Virtual Private Cloud (VPC) Cheat Sheet

Overview

  • Logically isolated networks

Components

  • VPC
    • a network that may span multiple AZs in a Region
    • with a designated CIDR
  • Subnet
    • a subdivided network within a VPC
    • uses a subset of VPC CIDR
    • must reside within one AZ
  • Route Table
    • a set of routes that direct traffic to different destinations (CIDR, endpoint, etc.)
  • Internet Gateway
    • a managed gateway to be attached to a VPC to allow access to and from the public Internet
    • also requires a wildcard route (0.0.0.0/0) in the subnet's route table pointing to the gateway to enable access
    • subnets with a route pointing to an Internet gateway are often called Public Subnets; the rest are Private Subnets
  • Network Access Control List (NACL)
    • a stateless (must explicitly allow in AND out traffic) IP-port firewall
  • Security Group
    • a stateful (allow one direction and the return traffic is implicitly allowed) port firewall
    • may use a security group ID or an IP range as a source / destination
    • a security group may be attached to many resources (EC2 instances, RDS instances, etc.)
  • Network Address Translation (NAT) Gateway
    • a managed NAT gateway
    • allows instances in Private Subnets to reach the Internet, e.g. to download software or access public services
    • but not the other way around: no inbound connections from the Internet
    • charged hourly plus for traffic
  • Elastic IP (EIP)
    • an AWS-owned public IP address that can be allocated and associated with instances
    • once allocated, an EIP is dedicated to the user until it is released
    • instances with an EIP associated keep their public IP address across reboots
  • PrivateLink
    • a term for the internal networking mechanism that lets users access AWS services without going through the public Internet
  • VPC Endpoint
    • a private endpoint powered by PrivateLink that allows private access to S3, DynamoDB, etc.
  • Virtual Gateway
    • a managed gateway used to connect to an outside network using a Virtual Private Network (VPN)
  • Transit Gateway
    • a managed gateway that interconnects multiple VPCs and on-premises networks
  • DirectConnect Gateway
    • a managed gateway that allows access to a DirectConnect connection from any Region
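The Subnet, Route Table, Internet Gateway, NACL and Security Group entries above can be checked mechanically. The following Python is an added example (not from the cheat sheet or from AWS) that runs over a constructed VPC description with hypothetical IDs: it classifies each subnet as public, private-with-NAT or isolated from its wildcard route, verifies each subnet CIDR is a subset of the VPC CIDR, and contrasts a stateful security group with a stateless NACL on whether reply traffic gets through.

```python
import ipaddress

# Constructed sample VPC (hypothetical IDs, not from any real account); the
# shape loosely mirrors what the EC2 describe-* APIs return.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "subnet-web": {"cidr": "10.0.1.0/24", "az": "us-east-1a", "rtb": "rtb-public"},
    "subnet-app": {"cidr": "10.0.2.0/24", "az": "us-east-1b", "rtb": "rtb-private"},
    "subnet-db":  {"cidr": "10.0.3.0/24", "az": "us-east-1b", "rtb": "rtb-isolated"},
    "subnet-bad": {"cidr": "10.1.0.0/24", "az": "us-east-1a", "rtb": "rtb-isolated"},
}
ROUTE_TABLES = {
    "rtb-public":   [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0aaa")],
    "rtb-private":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0bbb")],
    "rtb-isolated": [("10.0.0.0/16", "local"), ("pl-s3", "vpce-0ccc")],
}
# Two firewalls in front of the same inbound HTTPS service: a stateful
# security group and a stateless NACL whose outbound side only allows 443.
FIREWALLS = {
    "sg-web":   {"stateful": True,  "outbound_allow": [(443, 443)]},
    "nacl-web": {"stateful": False, "outbound_allow": [(443, 443)]},
}

def classify_subnet(subnet_id):
    """'public' if the 0.0.0.0/0 route targets an Internet gateway,
    'private-nat' if it targets a NAT gateway, otherwise 'isolated'."""
    for dest, target in ROUTE_TABLES[SUBNETS[subnet_id]["rtb"]]:
        if dest == "0.0.0.0/0":
            if target.startswith("igw-"):
                return "public"
            if target.startswith("nat-"):
                return "private-nat"
    return "isolated"

def subnet_in_vpc(subnet_id):
    """A subnet CIDR must be a subset of the VPC CIDR."""
    net = ipaddress.ip_network(SUBNETS[subnet_id]["cidr"])
    return net.subnet_of(ipaddress.ip_network(VPC_CIDR))

def reply_allowed(fw_id, client_port):
    """Can the server's reply go back to the client's source port?
    Implicit for a stateful security group; a stateless NACL needs an
    explicit outbound rule that covers that port."""
    fw = FIREWALLS[fw_id]
    if fw["stateful"]:
        return True
    return any(lo <= client_port <= hi for lo, hi in fw["outbound_allow"])
```

Running `reply_allowed("nacl-web", 51234)` shows the classic misconfiguration: the inbound 443 allow is useless on a NACL until the outbound side also allows the client's high source port.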