AWS – VPC Components

Amazon VPC Components


An Amazon VPC peering connection is a networking connection between two Amazon VPCs that enables instances in either Amazon VPC to communicate with each other as if they are within the same network.

A peering connection is neither a gateway nor an Amazon VPN connection and does not introduce a single point of failure for communication.

Peering connections are created through a request/accept protocol.

An Amazon VPC may have multiple peering connections, but any two Amazon VPCs can have only one peering connection between them.

Peering connections do not support transitive routing.

Amazon VPC Components: Peering


  • A user cannot create a peering connection between Amazon VPCs that have matching or overlapping CIDR blocks.
  • A user cannot create a peering connection between Amazon VPCs in different regions.
  • Amazon VPC peering connections do not support transitive routing.
  • A user cannot have more than one peering connection between the same two Amazon VPCs at the same time.
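The four rules above are easy to check mechanically before a peering request is even submitted. The following is an added example, not AWS code or code from the original page: a small Python model in which the VPC identifiers, regions and CIDR blocks are constructed placeholders, and the registry enforces same-region, non-overlapping CIDR, at most one peering per VPC pair, and direct-only (non-transitive) reachability.

```python
"""Constructed model of the VPC peering rules listed above (not AWS code)."""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Vpc:
    vpc_id: str   # placeholder identifiers such as "vpc-a" are constructed
    region: str
    cidr: str

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.cidr)


@dataclass
class PeeringRegistry:
    """Holds accepted peering connections and enforces the four rules."""
    peerings: set = field(default_factory=set)

    def request_peering(self, requester: Vpc, accepter: Vpc) -> str:
        """Apply the rules to a request; return "ok" or a rejection reason."""
        if requester.vpc_id == accepter.vpc_id:
            return "rejected: a VPC cannot peer with itself"
        if requester.region != accepter.region:
            return "rejected: VPCs are in different regions"
        if requester.network.overlaps(accepter.network):
            return "rejected: matching or overlapping CIDR blocks"
        key = frozenset({requester.vpc_id, accepter.vpc_id})
        if key in self.peerings:
            return "rejected: a peering connection already exists between these VPCs"
        # Request/accept succeeded: record the (undirected) peering.
        self.peerings.add(key)
        return "ok"

    def can_reach(self, src: Vpc, dst: Vpc) -> bool:
        """Reachability over peering is direct only: no transitive hops."""
        return frozenset({src.vpc_id, dst.vpc_id}) in self.peerings


# Constructed sample VPCs (RFC 1918 ranges, no real account data).
VPC_A = Vpc("vpc-a", "us-east-1", "10.0.0.0/16")
VPC_B = Vpc("vpc-b", "us-east-1", "10.1.0.0/16")
VPC_C = Vpc("vpc-c", "us-east-1", "10.2.0.0/16")
VPC_D = Vpc("vpc-d", "us-east-1", "10.0.128.0/17")   # overlaps VPC_A
VPC_E = Vpc("vpc-e", "eu-west-1", "10.5.0.0/16")     # different region


def demo() -> dict:
    """Run the scenarios and return the outcome of each for inspection."""
    reg = PeeringRegistry()
    return {
        "a_b": reg.request_peering(VPC_A, VPC_B),
        "b_c": reg.request_peering(VPC_B, VPC_C),
        "a_d_overlap": reg.request_peering(VPC_A, VPC_D),
        "a_e_region": reg.request_peering(VPC_A, VPC_E),
        "b_a_duplicate": reg.request_peering(VPC_B, VPC_A),
        "a_reaches_b": reg.can_reach(VPC_A, VPC_B),
        "a_reaches_c": reg.can_reach(VPC_A, VPC_C),  # False: no transitive routing
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The `a_reaches_c` case is the one that surprises people most: A peers with B and B peers with C, yet A has no path to C unless a separate A-C peering is created and routed.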

Network Address Translation (NAT)

By default, an instance launched into a private subnet in an Amazon VPC cannot communicate with the Internet through the IGW.

This is a problem if instances within private subnets need direct access to the Internet from the Amazon VPC in order to apply security updates, download patches, or update application software.

AWS provides NAT instances and NAT gateways to allow instances deployed in private subnets to gain Internet access.

NAT Gateway

A NAT gateway is an Amazon-managed resource.

It is designed to operate just like a NAT instance, but it is simpler to manage and highly available within an Availability Zone.

To allow instances within a private subnet to access Internet resources through the IGW via a NAT gateway, the user must do the following:

  • Configure the route table associated with the private subnet to direct Internet-bound traffic to the NAT gateway (for example, nat-1a2b3c4d).
  • Allocate an EIP and associate it with the NAT gateway.
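What the route-table step actually does is decided by longest-prefix matching: the VPC's own CIDR stays on the `local` route, and only addresses outside the VPC fall through to the default route, whose target (IGW or NAT gateway) is what makes a subnet public or private. The following added example, which is not code from the original page or from AWS, models that lookup in Python; the route-table contents and the `igw-`/`nat-` identifiers are constructed placeholders in the style of the text.

```python
"""Constructed model of VPC route-table lookup (longest-prefix match)."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, target)

# Placeholder identifiers in the style of the text; not real resources.
VPC_CIDR = "10.0.0.0/16"
PUBLIC_ROUTE_TABLE: List[Route] = [
    (VPC_CIDR, "local"),            # intra-VPC traffic never leaves the VPC
    ("0.0.0.0/0", "igw-11aa22bb"),  # default route to the Internet gateway
]
PRIVATE_ROUTE_TABLE: List[Route] = [
    (VPC_CIDR, "local"),
    ("0.0.0.0/0", "nat-1a2b3c4d"),  # default route to the NAT gateway
]
ISOLATED_ROUTE_TABLE: List[Route] = [
    (VPC_CIDR, "local"),            # no default route: no Internet path at all
]


def resolve_target(route_table: List[Route], dst_ip: str) -> Optional[str]:
    """Return the target of the most specific route matching dst_ip, or None."""
    addr = ipaddress.ip_address(dst_ip)
    best_net = None
    best_target = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(route_table: List[Route]) -> str:
    """Public if Internet-bound traffic reaches an IGW, private via NAT, else isolated."""
    # 198.51.100.1 is a documentation address standing in for "somewhere on the Internet".
    target = resolve_target(route_table, "198.51.100.1")
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


if __name__ == "__main__":
    for name, table in [("public", PUBLIC_ROUTE_TABLE),
                        ("private", PRIVATE_ROUTE_TABLE),
                        ("isolated", ISOLATED_ROUTE_TABLE)]:
        print(name, classify_subnet(table),
              "10.0.4.20 ->", resolve_target(table, "10.0.4.20"),
              "198.51.100.1 ->", resolve_target(table, "198.51.100.1"))
```

The `ISOLATED_ROUTE_TABLE` case is the failure mode behind most "my private instance cannot reach the update server" tickets: the NAT gateway exists, but the private subnet's route table was never given the `0.0.0.0/0` route pointing at it.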

Virtual Private Gateways (VPGs), Customer Gateways (CGWs), Virtual Private Networks (VPNs)

User can connect an existing data center to Amazon VPC using either hardware or software VPN connections, which will make Amazon VPC an extension of the data center.

Amazon VPC offers two ways to connect a corporate network to a VPC: VPG and CGW.

A virtual private gateway (VPG) is the virtual private network (VPN) concentrator on the AWS side of the VPN connection between the two networks.

A customer gateway (CGW) represents a physical device or a software application on the customer’s side of the VPN connection.

  • The VPG is the AWS end of the VPN tunnel.
  • The CGW is a hardware or software application on the customer’s side of the VPN tunnel.
  • User must initiate the VPN tunnel from the CGW to the VPG.
  • VPGs support both dynamic routing with BGP and static routing.
  • The VPN connection consists of two tunnels for higher availability to the VPC.

The remaining topics are:

  • VPCs and Subnets
  • Supported Platforms
  • Default and Non-default VPCs
  • Accessing the Internet
  • Accessing a corporate or home network

VPCs and Subnets

A Virtual Private Cloud (VPC) is a virtual network dedicated to the AWS account.

It is logically isolated from other virtual networks in the AWS cloud.

Users can configure their own VPC: select its IP address range, create subnets, and configure route tables, network gateways, and security settings.

A subnet is a range of IP addresses in the VPC.

AWS resources are launched into a subnet.

Use a public subnet for resources that must be connected to the Internet, and a private subnet for resources that won’t be connected to the Internet.

Supported Platforms

The original release of Amazon EC2 supported a single, flat network that’s shared with other customers, called the EC2-Classic platform.

Older AWS accounts still support this platform, and can launch instances into either EC2-Classic or a VPC.

Accounts created after 2013-12-04 support EC2-VPC only.

Benefits of launching instances into a VPC instead of EC2-Classic:

  • Assign static private IPv4 addresses to instances that persist across starts and stops.
  • Optionally associate an IPv6 CIDR block with the VPC and assign IPv6 addresses to instances.
  • Change security group membership for instances while they’re running.
  • Control the outbound traffic from instances (egress filtering) in addition to controlling the inbound traffic to them (ingress filtering).
Default and Non-default VPCs

When an AWS account supports the EC2-VPC platform only, it comes with a default VPC.

It has a default subnet in each Availability Zone.

A default VPC has the benefits of the advanced features provided by EC2-VPC.

A VPC that the user creates and configures according to their own needs is known as a non-default VPC.

Subnets created in a non-default VPC, and additional subnets created in the default VPC, are called non-default subnets.

Accessing the Internet

The user can control how instances launched into a VPC access resources outside the VPC.

The default VPC includes an Internet gateway, and each default subnet is a public subnet.

Each instance launched into a default subnet has a private IPv4 address and a public IPv4 address.

These instances can communicate with the Internet through the Internet gateway.

An Internet gateway enables the instances to connect to the Internet through the Amazon EC2 network edge.

By default, each instance launched into a non-default subnet has a private IPv4 address but no public IPv4 address.

A public IPv4 address can be assigned by the user when the instance is launched.



A network address translation (NAT) device can be used to allow an instance in a VPC to initiate outbound connections to the Internet while preventing unsolicited inbound connections.

NAT maps multiple private IPv4 addresses to a single public IPv4 address.

A NAT device has an Elastic IP address and is connected to the Internet through an Internet gateway.
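The reason a NAT device blocks unsolicited inbound traffic is simply that it has no translation-table entry for it: an inbound packet is only forwarded when it matches a flow that some private instance opened first. The following is an added example, not code from the original page or from AWS, that models a NAT device in Python; the public IP (from the 203.0.113.0/24 documentation range), the private addresses and the packets are all constructed.

```python
"""Constructed model of a NAT device: many private IPs behind one public IP."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
import itertools

NAT_PUBLIC_IP = "203.0.113.10"   # constructed Elastic IP (documentation range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatDevice:
    """Port-address translation keyed on the full 4-tuple of each outbound flow."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self._ports = itertools.count(1024)  # next free public source port
        # (private ip, private port, dst ip, dst port) -> public port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the VPC; create state if new."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Forward a packet from the Internet only if it answers an existing flow."""
        key = (pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.dst_ip != self.public_ip or key not in self.inbound:
            return None  # unsolicited: no state, so it is dropped
        priv_ip, priv_port = self.inbound[key]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def demo() -> dict:
    """Two private instances reach one server; one stranger tries to come in."""
    nat = NatDevice(NAT_PUBLIC_IP)
    out1 = nat.translate_outbound(Packet("10.0.1.10", 40000, "198.51.100.7", 443))
    out2 = nat.translate_outbound(Packet("10.0.1.11", 40000, "198.51.100.7", 443))
    # Legitimate reply to the first flow (constructed).
    reply = nat.translate_inbound(Packet("198.51.100.7", 443, NAT_PUBLIC_IP, out1.src_port))
    # Unsolicited connection attempt from elsewhere (constructed).
    stranger = nat.translate_inbound(Packet("192.0.2.99", 12345, NAT_PUBLIC_IP, 22))
    return {"out1": out1, "out2": out2, "reply": reply, "stranger": stranger}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both instances appear to the server as `203.0.113.10`, distinguished only by the translated source port; the reply finds its way back because the port maps to a recorded flow, while the attempt on port 22 has no entry and is discarded.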

Accessing a corporate or home network

Amazon VPC can be connected to a corporate data center using an IPsec hardware VPN connection.

A VPN connection consists of a virtual private gateway attached to the VPC and a customer gateway located in the data center.
