Virtual Private Cloud

AWS Virtual Private Cloud

When whatever is being launched on AWS must stay private, the Virtual Private Cloud (VPC) provides the functionality for the task. It grants full control over the virtual network environment, from resource allocation to security, and is simple to set up. There are options for choosing the IP range, creating subnets, and configuring route tables. The only connections into this network are the ones the user defines.

What is the Virtual Private Cloud and What’s its Purpose?

The AWS VPC lets users provision isolated segments of the cloud to form a private network.  As stated, there is a range of controls and variables to adjust with this network including the IP address ranges, subnets, route tables, and network gateways.  There is also the option for a hardware VPN (virtual private network) to further incorporate a physical datacenter into the system.  While everything on a subnet can be made publicly accessible, back-end systems such as servers and databases can be made completely private with external access tightly controlled.

Main Features

Flow Logs

Flow logs, which can be delivered to connected S3 (Simple Storage Service) or CloudWatch, provide a distinct view of traffic patterns, anomalies, dependencies, and data leaks, making troubleshooting of network connectivity and configuration easier.  Each record retains metadata about the TCP connections, including the source of the access and the intended destination.  Flow logs are also a necessary component for meeting certain compliance requirements.
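As an added illustration of what those records look like in practice (this is example code, not part of the original article), the parser below reads VPC flow log lines in AWS's default field format and reports sources whose traffic was rejected on several distinct ports, a common first check when hunting for anomalies. The log lines are constructed sample data; the account and interface IDs are placeholders.

```python
"""Parse VPC flow log records (default format) and flag rejected traffic.
Added example, not code from the article; the records below are constructed
sample data and the account and interface IDs are placeholders."""
from dataclasses import dataclass

# Field order of the default (version 2) VPC flow log format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Constructed sample records; timestamps are epoch seconds, protocol 6 is TCP.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51234 22 6 12 1480 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51235 3389 6 4 240 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40000 443 6 30 8800 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.20 51236 3306 6 3 180 1700000060 1700000119 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000060 1700000119 - NODATA
"""

@dataclass
class FlowRecord:
    srcaddr: str
    dstaddr: str
    dstport: int
    action: str

def parse_flow_log(text: str) -> list[FlowRecord]:
    """Parse default-format records, skipping NODATA/SKIPDATA lines (no traffic fields)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA carry no addresses or ports
        records.append(FlowRecord(rec["srcaddr"], rec["dstaddr"],
                                  int(rec["dstport"]), rec["action"]))
    return records

def rejected_sources(records, min_ports: int = 2) -> dict[str, list[int]]:
    """Sources REJECTed on at least `min_ports` distinct destination ports."""
    ports: dict[str, set[int]] = {}
    for r in records:
        if r.action == "REJECT":
            ports.setdefault(r.srcaddr, set()).add(r.dstport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}
```

The NODATA line is skipped on purpose: flow logs emit such records when no traffic was captured in an interval, and they carry no addresses or ports to parse.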

 

IP Address Manager

This is the dedicated service for accessing, monitoring, and adjusting all IP addresses associated with the AWS workloads.  IP address assignments tied to the VPC are automated, removing the need for spreadsheet planning applications.  The monitoring side of the address manager provides users with an unimpeded view of the network with metrics for IP usage.

 

IP Addressing

Resources in the VPC need to communicate internally efficiently and also reach resources over the internet.  The VPC supports both IPv4 and IPv6 addressing to bridge that gap.  Within a VPC there are options for creating IPv4-only, IPv6-only, and cross-protocol (dual-stack) subnets for EC2 instances to launch into.  There are further options for modifying the Amazon-provided IP addresses or for users to bring their own IP addresses for assignment to the network.

 

Ingress Routing

The VPC also provides inbound and outbound traffic controls from either a public or private gateway to an EC2 instance’s elastic network interface on its way to actually reaching the intended workloads.

 

Network Access Analysis

Along with the monitoring tools mentioned above, there are analysis tools for inspecting access points as required by network security and compliance regulations.  Along with adjusting requirements for the network, this helps to identify access points that don’t meet specified requirements.  It lays out how the network taps into user resources and identifies weak points in the network security that need improvements.

 

Network Access Control List

In conjunction with Network Access Analysis, this optional allow list is effectively an additional firewall controlling inbound and outbound flow at the subnet level.  It comes with numbered allow and deny rules that can be modified to decide which traffic to catch or ignore.
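To make the rule semantics concrete, here is an added example (not code from the article) that evaluates a network ACL the way AWS does: rules are checked in ascending rule-number order, the first match decides, and the implicit final rule denies anything unmatched. Because a network ACL is stateless, the rule sets below include the ephemeral-port rules for return traffic, which is the check most often missed; the rule numbers and CIDRs are constructed sample values.

```python
"""Evaluate a VPC network ACL the way AWS does: rules are checked in ascending
rule-number order, the first match decides, and the implicit final rule ('*')
denies anything unmatched. Added example, not the article's code; the rule
sets below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int      # lower numbers are evaluated first
    protocol: str    # "tcp", "udp" or "-1" for all protocols
    cidr: str
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"

def evaluate(rules, protocol: str, addr: str, port: int) -> str:
    """Return the action of the first matching rule, else 'deny' (the '*' rule)."""
    ip = ip_address(addr)
    for r in sorted(rules, key=lambda x: x.number):
        if r.protocol not in ("-1", protocol):
            continue
        if ip not in ip_network(r.cidr):
            continue
        if r.protocol in ("tcp", "udp") and not (r.port_from <= port <= r.port_to):
            continue
        return r.action
    return "deny"

# Constructed rule sets for a public web subnet. Rule 90 shows ordering: it is
# evaluated before the broader allow at 100 even though it is listed second.
INBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    Rule(90, "tcp", "198.51.100.0/24", 443, 443, "deny"),
    Rule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),  # replies to outbound connections
]
OUTBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),  # replies to inbound clients
    Rule(110, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
# A NACL is stateless, so dropping the ephemeral-port rule silently blocks the
# response half of every connection that the inbound rules accepted.
OUTBOUND_NO_EPHEMERAL = [Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
```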

 

Traffic Mirroring

Issues like security anomalies, operational insight, compliance, understanding security controls, and troubleshooting become a lot easier if a snapshot of traffic can be extracted for closer analysis.  VPC provides the option to look at traffic to EC2 instances and copy it for export and further analysis.  Mirroring provides direct access to the network packets flowing through the VPC.

Pricing Model

Pricing becomes particularly complicated for this service.  Creating or using the VPC itself generates no additional charge, but there is a collection of optional fees for features and services such as customization, monitoring, and security.  Rates for other AWS utilities such as EC2 still follow the base rates of those services.  Connecting the VPC to a corporate datacenter and using the optional hardware bills by the hour and per GB transferred, with pricing varying by region (partial hours count as full hours).

NAT Gateway

As outlined, using the NAT gateway into the VPC will charge per gateway hour used.  Additional equivalent rates apply to each GB processed through the gateway regardless of start or endpoint.  There are also standard AWS data transfer charges applied for all data that goes through the gateway.  When the gateway is no longer needed and needs to be removed from the monthly bill, it is only a matter of deleting the gateway through the AWS Management Console, AWS Command Line Interface, or API.  

IP Address Manager

There is an hourly rate for each active IP address managed by the service (an active IP must be attached to an EC2 instance or Elastic Network Interface).  The service tracks and monitors all IP addresses assigned to resources within the VPC whether they are part of an IP Address Manager pool or not.  Addresses that were created in the past and are not within the active address pool are still subject to billing.  Deleting the address via the AWS Management Console, AWS Command Line Interface, or the API removes billing for that IP address completely.

Traffic Mirroring and Analysis

The rates for the different analysis services vary widely by task, on top of the regional differences.  All depend on the number of active sessions each service has and the number of hours they are active.

Dolan Cleary

I am a recent graduate from the University of Wisconsin - Stout and am now working with AllCode as a web technician. Currently working within the marketing department.
