site-to-Site VPN connection consists of a virtual private gateway attached to your VPC and a customer gateway located in your data center. A virtual private gateway is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. A customer gateway is a physical device or software appliance on your side of the Site-to-Site VPN connection.7