An Amazon VPC is a service that lets you provision a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. A VPC gives you more control over your virtual networking environment, resource placement, connectivity and security. Like any AWS service, it comes with many configurable parameters, but you can still achieve a lot with the defaults if you are in a hurry.
In this post, we will look at the following:
- A brief history of the AWS VPC
- The infrastructure on which your VPC resides on
- What you can do with the defaults
- Some caveats
The Amazon VPC was initially released on the 25th of September 2009, about three years after AWS launched its first services. Before the Amazon VPC, resources such as EC2 instances were launched into what is now referred to as EC2-Classic. EC2-Classic was AWS's first iteration of a platform for creating virtual machines. The peculiarity of EC2-Classic was that the networking layer used by VMs was a single flat network shared with all the other AWS tenants; only security groups separated your instances from everyone else's. This did not sit well with customers used to running their workloads in their own on-premises data centres.
If you created your AWS account after the 4th of December 2013, your account supports only EC2-VPC, so your VMs are always launched into a VPC. Nowadays, it is just referred to as Amazon VPC. EC2-Classic has since been retired (in August 2022).
An Amazon VPC is "regionally scoped", meaning it resides within a single AWS Region and cannot span Regions. So before you create a VPC, you must choose a specific Region, say Cape Town (af-south-1). For those who are new to AWS, an AWS Region is a geographic area in the world where AWS operates cloud services. AWS Regions are designed to be completely independent of each other. Each AWS Region is composed of multiple Availability Zones (at least two, and three or more in most Regions), and each Availability Zone is made up of one or more discrete data centres. The Availability Zones within a Region have redundant networking and power and are connected to each other by low-latency links.
When you create a VPC in a Region, give it subnets in more than one Availability Zone and spread your workloads across them, so that the loss of a single zone does not take your application down.
The default VPC is simply a preconfigured VPC that AWS creates for you. Since a VPC is regionally scoped, creating an AWS account triggers the creation of a default VPC in every AWS Region (opt-in Regions get theirs when you enable them). The advantage of having it preconfigured by AWS is that you can immediately launch services such as EC2 instances without going through further configuration steps. VPC-based services such as Elastic Load Balancing, EC2, Amazon RDS, and VPC virtual networking devices (such as the Internet Gateway and NAT Gateway) work the same way as they would in a manually created VPC.
The following items are preconfigured automatically in the default VPC:
- A CIDR block of 172.31.0.0/16
- A /20 subnet in each Availability Zone of the Region, carved from that CIDR range. Cape Town, which has three Availability Zones, gets 172.31.0.0/20, 172.31.16.0/20 and 172.31.32.0/20, one per zone.
- An internet gateway attached to the VPC, with a 0.0.0.0/0 route to it in the main route table that every default subnet uses. Instances launched into these subnets also receive a public IP address by default, so every default subnet is a public subnet.
- A default security group that controls traffic at the instance level. It is stateful: it allows all outbound traffic, and allows inbound traffic only from other instances that belong to the same security group. All other inbound traffic is implicitly denied.
- A default network access control list that controls traffic at the subnet level. By default, it allows all inbound and all outbound traffic.
- A DHCP Options set to pass TCP/IP configurations to your instances.
As stated earlier, when you create an account in AWS or enable one of the newer Regions, you already have the resources of a default VPC at your disposal. When you launch a service such as an EC2 instance without specifying a manually configured VPC, it is launched into the default VPC.
Every default VPC comes with the same CIDR block, 172.31.0.0/16, so the default VPCs in different Regions overlap with each other (and with any other network that reuses that range). VPC peering requires non-overlapping CIDR blocks, so your options for connecting default VPCs to each other, or to an on-premises network that already uses 172.31.0.0/16, are limited.
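The /20 carving described above and the peering overlap rule in this paragraph, worked through in Python with the standard library's ipaddress module. This is an added example, not code from the original post: the function names are chosen here, the constant reproduces the 172.31.0.0/16 block AWS assigns, and the "five reserved addresses per subnet" rule is AWS's documented behaviour (network address, VPC router, DNS, one reserved for future use, and broadcast).

```python
import ipaddress

# CIDR block AWS assigns to every default VPC.
DEFAULT_VPC_CIDR = "172.31.0.0/16"

# Addresses AWS reserves in every subnet: network, router (+1), DNS (+2),
# reserved for future use (+3), and the broadcast (last) address.
RESERVED_PER_SUBNET = 5


def default_subnets(vpc_cidr: str, az_count: int, prefix: int = 20) -> list[str]:
    """Return the first `az_count` /prefix blocks carved from `vpc_cidr`, in
    ascending order, which is how AWS hands one /20 to each Availability Zone
    of a default VPC (a /16 holds at most sixteen /20s)."""
    network = ipaddress.ip_network(vpc_cidr)
    blocks = list(network.subnets(new_prefix=prefix))
    if az_count > len(blocks):
        raise ValueError(f"{vpc_cidr} only holds {len(blocks)} /{prefix} subnets")
    return [str(block) for block in blocks[:az_count]]


def usable_hosts(subnet_cidr: str) -> int:
    """Number of addresses an instance can actually be given in a subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """VPC peering is refused when the two VPCs' CIDR blocks overlap, even
    partially (a /20 inside the other VPC's /16 is still an overlap)."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def peering_plan(vpc_cidrs: dict[str, str]) -> list[tuple[str, str, bool]]:
    """For every pair of named VPCs, report whether they could be peered."""
    names = sorted(vpc_cidrs)
    return [
        (a, b, can_peer(vpc_cidrs[a], vpc_cidrs[b]))
        for i, a in enumerate(names)
        for b in names[i + 1:]
    ]


if __name__ == "__main__":
    # Cape Town has three Availability Zones.
    for subnet in default_subnets(DEFAULT_VPC_CIDR, 3):
        print(subnet, "usable hosts:", usable_hosts(subnet))
    # Two default VPCs in different Regions cannot be peered; a custom VPC can.
    print(peering_plan({
        "default-af-south-1": DEFAULT_VPC_CIDR,
        "default-eu-west-1": DEFAULT_VPC_CIDR,
        "custom-eu-west-1": "10.0.0.0/16",
    }))
```

Run it and the two default VPCs come out as unpeerable while the 10.0.0.0/16 VPC can peer with either; that is the practical cost of every Region sharing one address plan.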
The components of the default VPC are intentionally permissive, which is a security risk. Every default subnet is public: the internet gateway provides a route to and from the internet, instances receive public IP addresses on launch, and the default network ACL allows all traffic in both directions from any IP address on any TCP/UDP port. The default security group itself blocks unsolicited inbound traffic, but the security groups the console launch wizard creates often open SSH or RDP to 0.0.0.0/0, and with nothing else in the path that single rule exposes the instance to the whole internet. Security experts advise that the default VPC should be deleted as soon as you create your account (or, at the very least, that every rule be removed from its default security group).
If you delete a default VPC you cannot get the original back, but you are not stuck: the CreateDefaultVpc API (aws ec2 create-default-vpc in the CLI) creates a fresh default VPC in the current Region with the same 172.31.0.0/16 layout, and a Region can only hold one default VPC at a time. You no longer need to contact AWS Support for this.
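Here is an added example (not from the original post) of checking the security groups and network ACLs of a VPC for the internet-wide allows discussed above. It uses only the Python standard library: SAMPLE_SECURITY_GROUPS and SAMPLE_NETWORK_ACLS are constructed by hand, with made-up identifiers, in the shape that boto3's describe_security_groups() and describe_network_acls() return, so it runs offline; in practice you would pass the real responses from those calls. The function names are chosen here.

```python
import ipaddress

ANY_V4 = ipaddress.ip_network("0.0.0.0/0")
ANY_V6 = ipaddress.ip_network("::/0")


def _ports(perm: dict) -> str:
    # IpProtocol "-1" means every protocol and port; FromPort/ToPort are absent then.
    if perm["IpProtocol"] == "-1":
        return "all protocols/ports"
    return f"{perm['IpProtocol']} {perm.get('FromPort')}-{perm.get('ToPort')}"


def open_inbound_rules(group: dict) -> list[str]:
    """Describe inbound rules of one security group that admit the whole internet.

    Rules that reference another security group (UserIdGroupPairs), such as the
    default group's self-reference, are not flagged: they only admit members of
    that group, not arbitrary addresses."""
    findings = []
    for perm in group.get("IpPermissions", []):
        for rng in perm.get("IpRanges", []):
            if ipaddress.ip_network(rng["CidrIp"]) == ANY_V4:
                findings.append(f"{group['GroupId']}: {_ports(perm)} from 0.0.0.0/0")
        for rng in perm.get("Ipv6Ranges", []):
            if ipaddress.ip_network(rng["CidrIpv6"]) == ANY_V6:
                findings.append(f"{group['GroupId']}: {_ports(perm)} from ::/0")
    return findings


def nacl_is_wide_open(acl: dict, egress: bool) -> bool:
    """A network ACL evaluates entries in ascending RuleNumber and the first
    match wins, so if the lowest-numbered IPv4 entry for a direction is
    allow / all protocols / 0.0.0.0/0, nothing can be denied in that direction.
    This is a conservative check: it does not merge narrower leading rules."""
    entries = [e for e in acl["Entries"] if e["Egress"] == egress and "CidrBlock" in e]
    if not entries:
        return False
    first = min(entries, key=lambda e: e["RuleNumber"])
    return (first["RuleAction"] == "allow"
            and first["Protocol"] == "-1"
            and ipaddress.ip_network(first["CidrBlock"]) == ANY_V4)


def audit(security_groups: list[dict], network_acls: list[dict]) -> dict:
    """Summarise internet-wide allows across a VPC's groups and ACLs."""
    return {
        "open_security_groups": [f for g in security_groups for f in open_inbound_rules(g)],
        "wide_open_nacls": [
            acl["NetworkAclId"] for acl in network_acls
            if nacl_is_wide_open(acl, egress=False) and nacl_is_wide_open(acl, egress=True)
        ],
    }


# Constructed sample (identifiers are made up): the default security group, a
# console launch-wizard group with SSH open to the world, and the default ACL.
SAMPLE_SECURITY_GROUPS = [
    {"GroupId": "sg-0aaa111122223333a", "GroupName": "default", "VpcId": "vpc-0aaa1111222233334",
     "IpPermissions": [
         {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0aaa111122223333a", "UserId": "111122223333"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-0bbb111122223333b", "GroupName": "launch-wizard-1", "VpcId": "vpc-0aaa1111222233334",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]
SAMPLE_NETWORK_ACLS = [
    {"NetworkAclId": "acl-0ccc111122223333c", "IsDefault": True, "VpcId": "vpc-0aaa1111222233334",
     "Entries": [
         {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
         {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
         {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
         {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"}]},
]

if __name__ == "__main__":
    print(audit(SAMPLE_SECURITY_GROUPS, SAMPLE_NETWORK_ACLS))
```

The default security group produces no finding (its only inbound rule is the self-reference), the launch-wizard group is flagged twice (IPv4 and IPv6), and the default ACL is reported as wide open in both directions. That is the combination the paragraph above warns about: the ACL is not going to save you, so a single permissive group rule is the whole perimeter.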
- A VPC is nothing more than a logically scoped private portion of AWS's infrastructure where you can run workloads privately.
- A default VPC is provisioned in every AWS Region for every account created. So if you don't want to spend time defining VPC components, you can get going with the default VPC.
- If you don't explicitly choose a VPC, your EC2 and RDS instances are launched into the default VPC.
- As with any default settings, permissiveness enables ease of use, but at the cost of security. From a security perspective, the default VPC should be avoided.
I know you are in a hurry so we must leave it at this for now. As usual, you can find more information by clicking on the links in the resources section below. Feel free to follow up with me in the comments section or on Twitter. I hope this has been very informative to you. Have a good one!