VPC Flashcards

1
Q

Q. What is Amazon Virtual Private Cloud (Amazon VPC)?

A

Amazon VPC lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can also create a hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.

You can easily customize the network configuration for your Amazon VPC. For example, you can create a public-facing subnet for your web servers that have access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.

2
Q

Q. What are the components of Amazon VPC?

A

A Virtual Private Cloud (VPC), Subnet, Internet Gateway, NAT Gateway, Hardware VPN Connection, Virtual Private Gateway, Customer Gateway, Router, Peering Connection, VPC Endpoint, Egress-only Internet Gateway

3
Q

Virtual Private Cloud (VPC)

A

A logically isolated virtual network in the AWS cloud. You define a VPC’s IP address space from a range you select.

4
Q

Subnet

A

A segment of a VPC’s IP address range where you can place groups of isolated resources.

5
Q

Internet Gateway

A

The Amazon VPC side of a connection to the public Internet.

6
Q

NAT Gateway

A

A highly available, managed Network Address Translation (NAT) service for your resources in a private subnet to access the Internet.

7
Q

Hardware VPN Connection

A

A hardware-based VPN connection between your Amazon VPC and your datacenter, home network, or co-location facility.

8
Q

Virtual Private Gateway

A

The Amazon VPC side of a VPN connection.

9
Q

Customer Gateway

A

Your side of a VPN connection.

10
Q

Router

A

Routers interconnect subnets and direct traffic between Internet gateways, virtual private gateways, NAT gateways, and subnets.

11
Q

Peering Connection

A

A peering connection enables you to route traffic via private IP addresses between two peered VPCs.

12
Q

VPC Endpoint

A

Enables Amazon S3 and Amazon DynamoDB access from within your VPC without using an Internet gateway or NAT, and allows you to control the access using VPC endpoint policies.

13
Q

Egress-only Internet Gateway

A

A stateful gateway that provides egress-only access for IPv6 traffic from the VPC to the Internet.

14
Q

Q. Why should I use Amazon VPC?

A

Amazon VPC enables you to build a virtual network in the AWS cloud - no VPNs, hardware, or physical datacenters required. You can define your own network space and control how your network, and the Amazon EC2 resources inside your network, are exposed to the Internet. You can also leverage the greatly enhanced security options in Amazon VPC to provide more granular access both to and from the Amazon EC2 instances in your virtual network.

15
Q

Q. How do I get started with Amazon VPC?

A

Your AWS resources are automatically provisioned in a ready-to-use default VPC. You can choose to create additional VPCs by going to the Amazon VPC page in the AWS Management Console and selecting “Start VPC Wizard”.

You’ll be presented with four basic options for network architectures. After selecting an option, you can modify the size and IP address range of the VPC and its subnets. If you select an option with Hardware VPN Access, you will need to specify the IP address of the VPN hardware on your network. You can modify the VPC to add more subnets or add or remove gateways at any time after the VPC has been created.

The four options are:

VPC with a Single Public Subnet Only
VPC with Public and Private Subnets
VPC with Public and Private Subnets and Hardware VPN Access
VPC with a Private Subnet Only and Hardware VPN Access

16
Q

Q. How will I be charged and billed for my use of Amazon VPC?

A

There are no additional charges for creating and using the VPC itself. Usage charges for other Amazon Web Services, including Amazon EC2, still apply at published rates for those resources, including data transfer charges. If you connect your VPC to your corporate datacenter using the optional hardware VPN connection, pricing is per VPN connection-hour (the amount of time you have a VPN connection in the “available” state). Partial hours are billed as full hours. Data transferred over VPN connections will be charged at standard AWS Data Transfer rates.

17
Q

Q. What defines billable VPN connection-hours?

A

VPN connection-hours are billed for any time your VPN connections are in the “available” state. You can determine the state of a VPN connection via the AWS Management Console, CLI, or API. If you no longer wish to use your VPN connection, you simply terminate the VPN connection to avoid being billed for additional VPN connection-hours.

18
Q

Q. What usage charges will I incur if I use other AWS services, such as Amazon S3, from Amazon EC2 instances in my VPC?

A

Usage charges for other Amazon Web Services, including Amazon EC2, still apply at published rates for those resources. Data transfer charges are not incurred when accessing Amazon Web Services, such as Amazon S3, via your VPC’s Internet gateway.

If you access AWS resources via your VPN connection, you will incur Internet data transfer charges.

19
Q

Q. What are the connectivity options for my VPC?

A

You may connect your VPC to:

The Internet (via an Internet gateway)
Your corporate data center using a Hardware VPN connection (via the virtual private gateway)
Both the Internet and your corporate data center (utilizing both an Internet gateway and a virtual private gateway)
Other AWS services (via Internet gateway, NAT, virtual private gateway, or VPC endpoints)
Other VPCs (via VPC peering connections)

20
Q

Q. How do I connect my VPC to the Internet?

A

Amazon VPC supports the creation of an Internet gateway. This gateway enables Amazon EC2 instances in the VPC to directly access the Internet.

21
Q

Q. Are there any bandwidth limitations for Internet gateways? Do I need to be concerned about its availability? Can it be a single point of failure?

A

No. An Internet gateway is horizontally-scaled, redundant, and highly available. It imposes no bandwidth constraints.

22
Q

Q. How do instances in a VPC access the Internet?

A

You can use public IP addresses, including Elastic IP addresses (EIPs), to give instances in the VPC the ability to both directly communicate outbound to the Internet and to receive unsolicited inbound traffic from the Internet (e.g., web servers). You can also use the solutions in the next question.

23
Q

Q. How do instances without public IP addresses access the Internet?

A

Instances without public IP addresses can access the Internet in one of two ways:

Instances without public IP addresses can route their traffic through a NAT gateway or a NAT instance to access the Internet. These instances use the public IP address of the NAT gateway or NAT instance to traverse the Internet. The NAT gateway or NAT instance allows outbound communication but doesn’t allow machines on the Internet to initiate a connection to the privately addressed instances.

For VPCs with a hardware VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter. From there, it can access the Internet via your existing egress points and network security/monitoring devices.

24
Q

Q. Can I connect to my VPC using a software VPN?

A

Yes. You may use a third-party software VPN to create a site-to-site or remote-access VPN connection with your VPC via the Internet gateway.

25
Q

Q. How does a hardware VPN connection work with Amazon VPC?

A

A hardware VPN connection connects your VPC to your datacenter. Amazon supports Internet Protocol security (IPsec) VPN connections. Data transferred between your VPC and datacenter routes over an encrypted VPN connection to help maintain the confidentiality and integrity of data in transit. An Internet gateway is not required to establish a hardware VPN connection.

26
Q

Q. What is IPsec?

A

IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream.

27
Q

Q. Which customer gateway devices can I use to connect to Amazon VPC?

A

There are two types of VPN connections that you can create: statically-routed VPN connections and dynamically-routed VPN connections. Customer gateway devices supporting statically-routed VPN connections must be able to:

Establish IKE Security Association using Pre-Shared Keys
Establish IPsec Security Associations in Tunnel mode
Utilize the AES 128-bit or 256-bit encryption function
Utilize the SHA-1 or SHA-2 (256) hashing function
Utilize Diffie-Hellman (DH) Perfect Forward Secrecy in “Group 2” mode, or one of the additional DH groups we support
Perform packet fragmentation prior to encryption

In addition to the above capabilities, devices supporting dynamically-routed VPN connections must be able to:

Establish Border Gateway Protocol (BGP) peerings
Bind tunnels to logical interfaces (route-based VPN)
Utilize IPsec Dead Peer Detection