Amazon Virtual Private Cloud (VPC) is a foundational AWS service that enables you to launch AWS resources in a logically isolated virtual network that you define. Understanding VPC fundamentals is essential for the SysOps Administrator certification.
**Core Components:**
**Subnets** divide your VPC's IP address range into smaller segments. Public subnets have routes to an Internet Gateway, while private subnets typically route through NAT Gateways for outbound internet access.
**Internet Gateway (IGW)** provides a target for internet-routable traffic, enabling communication between VPC resources and the internet.
**Route Tables** contain rules (routes) that determine where network traffic is directed. Every subnet is associated with exactly one route table; a subnet you do not explicitly associate uses the VPC's main route table. When more than one route matches a destination, the most specific route (longest prefix) wins.
**Network Access Control Lists (NACLs)** act as stateless firewalls at the subnet level, evaluating inbound and outbound traffic separately, so reply traffic must be explicitly allowed in the opposite direction (in practice, an outbound rule for the ephemeral port range 1024-65535). Rules are evaluated in ascending numerical order; the first matching rule decides, and the catch-all rule (shown as *) denies anything unmatched. NACLs support both allow and deny rules.
**Security Groups** function as stateful firewalls at the instance (network interface) level. When you allow inbound traffic, the response is automatically permitted regardless of outbound rules. Security groups contain allow rules only: anything not explicitly allowed is dropped, and there is no way to write an explicit deny.
**NAT Gateway/Instance** allows private subnet resources to access the internet while preventing inbound connections from the internet.
**VPC Peering** enables routing between two VPCs using private IP addresses, as if they were part of the same network.
**VPC Endpoints** provide private connectivity to AWS services, keeping traffic within the AWS network. Gateway endpoints support S3 and DynamoDB, while Interface endpoints use Elastic Network Interfaces.
**Key Considerations:**
- The primary CIDR block cannot be changed after VPC creation, though you can add (and later remove) secondary CIDR blocks
- Default VPC includes default subnets, internet gateway, and route table
- VPC spans all Availability Zones in a region
- Subnets exist within a single Availability Zone
**Best Practices:**
Plan IP addressing carefully, implement defense-in-depth using both NACLs and Security Groups, and use VPC Flow Logs for monitoring network traffic patterns and troubleshooting connectivity issues.
Amazon Virtual Private Cloud (VPC) is the foundational networking service in AWS. It enables you to launch AWS resources in a logically isolated virtual network that you define. Understanding VPC is essential because nearly every AWS resource you deploy will reside within a VPC. For the SysOps Administrator exam, VPC knowledge is critical as it underpins security, connectivity, and architecture decisions.
What is Amazon VPC?
Amazon VPC allows you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including:
• Selection of your own IP address range
• Creation of subnets
• Configuration of route tables and network gateways
• Security settings through security groups and network ACLs
Key VPC Components
Subnets: Segments of a VPC's IP address range where you place resources. A subnet is public if its route table has a route to an Internet Gateway and private if it does not; private subnets have no inbound path from the internet and get outbound access, if any, through a NAT Gateway.
Internet Gateway (IGW): Allows communication between instances in your VPC and the internet. It is horizontally scaled, redundant, and highly available.
NAT Gateway: Enables instances in private subnets to connect to the internet while preventing inbound connections from the internet.
Route Tables: Contain rules (routes) that determine where network traffic is directed. Every subnet is associated with exactly one route table (the VPC's main route table unless you associate another), and the most specific matching route wins.
Security Groups: Virtual firewalls that control inbound and outbound traffic at the instance level. They are stateful: return traffic for an allowed connection is permitted regardless of the rules in the opposite direction. They contain only allow rules; there is no explicit deny.
Network Access Control Lists (NACLs): Optional layer of security that acts as a firewall at the subnet level. They are stateless: return traffic must be explicitly allowed, typically with a rule covering the ephemeral port range 1024-65535. Rules are evaluated in ascending number order, the first match decides, and the catch-all rule (*) denies anything unmatched. NACLs support both allow and deny rules.
How VPC Works
When you create a VPC, you specify a CIDR block (e.g., 10.0.0.0/16). This defines the IP address range for your VPC. You then create subnets within this range, typically dividing them into public and private subnets across multiple Availability Zones for high availability.
Traffic Flow Example:
1. An instance in a public subnet receives traffic from the internet through the Internet Gateway
2. The subnet's route table determines where traffic is directed; for a public subnet, a 0.0.0.0/0 route to the Internet Gateway is what carries the reply back to the internet
3. NACLs filter traffic at the subnet boundary, in both directions and without connection state
4. Security groups filter traffic at the instance level, admitting the reply to any connection they allowed in
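The four steps above can be exercised end to end in a short simulation. The following Python is an added example written for this page, not AWS code or code from the original article: it models a route table with longest-prefix lookup, a NACL whose rules are evaluated in ascending number order with an implicit final deny, and a stateful, allow-only security group. The route target igw-EXAMPLE, the addresses, the rule sets and the SSH session are all constructed. It shows the classic stateless NACL failure: the inbound SSH request is accepted by both layers and the security group statefully admits the reply, but an outbound NACL with no rule for the client's ephemeral port drops that reply until such a rule is added. It also shows a low-numbered deny rule overriding a later allow, which is why blocking a specific source address is a NACL job.

```python
"""Simulate the filtering path a packet takes inside a VPC: longest-prefix route lookup,
stateless NACL evaluation in rule-number order, and a stateful, allow-only security group.
Added example for this page; the route table, rules, addresses and 'igw-EXAMPLE' are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # client-side port range; replies land here and a stateless NACL must allow it

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str = "tcp"

def route_lookup(routes, dst):
    """routes is {cidr: target}. AWS uses the most specific matching route (longest prefix)."""
    addr, best = ip_address(dst), None
    for cidr, target in routes.items():
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

@dataclass(frozen=True)
class NaclRule:
    number: int   # evaluated lowest number first; the first match decides
    proto: str    # "tcp", "udp" or "all"
    cidr: str
    ports: tuple  # inclusive (low, high); ignored when proto is "all"
    action: str   # "allow" or "deny": NACLs have both

def nacl_decision(rules, remote_addr, port, proto):
    for r in sorted(rules, key=lambda r: r.number):
        if r.proto not in ("all", proto) or ip_address(remote_addr) not in ip_network(r.cidr):
            continue
        if r.proto != "all" and not (r.ports[0] <= port <= r.ports[1]):
            continue
        return r.action
    return "deny"  # the implicit catch-all rule denies whatever no numbered rule matched

def nacl_inbound(rules, pkt):
    """Inbound rules are matched on the remote source address and the local destination port."""
    return nacl_decision(rules, pkt.src, pkt.dst_port, pkt.proto)

def nacl_outbound(rules, pkt):
    """Outbound rules are matched on the remote destination address and destination port.
    For a reply that port is the client's ephemeral port, which is the rule people forget."""
    return nacl_decision(rules, pkt.dst, pkt.dst_port, pkt.proto)

@dataclass
class SecurityGroup:
    """Allow-only and stateful: a flow admitted inbound has its reply admitted automatically."""
    inbound: list  # entries are (proto, cidr, (low, high))
    tracked: set = field(default_factory=set)

    def permits_inbound(self, pkt):
        for proto, cidr, (lo, hi) in self.inbound:
            if (proto in ("all", pkt.proto) and ip_address(pkt.src) in ip_network(cidr)
                    and lo <= pkt.dst_port <= hi):
                self.tracked.add((pkt.proto, pkt.src, pkt.src_port, pkt.dst, pkt.dst_port))
                return True
        return False  # no deny rules exist; unmatched traffic is simply dropped

    def permits_outbound_reply(self, pkt):
        """A reply reverses the 5-tuple; connection tracking admits it without any outbound rule."""
        return (pkt.proto, pkt.dst, pkt.dst_port, pkt.src, pkt.src_port) in self.tracked

def demo():
    """Hypothetical SSH session from 203.0.113.10 to an instance at 10.0.1.25 in a public subnet."""
    routes = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE"}
    request = Packet("203.0.113.10", "10.0.1.25", 50432, 22)
    reply = Packet("10.0.1.25", "203.0.113.10", 22, 50432)
    nacl_in = [NaclRule(100, "tcp", "0.0.0.0/0", (22, 22), "allow")]
    nacl_out_broken = [NaclRule(100, "tcp", "0.0.0.0/0", (443, 443), "allow")]  # no ephemeral ports
    nacl_out_fixed = nacl_out_broken + [NaclRule(110, "tcp", "0.0.0.0/0", EPHEMERAL, "allow")]
    blocklist = [NaclRule(90, "all", "203.0.113.10/32", (0, 0), "deny")] + nacl_in  # 90 beats 100
    sg = SecurityGroup(inbound=[("tcp", "203.0.113.0/24", (22, 22))])
    return {
        "reply_route": route_lookup(routes, reply.dst),               # igw-EXAMPLE
        "internal_route": route_lookup(routes, "10.0.2.40"),          # local: /16 beats /0
        "nacl_request": nacl_inbound(nacl_in, request),               # allow
        "sg_request": sg.permits_inbound(request),                    # True, flow is now tracked
        "sg_reply": sg.permits_outbound_reply(reply),                 # True, stateful
        "nacl_reply_broken": nacl_outbound(nacl_out_broken, reply),   # deny: port 50432 unmatched
        "nacl_reply_fixed": nacl_outbound(nacl_out_fixed, reply),     # allow
        "nacl_request_blocklisted": nacl_inbound(blocklist, request), # deny
    }

if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check:26} {verdict}")
```

Run it directly to print each verdict. The two outbound NACL results differ only in rule 110, the ephemeral-port allow; without it the security group's stateful behaviour is irrelevant, because the NACL drops the reply at the subnet boundary before it leaves.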
VPC Peering and Connectivity
VPC Peering enables you to connect two VPCs privately using AWS's network. Peered VPCs can communicate as if they were on the same network. Important rules:
• No transitive peering - if VPC A peers with B, and B peers with C, A cannot communicate with C through B
• CIDR blocks cannot overlap
• Can peer across regions and accounts
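The CIDR arithmetic behind the sizing discussion in "How VPC Works" and the no-overlap rule above is easy to get wrong by hand. The following Python is an added example written for this page, not AWS tooling or code from the original article: it lists the five addresses AWS reserves in every subnet (the reason a /24 yields 251 usable addresses, not 256), carves a VPC block into public and private subnets across Availability Zones, and checks a set of CIDR blocks for the overlap that would make peering (or adding a secondary CIDR) impossible. The CIDR blocks and AZ names are constructed.

```python
"""Address planning for a VPC: which addresses AWS reserves in each subnet, how a VPC block is
carved into per-AZ subnets, and the no-overlap check that VPC peering requires.
Added example for this page; the CIDR blocks and AZ names below are constructed."""
from ipaddress import ip_network

def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves in every IPv4 subnet: the network address, the VPC router (+1),
    the Amazon-provided DNS resolver (+2), one address reserved for future use (+3), and the
    broadcast address. None of them can be assigned to your instances."""
    net = ip_network(subnet_cidr)
    base = net.network_address
    return {"network": str(base), "vpc_router": str(base + 1), "dns": str(base + 2),
            "future_use": str(base + 3), "broadcast": str(net.broadcast_address)}

def usable_hosts(subnet_cidr):
    """Addresses your instances can actually use: the total minus the five reserved ones."""
    return ip_network(subnet_cidr).num_addresses - 5

def carve_subnets(vpc_cidr, new_prefix, azs, tiers=("public", "private")):
    """Allocate one /new_prefix subnet per (tier, AZ) pair from the VPC block, in order.
    AWS requires IPv4 VPC and subnet blocks between /16 and /28."""
    if not 16 <= new_prefix <= 28:
        raise ValueError("subnet prefix must be between /16 and /28")
    pool = ip_network(vpc_cidr).subnets(new_prefix=new_prefix)  # generator of successive blocks
    plan = {}
    for tier in tiers:
        for az in azs:
            try:
                plan[f"{tier}-{az}"] = str(next(pool))
            except StopIteration:
                raise ValueError(f"{vpc_cidr} cannot hold {len(tiers) * len(azs)} "
                                 f"/{new_prefix} subnets") from None
    return plan

def can_peer(*vpc_cidrs):
    """Peering requires that no two blocks overlap. Pass every primary and secondary CIDR of both
    VPCs; returns (ok, reason) so the caller can report which pair collides."""
    nets = [ip_network(c) for c in vpc_cidrs]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                return False, f"{a} overlaps {b}"
    return True, "no overlap"

if __name__ == "__main__":
    print(reserved_addresses("10.0.1.0/24"), usable_hosts("10.0.1.0/24"))
    print(carve_subnets("10.0.0.0/16", 24, ["us-east-1a", "us-east-1b"]))
    print(can_peer("10.0.0.0/16", "10.1.0.0/16"))     # two VPCs that can peer
    print(can_peer("10.0.0.0/16", "10.0.128.0/17"))   # the second block sits inside the first
```

Feed can_peer every CIDR of both VPCs, including secondary blocks, before requesting a peering connection; the overlap check is the same one AWS applies when it rejects the request, but catching it in planning avoids renumbering later.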
VPC Endpoints
Gateway Endpoints: Support S3 and DynamoDB. There is no charge for them; they are configured as routes in the subnet route tables rather than as network interfaces.
Interface Endpoints: Use AWS PrivateLink and support many AWS services. They create an Elastic Network Interface (ENI) with a private IP address in your subnet, and you attach security groups to that ENI to control which resources may reach the service.
VPC Flow Logs
VPC Flow Logs capture information about IP traffic going to and from network interfaces in your VPC. They can be created at VPC, subnet, or network interface level and delivered to CloudWatch Logs, S3, or Amazon Data Firehose. Each record includes the addresses, ports, protocol, byte and packet counts, and an ACCEPT or REJECT action, but not which layer (security group or NACL) made that decision.
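Flow log records are plain space-separated text, so the monitoring and troubleshooting the page recommends can start with a few lines of code. The following Python is an added example written for this page, not an AWS tool or code from the original article: it parses records in the default format (version 2), leaves the traffic fields alone on NODATA rows where they are dashes, flags sources whose rejected connections hit several distinct ports on one interface (a crude scan indicator), and finds flows that were accepted in one direction but rejected on the reply, a pattern that usually points at a stateless NACL missing an ephemeral-port rule, since a security group would have admitted the reply statefully. The log lines, account ID and interface ID are constructed, not real captures.

```python
"""Parse VPC Flow Log records (default format, version 2) and run two checks over them:
sources REJECTed on many distinct ports, and flows ACCEPTed one way but REJECTed on the reply.
Added example for this page; SAMPLE_LOG is constructed, including the account and interface IDs."""
from collections import defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = ("version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: an SSH session whose reply is dropped, a host probing four ports, a NODATA window.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f60718 203.0.113.10 10.0.1.25 50432 22 6 6 360 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.25 203.0.113.10 22 50432 6 4 240 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.25 198.51.100.200 43210 443 6 10 5200 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 41000 23 6 1 40 1700000060 1700000120 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 41001 3389 6 1 40 1700000060 1700000120 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 41002 445 6 1 40 1700000060 1700000120 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 41003 8080 6 1 40 1700000060 1700000120 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000120 1700000180 - NODATA
"""

def parse_record(line):
    """One space-separated record -> dict. NODATA/SKIPDATA rows carry '-' in the traffic fields,
    so integers are only converted when log_status is OK."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] == "OK":
        for f in INT_FIELDS:
            rec[f] = int(rec[f])
    return rec

def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def _ok(rec, action):
    return rec["log_status"] == "OK" and rec["action"] == action

def rejected_ports_by_source(records, min_ports=3):
    """{(interface_id, srcaddr): sorted distinct destination ports} for sources whose REJECTed
    connections touched at least min_ports ports on one interface."""
    ports = defaultdict(set)
    for r in records:
        if _ok(r, "REJECT"):
            ports[(r["interface_id"], r["srcaddr"])].add(r["dstport"])
    return {k: sorted(v) for k, v in ports.items() if len(v) >= min_ports}

def half_open_flows(records):
    """Flows ACCEPTed in one direction whose reversed 5-tuple was REJECTed on the same interface.
    Returned as (srcaddr, srcport, dstaddr, dstport) of the rejected reply."""
    accepted = {(r["interface_id"], r["protocol"], r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"])
                for r in records if _ok(r, "ACCEPT")}
    found = []
    for r in records:
        if _ok(r, "REJECT"):
            reverse = (r["interface_id"], r["protocol"], r["dstaddr"], r["dstport"], r["srcaddr"], r["srcport"])
            if reverse in accepted:
                found.append((r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"]))
    return found

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("possible scans:", rejected_ports_by_source(recs))
    print("accepted request, rejected reply:", half_open_flows(recs))
```

Because a flow log only says ACCEPT or REJECT, correlating the two directions of a flow is what turns a single REJECT into a diagnosis: the rejected reply from 10.0.1.25:22 to the client's ephemeral port 50432, right after the request was accepted, is exactly what a missing outbound NACL rule looks like in the logs. If you publish flow logs with a custom format, adjust FIELDS to match the field order you chose.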
Exam Tips: Answering Questions on Amazon VPC Fundamentals
1. Understand the difference between Security Groups and NACLs:
• Security Groups are stateful and operate at instance level; they contain allow rules only
• NACLs are stateless and operate at subnet level; they contain allow and deny rules, evaluated lowest number first
• If a question mentions blocking specific IP addresses, think NACLs: a security group cannot express a deny
2. Know your gateways:
• Internet Gateway = public internet access for public subnets
• NAT Gateway = outbound internet for private subnets
• Virtual Private Gateway = the AWS side of Site-to-Site VPN connections (also used with Direct Connect)
3. CIDR notation matters:
• /16 gives you 65,536 addresses
• /24 gives you 256 addresses
• AWS reserves 5 IP addresses per subnet: the first four (network address, VPC router, Amazon DNS, reserved for future use) and the last (broadcast), so a /24 subnet has 251 usable addresses
• VPC and subnet CIDR blocks must be between /16 and /28
4. Remember VPC Peering limitations:
• No overlapping CIDR blocks
• No transitive routing
• Route tables must be updated in both VPCs
5. For troubleshooting connectivity:
• Check route tables first
• Verify security group rules
• Review NACL rules (remember both inbound AND outbound, including the ephemeral port range for return traffic)
• Confirm an Internet Gateway is attached and the instance has a public or Elastic IP for public access
6. Default VPC characteristics:
• Created by default in each region
• Has a default subnet in each AZ
• Instances get public IP addresses by default
• Has an Internet Gateway attached
7. When questions mention private connectivity to AWS services:
• Think VPC Endpoints
• Gateway endpoints for S3 and DynamoDB
• Interface endpoints for other services
8. High availability design:
• Distribute subnets across multiple AZs
• Use separate public and private subnets
• Deploy NAT Gateways in each AZ for redundancy