Week 6 - Webinar


ICT 507 – Cloud Computing

Week 6
Webinar
Cloud Computing with Amazon Web Services (AWS): Security
using Virtual Private Cloud (VPC)

TEQSA: PRV14311
CRICOS: 03836J
Week 6: Lesson Learning Outcomes

• Discuss the benefits of Amazon Virtual Private Cloud (VPC).

• Explain various components of Amazon Virtual Private Cloud (VPC).

• Discuss the configuration of Amazon Virtual Private Cloud (VPC).

Amazon Virtual Private Cloud (VPC)
• Amazon Virtual Private Cloud (Amazon VPC) is a service that lets you launch AWS
resources in a logically isolated virtual network that you define.

• It closely resembles a traditional network that you would operate in your own data
center, with the benefits of using the scalable infrastructure of AWS.

• You have complete control over your virtual networking environment, including:

• Selection of your own IP address range (CIDR block)
• Creation of subnets
• Configuration of route tables
• Network gateways

Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster

Amazon VPC
• You can use both IPv4 and IPv6 for most resources in your VPC.
• Amazon VPC makes it easy to customize your VPC's network configuration.
• You can create a public-facing subnet for your web servers that have access to
the internet.
• It also lets you place your backend systems, such as databases or application
servers, in a private-facing subnet with no direct internet access.
• Amazon VPC lets you use multiple layers of security, including security
groups and network access control lists, to help control access to Amazon
EC2 instances in each subnet.
Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster

WHY VPC?

• Secure private network within AWS


• Ease of connecting with other instances in EC2

Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster

AWS VPC

https://www.youtube.com/watch?v=bGDMeD6kOz0

Default Amazon VPC
• Each AWS account comes with a default VPC in every region, pre-configured (an
internet gateway plus one public subnet per availability zone, with public IPs
assigned automatically) so that you can start launching instances immediately.
• A VPC lives in one region and can span multiple availability zones in that region.

Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster

Custom VPC

• Creating a custom VPC allows you to:

• Tighten security: nothing in a custom VPC is reachable from the internet until
you attach an internet gateway, add a route to it and open security group and
NACL rules, unlike the default VPC where instances get public IPs automatically
• Customize your virtual network, as you define your own IP address range
(CIDR block)
• Create your own subnets, both private and public

Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster

Custom VPC

Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster

VPC Peering
• A peering connection can be made between your own VPCs or with a VPC in
another AWS account. Originally both VPCs had to be in the same region; AWS
now also supports inter-region peering.
• Instances in VPC A cannot communicate with instances in VPC B or C unless
you set up a peering connection. The peering alone is not enough: each VPC
must also add a route for the peer's CIDR block that points at the peering
connection, and the security groups must allow the traffic.
• Peering is a one-to-one relationship; a VPC can have multiple peering
connections to other VPCs, but transitive peering is not supported.
• In other words, VPC A can connect to B and C in the figure, but C cannot
communicate with B unless they are directly peered.
• The CIDR blocks of peered VPCs must not overlap. If they share any address
range, the peering connection cannot be established.
Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster
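The two peering constraints above, non-overlapping CIDR blocks and no transitive routing, are easy to check before touching the console. The following is an added example, not code from the slides or from the Wittig textbook; the VPC identifiers, CIDR blocks and peering topology (A peered with B and with C, B and C not peered) are constructed for illustration.

```python
import ipaddress

# Constructed topology (example data, not from the original slides): VPC A is
# peered with B and with C; B and C are not peered with each other.
VPCS = {
    "vpc-a": "10.0.0.0/16",
    "vpc-b": "10.1.0.0/16",
    "vpc-c": "10.2.0.0/16",
}
PEERINGS = {("vpc-a", "vpc-b"), ("vpc-a", "vpc-c")}


def cidrs_overlap(cidr_1, cidr_2):
    """True if the two ranges share any address; AWS will not activate a
    peering between VPCs whose CIDR blocks overlap."""
    return ipaddress.ip_network(cidr_1).overlaps(ipaddress.ip_network(cidr_2))


def peered_directly(peerings, a, b):
    """A peering connection is one-to-one and works in both directions."""
    return (a, b) in peerings or (b, a) in peerings


def reachable_via_peering(peerings, src, dst):
    """No transitive peering: src reaches dst only over a direct peering.

    A naive graph search would find vpc-b -> vpc-a -> vpc-c, but AWS does not
    forward traffic across a peered VPC, so only direct edges count.
    """
    return src != dst and peered_directly(peerings, src, dst)


def peering_problems(vpcs, peerings):
    """Return (a, b, reason) for every peering that cannot be established."""
    problems = []
    for a, b in sorted(peerings):
        if cidrs_overlap(vpcs[a], vpcs[b]):
            problems.append((a, b, "overlapping CIDR blocks"))
    return problems


def reachability_matrix(vpcs, peerings):
    """Which ordered VPC pairs can exchange traffic over peering."""
    return {
        (src, dst): reachable_via_peering(peerings, src, dst)
        for src in vpcs for dst in vpcs if src != dst
    }


if __name__ == "__main__":
    print("problems:", peering_problems(VPCS, PEERINGS))
    for (src, dst), ok in sorted(reachability_matrix(VPCS, PEERINGS).items()):
        print(f"{src} -> {dst}: {'reachable' if ok else 'NOT reachable'}")
```

Running the script shows vpc-b and vpc-c unreachable from each other even though both are peered with vpc-a; if those two need to talk, peer them directly (or use a transit gateway, which is outside this week's scope). Note that a clean result here still leaves the route table and security group work described above to be done on both sides.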

VPC Peering

https://www.youtube.com/watch?v=fpxDGU2KdkA

Public and Private Subnets

• Public subnets
• For resources that must be reachable from the internet; web servers are
an example.
• A subnet is public because the route table associated with it sends the
subnet's internet-bound traffic (the 0.0.0.0/0 route) to an internet
gateway.
• Private subnets
• For resources that do not need an inbound internet connection, or
that you want to protect from the internet; database instances are an
example.
• Each subnet resides in a single availability zone, and you cannot launch
any instances unless there is at least one subnet in your VPC.
Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster

Virtual Private Network (VPN) Access
• By default, instances that you launch into an Amazon VPC cannot communicate with
your on-premises network.
• You can connect your VPCs to your existing data center using an AWS Site-to-Site
VPN connection (historically called a hardware VPN).
• By doing so, you can effectively extend your data center into the cloud and create a
hybrid environment. On the AWS side, you attach a virtual private gateway to the VPC.
• On your side, you need a customer gateway, which is either a physical device or
a software application that terminates the VPN connection in your data center.
• The connection is built from IPsec tunnels. By default a tunnel comes up only when
traffic is generated from the customer's side, so an idle tunnel can show as down
until something sends traffic through it.

Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster

VPN Access

Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster

Internet Gateway
• It enables communication between instances in your VPC and the internet.
• To give your VPC the ability to connect to the internet, you need to attach an internet gateway.
• Only one internet gateway can be attached per VPC.
• Attaching an internet gateway is the first stage in permitting internet access to instances in
your VPC; on its own it exposes nothing.
• For an EC2 instance to be internet-connected, you have to adhere to the following rules:
1. Attach an internet gateway to your VPC
2. Ensure that your instance has either a public IP address or an Elastic IP address (the
internet gateway performs one-to-one NAT between that address and the instance's private IP)
3. Point your subnet's route table to the internet gateway (a 0.0.0.0/0 route)
4. Make sure that your security group and network ACL rules allow the relevant traffic
to flow in and out of your instance
Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster

Internet Gateway

Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster

Route Table
• Amazon defines a route table as a set of rules,
called routes, which are used to determine
where network traffic is directed. The most
specific matching route (longest prefix) wins.
• Each subnet has to be linked to a route table,
and a subnet can only be linked to one route
table.
• On the other hand, one route table can have
associations with multiple subnets.
• Every VPC has a main route table, and it is a
good practice to leave it in its original state and
create a new route table to customize the
network traffic routes associated with your
VPC.

Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster

Route Table
• Main Route Table
The route table that automatically comes with your VPC. It controls the
routing for all subnets that are not explicitly associated with any other
route table.

• Custom Route Table
A route table that you create for your VPC.

Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster

Network Address Translator (NAT) Gateway
• A NAT gateway lets instances in a private subnet connect out to the internet or to
AWS services, while preventing the internet from initiating connections to those
instances.
• Private subnets protect your assets from being directly reachable from the internet;
a database server in a private subnet is an example.
• However, the database instance in your private subnet might still need outbound
internet access (for example, to fetch patches) or the ability to reach other AWS
resources.
• You can use a NAT gateway to provide that outbound-only access.
Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster

NAT Gateway
• It forwards traffic from your private subnet to either the internet or other AWS services
and sends the responses back to your instances.
• When traffic is directed to the internet, the source IP address of your instance is replaced
with the NAT gateway's Elastic IP address.
• When the reply returns, the NAT gateway translates the destination address back to your
instance's private IP address.
• A NAT gateway must be launched in a public subnet because it needs a route to the
internet gateway.
• It also requires an Elastic IP address, which you assign at the time of launch.
• Once created, update the route table associated with your private subnet to point
internet-bound traffic (0.0.0.0/0) to the NAT gateway.
• This way, the instances in your private subnet can initiate connections to the internet,
but the internet cannot initiate connections to them. A NAT gateway lives in one
availability zone; for resilience, create one per availability zone and route each
private subnet to the NAT gateway in its own zone.
Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster
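The internet gateway rules, the route table behaviour and the NAT gateway set-up above all come down to one question: where does a subnet's 0.0.0.0/0 route point? The following is an added example that models that lookup; it is not code from the slides or the textbook, and the VPC CIDR, subnet IDs, route table contents and gateway IDs are constructed for illustration. It covers rules 1 to 3 of the internet gateway checklist (rule 4, security groups and NACLs, is a separate matter).

```python
import ipaddress

# Constructed VPC layout (example data, not from the original slides).
VPC_CIDR = "10.0.0.0/16"

# Each route is (destination CIDR, target). Every VPC route table carries the
# "local" route for the VPC CIDR; what makes a subnet public or private is
# where its 0.0.0.0/0 route points.
ROUTE_TABLES = {
    "rtb-main": [                        # left untouched: no internet route
        ("10.0.0.0/16", "local"),
    ],
    "rtb-public": [
        ("10.0.0.0/16", "local"),
        ("0.0.0.0/0", "igw-0abc"),       # internet gateway: public subnet
    ],
    "rtb-private": [
        ("10.0.0.0/16", "local"),
        ("0.0.0.0/0", "nat-0def"),       # NAT gateway: outbound-only internet
    ],
}

# A subnet is associated with at most one route table; with none, the main
# table applies.
SUBNETS = {
    "subnet-web": {"cidr": "10.0.1.0/24", "route_table": "rtb-public"},
    "subnet-db": {"cidr": "10.0.2.0/24", "route_table": "rtb-private"},
    "subnet-lab": {"cidr": "10.0.3.0/24", "route_table": None},
}

# Representative internet destination (TEST-NET-2 documentation range).
INTERNET_PROBE_IP = "198.51.100.10"


def lookup_route(routes, dst_ip):
    """Longest-prefix match: the most specific route wins, as in a VPC route
    table. Returns the target, or None when no route matches (packet dropped)."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def routes_for_subnet(subnet_id):
    """Explicit association, otherwise the main route table."""
    rtb = SUBNETS[subnet_id]["route_table"] or "rtb-main"
    return ROUTE_TABLES[rtb]


def classify_subnet(subnet_id):
    """public: default route to an internet gateway; private: default route to
    a NAT gateway; isolated: no route to the internet at all."""
    target = lookup_route(routes_for_subnet(subnet_id), INTERNET_PROBE_IP)
    if target is None or target == "local":
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


def internet_can_reach_instance(subnet_id, has_public_or_elastic_ip):
    """Inbound from the internet needs a public subnet AND a public/Elastic IP
    (the IGW has nothing to translate otherwise). Behind a NAT gateway the
    internet cannot initiate a connection at all."""
    return classify_subnet(subnet_id) == "public" and has_public_or_elastic_ip


def instance_can_reach_internet(subnet_id, has_public_or_elastic_ip):
    """Outbound works from a private subnet via NAT, or from a public subnet
    when the instance has a public/Elastic IP; an isolated subnet has neither."""
    kind = classify_subnet(subnet_id)
    return kind == "private" or (kind == "public" and has_public_or_elastic_ip)


if __name__ == "__main__":
    for sid in SUBNETS:
        print(sid, classify_subnet(sid),
              "inbound:", internet_can_reach_instance(sid, True),
              "outbound:", instance_can_reach_internet(sid, True))
```

The lab subnet falling back to the untouched main table is the point of the "leave the main route table alone" advice: a subnet you forget to associate ends up isolated rather than accidentally public.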

NAT Gateway

Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster

Security Groups and NACLs

• In a VPC, security groups and network ACLs (NACLs) together help build a
layered network defense.
• Security groups act as a virtual firewall for associated instances (strictly,
for their network interfaces), controlling inbound and outbound traffic at the
instance level. They are stateful and allow-only: if an inbound request is
permitted, its response is permitted automatically, and there are no deny rules.
• Network ACLs act as a firewall for associated subnets, controlling inbound
and outbound traffic at the subnet level. They are stateless, evaluated in
rule-number order with the first match winning, support both allow and deny
rules, and end in an implicit deny; return traffic must be allowed explicitly,
typically on the ephemeral port range.

Wittig, M., & Wittig, A. (2018). Amazon web services in action. Simon and Schuster
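The stateful/stateless difference is where most "my web server is unreachable" problems come from. The following added example (not code from the slides or the textbook) evaluates a client's request and the server's response against a security group and a NACL; the rule sets, the admin CIDR 203.0.113.0/24, the blocked host and the client addresses are constructed, and the rules are simplified to TCP with a port range and a CIDR.

```python
import ipaddress

# Constructed rule sets for an assumed web server (example data, not from the
# original slides).

# Security group rules are allow-only and STATEFUL: if an inbound packet is
# allowed, the response is allowed regardless of outbound rules. A security
# group cannot express "block this one host", so that is left to the NACL.
SG_INBOUND = [
    ("tcp", 443, 443, "0.0.0.0/0"),        # HTTPS from anywhere
    ("tcp", 22, 22, "203.0.113.0/24"),     # SSH from the admin range only
]

# Network ACL rules are numbered, evaluated lowest number first, STATELESS,
# and end in an implicit deny. (number, action, proto, from_port, to_port, cidr)
NACL_INBOUND = [
    (90, "deny", "tcp", 22, 22, "203.0.113.77/32"),   # one admin host, blocked first
    (100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
    (110, "allow", "tcp", 22, 22, "203.0.113.0/24"),
]
NACL_OUTBOUND_WEAK = [
    # Only allows NEW outbound HTTPS; responses to inbound 443/22 go to the
    # client's ephemeral port and hit the implicit deny.
    (100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]
NACL_OUTBOUND_FIXED = NACL_OUTBOUND_WEAK + [
    # Ephemeral port range used by typical clients; needed for return traffic.
    (110, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),
]


def _matches(proto, lo, hi, cidr, pkt_proto, pkt_port, pkt_ip):
    return (proto == pkt_proto and lo <= pkt_port <= hi
            and ipaddress.ip_address(pkt_ip) in ipaddress.ip_network(cidr))


def sg_allows(rules, proto, port, remote_ip):
    """Security group: any matching rule allows; there are no deny rules."""
    return any(_matches(p, lo, hi, c, proto, port, remote_ip)
               for p, lo, hi, c in rules)


def nacl_allows(rules, proto, port, remote_ip):
    """Network ACL: first matching rule (by number) decides; no match = deny."""
    for _num, action, p, lo, hi, c in sorted(rules):
        if _matches(p, lo, hi, c, proto, port, remote_ip):
            return action == "allow"
    return False


def inbound_connection_works(sg_in, nacl_in, nacl_out, proto, dst_port,
                             client_ip, client_port):
    """Does a client's request reach the instance AND does the response get out?

    Request:  NACL inbound rules (on dst_port), then the security group.
    Response: the security group is stateful, so no check; the NACL is
              stateless, so its outbound rules are checked against the
              client's ephemeral port.
    """
    request_ok = (nacl_allows(nacl_in, proto, dst_port, client_ip)
                  and sg_allows(sg_in, proto, dst_port, client_ip))
    if not request_ok:
        return False
    return nacl_allows(nacl_out, proto, client_port, client_ip)


if __name__ == "__main__":
    for label, nacl_out in (("weak", NACL_OUTBOUND_WEAK), ("fixed", NACL_OUTBOUND_FIXED)):
        ok = inbound_connection_works(SG_INBOUND, NACL_INBOUND, nacl_out,
                                      "tcp", 443, "198.51.100.7", 51000)
        print(f"HTTPS from 198.51.100.7 with {label} outbound NACL: {ok}")
```

With the weak outbound NACL the HTTPS request is accepted but the reply is dropped at the subnet boundary, which looks exactly like a security group problem until you remember that only the NACL is stateless. The deny at rule 90 also shows why rule ordering matters: the same host would be allowed by rule 110 if 90 were numbered higher.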

Weekly Activity
• This is an in-class activity.
• Time Allowed: 20 min
• You should use resources available under Amazon free tier for this activity

• You need to:

• Configure a VPC with two instances
• One instance is a web server that is to be placed in the public subnet
• The second instance is a database server that is to be placed in the private subnet
• Configure an internet gateway and a NAT gateway
• Configure the route tables accordingly
• Allocate an Elastic IP address to the web server
• The web server must reply to 'ping' packets sent to it (its security group and
NACL must allow inbound ICMP echo requests)

Review: What Did We Learn Today?
• Amazon VPC is a service that lets users launch AWS resources in a logically
isolated virtual network that users define.

• VPC closely resembles a traditional network that you would operate in your own
data center, with the benefits of using the scalable infrastructure of AWS.

• AWS enables users to create public subnets and private subnets.

• NAT gateway enables instances in private subnets to initiate connections to the
internet. It is launched in a public subnet and needs an Elastic IP address.

Next Week – What's Coming Up?

• Cloud Computing with Amazon Web Services (AWS): Storage
using Simple Storage Service (S3) and Elastic Block Store (EBS)

Suggested Reading:
• Textbook 2 Chapter 7

Any Questions?

