1 VPC

VPC(Virtual Private Cloud), Virtual private cloud , It is a logically independent data center , Public cloud service providers are based on overlay The Internet ( such as VXLAN and GRE), Divide the network into independent individuals , To different tenants . Tenants can deploy their own applications and resources in this independent network without interference from other users . At the same time, with some encryption and tunneling protocols , Ensure user data and communication security , This is the virtual network provided by cloud service providers .

2 Amazon VPC

aws Of VPC There are two types of ,default VPC and nondefault VPC,

• default VPC, default VPC(172.31.0.0/16), No need to create , In the VPC Created EC2 Will bring its own public network ip
• nondefault VPC, That is, the user creates and sets it himself VPC, It can be set according to actual needs ip Network segment and other properties , In the VPC Created EC Private network is used by default ip

3 Amazon VPC Network segment

• The network segment size can only be between /16 and /28 Between , That is to say 16-65,536 individual ip Address
• After the network segment is set, it cannot be modified , Neither expanding nor shrinking , You can delete, rebuild or add another network segment
• The same VPC There can be multiple network segments , But there are certain limitations , For example, it cannot overlap with the original , You can't cross A,B,C Class address , Like it turns out to be 10. Private network address of network segment , The new network segment cannot be 172.16 perhaps 192.168

4 Amazon VPC DNS

• VPC Internal default DNS The address is network segment +2, For example, the network segment is 10.0.0.0/16, So this one VPC Of dns The address is 10.0.0.2, If there are multiple network segments , Subject to the main network segment
• DNS Query has a rate limit , Each network interface can send at most 1024 Query message , The limit cannot be adjusted , After exceeding the limit , The query request will be rejected

5 Amazon VPC Access restrictions

There are two main ways ,security groups and network ACLs, The main differences are as follows ,

however , These two are for the following AWS Home Service access is not restricted ( Self built services will still be limited ),

• AWS DNS service
• AWS DHCP service
• AWS EC2 Instance metadata
• AWS Windows Certificate activation
• AWS Time synchronization service
• default VPC router Reservations IP Address

6 Amazon VPC signal communication

6.1 Connect to the public network

• If VPC The internal instance has a public network ip, Can be directly related to Internet gateway, You can access the public network
• For private networks ip, It's possible to relate Elastic IP To use the public network ip, So as to access the public network , But this requires manual Correlation , And only one instance can use this Elastic IP. In order to improve efficiency , have access to NAT gateway.

6.2 Connect to other VPC

• VPC peering, adopt peering, You can use private ip And others VPC, And different accounts VPC, Even other region Of VPC signal communication , But these two VPC Of ip Segments cannot overlap

VPC peering Not one gateway Neither VPN Connect , Independent of other separate hardware , At the same time, it has no single point of failure and bandwidth limitations . But it needs to save the opposite end VPC Routing information for , So when VPC Many times , Maintenance will be troublesome , Consider using transit gateway

• Transit Gateway, It can be regarded as a three-layer routing device , In more than one VPC Can act as a central router , It can also be used as isolation .

6.3 Connect to the local network

• Transit Gateway, adopt transit gateway You can put the local SD-WAN The network is connected to AWS, To achieve the purpose of expansion . It also supports routing VPN Connection and AWS Direct Connect gateways. Can connect multiple VPC
• AWS VPN, Include AWS Site-to-Site VPN,AWS Client VPN,AWS VPN CloudHub And other third parties VPN Software , Can only be connected to a single VPC

6.4 Use AWS PrivateLink Connect AWS service

In addition to the above , You can also use AWS PrivateLink The way , Give Way VPC Instances in can be connected to other AWS service ,AWS PrivateLink By way of VPC The application or service in is configured as endpoint, So that the opposite end VPC Be able to connect .

Service providers ( It can be a local service ) In their own region Create a endpoint service, At the same time, you need to create a load balancer Services are used to receive and route requests .

Service consumers need to be in their own region Create a VPC endpoint, Then you can connect to the service , That is to say endpoint service. By default endpoint service Cannot be accessed by external users , You need to open the corresponding permission .

about VPC endpoint, There are three types ,

• Interface, interface endpoint adopt NLB To distribute traffic , The destination address is via DNS analysis , Only support TCP Traffic , Support AWS Direct Connect Private connection , Therefore, local services can also connect to AWS VPC Services within , The service itself needs to be charged .
• GatewayLoadBalancer, Service consumers route traffic to it ,Gateway Load Balancer Distribute traffic to use private ip Virtual network devices for , It can be expanded on demand
• Gateway, A special , Don't use AWS PrivateLink, And can only be used to connect S3 and DynamoDB, The service itself is free

S3 Support at the same time gateway endpoints and interface endpoints, However, there are the following differences ,

• gateway Way to use S3 The public ip,interface The private network address is used , But the traffic is AWS Inside
• gateway Mode does not allow local traffic
• gateway The method cannot cross region Connect ,interface Can pass VPC peering perhaps AWS Transit Gateway Secondary connection
• gateway The method is free ,interface You need to charge for your own opening

most AWS Services are supported through AWS PrivateLink visit , The specific support list can be viewed https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html

Reference documents ：

1. https://docs.aws.amazon.com/vpc/latest/userguide/how-it-works.html
2. https://docs.aws.amazon.com/vpc/latest/userguide/configure-your-vpc.html#add-cidr-block-restrictions
3. https://docs.aws.amazon.com/vpc/latest/userguide/vpc-dns.html
4. https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Security.html#VPC_Security_Comparison
5. https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html
6. https://docs.aws.amazon.com/vpc/latest/privatelink/create-interface-endpoint.html
7. https://aws.amazon.com/privatelink/features/
8. https://docs.aws.amazon.com/vpc/latest/privatelink/aws-services-privatelink-support.html
9. https://docs.aws.amazon.com/AmazonS3/latest/userguide/privatelink-interface-endpoints.html#types-of-vpc-endpoints-for-s3
   10.https://docs.aws.amazon.com/vpn/latest/s2svpn/how_it_works.html