Posts

To provide network connectivity between AWS VPCs and external networks, or in certain use cases between VPCs, you must create a Virtual Private Gateway (VGW). VGWs are normally attached to a VPC, although some advanced architectures detach them, and they are the Amazon-managed endpoint for terminating IPsec VPN and AWS Direct Connect connections into your AWS infrastructure.

The VGW behaves like a next-hop router and provides edge routing for external access; this routing is separate from the VPC route tables. A VGW is the termination point of VPN connections at the AWS end of the tunnel. The VGW does not initiate connections; connections must be initiated from the customer premises. VGWs support two methods of routing: static routing and dynamic routing using BGP4.

IPv6 is designed with the goal of being an end-to-end protocol, and as such AWS do not support NAT or prefix translation of IPv6 addresses. When you create a resource within a VPC that is IPv6 enabled it is assigned one or more IPv6 addresses from Amazon's GUA allocation. A GUA address is globally unique and routable on the public internet.

The concept of a private VPC as such does not exist when using IPv6. However, there is certainly a need to ensure that certain IPv6-addressed resources are not accessible from the internet, in the same way as we do with IPv4-addressed resources by putting them in a private VPC and providing internet access via a NAT gateway. To achieve similar functionality for IPv6 hosts AWS have created the Egress Only Internet Gateway (EIGW). As with any AWS-managed component, an EIGW is a scalable and highly redundant VPC component that gives IPv6-addressed resources access to the internet but blocks access from the internet to those resources. The EIGW does not translate the IPv6 address of the resource; the resource's assigned GUA address is the address visible on the public internet.

To provide internet access from a VPC Amazon provide a service called Internet Gateway (IGW). Internet Gateways are Amazon-operated and managed and provide a horizontally scalable, redundant and highly available method of accessing the internet, using both IPv4 and IPv6 addressing. To provide internet access from a VPC you must create an IGW and attach it to your VPC, then create a route entry in the route table for the VPC subnet that points non-local traffic to the IGW. This could be a default 0/0 route for IPv4, IPv6 or both. To ensure end-to-end flow of traffic you must also ensure that the appropriate Network ACLs and security groups allow the required traffic to and from your VPC.

When using private subnets within a VPC and accessing the internet via an IGW, the IGW translates the private addresses to public addresses. The IGW maintains one-to-one mappings of private to public IP addresses. When a resource is launched it can automatically receive a public IP address, or an Elastic IP can be assigned; the IGW maintains these mappings.

IPv6 is designed to be an end-to-end protocol and as such resources within a VPC are assigned IPv6 addresses from Amazon's GUA address assignments. For outbound IPv6 traffic to the internet the IGW does not need to translate the source address, so it passes through unchanged. For inbound flows the IGW forwards the traffic to the resource matching the destination GUA.
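Added example (not code from the original post) that applies the gateway semantics of the preceding paragraphs as a route-table audit: a subnet whose default route targets an IGW is reachable in both directions, one behind a NAT gateway or EIGW is egress only, and one with no default route is isolated. The route tables and gateway ids are constructed placeholders, and Network ACLs and security groups are not modelled.

```python
# Added example, not code from the original post: classify a subnet's
# internet exposure per address family from its route table (IGW passes
# traffic both ways, a NAT gateway or EIGW is egress only, no default route
# means isolated). NACLs and security groups still apply and are not modelled.
import ipaddress

# Target prefixes follow the AWS resource-id naming convention.
GATEWAY_EXPOSURE = {
    "igw-": "public",        # inbound and outbound, IPv4 (mapped) or IPv6 (GUA)
    "nat-": "egress-only",   # IPv4 private subnet behind a NAT gateway
    "eigw-": "egress-only",  # IPv6 egress-only internet gateway
}

def default_route_target(routes, family):
    """Return the target of the 0.0.0.0/0 (family 4) or ::/0 (family 6) route."""
    for destination, target in routes:
        net = ipaddress.ip_network(destination, strict=False)
        if net.version == family and net.prefixlen == 0:
            return target
    return None

def exposure(routes):
    """Map 'ipv4' and 'ipv6' to public, egress-only, isolated or unknown-target."""
    result = {}
    for family, label in ((4, "ipv4"), (6, "ipv6")):
        target = default_route_target(routes, family)
        if target is None:
            verdict = "isolated"
        else:
            verdict = "unknown-target"  # fail loud on a target type not understood here
            for prefix, kind in GATEWAY_EXPOSURE.items():
                if target.startswith(prefix):
                    verdict = kind
        result[label] = verdict
    return result

# Constructed sample route tables; gateway ids are placeholders, not real resources.
PUBLIC_SUBNET = [("10.0.0.0/16", "local"), ("2001:db8:ab:cd00::/56", "local"),
                 ("0.0.0.0/0", "igw-PLACEHOLDER"), ("::/0", "igw-PLACEHOLDER")]
PRIVATE_SUBNET = [("10.0.0.0/16", "local"), ("2001:db8:ab:cd00::/56", "local"),
                  ("0.0.0.0/0", "nat-PLACEHOLDER"), ("::/0", "eigw-PLACEHOLDER")]
# IPv4 goes via NAT but the IPv6 default route points at the IGW, so every
# GUA-addressed resource in this "private" subnet is reachable inbound.
LEAKY_SUBNET = [("10.0.0.0/16", "local"), ("2001:db8:ab:cd00::/56", "local"),
                ("0.0.0.0/0", "nat-PLACEHOLDER"), ("::/0", "igw-PLACEHOLDER")]

if __name__ == "__main__":
    for name, table in (("public", PUBLIC_SUBNET), ("private", PRIVATE_SUBNET), ("leaky", LEAKY_SUBNET)):
        print(name, exposure(table))
```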

A VPC is a logical entity that spans all availability zones in the region where it was created. VPCs in turn consist of subnets, which are logical segments of a VPC; unlike a VPC a subnet does not span availability zones, and one or more subnets may be created in each availability zone. When creating a subnet within a VPC you specify the availability zone and an IPv4 range from the defined VPC CIDR block. When you create resources they are allocated to one or more subnets.

When a VPC is created an IPv4 CIDR range is allocated, with a /16 being the largest possible allocation. The size of the CIDR block allocated in turn determines the sizes of the subnets that can be created, with a /28 being the smallest possible allocation. Attention should be paid to the design of the VPC and subnet architecture when determining allocations, as AWS reserve some of the addresses within each subnet to provide network services, so the usable addresses are fewer than what are available in pure networking terms.

As you may be aware, when you create an AWS account a default VPC is created with one public subnet in each availability zone within a region. Each default subnet is a /20 range.

VPCs support both IPv4 and IPv6: IPv4 is mandatory while an IPv6 association is optional. When utilising IPv6, Amazon assign a /56 to each VPC out of their public GUA allocation. If you choose to use IPv6 you can associate it with an existing subnet, and a fixed-length /64 is assigned out of the /56 assigned to the VPC. Although the IPv6 subnet ranges are fixed-length assignments, when allocating a subnet you can specify the subnet identifier.
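Added example (not code from the original post) working through the sizing rules above: the /16 to /28 VPC window, usable hosts in a subnet once AWS's reserved addresses are subtracted (the count of five per subnet is AWS-documented behaviour, not a figure from the post), and picking a /64 by subnet identifier inside the VPC's /56. The CIDRs used are constructed sample values.

```python
# Added example, not code from the original post: VPC and subnet sizing
# arithmetic for the limits given above (/16 largest VPC block, /28 smallest
# subnet, a fixed /64 per IPv6 subnet out of the VPC's /56). The five reserved
# addresses per IPv4 subnet (the first four and the broadcast address) are
# AWS-documented behaviour, not a number stated in the post.
import ipaddress

AWS_RESERVED_PER_SUBNET = 5    # network, VPC router, DNS, future use, broadcast
VPC_LARGEST_PREFIX = 16        # /16 is the largest VPC CIDR
SUBNET_SMALLEST_PREFIX = 28    # /28 is the smallest subnet (and VPC) CIDR

def vpc_cidr_ok(cidr):
    """True if the IPv4 block is a valid network within the /16 .. /28 window."""
    try:
        net = ipaddress.IPv4Network(cidr, strict=True)
    except ValueError:
        return False
    return VPC_LARGEST_PREFIX <= net.prefixlen <= SUBNET_SMALLEST_PREFIX

def usable_hosts(subnet):
    """Addresses left for resources after AWS takes its reserved five."""
    net = ipaddress.IPv4Network(subnet, strict=True)
    if net.prefixlen > SUBNET_SMALLEST_PREFIX:
        raise ValueError(f"{subnet}: subnets smaller than /28 are not allowed")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET

def carve_ipv4_subnets(vpc_cidr, new_prefix):
    """Split a VPC block into equal-sized subnets of the requested prefix length."""
    if not vpc_cidr_ok(vpc_cidr) or new_prefix > SUBNET_SMALLEST_PREFIX:
        raise ValueError(f"{vpc_cidr} -> /{new_prefix}: outside the /16 .. /28 limits")
    vpc = ipaddress.IPv4Network(vpc_cidr)
    return [str(s) for s in vpc.subnets(new_prefix=new_prefix)]

def ipv6_subnet(vpc_ipv6, subnet_id):
    """The /64 selected by an 8-bit subnet identifier inside the VPC's /56."""
    vpc = ipaddress.IPv6Network(vpc_ipv6, strict=True)
    if vpc.prefixlen != 56:
        raise ValueError("AWS assigns each VPC a fixed /56")
    if not 0 <= subnet_id <= 0xFF:
        raise ValueError("subnet identifier must fit in the 8 bits between /56 and /64")
    # The identifier occupies bits 56..63 of the address, the low byte of the top 64 bits.
    return str(ipaddress.IPv6Network((int(vpc.network_address) | (subnet_id << 64), 64)))

if __name__ == "__main__":
    print(carve_ipv4_subnets("10.0.0.0/16", 20))       # 16 subnets, 10.0.0.0/20 .. 10.0.240.0/20
    print(usable_hosts("172.31.0.0/20"))               # 4091 usable in a default /20 subnet
    print(ipv6_subnet("2001:db8:ab:cd00::/56", 0x1a))  # constructed documentation prefix
```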

Subnets within a VPC are defined as private, public or VPN-only. The internal IPv4 subnet is always private and not advertised to the internet, whereas the IPv6 subnet is GUA and therefore public. As the names suggest, a private subnet is not internet accessible, although its IP allocation could be from public or RFC1918 address space. Public subnets are reachable from the internet, and VPN-only subnets are reachable only via VPN endpoints.

Virtual Private Cloud (VPC) is the networking construct for Elastic Compute Cloud (EC2). With a VPC you can create a virtual network within AWS. When creating a VPC you are able to configure elements such as route tables, network gateways and subnets, and control access using ACLs or security groups. It is possible to create many VPCs in an AWS region; as long as they will never need to communicate they can share IP address ranges, because each VPC is logically isolated. Once created you can launch resources such as EC2 instances in the VPC.

When creating a VPC it must be assigned an IPv4 address range; any CIDR range can be used, but Amazon treats it as private and it will not be advertised to the internet. If required an IPv6 range may also be assigned, in which case Amazon will assign a /56 from their allocation of GUA addresses. Unlike the IPv4 addresses, the IPv6 assignments are advertised to the internet, and therefore if an internet gateway is attached to the VPC the resources are publicly available. VPCs operate in dual-stack mode, so the components for IPv4 and IPv6 need to be configured independently.

VPCs are made up of a number of components, which will be described further in the Understanding AWS series. The components a VPC can consist of are:

  • Subnets and IP addresses (IPv4 and IPv6)
  • Route Tables
  • Security Groups and Network Access Control Lists (ACLs)
  • VPC Flow Logs
  • Internet Gateways
  • Egress Only Internet Gateways (EIGWs) for IPv6
  • NAT Instances and NAT Gateways
  • Virtual Private Gateways (VGWs) and Virtual Private Networks (VPNs)
  • VPC Endpoints
  • VPC Peering
  • Placement Groups
  • Elastic Network Interfaces
  • Dynamic Host Configuration Protocol (DHCP) Option Sets
  • Amazon DNS Server