What is the Virtual Private Cloud and What’s its Purpose?
The AWS VPC lets users provision isolated segments of the cloud to form a private network. There is a range of controls and variables to adjust on this network, including the IP address ranges, subnets, route tables, and network gateways. There is also the option of a hardware VPN (virtual private network) to further incorporate a physical datacenter into the system. While everything on a subnet can be made publicly accessible, back-end systems such as servers and databases can be kept completely private, with external access tightly controlled.
Main Features
Flow Logs
Flow logs record the traffic to and from the VPC and publish it to connected S3 (Simple Storage Service) or CloudWatch destinations, providing a distinct view of traffic patterns, anomalies, dependencies, and data leaks and making it easier to troubleshoot network connections and configuration. Each record retains who accessed the TCP connections, including the source of access and the intended destination. The flow logs are also a necessary component for meeting certain compliance requirements.
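The record layout below follows the default (version 2) flow log format; the parser and the two checks it feeds (rejected flows, and internal hosts pushing unusually many bytes out of the VPC CIDR) are an added example, not code from the page or from AWS. The account id, interface id and the log lines themselves are constructed.

```python
import ipaddress
from collections import defaultdict

# Default (version 2) VPC Flow Log field order, as documented by AWS.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_flow_log(line):
    """Parse one default-format record into a dict; numeric fields become ints."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key]) if rec[key] != "-" else 0   # "-" appears in NODATA/SKIPDATA rows
    return rec

def summarize(lines, vpc_cidr, egress_threshold_bytes):
    """Return (rejected flows, hosts sending more than the threshold out of the VPC).
    Bytes leaving the VPC CIDR per internal source is a crude data-leak heuristic."""
    vpc = ipaddress.ip_network(vpc_cidr)
    rejected, egress = [], defaultdict(int)
    for line in lines:
        rec = parse_flow_log(line)
        if rec["log_status"] != "OK":
            continue                      # no traffic fields to inspect
        if rec["action"] == "REJECT":     # blocked by a security group or network ACL
            rejected.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if src in vpc and dst not in vpc:
            egress[rec["srcaddr"]] += rec["bytes"]
    heavy = {ip: b for ip, b in egress.items() if b > egress_threshold_bytes}
    return rejected, heavy

# Constructed sample records (not real traffic); account and interface ids are placeholders.
SAMPLE = [
    "2 123456789012 eni-0placeholder 10.0.1.20 203.0.113.5 49152 443 6 5 500 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0placeholder 10.0.1.20 203.0.113.5 49153 443 6 6000 9000000 1700000060 1700000120 ACCEPT OK",
    "2 123456789012 eni-0placeholder 203.0.113.9 10.0.1.20 40000 22 6 1 40 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-0placeholder 10.0.1.30 10.0.2.15 50000 5432 6 20 2000 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-0placeholder - - - - - - - 1700000000 1700000060 - NODATA",
]

if __name__ == "__main__":
    print(summarize(SAMPLE, "10.0.0.0/16", 1_000_000))
```

The egress threshold is a tuning knob; in practice it would be set per workload from a baseline of normal traffic rather than a fixed constant.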
IP Address Manager
This is the dedicated service for viewing, monitoring, and adjusting all IP addresses associated with the AWS workloads. IP address assignments tied to the VPC are automated, removing the need for spreadsheet-based planning. The monitoring side of the address manager gives users an unimpeded view of the network, with metrics for IP usage.
IP Addressing
Resources in the VPC need to communicate efficiently with each other and to reach resources over the internet. The VPC supports both IPv4 and IPv6 addressing to bridge that gap. Within a VPC, there are options for creating IPv4-only, IPv6-only, and dual-stack subnets for EC2 instances to launch in. There are further options for modifying the IP addresses Amazon provides, or for users to bring their own IP addresses and assign them to the network.
Ingress Routing
The VPC also provides inbound and outbound traffic controls between a public or private gateway and an EC2 instance's elastic network interface, so traffic can be inspected before it actually reaches the intended workloads.
Network Access Analysis
Along with the monitoring tools mentioned above, there are analysis tools for inspecting access paths as required by network security and compliance regulations. Once requirements for the network are specified, this helps identify access paths that don't meet them. It lays out how the network reaches user resources and identifies weak points in the network security that need improvement.
Network Access Control List
In conjunction with the Network Access Analysis, this optional whitelist is effectively an additional firewall for controlling inbound and outbound flow. It comes with rules that can be modified to decide what to catch and what to ignore.
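Network ACL rules are numbered and evaluated in ascending order, the first match wins, and the ACL is stateless, so return traffic must be allowed explicitly in the opposite direction. This added example (not from the page or from AWS) models that evaluation in Python against a constructed web-tier rule set; the rule fields, the TCP/UDP-only protocol handling and the implicit final deny-all rule are assumptions based on AWS's documented behaviour.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NaclRule:
    number: int       # rules are evaluated in ascending order; the first match wins
    protocol: str     # "tcp", "udp", or "-1" for all protocols (assumed subset of AWS protocols)
    cidr: str         # inbound: source CIDR; outbound: destination CIDR
    port_from: int    # port range applies to the packet's destination port
    port_to: int
    action: str       # "allow" or "deny"

def evaluate(rules, protocol, addr, port):
    """Decide one packet against one direction of a NACL; an unmatched packet hits the
    implicit final deny-all ('*') rule that AWS appends to every network ACL."""
    ip = ipaddress.ip_address(addr)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", protocol):
            continue
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        if r.protocol != "-1" and not (r.port_from <= port <= r.port_to):
            continue
        return r.action
    return "deny"

def session_allowed(inbound, outbound, client_ip, client_port, server_port):
    """NACLs are stateless: a TCP session needs the request allowed inbound AND the
    response (to the client's ephemeral port) allowed outbound."""
    request = evaluate(inbound, "tcp", client_ip, server_port)
    response = evaluate(outbound, "tcp", client_ip, client_port)
    return request == "allow" and response == "allow"

# Constructed web-tier NACL (illustrative, not from the page). Note the pitfall: rule 110
# admits *new* inbound connections to any high port, not only replies; a stateful
# security group on the instance is what actually limits those.
INBOUND = [
    NaclRule(90,  "tcp", "198.51.100.0/24", 22, 22, "deny"),     # wins over 120 because 90 < 120
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),    # replies to outbound connections
    NaclRule(120, "tcp", "0.0.0.0/0", 22, 22, "allow"),
]
OUTBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),    # replies to inbound clients
    NaclRule(110, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]

if __name__ == "__main__":
    print(session_allowed(INBOUND, OUTBOUND, "203.0.113.7", 51000, 443))
```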
Traffic Mirroring
Issues like security anomalies, operational insight, compliance, understanding security controls, and troubleshooting become a lot easier if a snapshot of traffic can be extracted for closer analysis. VPC provides the option to capture traffic to EC2 instances and copy it for export and further analysis. Mirroring provides direct access to the network packets flowing through the VPC.
Pricing Model
Pricing becomes particularly complicated for this service. Creating or using the VPC itself generates no additional charge, but there is a collection of optional fees for features and services such as customization, monitoring, and security. Rates for other AWS utilities such as EC2 still follow the base rates of those services. Connecting the VPC to a corporate datacenter and using the optional hardware bills by the hour and per GB transferred, with pricing varying by region (partial hours count as full hours).
NAT Gateway
As outlined, using the NAT gateway with the VPC is charged per gateway hour used. Additional rates apply to each GB processed through the gateway, regardless of start point or endpoint. Standard AWS data transfer charges also apply to all data that goes through the gateway. When the gateway is no longer needed and should be removed from the monthly bill, it is only a matter of deleting the gateway through the AWS Management Console, AWS Command Line Interface, or API.
IP Address Manager
There is an hourly rate for each active IP address managed with the manager (an active IP is one attached to an EC2 instance or Elastic Network Interface). The service tracks and monitors all IP addresses assigned to resources within the VPC, whether they are part of an IP Address Manager address pool or not. Addresses created in the past that are not within the active address pool are still subject to billing. Deleting the address via the AWS Management Console, AWS Command Line Interface, or the API removes billing for that IP address completely.
Traffic Mirroring and Analysis
The rates for the different analysis services vary widely by task, on top of the regional differences. All still depend on the number of active sessions each service has and the number of hours they are active.