Amazon Virtual Private Cloud (Amazon VPC) allows you to create a virtual network in the AWS cloud computing – no VPNs, hardware, or physical data centers are required. You can define your own network space, and control how your network and the Amazon EC2 resources inside your network are exposed to the Internet.
It creates a virtual network in the AWS cloud that closely resembles a traditional on-premises network. There are many use cases for Amazon VPC, such as,
- Isolation: You can use Amazon VPC to create a virtual network that is isolated from the Internet, providing a high level of security for your resources.
- Network customization: Amazon VPC allows you to create a custom network topology that closely matches your on-premises infrastructure. You can create your own IP address ranges, subnets, and network gateways.
- Hybrid cloud architectures: Amazon VPC enables you to create hybrid cloud architectures, allowing you to connect your on-premises data centers to the AWS cloud using VPN or Direct Connect connections.
- Multi-tier applications: You can use Amazon VPC to create multi-tier applications, with separate subnets for each tier (e.g. web, application, and database) for better security and manageability.
- Security: You can control access to your resources in the VPC through security groups and network ACLs. Also, You can also use AWS Services like Security Group, Network ACLs, VPC Flow Logs, and Security Hub to secure your VPC and all resources running inside your VPC
- Compliance and Auditing: you can use Amazon VPC to meet compliance and regulatory requirements by creating isolated networks and controlling access to your resources.
- Cost optimization: with VPC you have the flexibility to create a different network for different applications and resources and configure it according to your need, which can help you in saving cost,
Overall, Amazon VPC provides a flexible and secure way to deploy and run your applications on the AWS cloud and enables you to take advantage of the scalability and reliability of AWS while maintaining control over your network environment.
Now let’s see the several connectivity options available to connect the AWS VPC to other remote networks. Connectivity options in AWS can be broadly categorized into two types.
- Network-to-Amazon VPC connectivity options
- Amazon VPC-to-Amazon VPC connectivity options
In this blog, we will discuss the second type.
2. Amazon VPC-to-Amazon VPC connectivity options
When combining many Amazon VPCs into a bigger virtual network, use these architectural patterns. This is helpful to more quickly link AWS services between Amazon VPCs if you need several VPCs owing to security, billing, presence in multiple regions, or internal charge-back needs. For the purpose of building a corporate network that connects remote networks and various VPCs, you may also combine these patterns with the Network-to-Amazon VPC connectivity options.
The ideal way to achieve VPC connectivity between VPCs is to use non-overlapping IP ranges for each VPC being connected. To link multiple VPCs, for example, make sure that each VPC is set up with its own unique Classless Inter-Domain Routing (CIDR) ranges. As a result, we suggest you assign each VPC a single, contiguous, non-overlapping CIDR block.
Following are various connectivity options for Amazon VPC to Amazon VPC.
a. VPC peering.
A networking connection known as a VPC peering link allows routing between two VPCs using their respective private IP addresses as if they were on the same network. You can establish VPC peering connections with another AWS account’s VPC or with one of your own VPCs. Inter-region peering is also supported through VPC peering.
The VPCs can be in the same region or different regions or even in different AWS accounts. IN VPC peering the data travels privately on the global AWS backbone infrastructure. Gateways are not required for this kind of connection..
Figure: VPC peering diagram
Let us understand this with an example, suppose you want to establish VPC peering connection between two VPCs in two different AWS accounts: Account Production and Account Development.
- The owner of the requester VPC sends a VPC peering connection request to the owner of the accepter VOC.
- The owner of the VPC accepts the request and establishes the VPC peering connection.
- Both PVC owners add routes to their VPC route tables. These routes point to the IP address of the other VPC, thus enabling the flow of traffic between the VPCs using the private IP addresses.
- Owners of both the VPCs can also edit their respective security groups to ensure smooth communication between the peered VPCs.
However, we do face some limitations while using VPC peering connections. These are:
- No transitive internet gateway access:
Suppose VPC A and VPC B have peered, VPC B will not have access to the internet gateway in VPC A. VPC B should define its own route to the internet.
- No overlapping private IP address ranges:
- No transitive peering:
Suppose VPC A is peered with VPC B and VPC B is peered with VPC C. In such cases, VPC A does not have direct access to resources in VPC C and vice versa.
