Amazon VPC - FAQ and White Paper summary

https://aws.amazon.com/vpc/faqs/
https://d36cz9buwru1tt.cloudfront.net/Extend_your_IT_infrastructure_with_Amazon_VPC.pdf

Amazon VPC FAQs

General Questions

Q. What is Amazon Virtual Private Cloud (Amazon VPC)?
Amazon VPC lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define.
You can easily customize the network configuration for your Amazon VPC.
You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.
Q. What are the components of Amazon VPC?
Virtual Private Cloud (VPC), Subnet, Internet Gateway, NAT Gateway, Hardware VPN Connection, Virtual Private Gateway, Customer Gateway, Router, Peering Connection, VPC Endpoint, Egress-only Internet Gateway.
Q. Why should I use Amazon VPC?

Q. How do I get started with Amazon VPC?
Your AWS resources are automatically provisioned in a ready-to-use default VPC. You'll be presented with four basic options for network architectures. After selecting an option, you can modify the size and IP address range of the VPC and its subnets. If you select an option with Hardware VPN Access, you will need to specify the IP address of the VPN hardware on your network. You can modify the VPC to add more subnets or add or remove gateways at any time after the VPC has been created. The four options are:

Billing

Q. How will I be charged and billed for my use of Amazon VPC?

Q. What defines billable VPN connection-hours?

Q. What usage charges will I incur if I use other AWS services, such as Amazon S3, from Amazon EC2 instances in my VPC?

Q: Do your prices include taxes?

Connectivity

Q. What are the connectivity options for my VPC?
You may connect your VPC to:
  1. The Internet (via an Internet gateway)
  2. Your corporate data center using a hardware VPN (via a virtual private gateway)
  3. Both of the above
  4. Other AWS services (via an Internet gateway, NAT, virtual private gateway, or VPC endpoints)
  5. Other VPCs (via VPC peering connections)
Q. How do I connect my VPC to the Internet? Via an Internet gateway.

Q. Are there any bandwidth limitations for Internet gateways? Do I need to be concerned about its availability? Can it be a single point of failure? No.

Q. How do instances in a VPC access the Internet?
You can use public IP addresses, including Elastic IP addresses (EIPs), to give instances in the VPC the ability to both directly communicate outbound to the Internet and to receive unsolicited inbound traffic from the Internet (e.g., web servers).  You can also use the solutions in the next question.
Q. How do instances without public IP addresses access the Internet?
Instances without public IP addresses can access the Internet in one of two ways:

  1. Instances without public IP addresses can route their traffic through a NAT gateway or a NAT instance to access the Internet. These instances use the public IP address of the NAT gateway or NAT instance to traverse the Internet. The NAT gateway or NAT instance allows outbound communication but doesn’t allow machines on the Internet to initiate a connection to the privately addressed instances.
  2. For VPCs with a hardware VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter. From there, it can access the Internet via your existing egress points and network security/monitoring devices.
Q. Can I connect to my VPC using a software VPN?  Yes

Q. How does a hardware VPN connection work with Amazon VPC?

Q. What is IPsec?
Q. Which customer gateway devices can I use to connect to Amazon VPC?
There are two types of VPN connections that you can create: statically-routed VPN connections and dynamically-routed VPN connections. Customer gateway devices supporting statically-routed VPN connections must be able to: .......
In addition to the above capabilities, devices supporting dynamically-routed VPN connections must be able to: ....
Q. Which Diffie-Hellman Groups do you support?
Phase 1: DH groups 2, 14-18, 22, 23, 24. Phase 2: DH groups 2, 5, 14-18, 22, 23, 24.
Q. What customer gateway devices are known to work with Amazon VPC?
Cisco, Juniper, Microsoft, Yamaha...
Q. If my device is not listed, where can I go for more information about using it with Amazon VPC? 
Amazon VPC forum
Q. Are there any VPN connection throughput limitations? 
Amazon does not enforce any restrictions on VPN throughput. However
Q. What tools are available to me to help troubleshoot my Hardware VPN configuration?
The DescribeVPNConnection API displays the....
Q. How do I connect a VPC to my corporate datacenter?
Establishing a hardware VPN connection between your existing network and Amazon VPC allows you to interact with Amazon EC2 instances within a VPC as if they were within your existing network. AWS does not perform network address translation (NAT) on Amazon EC2 instances within a VPC accessed via a hardware VPN connection.
Q. Can I NAT my CGW behind a router or firewall? Yes.
Q. What IP address do I use for my CGW address? The public address of the NAT device.
Q. How does my connection decide to use NAT-T? 
If your device has NAT-T enabled on the tunnel, AWS will use it by default.
Q. How do I disable NAT-T on my connection? 
You will need to disable NAT-T on your device.
Q. I would like to have multiple CGWs behind a NAT, what do I need to do to configure that? 
You will use the public IP address of your NAT device for the CGW for
Q. How many IPsec security associations can be established concurrently per tunnel?
You will not run into SA limitations.
Q. What IP address ranges can I use within my VPC?
You can address your VPC from any IPv4 address range, including RFC 1918 or publicly routable IP blocks. Publicly routable IP blocks are only reachable via the Virtual Private Gateway and cannot be accessed over the Internet through the Internet gateway.
Q. How do I assign IP address ranges to VPCs?
You assign a single Classless Inter-Domain Routing (CIDR) IP address block when you create a VPC. Subnets within a VPC are addressed from this range by you. A VPC can be assigned at most one (1) IP address range at any given time;
Q. What IP address ranges are assigned to a default VPC?
Default VPCs are assigned a CIDR range of 172.31.0.0/16. Default subnets within a default VPC are assigned /20 netblocks within the VPC CIDR range.
Q. Can I advertise my VPC public IP address range to the Internet and route the traffic through my datacenter, via the hardware VPN, and to my VPC? Yes.

Q. How large of a VPC can I create?
Currently, Amazon VPC supports VPCs between /28 (in CIDR notation) and /16 in size for IPv4.
Q. Can I change a VPC's size?
No. To change the size of a VPC you must terminate your existing VPC and create a new one.

Q. How many subnets can I create per VPC?
Currently you can create 200 subnets per VPC. If you would like to create more, please submit a case at the support center.

Q. Is there a limit on how large or small a subnet can be?
The minimum size of a subnet is a /28 (or 14 IP addresses) for IPv4. Subnets cannot be larger than the VPC in which they are created.
For IPv6, the subnet size is fixed to be a /64. Only one IPv6 CIDR block can be allocated to a subnet.

Q. Can I use all the IP addresses that I assign to a subnet?
No. Amazon reserves the first four (4) IP addresses and the last one (1) IP address of every subnet for IP networking purposes.
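As an added example (not from the AWS FAQ and not AWS code), the following Python models the sizing rules stated above: a VPC must be /16 to /28, a subnet must be /28 or larger and lie inside the VPC without overlapping another, and the first four and last one addresses of every subnet are reserved. The CIDR values in the test are constructed samples; it generalizes the rules to any subnet plan.

```python
"""Added example (not from the AWS FAQ): model the VPC/subnet sizing and
reserved-address rules the FAQ states, using only the standard library."""
import ipaddress

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28   # FAQ: VPCs between /16 and /28
SUBNET_MAX_PREFIX = 28                    # FAQ: smallest subnet is /28
RESERVED_HEAD, RESERVED_TAIL = 4, 1       # FAQ: first four and last one reserved


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Return the network, or raise ValueError if AWS would reject the size."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: no host bits set
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{cidr}: this example covers IPv4 only")
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(
            f"{cidr}: VPC must be between /{VPC_MIN_PREFIX} and /{VPC_MAX_PREFIX}")
    return net


def usable_addresses(subnet: ipaddress.IPv4Network) -> list[ipaddress.IPv4Address]:
    """Addresses an instance can actually receive in this subnet."""
    addrs = list(subnet)                  # includes network and broadcast addresses
    return addrs[RESERVED_HEAD:len(addrs) - RESERVED_TAIL]


def first_usable(cidr: str) -> str:
    """Lowest address AWS would hand to an instance in this subnet."""
    return str(usable_addresses(ipaddress.ip_network(cidr, strict=True))[0])


def plan_subnets(vpc_cidr: str, subnet_cidrs: list[str]) -> dict[str, int]:
    """Check each subnet against the VPC; return {subnet: usable address count}."""
    vpc = validate_vpc_cidr(vpc_cidr)
    accepted: list[ipaddress.IPv4Network] = []
    result: dict[str, int] = {}
    for cidr in subnet_cidrs:
        sn = ipaddress.ip_network(cidr, strict=True)
        if sn.prefixlen > SUBNET_MAX_PREFIX:
            raise ValueError(f"{cidr}: subnets cannot be smaller than /{SUBNET_MAX_PREFIX}")
        if not sn.subnet_of(vpc):
            raise ValueError(f"{cidr}: not inside VPC {vpc_cidr}")
        for other in accepted:
            if sn.overlaps(other):
                raise ValueError(f"{cidr}: overlaps {other}")
        accepted.append(sn)
        result[cidr] = len(usable_addresses(sn))
    return result


if __name__ == "__main__":
    # The default VPC from the FAQ: 172.31.0.0/16 with /20 default subnets.
    print(plan_subnets("172.31.0.0/16", ["172.31.0.0/20", "172.31.16.0/20"]))
```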

Q. How do I assign private IP addresses to Amazon EC2 instances within a VPC?
When you launch an Amazon EC2 instance within a VPC, you may optionally specify the primary private IP address for the instance. If you do not specify the primary private IP address, AWS automatically addresses it from the IP address range you assign to that subnet. You can assign secondary private IP addresses when you launch an instance, when you create an Elastic Network Interface, or any time after the instance has been launched or the interface has been created.
Q. Can I change the private IP addresses of an Amazon EC2 instance while it is running and/or stopped within a VPC?
Primary private IP addresses are retained for the instance's or interface's lifetime. Secondary private IP addresses can be assigned, unassigned, or moved between interfaces or instances at any time
Q. If an Amazon EC2 instance is stopped within a VPC, can I launch another instance with the same IP address in the same VPC? No.

Q. Can I assign IP addresses for multiple instances simultaneously? No, one at a time.

Q. Can I assign any IP address to an instance? Yes, except...

Q. Can I assign multiple IP addresses to an instance? Yes.


Q. Can I assign one or more Elastic IP (EIP) addresses to VPC-based Amazon EC2 instances?
Yes, however, the EIP addresses will only be reachable from the Internet (not over the VPN connection). Each EIP address must be associated with a unique private IP address on the instance. EIP addresses should only be used on instances in subnets configured to route their traffic directly to the Internet gateway. EIPs cannot be used on instances in subnets configured to use a NAT gateway or a NAT instance to access the Internet. This is applicable only for IPv4. Amazon VPCs do not support EIPs for IPv6 at this time.

Q. What does an Amazon VPC router do?
An Amazon VPC router enables Amazon EC2 instances within subnets to communicate with Amazon EC2 instances in other subnets within the same VPC. The VPC router also enables subnets, Internet gateways, and virtual private gateways to communicate with each other. Network usage data is not available from the router; however, you can obtain network usage statistics from your instances using Amazon CloudWatch.
Q. Can I modify the VPC route tables?
Yes. You can create route rules to specify which subnets are routed to the Internet gateway, the virtual private gateway, or other instances.
Q. Can I specify which subnet will use which gateway as its default?
Yes. You may create a default route for each subnet. The default route can direct traffic to egress the VPC via the Internet gateway, the virtual private gateway, or the NAT gateway.
Q. Does Amazon VPC support multicast or broadcast? No.


Q. How do I secure Amazon EC2 instances running within my VPC?
Amazon EC2 security groups can be used to help secure instances within an Amazon VPC. Security groups in a VPC enable you to specify both inbound and outbound network traffic that is allowed to or from each Amazon EC2 instance. Traffic which is not explicitly allowed to or from an instance is automatically denied.
In addition to security groups, network traffic entering and exiting each subnet can be allowed or denied via network Access Control Lists (ACLs).
Q. What are the differences between security groups in a VPC and network ACLs in a VPC?
Security groups in a VPC specify which traffic is allowed to or from an Amazon EC2 instance. Network ACLs operate at the subnet level and evaluate traffic entering and exiting a subnet. Network ACLs can be used to set both Allow and Deny rules. Network ACLs do not filter traffic between instances in the same subnet. In addition, network ACLs perform stateless filtering while security groups perform stateful filtering.


Q. What is the difference between stateful and stateless filtering?
Stateful filtering tracks the origin of a request and can automatically allow the reply to the request to be returned to the originating computer. For example, a stateful filter that allows inbound traffic to TCP port 80 on a webserver will allow the return traffic, usually on a high numbered port (e.g., destination TCP port 63,912) to pass through the stateful filter between the client and the webserver. The filtering device maintains a state table that tracks the origin and destination port numbers and IP addresses. Only one rule is required on the filtering device: Allow traffic inbound to the web server on TCP port 80.
Stateless filtering, on the other hand, only examines the source or destination IP address and the destination port, ignoring whether the traffic is a new request or a reply to a request. In the above example, two rules would need to be implemented on the filtering device: one rule to allow traffic inbound to the web server on TCP port 80, and another rule to allow outbound traffic from the webserver (TCP port range 49,152 through 65,535).
Q. Within Amazon VPC, can I use SSH key pairs created for instances within Amazon EC2, and vice versa?
Yes.
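As an added example (not from the AWS FAQ or any AWS code), this Python toy model follows the stateful-vs-stateless web-server explanation above: a security group with the single inbound TCP/80 rule and a state table, beside a network ACL with numbered rules, showing that only the ACL needs the second outbound ephemeral-port rule for the reply to pass. The Packet, SecurityGroup and NetworkAcl classes, rule numbers and IP addresses are constructed for the example; the security group's outbound rules are deliberately left empty so that the state table alone admits the reply.

```python
"""Added example (not from the AWS FAQ or any AWS code): a toy model of the
stateful security group and the stateless network ACL in the web-server
example, to show why the ACL needs the extra outbound ephemeral-port rule."""
from dataclasses import dataclass, field

EPHEMERAL = (49152, 65535)   # FAQ: reply ports 49,152 through 65,535
Rule = tuple[str, int, int]  # (protocol, low_port, high_port)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def _match(rules, pkt: Packet) -> bool:
    return any(p == pkt.proto and lo <= pkt.dst_port <= hi for p, lo, hi in rules)


@dataclass
class SecurityGroup:
    """Stateful: a state table lets the reply through without an outbound rule."""
    inbound: list[Rule]
    outbound: list[Rule] = field(default_factory=list)  # left empty on purpose
    _flows: set[tuple] = field(default_factory=set, init=False, repr=False)

    def permits(self, pkt: Packet, direction: str) -> bool:
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self._flows:       # reply to a flow we already admitted
            return True
        if _match(self.inbound if direction == "in" else self.outbound, pkt):
            self._flows.add(flow)        # remember the request so its reply passes
            return True
        return False                     # not explicitly allowed: denied


@dataclass
class NetworkAcl:
    """Stateless: lowest-numbered matching rule wins; the final '*' rule denies."""
    inbound: list[tuple[int, str, int, int, str]]   # (number, proto, lo, hi, action)
    outbound: list[tuple[int, str, int, int, str]]

    def permits(self, pkt: Packet, direction: str) -> bool:
        rules = self.inbound if direction == "in" else self.outbound
        for _, proto, lo, hi, action in sorted(rules):
            if proto == pkt.proto and lo <= pkt.dst_port <= hi:
                return action == "allow"
        return False                     # no rule matched: implicit deny


def web_exchange(filt, server_ip="10.0.1.5", client_ip="203.0.113.10") -> tuple[bool, bool]:
    """Constructed sample: a client request to TCP/80, then the server's reply.
    Returns (request_permitted, reply_permitted) for the given filter."""
    request = Packet(client_ip, 63912, server_ip, 80)
    reply = Packet(server_ip, 80, client_ip, 63912)
    return filt.permits(request, "in"), filt.permits(reply, "out")


def demo() -> dict[str, tuple[bool, bool]]:
    sg = SecurityGroup(inbound=[("tcp", 80, 80)])                 # the one rule
    acl_one = NetworkAcl(inbound=[(100, "tcp", 80, 80, "allow")], outbound=[])
    acl_two = NetworkAcl(inbound=[(100, "tcp", 80, 80, "allow")],
                         outbound=[(100, "tcp", *EPHEMERAL, "allow")])
    return {"security_group": web_exchange(sg),
            "acl_one_rule": web_exchange(acl_one),    # reply is dropped
            "acl_two_rules": web_exchange(acl_two)}   # reply passes


if __name__ == "__main__":
    print(demo())
```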

Q. Can Amazon EC2 instances within a VPC communicate with Amazon EC2 instances not within a VPC?
Yes. If an Internet gateway has been configured, Amazon VPC traffic bound for Amazon EC2 instances not within a VPC traverses the Internet gateway and then enters the public AWS network to reach the EC2 instance. If an Internet gateway has not been configured, or if the instance is in a subnet configured to route through the virtual private gateway, the traffic traverses the VPN connection, egresses from your datacenter, and then re-enters the public AWS network.
Q. Can Amazon EC2 instances within a VPC in one region communicate with Amazon EC2 instances within a VPC in another region? Yes.

Q. Can Amazon EC2 instances within a VPC communicate with Amazon S3?
Yes, they can communicate using public IP addresses, NAT gateway, NAT instances, VPN connections, or Direct Connect connections.
Q. Why can’t I ping the router, or my default gateway, that connects my subnets?
Ping (ICMP Echo Request and Echo Reply) requests to the router in your VPC are not supported. Ping between Amazon EC2 instances within a VPC is supported as long as your operating system's firewalls, VPC security groups, and network ACLs permit such traffic.

Q. Can I monitor the network traffic in my VPC?
Yes. You can use the Amazon VPC Flow Logs feature to monitor the network traffic in your VPC.
Q. Within which Amazon EC2 region(s) is Amazon VPC available?
Amazon VPC is currently available in multiple Availability Zones in all Amazon EC2 regions.

Q. Can a VPC span multiple Availability Zones?
Yes.
Q. Can a subnet span Availability Zones?
No. A subnet must reside within a single Availability Zone.

Q. How do I specify which Availability Zone my Amazon EC2 instances are launched in?  
When you launch an Amazon EC2 instance you must specify the subnet in which to launch the instance. The instance will be launched in the Availability Zone associated with the specified subnet.
Q. How do I determine which Availability Zone my subnets are located in?
When you create a subnet you must specify the Availability Zone in which to place the subnet.
Q. Am I charged for network bandwidth between instances in different subnets? Yes, if they are in different AZs.

Q. When I call DescribeInstances(), do I see all of my Amazon EC2 instances, including those in EC2-Classic and EC2-VPC? Yes.

Q. When I call DescribeVolumes(), do I see all of my Amazon EBS volumes, including those in EC2-Classic and EC2-VPC? Yes.

Q. How many Amazon EC2 instances can I use within a VPC?
You can run any number of Amazon EC2 instances within a VPC, so long as your VPC is appropriately sized to have an IP address assigned to each instance. You are initially limited to launching 20 Amazon EC2 instances at any one time and a maximum VPC size of /16 (65,536 IPs). If you would like to increase these limits, please complete the following form.
Q. Can I use my existing AMIs in Amazon VPC? Yes, those registered in the same region.

Q. Can I use my existing Amazon EBS snapshots? Yes, if in the same region.

Q: Can I boot an Amazon EC2 instance from an Amazon EBS volume within Amazon VPC? 
Yes, however, an instance launched in a VPC using an Amazon EBS-backed AMI maintains the same IP address when stopped and restarted. This is in contrast to similar instances launched outside a VPC, which get a new IP address. The IP addresses for any stopped instances in a subnet are considered unavailable.
Q. Can I use Amazon EC2 Reserved Instances with Amazon VPC?
Yes.
Q. Can I employ Amazon CloudWatch within Amazon VPC?
Yes.

Q. Can I employ Auto Scaling within Amazon VPC?
Yes.

Q. Can I launch Amazon EC2 Cluster Instances in a VPC?
Yes.


Q. What is a default VPC? 
A default VPC is a logically isolated virtual network in the AWS cloud that is automatically created for your AWS account the first time you provision Amazon EC2 resources. When you launch an instance without specifying a subnet-ID, your instance will be launched in your default VPC.
Q. What are the benefits of a default VPC?
When you launch resources in a default VPC, you can benefit from the advanced networking functionalities of Amazon VPC (EC2-VPC) with the ease of use of Amazon EC2 (EC2-Classic). You can enjoy features such as changing security group membership on the fly, security group egress filtering, multiple IP addresses, and multiple network interfaces without having to explicitly create a VPC and launch instances in the VPC.
Q. What accounts are enabled for default VPC?

Q. How can I tell if my account is configured to use a default VPC?
The Amazon EC2 console indicates which platforms you can launch instances in for the selected region, and whether you have a default VPC in that region. Verify that the region you'll use is selected in the navigation bar. On the Amazon EC2 console dashboard, look for "Supported Platforms" under "Account Attributes". If there are two values, EC2-Classic and EC2-VPC, you can launch instances into either platform.
Q. Will I need to know anything about Amazon VPC in order to use a default VPC?
No. You can use the AWS Management Console, AWS EC2 CLI, or the Amazon EC2 API to launch and manage EC2 instances and other AWS resources in a default VPC. AWS will automatically create a default VPC for you and will create a default subnet in each Availability Zone in the AWS region. Your default VPC will be connected to an Internet gateway and your instances will automatically receive public IP addresses, just like EC2-Classic.
Q. What are the differences between instances launched in EC2-Classic and EC2-VPC?
See Differences between EC2-Classic and EC2-VPC in the EC2 User Guide.

Q. Do I need to have a VPN connection to use a default VPC?
No. Default VPCs are attached to the Internet and all instances launched in default subnets in the default VPC automatically receive public IP addresses. You can add a VPN connection to your default VPC if you choose.

Q. Can I create other VPCs and use them in addition to my default VPC?
Yes. To launch an instance into nondefault VPCs you must specify a subnet-ID during instance launch.
Q. Can I create additional subnets in my default VPC, such as private subnets?
Yes. To launch into nondefault subnets, you can target your launches using the console or the --subnet option from the CLI, API, or SDK.

Q. How many default VPCs can I have?
You can have one default VPC in each AWS region where your Supported Platforms attribute is set to "EC2-VPC".
Q. What is the IP range of a default VPC?
The default VPC CIDR is 172.31.0.0/16. Default subnets use /20 CIDRs within the default VPC CIDR.
Q. How many default subnets are in a default VPC?
One default subnet is created for each Availability Zone in your default VPC. 


Q. Can I specify which VPC is my default VPC?
Not at this time. 
Q. Can I specify which subnets are my default subnets?
Not at this time.
Q. Can I delete a default VPC?
Yes. Contact AWS Support if you've deleted your default VPC and want to have it reset.
Q. Can I delete a default subnet?
Yes, but once deleted, it’s gone.
Q. I have an existing EC2-Classic account. Can I get a default VPC?
The simplest way to get a default VPC is to
Q. I really want a default VPC for my existing EC2 account. Is that possible?
Yes, however, we can only enable an existing account for a default VPC if you have no EC2-Classic resources for that account in that region.
Q. How are IAM accounts impacted by default VPC?
If your AWS account has a default VPC, any IAM accounts associated with your AWS account use the same default VPC as your AWS account.

Q. Can I attach or detach one or more network interfaces to an EC2 instance while it’s running?
Yes.
Q. Can I have more than two network interfaces attached to my EC2 instance?
The total number of network interfaces that can be attached to an EC2 instance depends on the instance type.
Q. Can I attach a network interface in one Availability Zone to an instance in another Availability Zone? No, only to the same AZ.
Q. Can I attach a network interface in one VPC to an instance in another VPC? No.
Q. Can I use Elastic Network Interfaces as a way to host multiple websites requiring separate IP addresses on a single instance?
Yes, however, this is not a use case best suited for multiple interfaces. Instead, assign additional private IP addresses to the instance and then associate EIPs to the private IPs as needed.
Q. Will I get charged for an Elastic IP Address that is associated to a network interface but the network interface isn’t attached to a running instance?
Yes.
Q. Can I detach the primary interface (eth0) on my EC2 instance?
No.

Q. Can I create a peering connection to a VPC in a different region? 
No. In the same region.
Q. Can I peer my VPC with a VPC belonging to another AWS account? Yes.
Q. Can I peer two VPCs with matching IP address ranges? No.
Q. How much do VPC peering connections cost? No fee, except data transfer cost.
Q. Can I use AWS Direct Connect or hardware VPN connections to access VPCs I'm peered with? No.
Q. Do I need an Internet Gateway to use peering connections? No.
Q. Is VPC peering traffic within the region encrypted? No.
Q. If I delete my side of a peering connection, will the other side still have access to my VPC? No.
Q. If I peer VPC A to VPC B and I peer VPC B to VPC C, does that mean VPCs A and C are peered? No.
Q. What if my peering connection goes down?
AWS uses VPC infrastructure for peering. There is no single point of failure.
Q. Are there any bandwidth limitations for peering connections?
Bandwidth between instances in peered VPCs is no different than bandwidth between instances in the same VPC.
Q. What is ClassicLink?
Amazon Virtual Private Cloud (VPC) ClassicLink allows EC2 instances in the EC2-Classic platform to communicate with instances in a VPC using private IP addresses.
Q. What does ClassicLink cost?
No fee. Data transfer charges apply across AZs.
Q. How do I use ClassicLink?
In order to use ClassicLink, you first need to enable at least one VPC in your account for ClassicLink. Then you associate a Security Group
Q. Does the EC2-Classic instance become a member of the VPC?
The EC2-Classic instance does not become a member of the VPC. It becomes a member of the VPC Security Group that was associated with the instance. 

Q. Can I use EC2 public DNS hostnames from my EC2-Classic and EC2-VPC instances to address each other, in order to communicate using private IP?
No. It won't resolve.
Q. Are there any VPCs for which I cannot enable ClassicLink?
Yes
Q. Can traffic from an EC2-Classic instance travel through the Amazon VPC and egress through the Internet gateway, virtual private gateway, or to peered VPCs?
No. Traffic can only be routed to private IP addresses within the VPC.
Q. Does ClassicLink affect the access control between the EC2-Classic instance, and other instances that are in the EC2-Classic platform? No.
Q. Will ClassicLink settings on my EC2-Classic instance persist through stop/start cycles?
The ClassicLink connection will not persist through stop/start cycles of the EC2-Classic instance. The EC2-Classic instance will need to be linked back to a VPC after it is stopped and started. However, the ClassicLink connection will persist through instance reboot cycles.
Q. Will my EC2-Classic instance be assigned a new, private IP address after I enable ClassicLink?
No, it retains its private IP address.
Q: Does ClassicLink allow EC2-Classic Security Group rules to reference VPC Security Groups, or vice versa?
No.

Q. Can I use the AWS Management Console to control and manage Amazon VPC? Yes.

Q. How many VPCs, subnets, Elastic IP addresses, Internet gateways, customer gateways, virtual private gateways, and VPN connections can I create?
You can have:
  • Five Amazon VPCs per AWS account per region
  • Two hundred subnets per Amazon VPC
  • Five Amazon VPC Elastic IP addresses per AWS account per region
  • One Internet gateway per VPC
  • Five virtual private gateways per AWS account per region
  • Fifty customer gateways per AWS account per region
  • Ten IPsec VPN Connections per virtual private gateway

Q. Does the Amazon VPC VPN Connection have a Service Level Agreement (SLA)?
Not currently.
Q. Can I obtain AWS Support with Amazon VPC?
Yes.
Q. Can I use ElasticFox with Amazon VPC?
ElasticFox is no longer officially supported for managing your Amazon VPC.