When you are creating resources in AWS, such as an EC2 instance, you may notice that resources must be placed within a VPC. A VPC, or Virtual Private Cloud, is a logically isolated network for you and your resources. What’s amazing about a VPC is that it’s fully customizable! You can define your own security groups, route tables, IP address range, and much more. This helps you create your own web applications in a secure, isolated network where you control access to all resources.
Each VPC occupies one Region, but can span multiple Availability Zones. If you have multiple VPCs in different Regions, they can be connected using services like VPC Peering or AWS PrivateLink.
Creating your own VPC
When creating your own custom VPC, there are a few steps to consider. After logging into your AWS account, navigate to the VPC console page. From here, you’ll be instructed to configure the VPC. The page shows a preview of the VPC setup, including any subnets, route tables, and even network configurations. It also shows the number of resources you can initially create. It’s important to note that resources can always be added and removed, so the number of resources at initial creation is not permanent. (In this blog post, we are assuming that we will not create any additional resources within our VPC).
After VPC configuration, you’ll need to create an IPv4 CIDR block. This is the IP address range your resources in the VPC use to communicate with each other and, where you allow it, with the internet. AWS even allows you to use your own IP address block! As a final note, AWS also gives you the option to create an IPv6 CIDR block. The same rules apply as for the IPv4 CIDR block.
Once the IPv4 CIDR block is created, you’ll need to select the tenancy of the VPC. The tenancy is how EC2 instances are distributed across Amazon’s physical hardware, which affects instance pricing. For a VPC, this refers to whether the EC2 instances launched in the VPC should have shared or dedicated tenancy.
After defining tenancy, it’s a simple matter of naming your VPC (be specific if you’re creating multiple VPCs) and adding any additional tags needed for tracking purposes. Then you’re all set!
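Before clicking through the console steps above, it helps to have the addressing worked out on paper. The following is an added example, not code from the original post: it checks a candidate VPC CIDR against the documented AWS limits (VPC and subnet blocks between /16 and /28; five addresses reserved by AWS in every subnet) and carves the block into one public and one private subnet per Availability Zone. The 10.0.0.0/16 block and the AZ names are constructed sample values.

```python
"""Plan a custom VPC's IPv4 addressing offline.

Added example, not from the post. The block 10.0.0.0/16 and the AZ names
below are constructed sample values; no AWS API calls are made.
"""
import ipaddress

VPC_PREFIX_RANGE = (16, 28)        # AWS accepts VPC and subnet CIDRs from /16 to /28
AWS_RESERVED_PER_SUBNET = 5        # first four addresses and the last one in each subnet
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def vpc_cidr_problems(cidr: str) -> list:
    """Return the reasons a CIDR is unsuitable as a VPC block (empty list if it is fine)."""
    problems = []
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"{cidr}: not a valid network ({exc})"]
    if net.version != 4:
        problems.append(f"{cidr}: this planner handles IPv4 blocks only")
        return problems
    lo, hi = VPC_PREFIX_RANGE
    if not lo <= net.prefixlen <= hi:
        problems.append(f"{cidr}: VPC CIDR must be between /{lo} and /{hi}")
    if not any(net.subnet_of(r) for r in RFC1918):
        # AWS permits publicly routable blocks, but a private range is the recommended default
        problems.append(f"{cidr}: not in an RFC 1918 private range")
    return problems


def plan_subnets(vpc_cidr: str, azs, subnet_prefix: int = 24) -> list:
    """Carve the VPC block into public/private subnets, one pair per Availability Zone."""
    problems = vpc_cidr_problems(vpc_cidr)
    if problems:
        raise ValueError("; ".join(problems))
    vpc = ipaddress.ip_network(vpc_cidr)
    if not vpc.prefixlen <= subnet_prefix <= VPC_PREFIX_RANGE[1]:
        raise ValueError(f"subnet prefix /{subnet_prefix} must lie between /{vpc.prefixlen} and /28")
    pool = vpc.subnets(new_prefix=subnet_prefix)   # generator of consecutive, non-overlapping subnets
    plan = []
    for az in azs:
        for tier in ("public", "private"):
            net = next(pool)
            plan.append({
                "az": az,
                "tier": tier,
                "cidr": str(net),
                "usable_hosts": net.num_addresses - AWS_RESERVED_PER_SUBNET,
                # public subnets get a default route to an internet gateway; private ones keep local routing only
                "default_route": "internet gateway" if tier == "public" else "none (local only)",
            })
    return plan


def no_overlap(plan) -> bool:
    """True when no two planned subnets share any address."""
    nets = [ipaddress.ip_network(s["cidr"]) for s in plan]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def example_plan() -> list:
    """The constructed sample: three AZs, one public and one private /24 each."""
    return plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b", "us-east-1c"])


if __name__ == "__main__":
    for s in example_plan():
        print(f"{s['az']:<11} {s['tier']:<8} {s['cidr']:<14} usable={s['usable_hosts']:<4} route={s['default_route']}")
```

The output is a blueprint you can type into the console (or feed to CloudFormation or Terraform) rather than something the script applies for you; the point is to catch an undersized or overlapping block before the VPC exists, since a VPC's primary CIDR cannot be shrunk or changed afterwards.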
What if you don't have the time or the understanding to create your own VPC? Amazon already has you covered by providing all AWS accounts with a default VPC. Within it, there is a public subnet in each Availability Zone, an Internet Gateway, a route table that sends all traffic to the Internet Gateway, and DNS settings. You can assign public IP addresses and DNS hostnames to any launched EC2 instances. You can add to the default VPC by creating more subnets, security groups, or network ACLs, or you can use it with its default configuration. A simple solution for a simple need!
What’s great about a VPC is that your network security is customizable. As mentioned earlier, you can add more subnets to your VPC. If you decide to create a database to store sensitive information, private subnets can protect this data from being accessible to the internet.
To protect your subnets, you’ll want to create security groups and network ACLs. Security groups control access to your instances, while network ACLs control access to your subnets. In most cases, a few security groups will be enough for your needs, but each subnet must have a network ACL associated with it. You can customize the network ACL settings to create the right security measures for your needs.
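The practical difference between the two controls is statefulness, and it is the most common source of "my security group is open, why is traffic dropped?" confusion. The following is an added example, not code from the original post: it models a security group (allow rules only, return traffic admitted automatically) and a network ACL (rules evaluated in ascending rule-number order, first match wins, the catch-all `*` rule denies, return traffic needs its own rule) and runs constructed sample packets through both. The web-server rules, the `203.0.113.0/24` and `198.51.100.0/24` addresses, and the rule numbers are constructed sample data.

```python
"""Offline model of how a security group and a network ACL judge the same traffic.

Added example, not from the post. The rules, addresses and ports below are
constructed sample data; documented AWS behaviour is what the two evaluators model:
  - security groups are stateful and allow-only;
  - network ACLs are stateless, ordered by rule number, and deny by default.
"""
from dataclasses import dataclass
import ipaddress

EPHEMERAL = (1024, 65535)   # port range clients typically use; replies go back to it


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp" or "udp"
    peer_ip: str             # the remote side of the flow
    port: int                # destination port of this packet
    is_reply: bool = False   # belongs to a connection the instance already admitted


@dataclass(frozen=True)
class Rule:
    proto: str
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"    # security groups only have allow rules; NACLs also have "deny"
    number: int = 0          # NACL rule number; ignored for security groups


def _matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto in (pkt.proto, "all")
            and rule.port_from <= pkt.port <= rule.port_to
            and ipaddress.ip_address(pkt.peer_ip) in ipaddress.ip_network(rule.cidr))


def sg_allows(rules, pkt: Packet) -> bool:
    """Stateful: replies to admitted connections pass; new flows need a matching allow rule."""
    if pkt.is_reply:
        return True
    return any(_matches(r, pkt) for r in rules if r.action == "allow")


def nacl_allows(rules, pkt: Packet) -> bool:
    """Stateless: the lowest-numbered matching rule decides; the implicit '*' rule denies."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, pkt):
            return r.action == "allow"
    return False


# Constructed sample: a web server that should accept HTTPS from anywhere.
SG_INBOUND = [Rule("tcp", 443, 443, "0.0.0.0/0")]
NACL_INBOUND = [Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)]
# First attempt at the outbound NACL: it forgets that replies leave on ephemeral ports.
NACL_OUTBOUND_BROKEN = [Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)]
# Corrected outbound NACL: explicitly allow return traffic to clients' ephemeral ports.
NACL_OUTBOUND_FIXED = NACL_OUTBOUND_BROKEN + [Rule("tcp", *EPHEMERAL, "0.0.0.0/0", "allow", 110)]
# A deny with a lower number than the allow wins, which is how a NACL blocks a noisy range.
NACL_INBOUND_BLOCKLIST = [Rule("tcp", 443, 443, "198.51.100.0/24", "deny", 90)] + NACL_INBOUND

REQUEST = Packet("tcp", "203.0.113.10", 443)                  # client -> server :443
REPLY = Packet("tcp", "203.0.113.10", 51234, is_reply=True)   # server -> client ephemeral port
BLOCKED_REQUEST = Packet("tcp", "198.51.100.7", 443)          # from the denied range


def evaluate() -> dict:
    """Run the sample packets through both controls and report allow (True) or deny (False)."""
    return {
        "sg_request": sg_allows(SG_INBOUND, REQUEST),
        "sg_reply": sg_allows(SG_INBOUND, REPLY),                       # stateful: passes
        "nacl_request": nacl_allows(NACL_INBOUND, REQUEST),
        "nacl_reply_broken": nacl_allows(NACL_OUTBOUND_BROKEN, REPLY),  # dropped: no ephemeral rule
        "nacl_reply_fixed": nacl_allows(NACL_OUTBOUND_FIXED, REPLY),
        "nacl_blocklisted": nacl_allows(NACL_INBOUND_BLOCKLIST, BLOCKED_REQUEST),
        "nacl_request_with_blocklist": nacl_allows(NACL_INBOUND_BLOCKLIST, REQUEST),
    }


if __name__ == "__main__":
    for name, allowed in evaluate().items():
        print(f"{name:<28} {'allow' if allowed else 'deny'}")
```

The `nacl_reply_broken` case is the one to remember: the security group alone would let the HTTPS session work, but a subnet NACL that only mirrors the inbound port rule silently drops every reply. It also shows why a NACL is the right place for a subnet-wide deny, since security groups have no deny rules at all.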
There are plenty of other security measures for VPCs to keep unknown or malicious persons from getting to your private information. It’s a good idea to follow the AWS Best Practices when creating your VPC, such as managing IAM users and roles according to the principle of least privilege. This ensures that only those who need access can reach the VPC and its resources.
One final note about security: your VPC can connect to other resources or other VPCs to communicate. There are multiple ways to do this, depending on your use case. There is, of course, opening up your VPC to the internet, but this is a huge security risk. For a more secure connection through the internet, you could use a VPN. There are several options ranging from Amazon’s own VPN service to a third-party service. For a deeper dive into VPNs, check out 'What is an AWS Virtual Private Network?'. There is also Direct Connect for solutions that require the connection of your cloud resources to an on-premises datacenter, bypassing the internet via a private network connection. Finally, there is AWS Transit Gateway, a service that can connect your VPC to many different resources all at the same time without the mess of creating multiple connections to multiple resources.
Free to use anytime, anywhere!
The best part about VPC? It’s completely free to use! The VPC service is free to all users, though fees still apply, at their own rates, to any resources you launch inside it. There’s no better time to experiment with a VPC.