Amazon VPC - Comprehensive Guide
🌐 VPC Overview
What is a VPC?
- Virtual Private Cloud: Isolated virtual network in AWS
- Software-defined networking: Complete control over the network environment
- Regional service: Spans all AZs in a region
- Encryption: AWS encrypts traffic between its data centers (between AZs and between regions) at the physical layer, and some Nitro-based instance types encrypt instance-to-instance traffic automatically; the VPC itself does not encrypt your application traffic, so still use TLS end to end
- Customizable: IP address ranges, subnets, route tables, gateways
VPC Core Components
Region
├── VPC (10.0.0.0/16)
│ ├── Availability Zone A
│ │ ├── Public Subnet (10.0.1.0/24)
│ │ └── Private Subnet (10.0.101.0/24)
│ ├── Availability Zone B
│ │ ├── Public Subnet (10.0.2.0/24)
│ │ └── Private Subnet (10.0.102.0/24)
│ ├── Internet Gateway
│ ├── NAT Gateway
│ ├── Route Tables
│ └── Security Groups
🏗️ VPC Components in Detail
1. Subnets
Public Subnet:
- Internet access via Internet Gateway (a subnet is "public" because its route table has a route to an IGW, not because of any subnet setting)
- Auto-assign public IPv4: usually enabled
- Route 0.0.0.0/0 → Internet Gateway
Private Subnet:
- No direct internet access (no route to an IGW, no public IPs needed)
- Outbound-only internet via NAT Gateway/Instance
- Application and backend services
Database Subnet:
- Isolated tier for databases
- No NAT Gateway routes (no 0.0.0.0/0 route at all)
- Only internal communication (app tier, VPC endpoints)
2. Route Tables
Main Route Table:
- Applies to every subnet that is not explicitly associated with a custom route table
- Keep it minimal (local route only), so a newly created subnet is private until you decide otherwise
Custom Route Tables:
Public Subnet Route Table:
- 10.0.0.0/16 → local
- 0.0.0.0/0 → Internet Gateway
Private Subnet Route Table:
- 10.0.0.0/16 → local
- 0.0.0.0/0 → NAT Gateway
Routes are matched longest prefix first: the local route always wins for in-VPC destinations, and a more specific route (for example a managed prefix list pointing at a gateway endpoint) overrides 0.0.0.0/0 for just those addresses.
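To make the longest-prefix-match rule concrete, here is an added example (not code from this page or from AWS) that resolves a destination address against the three route tables used in this guide. The gateway and endpoint IDs are placeholders, and the single range standing in for the S3 managed prefix list is an assumption for illustration; real prefix lists hold many ranges.

```python
"""Longest-prefix-match route lookup, modelling how a VPC route table picks a target.

Added example; not code from the page or from AWS. Gateway/endpoint IDs and the
prefix-list contents are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Stand-in for the S3 managed prefix list. One range is enough to show the
# mechanism; the real list contains many. (assumption)
PREFIX_LISTS = {"pl-63a5400a": ["52.216.0.0/15"]}

# Route tables as the console shows them: destination -> target. 'local' is the
# route AWS adds for the VPC CIDR; it cannot be deleted.
PUBLIC_RT = {
    "10.0.0.0/16": "local",
    "0.0.0.0/0": "igw-0123456789abcdef0",
}
PRIVATE_RT = {
    "10.0.0.0/16": "local",
    "pl-63a5400a": "vpce-0a1b2c3d4e5f67890",   # S3 gateway endpoint
    "0.0.0.0/0": "nat-0fedcba9876543210",
}
DB_RT = {
    "10.0.0.0/16": "local",                     # no default route at all
}


def expand(route_table):
    """Replace prefix-list destinations with their CIDRs so every entry is a network."""
    entries = []
    for dest, target in route_table.items():
        for cidr in PREFIX_LISTS.get(dest, [dest]):
            entries.append((ip_network(cidr), target))
    return entries


def resolve(route_table, dst):
    """Target for dst by longest-prefix match, or None when no route matches.

    10.0.0.0/16 -> local beats 0.0.0.0/0 for any 10.0.x.y address, and the
    prefix-list route to the S3 endpoint beats the NAT default route for S3
    addresses only; everything else in the private table goes to the NAT GW.
    """
    addr = ip_address(dst)
    best = None
    for net, target in expand(route_table):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


if __name__ == "__main__":
    for name, rt in [("public", PUBLIC_RT), ("private", PRIVATE_RT), ("db", DB_RT)]:
        for dst in ["10.0.101.7", "52.216.10.10", "1.1.1.1"]:
            print(f"{name:7} {dst:14} -> {resolve(rt, dst)}")
```

The DB table returning None for an internet address is the point of the isolated tier: there is no path out, regardless of what the security group allows.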
3. Internet Gateway (IGW)
Internet Gateway:
Function: Internet access for public subnets, in both directions
Characteristics:
- One per VPC (attached to the VPC, not to a subnet)
- Horizontally scaled, redundant, highly available; imposes no bandwidth constraints
- Not a firewall: it neither filters nor tracks connections (that is the job of security groups and NACLs)
- Performs one-to-one NAT between an instance's private IPv4 address and its public or Elastic IP
4. NAT Gateway vs NAT Instance
| Feature | NAT Gateway | NAT Instance |
|---|---|---|
| Availability | Redundant within its AZ; deploy one per AZ so an AZ outage does not take down egress for the others | Single point of failure unless you script failover |
| Bandwidth | 5 Gbps, scales automatically up to 100 Gbps | Depends on instance type |
| Maintenance | Managed by AWS | User managed (patching, sizing) |
| Cost | Hourly + per-GB processed | Instance price (plus ops overhead) |
| Security Groups | Cannot assign (control with NACLs and the clients' SGs) | Can assign |
| Source/destination check | Not applicable | Must be disabled on the instance |
| Bastion Host | No | Yes (can be configured) |
🔒 Security Groups vs NACLs
Security Groups (Instance-level)
Security Groups:
Type: Stateful firewall
Level: Instance (ENI) level
Rules: Allow rules only (no deny; anything not allowed is implicitly dropped)
Return Traffic: Automatically allowed (connection tracking)
Default: A new custom SG allows all outbound and no inbound; the VPC's default SG additionally allows inbound from members of the same SG
Example Security Group:
Web Tier SG:
Inbound:
- Port 80 from 0.0.0.0/0 (HTTP)
- Port 443 from 0.0.0.0/0 (HTTPS)
- Port 22 from Bastion-SG (SSH, referenced by security group ID rather than CIDR)
Outbound:
- All traffic to 0.0.0.0/0
Network ACLs (Subnet-level)
Network ACLs:
Type: Stateless firewall
Level: Subnet level (each subnet has exactly one NACL; one NACL can serve many subnets)
Rules: Allow and Deny rules, evaluated in ascending rule number; the first match wins
Return Traffic: Must be explicitly allowed, i.e. the ephemeral port range (1024-65535) must be open in the opposite direction
Default: The VPC's default NACL allows all inbound and outbound; a newly created custom NACL denies everything until rules are added
Example NACL:
Public Subnet NACL:
Inbound:
- Rule 100: Allow HTTP (80) from 0.0.0.0/0
- Rule 110: Allow HTTPS (443) from 0.0.0.0/0
- Rule 120: Allow SSH (22) from corporate IP
- Rule * (shown as 32767): Deny all; implicit and cannot be removed
Outbound:
- Rule 100: Allow all to 0.0.0.0/0
If you restrict outbound to 80/443 instead, replies to inbound web requests (which go back to the client's ephemeral port) are dropped; add an outbound allow for 1024-65535.
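The stateful/stateless difference is easiest to see by pushing a request and its reply through both filters. The following is an added example, not code from this page or from AWS: it models the web-tier security group and the public-subnet NACL above and shows why a NACL without an ephemeral-port rule breaks return traffic while a security group with no outbound rules at all still lets replies out. The bastion SG reference is replaced by an assumed bastion CIDR, and the corporate and scanner ranges are constructed.

```python
"""Stateful security-group vs stateless NACL filtering, simulated offline.

Added example; not code from the page or from AWS. Rules mirror the web-tier SG
and public-subnet NACL above; the bastion SG reference becomes an assumed CIDR.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def reply(self):
        """The responder's packet: addresses and ports swapped."""
        return Packet(self.dst, self.src, self.dport, self.sport, self.proto)

    def key(self):
        return (self.src, self.dst, self.sport, self.dport, self.proto)


def rule_matches(proto, lo, hi, cidr, pkt, peer):
    """Rule (protocol, port range, CIDR) against the packet's destination port and peer address."""
    return (proto in ("all", pkt.proto) and lo <= pkt.dport <= hi
            and ip_address(peer) in ip_network(cidr))


class SecurityGroup:
    """Allow rules only, all rules evaluated, stateful: the reply to an allowed
    flow is permitted whatever the rules in the other direction say."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound  # [(proto, lo, hi, cidr)]
        self.tracked = set()                             # reverse 5-tuples we expect back

    def allows(self, pkt, direction):
        if pkt.key() in self.tracked:
            return True                                  # connection-tracked return traffic
        rules, peer = ((self.inbound, pkt.src) if direction == "in"
                       else (self.outbound, pkt.dst))
        ok = any(rule_matches(*r, pkt, peer) for r in rules)
        if ok:
            self.tracked.add(pkt.reply().key())
        return ok


class NetworkAcl:
    """Numbered allow/deny rules, lowest matching number wins, no state:
    the reply must itself match a rule in the opposite direction."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound)    # [(number, action, proto, lo, hi, cidr)]
        self.outbound = sorted(outbound)

    def allows(self, pkt, direction):
        rules, peer = ((self.inbound, pkt.src) if direction == "in"
                       else (self.outbound, pkt.dst))
        for _num, action, proto, lo, hi, cidr in rules:
            if rule_matches(proto, lo, hi, cidr, pkt, peer):
                return action == "allow"
        return False                      # the trailing '*' rule denies anything unmatched


def web_sg():
    return SecurityGroup(
        inbound=[("tcp", 80, 80, "0.0.0.0/0"), ("tcp", 443, 443, "0.0.0.0/0"),
                 ("tcp", 22, 22, "10.0.0.0/16")],          # bastion CIDR (assumed)
        outbound=[("all", 0, 65535, "0.0.0.0/0")])


INBOUND = [(100, "allow", "tcp", 80, 80, "0.0.0.0/0"),
           (110, "allow", "tcp", 443, 443, "0.0.0.0/0"),
           (120, "allow", "tcp", 22, 22, "198.51.100.0/24")]   # corporate range (constructed)

# The page's NACL: outbound rule 100 allows everything, so replies get out.
PAGE_NACL = NetworkAcl(INBOUND, [(100, "allow", "all", 0, 65535, "0.0.0.0/0")])
# Common mistake: "lock down" outbound to 443 only; replies to inbound HTTPS
# go to the client's ephemeral port and are dropped.
TIGHT_NACL = NetworkAcl(INBOUND, [(100, "allow", "tcp", 443, 443, "0.0.0.0/0")])
# Fix: an outbound rule for the ephemeral port range carries the return traffic.
FIXED_NACL = NetworkAcl(INBOUND, [(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
                                  (110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")])
# Deny is something only a NACL can express: block a scanner range ahead of the allows.
BLOCK_NACL = NetworkAcl([(90, "deny", "all", 0, 65535, "203.0.113.0/24")] + INBOUND,
                        [(100, "allow", "all", 0, 65535, "0.0.0.0/0")])


def https_session(sg, nacl, client="203.0.113.9", server="10.0.1.10"):
    """Client -> server TCP/443 request, then the server's reply.
    Returns (request_allowed, reply_allowed)."""
    req = Packet(client, server, 51515, 443)
    req_ok = nacl.allows(req, "in") and sg.allows(req, "in")
    rep = req.reply()
    rep_ok = req_ok and nacl.allows(rep, "out") and sg.allows(rep, "out")
    return req_ok, rep_ok


if __name__ == "__main__":
    for name, nacl in [("page", PAGE_NACL), ("tight", TIGHT_NACL),
                       ("fixed", FIXED_NACL), ("block", BLOCK_NACL)]:
        print(name, https_session(web_sg(), nacl))
```

Running the same session through a security group whose outbound list is empty still returns (True, True), because the reply is matched by connection tracking rather than by a rule; that asymmetry is the whole reason NACLs need the ephemeral-port rule and security groups do not.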
Security Layers Best Practice
Internet
↓
[Internet Gateway]
↓
[Public NACL] → [Web Tier Security Group] → [Web Servers]
↓
[Private NACL] → [App Tier Security Group] → [App Servers]
↓
[DB NACL] → [Database Security Group] → [Databases]
🔗 VPC Connectivity
VPC Peering
VPC Peering:
Purpose: Connect two VPCs privately
Routing: Non-transitive
Region: Same or cross-region
Account: Same or cross-account
Limitations:
- No overlapping CIDR blocks
- No transitive routing
- No edge-to-edge routing
Example:
VPC-A (10.0.0.0/16) ↔ VPC-B (10.1.0.0/16)
Route in VPC-A: 10.1.0.0/16 → PCX-12345
Route in VPC-B: 10.0.0.0/16 → PCX-12345
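Two pre-flight checks a practitioner does before requesting a peering are whether the CIDRs overlap (AWS rejects the request if they do) and which routes each side must add afterwards, since the peering connection creates no routes by itself. The block below is an added example, not code from this page or from AWS, with constructed VPC IDs, CIDRs and peering IDs; it also encodes the non-transitive rule, so A↔B plus B↔C does not give A→C, which is exactly what a Transit Gateway hub provides.

```python
"""VPC peering planning: CIDR overlap check, route generation, non-transitive reachability.

Added example; not code from the page or from AWS. IDs and CIDRs are constructed.
"""
from ipaddress import ip_network
from itertools import combinations

VPCS = {
    "vpc-a": "10.0.0.0/16",
    "vpc-b": "10.1.0.0/16",
    "vpc-c": "10.2.0.0/16",
    "vpc-d": "10.0.128.0/17",   # deliberately inside vpc-a's range
}

# Existing peering connections (constructed IDs): A<->B and B<->C only.
PEERINGS = {"pcx-0a1b": ("vpc-a", "vpc-b"), "pcx-0b1c": ("vpc-b", "vpc-c")}


def overlapping(vpcs):
    """Pairs whose CIDRs overlap; a peering request between them is rejected."""
    return [(a, b) for a, b in combinations(vpcs, 2)
            if ip_network(vpcs[a]).overlaps(ip_network(vpcs[b]))]


def peering_routes(vpcs, peerings):
    """Routes each side must add to its route tables: (destination CIDR, target pcx)."""
    routes = {}
    for pcx, (a, b) in peerings.items():
        routes.setdefault(a, []).append((vpcs[b], pcx))
        routes.setdefault(b, []).append((vpcs[a], pcx))
    return routes


def reachable_via_peering(src, dst, peerings):
    """True only when one peering directly joins src and dst.

    Peering is non-transitive: traffic from A never crosses B to reach C,
    even if B has routes to both, so A<->B plus B<->C leaves A and C apart.
    """
    return any({src, dst} == {a, b} for a, b in peerings.values())


def reachable_via_tgw(src, dst, attachments):
    """With a Transit Gateway every attached VPC can reach every other one,
    subject only to the TGW route table (modelled here as 'all attached')."""
    return src != dst and src in attachments and dst in attachments


if __name__ == "__main__":
    print("overlaps:", overlapping(VPCS))
    for vpc, routes in peering_routes(VPCS, PEERINGS).items():
        print(vpc, routes)
    print("A->C via peering:", reachable_via_peering("vpc-a", "vpc-c", PEERINGS))
    print("A->C via TGW:", reachable_via_tgw("vpc-a", "vpc-c", {"vpc-a", "vpc-b", "vpc-c"}))
```

Note that the routes come out per VPC, not per route table: in a real VPC you add them to every route table whose subnets need the peer, and the peer side's security groups must still allow the traffic.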
Transit Gateway
Transit Gateway:
Purpose: Central hub for multiple VPCs, VPNs and Direct Connect gateways; transitive routing through the hub
Scalability: Up to 5,000 attachments per Transit Gateway
Routing: Configurable TGW route tables, which also let you segment attachments (for example, spokes that may reach shared services but not each other)
Cross-region: Supported via TGW peering
Architecture:
VPC-A ──┐
VPC-B ──┤
VPC-C ──┼── Transit Gateway ──── On-premises
VPC-D ──┤
VPC-E ──┘
VPN Connections
Site-to-Site VPN:
Components:
- Virtual Private Gateway (VGW) or Transit Gateway
- Customer Gateway (CGW)
- VPN Tunnels (2 for redundancy)
BGP Support: Dynamic routing
Static Routing: Manual route configuration
Bandwidth: Up to 1.25 Gbps per tunnel
Client VPN:
Purpose: Remote user access
Authentication: Active Directory, SAML, certificate
Split tunneling: Route specific traffic through VPN
Direct Connect
Direct Connect:
Purpose: Dedicated network connection from on-premises to AWS, bypassing the public internet
Bandwidth: Dedicated connections of 1, 10 or 100 Gbps; hosted connections from 50 Mbps to 25 Gbps
Consistency: Predictable performance
Cost: Lower data transfer costs
Security: Not encrypted by default; use MACsec (on supported ports) or run a Site-to-Site VPN over the connection when encryption is required
Virtual Interfaces (VIFs):
Private VIF: Access VPC resources (via a VGW or Direct Connect gateway)
Public VIF: Access AWS public services (S3, DynamoDB public endpoints)
Transit VIF: Connect to a Transit Gateway through a Direct Connect gateway
🌍 Multi-AZ & Multi-Region Design
High Availability Architecture
Production VPC Design:
Region: us-east-1
CIDR: 10.0.0.0/16
AZ-1a:
Public: 10.0.1.0/24 (Web tier)
Private: 10.0.101.0/24 (App tier)
DB: 10.0.201.0/24 (Database tier)
AZ-1b:
Public: 10.0.2.0/24 (Web tier)
Private: 10.0.102.0/24 (App tier)
DB: 10.0.202.0/24 (Database tier)
AZ-1c:
Public: 10.0.3.0/24 (Web tier)
Private: 10.0.103.0/24 (App tier)
DB: 10.0.203.0/24 (Database tier)
Cross-Region Connectivity
Multi-Region Setup:
Primary Region: us-east-1 (10.0.0.0/16)
DR Region: us-west-2 (10.1.0.0/16)
Connectivity Options:
- VPC Peering (cross-region)
- Transit Gateway (cross-region peering)
- VPN over internet
- Direct Connect (multiple locations)
📊 VPC Flow Logs
What are Flow Logs?
VPC Flow Logs:
Purpose: Network traffic monitoring (metadata of IP flows, not packet payloads; records are aggregated per capture window, not emitted per packet)
Scope: VPC, Subnet, or ENI level (Transit Gateway flow logs also exist)
Format: Default or custom (custom adds fields such as pkt-srcaddr, tcp-flags, flow-direction, vpc-id)
Destination: CloudWatch Logs, S3, Amazon Data Firehose (formerly Kinesis Data Firehose)
Not captured: traffic to the Amazon DNS resolver, instance metadata (169.254.169.254), DHCP, and the default VPC router
Default Format (14 fields):
version account-id interface-id srcaddr dstaddr srcport dstport
protocol packets bytes start end action log-status
action is ACCEPT or REJECT; a REJECT does not tell you whether a security group or a NACL dropped the flow.
Flow Log Analysis
# CloudWatch Logs Insights query: top sources of rejected flows
fields @timestamp, srcaddr, dstaddr, action, protocol
| filter action = "REJECT"
| stats count(*) as rejects by srcaddr
| sort rejects desc
| limit 10
Security Use Cases
Security Monitoring:
- Detect unusual traffic patterns
- Identify rejected connections
- Monitor data transfer volumes
- Audit network access
Performance Analysis:
- Network utilization
- Bandwidth consumption
- Connection patterns
- Troubleshoot connectivity issues
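The detections listed above (rejected connections, unusual patterns, transfer volumes) are a few lines of code once the default 14-field record is parsed. The following is an added example, not code from this page or from AWS: the log lines are constructed to look like default-format records (including a NODATA record that must be skipped), and the functions answer the same question as the Insights query plus two more a security operations team would ask.

```python
"""Parse VPC Flow Logs (default format) and pull out security signals.

Added example; not code from the page or from AWS. The log lines below are
constructed to resemble version-2 default-format records (14 fields).
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.10 51515 443 6 12 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 40001 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 40002 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 40003 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 40004 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.101.7 10.0.201.5 50000 3306 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.201.5 52.216.10.10 44000 443 6 500 800000000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse(text):
    """Default-format records as dicts; NODATA/SKIPDATA records carry no traffic fields and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for f in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def top_rejected_sources(records, n=10):
    """Same question as the Insights query above: who is being rejected most."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT").most_common(n)


def port_scanners(records, min_ports=3):
    """Sources whose rejected flows touch many distinct destination ports in the window."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def egress_bytes(records, internal="10.0.0.0/16"):
    """Bytes sent from VPC addresses to addresses outside the VPC CIDR.

    Useful both for exfiltration baselines and for explaining NAT Gateway
    data-processing charges; the sample shows the DB tier sending 800 MB out."""
    net = ip_network(internal)
    return sum(r["bytes"] for r in records
               if ip_address(r["srcaddr"]) in net and ip_address(r["dstaddr"]) not in net)


if __name__ == "__main__":
    recs = parse(SAMPLE)
    print("records:", len(recs))
    print("top rejected:", top_rejected_sources(recs))
    print("scanners:", port_scanners(recs))
    print("egress bytes:", egress_bytes(recs))
```

The DB-tier record sending 800 MB to an external address is the kind of line that should never appear for a subnet with no 0.0.0.0/0 route; if it does, check the route table and the gateway endpoint policy before assuming the data went where it was supposed to.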
🔧 VPC Endpoints
Gateway Endpoints
Gateway Endpoints:
Services: S3 and DynamoDB only
Route: A route-table entry whose destination is the service's managed prefix list (pl-xxxx) and whose target is the endpoint; traffic never leaves the AWS network
Cost: Free
Scope: Same region only; not reachable from peered VPCs, VPN or Direct Connect
Configuration:
Route Table Entry:
pl-12345678 (S3) → vpce-gateway-id
Interface Endpoints (PrivateLink)
Interface Endpoints:
Services: Most AWS services, plus your own or third-party services exposed through PrivateLink
Technology: AWS PrivateLink (an ENI with a private IP in each chosen subnet)
Cost: Hourly charge per endpoint per AZ + per-GB data processing
Scope: Regional; private DNS makes the service's normal hostname resolve to the endpoint IPs, and unlike gateway endpoints it is reachable over peering, VPN and Direct Connect
Example Services:
- EC2, ECS, EKS
- Lambda, API Gateway
- SNS, SQS, Kinesis
- Secrets Manager, KMS
- SSM, ssmmessages, ec2messages (Session Manager from subnets without NAT)
Interface Endpoint Configuration
```json
{
  "VpcEndpointType": "Interface",
  "ServiceName": "com.amazonaws.us-east-1.ec2",
  "VpcId": "vpc-12345678",
  "SubnetIds": ["subnet-12345678", "subnet-87654321"],
  "SecurityGroupIds": ["sg-12345678"],
  "PolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": "*",
      "Action": "ec2:DescribeInstances",
      "Resource": "*"
    }]
  }
}
```
Caveats:
- "Principal": "*" in an endpoint policy means any principal whose requests traverse this endpoint, including credentials from other accounts used from inside your VPC; add a Condition on aws:PrincipalOrgID (or aws:PrincipalAccount) to limit it to your own organization.
- The endpoint policy only narrows what can be done through the endpoint; IAM policies and resource policies still apply.
- The endpoint's security group must allow inbound TCP/443 from the consumers' security groups or subnets, or API calls through it will hang.
💰 VPC Pricing
Cost Components
VPC Costs (free):
VPC itself: Free
Subnets: Free
Route Tables: Free
Security Groups: Free
NACLs: Free
Paid Components (us-east-1 list prices; check the current price list for your region):
NAT Gateway: $0.045/hour per gateway + $0.045/GB processed
Interface VPC Endpoints: $0.01/hour per endpoint per AZ + $0.01/GB processed (gateway endpoints for S3/DynamoDB are free)
Site-to-Site VPN: $0.05/hour per VPN connection (each connection includes two tunnels)
Direct Connect: Port-hour fees + data transfer out
Traffic Mirroring: $0.015/hour per mirrored ENI (source)
Also charged: public IPv4 addresses, and data transfer between AZs and between regions
Cost Optimization
NAT Gateway Optimization:
- Use single NAT Gateway per AZ (not per subnet)
- Consider NAT Instances for low traffic
- S3 Gateway Endpoint (free vs NAT costs)
VPC Endpoint Strategy:
- Gateway Endpoints for S3/DynamoDB
- Interface Endpoints for frequently used services
- Consolidate endpoints across subnets
🛠️ Troubleshooting Network Issues
Common Connectivity Problems
Cannot reach internet from public subnet:
Check: Internet Gateway attached to the VPC
Check: Route to 0.0.0.0/0 via IGW in the subnet's route table
Check: Security Group allows outbound
Check: NACL allows traffic in both directions (ephemeral ports)
Check: Instance has a public or Elastic IP
Cannot reach internet from private subnet:
Check: NAT Gateway is in a public subnet whose route table sends 0.0.0.0/0 to the IGW
Check: Private subnet's route table sends 0.0.0.0/0 to the NAT Gateway
Check: NAT Gateway has an Elastic IP
Check: Security Groups and NACLs (the NAT Gateway has no SG; the NACLs of both subnets apply)
Cannot connect between subnets:
Check: Route tables (local routes)
Check: Security Groups (cross-references by SG ID)
Check: NACLs (stateless rules, both directions)
Check: Application-level issues (service listening, host firewall)
Network Troubleshooting Tools
```bash
# VPC Reachability Analyzer: define a path, run an analysis, read the verdict.
# The nip-/nia- IDs are placeholders; use the IDs returned by the previous command.
aws ec2 create-network-insights-path \
  --source i-1234567890abcdef0 \
  --destination i-0987654321fedcba0 \
  --protocol tcp --destination-port 22
aws ec2 start-network-insights-analysis \
  --network-insights-path-id nip-0123456789abcdef0
aws ec2 describe-network-insights-analyses \
  --network-insights-analysis-ids nia-0123456789abcdef0 \
  --query 'NetworkInsightsAnalyses[0].[Status,NetworkPathFound,Explanations]'

# Flow Logs analysis: rejected SSH (tcp/22) flows in the default-format log group
aws logs filter-log-events \
  --log-group-name VPCFlowLogs \
  --filter-pattern '[version, account, eni, source, destination, srcport, destport="22", protocol="6", packets, bytes, start, end, action="REJECT", flowlogstatus]'

# Network testing from an instance
curl -I --max-time 5 https://aws.amazon.com   # Test internet connectivity (HTTPS egress)
nc -zv 10.0.1.100 22                          # Test a specific port (SG/NACL/listener)
traceroute 8.8.8.8                            # Trace the route path (ICMP/UDP must be allowed)
```
🚀 VPC Best Practices
Network Design
- Plan CIDR blocks: Avoid overlaps with other VPCs and on-premises ranges, allow for growth
- Multi-AZ deployment: Always deploy across multiple AZs
- Tiered architecture: Separate web, app, database tiers
- Least privilege: Restrictive Security Groups and NACLs
- Monitor traffic: Enable Flow Logs
Security
- Defense in depth: Multiple security layers
- Private subnets: Keep databases private
- Bastion hosts: Controlled access to private resources; prefer SSM Session Manager or EC2 Instance Connect Endpoint, which need no inbound SSH rule or public IP
- VPC Endpoints: Avoid internet routing for AWS services
- Regular audits: Review security group rules (0.0.0.0/0 on anything but 80/443 is a finding)
Performance
- Placement groups: Co-locate instances when needed
- Enhanced networking: SR-IOV (ENA) for high performance
- Instance types: Choose appropriate network performance
- Monitor metrics: CloudWatch network metrics
- Optimize routes: Efficient routing paths
📝 Exam Tips for AWS SAA
Key Scenarios
Multi-tier application:
Solution: Public/Private/DB subnets with appropriate SGs
Hybrid connectivity:
Options: VPN (quick), Direct Connect (dedicated)
Cross-VPC communication:
Options: VPC Peering (simple), Transit Gateway (scalable)
Private AWS service access:
Solution: VPC Endpoints (S3/DynamoDB Gateway, others Interface)
Common Patterns
- Web application: ALB → Web tier → App tier → Database
- Microservices: Service mesh with Transit Gateway
- Data processing: Private subnets with VPC Endpoints
- Hybrid cloud: Direct Connect + Transit Gateway
📖 Summary
Amazon VPC provides an isolated, secure, and scalable networking environment with:
- Complete network control over IP addressing, routing, security
- Multiple connectivity options for hybrid and multi-VPC architectures
- Comprehensive security with Security Groups and NACLs
- High availability across multiple AZs
- Cost-effective solutions for different use cases
A clear understanding of VPC components, security models, and connectivity patterns is fundamental for the AWS Solutions Architect Associate exam.