Amazon Virtual Private Cloud 101: features, pricing and more

When the cloud was new, organizations flocked to Amazon Web Services (AWS) because it offered an easy way to provision and decommission virtual servers. This provided the flexibility of a Linux or Windows system without the hassle of setting up a physical machine. But many organizations didn’t consider the networking implications of running a VM with a service provider, so they typically used a public IP address that made the system accessible from anywhere.

Such simplicity is convenient, but it isn’t practical or secure, especially once an organization needs to expand its AWS usage to dozens of VMs accessing Simple Storage Service (S3), Relational Database Service (RDS) and other services to run enterprise applications. Real-world cloud usage requires something like the private network and subnetting flexibility that’s commonplace in enterprise data centers, which is precisely what Amazon Virtual Private Cloud (VPC) provides.


Since the days of N-tier applications, enterprise network topologies have relied on the ability to segment applications and users into different subnets, each with a uniquely tailored security policy that isolates sensitive data from systems that external users access.

[Figure: the AWS Management Console showing the VPC dashboard]

A similar ability to isolate and segment various applications, services, user groups and departments into controlled security zones is critical if cloud services such as AWS are to supplement and replace on-premises infrastructure. Amazon VPC provides this flexibility and more because it uses virtual network services that IT can spin up instantly, reconfigure quickly and scale easily.

The name Virtual Private Cloud is somewhat deceptive: it is about creating private networks, not dedicated clouds, even though having complete control over a network sandbox makes it feel like a private cloud. Essentially, VPCs are a vessel for other AWS services such as Elastic Compute Cloud (EC2), Elastic Block Store and RDS.

Key features of Amazon Virtual Private Cloud

• a virtual router that supports isolated private networks using RFC 1918 addressing (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16), with full control over subnetting and the Classless Inter-Domain Routing (CIDR) blocks within the umbrella address space; a VPC's own CIDR block must be between /16 and /28 in size;

Aside from network configuration flexibility, VPCs simplify reaching AWS services privately: VPC endpoints let resources in the VPC (and, through interface endpoints, on-premises systems connected over VPN or Direct Connect) reach services such as S3 without a NAT gateway or an internet gateway, so the traffic never traverses the public internet. Endpoints also provide more granular security for AWS resources; for example, an endpoint policy can restrict the traffic passing through an S3 endpoint to particular buckets.
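The bucket-restricting endpoint policy just mentioned, as an added example written for this article rather than code from AWS: it generates the policy document for an S3 gateway endpoint that permits only two assumed bucket names, and includes a small evaluator covering just the IAM matching rules the policy relies on, so the effect on constructed sample requests can be seen without an AWS account.

```python
"""Build an S3 gateway-endpoint policy that limits traffic through the
endpoint to two approved buckets, and evaluate sample requests against it.

Added example written for this article, not AWS code. The bucket names and
sample requests are made up. The evaluator covers only what the policy
needs: Allow/Deny statements, '*' and '?' wildcards in Action and Resource,
explicit Deny beating Allow, and implicit deny when nothing matches. Real
IAM evaluation has more elements (NotAction, Condition, Principal logic).
"""
import json
import re

APPROVED_BUCKETS = ["example-app-assets", "example-app-logs"]  # assumed names


def endpoint_policy(buckets):
    """Policy document for the endpoint. Anything not listed, such as an
    attacker-controlled bucket used for exfiltration, is implicitly denied
    even though it is also 'S3' and reachable through the same endpoint."""
    resources = []
    for name in buckets:
        resources.append(f"arn:aws:s3:::{name}")     # bucket ARN, for s3:ListBucket
        resources.append(f"arn:aws:s3:::{name}/*")   # object ARNs, for Get/PutObject
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ApprovedBucketsOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
            "Resource": resources,
        }],
    }


def _iam_match(pattern, value, ignore_case=False):
    """IAM wildcard semantics: '*' any run of characters, '?' one character.
    Action names are case-insensitive, resource ARNs are case-sensitive."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(field):
    return field if isinstance(field, list) else [field]


def is_allowed(policy, action, resource):
    """Explicit Deny wins regardless of statement order; otherwise at least
    one matching Allow is needed; no match at all is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_iam_match(p, action, ignore_case=True) for p in _as_list(stmt["Action"]))
        resource_hit = any(_iam_match(p, resource) for p in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


POLICY = endpoint_policy(APPROVED_BUCKETS)

# Constructed sample requests: (action, resource, expected verdict).
SAMPLE_REQUESTS = [
    ("s3:GetObject", "arn:aws:s3:::example-app-assets/site/index.html", True),
    ("s3:ListBucket", "arn:aws:s3:::example-app-logs", True),
    ("s3:GetObject", "arn:aws:s3:::attacker-exfil-bucket/loot.tar", False),  # bucket not approved
    ("s3:DeleteObject", "arn:aws:s3:::example-app-assets/site/index.html", False),  # action not granted
    ("s3:GetObject", "arn:aws:s3:::example-app-assets-evil/x", False),  # look-alike name; the ARN must match
]


def evaluate_samples(policy=POLICY):
    """Return (action, resource, verdict) for each constructed request."""
    return [(action, resource, is_allowed(policy, action, resource))
            for action, resource, _expected in SAMPLE_REQUESTS]


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for action, resource, verdict in evaluate_samples():
        print(f"{'ALLOW' if verdict else 'DENY':5}  {action:15}  {resource}")
```

The printed document is what goes into `aws ec2 create-vpc-endpoint --policy-document file://policy.json` (alongside the VPC, service name and route table IDs of the real environment). Two caveats: the endpoint policy only constrains what passes through that endpoint, so the callers' IAM permissions and the buckets' own policies still apply on top of it, and it does nothing about data leaving by other paths, which is why it is usually paired with bucket policies that require the request to arrive via the endpoint (the `aws:SourceVpce` condition key).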

VPCs are so fundamental to how AWS works that EC2, RDS, Elastic Load Balancing and similar services cannot be launched outside one; every AWS account comes with a default VPC in each region, which hosts any such resources admins launch without specifying a VPC. Most enterprise AWS users will want to create custom VPCs that support more complex, segmented network designs.

Aside from their inherent adaptability to various network security needs, VPCs are critical to many enterprise usage scenarios, such as hosting public-facing websites and web applications that might need to access sensitive data on a separate protected subnet.

VPCs also help to build multi-tier applications that partition and control traffic and user access between different security zones. They can be used to create hybrid cloud applications where some components, such as the public web UI, are hosted on AWS and others — enterprise databases or a content management system — run on premises.
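To make the point about partitioning and controlling traffic between security zones concrete, here is an added example written for this article (not AWS code) that models how the two controls a VPC offers, a security group and a network ACL, each decide on a flow between an assumed web tier and data tier. It includes the stateless-reply mistake that makes a network ACL block a connection whose port it apparently allows, and the rule-ordering pitfall; subnet ranges, rules and sample flows are constructed.

```python
"""Model the two traffic controls a VPC gives each security zone so the
difference is concrete: a security group is a stateful allow list (any
matching rule permits the request and replies are permitted automatically);
a network ACL is a stateless, numbered rule list (the lowest-numbered rule
that matches wins, the trailing '*' rule denies, and reply traffic has to be
allowed explicitly on the ephemeral port range).

Added example written for this article, not AWS code. The two-tier layout
(web subnet 10.42.0.0/24, data subnet 10.42.128.0/24), the rules and the
sample flows are constructed for illustration.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port")  # port is the destination port

EPHEMERAL = (1024, 65535)  # source-port range clients (and NAT gateways) may use


def _in_cidr(cidr, ip):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def sg_allows(rules, flow):
    """Security group rule = (proto, from_port, to_port, source_cidr).
    Stateful and allow-only: one matching rule is enough, order is irrelevant,
    and the reply is tracked so it needs no rule of its own."""
    return any(proto == flow.proto and lo <= flow.port <= hi and _in_cidr(src, flow.src)
               for proto, lo, hi, src in rules)


def nacl_decision(rules, flow, direction):
    """NACL rule = (number, proto, from_port, to_port, cidr, action).
    Inbound rules match the source CIDR, outbound rules the destination CIDR.
    Rules are checked in ascending number and the first match decides; with
    no match the implicit '*' rule denies."""
    peer = flow.src if direction == "inbound" else flow.dst
    for _num, proto, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if proto in (flow.proto, "all") and lo <= flow.port <= hi and _in_cidr(cidr, peer):
            return action
    return "deny"


def nacl_permits_connection(inbound, outbound, flow, ephemeral=EPHEMERAL):
    """A TCP connection into a subnet survives its NACL only if the request
    passes the inbound list AND the reply (hosts reversed, destination port
    anywhere in the client's ephemeral range) passes the outbound list.
    The edges and midpoint of the range are probed rather than every port."""
    if nacl_decision(inbound, flow, "inbound") != "allow":
        return False
    lo, hi = ephemeral
    return all(
        nacl_decision(outbound, Flow(flow.dst, flow.src, flow.proto, p), "outbound") == "allow"
        for p in (lo, (lo + hi) // 2, hi)
    )


# Constructed policies for the data subnet.
DB_SG = [("tcp", 5432, 5432, "10.42.0.0/24")]  # only the web tier may reach Postgres

# First attempt at the data-subnet NACL: mirrors port 5432 both ways and
# forgets that replies leave on the web host's ephemeral port, not on 5432.
NACL_BROKEN_IN = [(100, "tcp", 5432, 5432, "10.42.0.0/24", "allow")]
NACL_BROKEN_OUT = [(100, "tcp", 5432, 5432, "10.42.0.0/24", "allow")]

# Corrected outbound list: replies to the web tier on the ephemeral range.
NACL_FIXED_OUT = [(100, "tcp", 1024, 65535, "10.42.0.0/24", "allow")]

# Ordering pitfall: a lower-numbered deny shadows the allow that follows it.
NACL_SHADOWED_IN = [(50, "all", 0, 65535, "10.42.0.0/24", "deny")] + NACL_BROKEN_IN

WEB_TO_DB = Flow("10.42.0.10", "10.42.128.10", "tcp", 5432)
INTERNET_TO_DB = Flow("203.0.113.7", "10.42.128.10", "tcp", 5432)


def evaluate():
    """Verdicts for the sample flows against each control."""
    return {
        "sg_web_to_db": sg_allows(DB_SG, WEB_TO_DB),
        "sg_internet_to_db": sg_allows(DB_SG, INTERNET_TO_DB),
        "nacl_broken_web_to_db": nacl_permits_connection(NACL_BROKEN_IN, NACL_BROKEN_OUT, WEB_TO_DB),
        "nacl_fixed_web_to_db": nacl_permits_connection(NACL_BROKEN_IN, NACL_FIXED_OUT, WEB_TO_DB),
        "nacl_shadowed_web_to_db": nacl_permits_connection(NACL_SHADOWED_IN, NACL_FIXED_OUT, WEB_TO_DB),
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:26} {'allowed' if verdict else 'blocked'}")
```

The practical reading: security groups carry the fine-grained, per-workload policy, because they are stateful and easy to reason about, while network ACLs are best kept coarse (a subnet-level backstop that, for instance, denies a whole untrusted range) precisely because every allowed connection needs a matching return-traffic rule and a badly numbered deny silently shadows everything after it.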

Using a VPC with EC2 and other AWS services is non-negotiable, so the real question is what is gained by using VPCs extensively, with multiple subnets and security groups. There is little downside in return for great flexibility in network design and security policies.

• More external connectivity options, with support for AWS Direct Connect (private, high-bandwidth physical circuits connecting on-premises data centers or private systems at a colocation facility to AWS) and for PrivateLink, the technology behind interface VPC endpoints, which provides private network connectivity between a customer VPC and select AWS and third-party services hosted on AWS, for example from the AWS Marketplace.

• The ability to bridge on-premises and AWS infrastructure without a Direct Connect circuit by using virtual private network (VPN) connections. On the AWS side, the VPN can be an AWS service (Site-to-Site VPN, or VPN CloudHub for connecting several sites) or a third-party virtual appliance, whereas on premises or at remote sites the VPN termination point can be either a physical or a virtual appliance.

Despite all these features, implementing VPCs doesn't need to be complicated; indeed, the AWS console provides a wizard to build simple configurations. That said, more sophisticated network designs typical of a large enterprise do require intricate, multistep configurations that are best left to experienced network professionals.

[Figure: step one of the setup wizard, selecting a VPC configuration]

Another potential disadvantage is the service quotas on various VPC parameters. By default, an AWS account can have only five VPCs per region and five IPv4 CIDR blocks per VPC, and each VPC can hold 200 subnets and 200 network ACLs, each ACL with 20 inbound and 20 outbound rules (a subnet is associated with exactly one network ACL). Most of these quotas can be raised on request. SMB users won't encounter them, but some large enterprises might, and they should design accordingly.

Amazon VPC pricing explained

VPCs are free to create, but traffic in and out of them is subject to the same data transfer fees as every other AWS service. There are additional hourly and per-GB charges for VPN connections into a VPC, for VPC endpoints, and for NAT gateways, which give instances in private subnets outbound internet access without a public IP address; all are detailed on the AWS product page.

Here is a summary, at U.S. list prices for most regions: Site-to-Site VPN connections, i.e., IPsec over the internet, are 5 cents per connection hour. PrivateLink interface endpoints are 1 cent per hour per Availability Zone plus 1 cent per GB processed (the per-GB rate drops at higher volumes). A NAT gateway is 4.5 cents per hour plus 4.5 cents per GB processed. Prices vary by region and change over time, so check the current price list before budgeting.

Amazon Virtual Private Cloud best practices

VPCs can be the foundation for extremely sophisticated network designs, meaning they require the same degree of planning for subnet and address strategies as data center networks. As AWS outlines, VPC users should also liberally use subnets to separate applications with different routing and security requirements.
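The subnet and address planning these best practices call for, as an added example written for this article rather than AWS tooling: it checks a proposed VPC CIDR against RFC 1918, the /16 to /28 size AWS accepts and a constructed list of on-premises ranges (the overlap check is the step most often skipped and the hardest to fix later, since a VPC's primary CIDR cannot be changed), then carves the block into per-tier, per-AZ subnets with a contiguous block per tier and derives each tier's default route. AZ names, ranges and tier names are assumptions.

```python
"""Plan a VPC address space before creating anything: choose an RFC 1918
block that AWS accepts and that does not collide with on-premises ranges,
then carve it into per-tier, per-AZ subnets so each tier can get its own
route table and security policy.

Added example written for this article; it is not AWS code. The AZ names,
on-premises ranges and tier layout are assumptions for illustration.
"""
import ipaddress

# The three private ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: ranges already used on the corporate WAN. A VPC that
# overlaps them cannot be routed cleanly over VPN, Direct Connect or peering.
ON_PREM_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/16", "10.1.0.0/16", "192.168.0.0/20")]

AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, one reserved, broadcast


def validate_vpc_cidr(cidr, in_use=ON_PREM_RANGES):
    """Return the problems with a proposed VPC CIDR (an empty list means OK)."""
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net} is not inside an RFC 1918 range")
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"/{net.prefixlen} is outside the /16 to /28 AWS allows for a VPC")
    problems += [f"{net} overlaps in-use range {r}" for r in in_use if net.overlaps(r)]
    return problems


def plan_subnets(vpc_cidr, azs, tiers, subnet_prefix=24):
    """Give each tier a contiguous block of the VPC, then one subnet per AZ
    inside that block. Contiguous tiers mean one network ACL rule or one
    on-premises firewall rule can summarise a whole tier.

    Returns (tier_blocks, subnets): {tier: block} and {az: {tier: subnet}}.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    tier_bits = (len(tiers) - 1).bit_length()  # address bits needed to number the tiers
    blocks = vpc.subnets(prefixlen_diff=tier_bits)
    tier_blocks, subnets = {}, {az: {} for az in azs}
    for tier in tiers:
        block = next(blocks)
        tier_blocks[tier] = block
        per_az = block.subnets(new_prefix=subnet_prefix)
        for az in azs:
            try:
                subnets[az][tier] = next(per_az)
            except StopIteration:
                raise ValueError(f"{block} cannot hold {len(azs)} /{subnet_prefix} subnets") from None
    return tier_blocks, subnets


def usable_hosts(subnet):
    """AWS reserves the first four and the last address of every subnet."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def route_tables(vpc_cidr, tiers):
    """Default route per tier: public -> internet gateway, private -> NAT
    gateway (outbound only, billed per hour and per GB), data -> none,
    so a compromised database host has no path to the internet at all.
    Targets are symbolic names here, not resource IDs."""
    default_target = {"public": "internet-gateway", "private": "nat-gateway"}
    tables = {}
    for tier in tiers:
        routes = [(vpc_cidr, "local")]  # every VPC route table carries the local route
        if tier in default_target:
            routes.append(("0.0.0.0/0", default_target[tier]))
        tables[tier] = routes
    return tables


if __name__ == "__main__":
    cidr = "10.42.0.0/16"  # assumed VPC block, chosen to avoid ON_PREM_RANGES
    print("problems:", validate_vpc_cidr(cidr) or "none")
    tier_blocks, subnets = plan_subnets(cidr, ["us-east-1a", "us-east-1b", "us-east-1c"],
                                        ["public", "private", "data"])
    for tier, block in tier_blocks.items():
        print(f"{tier:8} {block}  routes: {route_tables(cidr, [tier])[tier]}")
        for az, per_tier in subnets.items():
            print(f"  {az} {per_tier[tier]}  ({usable_hosts(per_tier[tier])} usable hosts)")
```

Running it for a /16 with three tiers and three AZs yields nine /24 subnets, each tier summarised by one /18, with the unused fourth /18 left as growth room; the same plan is what the console wizard or a CloudFormation/Terraform definition would then be fed.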
