Amazon Virtual Private Cloud enables you to create a virtual network in the AWS cloud. With a Virtual Private Cloud (VPC), you can define a virtual network that closely resembles a traditional data center. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of routing and access control lists. This section gives a brief introduction to Amazon VPC.
If you're familiar with Amazon EC2, you know that each instance you launch is randomly assigned a public IP address in the Amazon EC2 address space. Amazon VPC enables you to create an isolated portion of the AWS cloud (a VPC) and launch Amazon EC2 instances that have private (RFC 1918) addresses in the range of your choice (e.g., 10.0.0.0/16). You can define subnets within your VPC, which enable you to group similar kinds of instances based on IP address range.
By using Amazon VPC with Amazon EC2 (instead of Amazon EC2 alone), you gain the ability to:

- Logically group your Amazon EC2 instances, and assign them private IP addresses
- Control the egress traffic from your Amazon EC2 instances (in addition to controlling the ingress traffic to them)
- Add an additional layer of security to your Amazon EC2 instances in the form of network Access Control Lists (ACLs)
- Connect your VPC to your corporate data center with a VPN connection, so you can use the AWS cloud as an extension of your corporate data center network
When you create a VPC, you can configure it based on the level of privacy you want. In the most private scenario, you attach only a virtual private gateway and create an IPsec tunnel between your VPC and your home network. In this scenario, your EC2 instances have no direct exposure to the Internet.
In the most public scenario, you can attach only an Internet gateway to the VPC and enable traffic to flow between the Internet and all the instances in your VPC.
You can configure your VPC to be somewhere in between, with both a virtual private gateway and an Internet gateway. Here, some instances could receive Internet traffic (e.g., web servers), whereas others could remain unexposed (e.g., database servers). This is a common scenario for running a multi-tier web application in the AWS cloud.
These different scenarios are discussed in more detail in the Amazon VPC documentation.
You can configure routing in your VPC to control where traffic flows (e.g., to the Internet gateway, the virtual private gateway, etc.). With an Internet gateway, your VPC has direct access to other AWS products such as Amazon Simple Storage Service (Amazon S3). If you choose to have only a virtual private gateway with a connection to your home network, you can route your Internet-bound traffic over the VPN and control its egress with your security policies and corporate firewall. In the latter case, you incur additional bandwidth charges when accessing AWS products, because that traffic leaves AWS over the VPN and re-enters over the Internet.
You can use security groups and network ACLs to help secure the instances in your VPC. Security groups might be familiar if you're an Amazon EC2 user, and network ACLs might be familiar if you're a network administrator. Security groups act like a firewall at the instance level and are stateful (replies to traffic you allowed are permitted automatically), whereas network ACLs are an additional layer of security that act at the subnet level and are stateless (return traffic must be allowed by an explicit rule).
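The difference between the two layers is easiest to see on a single HTTP exchange. The following model is an added example, not AWS code or part of the original documentation: it evaluates one client request to a web server and the server's reply against a security group (allow rules plus connection tracking) and a network ACL (numbered allow/deny rules, first match wins, implicit final deny). The addresses, ports, rule numbers and the `Packet`/`SgRule`/`AclRule` types are constructed for the illustration; the "incomplete" ACL shows the classic failure mode where the request is admitted but the reply on an ephemeral port is dropped.

```python
# Added illustration of how a security group (stateful, allow-only, per instance)
# and a network ACL (stateless, numbered allow/deny rules, per subnet) each judge
# a packet. Not AWS code; the rules, addresses and flows below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    direction: str   # "inbound" or "outbound", relative to the instance/subnet


@dataclass(frozen=True)
class SgRule:
    direction: str
    proto: str
    port_from: int
    port_to: int
    cidr: str        # the remote side of the flow


class SecurityGroup:
    """Allow rules only; anything unmatched is dropped. Replies to flows that
    were already allowed pass through connection tracking."""

    def __init__(self, rules):
        self.rules = rules
        self.tracked = set()   # (instance addr, instance port, peer addr, peer port, proto)

    def allows(self, pkt):
        if pkt.direction == "inbound":
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        else:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if key in self.tracked:
            return True            # stateful: reply to an already allowed flow
        peer = pkt.src if pkt.direction == "inbound" else pkt.dst
        for r in self.rules:
            if (r.direction == pkt.direction and r.proto == pkt.proto
                    and r.port_from <= pkt.dport <= r.port_to
                    and ip_address(peer) in ip_network(r.cidr)):
                self.tracked.add(key)
                return True
        return False


@dataclass(frozen=True)
class AclRule:
    number: int      # evaluated in ascending order; first match wins
    direction: str
    proto: str       # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str      # "allow" or "deny"


class NetworkAcl:
    """Stateless: every packet, replies included, must match an explicit rule,
    so return traffic on ephemeral ports needs its own allow."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, pkt):
        peer = pkt.src if pkt.direction == "inbound" else pkt.dst
        for r in self.rules:
            if (r.direction == pkt.direction and r.proto in ("all", pkt.proto)
                    and r.port_from <= pkt.dport <= r.port_to
                    and ip_address(peer) in ip_network(r.cidr)):
                return r.action == "allow"
        return False               # the implicit final "*" deny


def passes(sg, acl, pkt):
    # Inbound traffic meets the ACL at the subnet boundary before the instance's
    # security group; outbound traffic is checked in the opposite order.
    if pkt.direction == "inbound":
        return acl.allows(pkt) and sg.allows(pkt)
    return sg.allows(pkt) and acl.allows(pkt)


def http_exchange(acl, client="203.0.113.7", server="10.0.0.10"):
    """Send one client SYN to port 80 and the server's reply back out.
    Returns (request_passed, reply_passed)."""
    sg = SecurityGroup([SgRule("inbound", "tcp", 80, 80, "0.0.0.0/0")])
    req = Packet(client, server, "tcp", 50123, 80, "inbound")
    rep = Packet(server, client, "tcp", 80, 50123, "outbound")
    return passes(sg, acl, req), passes(sg, acl, rep)


# Only the request was considered: the reply is dropped at the subnet boundary.
INCOMPLETE_ACL = NetworkAcl([
    AclRule(100, "inbound", "tcp", 80, 80, "0.0.0.0/0", "allow"),
])

# Replies may leave on ephemeral ports, and a lower-numbered deny for one client
# range is evaluated before the broad allow at rule 100.
COMPLETE_ACL = NetworkAcl([
    AclRule(90, "inbound", "tcp", 80, 80, "198.51.100.0/24", "deny"),
    AclRule(100, "inbound", "tcp", 80, 80, "0.0.0.0/0", "allow"),
    AclRule(100, "outbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
])
```

`http_exchange(INCOMPLETE_ACL)` returns `(True, False)`: the security group tracked the request and would let the reply out, but the stateless ACL has no outbound rule for the client's ephemeral port. With `COMPLETE_ACL` the exchange succeeds, and a client in the denied range is refused at rule 90 even though rule 100 would have allowed it.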
By default, the instances you launch in your VPC have only private IP addresses. If you want an instance to have a public IP address, you can assign it an Elastic IP address, which is a static, public address you can assign to any instance in your VPC. For an instance in your VPC to be addressable from the Internet, it must have an Elastic IP address.
You can use Network Address Translation (NAT) to enable instances that don't have Elastic IP addresses to reach the Internet. You can set up the VPC's routing so that traffic from private instances goes through a special NAT instance that has an Elastic IP address. We provide a NAT Amazon Machine Image (AMI) that you can use for this purpose. Because the NAT instance forwards traffic it did not originate, its source/destination check must be disabled.
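The routing choices described above (VPN-only, Internet-only, and the mixed layout whose private instances reach the Internet through a NAT instance) come down to which route table a subnet uses and how a destination is matched against it. The following is an added example, not AWS code or part of the original documentation: it models VPC route lookup as longest-prefix match over constructed route tables. The CIDRs are made up, and `vgw-placeholder`, `igw-placeholder` and `i-nat-placeholder` are placeholder identifiers rather than real resources; treating any `i-` target as a NAT instance is a convention of this model.

```python
# Added illustration of VPC route-table lookup for the three layouts described
# above: VPN-only, Internet-only, and the mixed multi-tier layout whose private
# subnet reaches the Internet through a NAT instance. Not AWS code; the CIDRs
# are constructed and the gateway/instance identifiers are placeholders.
from ipaddress import ip_address, ip_network


def lookup(route_table, dst):
    """Return the target for dst. The matching route with the longest prefix
    wins, so the VPC's own 'local' route always beats a 0.0.0.0/0 default."""
    dst = ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None   # no matching route: the packet is dropped


def egress_path(route_table, dst, nat_subnet_table=None):
    """Follow a packet out of its subnet. A NAT instance target (any 'i-'
    target in this model) means a second lookup in the NAT instance's own
    public subnet route table; the NAT instance must have its
    source/destination check disabled to forward the packet at all."""
    hop = lookup(route_table, dst)
    path = [hop]
    if hop is not None and hop.startswith("i-") and nat_subnet_table is not None:
        path.append(lookup(nat_subnet_table, dst))
    return path


VPC_CIDR = "10.0.0.0/16"
CORP_CIDR = "192.168.0.0/16"       # constructed corporate ("home") network range

# Most private: only a virtual private gateway. Internet-bound traffic also
# rides the VPN, so the corporate firewall controls all egress.
VPN_ONLY = [(VPC_CIDR, "local"), ("0.0.0.0/0", "vgw-placeholder")]

# Most public: only an Internet gateway.
PUBLIC = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-placeholder")]

# In between: one VPC, two route tables. Web servers reach the Internet directly;
# database servers have no Internet route of their own, only the NAT instance.
WEB_TIER = [(VPC_CIDR, "local"), (CORP_CIDR, "vgw-placeholder"),
            ("0.0.0.0/0", "igw-placeholder")]
DB_TIER = [(VPC_CIDR, "local"), (CORP_CIDR, "vgw-placeholder"),
           ("0.0.0.0/0", "i-nat-placeholder")]
```

`egress_path(DB_TIER, "198.51.100.20", WEB_TIER)` returns `["i-nat-placeholder", "igw-placeholder"]`: the database subnet hands the packet to the NAT instance, whose own subnet's table sends it to the Internet gateway. The same destination from `VPN_ONLY` resolves to the virtual private gateway, which is the "Internet over the VPN" case and the source of the extra bandwidth charge mentioned above. Corporate addresses match the more specific `CORP_CIDR` route and never fall through to the default route.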
Amazon EC2 instances launched into a VPC have a tenancy attribute. Setting the instance's tenancy attribute to dedicated specifies that your instance will run on single-tenant hardware. Amazon VPCs have a related attribute called instance tenancy. Setting this instance tenancy attribute to dedicated specifies that only Dedicated Instances can be launched into the VPC.
For more information, go to Using EC2 Dedicated Instances Within Your VPC in the Amazon Virtual Private Cloud User Guide.
Amazon VPC has its own set of documentation to describe how to create and use your VPC. The following table gives links to the Amazon VPC guides.
| Description | Documentation |
|---|---|
| How to get started using Amazon VPC | |
| How to use Amazon VPC through the AWS Management Console | |
| Complete descriptions of all the Amazon VPC commands | Amazon Elastic Compute Cloud Command Line Reference (the Amazon VPC commands are part of the Amazon EC2 reference) |
| Complete descriptions of the Amazon VPC API actions, data types, and errors | Amazon Elastic Compute Cloud API Reference (the Amazon VPC API actions are part of the Amazon EC2 reference) |
| Information for the network administrator who needs to configure the gateway at your end of an optional IPsec VPN connection | |