Ref: https://learn.cantrill.io/courses/1820301/lectures/41301619

• Summary
• Contents:

Amazon VPC - Key Concepts

• 🔧 Create and manage VPNs inside an AWS account
  • A Virtual Private Cloud (VPC) is a virtual private NW (VPN) inside AWS
    • VPC CIDR = range of addresses of the VPN (e.g. 172.31.0.0/16)
  • Many other AWS services and resources (in fact, all private AWS services) run inside VPCs (e.g. EC2 instances)
• A VPC is within 1 AWS account & 1 region → VPCs are regionally resilient
  • VPCs can deploy subnets (smaller NWs) in the different AZs of their region
    • 💡 If an AZ fails, the VPC is still functional in other AZs of the region
  • Subnet CIDR = slice of the (whole) VPC CIDR
    • Can never be changed once configured
• Types of VPCs
  • Default VPC (0-1 per region)
    • Always has the same static configuration
  • Custom VPCs (0+ per region)
    • Need to be configured
    • 100% private by default
• 🔧 (Custom) VPCs are private & isolated by default
  • By default, can not communicate with anything outside the VPC (including other VPCs!)
    • Custom VPCs have a default boundary, blocking all traffic IN and OUT of the VPC
  • Specific configuration is needed for Custom VPCs to communicate with outside entities:
    • Other VPCs
    • On-premises NWs in hybrid environments
    • Other cloud platforms in a multi-cloud deployment
    • Public internet
  • 💡 Default privacy and isolation doesn't apply to the Default VPC (exception)

Default VPC

• 🔧 Automatically created by AWS, always pre-configured in the same, very specific way
  • 👍 Predictable → great for quick testing
  • 👎 Inflexible → not good for PROD environments
• ‼️ Default VPC CIDR = 172.31.0.0/16 (ALWAYS!!) → memorize it
• 0-1 per region
  • Can be deleted and recreated
    • ❗ ”Create VPC” creates a Custom VPC ≠ Recreate the Default VPC (different action)
  • 💡 Some AWS services assume the Default VPC exists, so it's good practice to keep it around. Be careful if you decide to delete it!
• One /20 subnet is deployed in each AZ in the region
  • Currently us-east-1 (N. Virginia) region has 6 AZs → Default VPC has 1 subnet in each
• ❗ Preconfigured with IGW, Security Group (SG) & NACL
  • 💡 SGs and NACLs are security features that limit incoming/outgoing data transfer
  • ❗ By default, resources inside the Default VPC get assigned a public IPv4 address, which makes them accessible from the public internet!
    • Unlike Custom VPCs, the Default VPC is not private nor isolated by default!!
• Default VPC - Summary Diagram