AWS FAQs

These are the AWS FAQs.

Amazon Virtual Private Cloud (Amazon VPC)

- Overview:
  - Allows provisioning of an isolated section of the AWS cloud.
  - Launch AWS resources in a custom-defined virtual network.
  - Full control over networking (IP address ranges, subnets, route tables, gateways).
  - Option to connect VPC to corporate datacenter using a hardware VPN connection.
- Customization:
  - Create public-facing subnets (e.g., web servers with Internet access).
  - Create private subnets (e.g., backend systems without Internet access).
  - Multiple layers of security: security groups, network access control lists.

Amazon VPC Components:

- VPC: A logically isolated network in the AWS cloud.
- Subnet: A segment within a VPC's IP address range for isolated resource groups.
- Internet Gateway: Connects VPC to the public Internet.
- NAT Gateway: Managed service for private subnet resources to access the Internet.
- Virtual Private Gateway: VPC side of a VPN connection.
- Peering Connection: Routes traffic privately between two peered VPCs.
- VPC Endpoints: Private connectivity to AWS services without Internet, VPN, or NAT.
- Egress-only Internet Gateway: Provides egress-only IPv6 traffic access to the Internet.

Why Use Amazon VPC:

- Build virtual networks in AWS without hardware or datacenters.
- Full control over network exposure to the Internet.
- Enhanced security options for granular access control to EC2 instances.

Getting Started with Amazon VPC:

- AWS resources are automatically in a default VPC.
- Create additional VPCs via AWS Management Console using "Start VPC Wizard".
- Four basic architecture options:
  1. VPC with a single public subnet.
  2. VPC with public and private subnets.
  3. VPC with public and private subnets + AWS Site-to-Site VPN access.
  4. VPC with a private subnet + AWS Site-to-Site VPN access.

Types of VPC Endpoints:

- VPC Endpoints: Enable private connection to AWS services without Internet/NAT/VPN.
  - Gateway Type Endpoints: For AWS services like S3 and DynamoDB.
    - Routes traffic via a private network to supported services.
  - Interface Type Endpoints: Private connectivity to services via PrivateLink.
    - Supports AWS services, custom services, and SaaS solutions.

Billing for Amazon VPC:

- VPC itself: No additional charges for creating/using the VPC.
- Other AWS services: Standard charges apply (e.g., Amazon EC2, data transfer).
- VPN connection:
  - Pricing per VPN connection-hour (time in "available" state).
  - Partial hours billed as full hours.
  - Data transferred over VPN charged at standard AWS Data Transfer rates.
- Usage Charges for Other AWS Services:
  - Standard usage rates apply (e.g., Amazon S3, EC2).
  - No data transfer charges when accessing AWS services (e.g., S3) via VPC's Internet Gateway.
  - VPN connections incur standard Internet data transfer charges.

Connectivity Options for Amazon VPC:

- Internet: Via an Internet Gateway.
- Corporate Datacenter: Using AWS Site-to-Site VPN (via virtual private gateway).
- Both Internet & Corporate Datacenter: Utilize both Internet gateway and virtual private gateway.
- Other AWS Services: Via Internet gateway, NAT, virtual private gateway, or VPC endpoints.
- Other VPCs: Via VPC peering connections.

Connecting VPC to the Internet:

- Internet Gateway:
  - Allows Amazon EC2 instances to access the Internet.
  - Egress-only Internet Gateway available for outbound IPv6 traffic only.
  - No bandwidth limits, horizontally-scaled, redundant, and highly available.
- Accessing the Internet from VPC Instances:
  - Use public IP addresses (e.g., Elastic IPs, IPv6 Global Unique Addresses) for direct communication and inbound traffic.
  - Modify route tables to route traffic through Internet Gateway.
- Instances Without Public IPs:
  - Use a NAT gateway/instance to route traffic using the NAT's public IP.
  - Alternatively, route traffic through a virtual private gateway to a datacenter for egress to the Internet.

Public IP Address:

- Any IP that can be accessed over the Internet (e.g., public IPv4, Elastic IPs, IPv6 GUA).

Software VPN:

- You can use a third-party software VPN to establish a site-to-site or remote access VPN via the Internet gateway.

Traffic Between Instances or AWS Services:

- Traffic between instances or AWS services using public IP addresses stays within AWS's private network (not routed over the Internet).
- Data is automatically encrypted at the physical layer across AWS's global network.
- Cross-region peering traffic and customer/service-to-service TLS connections add extra encryption.

AWS Site-to-Site VPN:

- Connects your VPC to a datacenter using IPSec VPN.
- Data transfer over VPN is encrypted, ensuring confidentiality and integrity.
- An Internet Gateway is not required for a Site-to-Site VPN connection.

IP Addressing in Amazon VPC

- IP Address Ranges for VPC:
  - Use any IPv4 address range (RFC 1918 or publicly routable) for the primary CIDR block.
  - Restrictions apply for secondary CIDR blocks.
  - Publicly routable IP blocks are reachable only via Virtual Private Gateway, not Internet Gateway.
  - Up to 5 Amazon-provided or BYOIP IPv6 GUA CIDR blocks can be allocated.
- Assigning IP Address Ranges:
  - Primary CIDR block assigned during VPC creation; up to four secondary CIDR blocks can be added later.
  - Avoid overlapping IP ranges to connect VPCs to a common network (e.g., using VPN).
  - Up to 5 IPv6 CIDR blocks can be added.
- Default VPC IP Address Range:
  - Default VPCs: CIDR range of 172.31.0.0/16.
  - Subnets in default VPCs: /20 netblocks within the CIDR range.
- Using Your IP Addresses:
  - You can bring your own public IPv4 and IPv6 GUA addresses.
  - Internet access requires advertising from your on-premises network and routing through AWS DX or VPN.
- VPC Size:
  - VPC supports 1 primary and 4 secondary IPv4 ranges, each between /28 and /16 in size.
  - IPv6 VPC size is fixed at /56.
- Changing VPC Size:
  - Expand by adding up to 4 secondary IPv4 ranges or 5 additional IPv6 ranges.
  - Shrink by deleting secondary CIDR blocks.
- Subnets per VPC:
  - Maximum of 200 subnets per VPC; more possible with a support case.
- Subnet Size:
  - IPv4: Minimum /28 (14 IPs), max size determined by the VPC.
  - IPv6: Fixed at /64 per subnet.
- Reserved IP Addresses:
  - First 4 and last 1 IP address in each subnet are reserved for networking purposes.
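
The CIDR rules in this section (a VPC between /16 and /28, subnets inside the VPC and no smaller than /28, the first four and last address of each subnet reserved, no overlapping ranges when VPCs are joined by peering or VPN) are mechanical enough to check before anything is provisioned. The script below is an added example and not AWS code: it encodes those rules with the Python standard library, and every CIDR value in it is constructed for the demonstration.

```python
"""CIDR planning checks for an Amazon VPC.

Added example, not AWS code. It encodes the rules from the notes above:
the primary IPv4 CIDR must be between /16 and /28, a subnet must lie inside
its VPC and be no smaller than /28, AWS reserves the first four and the last
address of every subnet, and ranges that will be joined (peering, VPN) must
not overlap. Only the Python standard library is used.
"""
import ipaddress
from typing import List, Tuple

VPC_LARGEST_PREFIX = 16      # a /16 is the largest IPv4 VPC allowed
VPC_SMALLEST_PREFIX = 28     # a /28 is the smallest IPv4 VPC (and subnet) allowed
RESERVED_PER_SUBNET = 5      # network, VPC router, DNS, future use, broadcast


def check_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Return the network if it is a valid primary IPv4 VPC CIDR, else raise."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if not VPC_LARGEST_PREFIX <= net.prefixlen <= VPC_SMALLEST_PREFIX:
        raise ValueError(f"{cidr}: VPC CIDR must be between /16 and /28")
    return net


def check_subnet(vpc_cidr: str, subnet_cidr: str) -> ipaddress.IPv4Network:
    """Return the subnet if it fits inside the VPC and is no smaller than /28."""
    vpc = check_vpc_cidr(vpc_cidr)
    sub = ipaddress.ip_network(subnet_cidr, strict=True)
    if sub.prefixlen > VPC_SMALLEST_PREFIX:
        raise ValueError(f"{subnet_cidr}: subnets smaller than /28 are not allowed")
    if not sub.subnet_of(vpc):
        raise ValueError(f"{subnet_cidr} is not inside VPC {vpc_cidr}")
    return sub


def reserved_addresses(subnet_cidr: str) -> List[str]:
    """The five addresses AWS reserves: the first four plus the last (broadcast)."""
    addrs = list(ipaddress.ip_network(subnet_cidr, strict=True))
    return [str(a) for a in addrs[:4]] + [str(addrs[-1])]


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses left for instances once the reserved ones are removed."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, new_prefix: int) -> List[str]:
    """Carve the VPC into equal subnets, e.g. the /20s a default VPC uses."""
    vpc = check_vpc_cidr(vpc_cidr)
    return [str(s) for s in vpc.subnets(new_prefix=new_prefix)]


def overlapping_pairs(cidrs: List[str]) -> List[Tuple[str, str]]:
    """Pairs of ranges that overlap and therefore cannot be peered or VPN-joined."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    # Sample values are constructed for the demonstration.
    print(reserved_addresses("10.0.1.0/24"))
    print(usable_hosts("10.0.1.0/28"))             # 16 addresses minus 5 reserved
    print(len(plan_subnets("172.31.0.0/16", 20)))  # a /16 holds sixteen /20s
    print(overlapping_pairs(["10.0.0.0/16", "10.0.1.0/24", "192.168.0.0/24"]))
```

Running the checks against a proposed address plan before creating the VPC catches the two mistakes that are hardest to undo later: a primary CIDR that cannot be changed afterwards, and a range that overlaps a VPC or on-premises network it will eventually need to be connected to.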

IP Address Assignment in EC2 Instances

- Private IP Assignment:
  - You can specify the primary private IPv4 address during instance launch, or AWS assigns one automatically.
  - Secondary private IPv4 addresses can be assigned anytime.
  - For IPv6-only subnets, instances receive an IPv6 GUA automatically.
- Changing Private IP:
  - Primary private IPv4 is static for the instance's lifetime.
  - Secondary private IPv4 and IPv6 GUAs can be reassigned or removed at any time.
- Reusing IP Addresses:
  - IPv4 addresses cannot be reused until the instance is terminated.
  - IPv6 addresses can be reused after removal.
- Assigning IP Addresses:
  - Only one instance can have a specified IP address at launch.
  - You can assign multiple secondary IP addresses based on the instance type.
- Elastic IP (EIP) Addresses:
  - Assignable only for IPv4 and reachable from the Internet.
  - Each EIP must be tied to a unique private IP.
  - EIPs cannot be used in subnets configured with a NAT gateway/instance.
  - EIPs are not supported for IPv6 in VPCs.

Bring Your Own IP (BYOIP) Feature Overview:

1. What is BYOIP? BYOIP (Bring Your Own IP) allows you to move your existing publicly
routable IPv4 or IPv6 address space to AWS for use with AWS resources while maintaining
ownership of the IP addresses. You can create Elastic IPs from your IPv4 space for use with EC2
instances, NAT Gateways, and Network Load Balancers. Similarly, IPv6 CIDR blocks can be
assigned to VPCs.

2. Benefits of BYOIP:

- IP Reputation: Maintain the reputation of your IP addresses, especially for services like outbound email.
- Customer Whitelisting: Avoid re-establishing whitelists when moving workloads to AWS.
- Hardcoded IP Dependencies: Ease migration when IPs are hardcoded in devices or architecture.
- Regulatory/Compliance: Comply with regulations requiring specific IPs.
- On-Prem IPv6 Network: Route IPv6 traffic via your on-premises network using BYOIP.

3. BYOIP Elastic IP Release:

- If you release a BYOIP Elastic IP, it is returned to your BYOIP IP pool for future allocation.

4. BYOIP Availability and Limits:

- Available in several AWS regions (see AWS documentation).
- You can bring up to five IP ranges.
- The most specific IPv4 prefix is /24, and for IPv6, the most specific is /56.

5. Regional Flexibility:

- You can move a BYOIP prefix between AWS regions by de-provisioning from one and provisioning it in another.

VPC IP Address Manager (IPAM) Overview:

1. What is IPAM? Amazon VPC IP Address Manager (IPAM) is a service to help plan, track,
and monitor IP addresses across AWS workloads. It streamlines IP address management by
automating allocations, tracking usage, troubleshooting issues, and auditing IPs.

2. Key Features of IPAM:

- Automated IP Allocation: Allocates IPs for networks across multiple accounts and VPCs using configurable rules.
- Monitoring and Alerts: Monitors IP usage, detects potential issues like IP depletion or conflicts, and provides alerts.
- Network Troubleshooting: Quickly identifies issues like IP misconfigurations.
- Auditing: Retains up to three years of monitoring data for retrospective analysis and auditing.

3. Components of IPAM:

- Scopes: Containers representing IP space, including a private and a public scope for IP pools.
- Pools: Collections of contiguous IP ranges organized based on routing and security needs.
- Allocations: CIDR assignments from an IPAM pool to VPCs or other resources.

4. BYOIP Support in IPAM:

- IPAM supports managing both BYOIPv4 and BYOIPv6 addresses. Existing BYOIP customers can migrate to IPAM for simplified management.

5. Sharing IPAM Pools:

- You can share IPAM pools with other AWS accounts within or outside your organization via AWS Resource Access Manager (RAM).

Bring Your Own IP (BYOIP) in AWS allows you to bring your own publicly routable IP
address space (IPv4 or IPv6) to AWS for use with AWS resources such as EC2 instances, NAT
Gateways, and Network Load Balancers. BYOIP helps in maintaining IP reputation, enabling
customer whitelisting, supporting hardcoded IP dependencies, meeting compliance regulations,
and routing IPv6 traffic from on-prem networks.

You retain ownership of the IP addresses and can manage them like any other AWS resource.
Key features include Elastic IP allocation, support for IPv4 and IPv6, and the ability to share
prefixes across VPCs within an account.

VPC IP Address Manager (IPAM) is a managed AWS service that helps to plan, track, and
manage IP addresses for AWS workloads. It organizes and automates IP address allocation
across VPCs and accounts, detects IP conflicts, and provides monitoring and auditing
capabilities. IPAM integrates with BYOIP and supports Amazon-provided contiguous IPv6
CIDR blocks for more efficient IP address management.

Security and Filtering within a VPC is handled using security groups (stateful filtering) and
network ACLs (stateless filtering). Security groups control inbound and outbound traffic at the
instance level, while ACLs filter traffic entering or exiting a subnet. AWS supports both types
for added layers of network security.
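
The stateful/stateless distinction is easiest to see with a reply packet. The Python model below is an added example, not AWS code: it pushes one constructed inbound HTTPS request through both a network ACL and a security group, then asks whether the server's reply would be allowed by each. The addresses, rule numbers and ports in it are constructed for the demonstration.

```python
"""Stateful security groups versus stateless network ACLs.

Added example, not AWS code. It models the evaluation described above:
a network ACL checks every packet, including replies, against numbered rules
(lowest number first, implicit deny at the end), whereas a security group
tracks connections and lets the reply to an allowed request out without an
outbound rule. All addresses and rules below are constructed for the demo.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    number: int        # evaluation order for NACLs; ignored by security groups
    proto: str         # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str          # the remote address range the rule applies to
    action: str        # "allow" or "deny" (security groups only carry allow rules)

    def matches(self, remote_ip: str, port: int, proto: str) -> bool:
        return (self.proto in ("all", proto)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))


def nacl_decision(rules: List[Rule], remote_ip: str, port: int, proto: str = "tcp") -> str:
    """Stateless: first matching rule wins; nothing matched means the final '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(remote_ip, port, proto):
            return rule.action
    return "deny"


@dataclass
class SecurityGroup:
    """Stateful: an allowed inbound request is remembered so its reply is allowed."""
    inbound: List[Rule]
    tracked: Set[Tuple[str, str, int]] = field(default_factory=set)

    def inbound_allowed(self, client_ip: str, server_ip: str, dport: int, proto: str = "tcp") -> bool:
        ok = any(r.action == "allow" and r.matches(client_ip, dport, proto) for r in self.inbound)
        if ok:
            self.tracked.add((client_ip, server_ip, dport))  # connection-tracking entry
        return ok

    def reply_allowed(self, server_ip: str, client_ip: str, sport: int) -> bool:
        # The reply reverses the tuple; it passes because of tracking, not an outbound rule.
        return (client_ip, server_ip, sport) in self.tracked


def https_scenario(nacl_outbound: List[Rule]) -> Dict[str, bool]:
    """A client on the Internet opens TCP/443 to a web server in a public subnet."""
    client, server, ephemeral = "203.0.113.10", "10.0.1.25", 51515
    nacl_inbound = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
    sg = SecurityGroup(inbound=[Rule(1, "tcp", 443, 443, "0.0.0.0/0", "allow")])

    request_ok = (nacl_decision(nacl_inbound, client, 443) == "allow"
                  and sg.inbound_allowed(client, server, 443))
    # The reply is addressed to the client's ephemeral port, so the subnet's
    # outbound NACL must allow 1024-65535 towards the client or the reply is dropped.
    nacl_reply_ok = nacl_decision(nacl_outbound, client, ephemeral) == "allow"
    sg_reply_ok = sg.reply_allowed(server, client, 443)
    return {"request": request_ok, "nacl_reply": nacl_reply_ok, "sg_reply": sg_reply_ok}


# Two constructed outbound NACLs: one lacks the ephemeral-port rule, one has it.
NACL_OUT_MISSING_EPHEMERAL = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
NACL_OUT_WITH_EPHEMERAL = NACL_OUT_MISSING_EPHEMERAL + [
    Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print(https_scenario(NACL_OUT_MISSING_EPHEMERAL))
    print(https_scenario(NACL_OUT_WITH_EPHEMERAL))
```

With the first outbound list the request is admitted but the reply is dropped at the subnet boundary, which is the classic symptom of a stateless ACL without an ephemeral-port rule; the security group passes the reply in both runs because it tracks the connection. The rule-number ordering also matters: a deny with a lower number than a broad allow takes precedence, which is how a network ACL can block a specific range that a security group would otherwise admit.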

Monitoring is done through VPC Flow Logs, which capture IP traffic information for analysis
and troubleshooting, and Traffic Mirroring, which allows deeper inspection of actual traffic
content for threat monitoring and troubleshooting. Flow logs are useful for high-level network
insights, while traffic mirroring is more detailed for packet-level analysis.
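
A small parser for the default flow log record format gives the kind of high-level view this paragraph describes: which sources are being rejected, on how many ports, and how much accepted traffic a flow carries. The Python code below is an added example, not AWS code; its six log records are constructed (the account id, interface id and addresses are placeholders), and the NODATA record shows how a window with no traffic is handled.

```python
"""Parsing VPC Flow Logs and summarising rejected traffic.

Added example, not AWS code. It parses records in the default flow log format
(version 2, fourteen space-separated fields) and groups REJECT records by
source address, the kind of high-level view the notes describe. The log lines
below are constructed for the demonstration.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: three rejected probes from one host, one accepted HTTPS flow
# in each direction, and a NODATA record (no traffic in the aggregation window).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.25 51001 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.25 51002 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.5 10.0.1.25 51003 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.25 44321 443 6 20 8000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.25 198.51.100.7 443 44321 6 18 30000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text: str) -> List[Dict[str, Optional[object]]]:
    """One dict per well-formed record; '-' becomes None, numeric fields become int."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line or a custom format this parser does not handle
        rec: Dict[str, Optional[object]] = {}
        for name, value in zip(FIELDS, parts):
            if value == "-":
                rec[name] = None
            elif name in INT_FIELDS:
                rec[name] = int(value)
            else:
                rec[name] = value
        records.append(rec)
    return records


def rejected_ports_by_source(records) -> Dict[str, Set[int]]:
    """Map each source address to the set of destination ports it was rejected on."""
    rejected: Dict[str, Set[int]] = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT" and rec["log_status"] == "OK":
            rejected[rec["srcaddr"]].add(rec["dstport"])
    return dict(rejected)


def sources_probing_many_ports(records, min_ports: int = 3) -> List[str]:
    """Sources rejected on at least min_ports distinct ports: a cheap scan indicator."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_ports)


def accepted_bytes(records) -> Dict[str, int]:
    """Bytes per (src -> dst) for accepted flows, useful as a volume baseline."""
    totals: Dict[str, int] = defaultdict(int)
    for rec in records:
        if rec["action"] == "ACCEPT":
            totals[f"{rec['srcaddr']}->{rec['dstaddr']}"] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(len(recs), "records")
    print(rejected_ports_by_source(recs))
    print(sources_probing_many_ports(recs))
    print(accepted_bytes(recs))
```

Flow logs record only the 5-tuple, counters and the ACCEPT/REJECT verdict of the security group and network ACL evaluation, so this is where a port-sweep or an unexpected egress shows up first; when the question becomes what was inside an accepted flow, that is the point to switch to Traffic Mirroring, which the paragraph above covers.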

These tools are designed to help manage complex AWS networking environments efficiently and
securely, allowing scalability while maintaining visibility and control over network traffic.

Regions and Zones

Amazon EC2 is hosted in multiple locations world-wide. These locations are composed of AWS Regions, Availability Zones, Local Zones, AWS Outposts, and Wavelength Zones.

- Each Region is a separate geographic area.
- Availability Zones are multiple, isolated locations within each Region.
- Local Zones provide you the ability to place resources, such as compute and storage, in multiple locations closer to your end users.
- AWS Outposts brings native AWS services, infrastructure, and operating models to virtually any data center, co-location space, or on-premises facility.
- Wavelength Zones allow developers to build applications that deliver ultra-low latencies to 5G devices and end users. Wavelength deploys standard AWS compute and storage services to the edge of telecommunication carriers' 5G networks.

AWS operates state-of-the-art, highly available data centers. Although rare, failures can occur that affect the
availability of instances that are in the same location. If you host all of your instances in a single location that is
affected by a failure, none of your instances would be available.

- Availability and Zone Constraints:
  - VPCs can span multiple Availability Zones, but subnets cannot. Each subnet must reside within a single Availability Zone.
  - When launching an EC2 instance, you specify the subnet, determining which Availability Zone the instance will be placed in.
- Network Bandwidth Costs:
  - Data transfer between instances in different subnets (if in different Availability Zones) incurs a cost of $0.01 per GB.
- Default VPCs:
  - Default VPCs are automatically created the first time you provision EC2 resources and offer features similar to EC2-Classic.
  - Each default VPC has one default subnet in each Availability Zone.
  - You can still create additional VPCs, subnets (including private subnets), or delete default VPCs and subnets.
- EC2-Classic vs. EC2-VPC:
  - Default VPCs offer advantages like ease of use and advanced features (e.g., security group egress filtering, multiple IPs, and interfaces).
  - You can switch from EC2-Classic to EC2-VPC by requesting to convert your account.
- Connectivity and Routing:
  - Instances in a default VPC are automatically connected to an Internet gateway and receive public IP addresses.
  - You can add a VPN connection to a default VPC if needed, but it's not required.

Regions

- Available Regions: AWS is divided into different regions, each with its own infrastructure for resource management. A region is a physical location that contains Availability Zones (AZs).
- Regional endpoints: Each AWS region has its own API endpoint for services to interact with. These endpoints are specific to the region.

Availability Zones (AZs)

- AZ IDs: Each AZ is identified by a unique ID within a region (e.g., us-east-1a), and AZs are isolated from each other to ensure redundancy.
- Available Availability Zones: AWS offers multiple Availability Zones within a region to ensure high availability for EC2 instances and other resources.
- Instances in Availability Zones: When you launch an EC2 instance, you choose a subnet that corresponds to an AZ, defining the physical location of the instance.

Local Zones

- Available Local Zones: These are extensions of an AWS Region that provide low-latency access to AWS services closer to specific locations.
- Instances in Local Zones: EC2 instances can also be launched in Local Zones to serve applications requiring low-latency access to end users in those areas.

Wavelength Zones

- Available Wavelength Zones: AWS Wavelength Zones are designed for ultra-low-latency applications by providing infrastructure closer to 5G networks.
- Instances in Wavelength Zones: EC2 instances can be deployed in these Wavelength Zones to optimize for applications like gaming or media streaming.

AWS Outposts

- Instances on an Outpost: AWS Outposts bring AWS services to on-premise locations. You can launch and manage instances on an AWS Outpost just like in a regular AWS region.
- Volumes on an Outposts rack: These represent EBS volumes that are attached to instances running on Outposts racks, providing local storage and management.
- Volumes on an Outposts server: Similar to Outposts racks, but specific to server-level deployments of AWS infrastructure.

EC2-Classic Overview

- What is EC2-Classic?: Launched in 2006, EC2-Classic allowed instances to run in a flat network shared with other customers. In 2009, Amazon introduced Virtual Private Cloud (VPC) for better network isolation and security. EC2-Classic is now deprecated, with the majority of AWS users migrating to VPC.

Retirement of EC2-Classic

- Retirement Date: EC2-Classic was officially retired on August 15, 2022. AWS requested customers to migrate any resources still running on EC2-Classic to VPC before this date.
- Impact on Accounts: Accounts using EC2-Classic are affected, but AWS will automatically disable EC2-Classic for regions without activity since January 2021. To check if EC2-Classic is enabled, you can use the AWS Console or AWS CLI.

Migration to VPC

- Benefits of Amazon VPC: Migrating to VPC offers advantages like logical isolation, configurable subnets, management of route tables, network gateways, and access to newer instances and services. VPC also allows better control over network security.
- How to Migrate:
  - Use scripts to identify EC2-Classic resources across regions.
  - Follow specific migration guides for instances, security groups, load balancers, databases, Elastic Beanstalk, and other AWS services.
  - AWS Application Migration Service (AWS MGN) can be used for automated migration, simplifying the process.
- Runbook for Simple EC2 Migrations: AWS Systems Manager Automation offers a runbook AWSSupport-MigrateEC2ClassicToVPC, automating the process by creating an AMI of the EC2-Classic instance, launching it in VPC, and optionally terminating the EC2-Classic instance.

Key Dates

- October 30, 2021: AWS stopped issuing reserved instances (RIs) for EC2-Classic.
- August 15, 2022: AWS no longer allowed the creation of instances or services in EC2-Classic.

Elastic Network Interfaces (ENI) Overview

- Attaching/Detaching ENIs: Secondary ENIs can be attached or detached from running instances, but the primary interface (eth0) cannot be detached.
- Availability Zone (AZ) Restrictions: ENIs can only be attached to instances within the same AZ and same VPC.
- Multiple Websites on One Instance: Additional private IP addresses can be assigned to a single instance, with Elastic IPs (EIPs) mapped as needed. This method is preferable to attaching multiple ENIs for hosting multiple websites.

VPC Peering Connections

1. Inter-Region Peering:
   - Peering connections can be established between VPCs in different regions globally (excluding China).
2. Cross-Account Peering:
   - VPCs belonging to different AWS accounts can be peered, provided the owner of the other VPC accepts the peering request.
3. Costs:
   - No charges for creating VPC peering connections; however, data transfer across peering connections incurs costs. Refer to the EC2 Pricing page for rates.
4. Internet Gateway Requirement:
   - An Internet Gateway is not needed for VPC peering connections.
5. Traffic Encryption:
   - Traffic between instances in peered VPCs is not encrypted by default, but it remains private and isolated.
6. Peering Connection Termination:
   - If one side of a peering connection is deleted, the other side will lose access to the VPC.
7. Transitive Peering:
   - Transitive peering (A to B and B to C implies A to C) is not supported.
8. Connection Reliability:
   - AWS infrastructure supports VPC peering connections, providing redundancy and eliminating single points of failure.
9. Bandwidth Limitations:
   - Bandwidth for peering connections is similar to that between instances within the same VPC, but full-bisection bandwidth is not guaranteed across peered VPCs.
10. Traffic Encryption for Inter-Region Peering:
    - Traffic is encrypted using modern AEAD algorithms.
11. DNS with Inter-Region VPC Peering:
    - Public hostname queries resolve to public IP addresses by default, but Route 53 private DNS can resolve to private IPs.
12. Security Group References:
    - Security groups cannot reference each other across Inter-Region VPC Peering connections.
13. IPv6 Support:
    - Inter-Region VPC Peering supports IPv6.
14. EC2-Classic Link:
    - Inter-Region VPC Peering cannot be used with EC2-Classic Link.

ClassicLink

1. Overview:
   - ClassicLink allows EC2 instances in the EC2-Classic platform to communicate with instances in a VPC using private IP addresses. You must enable it for a VPC and associate a VPC Security Group with the EC2-Classic instance.
2. Cost:
   - No additional charges for ClassicLink, but cross-AZ data transfer charges apply.
3. Usage:
   - Enable a VPC for ClassicLink, then associate a Security Group from the VPC with the EC2-Classic instance. An EC2-Classic instance can only be linked to one VPC at a time.
4. Membership:
   - The EC2-Classic instance becomes a member of the associated VPC Security Group, but it does not become a member of the VPC itself.
5. DNS Resolution:
   - EC2 public DNS hostnames will not resolve to private IPs between EC2-Classic and EC2-VPC instances.
6. VPC Limitations:
   - ClassicLink cannot be enabled for VPCs with specific CIDR ranges, particularly those within 10.0.0.0/8, unless they are exceptions.
7. Traffic Routing:
   - Traffic from EC2-Classic instances can only reach private IP addresses within the VPC and cannot egress to the Internet or peered VPCs.
8. Access Control:
   - ClassicLink does not change access control defined by existing EC2-Classic Security Groups.
9. Persistence of Settings:
   - ClassicLink settings do not persist through stop/start cycles; the EC2-Classic instance needs to be linked back after being restarted.
10. Security Group References:
    - EC2-Classic Security Group rules cannot reference VPC Security Groups, and vice versa.

VPC quotas

Name | Default | Adjustable | Comments
VPCs per Region | 5 | Yes | Increasing this quota increases the quota on internet gateways per Region by the same amount. You can increase this limit so that you can have hundreds of VPCs per Region.
Subnets per VPC | 200 | Yes |
IPv4 CIDR blocks per VPC | 5 | Yes (up to 50) | This primary CIDR block and all secondary CIDR blocks count toward this quota.
IPv6 CIDR blocks per VPC | 5 | Yes (up to 50) | The number of CIDRs you can allocate to a single VPC.

DNS

Each EC2 instance can send 1024 packets per second per network interface to Route 53 Resolver (specifically the .2 address, such as 10.0.0.2 and 169.254.169.253). This quota cannot be increased. The number of DNS queries per second supported by Route 53 Resolver varies by the type of query, the size of the response, and the protocol in use. For more information and recommendations for a scalable DNS architecture, see the AWS Hybrid DNS with Active Directory Technical Guide.

Elastic IP addresses

Name | Default | Adjustable | Comments
Elastic IP addresses per Region | 5 | Yes | This quota applies to individual AWS account VPCs and shared VPCs.
Elastic IP addresses per public NAT gateway | 2 | Yes | You can request a quota increase up to 8.

Gateways

Name | Default | Adjustable | Comments
Egress-only internet gateways per Region | 5 | Yes | To increase this quota, increase the quota for VPCs per Region. You can attach only one egress-only internet gateway to a VPC at a time.
Internet gateways per Region | 5 | Yes | To increase this quota, increase the quota for VPCs per Region. You can attach only one internet gateway to a VPC at a time.
NAT gateways per Availability Zone | 5 | Yes | NAT gateways only count toward your quota in the pending, active, and deleting states.
Private IP address quota per NAT gateway | 8 | Yes |
Carrier gateways per VPC | 1 | No |

Customer-managed prefix lists

While the default quotas for customer-managed prefix lists are adjustable, you cannot request an increase using the Service Quotas console. You must open a service limit increase case using the AWS Support Center Console.

Name | Default | Adjustable | Comments
Prefix lists per Region | 100 | Yes |
Versions per prefix list | 1,000 | Yes | If a prefix list has 1,000 stored versions and you add a new version, the oldest version is removed so that the new version can be added.
Maximum number of entries per prefix list | 1,000 | Yes | You can resize a customer-managed prefix list up to 1000. For more information, see Resize a prefix list. When you reference a prefix list in a resource, the maximum number of entries for the prefix lists counts against the quota for the number of entries for the resource. For example, if you create a prefix list with 20 maximum entries and you reference that prefix list in a security group rule, this counts as 20 security group rules.
References to a prefix list per resource type | 5,000 | Yes | This quota applies per resource type that can reference a prefix list. For example, you can have 5,000 references to a prefix list across all of your security groups plus 5,000 references to a prefix list across all of your subnet route tables. If you share a prefix list with other AWS accounts, the other accounts' references to your prefix list count toward this quota.

Network ACLs

Name | Default | Adjustable | Comments
Network ACLs per VPC | 200 | Yes | You can associate one network ACL to one or more subnets in a VPC.
Rules per network ACL | 20 | Yes | This quota determines both the maximum number of inbound rules and the maximum number of outbound rules. This quota can be increased up to a maximum of 40 inbound rules and 40 outbound rules (for a total of 80 rules), but network performance might be impacted.

Network interfaces

Name | Default | Adjustable | Comments
Network interfaces per instance | Varies by instance type | No | For more information, see Network interfaces per instance type.
Network interfaces per Region | 5,000 | Yes | This quota applies to individual AWS account VPCs and shared VPCs. This limit is enforced per Availability Zone (AZ). If, for example, the network interfaces are in three AZs, each AZ will have a limit of 5,000 and the Region will have a limit of 15,000.

Route tables

Name | Default | Adjustable | Comments
Route tables per VPC | 200 | Yes | The main route table counts toward this quota. Note that if you request a quota increase for route tables, you may also want to request a quota increase for subnets. While route tables can be shared with multiple subnets, a subnet can only be associated with a single route table.
Routes per route table (non-propagated routes) | 50 | Yes | You can increase this quota up to a maximum of 1,000; however, network performance might be impacted. This quota is enforced separately for IPv4 routes and IPv6 routes. If you have more than 125 routes, we recommend that you paginate calls to describe your route tables for better performance.
Propagated routes per route table | 100 | No | If you require additional prefixes, advertise a default route.

Security groups

Name | Default | Adjustable | Comments
VPC security groups per Region | 2,500 | Yes | This quota applies to individual AWS account VPCs and shared VPCs. If you increase this quota to more than 5,000 security groups in a Region, we recommend that you paginate calls to describe your security groups for better performance.
Inbound or outbound rules per security group | 60 | Yes | This quota is enforced separately for inbound and outbound rules. For an account with the default quota of 60 rules, a security group can have 60 inbound rules and 60 outbound rules. In addition, this quota is enforced separately for IPv4 rules and IPv6 rules. For an account with the default quota of 60 rules, a security group can have 60 inbound rules for IPv4 traffic and 60 inbound rules for IPv6 traffic. For more information, see Security group size. A quota change applies to both inbound and outbound rules. This quota multiplied by the quota for security groups per network interface cannot exceed 1,000.
Security groups per network interface | 5 | Yes (up to 16) | This quota multiplied by the quota for rules per security group cannot exceed 1,000.

VPC subnet sharing

All standard VPC quotas apply to shared VPC subnets.

Name | Default | Adjustable | Comments
Participant accounts per VPC | 100 | Yes | The maximum number of distinct participant accounts that subnets in a VPC can be shared with. This is a per VPC quota and applies across all the subnets shared in a VPC. VPC owners can view the network interfaces and security groups that are attached to the participant resources.
Subnets that can be shared with an account | 100 | Yes | This is the maximum number of subnets that can be shared with an AWS account.

Network Address Usage

Network Address Usage (NAU) is comprised of IP addresses, network interfaces, and CIDRs in managed prefix lists. NAU is a metric applied to resources in a VPC to help you plan for and monitor the size of your VPC. For more information, see Network Address Usage.

The resources that make up the NAU count have their own individual service quotas. Even if a VPC has NAU capacity available, you won't be able to launch resources into the VPC if the resources have exceeded their service quotas.

Name | Default | Adjustable | Comments
Network Address Usage | 64,000 | Yes (up to 256,000) | The maximum number of NAU units per VPC.
Peered Network Address Usage | 128,000 | Yes (up to 512,000) | The maximum number of NAU units for a VPC and all of its intra-Region peered VPCs. VPCs that are peered across different Regions do not contribute to this number.

AWS PrivateLink

1. Overview:
   - AWS PrivateLink allows customers to privately access services hosted on AWS without exposing traffic to the public Internet. It keeps all network traffic within the AWS network, ensuring high availability and scalability.
2. Service Users:
   - Users need to create interface type VPC endpoints for PrivateLink-enabled services. These endpoints appear as Elastic Network Interfaces (ENIs) with private IPs in their VPCs. Traffic destined for these IPs is routed privately to the corresponding AWS services.
3. Service Owners:
   - Service providers must register their services by establishing a Network Load Balancer (NLB) in front of their services and creating a PrivateLink service linked to the NLB. They must also whitelist customer accounts and IAM roles to allow access.
4. Supported Services:
   - AWS services that currently support PrivateLink include:
     - Amazon EC2
     - Elastic Load Balancing (ELB)
     - Kinesis Streams
     - Service Catalog
     - EC2 Systems Manager
     - Amazon SNS
     - AWS DataSync
   - Many third-party SaaS solutions also support AWS PrivateLink. AWS Marketplace provides a selection of these products.
5. Integration with Direct Connect:
   - Yes, on-premises applications can connect to AWS PrivateLink service endpoints over AWS Direct Connect. The service endpoints automatically direct traffic to the relevant AWS services.

Additional Questions about Amazon VPC

1. Management Console:
   - You can use the AWS Management Console to manage Amazon VPC objects, including VPCs, subnets, route tables, Internet gateways, and IPSec VPN connections. A wizard is also available for creating a VPC.
2. Resource Limits:
   - For information on VPC limits (number of VPCs, subnets, Elastic IP addresses, and Internet gateways), refer to the Amazon VPC user guide.
3. AWS Support:
   - Yes, AWS provides support for Amazon VPC. More information is available through AWS support channels.
4. ElasticFox:
   - ElasticFox is no longer officially supported for managing Amazon VPC. Management is available via AWS APIs, command line tools, the AWS Management Console, and various third-party utilities.

Amazon S3 Overview

 What is Amazon S3?
o Amazon S3 (Simple Storage Service) is an object storage service designed for
storing and retrieving any amount of data from anywhere, offering durability,
availability, performance, security, and scalability at low costs.

Key Features and Benefits

 Usage:
o S3 provides a web service interface for storing and retrieving data, enabling the
development of cloud-native applications. It scales easily, allowing users to start
small and grow without compromising performance or reliability.
 Flexibility:
o You can store any type and amount of data, from small files to large datasets,
supporting various applications, including FTP and sophisticated web
applications.
 No Upfront Investment:
o Unlike on-premises solutions, S3 allows you to leverage Amazon’s infrastructure
without upfront costs, ensuring quick, secure, and always available data access.

Getting Started

 To start using Amazon S3, you need an AWS account. You can sign up through the S3
console and access documentation and resources to assist with your setup.

Data Storage Capacity

 Types of Data:
o Virtually any kind of data can be stored in any format, subject to AWS licensing
agreements.
 Storage Limits:
o There are no limits on total data volume or object count. Individual objects can
range from 0 bytes to 5 TB, with single PUT uploads capped at 5 GB (use
multipart uploads for larger objects).

Bucket Types

 General Purpose Buckets:
o The original bucket type supporting all storage classes except S3 Express One
Zone, recommended for most use cases.
 Directory Buckets:
o Allow only S3 Express One Zone storage, optimized for low-latency applications,
and can support high transaction rates.

Data Privacy

 Amazon stores your data and tracks its associated usage for billing purposes, but will not
access it for other purposes unless required by law, as outlined in the AWS Licensing Agreement.

Amazon S3 Functionality and Organization

 Does Amazon store its own data in Amazon S3?
o Yes, various organizations within Amazon use S3 for many projects, treating it as
an authoritative data store for critical operations.
 Data Organization:
o S3 uses a key-based object storage system where each stored data object has a
unique key for retrieval. Keys can mimic hierarchical structures, and S3 Object
Tagging can help organize data across buckets and prefixes.
 Interface:
o Amazon S3 provides a REST web services interface that works with any internet-
development toolkit, making it easy to integrate and add functionalities.

Reliability and Performance

 Reliability:
o S3 is designed to be highly scalable and available. Different storage classes have
varying availability guarantees:
 S3 Standard: 99.99%
 S3 Standard-IA, S3 Intelligent-Tiering, S3 Glacier Instant Retrieval:
99.9%
 S3 One Zone-IA: 99.5%
 S3 Glacier Flexible Retrieval and S3 Glacier Deep Archive: 99.99% with
an SLA of 99.9%.
 Handling Traffic Spikes:
o S3 can handle sudden traffic spikes effectively due to its scalable infrastructure
and pay-as-you-go pricing model, ensuring uninterrupted service.
 Service Level Agreement (SLA):
o Amazon S3 provides an SLA that offers service credits if uptime falls below a
specified threshold in any billing cycle.

Consistency Model

 Read-after-Write Consistency:
o S3 automatically delivers strong read-after-write consistency, ensuring that once
an object is written or overwritten, any subsequent read request will immediately
access the latest version. This also applies to list operations, reflecting changes
right after a write.
 Benefits of Strong Consistency:
o This feature is particularly beneficial for applications that frequently read
immediately after writing. It ensures that all reads reflect the most recent writes,
improving performance for high-traffic workloads and reducing costs by
eliminating the need for additional infrastructure to ensure consistency.

AWS Regions and Availability Zones

 Where is my data stored?
o When you create an S3 bucket, you specify an AWS Region. For most storage
classes (S3 Standard, S3 Standard-IA, S3 Intelligent-Tiering, S3 Glacier Instant
Retrieval, S3 Glacier Flexible Retrieval, and S3 Glacier Deep Archive), your
objects are stored across multiple devices in at least three Availability Zones
(AZs). In contrast, the S3 One Zone-IA storage class stores data in a single AZ.
Data stored on S3 Outposts resides in your on-premises environment unless
manually transferred to an AWS Region.
 What is an AWS Region?
o An AWS Region is a geographical area containing multiple data centers known as
Availability Zones (AZs). Each Region comprises a minimum of three isolated
AZs that provide independent power, cooling, and physical security, all connected
via low-latency networks. This multi-AZ design enhances availability and fault
tolerance.
 What is an AWS Availability Zone (AZ)?
o An AZ consists of one or more discrete data centers with redundant power,
networking, and connectivity. AZs enhance the availability and scalability of
applications compared to a single data center. Data stored in S3 across supported
storage classes is replicated across at least three AZs for redundancy, except for
the S3 One Zone-IA class, which does not provide resilience against the loss of an
entire AZ.

Choosing an AWS Region

 How do I decide which AWS Region to store my data in?
o Factors to consider include proximity to customers or other AWS resources to
reduce latency, geographic redundancy for disaster recovery, legal and regulatory
requirements, and cost. You might select a lower-priced Region to save on storage
costs.
 In which parts of the world is Amazon S3 available?
o Amazon S3 is available in multiple AWS Regions globally, allowing you to
choose where to store your data. You can refer to the AWS regional services list
for details on S3 availability by Region.
