A virtual private cloud enables you to launch resources into a virtual network that closely resembles a traditional on-premise network. Why would you want to do that? Well, you can create both private and public subnets. That means that you can decide whether you want to attach an internet gateway to enable public internet access.
The default VPC has an internet gateway attached. Each instance added in our network (default VPC) has a private and public IP assigned to it. These are attached to an ELI (elastic network interface).
Alright, so we have our VPC, what if we want to talk to another VPC? Well, VPC peering gives us the ability to create direct network routes between one vpc and another. This allows sharing of resources between two subnets as if it was the same network. It should be noted that this can be done between other AWS accounts, but can only be done between other VPC’s in the same region – that is to say, VPC peering cannot occur between two regions.
While VPC’s are very useful, as with everything they do have limitations:
- 5 vpcs per region
- 5 internet gateways – you can only have one gateway per vpc
- 50 customer gateways per region
- 50 vpn connections per region
- 200 route tables per region & 50 entries per route table
- 5 elastic IP addresses
- 100 security grops & 50 rules per group
- 5 sec groups per network interface. The security group is at the VPC level.
The network ACL (Access Control List) determines what traffic is allowed to enter your subnet. If its allowed in, the subnet handles it. Once it’s passed the subnet security screens, it is subject to checks by the security groups attached to your instance. It’s worth nothing that you should block IP’s at the network ACL level, so that you don’t need to block in every instance security group.