Amazon VPC Overview
Amazon Virtual Private Cloud (VPC) allows you to launch AWS resources in a logically isolated virtual network that you define.
NAT Gateway
A NAT Gateway allows outbound internet traffic from instances in a private subnet while preventing inbound internet connections.
- Redundant in AZ: Ensures high availability within the Availability Zone.
- Performance: Supports speeds up to 45 Gbps.
- Maintenance: No need to patch.
- Security: Not associated with Security Groups.
- Public IP: Auto-assigned a public IP for internet access.
- Availability: Follows the availability of the associated AZ.
Security Group (SG) vs Network ACL (NACL)
| Feature | Security Group (SG) | Network ACL (NACL) |
|---|---|---|
| Type | Stateful (return traffic of an allowed flow is permitted automatically) | Stateless (return traffic must be allowed by an explicit rule) |
| Default Behavior | Allows outbound by default | Allows inbound/outbound by default |
| Associations | Can be attached to multiple instances | Applies to subnets, impacting all instances in them |
| IP Blocking | Not possible (allow rules only, no deny rules) | Can block specific IPs with deny rules |
| Evaluation Order | No rule order; all rules are evaluated | Rules evaluated from lowest to highest number; first match wins |
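The stateful/stateless and rule-order differences above are easier to see in a small simulation. The following is an added example, not code from the page or from AWS: a toy evaluator over constructed rules and constructed addresses (203.0.113.5, 198.51.100.7) showing that a NACL with only an inbound 443 rule silently drops the server's reply until an outbound ephemeral-port rule is added, and that a NACL deny only takes effect when its number is lower than the broad allow.

```python
import ipaddress
from collections import namedtuple

# number: NACL evaluation order (ignored by SGs); action: NACLs may "deny", SGs only "allow"
Rule = namedtuple("Rule", "number direction proto port_from port_to cidr action", defaults=("allow",))

def matches(r, direction, proto, port, remote_ip):
    return (r.direction == direction and r.proto == proto and r.port_from <= port <= r.port_to
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(r.cidr))

def nacl_decision(rules, direction, proto, port, remote_ip):
    """Stateless: each packet, return traffic included, is judged alone; lowest number first, then implicit deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if matches(r, direction, proto, port, remote_ip):
            return r.action
    return "deny"

class SecurityGroup:
    """Stateful: once a flow is allowed, its return traffic passes without a rule lookup."""
    def __init__(self, rules):
        self.rules, self.flows = rules, set()

    def decide(self, direction, proto, local_port, remote_ip, remote_port):
        flipped = "in" if direction == "out" else "out"
        if (flipped, proto, local_port, remote_ip, remote_port) in self.flows:
            return "allow"                      # reply of a tracked flow
        port = local_port if direction == "in" else remote_port   # rules match the destination port
        if any(matches(r, direction, proto, port, remote_ip) for r in self.rules):  # no order, no deny
            self.flows.add((direction, proto, local_port, remote_ip, remote_port))
            return "allow"
        return "deny"

def https_reply_outcomes():
    """Constructed: web server allows inbound 443 only; client 203.0.113.5:50000 connects
    and the server replies outbound to the client's ephemeral port 50000."""
    client, eph = "203.0.113.5", 50000
    sg = SecurityGroup([Rule(0, "in", "tcp", 443, 443, "0.0.0.0/0")])
    nacl = [Rule(100, "in", "tcp", 443, 443, "0.0.0.0/0")]
    fixed = nacl + [Rule(100, "out", "tcp", 1024, 65535, "0.0.0.0/0")]   # ephemeral return rule
    return {"sg_request": sg.decide("in", "tcp", 443, client, eph),
            "sg_reply": sg.decide("out", "tcp", 443, client, eph),
            "nacl_request": nacl_decision(nacl, "in", "tcp", 443, client),
            "nacl_reply": nacl_decision(nacl, "out", "tcp", eph, client),
            "nacl_reply_fixed": nacl_decision(fixed, "out", "tcp", eph, client)}

def nacl_order_outcomes():
    """Constructed: a /32 deny only takes effect if numbered below the broad allow."""
    allow_ssh = Rule(100, "in", "tcp", 22, 22, "0.0.0.0/0")
    deny = lambda n: Rule(n, "in", "tcp", 22, 22, "198.51.100.7/32", "deny")
    return {"deny_before_allow": nacl_decision([allow_ssh, deny(90)], "in", "tcp", 22, "198.51.100.7"),
            "deny_after_allow": nacl_decision([allow_ssh, deny(110)], "in", "tcp", 22, "198.51.100.7")}
```

The dropped `nacl_reply` is the classic symptom of a stateless ACL without an ephemeral-port outbound rule, and `deny_after_allow` shows why a NACL block must be numbered below the allow it is meant to override.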
Direct Connect
Direct Connect provides a dedicated network connection from your data center to AWS, ideal for high throughput workloads.
- Connects data centers directly to AWS.
- Suitable for high-throughput and low-latency applications.
VPC Endpoints
VPC Endpoints enable private connections to AWS services without needing an internet gateway, NAT device, VPN, or Direct Connect.
- Service Access: Connects to AWS services without leaving the Amazon network.
- Types:
  - Interface Endpoint: For most AWS services.
  - Gateway Endpoint: Specifically supports S3 and DynamoDB.
VPC Peering
VPC Peering connects two VPCs through a direct network route, allowing instances to communicate as if they were in the same network.
- Allows VPC-to-VPC connections within the same or across AWS accounts.
- Instances in peered VPCs behave as if in the same network.
- No transitive peering (cannot route traffic through one VPC to another).
- Can be established between regions.
PrivateLink
PrivateLink simplifies the secure sharing of services across VPCs, eliminating the need for VPC Peering for certain services.
- Supports 1:1, 1:N, and N:N configurations across multiple customer VPCs.
- Does not require VPC peering between the service VPC and customer VPCs.
- Requires a Network Load Balancer (NLB) in front of the service in the service VPC; customer VPCs reach it through a VPC endpoint.
Transit Gateway
Transit Gateway connects multiple VPCs and on-premises networks through a central hub, simplifying network architecture.
- Uses route tables to control communication between VPCs.
- Integrates with Direct Connect and VPN.
- Supports IP multicast (delivering a single packet to multiple destinations).
Use Transit Gateway for complex network architectures where multiple VPCs need interconnectivity and centralized control.