Q1. What is Amazon Virtual Private Cloud?
Amazon VPC lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address ranges, creation of subnets, and configuration of route tables and network gateways. You can also create a hardware Virtual Private Network (VPN) connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.
You can easily customize the network configuration for your Amazon VPC. For example, you can create a public-facing subnet for your web servers that have access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.
Q2. What are the components of Amazon VPC?
Amazon VPC comprises a variety of objects that will be familiar to customers with existing networks:
- A Virtual Private Cloud: A logically isolated virtual network in the AWS cloud. You define a VPC’s IP address space from ranges you select.
- Subnet: A segment of a VPC’s IP address range where you can place groups of isolated resources.
- Internet Gateway: The Amazon VPC side of a connection to the public Internet.
- NAT Gateway: A highly available, managed Network Address Translation (NAT) service for your resources in a private subnet to access the Internet.
- Hardware VPN Connection: A hardware-based VPN connection between your Amazon VPC and your datacenter, home network, or co-location facility.
- Virtual Private Gateway: The Amazon VPC side of a VPN connection.
- Customer Gateway: Your side of a VPN connection.
- Router: Routers interconnect subnets and direct traffic between Internet gateways, virtual private gateways, NAT gateways, and subnets.
- Peering Connection: A peering connection enables you to route traffic via private IP addresses between two peered VPCs.
- VPC Endpoints: Enables private connectivity to services hosted in AWS, from within your VPC, without using an Internet Gateway, VPN, Network Address Translation (NAT) devices, or firewall proxies.
- Egress-only Internet Gateway: A stateful gateway to provide egress only access for IPv6 traffic from the VPC to the Internet.
Q3. What are the connectivity options for my VPC?
You may connect your VPC to:
- The Internet (via an Internet gateway)
- Your corporate data center using a Hardware VPN connection (via the virtual private gateway)
- Both the Internet and your corporate data center (utilizing both an Internet gateway and a virtual private gateway)
- Other AWS services (via Internet gateway, NAT, virtual private gateway, or VPC endpoints)
- Other VPCs (via VPC peering connections)
Q4. How do I connect my VPC to the Internet?
Amazon VPC supports the creation of an Internet gateway. This gateway enables Amazon EC2 instances in the VPC to directly access the Internet.
Q5. What are the differences between security groups in a VPC and network ACLs in a VPC?
Security groups in a VPC specify which traffic is allowed to or from an Amazon EC2 instance. Network ACLs operate at the subnet level and evaluate traffic entering and exiting a subnet. Network ACLs can be used to set both Allow and Deny rules. Network ACLs do not filter traffic between instances in the same subnet. In addition, network ACLs perform stateless filtering while security groups perform stateful filtering.
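The stateless-versus-stateful distinction above is easiest to see in code. The following is an added example (not from this FAQ or from AWS): it simulates ordered network ACL evaluation for both legs of a TCP connection and contrasts it with a stateful security group check; all rule numbers, CIDRs and ports are constructed sample values.

```python
# Added example, not from the FAQ: simulate the stateless network ACL
# evaluation described above against a stateful security group check.
# All rule numbers, CIDRs and ports are constructed sample values.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class NaclRule:
    number: int      # NACL rules are evaluated lowest number first
    action: str      # "allow" or "deny"
    cidr: str
    port_from: int
    port_to: int

def nacl_evaluate(rules, addr, port):
    """First matching rule wins; anything unmatched hits the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        in_cidr = ip_address(addr) in ip_network(rule.cidr)
        if in_cidr and rule.port_from <= port <= rule.port_to:
            return rule.action == "allow"
    return False

def nacl_allows_tcp(inbound, outbound, client_ip, server_port, client_port):
    """Stateless: the request (inbound to server_port) and the reply (outbound
    to the client's ephemeral port) are evaluated independently."""
    return (nacl_evaluate(inbound, client_ip, server_port)
            and nacl_evaluate(outbound, client_ip, client_port))

def sg_allows_tcp(inbound, client_ip, server_port):
    """Stateful: security groups are allow-only and unordered; an allowed
    request implies its reply is allowed, so only the request is checked."""
    return any(ip_address(client_ip) in ip_network(cidr) and lo <= server_port <= hi
               for cidr, lo, hi in inbound)

# Constructed rules for a subnet hosting an HTTPS server.
NACL_IN = [NaclRule(50, "deny", "203.0.113.0/24", 443, 443),   # block one range
           NaclRule(100, "allow", "0.0.0.0/0", 443, 443)]
NACL_OUT_BROKEN = [NaclRule(100, "allow", "0.0.0.0/0", 443, 443)]   # no reply leg
NACL_OUT_FIXED = [NaclRule(100, "allow", "0.0.0.0/0", 1024, 65535)]  # ephemeral ports
SG_IN = [("0.0.0.0/0", 443, 443)]

if __name__ == "__main__":
    print(nacl_allows_tcp(NACL_IN, NACL_OUT_BROKEN, "198.51.100.9", 443, 51234))  # False
    print(nacl_allows_tcp(NACL_IN, NACL_OUT_FIXED, "198.51.100.9", 443, 51234))   # True
    print(nacl_allows_tcp(NACL_IN, NACL_OUT_FIXED, "203.0.113.7", 443, 51234))    # False
    print(sg_allows_tcp(SG_IN, "203.0.113.7", 443))                                # True
```

The "broken" outbound ACL is the common mistake: the request is allowed in, but the server's reply to the client's ephemeral port is dropped because a stateless ACL never remembers the inbound connection.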
Q6. How do instances in a VPC access the Internet?
You can use public IP addresses, including Elastic IP addresses (EIPs), to give instances in the VPC the ability to both directly communicate outbound to the Internet and to receive unsolicited inbound traffic from the Internet (e.g., web servers). You can also use the solutions in the next question.
Q7. How does a hardware VPN connection work with Amazon VPC?
A hardware VPN connection connects your VPC to your datacenter. Amazon supports Internet Protocol security (IPsec) VPN connections. Data transferred between your VPC and datacenter routes over an encrypted VPN connection to help maintain the confidentiality and integrity of data in transit. An Internet gateway is not required to establish a hardware VPN connection.
Q8. What is IPsec?
IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream.
Q9. Which customer gateway devices can I use to connect to Amazon VPC?
There are two types of VPN connections that you can create: statically-routed VPN connections and dynamically-routed VPN connections. Customer gateway devices supporting statically-routed VPN connections must be able to:
- Establish IKE Security Association using Pre-Shared Keys
- Establish IPsec Security Associations in Tunnel mode
- Utilize the AES 128-bit or 256-bit encryption function
- Utilize the SHA-1 or SHA-2 (256) hashing function
- Utilize Diffie-Hellman (DH) Perfect Forward Secrecy in “Group 2” mode, or one of the additional DH groups we support
- Perform packet fragmentation prior to encryption
In addition to the above capabilities, devices supporting dynamically-routed VPN connections must be able to:
- Establish Border Gateway Protocol (BGP) peerings
- Bind tunnels to logical interfaces (route-based VPN)
- Utilize IPsec Dead Peer Detection
Q10. What is the approximate maximum throughput of a VPN connection?
VGW supports IPsec VPN throughput up to 1.25 Gbps. Multiple VPN connections to the same VPC are cumulatively bound by the VGW throughput of 1.25 Gbps.
Q11. What factors affect the throughput of my VPN connection?
VPN connection throughput can depend on multiple factors, such as the capability of your Customer Gateway (CGW), the capacity of your connection, average packet size, the protocol being used (TCP vs. UDP), and the network latency between your CGW and the Virtual Private Gateway (VGW).
Q12. What tools are available to me to help troubleshoot my Hardware VPN configuration?
The DescribeVPNConnection API displays the status of the VPN connection, including the state (“up”/”down”) of each VPN tunnel and corresponding error messages if either tunnel is “down”. This information is also displayed in the AWS Management Console.
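As an added example (not from this FAQ and not AWS code), the following script triages the per-tunnel telemetry that the DescribeVpnConnections API returns, flagging DOWN tunnels with their status message, lost redundancy, and UP tunnels that have accepted no routes. The response is a constructed sample in the shape of the API's VgwTelemetry list; the connection IDs, addresses and message text are placeholders.

```python
# Added example, not from the FAQ: triage the tunnel telemetry returned by
# the DescribeVpnConnections API (boto3: ec2.describe_vpn_connections()).
# The response below is a constructed sample in the shape of that API's
# VgwTelemetry list; the IDs, addresses and message text are not real.
import json

SAMPLE_RESPONSE = json.loads("""
{"VpnConnections": [
  {"VpnConnectionId": "vpn-0123456789abcdef0", "State": "available",
   "VgwTelemetry": [
     {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
      "StatusMessage": "", "AcceptedRouteCount": 3},
     {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
      "StatusMessage": "(constructed) IPsec SA not established",
      "AcceptedRouteCount": 0}]},
  {"VpnConnectionId": "vpn-0fedcba9876543210", "State": "available",
   "VgwTelemetry": [
     {"OutsideIpAddress": "203.0.113.20", "Status": "UP",
      "StatusMessage": "", "AcceptedRouteCount": 0},
     {"OutsideIpAddress": "203.0.113.21", "Status": "UP",
      "StatusMessage": "", "AcceptedRouteCount": 0}]}]}
""")

def triage_vpn(response):
    """Return {connection id: list of findings}. Every tunnel DOWN means the
    connection is lost; one tunnel DOWN means redundancy is lost; an UP tunnel
    with no accepted routes suggests BGP is not exchanging routes (dynamic VPNs)."""
    findings = {}
    for conn in response["VpnConnections"]:
        notes = []
        tunnels = conn.get("VgwTelemetry", [])
        down = [t for t in tunnels if t["Status"] != "UP"]
        for t in down:
            msg = t.get("StatusMessage") or "no message"
            notes.append(f"tunnel {t['OutsideIpAddress']} DOWN: {msg}")
        if tunnels and len(down) == len(tunnels):
            notes.append("CRITICAL: all tunnels down")
        elif down:
            notes.append("WARNING: running without tunnel redundancy")
        for t in tunnels:
            if t["Status"] == "UP" and t.get("AcceptedRouteCount", 0) == 0:
                notes.append(f"tunnel {t['OutsideIpAddress']} UP but 0 accepted routes")
        findings[conn["VpnConnectionId"]] = notes
    return findings

if __name__ == "__main__":
    for conn_id, notes in triage_vpn(SAMPLE_RESPONSE).items():
        print(conn_id, *notes, sep="\n  ")
```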
Q13. How do I connect a VPC to my corporate datacenter?
Establishing a hardware VPN connection between your existing network and Amazon VPC allows you to interact with Amazon EC2 instances within a VPC as if they were within your existing network. AWS does not perform network address translation (NAT) on Amazon EC2 instances within a VPC accessed via a hardware VPN connection.
Q14. Can I NAT my CGW behind a router or firewall?
Yes, you will need to enable NAT-T and open UDP port 4500 on your NAT device.
Q15. What IP address do I use for my CGW address?
You will use the public IP address of your NAT device.
Q16. How do I disable NAT-T on my connection?
You will need to disable NAT-T on your device. If you don’t plan on using NAT-T and it is not disabled on your device, we will attempt to establish a tunnel over UDP port 4500. If that port is not open the tunnel will not establish.
Q17. Can Amazon EC2 instances within a VPC communicate with Amazon EC2 instances not within a VPC?
Yes. If an Internet gateway has been configured, Amazon VPC traffic bound for Amazon EC2 instances not within a VPC traverses the Internet gateway and then enters the public AWS network to reach the EC2 instance. If an Internet gateway has not been configured, or if the instance is in a subnet configured to route through the virtual private gateway, the traffic traverses the VPN connection, egresses from your datacenter, and then re-enters the public AWS network.