Amazon Virtual Private Cloud - User Guide PDF

326 Pages·2017·4.58 MB·English
Amazon Virtual Private Cloud: User Guide

Table of Contents

What is Amazon VPC? (p. 1)
  Features (p. 1)
  Getting started with Amazon VPC (p. 2)
  Working with Amazon VPC (p. 2)
  Pricing for Amazon VPC (p. 2)
How Amazon VPC works (p. 3)
  VPCs and subnets (p. 3)
  Default and nondefault VPCs (p. 3)
  IP addressing (p. 4)
    Compare IPv4 and IPv6 (p. 4)
    Private IPv4 addresses (p. 5)
    Public IPv4 addresses (p. 6)
    IPv6 addresses (p. 6)
    Use your own IP addresses (p. 7)
  Route tables (p. 7)
  Access the internet (p. 7)
  Access a corporate or home network (p. 8)
  Connect VPCs and networks (p. 8)
  Amazon private global network considerations (p. 8)
Get started (p. 10)
  Prerequisites (p. 10)
  Step 1: Get to know your default VPC (p. 10)
  Step 2: Launch an instance into your VPC (p. 11)
  Step 3: Connect to an EC2 instance in your public subnet (p. 12)
  Step 4: Clean up (p. 12)
  Next steps (p. 12)
Virtual private clouds (p. 13)
  VPC basics (p. 13)
  VPC CIDR blocks (p. 14)
    IPv4 VPC CIDR blocks (p. 14)
    Manage IPv4 CIDR blocks for a VPC (p. 15)
    IPv4 CIDR block association restrictions (p. 17)
    IPv6 VPC CIDR blocks (p. 18)
  Work with VPCs (p. 18)
    Create a VPC (p. 18)
    View your VPCs (p. 21)
    Associate additional IPv4 CIDR blocks with your VPC (p. 22)
    Associate IPv6 CIDR blocks with your VPC (p. 22)
    Disassociate an IPv4 CIDR block from your VPC (p. 23)
    Disassociate an IPv6 CIDR block from your VPC (p. 23)
    Delete your VPC (p. 24)
  Default VPCs (p. 25)
    Default VPC components (p. 25)
    Default subnets (p. 27)
    View your default VPC and default subnets (p. 27)
    Create a default VPC (p. 28)
    Create a default subnet (p. 28)
    Delete your default subnets and default VPC (p. 29)
  DHCP option sets (p. 30)
    What is DHCP? (p. 30)
    DHCP option set concepts (p. 31)
    Work with DHCP option sets (p. 33)
  DNS attributes (p. 37)
    Amazon DNS server (p. 37)
    DNS hostnames (p. 38)
    DNS attributes in your VPC (p. 39)
    DNS quotas (p. 40)
    View DNS hostnames for your EC2 instance (p. 40)
    View and update DNS attributes for your VPC (p. 41)
    Private hosted zones (p. 42)
  Network Address Usage (p. 42)
    How NAU is calculated (p. 42)
    NAU examples (p. 43)
  Share your VPC (p. 44)
    Shared VPCs prerequisites (p. 44)
    Share a subnet (p. 44)
    Unshare a shared subnet (p. 45)
    Identify the owner of a shared subnet (p. 46)
    Manage VPC resources (p. 46)
    Billing and metering for the owner and participants (p. 47)
    Limitations (p. 47)
    Example of sharing subnets (p. 48)
  Extend a VPC to another Zone (p. 49)
    Extend your VPC resources to Local Zones (p. 50)
    Extend your VPC resources to Wavelength Zones (p. 53)
    Subnets in Amazon Outposts (p. 55)
Subnets (p. 56)
  Subnet basics (p. 56)
    Subnet types (p. 56)
    Subnet settings (p. 57)
    Subnet diagram (p. 57)
  Subnet sizing (p. 57)
    Subnet sizing for IPv6 (p. 58)
  Subnet routing (p. 59)
  Subnet security (p. 59)
  Work with subnets (p. 59)
    Create a subnet in your VPC (p. 60)
    View your subnets (p. 61)
    Associate an IPv6 CIDR block with your subnet (p. 61)
    Disassociate an IPv6 CIDR block from your subnet (p. 61)
    Modify the public IPv4 addressing attribute for your subnet (p. 62)
    Modify the IPv6 addressing attribute for your subnet (p. 62)
    Delete a subnet (p. 62)
    API and command overview (p. 63)
  Subnet CIDR reservations (p. 63)
    Work with subnet CIDR reservations using the console (p. 64)
    Work with subnet CIDR reservations using the Amazon CLI (p. 64)
  Managed prefix lists (p. 65)
    Prefix lists concepts and rules (p. 66)
    Identity and access management for prefix lists (p. 66)
    Customer-managed prefix lists (p. 67)
    Amazon-managed prefix lists (p. 70)
    Shared prefix lists (p. 71)
    Reference prefix lists in your Amazon resources (p. 74)
  Route tables (p. 75)
    Route table concepts (p. 75)
    Subnet route tables (p. 76)
    Gateway route tables (p. 81)
    Route priority (p. 83)
    Route table quotas (p. 84)
    Example routing options (p. 84)
    Work with route tables (p. 93)
    Middlebox routing wizard (p. 99)
  Network ACLs (p. 109)
    Network ACL basics (p. 110)
    Network ACL rules (p. 110)
    Default network ACL (p. 111)
    Custom network ACL (p. 112)
    Custom network ACLs and other Amazon services (p. 119)
    Ephemeral ports (p. 120)
    Path MTU Discovery (p. 120)
    Work with network ACLs (p. 121)
    Example: Control access to instances in a subnet (p. 124)
    Recommended rules for VPC scenarios (p. 126)
Connect your VPC (p. 128)
  Internet gateways (p. 128)
    Enable internet access (p. 129)
    Access the internet from a subnet in your VPC (p. 131)
    API and command overview (p. 134)
    Elastic IP addresses (p. 134)
  Egress-only internet gateways (p. 142)
    Egress-only internet gateway basics (p. 142)
    Work with egress-only internet gateways (p. 143)
    API and CLI overview (p. 144)
  NAT devices (p. 145)
    NAT gateways (p. 145)
    NAT instances (p. 171)
    Compare NAT devices (p. 178)
  Amazon Transit Gateway (p. 180)
  Amazon Virtual Private Network (p. 180)
  VPC peering connections (p. 181)
    Examples using VPC peering and Amazon PrivateLink (p. 181)
Monitoring (p. 183)
  VPC Flow Logs (p. 183)
    Flow logs basics (p. 184)
    Flow log records (p. 187)
    Flow log record examples (p. 192)
    Flow log limitations (p. 198)
    Flow logs pricing (p. 198)
    Work with flow logs (p. 199)
    Publish to CloudWatch Logs (p. 201)
    Publish to Amazon S3 (p. 207)
    Publish to Kinesis Data Firehose (p. 212)
    Query using Athena (p. 217)
    Troubleshoot (p. 220)
  CloudWatch metrics (p. 222)
    NAU metrics and dimensions (p. 222)
    Enable or disable NAU monitoring (p. 224)
    NAU CloudWatch alarm example (p. 224)
Security (p. 226)
  Data protection (p. 226)
    Internetwork traffic privacy (p. 227)
    Encryption in transit (p. 229)
  Infrastructure security (p. 229)
    Network isolation (p. 230)
    Control network traffic (p. 230)
  Identity and access management (p. 231)
    Audience (p. 231)
    Authenticate with identities (p. 231)
    Manage access using policies (p. 233)
    How Amazon VPC works with IAM (p. 235)
    Policy examples (p. 238)
    Troubleshoot (p. 245)
    Amazon managed policies (p. 246)
  Security groups (p. 248)
    Security group basics (p. 248)
    Default security groups for your VPCs (p. 249)
    Security group rules (p. 250)
    Work with security groups (p. 252)
    Work with security group rules (p. 254)
    Centrally manage VPC security groups using Amazon Firewall Manager (p. 257)
  Resilience (p. 258)
  Compliance validation (p. 258)
  Best practices (p. 259)
Use with other services (p. 260)
  Amazon PrivateLink (p. 260)
  Amazon Network Firewall (p. 261)
  Route 53 Resolver DNS Firewall (p. 261)
Scenarios (p. 263)
  VPC with a single public subnet (p. 263)
    Overview (p. 263)
    Routing (p. 265)
    Security (p. 265)
  VPC with public and private subnets (NAT) (p. 272)
    Overview (p. 273)
    Routing (p. 275)
    Security (p. 276)
    Implement this scenario (p. 280)
    Recommended network ACL rules (p. 281)
  VPC with public and private subnets and Amazon Site-to-Site VPN access (p. 291)
    Overview (p. 292)
    Routing (p. 294)
    Security (p. 296)
    Implement this scenario (p. 299)
    Recommended network ACL rules (p. 300)
  VPC with a private subnet only and Amazon Site-to-Site VPN access (p. 310)
    Overview (p. 311)
    Routing (p. 312)
    Security (p. 312)
Tutorials (p. 317)
  Tutorials using the Amazon CLI (p. 317)
    IPv4-enabled VPC and subnets (p. 317)
    Dual-stack VPC and subnets (p. 322)
    IPv6-enabled VPC and IPv6-only subnets (p. 331)
  Tutorials using the Amazon Management Console (p. 339)
    VPC that supports IPv6 addressing (p. 340)
    Migrate existing VPCs from IPv4 to IPv6 (p. 343)
Quotas (p. 356)
  VPC and subnets (p. 356)
  DNS (p. 356)
  Elastic IP addresses (IPv4) (p. 356)
  Gateways (p. 357)
  Customer-managed prefix lists (p. 357)
  Network ACLs (p. 358)
  Network interfaces (p. 358)
  Route tables (p. 358)
  Security groups (p. 359)
  VPC peering connections (p. 360)
  VPC endpoints (p. 360)
  VPC sharing (p. 360)
  Network Address Usage (p. 361)
  Amazon EC2 API throttling (p. 361)
  Additional quota resources (p. 361)
Document history (p. 363)

What is Amazon VPC?

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of Amazon.
Features

The following features help you configure a VPC to provide the connectivity that your applications need:

Virtual private clouds (VPC)
  A VPC (p. 13) is a virtual network that closely resembles a traditional network that you'd operate in your own data center. After you create a VPC, you can add subnets.

Subnets
  A subnet (p. 56) is a range of IP addresses in your VPC. A subnet must reside in a single Availability Zone. After you add subnets, you can deploy Amazon resources in your VPC.

IP addressing
  You can assign IPv4 addresses and IPv6 addresses to your VPCs and subnets. You can also bring your public IPv4 and IPv6 GUA addresses to Amazon and allocate them to resources in your VPC, such as EC2 instances, NAT gateways, and Network Load Balancers.

Routing
  Use route tables (p. 75) to determine where network traffic from your subnet or gateway is directed.

Gateways and endpoints
  A gateway (p. 128) connects your VPC to another network. For example, use an internet gateway (p. 128) to connect your VPC to the internet. Use a VPC endpoint to connect to Amazon Web Services privately, without the use of an internet gateway or NAT device.

Peering connections
  Use a VPC peering connection to route traffic between the resources in two VPCs.

Traffic Mirroring
  Copy network traffic from network interfaces and send it to security and monitoring appliances for deep packet inspection.

Transit gateways
  Use a transit gateway (p. 180), which acts as a central hub, to route traffic between your VPCs, VPN connections, and Amazon Direct Connect connections.

VPC Flow Logs
  A flow log (p. 183) captures information about the IP traffic going to and from network interfaces in your VPC.

VPN connections
  Connect your VPCs to your on-premises networks using Amazon Virtual Private Network (Amazon VPN) (p. 180).

Getting started with Amazon VPC

Your Amazon Web Services account includes a default VPC (p. 25) in each Amazon Web Services Region. Your default VPCs are configured such that you can immediately start launching and connecting to EC2 instances. For more information, see Get started (p. 10).

You can choose to create additional VPCs with the subnets, IP addresses, gateways and routing that you need. For more information, see the section called “Create a VPC” (p. 18).

Working with Amazon VPC

You can create and manage your VPCs using any of the following interfaces:

• Amazon Web Services Management Console — Provides a web interface that you can use to access your VPCs.
• Amazon Command Line Interface (Amazon CLI) — Provides commands for a broad set of Amazon services, including Amazon VPC, and is supported on Windows, Mac, and Linux. For more information, see Amazon Command Line Interface.
• Amazon SDKs — Provide language-specific APIs and take care of many of the connection details, such as calculating signatures, handling request retries, and error handling. For more information, see Amazon SDKs.
• Query API — Provides low-level API actions that you call using HTTPS requests. Using the Query API is the most direct way to access Amazon VPC, but it requires that your application handle low-level details such as generating the hash to sign the request, and error handling. For more information, see Amazon VPC actions in the Amazon EC2 API Reference.

Pricing for Amazon VPC

There's no additional charge for using a VPC. There are charges for some VPC components, such as NAT gateways, IP Address Manager, traffic mirroring, Reachability Analyzer, and Network Access Analyzer. For more information, see Amazon VPC Pricing.

How Amazon VPC works

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch Amazon resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of Amazon.

Concepts

• VPCs and subnets (p. 3)
• Default and nondefault VPCs (p. 3)
• IP addressing (p. 4)
• Route tables (p. 7)
• Access the internet (p. 7)
• Access a corporate or home network (p. 8)
• Connect VPCs and networks (p. 8)
• Amazon private global network considerations (p. 8)

VPCs and subnets

A virtual private cloud (VPC) is a virtual network dedicated to your Amazon account. It is logically isolated from other virtual networks in the Amazon Cloud. You can specify an IP address range for the VPC, add subnets, add gateways, and associate security groups.

A subnet is a range of IP addresses in your VPC. You launch Amazon resources, such as Amazon EC2 instances, into your subnets. You can connect a subnet to the internet, other VPCs, and your own data centers, and route traffic to and from your subnets using route tables.

Learn more

• VPC basics (p. 13)
• Subnet basics (p. 56)
• Internetwork traffic privacy in Amazon VPC (p. 227)
• IP addressing (p. 4)

Default and nondefault VPCs

If your account was created after 2013-12-04, it comes with a default VPC in each Region. A default VPC is configured and ready for you to use. For example, it has a default subnet in each Availability Zone in the Region, an attached internet gateway, a route in the main route table that sends all traffic to the internet gateway, and DNS settings that automatically assign public DNS hostnames to instances with public IP addresses and enable DNS resolution through the Amazon-provided DNS server (see DNS attributes in your VPC (p. 39)). Therefore, an EC2 instance that is launched in a default subnet automatically has access to the internet. The converse also holds: default subnets assign a public IPv4 address to instances at launch, so an instance launched there with no further configuration is reachable from the internet to the extent its security group allows. Treat default subnets as public subnets, and place workloads that must not be internet-facing in a nondefault VPC or in a subnet whose route table has no route to an internet gateway.
If you have a default VPC in a Region and you don't specify a subnet when you launch an EC2 instance into that Region, we choose one of the default subnets and launch the instance into that subnet. You can also create your own VPC, and configure it as you need. This is known as a nondefault VPC. Subnets that you create in your nondefault VPC and additional subnets that you create in your default VPC are called nondefault subnets. 3
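The "automatically has access to the internet" property above follows from the main route table's default route to the internet gateway plus the rule that a subnet with no explicit association falls back to the main table. As an added example (not from the guide), this Python check reads route tables in the shape returned by `aws ec2 describe-route-tables` (constructed sample data; the VPC, subnet, and gateway IDs are placeholders) and reports which subnets end up internet-reachable through an internet gateway.

```python
# Added example, not from the Amazon VPC User Guide: finds subnets whose effective
# route table sends default traffic to an internet gateway. A subnet with no explicit
# association uses the VPC's main route table, which is what a default VPC relies on.
import json

# Constructed sample in the shape of `aws ec2 describe-route-tables`; IDs are placeholders.
SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-main0000", "VpcId": "vpc-example0",
   "Associations": [{"Main": true}],
   "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example0"}]},
  {"RouteTableId": "rtb-private0", "VpcId": "vpc-example0",
   "Associations": [{"Main": false, "SubnetId": "subnet-priv0"}],
   "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
              {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example0"}]}
]}
""")
# Constructed subnets: two with no explicit association (default-subnet style), one private.
SUBNETS = ["subnet-default-a", "subnet-default-b", "subnet-priv0"]
DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}

def route_table_for(subnet_id, route_tables):
    """Explicit subnet association wins; otherwise fall back to the main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def has_igw_default_route(rt):
    """True if any IPv4 or IPv6 default route targets an internet gateway."""
    for r in rt.get("Routes", []):
        dest = r.get("DestinationCidrBlock") or r.get("DestinationIpv6CidrBlock")
        if dest in DEFAULT_ROUTES and r.get("GatewayId", "").startswith("igw-"):
            return True
    return False

def internet_reachable_subnets(subnet_ids, describe_output):
    """Subnets whose effective route table has a default route to an IGW."""
    tables = describe_output["RouteTables"]
    return [s for s in subnet_ids
            if (rt := route_table_for(s, tables)) and has_igw_default_route(rt)]

if __name__ == "__main__":
    print(internet_reachable_subnets(SUBNETS, SAMPLE))  # prints ['subnet-default-a', 'subnet-default-b']
```

The private subnet's default route points at a NAT gateway (`NatGatewayId`, no `GatewayId`), so it is correctly left out even though it also has a 0.0.0.0/0 route.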