In a nutshell:
VPC Flow Logs take notes on all the traffic coming in and out of your VPC. These notes help you figure out whether traffic is running smoothly or if there are any issues in your network.
VPC peering links two VPCs together so they can directly communicate using their private IP addresses.
VPC endpoints let instances in your VPC talk directly to public AWS services without gateways. This keeps your data safer, makes things run quicker, and follows the rules better, especially when you don't want your computer talking to the internet all the time.
AWS PrivateLink securely connects your VPC to public AWS services and services provided by other AWS accounts.
Now that we've had the basics down, here are some more VPC concepts that will turn you into VPC pro. 😎
VPC Flow Logs
VPC Flow Logs is a feature that lets you capture information about the traffic going to and from your VPC.
- It can be applied at the VPC, subnet or even instance level. If Flow Logs is applied at the VPC level, all the instances in that VPC (e.g. load balancers, RDS) will be captured.
- The information that Flow Logs captures is a data packet's metadata. This means Flow Logs doesn't read the content inside the packet, but it reads information about the packet itself. For example, its source and destination.
- This is helpful for monitoring and troubleshooting network connectivity issues, like whether security group rules are letting the right traffic through to our instances.
- Once the information is captured, it can be stored in S3 or CloudWatch Logs. More on CloudWatch soon!
- VPC Flow Logs are not real time.
VPC peering is a way to link two VPCs together so they can directly communicate using their private IP addresses.
- VPC peers can span AWS accounts and also Regions, and the data shared is encrypted using the AWS global infrastructure.
- Note that VPC peers cannot have overlapping CIDR addresses!
- VPC peering connections are not transitive. This means you have to set up a peering connection directly between two VPCs for them to communicate. VPC A can be connected to both VPCs B and C, but B and C wouldn't be able to see or communicate with each other.
The AWS network is divided into two main zones: public and private.
- The public zone = The half of the AWS network that connects with the public internet.
- Public service = A service that sits inside the public zone, so it's connected to the open internet! S3 and DynamoDB are placed in the public zone because they are designed to be accessed over the internet. Other examples are CloudFront and Lambda.
- The private zone = The other half of the AWS network that doesn't connect to the public internet. Inside the AWS private zone, you can create an isolated environment like an Amazon VPC or create an Amazon EC2 instance (which by default it is completely isolated). But, you can add permissions for your Amazon EC2 instance or for your Amazon VPC to access the public zone or the public internet.
- Private service = A service that sits inside the private zone. They are meant to be kept internal, with no direct internet connection. EC2 and RDS are private services because they often host sensitive data or applications that are not intended for direct internet access. By default, only services inside the private zone can access all the other services inside the private zone. Other private services are Redshift and Elastic Load Balancer.
If a private service instance (e.g. an EC2 or RDS instance) wants to communicate with an AWS public service (e.g. S3), usually we'd have to set up a gateway:
- Internet gateways (which we first learnt about in the previous blog!) allow instances in a VPC to communicate with the internet, allowing both inbound and outbound traffic.
- NAT (Network Address Translation) gateways allow instances in a VPC to send outbound traffic to the internet, while preventing any inbound traffic.
Routing traffic through gateways has a few problems:
- Gateways expose instances to the public internet, which can pose security risks.
- Some compliance standards might ask companies to restrict the direct internet access that their data or applications have. Using gateways would break the rules.
- Route tables can be harder to manage if all traffic is going through a central gateway
That's where VPC endpoints come in!
VPC endpoints let instances inside your VPC connect with AWS public services without the need for a gateway.
There are two super helpful types of endpoints - gateway endpoints and interface endpoints.
- Gateway endpoints are used for connecting a private instance (that doesn't have a gateway set up) to S3 or DynamoDB.
- Interface endpoints are used for all other public services, and you have to pick the correct endpoint depending on the AWS service.
AWS PrivateLink is a service that allows you to securely and privately connect your Amazon Virtual Private Cloud (VPC) to:
- Public AWS services. Your VPC can access these services privately without the need for an internet/NAT gateway, public IP addresses, or AWS Direct Connect. It enhances security by keeping the communication within the AWS network. Yup, that means PrivateLink helps you set up both gateway and interface endpoints!
- Services provided by other AWS accounts. For example, any third-party services or apps that you want to use. Note that this feature is different from VPC peering - PrivateLink is focused on connecting to specific services from other VPCs, whereas VPC peering allows for general connectivity/communication between entire VPCs.
With PrivateLink, all network traffic stays on the global AWS backbone and never goes on the public internet.