Amazon Virtual Private Cloud: User Guide

Copyright © 2023 Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

What is Amazon VPC? (p. 1)
  Features (p. 1)
  Getting started with Amazon VPC (p. 2)
  Working with Amazon VPC (p. 2)
  Pricing for Amazon VPC (p. 2)
How Amazon VPC works (p. 3)
  VPCs and subnets (p. 3)
  Default and nondefault VPCs (p. 3)
  IP addressing (p. 4)
    Compare IPv4 and IPv6 (p. 4)
    Private IPv4 addresses (p. 5)
    Public IPv4 addresses (p. 6)
    IPv6 addresses (p. 6)
    Use your own IP addresses (p. 7)
  Route tables (p. 7)
  Access the internet (p. 7)
  Access a corporate or home network (p. 8)
  Connect VPCs and networks (p. 8)
  AWS private global network considerations (p. 8)
Get started (p. 10)
  Prerequisites (p. 10)
    Sign up for an AWS account (p. 10)
    Create an administrative user (p. 11)
  Step 1: Get to know your default VPC (p. 11)
  Step 2: Launch an instance into your VPC (p. 12)
  Step 3: Connect to an EC2 instance in your public subnet (p. 12)
  Step 4: Clean up (p. 13)
  Next steps (p. 13)
Virtual private clouds (p. 14)
  VPC basics (p. 14)
  VPC CIDR blocks (p. 15)
    IPv4 VPC CIDR blocks (p. 15)
    Manage IPv4 CIDR blocks for a VPC (p. 16)
    IPv4 CIDR block association restrictions (p. 18)
    IPv6 VPC CIDR blocks (p. 19)
  Work with VPCs (p. 19)
    Create a VPC (p. 19)
    View your VPCs (p. 22)
    Associate additional IPv4 CIDR blocks with your VPC (p. 23)
    Associate IPv6 CIDR blocks with your VPC (p. 23)
    Disassociate an IPv4 CIDR block from your VPC (p. 24)
    Disassociate an IPv6 CIDR block from your VPC (p. 24)
    Delete your VPC (p. 25)
  Default VPCs (p. 26)
    Default VPC components (p. 26)
    Default subnets (p. 28)
    View your default VPC and default subnets (p. 28)
    Create a default VPC (p. 29)
    Create a default subnet (p. 29)
    Delete your default subnets and default VPC (p. 30)
  DHCP option sets (p. 31)
    What is DHCP? (p. 31)
    DHCP option set concepts (p. 32)
    Work with DHCP option sets (p. 34)
  DNS attributes (p. 38)
    Amazon DNS server (p. 38)
    DNS hostnames (p. 39)
    DNS attributes in your VPC (p. 40)
    DNS quotas (p. 41)
    View DNS hostnames for your EC2 instance (p. 41)
    View and update DNS attributes for your VPC (p. 42)
    Private hosted zones (p. 43)
  Network Address Usage (p. 43)
    How NAU is calculated (p. 43)
    NAU examples (p. 44)
  Share your VPC (p. 45)
    Shared VPCs prerequisites (p. 45)
    Share a subnet (p. 45)
    Unshare a shared subnet (p. 46)
    Identify the owner of a shared subnet (p. 47)
    Manage VPC resources (p. 47)
    Billing and metering for the owner and participants (p. 48)
    Limitations (p. 48)
    Example of sharing subnets (p. 49)
  Extend a VPC to another Zone (p. 50)
    Extend your VPC resources to Local Zones (p. 51)
    Extend your VPC resources to Wavelength Zones (p. 54)
    Subnets in AWS Outposts (p. 56)
Subnets (p. 57)
  Subnet basics (p. 57)
    Subnet types (p. 57)
    Subnet settings (p. 58)
    Subnet diagram (p. 58)
  Subnet sizing (p. 58)
    Subnet sizing for IPv6 (p. 59)
  Subnet routing (p. 60)
  Subnet security (p. 60)
  Work with subnets (p. 60)
    Create a subnet in your VPC (p. 61)
    View your subnets (p. 62)
    Associate an IPv6 CIDR block with your subnet (p. 62)
    Disassociate an IPv6 CIDR block from your subnet (p. 62)
    Modify the public IPv4 addressing attribute for your subnet (p. 63)
    Modify the IPv6 addressing attribute for your subnet (p. 63)
    Delete a subnet (p. 63)
    API and command overview (p. 64)
  Subnet CIDR reservations (p. 64)
    Work with subnet CIDR reservations using the console (p. 65)
    Work with subnet CIDR reservations using the AWS CLI (p. 65)
  Managed prefix lists (p. 66)
    Prefix lists concepts and rules (p. 66)
    Identity and access management for prefix lists (p. 67)
    Customer-managed prefix lists (p. 68)
    AWS-managed prefix lists (p. 71)
    Shared prefix lists (p. 72)
    Reference prefix lists in your AWS resources (p. 75)
  Route tables (p. 76)
    Route table concepts (p. 76)
    Subnet route tables (p. 77)
    Gateway route tables (p. 82)
    Route priority (p. 84)
    Route table quotas (p. 85)
    Example routing options (p. 85)
    Work with route tables (p. 94)
    Middlebox routing wizard (p. 100)
  Network ACLs (p. 110)
    Network ACL basics (p. 111)
    Network ACL rules (p. 111)
    Default network ACL (p. 112)
    Custom network ACL (p. 113)
    Custom network ACLs and other AWS services (p. 120)
    Ephemeral ports (p. 121)
    Path MTU Discovery (p. 121)
    Work with network ACLs (p. 122)
    Example: Control access to instances in a subnet (p. 125)
    Recommended rules for VPC scenarios (p. 127)
Connect your VPC (p. 129)
  Internet gateways (p. 129)
    Enable internet access (p. 130)
    Access the internet from a subnet in your VPC (p. 132)
    API and command overview (p. 135)
    Elastic IP addresses (p. 135)
  Egress-only internet gateways (p. 143)
    Egress-only internet gateway basics (p. 143)
    Work with egress-only internet gateways (p. 144)
    API and CLI overview (p. 145)
  NAT devices (p. 146)
    NAT gateways (p. 146)
    NAT instances (p. 172)
    Compare NAT devices (p. 179)
  AWS Transit Gateway (p. 181)
  AWS Virtual Private Network (p. 181)
  VPC peering connections (p. 182)
    Examples using VPC peering and AWS PrivateLink (p. 182)
Monitoring (p. 184)
  VPC Flow Logs (p. 184)
    Flow logs basics (p. 185)
    Flow log records (p. 188)
    Flow log record examples (p. 193)
    Flow log limitations (p. 199)
    Flow logs pricing (p. 199)
    Work with flow logs (p. 200)
    Publish to CloudWatch Logs (p. 202)
    Publish to Amazon S3 (p. 208)
    Publish to Kinesis Data Firehose (p. 213)
    Query using Athena (p. 218)
    Troubleshoot (p. 221)
  CloudWatch metrics (p. 223)
    NAU metrics and dimensions (p. 223)
    Enable or disable NAU monitoring (p. 225)
    NAU CloudWatch alarm example (p. 225)
Security (p. 227)
  Data protection (p. 227)
    Internetwork traffic privacy (p. 228)
    Encryption in transit (p. 230)
  Infrastructure security (p. 230)
    Network isolation (p. 231)
    Control network traffic (p. 231)
  Identity and access management (p. 232)
    Audience (p. 232)
    Authenticate with identities (p. 232)
    Manage access using policies (p. 234)
    How Amazon VPC works with IAM (p. 236)
    Policy examples (p. 239)
    Troubleshoot (p. 246)
    AWS managed policies (p. 248)
  Security groups (p. 249)
    Security group basics (p. 249)
    Default security groups for your VPCs (p. 250)
    Security group rules (p. 251)
    Work with security groups (p. 254)
    Work with security group rules (p. 256)
    Centrally manage VPC security groups using AWS Firewall Manager (p. 259)
  Resilience (p. 260)
  Compliance validation (p. 260)
  Configuration and vulnerability analysis (p. 261)
  Best practices (p. 261)
Use with other services (p. 263)
  AWS PrivateLink (p. 263)
  AWS Network Firewall (p. 264)
  Route 53 Resolver DNS Firewall (p. 264)
Scenarios (p. 266)
  VPC with a single public subnet (p. 266)
    Overview (p. 266)
    Routing (p. 268)
    Security (p. 268)
  VPC with public and private subnets (NAT) (p. 275)
    Overview (p. 276)
    Routing (p. 278)
    Security (p. 279)
    Implement this scenario (p. 283)
    Recommended network ACL rules (p. 284)
  VPC with public and private subnets and AWS Site-to-Site VPN access (p. 294)
    Overview (p. 295)
    Routing (p. 297)
    Security (p. 299)
    Implement this scenario (p. 302)
    Recommended network ACL rules (p. 303)
  VPC with a private subnet only and AWS Site-to-Site VPN access (p. 313)
    Overview (p. 314)
    Routing (p. 315)
    Security (p. 315)
Tutorials (p. 320)
  Tutorials using the AWS CLI (p. 320)
    IPv4-enabled VPC and subnets (p. 320)
    Dual-stack VPC and subnets (p. 325)
    IPv6-enabled VPC and IPv6-only subnets (p. 334)
  Tutorials using the AWS Management Console (p. 342)
    VPC that supports IPv6 addressing (p. 343)
    Migrate existing VPCs from IPv4 to IPv6 (p. 346)
Quotas (p. 359)
  VPC and subnets (p. 359)
  DNS (p. 359)
  Elastic IP addresses (IPv4) (p. 359)
  Gateways (p. 360)
  Customer-managed prefix lists (p. 360)
  Network ACLs (p. 361)
  Network interfaces (p. 361)
  Route tables (p. 361)
  Security groups (p. 362)
  VPC peering connections (p. 363)
  VPC endpoints (p. 363)
  VPC sharing (p. 363)
  Network Address Usage (p. 364)
  Amazon EC2 API throttling (p. 364)
  Additional quota resources (p. 364)
Document history (p. 365)

What is Amazon VPC?

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

Features

The following features help you configure a VPC to provide the connectivity that your applications need:

Virtual private clouds (VPC)
  A VPC (p. 14) is a virtual network that closely resembles a traditional network that you'd operate in your own data center. After you create a VPC, you can add subnets.

Subnets
  A subnet (p. 57) is a range of IP addresses in your VPC. A subnet must reside in a single Availability Zone. After you add subnets, you can deploy AWS resources in your VPC.

IP addressing
  You can assign IPv4 addresses and IPv6 addresses to your VPCs and subnets. You can also bring your public IPv4 and IPv6 GUA addresses to AWS and allocate them to resources in your VPC, such as EC2 instances, NAT gateways, and Network Load Balancers.

Routing
  Use route tables (p. 76) to determine where network traffic from your subnet or gateway is directed.

Gateways and endpoints
  A gateway (p. 129) connects your VPC to another network. For example, use an internet gateway (p. 129) to connect your VPC to the internet.
Use a VPC endpoint to connect to AWS services privately, without the use of an internet gateway or NAT device. Peering connections Use a VPC peering connection to route traffic between the resources in two VPCs. Traffic Mirroring Copy network traffic from network interfaces and send it to security and monitoring appliances for deep packet inspection. Transit gateways Use a transit gateway (p. 181), which acts as a central hub, to route traffic between your VPCs, VPN connections, and AWS Direct Connect connections. VPC Flow Logs A flow log (p. 184) captures information about the IP traffic going to and from network interfaces in your VPC. VPN connections Connect your VPCs to your on-premises networks using AWS Virtual Private Network (AWS VPN) (p. 181). 1 Amazon Virtual Private Cloud User Guide Getting started with Amazon VPC Getting started with Amazon VPC Your AWS account includes a default VPC (p. 26) in each AWS Region. Your default VPCs are configured such that you can immediately start launching and connecting to EC2 instances. For more information, see Get started (p. 10). You can choose to create additional VPCs with the subnets, IP addresses, gateways and routing that you need. For more information, see the section called “Create a VPC” (p. 19). Working with Amazon VPC You can create and manage your VPCs using any of the following interfaces: • AWS Management Console — Provides a web interface that you can use to access your VPCs. • AWS Command Line Interface (AWS CLI) — Provides commands for a broad set of AWS services, including Amazon VPC, and is supported on Windows, Mac, and Linux. For more information, see AWS Command Line Interface. • AWS SDKs — Provides language-specific APIs and takes care of many of the connection details, such as calculating signatures, handling request retries, and error handling. For more information, see AWS SDKs. • Query API — Provides low-level API actions that you call using HTTPS requests. 
Using the Query API is the most direct way to access Amazon VPC, but it requires that your application handle low-level details such as generating the hash to sign the request, and error handling. For more information, see Amazon VPC actions in the Amazon EC2 API Reference. Pricing for Amazon VPC There's no additional charge for using a VPC. There are charges for some VPC components, such as NAT gateways, IP Address Manager, traffic mirroring, Reachability Analyzer, and Network Access Analyzer. For more information, see Amazon VPC Pricing. 2 Amazon Virtual Private Cloud User Guide VPCs and subnets How Amazon VPC works Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS. Concepts • VPCs and subnets (p. 3) • Default and nondefault VPCs (p. 3) • IP addressing (p. 4) • Route tables (p. 7) • Access the internet (p. 7) • Access a corporate or home network (p. 8) • Connect VPCs and networks (p. 8) • AWS private global network considerations (p. 8) VPCs and subnets A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can specify an IP address range for the VPC, add subnets, add gateways, and associate security groups. A subnet is a range of IP addresses in your VPC. You launch AWS resources, such as Amazon EC2 instances, into your subnets. You can connect a subnet to the internet, other VPCs, and your own data centers, and route traffic to and from your subnets using route tables. Learn more • VPC basics (p. 14) • Subnet basics (p. 57) • Internetwork traffic privacy in Amazon VPC (p. 228) • IP addressing (p. 4) Default and nondefault VPCs If your account was created after 2013-12-04, it comes with a default VPC in each Region. 
A default VPC is configured and ready for you to use. For example, it has a default subnet in each Availability Zone in the Region, an attached internet gateway, a route in the main route table that sends all traffic to the internet gateway, and DNS settings that automatically assign public DNS hostnames to instances with public IP addresses and enable DNS resolution through the Amazon-provided DNS server (see DNS attributes in your VPC (p. 40)). Therefore, an EC2 instance that is launched in a default subnet automatically has access to the internet. If you have a default VPC in a Region and you don't specify a 3
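The default-VPC description above is the combination a reviewer most often has to reason about: subnets that are not explicitly associated with any route table fall back to the main route table, and if that table has a 0.0.0.0/0 route to an internet gateway, every such subnet is effectively public. The script below is an added example, not code from the Amazon VPC User Guide or from AWS. It works offline on a constructed, simplified document that mimics the shape of the EC2 DescribeRouteTables and DescribeSubnets responses (field names such as Routes, DestinationCidrBlock, GatewayId, Associations, Main, SubnetId and MapPublicIpOnLaunch are the real response fields; the identifiers and CIDR values are made up). It resolves each subnet's effective route table, decides whether that table gives it an internet route, and lists the subnets where a freshly launched instance would both get a public IP and have a route to the internet gateway.

```python
"""Classify subnets in a VPC as public or private from route-table data.

Added example; not code from the Amazon VPC User Guide. The input below is a
constructed, simplified document in the shape of the EC2 DescribeRouteTables
and DescribeSubnets responses (only the fields this check needs).
"""
import ipaddress
import json

# Constructed sample: a default-style VPC whose main route table sends
# 0.0.0.0/0 to an internet gateway, plus one subnet explicitly associated
# with a private route table that carries only the local route.
SAMPLE = json.loads("""
{
  "RouteTables": [
    {
      "RouteTableId": "rtb-main0001",
      "VpcId": "vpc-0example",
      "Associations": [{"Main": true, "RouteTableId": "rtb-main0001"}],
      "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}
      ]
    },
    {
      "RouteTableId": "rtb-priv0002",
      "VpcId": "vpc-0example",
      "Associations": [{"Main": false, "SubnetId": "subnet-c", "RouteTableId": "rtb-priv0002"}],
      "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"}
      ]
    }
  ],
  "Subnets": [
    {"SubnetId": "subnet-a", "VpcId": "vpc-0example", "CidrBlock": "172.31.0.0/20",  "MapPublicIpOnLaunch": true},
    {"SubnetId": "subnet-b", "VpcId": "vpc-0example", "CidrBlock": "172.31.16.0/20", "MapPublicIpOnLaunch": false},
    {"SubnetId": "subnet-c", "VpcId": "vpc-0example", "CidrBlock": "172.31.32.0/20", "MapPublicIpOnLaunch": true}
  ]
}
""")


def effective_route_table(subnet_id, route_tables):
    """Return the route table that applies to a subnet.

    A subnet uses the table it is explicitly associated with; otherwise it
    falls back to the VPC's main route table (the implicit association).
    """
    main = None
    for table in route_tables:
        for assoc in table.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    return main


def has_internet_route(table):
    """True if an active route to an internet gateway covers all of IPv4 or IPv6."""
    for route in table.get("Routes", []):
        if route.get("State") != "active":
            continue
        if not str(route.get("GatewayId", "")).startswith("igw-"):
            continue
        cidr = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        # A /0 prefix (0.0.0.0/0 or ::/0) is the default route.
        if cidr and ipaddress.ip_network(cidr).prefixlen == 0:
            return True
    return False


def classify_subnets(doc):
    """Map each subnet ID to its effective route table and exposure flags.

    'public' means the effective route table has a default route to an internet
    gateway. An instance there is reachable from the internet only if it also
    has a public IP and security groups / network ACLs permit the traffic.
    """
    result = {}
    for subnet in doc["Subnets"]:
        table = effective_route_table(subnet["SubnetId"], doc["RouteTables"])
        result[subnet["SubnetId"]] = {
            "route_table": table["RouteTableId"] if table else None,
            "public": bool(table) and has_internet_route(table),
            "auto_public_ip": bool(subnet.get("MapPublicIpOnLaunch")),
        }
    return result


def exposed_subnets(doc):
    """Subnets where a newly launched instance gets a public IP and an internet route."""
    return sorted(
        sid for sid, info in classify_subnets(doc).items()
        if info["public"] and info["auto_public_ip"]
    )


if __name__ == "__main__":
    for sid, info in classify_subnets(SAMPLE).items():
        print(sid, info)
    print("exposed on launch:", exposed_subnets(SAMPLE))
```

In the sample, subnet-a and subnet-b both inherit the main route table and are public, but only subnet-a also auto-assigns public IPs; subnet-c is explicitly associated with the private table and is not public even though it auto-assigns public IPs. Against a live account the same logic would be fed the output of the corresponding describe calls, and the interesting finding is usually a subnet nobody associated with anything that quietly inherits the main table's internet route, which is exactly the default-VPC layout the guide describes.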