- No transitive edge routing through AWS Direct Connect:
Suppose VPC A and VPC B are peered. VPC A is connected to a remote network via AWS Direct Connect. In such a case, the remote network will not have access to VPC B resources.
b. AWS Transit Gateway
AWS Transit Gateway is a single gateway to connect thousands of VPCs and on-premises (remote) networks together. Larger organizations often use thousands of VPCs for various workloads. With the increasing number of VPCs in such an AWS cloud environment, the requirement to interconnect these VPCs together becomes a challenging task. One solution is to implement VPC peering. However, managing point-to-point connectivity introduces operational costs, more time, and cumbersome implementation.
AWS Transit Gateway has a better solution to offer. With AWS Transit Gateway, you have to create and manage a single connection only. It acts as a hub that controls the traffic flow among the connected networks and these connected networks act like spokes. This hub and spoke model is very useful in managing the networks and reducing costs. Each spoke (network) has to be connected to the transit gateway only and not to any other network.
AWS Transit Gateway has transit gateway route tables to manage the communication between the connected networks (spokes). The route table is configured with the source and destination IP addresses of the connected networks (spokes). When traffic comes from one network, it is routed to another network by using the routeing table that matches the destination IP address.
Figure: AWS Transit gateway diagram
AWS Transit Gateway traffic never travels over the public internet and always remains on the global AWS backbone, limiting security vectors including popular vulnerabilities and DDoS attacks.
c. Software site-to-site VPN
Amazon VPC offers flexibility in network routing. This provides the capability to establish private IP-based secure VPN tunnels between two or more software VPN appliances to link numerous VPCs into a larger virtual private network. This enables instances in each VPC to communicate with one another without interruption. We can use our preferred VPN software provider to control both ends of the VPN connection. For communication between the software VPN equipment, this method makes use of an internet gateway connected to each VPC.
Figure: Software site-to-site VPN diagram
d. Software VPN to AWS manages VPN
When connecting multiple VPCs, Amazon VPC gives you the freedom to mix and match the AWS-managed VPN and software VPN options. This approach enables instances in each VPC to effortlessly connect to one another using private IP addresses by establishing secure VPN tunnels between a software VPN appliance and a virtual private gateway. As indicated in the following picture, this approach uses a virtual private gateway in one Amazon VPC and a combination of an internet gateway and software VPN appliance in another Amazon VPC.
Figure: Software VPN to AWS managed VPN peering diagram
e. AWS managed VPN
You can establish an IPsec VPN with Amazon VPC to link your remote networks to your Amazon VPCs over the internet. As demonstrated in the following figures, you can use several VPN connections to transfer traffic from your router between your Amazon VPCs over the internet or AWS Direct Connect.
This method gives you a lot of control and flexibility for managing routing on your local and remote networks, as well as the opportunity to reuse VPN connections, but it is suboptimal from a routing standpoint because the traffic must pass via a router on your network.
Figure: AWS Managed VPN VPC-to-VPC Routing Diagram
Figure: AWS Direct Gateway VPC-to-VPC Routing diagram
f. AWS PrivateLink
You can securely link your VPC to services as though they were inside your VPC using the highly available, scalable AWS PrivateLink connectivity option.
Let us understand this using the following example. We see three VPC interface endpoints and a few EC2 instances in the left side of VPC. The first and topmost VPC endpoint is connected to AWS services. The second VPC endpoint is connected to a service hosted by another AWS account. The third and last VPC endpoint is connected to an AWS Marketplace partner service. This endpoint is called the VPC endpoint service. The traffic travels between your VPC and the target service using private IP addresses. This traffic always remains in the AWS network infrastructure.
The VPC on the left side is called service consumer. We have to create an interface endpoint in this VPC to access the services in this VPC and assign it a private IP address. This interface endpoint creates a network interface (NIC) in the service consumer subnet. Please note connect a custom service to AWS PrivateLink, you have to configure a Network Load Balancer in front of it. Then you connect the VPC interface endpoints to this Network Load Balancer.
Figure: AWS PrivateLink diagram
Figure: AWS PrivateLink with service consumer VPC, service provider VPC, and Load Balancer.
If you want to use services provided by another VPC safely within the AWS network, with all network traffic remaining on the global AWS backbone and never crossing the open internet, it is advised to use this method.
The connectivity options and patterns highlighted in this blog are some of those that customers have used to successfully integrate various Amazon VPC networks or distant networks. Regardless of where your organization is physically located or hosted, you can utilize the information provided here to choose the best method for connecting the infrastructure needed to run it.
Check out this post to learn about Options for Remote Networking to Amazon VPC connectivity.