Week 3

The document provides an overview of cloud networking, detailing its infrastructure, the differences between private and public IP addresses, and the concept of subnets. It also introduces Amazon Virtual Private Cloud (VPC), its components, benefits, and the default VPC setup, along with instructions for creating a VPC and subnets. Additionally, it explains the role of internet gateways and route tables in facilitating internet traffic to and from a VPC.

Uploaded by akashnavani17

Week 3 Afternoon Session

Cloud Networking
3.1 Introduction
Cloud networking is a type of IT infrastructure in which some or all of an organization’s network
capabilities and resources are hosted in a public or private cloud platform, managed in-house or by a service
provider, and available on demand.
Companies can either use on-premises cloud networking resources to build a private cloud network or use
cloud-based networking resources in the public cloud, or a hybrid cloud combination of both. These network
resources can include virtual routers, firewalls, and bandwidth and network management software, with
other tools and functions available as required.

3.2 CIDR, Private vs Public IP

Classless Inter-Domain Routing (CIDR) is an IP address allocation method that improves data routing
efficiency on the internet. Every machine, server, and end-user device that connects to the internet has a
unique number, called an IP address, associated with it. Devices find and communicate with one another by
using these IP addresses. Organizations use CIDR to allocate IP addresses flexibly and efficiently in their
networks.

The private IP address of a system is the IP address used to communicate within the same network.
Using a private IP, data or information can be sent or received within the same network.

The public IP address of a system is the IP address used to communicate outside the network. A public
IP address is assigned by the ISP (Internet Service Provider).

Difference between Private and Public IP address:

| S.No. | PRIVATE IP ADDRESS | PUBLIC IP ADDRESS |
|---|---|---|
| 1. | The scope of a private IP is local. | The scope of a public IP is global. |
| 2. | It is used to communicate within the network. | It is used to communicate outside the network. |
| 3. | Private IP addresses of the systems connected in a network differ in a uniform manner. | Public IPs may differ in a uniform or non-uniform manner. |
| 4. | It works only on a LAN. | It is used to get internet service. |
| 5. | It is used to load the network operating system. | It is controlled by the ISP. |
| 6. | It is available free of cost. | It is not free of cost. |
| 7. | A private IP can be found by entering "ipconfig" on the command prompt. | A public IP can be found by searching "what is my ip" on Google. |
| 8. | Range: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, 192.168.0.0 – 192.168.255.255. Example: 192.168.1.10 | Range: besides the private IP addresses, the rest are public. Example: 17.5.7.8 |
| 9. | A private IP uses a numeric code that is not unique and can be used again. | A public IP uses a numeric code that is unique and cannot be used by others. |
| 10. | Private IP addresses are secure. | A public IP address has no security and is subject to attack. |
| 11. | Private IP addresses require NAT to communicate with devices outside the network. | A public IP does not require network address translation. |

3.3 Subnet Overview


A subnet, or subnetwork, is a network inside a network. Subnets make networks more efficient. Through
subnetting, network traffic can travel a shorter distance without passing through unnecessary routers to reach
its destination.
Because an IP address is limited to indicating the network and the device address, IP addresses cannot be
used to indicate which subnet an IP packet should go to. Routers within a network use something called a
subnet mask to sort data into subnetworks.
A subnet mask is like an IP address, but for only internal usage within a network. Routers use subnet
masks to route data packets to the right place. Subnet masks are not indicated within data packets traversing
the Internet — those packets only indicate the destination IP address, which a router will match with a
subnet.

For a real-world example, suppose an IP packet is addressed to the IP address 192.0.2.15. This IP address
is a Class C network, so the network is identified by "192.0.2" (or to be technically precise, 192.0.2.0/24).
Network routers forward the packet to a host on the network indicated by "192.0.2."

Once the packet arrives at that network, a router within the network consults its routing table. It does some
binary mathematics using its subnet mask of 255.255.255.0, sees the device address "15" (the rest of the IP
address indicates the network), and calculates which subnet the packet should go to. It forwards the packet
to the router or switch responsible for delivering packets within that subnet, and the packet arrives at IP
address 192.0.2.15.
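The private/public classification from section 3.2 and the subnet-mask arithmetic from section 3.3, as an added example (not code from the original document). It generalizes the 192.0.2.15 walk-through to any address and mask, and adds a helper that carves a VPC block into equal subnets; the ranges are the RFC 1918 ranges listed in the table above.

```python
import ipaddress

# The three private ranges from the table in section 3.2 (RFC 1918), written as CIDR blocks.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),        # 10.0.0.0 - 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),     # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),    # 192.168.0.0 - 192.168.255.255
]


def is_private(ip: str) -> bool:
    """True if the address falls inside one of the RFC 1918 private ranges;
    everything else is treated as public, as the table states."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def split_address(ip: str, mask: str) -> tuple:
    """Apply a subnet mask the way a router does: AND the address with the mask
    to get the network part, and the remaining bits are the device (host) number.
    For 192.0.2.15 with 255.255.255.0 this yields ('192.0.2.0', 15)."""
    a = int(ipaddress.ip_address(ip))
    m = int(ipaddress.ip_address(mask))
    network = ipaddress.ip_address(a & m)
    host = a & (~m & 0xFFFFFFFF)
    return str(network), host


def subnet_plan(vpc_cidr: str, subnet_prefix: int) -> list:
    """Carve a VPC block into equal subnets of the given prefix length and report
    the total and usable addresses per subnet. AWS reserves five addresses in
    every subnet (network address, VPC router, DNS, one reserved for future use,
    and broadcast), so usable = total - 5."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [
        {"cidr": str(s), "total": s.num_addresses, "usable": s.num_addresses - 5}
        for s in vpc.subnets(new_prefix=subnet_prefix)
    ]


if __name__ == "__main__":
    for ip in ("192.168.1.10", "17.5.7.8", "172.31.255.255", "172.32.0.1"):
        print(ip, "private" if is_private(ip) else "public")
    print(split_address("192.0.2.15", "255.255.255.0"))
    for s in subnet_plan("172.31.0.0/16", 20)[:3]:
        print(s)
```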

3.4 Networking – VPC


Amazon Virtual Private Cloud is a networking service that you can use to establish boundaries around
your AWS resources. In simpler words, Amazon Virtual Private Cloud (Amazon VPC) enables users
to define a virtual network and then launch AWS resources into that virtual network. It gives you
full control over the network environment: resources, connectivity, and security. Moreover, it defines
how a network should communicate across different Availability Zones or regions. Users have the option of
easily customizing the network configuration of their Amazon Virtual Private Cloud (VPC).
Components of Amazon VPC:
 Subnet: A subnet in a VPC is a range of IP addresses. It is a section of a VPC that can
contain resources such as Amazon EC2 instances and shares a common address component. A public
subnet is one whose resources are exposed to the internet through an internet gateway; a private subnet is
one whose resources are not exposed to the outside world.
 Route Table: A route table is a set of rules used to decide where network traffic is directed. Each
rule specifies a destination (an IP address range) and a target. The target can be an internet gateway, NAT
gateway, virtual private gateway, etc. With route tables, users determine where network traffic from a
subnet or gateway is directed.
 Virtual Private Gateway: It is the VPN (Virtual Private Network) hub on the Amazon side of the
VPN connection, providing a secure transaction. Users attach it to the VPC from which they want to
create the VPN connection.
 NAT Gateway: A Network Address Translation (NAT) Gateway is used when higher bandwidth and
availability with less management effort are required. The route table of the private subnet is updated
so that it sends traffic to the NAT gateway. It supports only the UDP, TCP, and ICMP protocols.
 VPC Peering: A VPC peering connection allows you to route traffic between two Virtual Private
Clouds using IPv4 or IPv6 private addresses. Users can create a VPC peering connection between their
own VPC and a VPC in another AWS account. This connection helps you transfer data smoothly.
 Security Groups: A security group is a set of firewall rules that controls the traffic for your instance.
A single security group can be associated with multiple instances.
 Elastic IP: It is a static, reserved public IP address that can be assigned to any instance in a
particular region and never changes.
 Network Access Control Lists (NACL): It is an optional layer of security for your VPC that acts as
a firewall for controlling traffic in and out of one or more subnets. It adds an additional layer of security
to your VPC.
 Customer Gateway: A VPN connection links your network to your Amazon VPC (virtual private
cloud). A customer gateway is the component on your side of that connection. It can be a physical or
software appliance.
 Network Interface: It is a connection point between private and public networks. If you move a
network interface from one instance to another, network traffic is automatically redirected to the new instance.
 VPC Endpoints: They allow a VPC to connect to other AWS services without using the
internet. They are of two types, interface endpoints and gateway endpoints. They are scaled,
redundant, and highly available VPC components.
 IP addressing: With IP addressing, you assign IPv4 addresses and IPv6 addresses to your VPCs and
subnets.
The below image will give you an architectural view of Amazon VPC:
Benefits Of Using AWS Virtual Private Cloud:
Following are the benefits of using AWS VPC:
 Efficient coordination: A VPC can scale to a vast extent, and users have total control over network
size, including automation resources.
 Protection: A VPC environment is more secure; its resources sit in cloud infrastructure that
uses firewalls to protect the system from internet attacks.
 Enhanced performance: VPCs enable a hybrid cloud environment in which an organization uses a
VPC as an extension of its database instead of having to deal with the complexity of
building an on-premises private cloud.
 Low Cost: VPCs sit within a public cloud, so the cost is quite economical.
 Easy to use: An AWS VPC can be created easily in the AWS Management Console in two ways: first
by creating it manually, and second through the Start VPC Wizard.
 Variety of Connectivity Options: An AWS VPC can be connected to a variety of resources, such as the
internet, VPCs in other accounts, VPN connections, etc.

3.5 Default VPC Overview


When you start using Amazon VPC, you have a default VPC in each AWS Region. A default VPC comes
with a public subnet in each Availability Zone, an internet gateway, and settings to enable DNS resolution.
[The Domain Name System (DNS) maps IP addresses to hosts connected to either the public or private
internet via a process called DNS resolution.] Therefore, you can immediately start launching Amazon EC2
instances into a default VPC. You can also use services such as Elastic Load Balancing, Amazon RDS, and
Amazon EMR in your default VPC.
A default VPC is suitable for getting started quickly and for launching public instances such as a blog or
simple website. You can modify the components of your default VPC as needed.
You can add subnets to your default VPC.
Default VPC components
When AWS creates a default VPC, it does the following to set it up:
 Create a VPC with a size /16 IPv4 CIDR block (172.31.0.0/16). This provides up to 65,536 private
IPv4 addresses.
 Create a size /20 default subnet in each Availability Zone. This provides up to 4,096 addresses per
subnet, a few of which are reserved for our use.
 Create an internet gateway and connect it to your default VPC.
 Add a route to the main route table that points all traffic (0.0.0.0/0) to the internet gateway.
 Create a default security group and associate it with your default VPC.
 Create a default network access control list (ACL) and associate it with your default VPC.
 Associate the default DHCP options set for your AWS account with your default VPC.

Note
Amazon creates the above resources on your behalf. IAM policies do not apply to these actions because
you do not perform these actions. For example, if you have an IAM policy that denies the ability to call
CreateInternetGateway, and then you call CreateDefaultVpc, the internet gateway in the default VPC is still
created.
The following figure illustrates the key components that we set up for a default VPC.

3.6 VPC Overview

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated
from other virtual networks in the AWS Cloud. You can launch AWS resources, such as Amazon EC2
instances, into your VPC.
Your account contains a default VPC for each AWS Region. You can also create additional VPCs.
VPC basics

A VPC spans all of the Availability Zones in a Region. After you create a VPC, you can add one or more
subnets in each Availability Zone.

VPC IP address range

When you create a VPC, you specify its IP addresses as follows:

 IPv4 only – The VPC has an IPv4 CIDR block but does not have an IPv6 CIDR block.
 Dual stack – The VPC has both an IPv4 CIDR block and an IPv6 CIDR block.

VPC diagram

The following diagram shows an example VPC. The VPC has one subnet in each of
the Availability Zones in the Region, EC2 instances in each subnet, and an internet
gateway to allow communication between the resources in your VPC and the internet.

VPC resources

Each VPC automatically comes with the following resources:


 Default DHCP option set: Today, IP addresses are assigned dynamically by DHCP servers using
the Dynamic Host Configuration Protocol (DHCP). A DHCP option set is a group of network
configurations used by EC2 instances in your VPC to communicate over your virtual network.
 Default network ACL: A network access control list (ACL) is made up of rules that either allow
access to a computer environment or deny it.
 Default security group: The default VPCs and any VPCs that you create come with a default
security group. The name of the default security group is "default".
 Main route table: The route table that automatically comes with your VPC. It controls the routing
for all subnets that are not explicitly associated with any other route table.

3.7 Lab VPC - To create a VPC with no additional VPC resources using the console
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. On the VPC dashboard, choose Create VPC.
3. For Resources to create, choose VPC only.
4. (Optional) For Name tag, enter a name for your VPC. Doing so creates a tag with a key of Name and
the value that you specify.
5. For IPv4 CIDR block, do one of the following:
 Choose IPv4 CIDR manual input and enter an IPv4 address range for your VPC.
 Choose IPAM-allocated IPv4 CIDR block, select your Amazon VPC IP Address Manager (IPAM)
IPv4 address pool and a netmask. The size of the CIDR block is limited by the allocation rules on the
IPAM pool. IPAM is a VPC feature that makes it easier for you to plan, track, and monitor IP addresses
for your AWS workloads. For more information, see What is IPAM? in the Amazon VPC IPAM User
Guide.
If you are using IPAM to manage your IP addresses, we recommend that you choose this option.
Otherwise, the CIDR block that you specify for your VPC might overlap with an IPAM CIDR allocation.
6. Choose Create VPC.
7. After you create a VPC, you can add subnets. For more information, see Create a subnet.

3.7 Lab Subnet – To create Subnet


To add a subnet to your VPC
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Subnets.
3. Choose Create subnet.
4. For VPC ID: Choose the VPC for the subnet.
5. (Optional) For Subnet name, enter a name for your subnet. Doing so creates a tag
with a key of Name and the value that you specify.
6. For Availability Zone, you can choose a Zone for your subnet, or leave the
default No Preference to let AWS choose one for you.
7. If the subnet should be an IPv6-only subnet, choose IPv6-only. This option is only
available if the VPC has an associated IPv6 CIDR block. If you choose this option, you
can't associate an IPv4 CIDR block with the subnet.
8. For IPv4 CIDR block, enter an IPv4 CIDR block for your subnet. For
example, 10.0.1.0/24. If you chose IPv6-only, this option is unavailable.
9. For IPv6 CIDR block, choose Custom IPv6 CIDR and specify the hexadecimal pair
value (for example, 00). This option is available only if the VPC has an associated IPv6
CIDR block.
10. Choose Create subnet.
3.8 Internet Gateways & Route Tables

An internet gateway is a service that allows for internet traffic to actually enter into a VPC. An Internet
Gateway is a logical connection between an AWS VPC and the Internet. It is not a physical device. Each
VPC has only one Internet Gateway. If a VPC doesn’t have an Internet Gateway, then the resources cannot
be accessed from the Internet. Conversely, resources within your VPC need an Internet Gateway to access
the Internet.

In order to allow internet traffic to our VPC, we can use an Internet Gateway.

Router and Route Tables

Routing is a big part of networking. In AWS, it's very easy to set up. Every VPC has an implied router;
you don't need to create it, it's already there. It routes the traffic within the VPC, and we also have route
tables that contain routing entries. Think of a road and road-signs analogy: the router is the road and the
road-signs are the route table entries.
A route table specifies how packets are forwarded between subnets within your VPC, the internet, and
your VPN connection.
A route table contains a set of rules called routes which determine where traffic has to be directed. You
can create as many route tables in a VPC as you want. Route tables act at the subnet level, not the VPC
level. A route table can be associated with one or several subnets. By default, all route tables in a VPC have
a local route for communication within the VPC. You can add custom routes in a route table by creating a
new route defining which traffic (IP destination) must go where (target).

3.9 Lab - Internet Gateways & Route Tables


Create an Internet Gateway
First things first, let's create an internet gateway. You can create an internet gateway by navigating to VPC
and creating it via the AWS web console:
That's all it takes: provide it a name and the internet gateway is created.
So, we created an internet gateway, but it's just sitting there by itself. It's not doing anything yet.
Remember, an internet gateway is used to allow internet traffic into a VPC, so it needs to be associated with
a VPC.
Select Internet Gateway Resource --> Click on Actions --> Attach VPC
(select VPC created earlier)

Here is the attached internet gateway:

This will allow traffic to enter the VPC, but we can lock it down. That’s where Security Groups are going
to come into play (we will talk about those a little bit later).

Create a Custom Route Table


From the VPC page, select the Route Tables item and Click Create Route Table. We need to provide
a name for the route table and select our VPC as shown below:
Next, we will add a route for the internet gateway to this custom route table.
Add Route for Internet Gateway to A Custom Route Table
Select the route table, and edit the routes as shown below:

Notice that the first entry (10.0.0.0/16) is for VPC local traffic and we added a catch-all route (0.0.0.0/0) and
set its target to our Internet Gateway, which we created earlier.
Associate Custom Route Table to Public Subnet (for Internet)
Our custom route table now has a route with Internet Gateway. Next, we will associate it with the public
subnet.
VPC –> Subnets –> Select Public Subnet –> RouteTables –> Edit Route Tables Association
The following screenshot shows the association of the route table with the public subnet.
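The two route tables from this lab, modelled as an added example (not code from the original document): the main table carries only the local route, the custom table adds the catch-all 0.0.0.0/0 route to the internet gateway, and a lookup picks the most specific matching route the way the VPC router does. The table contents, subnet names and the igw-EXAMPLE id are constructed.

```python
import ipaddress

VPC_CIDR = "10.0.0.0/16"

# Constructed route tables. "main" is what every subnet starts with (local route
# only); "custom-public" is the table built in this lab, with the catch-all
# 0.0.0.0/0 route pointing at the internet gateway. igw-EXAMPLE is a placeholder.
ROUTE_TABLES = {
    "main": [
        {"destination": VPC_CIDR, "target": "local"},
    ],
    "custom-public": [
        {"destination": VPC_CIDR, "target": "local"},
        {"destination": "0.0.0.0/0", "target": "igw-EXAMPLE"},
    ],
}

# Constructed subnet -> route table associations: the lab associates the custom
# table with the public subnet, while the private subnet keeps the main table.
SUBNET_ASSOCIATION = {
    "public-subnet": "custom-public",
    "private-subnet": "main",
}


def lookup_route(table_name: str, dst_ip: str):
    """Pick the route for dst_ip the way the VPC router does: the most specific
    (longest prefix) matching destination wins, so the /16 local route beats
    0.0.0.0/0 for addresses inside the VPC. Returns None when nothing matches,
    which means the packet has nowhere to go and is dropped."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for route in ROUTE_TABLES[table_name]:
        net = ipaddress.ip_network(route["destination"])
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route["target"])
    return best[1] if best else None


def next_hop(subnet: str, dst_ip: str):
    """Route a packet leaving the given subnet through its associated table."""
    return lookup_route(SUBNET_ASSOCIATION[subnet], dst_ip)


def has_internet_route(subnet: str) -> bool:
    """A subnet is 'public' only if its route table sends 0.0.0.0/0 to an
    internet gateway; a local-only table leaves it private."""
    table = ROUTE_TABLES[SUBNET_ASSOCIATION[subnet]]
    return any(r["destination"] == "0.0.0.0/0" and r["target"].startswith("igw-")
               for r in table)


if __name__ == "__main__":
    for subnet in SUBNET_ASSOCIATION:
        for dst in ("10.0.1.20", "203.0.113.7"):
            print(subnet, "->", dst, "via", next_hop(subnet, dst))
        print(subnet, "has internet route:", has_internet_route(subnet))
```

An instance in the public subnet still needs a public (or Elastic) IP to be reachable from the internet; the route only gives its traffic a path to the gateway.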

3.10 Bastion Hosts


What is a Bastion Host?
o A Bastion Host is a special-purpose computer on a network, designed and configured to withstand
attacks.
o The computer hosts a single application, for example a proxy server, and all other services are
removed to reduce the threat to the computer.
o A Bastion host is hardened because of its location and purpose: it sits on the outside of a
firewall or in a demilitarized zone, i.e., a public subnet, and it is usually accessed from untrusted networks or
computers.
Architecture of Bastion Host

In the above architecture, we have a public and a private subnet. The NAT instance sits behind the security
group, while the NAT Gateway sits outside the security group, because a NAT instance is configured with a security
group whereas a NAT Gateway does not require any security group and is also redundant. When an instance in
a private subnet wants to access the internet, it does so either through the NAT instance or the NAT Gateway. Now, if
we want to administer the environment, what typically happens? We use SSH or RDP, where SSH is for
Linux and RDP is for Windows. The connection goes through the internet gateway, router, route table, network ACL,
security group, and finally to the Bastion server. The Bastion server then creates a connection to a private EC2
instance through SSH or RDP. We need to harden the Bastion host as strongly as possible; then we do not
have to worry about hardening our instances, as long as the Bastion host is hardened. Hardening a Bastion host
reduces the surface area that we need to harden.

Some Key Points related to Bastion Host


o A Bastion Host is launched in a public subnet and acts as a proxy to the instances in a private subnet.
o It provides security by reducing the attacks on your infrastructure.
o A Bastion host is used to administer EC2 instances securely using SSH or RDP. Bastion hosts are
also known as jump boxes in Australia.
o You cannot use a NAT Gateway as a Bastion host. If you want to SSH or RDP to an instance in a private
subnet, you need to configure a Bastion host; a NAT Gateway cannot serve this purpose.
3.11 Lab - Bastion Hosts
Creating a Bastion Host in AWS
1. In the AWS Management Console, under Compute, select EC2.
2. Under Instances section in the navigation pane, select the Instances menu item. The Instances window
appears.
3. Click Launch Instance. The Choose an Amazon Machine Image window appears.

4. Select the desired Amazon Linux AMI image and click Select. The Choose an Instance Type window
appears.
5. Check the t2.micro entry and click Next: Configure Instance Details. The Configure Instance
Details window appears.
6. In the Number of instances field, type 1
7. From the Network drop down list, select the VPC with the database you wish to scan.
8. Set Auto-assign Public IP to Enable.

9. Click Next: Add Storage. The Storage window appears.


10. Click Next: Add Tags. The Tags window appears.
11. Under Key, add a tag with a Name and under Value, type Scuba Bastion
12. Click Next: Configure Security Group. The Configure Security Group window appears.
13. Under Assign a security group, select Create a new security group.
14. Type a Security group name. You can also type a Description. to provide additional information about
what the security group does, e.g. Used by Scuba
15. Set one inbound rule as follows:
o Under Type, select SSH.
o Under Source, it is recommended that you select My IP and verify that your public IP is
entered as the source. This means that the new security group is accessed by this IP address only.
16. Click Review and Launch. The Review Instance Launch window appears.
17. Review the data and click Launch. The Select an existing key pair or create a new key pair dialog
box appears.

18. You can either choose an existing key pair or create a new key pair.
To create a new key pair:
a. Select Create new key pair.
b. Select a Key pair type.
c. Type a Key pair name and make a note of it.
d. Click Download Key Pair.
The file is downloaded to your browser.
Click Launch Instances. The Launch Status window appears while the instance is launched.
Click View Instances. The Instances window appears and the new instance is located there.
Click the Instance ID to see the details. Make a note of the Public IPv4 address.
If you want to find this instance later:
a. In the AWS Management Console, under Compute, select EC2.
b. Under Instances, find the new instance by typing the Tag name you gave, e.g. Scuba Bastion in the
search box. Make a note of its Public IPv4 address.
Verify that you have the PEM file, which is needed by Scuba.

3.12 NAT Instances


A NAT instance provides network address translation (NAT). AWS offers two kinds of NAT devices:
a NAT gateway and a NAT instance. AWS recommends using NAT gateways, since they
provide high availability, do not require a security group, and offer better bandwidth in comparison to
a NAT instance.

You can use a NAT instance to allow resources in a private subnet to communicate with destinations
outside the virtual private cloud (VPC), such as the internet or an on-premises network. The resources in the
private subnet can initiate outbound IPv4 traffic to the internet, but they can't receive inbound traffic
initiated on the internet.

3.13 Lab - NAT Instances

Let's first start with NAT instance and how to create them.

Sign in to the AWS Management Console.


Click on the EC2 service.

Launch an instance.
Move to the community AMIs appearing on the left side of the console.

Type nat in the search box; all the NAT instance AMIs are then listed. Select the first NAT instance.

Choose an Instance type and then click on the Next.

Now, configure the instance details. Leave all the details as default except that keep the VPC as custom
VPC and choose the public subnet.
Add tags.

Click the Review and Launch button. On clicking on the Review and Launch button, a dialog box appears.
Click on the Next button to create an instance.

In this way, a NAT instance is created.

3.14 NAT Gateways

NAT Gateway, also known as Network Address Translation Gateway, is used to enable instances present
in a private subnet to connect to the internet or to AWS services. In addition, the gateway makes
sure that the internet doesn't initiate a connection with the instances. The NAT Gateway service is fully
managed by Amazon and doesn't require any effort from the administrator. They don't support
IPv4 traffic.

A NAT device forwards the traffic from instances present in the private subnet to the
internet/AWS services, and sends the response from the server back to the instance. When the traffic
moves to the internet, the instance's IPv4 address gets replaced with the NAT device's address. Once the response is
obtained, it has to be sent to the instance, so the NAT device translates the address back to the
instance's IPv4 address and delivers it to that address.

3.15 How to create NAT Gateway


o Click on the NAT Gateway appearing on the left side of the console.

o Click on the Create NAT Gateway button

3.16 NACL & Security Groups

What is a Security Group?

It adds a security layer to EC2 instances that control both inbound and outbound traffic at the instance
level.
What is NACL?
NACL refers to Network Access Control List, which provides a layer of security to the Amazon Web
Services stack. A NACL provides a firewall by securing the VPCs and subnets. It is an optional layer for a VPC,
which adds another security layer to the Amazon service.

Components of NACL
Following are the components of a Network Access Control List (NACL):
 Rule number: Every rule is assigned a unique number. The rule's priority is also based on the
number it is assigned.
 Type: The type of traffic, such as SSH, HTTP, or HTTPS.
 Protocol: The protocol applied to every request, e.g. HTTP, HTTPS, ICMP, SSH.
 Port range: The listening port that takes in the request from the user; for example, HTTP is associated
with port 80.
 Inbound rules: Also known as source. These rules describe the source the request or
traffic is coming from, and the destination port (the port through which the response is sent).
 Outbound rules: Also known as destination. These rules describe where the response should be
sent and the destination port.
 Allow/Deny: Whether the specific traffic is to be allowed or denied.
There are two types of NACL:
1. Customized NACL: It can also be understood as a user-defined NACL, and its inherent
characteristic is to deny any incoming and outgoing traffic until a rule is added to handle the traffic.
2. Default NACL: This is the opposite of customized NACL, which allows all the traffic to flow in and
out of the network. It also comes with a specific rule which is associated with a rule number, and it
can’t be modified or deleted. When the request doesn’t match with its associated rule, the access to it
is denied.
3.16 Lab - NACL & Security Groups

Security groups and NACL both act as virtual firewalls which control the traffic from Inbound and
Outbound.
Security Group:
Security groups are virtual shields or protectors of EC2 instances. By default, all inbound traffic is
blocked unless specifically allowed, whereas all outbound traffic is allowed from the instance.
We can edit inbound and outbound rules after creating the security group. Here is an example of the default
outbound rules, which allow all traffic for all protocols.
A security group is a virtual firewall for your EC2 instances that controls incoming and outgoing traffic.
Security Group -Outbound
Here, we are adding inbound rules for protocol SSH with the default port of 22 for our current IP
address here.

Security Group -Inbound


 In the security groups, we cannot block a specific IP address because it doesn’t have any DENY rule
just like ALLOW rule. To achieve this we can make use of NACL.

Limits of Security Groups :


1. For a specific security group, the maximum number of inbound and outbound rules is 60.
2. For any region the default limit of security groups is 2,500, and it can be extended to a maximum of 10,000;
for any further extension we have to raise a service request.

Network Access Control List(NACL):


A Network Access Control List is also a virtual firewall, for subnets: it controls the inbound and
outbound traffic of subnets. After a VPC is created, a default NACL is associated with it that allows all
inbound and outbound traffic.
Just like security groups, a NACL contains a set of inbound and outbound rules that can either
allow or deny traffic into or out of subnets. Since there is an option to allow or deny traffic, the order of the
rules becomes important, so AWS uses the concept of a rule number.
NACL- Inbound

NACL- Outbound

Limit of NACL :
1. A single NACL can have a maximum of 20 rules.

Difference between Security Group Vs NACL:

The table below lists the key differences between Security Groups and NACL:

| Security Groups | NACL |
|---|---|
| Firewall or protection of instances. | Firewall or protection of the subnet. |
| Security groups are stateful, which means any change applied to an incoming rule is also applied to the outgoing rule. | These are stateless. |
| It is the first layer of defense or protection. | This is the second layer of defense and an additional layer of protection. |
| All the rules are applied to an instance. | In the case of NACL, the rules are applied in the order of their priority, where the priority is indicated by the rule number assigned. |
| All the rules are evaluated before they allow traffic. | Rules are evaluated based on their priority. |

Let us consider the following use case:

When a website needs to be accessed, the request from the user has to reach the right port, and the website
has to access the database, extract the appropriate data and return a response to the user.
A VPC comes with a built-in default NACL, which applies to IPv4 traffic. A custom NACL can be
created and associated with a subnet. The default behaviour of a custom NACL is to deny all incoming and
outgoing IPv4 traffic, so rules have to be specified for it to behave in a particular way when it receives a
request.
Multiple subnets can be associated with a single NACL, but a subnet can be associated with only one NACL
at a time.
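As an added example (not part of the course material), the following Python simulates how a security group and a NACL decide on the same inbound packet: the security group evaluates every allow rule, while the NACL walks its rules in rule-number order and stops at the first match, falling back to the implicit deny. The rule sets, packets and address ranges are constructed samples.

```python
"""Constructed simulation of security-group versus NACL rule evaluation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAX_NACL_RULES = 20  # quota for rules in a single NACL, as stated in the course notes


@dataclass(frozen=True)
class Packet:
    src: str        # source IPv4 address
    port: int       # destination port
    protocol: str   # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    number: int     # NACL rule number (unused for security groups)
    protocol: str   # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str     # "allow" or "deny" (security groups only ever contain "allow")

    def matches(self, pkt: Packet) -> bool:
        proto_ok = self.protocol in ("all", pkt.protocol)
        port_ok = self.port_from <= pkt.port <= self.port_to
        cidr_ok = ip_address(pkt.src) in ip_network(self.cidr)
        return proto_ok and port_ok and cidr_ok


def security_group_allows(rules, pkt):
    """Every security group rule is evaluated; the packet is allowed if any
    rule matches and implicitly denied otherwise (there are no deny rules)."""
    return any(r.matches(pkt) for r in rules)


def nacl_allows(rules, pkt):
    """NACL rules are evaluated in ascending rule-number order and the first
    matching rule decides; if no rule matches, the catch-all '*' rule denies."""
    if len(rules) > MAX_NACL_RULES:
        raise ValueError(f"a NACL may hold at most {MAX_NACL_RULES} rules")
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(pkt):
            return r.action == "allow"
    return False  # the implicit '*' deny rule


# Constructed inbound NACL for a web subnet: HTTPS from anywhere, SSH only from
# an admin range (203.0.113.0/24 is a documentation range, not a real network).
NACL_INBOUND = [
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 22, 22, "203.0.113.0/24", "allow"),
    Rule(120, "tcp", 22, 22, "0.0.0.0/0", "deny"),
]

# The same intent, but the deny rule was given a lower number than the allow:
# the admin allow rule is never reached for SSH, which is why rule order matters.
NACL_INBOUND_MISORDERED = [
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(105, "tcp", 22, 22, "0.0.0.0/0", "deny"),
    Rule(110, "tcp", 22, 22, "203.0.113.0/24", "allow"),
]

# Equivalent security group: only allow rules, order is irrelevant.
SG_INBOUND = [
    Rule(0, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(0, "tcp", 22, 22, "203.0.113.0/24", "allow"),
]

if __name__ == "__main__":
    admin_ssh = Packet("203.0.113.7", 22, "tcp")
    stranger_ssh = Packet("198.51.100.9", 22, "tcp")
    print("admin SSH, NACL:", nacl_allows(NACL_INBOUND, admin_ssh))
    print("admin SSH, misordered NACL:", nacl_allows(NACL_INBOUND_MISORDERED, admin_ssh))
    print("stranger SSH, NACL:", nacl_allows(NACL_INBOUND, stranger_ssh))
    print("stranger SSH, security group:", security_group_allows(SG_INBOUND, stranger_ssh))
```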
Conclusion
We saw how a NACL can be used to secure Amazon services.
3.17 VPC Reachability Analyzer
Reachability Analyzer is a configuration analysis tool that enables you to perform connectivity testing
between a source resource and a destination resource in your virtual private clouds (VPCs). When the
destination is reachable, Reachability Analyzer produces hop-by-hop details of the virtual network path
between the source and the destination. When the destination is not reachable, Reachability Analyzer
identifies the blocking component. For example, paths can be blocked by configuration issues in a security
group, network ACL, route table, or load balancer.
You can use Reachability Analyzer to do the following:
• Troubleshoot connectivity issues caused by network misconfiguration.
• Verify that your network configuration matches your intended connectivity.
• Automate the verification of your connectivity intent as your network configuration changes.

3.18 Lab - VPC Reachability Analyzer

You can use Reachability Analyzer to determine whether a destination resource in
your virtual private cloud (VPC) is reachable from a source resource. To get started,
you specify a source and a destination. For example, you can run a reachability
analysis between two network interfaces or between a network interface and a
gateway. If there is a reachable path between the source and destination,
Reachability Analyzer displays the details. Otherwise, Reachability Analyzer identifies
the blocking component.

Tasks
• Step 1: Create and analyze a path
• Step 2: View the results of the path analysis
• Step 3: Change the network configuration and analyze the path
• Step 4: Delete the path

Step 1: Create and analyze a path

Specify the path for the traffic from a source to a destination. After you create the
path, Reachability Analyzer analyzes the path once. You can analyze a path at any
time to determine whether your intended connectivity is supported, even as your
network configuration changes.

To create a path
1. Open the Network Manager console
at https://console.aws.amazon.com/networkmanager/home.
2. In the navigation pane, choose Reachability Analyzer.
3. Choose Create and analyze path.
4. (Optional) For Name tag, enter a descriptive name for the analysis.
5. To specify the source resource, choose the resource type from Source type, and
then choose the specific resource from Source.
6. To specify the destination resource, choose the resource type from Destination
type, and then choose the specific resource from Destination.
7. For Protocol, choose TCP or UDP.
8. (Optional) To add a tag, choose Add new tag and then enter the tag key and tag
value.
9. Choose Create and analyze path.

Step 2: View the results of the path analysis

After the path analysis completes, you can view the result of the analysis.
To view the results of the path analysis
1. Choose the ID of the path in the Path ID column to view the path details page.
2. In the Analysis explorer panel, find Reachability status and check whether it
is Reachable or Not reachable. If the path is reachable, the console displays the
shortest route found between the source and destination. Otherwise,
expand Explanations, Details for information about the blocking component.
3. If the reachability status matches your intent, there is no further action required.
Consider running the analysis again if you change your network configuration so that
you can ensure that the reachability status still matches your intent. Otherwise,
proceed to Step 3.

Step 3: Change the network configuration and analyze the path

If the reachability status does not match your intent, you can change your network
configuration. Then you can analyze the path again to confirm that the reachability
status matches your intent.

To restore connectivity for a path that is not reachable
1. The Analysis explorer panel includes an explanation code and detailed
information about the component or combination of components that is blocking the
path (under Explanations, Details). For example, in the following explanation, a
security group is missing a required inbound rule.
2. Update the configuration of the component so that the desired traffic can traverse
the component.
3. Choose Analyze path to confirm that the path is now reachable. You can
optionally specify the Amazon Resource Name (ARN) of a resource that the path must
traverse.
To remove connectivity for a reachable path
1. The Analysis explorer panel includes a visual representation of the shortest route
found between the source and destination. It includes all components between the
source and destination. For example, the following diagram shows the components
that traffic traverses from the source internet gateway to the destination EC2
instance.

2. Identify the component that is overly permissive and update its configuration.
3. Choose Analyze path to confirm that the path is no longer reachable.

Step 4: Delete the path

If you no longer need the path, you can delete it. When you delete a path, you also
delete all its analyses. If you keep the path, note that Reachability Analyzer will
automatically delete the analysis 120 days after its creation date.

To delete the path

1. Open the Network Manager console
at https://console.aws.amazon.com/networkmanager/home.
2. In the navigation pane, choose Reachability Analyzer.
3. Select the path.
4. Choose Actions, Delete path.
5. When prompted for confirmation, choose Delete path.

3.19 VPC Peering

A VPC peering connection is a networking connection between two VPCs that
enables you to route traffic between them using private IPv4 addresses or IPv6
addresses. Instances in either VPC can communicate with each other as if they are
within the same network. You can create a VPC peering connection between your own
VPCs, or with a VPC in another AWS account. The VPCs can be in different Regions
(also known as an inter-Region VPC peering connection).

AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it
is neither a gateway nor a VPN connection, and does not rely on a separate piece of
physical hardware. There is no single point of failure for communication or a
bandwidth bottleneck.

A VPC peering connection helps you to facilitate the transfer of data. For example, if
you have more than one AWS account, you can peer the VPCs across those accounts
to create a file sharing network. You can also use a VPC peering connection to allow
other VPCs to access resources you have in one of your VPCs.

When you establish peering relationships between VPCs across different AWS
Regions, resources in the VPCs (for example, EC2 instances and Lambda functions) in
different AWS Regions can communicate with each other using private IP addresses,
without using a gateway, VPN connection, or network appliance.

3.20. Lab - VPC Peering [Create a VPC peering connection]

To create a VPC peering connection, first create a request to peer with another VPC.
You can request a VPC peering connection with another VPC in your account, or with a
VPC in a different AWS account. For an inter-Region VPC peering connection where the
VPCs are in different Regions, the request must be made from the Region of the
requester VPC.

To activate the request, the owner of the accepter VPC must accept the request. For
an inter-Region VPC peering connection, the request must be accepted in the Region
of the accepter VPC.
Prerequisites
• Review the limitations and rules for VPC peering connections.
• Ensure that your VPCs do not have overlapping IPv4 CIDR blocks. If they overlap,
the status of the VPC peering connection immediately goes to failed. This limitation
applies even if the VPCs have unique IPv6 CIDR blocks.
a. Create with VPCs in the same account and Region
To create a VPC peering connection with VPCs in the same account and Region
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Peering connections.
3. Choose Create peering connection.
4. Configure the following information, and choose Create peering
connection when you are done:
• Name: You can optionally name your VPC peering connection.
• VPC ID (Requester): Select the VPC in your account with which you want to
create the VPC peering connection.
• For Select another VPC to peer with, choose My account and select
another of your VPCs.
• (Optional) To add a tag, choose Add new tag and enter the tag key and value.
5. Choose Actions, Accept request.
6. When prompted for confirmation, choose Accept request.
7. Choose Modify my route tables now to add a route to the VPC route table so
that you can send and receive traffic across the peering connection.

b. Create with VPCs in the same account and different Regions

To create a VPC peering connection with VPCs in the same account and different Regions
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Peering connections.
3. Choose Create peering connection.
4. Configure the following information, and choose Create peering connection when you are done:
• Name: You can optionally name your VPC peering connection. Doing so creates a tag with a key
of Name and the value that you specify.
• VPC ID (Requester): Select the requester VPC in your account with which to request the VPC
peering connection.
• Account: Choose My account.
• Region: Choose Another region and select the Region of the accepter VPC.
• VPC ID (Accepter): Select the accepter VPC.
5. In the Region selector, select the Region of the accepter VPC.
6. In the navigation pane, choose Peering connections. Select the VPC peering connection that you
created, and choose Actions, Accept request.
7. When prompted for confirmation, choose Accept request.
8. Choose Modify my route tables now to add a route to the VPC route table so that you can send and
receive traffic across the peering connection.

c. Create with VPCs in different accounts and the same Region

To request a VPC peering connection with VPCs in different accounts and the same Region
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Peering connections.
3. Choose Create peering connection.
4. Configure the information as follows, and choose Create peering connection when you are done:
• Name: You can optionally name your VPC peering connection. Doing so creates a tag with a key
of Name and a value that you specify. This tag is only visible to you; the owner of the peer VPC can
create their own tags for the VPC peering connection.
• VPC ID (Requester): Select the VPC in your account with which to create the VPC peering
connection.
• Account: Choose Another account.
• Account ID: Enter the ID of the AWS account that owns the accepter VPC.
• VPC ID (Accepter): Enter the ID of the VPC with which to create the VPC peering connection.

d. Create with VPCs in different accounts and Regions

To request a VPC peering connection with VPCs in different accounts and Regions
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Peering connections.
3. Choose Create peering connection.
4. Configure the information as follows, and choose Create peering connection when you are done:
• Name: You can optionally name your VPC peering connection. Doing so creates a tag with a
key of Name and a value that you specify. This tag is only visible to you; the owner of the peer VPC can
create their own tags for the VPC peering connection.
• VPC ID (Requester): Select the VPC in your account with which to create the VPC peering
connection.
• Account: Choose Another account.
• Account ID: Enter the ID of the AWS account that owns the accepter VPC.
• Region: Choose Another region and select the Region in which the accepter VPC resides.
• VPC ID (Accepter): Enter the ID of the VPC with which to create the VPC peering connection.

e.Create a VPC peering connection using the command line

You can create a VPC peering connection using the following commands:

• create-vpc-peering-connection (AWS CLI)
• New-EC2VpcPeeringConnection (AWS Tools for Windows PowerShell)
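The following Python is an added pre-flight check for the lab above, not code from the course or from AWS: it verifies the prerequisite that the two VPCs' IPv4 CIDR blocks (including any secondary blocks) do not overlap, and derives the routes each side has to add in the "Modify my route tables now" step. The peering connection ID and CIDR blocks are constructed sample values.

```python
"""Constructed pre-flight check for a VPC peering request."""
from ipaddress import IPv4Network


def overlapping_cidrs(requester_cidrs, accepter_cidrs):
    """Return every (requester, accepter) pair of IPv4 CIDR blocks that overlaps.
    Every block of one VPC is compared with every block of the other, so
    secondary CIDR blocks are covered as well."""
    pairs = []
    for a in requester_cidrs:
        for b in accepter_cidrs:
            if IPv4Network(a).overlaps(IPv4Network(b)):
                pairs.append((a, b))
    return pairs


def plan_peering(pcx_id, requester_cidrs, accepter_cidrs):
    """Raise ValueError when the IPv4 blocks overlap (the request would go
    straight to 'failed', and unique IPv6 blocks do not change that); otherwise
    return the routes each side must add, with the peering connection as target:
    each VPC needs one route per CIDR block of the *other* VPC."""
    clashes = overlapping_cidrs(requester_cidrs, accepter_cidrs)
    if clashes:
        detail = ", ".join(f"{a} overlaps {b}" for a, b in clashes)
        raise ValueError(f"peering request would fail: {detail}")
    return {
        "requester": [(cidr, pcx_id) for cidr in accepter_cidrs],
        "accepter": [(cidr, pcx_id) for cidr in requester_cidrs],
    }


if __name__ == "__main__":
    # "pcx-EXAMPLE" is a placeholder, not a real peering connection ID.
    routes = plan_peering("pcx-EXAMPLE", ["10.0.0.0/16"], ["10.1.0.0/16", "172.16.0.0/20"])
    for side, entries in routes.items():
        for destination, target in entries:
            print(f"{side:9s} route table: {destination} -> {target}")
    try:
        plan_peering("pcx-EXAMPLE", ["10.0.0.0/16"], ["10.0.128.0/24"])
    except ValueError as exc:
        print(exc)
```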

3.21 VPC Endpoints

o A VPC endpoint allows you to privately connect your VPC to supported AWS services
and VPC endpoint services powered by PrivateLink without requiring an internet
gateway, NAT device, VPN Connection, or AWS Direct Connect connection.
o Instances in your VPC do not require public addresses to communicate with the
resources in the service. Traffic between your VPC and the other service does not leave
the Amazon network.
o VPC endpoints are virtual devices.
o VPC Endpoints are horizontally scaled, redundant and highly available VPC components
that allow communication between instances in your VPC and services without
imposing availability risks or bandwidth constraints on your network traffic.

Types of VPC Endpoints

o Interface Endpoints
o Gateway Endpoints

Interface Endpoints

o Interface Endpoint is an Elastic Network Interface with a private IP address which will
act as an entry point for the traffic destined to a particular service.
o An interface endpoint supports services such as Amazon CloudWatch, Amazon SNS,
etc.

Gateway Endpoints

o A gateway endpoint is a gateway that you specify as the target of a specific route in your route
table.
o It can be used to route the traffic to a destined service.
o Amazon S3 and DynamoDB are the only services which are supported by Gateway
Endpoints.

3.22. Lab - VPC Endpoints

How to create a VPC Endpoint

o Sign in to the AWS Management Console.
o We have already created a custom VPC whose name is javatpointvpc.
o Click on the VPC Endpoint appearing on the left side of the console.
o Click on the Create Endpoint.

o Fill in the following details to create a VPC endpoint:

Where,

Service category: Select AWS services, since the endpoint will be used for an AWS service.
Service name: Select the service that you want to use. Here the Amazon S3 service is chosen.

VPC: Select the VPC that you have created. Since javatpointvpc was created earlier, choose
javatpointvpc from the VPC drop-down menu.

Configure route tables: Choose the main route table that was created in javatpointvpc.

o The below screen shows that the VPC Endpoint has been created.

3.23 VPC Flow Logs

Amazon VPC Flow Logs is a feature that enables you to capture and log the information about the
network traffic going to and from the designated network interfaces within your VPC. It can be used as a
centralized, single source of information to monitor different network aspects of your VPC.
Kinds of VPC Flow Logs
It is important to understand what is monitored and how the logs compile the data. Amazon Web
Services (AWS) offers flow logging at three separate levels:
• Virtual Private Cloud (VPC): Flow logs can be enabled for a particular VPC and then monitor all the
activity within that VPC.
• Subnet: VPCs are often divided into subnets spanning multiple Availability Zones in a Region.
A subnet is a range of IP addresses in your VPC; it can be private or public. Flow logs can be
created for a specific subnet to monitor all the activity within that subnet.
• Elastic Network Interface (ENI): ENIs are virtual network cards that you can attach to your EC2
instances; they provide network connectivity for your instances. Flow logs can be captured for an
individual interface to stay ahead of issues such as latency and malicious activity.
3.24 Lab - VPC Flow Logs
VPC FlowLogs can be created at three levels:
o VPC
o Subnet
o Network Interface Level
How to create a VPC flow log
o Sign in to the AWS Management Console.
o Move to the VPC service; the screen below shows that the VPC named javatpointvpc has already
been created.
o Click on the custom VPC, open the Actions drop-down menu, and click Create flow log.

o Fill in the following details to create a flow log.

Where,
Filter: Determines the type of traffic to be logged. There are three filters: All, Accept and Reject.
'All' logs both accepted and rejected traffic, 'Accept' logs only accepted traffic, and 'Reject' logs
only rejected traffic.
Destination: Determines where the flow log data is delivered. Two destinations are available: Send
to CloudWatch Logs and Send to an S3 bucket. Here "Send to CloudWatch Logs" is chosen as the
destination.
Destination log group: The name of the CloudWatch Logs log group that receives the data. The log
group has not been created yet, so first create it in CloudWatch and then enter its name here.
o Click on CloudWatch.
o Click on Logs on the left side of the console.
o Click on the "Let's get started" button.
o Click on the Create log group button.
o Enter the log group name.
o The CloudWatch log group is now created. Enter its name in the flow log console.
o The screen above shows "No IAM role selected". To select an IAM role, we first need to create one:
click on Set Up Permissions.
o To create the IAM role, enter the role name and then click on the Allow button.
o After creating the IAM role, select it in the flow log console.
o The screen below shows that the flow log has been created.
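As an added example (not part of the course or of AWS), the following Python parses flow log records in the default version 2 format that the destination above receives and summarises the rejected flows, which is the kind of analysis a flow log created with Filter = Reject is meant to support. The log lines, account ID and interface ID are constructed samples, not captured traffic.

```python
"""Constructed parser and reject summary for VPC flow log records (version 2 format)."""
from collections import Counter

# Field order of the default (version 2) flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample records: one accepted admin SSH session, a burst of rejected
# probes from one source, normal HTTPS traffic, and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.15 51432 22 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.15 41234 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.15 41235 3389 6 2 120 1700000001 1700000061 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.15 41236 445 6 2 120 1700000002 1700000062 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.15 55000 443 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.15 55001 22 6 1 60 1700000003 1700000063 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Turn raw records into dicts; records whose log-status is not OK
    (NODATA, SKIPDATA) describe no flow and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line; skip rather than crash
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for field in INT_FIELDS:
            rec[field] = int(rec[field])
        records.append(rec)
    return records


def rejected_by_source(records):
    """Number of rejected flows per source address."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def rejected_ports_by_source(records, min_ports=3):
    """Sources whose rejected flows touched at least `min_ports` distinct destination
    ports in the window; a simple indicator worth alerting on."""
    ports = {}
    for r in records:
        if r["action"] == "REJECT":
            ports.setdefault(r["srcaddr"], set()).add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(f"{len(recs)} flow records parsed")
    print("rejects per source:", dict(rejected_by_source(recs)))
    print("multi-port rejects:", rejected_ports_by_source(recs))
```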
3.25 Site to Site VPN, Virtual Private Gateway & Customer Gateway
Site to Site VPN:
A site-to-site virtual private network (VPN) refers to a connection set up between multiple networks.
This could be a corporate network where multiple offices work in conjunction with each other or a branch
office network with a central office and multiple branch locations.
Site-to-site VPNs are useful for companies that prioritize private, protected traffic and are particularly
helpful for organizations with more than one office spread out over large geographical locations. These
businesses often have to access resources housed on a primary network, which could include servers that
facilitate email or store data. In some instances, a server may be the operational hub of an application
essential to the company’s business. A site-to-site VPN can, in that case, give all sites full access to the
application—as if it were housed within their physical facility.

Virtual private gateway:

A virtual private gateway is the VPN concentrator on the Amazon side of the Site-to-Site VPN
connection. You create a virtual private gateway and attach it to the VPC from which you want to create the
Site-to-Site VPN connection.

When you create a virtual private gateway, you can specify the private Autonomous System Number
(ASN) for the Amazon side of the gateway. If you don't specify an ASN, the virtual private gateway is
created with the default ASN (64512). You cannot change the ASN after you've created the virtual private
gateway. To check the ASN for your virtual private gateway, view its details in the Virtual Private
Gateways screen in the Amazon VPC console, or use the describe-vpn-gateways AWS CLI command.

Customer Gateway
A customer gateway is a resource that you create in AWS that represents the customer gateway device in
your on-premises network. When you create a customer gateway, you provide information about your
device to AWS. A customer gateway device is a physical device or software application on your side of the
Site-to-Site VPN connection. You configure the device to work with the Site-to-Site VPN connection.
To use Amazon VPC with a Site-to-Site VPN connection, you or your network administrator must also
configure the customer gateway device or application in your remote network.

3.26 Lab - Site to Site VPN, Virtual Private Gateway & Customer Gateway
Getting started with AWS Site-to-Site VPN
Use the following procedure to set up an AWS Site-to-Site VPN connection. During
creation, you will specify a virtual private gateway, a transit gateway, or "Not
associated" as the target gateway type. If you specify "Not associated", you can
choose the target gateway type at a later time, or you can use it as a VPN attachment
for AWS Cloud WAN. This tutorial helps you create a VPN connection using a virtual
private gateway. It assumes that you have an existing VPC with one or more subnets.

To set up a VPN connection using a virtual private gateway, complete the following
steps:

Tasks
• Prerequisites
• Step 1: Create a customer gateway
• Step 2: Create a target gateway
• Step 3: Configure routing
• Step 4: Update your security group
• Step 5: Create a VPN connection
• Step 6: Download the configuration file
• Step 7: Configure the customer gateway device

Prerequisites
You need the following information to set up and configure the components of a VPN connection.

Item: Customer gateway device
Information: The physical or software device on your side of the VPN connection. You need the vendor
(for example, Cisco), platform (for example, ISR Series Routers), and software version (for example,
IOS 12.4).

Item: Customer gateway
Information: To create the customer gateway resource in AWS, you need the following information:
• The internet-routable IP address for the device's external interface
• The type of routing: static or dynamic
• For dynamic routing, the Border Gateway Protocol (BGP) Autonomous System Number (ASN)
• (Optional) Private certificate from AWS Private Certificate Authority to authenticate your VPN

Item: VPN connection
Information: To create the VPN connection, you need the following information:
• For static routing, the IP prefixes for your private network.
• (Optional) Tunnel options for each VPN tunnel.

Step 1: Create a customer gateway

A customer gateway provides information to AWS about your customer gateway device or software
application. For more information, see Customer gateway.
If you plan to use a private certificate to authenticate your VPN, create a private certificate from a
subordinate CA using AWS Private Certificate Authority. For information about creating a private
certificate, see Creating and managing a private CA in the AWS Private Certificate Authority User Guide.

To create a customer gateway using the console

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Customer gateways.
3. Choose Create customer gateway.
4. (Optional) For Name tag, enter a name for your customer gateway. Doing so creates a tag with a key
of Name and the value that you specify.
5. For BGP ASN, enter a Border Gateway Protocol (BGP) Autonomous System Number (ASN) for your
customer gateway.
6. Choose Create customer gateway.

To create a customer gateway using the command line or API
• CreateCustomerGateway (Amazon EC2 Query API)
• create-customer-gateway (AWS CLI)
• New-EC2CustomerGateway (AWS Tools for Windows PowerShell)

Step 2: Create a target gateway
To establish a VPN connection between your VPC and your on-premises network, you must create a target
gateway on the AWS side of the connection. The target gateway can be a virtual private gateway or a transit
gateway.

Create a virtual private gateway

When you create a virtual private gateway, you can specify a custom private Autonomous System Number
(ASN) for the Amazon side of the gateway, or use the Amazon default ASN. This ASN must be different
from the ASN that you specified for the customer gateway.
After you create a virtual private gateway, you must attach it to your VPC.
To create a virtual private gateway and attach it to your VPC
1. In the navigation pane, choose Virtual private gateways.
2. Choose Create virtual private gateway.
3. (Optional) For Name tag, enter a name for your virtual private gateway. Doing so creates a tag with a
key of Name and the value that you specify.
4. For Autonomous System Number (ASN), keep the default selection, Amazon default ASN, to use the
default Amazon ASN. Otherwise, choose Custom ASN and enter a value. For a 16-bit ASN, the value must
be in the 64512 to 65534 range. For a 32-bit ASN, the value must be in the 4200000000 to 4294967294
range.
5. Choose Create virtual private gateway.
6. Select the virtual private gateway you created, then choose Actions, Attach to VPC.
7. For Available VPCs, choose your VPC and then choose Attach to VPC.

To create a virtual private gateway using the command line or API
• CreateVpnGateway (Amazon EC2 Query API)
• create-vpn-gateway (AWS CLI)
• New-EC2VpnGateway (AWS Tools for Windows PowerShell)

To attach a virtual private gateway to a VPC using the command line or API
• AttachVpnGateway (Amazon EC2 Query API)
• attach-vpn-gateway (AWS CLI)
• Add-EC2VpnGateway (AWS Tools for Windows PowerShell)

Create a transit gateway
For more information about creating a transit gateway, see Transit gateways in Amazon VPC Transit
Gateways.

Step 3: Configure routing

To enable instances in your VPC to reach your customer gateway, you must configure your route table to
include the routes used by your VPN connection and point them to your virtual private gateway or transit
gateway.
(Virtual private gateway) Enable route propagation in your route table
You can enable route propagation for your route table to automatically propagate Site-to-Site VPN routes.
For static routing, the static IP prefixes that you specify for your VPN configuration are propagated to the
route table when the status of the VPN connection is UP. Similarly, for dynamic routing, the BGP-
advertised routes from your customer gateway are propagated to the route table when the status of the VPN
connection is UP.
To enable route propagation using the console
1. In the navigation pane, choose Route tables.
2. Select the route table that's associated with the subnet.
3. On the Route propagation tab, choose Edit route propagation. Select the virtual private gateway that
you created in the previous procedure, and then choose Save.

To disable route propagation using the console
1. In the navigation pane, choose Route tables.
2. Select the route table that's associated with the subnet.
3. On the Route propagation tab, choose Edit route propagation. Clear the Propagate check box for the
virtual private gateway.
4. Choose Save.

To enable route propagation using the command line or API
• EnableVgwRoutePropagation (Amazon EC2 Query API)
• enable-vgw-route-propagation (AWS CLI)
• Enable-EC2VgwRoutePropagation (AWS Tools for Windows PowerShell)

To disable route propagation using the command line or API
• DisableVgwRoutePropagation (Amazon EC2 Query API)
• disable-vgw-route-propagation (AWS CLI)
• Disable-EC2VgwRoutePropagation (AWS Tools for Windows PowerShell)

(Transit gateway) Add a route to your route table

If you enabled route table propagation for your transit gateway, the routes for the VPN attachment are
propagated to the transit gateway route table. For more information, see Routing in Amazon VPC Transit
Gateways.
If you attach a VPC to your transit gateway and you want to enable resources in the VPC to reach your
customer gateway, you must add a route to your subnet route table to point to the transit gateway.
To add a route to a VPC route table
1. On the navigation pane, choose Route tables.
2. Choose the route table that is associated with your VPC.
3. On the Routes tab, choose Edit routes.
4. Choose Add route.
5. For Destination, enter the destination IP address range. For Target, choose the transit gateway.
6. Choose Save changes.

Step 4: Update your security group

To allow access to instances in your VPC from your network, you must update your security group rules to
enable inbound SSH, RDP, and ICMP access.
To add rules to your security group to enable access
1. In the navigation pane, choose Security groups.
2. Select the default security group for the VPC.
3. On the Inbound rules tab, choose Edit inbound rules.
4. Add rules that allow inbound SSH, RDP, and ICMP access from your network, and then choose Save
rules. For more information, see Work with security group rules in the Amazon VPC User Guide.

Step 5: Create a VPN connection

Create the VPN connection using the customer gateway in combination with the virtual private gateway or
transit gateway that you created earlier.
To create a VPN connection
1. In the navigation pane, choose Site-to-Site VPN connections.
2. Choose Create VPN connection.
3. (Optional) For Name tag, enter a name for your VPN connection. Doing so creates a tag with a key
of Name and the value that you specify.
4. For Target gateway type, choose either Virtual private gateway or Transit gateway. Then, choose
the virtual private gateway or transit gateway that you created earlier.
5. For Customer gateway, select Existing, then choose the customer gateway that you created earlier
from Customer gateway ID.
6. Select one of the routing options based on whether your customer gateway device supports Border
Gateway Protocol (BGP):
• If your customer gateway device supports BGP, choose Dynamic (requires BGP).
• If your customer gateway device does not support BGP, choose Static. For Static IP
Prefixes, specify each IP prefix for the private network of your VPN connection.
7. If your target gateway type is transit gateway, for Tunnel inside IP version, specify whether the VPN
tunnels support IPv4 or IPv6 traffic. IPv6 traffic is only supported for VPN connections on a transit
gateway.
8. If you specified IPv4 for Tunnel inside IP version, you can optionally specify the IPv4 CIDR ranges
for the customer gateway and AWS sides that are allowed to communicate over the VPN tunnels. The
default is 0.0.0.0/0.
If you specified IPv6 for Tunnel inside IP version, you can optionally specify the IPv6 CIDR ranges for
the customer gateway and AWS sides that are allowed to communicate over the VPN tunnels. The default
for both ranges is ::/0.
9. For Outside IP address type, keep the default option, PublicIpv4.
10. (Optional) For Tunnel options, you can specify the following information for each tunnel:
• A /30 IPv4 CIDR block from the 169.254.0.0/16 range for the inside tunnel IPv4 addresses.
• If you specified IPv6 for Tunnel inside IP version, a /126 IPv6 CIDR block from the fd00::/8 range
for the inside tunnel IPv6 addresses.
• The IKE pre-shared key (PSK). The following versions are supported: IKEv1 or IKEv2.
• To edit the advanced options for your tunnel, choose Edit tunnel options. For more information,
see VPN tunnel options.
11. Choose Create VPN connection. It might take a few minutes to create the VPN connection.

To create a VPN connection using the command line or API
• CreateVpnConnection (Amazon EC2 Query API)
• create-vpn-connection (AWS CLI)
• New-EC2VpnConnection (AWS Tools for Windows PowerShell)

Step 6: Download the configuration file
After you create the VPN connection, you can download a sample configuration file to use for
configuring the customer gateway device.

Permissions
To properly load the download configuration screen from the AWS Management Console, you must
ensure that your IAM role or user has permission for the following Amazon EC2
APIs: GetVpnConnectionDeviceTypes and GetVpnConnectionDeviceSampleConfiguration.

To download the configuration file using the console

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Site-to-Site VPN connections.
3. Select your VPN connection and choose Download configuration.
4. Select the Vendor, Platform, Software, and IKE version that correspond to your customer gateway
device. If your device is not listed, choose Generic.
5. Choose Download.

To download a sample configuration file using the command line or API
• GetVpnConnectionDeviceTypes (Amazon EC2 Query API)
• GetVpnConnectionDeviceSampleConfiguration (Amazon EC2 Query API)
• get-vpn-connection-device-types (AWS CLI)
• get-vpn-connection-device-sample-configuration (AWS CLI)

Step 7: Configure the customer gateway device

Use the sample configuration file to configure your customer gateway device. The customer gateway
device is the physical or software appliance on your side of the VPN connection.

3.27 Direct Connect & Direct Connect Gateway

AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard
Ethernet fiber-optic cable. One end of the cable is connected to your router, the other to an AWS Direct
Connect router. With this connection, you can create virtual interfaces directly to public AWS services (for
example, to Amazon S3) or to Amazon VPC, bypassing internet service providers in your network path. An
AWS Direct Connect location provides access to AWS in the Region with which it is associated. You can
use a single connection in a public Region or AWS GovCloud (US) to access public AWS services in all
other public Regions.

The following diagram shows a high-level overview of how AWS Direct Connect interfaces with your
network.
Direct Connect Gateway
An AWS Direct Connect gateway makes it easier to connect from a single Direct Connect location
to multiple AWS Regions or VPCs.
The Direct Connect gateway connects multiple VPCs in different AWS Regions through their
virtual private gateways. The Direct Connect gateway is in turn attached to the Direct Connect connection
through a private virtual interface, so multiple VPCs can reach the customer network over one private
virtual interface.

3.28 AWS PrivateLink - VPC Endpoint Services


AWS PrivateLink establishes private connectivity between virtual private clouds
(VPC) and supported AWS services, services hosted by other AWS accounts, and
supported AWS Marketplace services. You do not need to use an internet gateway,
NAT device, AWS Direct Connect connection, or AWS Site-to-Site VPN connection to
communicate with the service.

To use AWS PrivateLink, create a VPC endpoint in your VPC, specifying the name of
the service and a subnet. This creates an elastic network interface in the subnet that
serves as an entry point for traffic destined to the service.

You can create your own VPC endpoint service, powered by AWS PrivateLink and
enable other AWS customers to access your service.

The following diagram shows the common use cases for AWS PrivateLink. The VPC
on the left has several EC2 instances in a private subnet and three interface VPC
endpoints. The top-most VPC endpoint connects to an AWS service. The middle VPC
endpoint connects to a service hosted by another AWS account (a VPC endpoint
service). The bottom VPC endpoint connects to an AWS Marketplace partner service.
3.29 AWS Classic Link
ClassicLink allows you to link EC2-Classic instances to a VPC in your account, within
the same Region. If you associate the VPC security groups with an EC2-Classic
instance, this enables communication between your EC2-Classic instance and
instances in your VPC using private IPv4 addresses. ClassicLink removes the need to
use public IPv4 addresses or Elastic IP addresses to enable communication
between instances on these platforms.

3.30 Transit Gateway


AWS Transit Gateway is a highly available and scalable service that consolidates the AWS VPC routing
configuration for a Region into a hub-and-spoke architecture. Each spoke VPC only needs to connect to the
Transit Gateway to gain access to the other connected VPCs. Both IPv4 and IPv6 traffic are supported by AWS
Transit Gateway.

You can take advantage of several Transit Gateway route tables, associations, and propagations to segment
your traffic within the same Transit Gateway. You can also take advantage of the hub-and-spoke
architecture created by Transit Gateway to centralize access to shared services such as traffic inspection,
interface VPC endpoint access, or egress traffic through a NAT gateway or NAT instances. This
centralization reduces the complexity of managing these resources across several VPCs, and allows for better
control as you extend your footprint in AWS.

Transit Gateways can be peered with each other within the same AWS Region or between different AWS
Regions. AWS Transit Gateway traffic always stays on the global AWS backbone.

With a large number of VPCs, Transit Gateway provides simpler VPC-to-VPC communication
management over VPC Peering, as shown in the following figure.
For a central visibility of IP traffic going to and from your Transit Gateways, you can publish Transit
Gateway Flow Logs to Amazon CloudWatch Logs and Amazon S3. Flow log data is collected outside of the
path of your network traffic, and therefore does not affect network throughput or latency.

3.31 VPC Traffic Mirroring


Traffic Mirroring is an Amazon VPC feature that you can use to copy network traffic from an elastic
network interface of type interface. You can then send the traffic to out-of-band security and monitoring
appliances for:

 Content inspection
 Threat monitoring
 Troubleshooting

Traffic Mirroring supports filters and packet truncation, so that you can extract only the traffic of interest,
using the monitoring tools of your choice.

Traffic Mirroring concepts

The following are the key concepts for Traffic Mirroring:

• Source — The network interface to monitor.
• Filter — A set of rules that defines the traffic that is mirrored.
• Target — The destination for mirrored traffic.
• Session — Establishes a relationship between a source, a filter, and a target.

Traffic Mirroring benefits

Traffic Mirroring offers the following benefits:

• Simplified operation — Mirror any range of your VPC traffic without having to manage packet
forwarding agents on your EC2 instances.
• Enhanced security — Capture packets at the elastic network interface, which cannot be disabled or
tampered with from user space.
• Increased monitoring options — Send your mirrored traffic to any security device.
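To make the four concepts concrete, here is an added example (not AWS code) that models a source, an ordered filter, a target and a session, including packet truncation. The ENI ids and packets are constructed; the model assumes rules are evaluated in order, the first match wins, and a packet matching no rule is not mirrored.

```python
# Added example, not AWS code: model of the Traffic Mirroring concepts above.
# Assumes first matching rule wins and no match means the packet is not mirrored.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class FilterRule:
    direction: str                   # "ingress" or "egress" relative to the source ENI
    action: str                      # "accept" (mirror) or "reject" (do not mirror)
    protocol: Optional[int]          # IANA protocol number, None matches any
    src_cidr: str
    dst_cidr: str
    dst_ports: Optional[Tuple[int, int]] = None   # inclusive range, None matches any

    def matches(self, pkt):
        return (pkt["direction"] == self.direction
                and (self.protocol is None or pkt["proto"] == self.protocol)
                and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src_cidr)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst_cidr)
                and (self.dst_ports is None
                     or self.dst_ports[0] <= pkt["dport"] <= self.dst_ports[1]))


class MirrorSession:
    """Ties one source ENI to an ordered filter and a target; optional truncation."""

    def __init__(self, source_eni, rules, target, packet_length=None):
        self.source_eni, self.rules, self.target = source_eni, rules, target
        self.packet_length = packet_length   # bytes kept per packet, None = whole packet

    def mirror(self, pkt):
        """Return the (possibly truncated) copy sent to the target, or None if not mirrored."""
        if pkt["eni"] != self.source_eni:
            return None
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action != "accept":
                    return None
                copy = dict(pkt, target=self.target)   # original packet is left untouched
                if self.packet_length is not None:
                    copy["payload"] = pkt["payload"][: self.packet_length]
                return copy
        return None


# Constructed session: skip SSH, mirror the first 8 bytes of inbound web traffic to the VPC
WEB_SESSION = MirrorSession("eni-src-0001", [
    FilterRule("ingress", "reject", 6, "0.0.0.0/0", "0.0.0.0/0", (22, 22)),
    FilterRule("ingress", "accept", 6, "0.0.0.0/0", "10.0.0.0/16", (80, 443)),
], target="eni-appliance-0001", packet_length=8)
```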

3.31 IPv6 for VPC

When you create a virtual private cloud (VPC), you can specify an IPv4 CIDR block and specify
whether to assign an IPv6 CIDR block to the VPC. After you enable IPv6 for a VPC, the system
automatically creates an IPv6 gateway of Free Edition for the VPC. You can use the IPv6 gateway to
manage IPv6 Internet bandwidth and configure egress-only rules.
The number of IPv4 addresses is limited. In scenarios in which IPv4 addresses are used, it takes
much time and effort for network engineers to resolve IP address conflicts. In this case, you can
enable IPv6. IPv6 provides significantly more IP addresses than IPv4. IPv6 helps solve the issue of IP
address shortage, and allows various types of devices to access the Internet.

3.32 Lab - IPv6 for VPC

Enable IPv6 for an existing VPC


1. Log on to the VPC console.
2. In the top navigation bar, select the region where the VPC is created.
3. On the VPCs page, find the VPC that you want to manage and click Enable IPv6 CIDR Block in
the IPv6 CIDR Block column.

4. In the Enable IPv6 CIDR Block dialog box, select Enable IPv6 CIDR Block of all VSwitches in
VPC, and click OK.
If you do not select Enable IPv6 CIDR Block of all VSwitches in VPC, you must enable IPv6 for each
vSwitch individually.
3.33 Egress Only Internet Gateway

An egress-only internet gateway is a horizontally scaled, redundant, and highly available VPC component
that allows outbound communication over IPv6 from instances in your VPC to the internet, and prevents the
internet from initiating an IPv6 connection with your instances.

An egress-only internet gateway is stateful: it forwards traffic from the instances in the subnet to the
internet or other AWS services, and then sends the response back to the instances.
An egress-only internet gateway has the following characteristics:
 You cannot associate a security group with an egress-only internet gateway. You can use security groups
for your instances in the private subnet to control the traffic to and from those instances.
 You can use a network ACL to control the traffic to and from the subnet for which the egress-only
internet gateway routes traffic.
In the following diagram, the VPC has both IPv4 and IPv6 CIDR blocks, and the subnet has both IPv4 and
IPv6 CIDR blocks. The VPC has an egress-only internet gateway.

3.34 Lab - Egress Only Internet Gateway

Create an egress-only internet gateway

You can create an egress-only internet gateway for your VPC using the Amazon VPC console.

To create an egress-only internet gateway

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Egress Only Internet Gateways.
3. Choose Create Egress Only Internet Gateway.
4. (Optional) Add or remove a tag.
[Add a tag] Choose Add new tag and do the following:
• For Key, enter the key name.
• For Value, enter the key value.

[Remove a tag] Choose Remove to the right of the tag's Key and Value.
5. Select the VPC in which to create the egress-only internet gateway.
6. Choose Create.

View your egress-only internet gateway

You can view information about your egress-only internet gateway in the Amazon VPC console.

To view information about an egress-only internet gateway

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Egress Only Internet Gateways.
3. Select the egress-only internet gateway to view its information in the details pane.

Create a custom route table

To send traffic destined outside the VPC to the egress-only internet gateway, you must create a custom
route table, add a route that sends traffic to the gateway, and then associate it with your subnet.

To create a custom route table and add a route to the egress-only internet gateway
1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Route Tables, Create route table.
3. In the Create route table dialog box, optionally name your route table, then select your VPC and
choose Create route table.
4. Select the custom route table that you just created. The details pane displays tabs for working with its
routes, associations, and route propagation.
5. On the Routes tab, choose Edit routes, specify ::/0 in the Destination box, select the egress-only
internet gateway ID in the Target list, and then choose Save changes.
6. On the Subnet associations tab, choose Edit subnet associations, and select the check box for the
subnet. Choose Save.

Alternatively, you can add a route to an existing route table that's associated with your subnet. Select your
existing route table, and follow steps 5 and 6 above to add a route for the egress-only internet gateway.

Delete an egress-only internet gateway

If you no longer need an egress-only internet gateway, you can delete it. Any route in a route table that
points to the deleted egress-only internet gateway remains in a blackhole status until you manually delete or
update the route.

To delete an egress-only internet gateway

1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
2. In the navigation pane, choose Egress Only Internet Gateways, and select the egress-only internet
gateway.
3. Choose Delete.
4. Choose Delete Egress Only Internet Gateway in the confirmation dialog box.
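The two properties that matter for this lab, the ::/0 route that targets the egress-only internet gateway (and becomes a blackhole once the gateway is deleted) and the gateway's stateful, outbound-only behaviour from section 3.33, are modelled in the following added example; it is not AWS code, and the gateway id, VPC CIDR, addresses and ports are constructed.

```python
# Added example, not AWS code: models a custom route table with a ::/0 route to an
# egress-only internet gateway, a blackhole route, and the gateway's stateful
# behaviour (replies to flows started inside are admitted, everything else is not).
import ipaddress


class RouteTable:
    """Longest-prefix match over (cidr, target); target None models a blackhole route."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(cidr), target) for cidr, target in routes]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, target in self.routes:
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, target)
        return best[1] if best else None


class EgressOnlyGateway:
    """Stateful: remembers outbound flows and admits only their return traffic."""

    def __init__(self, gateway_id):
        self.gateway_id = gateway_id
        self.flows = set()   # (inside_ip, outside_ip, proto, inside_port, outside_port)

    def outbound(self, src, dst, proto, sport, dport):
        self.flows.add((src, dst, proto, sport, dport))
        return "forwarded"

    def inbound(self, src, dst, proto, sport, dport):
        # A reply mirrors the addresses and ports of a flow the instance started.
        return "accepted" if (dst, src, proto, dport, sport) in self.flows else "dropped"


def send_from_instance(route_table, eigw, src, dst, proto, sport, dport):
    """Route an instance's packet: local delivery, the eigw, or drop (no route/blackhole)."""
    target = route_table.lookup(dst)
    if target == "local":
        return "local"
    if target == eigw.gateway_id:
        return eigw.outbound(src, dst, proto, sport, dport)
    return "dropped"


# Constructed VPC: local route for the VPC's IPv6 CIDR, default IPv6 route to the eigw
ROUTES = RouteTable([("2001:db8:1::/56", "local"), ("::/0", "eigw-0123456789abcdef0")])
EIGW = EgressOnlyGateway("eigw-0123456789abcdef0")
```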

3.35 Networking Costs in AWS


Your data is one of the most valuable assets your company has. Utilizing the cloud improves your data’s
mobility and flexibility to enhance its value, but AWS data transfer costs can add up quickly. You need to
understand data transfer charges and what you can do to minimize them.

What Are AWS Data Transfer Costs?

AWS data transfer costs are what AWS charges to transfer data either:

• Between AWS and the internet
• Within AWS between services, such as EC2 or S3

For some AWS services, the cost for moving data in or out is accounted for in the cost of the service itself,
rather than billed as a separate data transfer fee. Sometimes this means that there won’t be a distinct data
transfer cost in either direction, such as with Amazon Kinesis. Sometimes there will be a specific cost to
move data one way (out) but not the other way (in), such as when transferring to and from AWS S3 across
different regions. Other times, there will be a cost to transfer data in and transfer data out, such as when
transferring data between EC2 instances in different availability zones (AZs) of the same region.

All those variables mean that controlling data transfer costs means knowing exactly how your data is
moving around.

Data transfer between AWS and the Internet

Data transfer rates from AWS out to the internet depend heavily on the region. For example, for
resources located in the US West (Oregon) region, the first 100 GB per month is free, and the next 9.999 TB
per month costs $0.09 per GB. However, if a resource is located in the South America (São Paulo) region,
the first 100 GB per month is still free, but the next 9.999 TB per month costs $0.15 per GB.

Data transfer within AWS

Within AWS, you can transfer data across regions or within a region.

Data transfer across regions

Transferring data between AWS services across regions has the same cost structure (although the rates are
a lot lower) as transferring data between AWS and the internet. These costs also depend on the region, but
data transfer into an AWS region from any other AWS region is free. In other words, you only pay for the
outbound transfer of the originating region, not the inbound transfer in the target region.

Data transfer within regions

Data transfer charges between AWS services within a region depend on whether you’re transferring data
within or across AZs.

Data transfers are free if you remain within a region and the same availability zone, and you use a private
IP address. Data transfers within the same region but crossing availability zones have associated costs.

To help you visualize how this all fits together, here's a diagram that shows the various types of data
transfer for EC2 instances. Rates are for US West (Oregon). NOTE: the $0.09 per GB charge for moving
data out of AWS applies up to the first 10 TB per month.
