Transcription of Amazon Virtual Private Cloud
1 Amazon Virtual Private CloudUser GuideAmazon Virtual Private Cloud User GuideAmazon Virtual Private Cloud : User GuideCopyright 2018 Amazon Web Services, Inc. and/or its affiliates. All rights 's trademarks and trade dress may not be used in connection with any product or service that is not Amazon 's, in any mannerthat is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon . All other trademarks notowned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored Virtual Private Cloud User GuideTable of ContentsWhat Is Amazon VPC? .. 1 Amazon VPC Concepts .. 1 VPCs and 1 Supported Platforms .. 1 Default and Nondefault 2 Accessing the Internet .. 2 Accessing a Corporate or Home Network .. 4 Accessing Services Through AWS PrivateLink.
2 5 How to Get Started with Amazon VPC .. 6 Using Amazon VPC with Other AWS Services .. 7 Accessing Amazon VPC .. 7 Pricing for Amazon VPC .. 8 Amazon VPC Limits .. 8 PCI DSS Compliance .. 8 Getting Started .. 9 Getting Started with IPv4 .. 9 Step 1: Create the VPC .. 10 Step 2: Create a Security Group .. 12 Step 3: Launch an Instance into Your VPC .. 14 Step 4: Assign an Elastic IP Address to Your Instance .. 15 Step 5: Clean 17 Getting Started with IPv6 .. 17 Step 1: Create the VPC .. 18 Step 2: Create a Security Group .. 20 Step 3: Launch an Instance .. 21 Scenarios and Examples .. 24 Scenario 1: VPC with a Single Public Subnet .. 24 Overview .. 24 Routing .. 26 Security .. 27 Implementing Scenario 1 .. 29 Scenario 2: VPC with Public and Private Subnets (NAT) .. 31 Overview .. 32 Routing .. 34 Security.
3 36 Implementing Scenario 2 .. 39 Implementing Scenario 2 with a NAT Instance .. 42 Scenario 3: VPC with Public and Private Subnets and AWS Managed VPN Access .. 43 Overview .. 44 Routing .. 46 Security .. 48 Implementing Scenario 3 .. 51 Scenario 4: VPC with a Private Subnet Only and AWS Managed VPN Access .. 56 Overview .. 56 Routing .. 58 Security .. 58 Implementing Scenario 4 .. 59 Example: Create an IPv4 VPC and Subnets Using the AWS CLI .. 62 Step 1: Create a VPC and Subnets .. 62 Step 2: Make Your Subnet Public .. 62 Step 3: Launch an Instance into Your Subnet .. 64 Step 4: Clean 66 Example: Create an IPv6 VPC and Subnets Using the AWS CLI .. 66 Step 1: Create a VPC and Subnets .. 67iiiAmazon Virtual Private Cloud User GuideStep 2: Configure a Public Subnet .. 68 Step 3: Configure an Egress-Only Private Subnet.
4 70 Step 4: Modify the IPv6 Addressing Behavior of the Subnets .. 71 Step 5: Launch an Instance into Your Public Subnet .. 71 Step 6: Launch an Instance into Your Private Subnet .. 72 Step 7: Clean 74 VPCs and 76 VPC and Subnet 76 VPC and Subnet 79 VPC and Subnet Sizing for 79 Adding IPv4 CIDR Blocks to a VPC .. 80 VPC and Subnet Sizing for 83 Subnet Routing .. 83 Subnet Security .. 84 Connections with Your Local Network and Other VPCs .. 84 Working with VPCs and Subnets .. 85 Creating a VPC .. 85 Creating a Subnet in Your VPC .. 86 Associating a Secondary IPv4 CIDR Block with Your VPC .. 87 Associating an IPv6 CIDR Block with Your VPC .. 88 Associating an IPv6 CIDR Block with Your Subnet .. 88 Launching an Instance into Your Subnet .. 88 Deleting Your Subnet .. 89 Disassociating an IPv4 CIDR Block from Your VPC.
5 89 Disassociating an IPv6 CIDR Block from Your VPC or Subnet .. 90 Deleting Your VPC .. 91 Default VPC and Default 92 Default VPC 92 Default 93 Availability and Supported Platforms .. 94 Detecting Your Supported Platforms and Whether You Have a Default VPC .. 94 Viewing Your Default VPC and Default Subnets .. 95 Launching an EC2 Instance into Your Default VPC .. 96 Launching an EC2 Instance Using the Console .. 96 Launching an EC2 Instance Using the Command Line .. 96 Deleting Your Default Subnets and Default VPC .. 96 Creating a Default VPC .. 97 Creating a Default Subnet .. 98IP Addressing .. 99 Private IPv4 Addresses .. 100 Public IPv4 Addresses .. 100 IPv6 Addresses .. 101IP Addressing Behavior for Your Subnet .. 102 Working with IP Addresses .. 102 Modifying the Public IPv4 Addressing Attribute for Your Subnet.
6 102 Modifying the IPv6 Addressing Attribute for Your Subnet .. 103 Assigning a Public IPv4 Address During Instance Launch .. 103 Assigning an IPv6 Address During Instance Launch .. 104 Assigning an IPv6 Address to an Instance .. 105 Unassigning an IPv6 Address From an Instance .. 105 API and Command Overview .. 105 Migrating to 106 Example: Enabling IPv6 in a VPC With a Public and Private 107 Step 1: Associate an IPv6 CIDR Block with Your VPC and Subnets .. 110 Step 2: Update Your Route Tables .. 111 Step 3: Update Your Security Group Rules .. 111 Step 4: Change Your Instance Type .. 112ivAmazon Virtual Private Cloud User GuideStep 5: Assign IPv6 Addresses to Your Instances .. 113 Step 6: (Optional) Configure IPv6 on Your Instances .. 113 Security .. 120 Comparison of Security Groups and Network ACLs.
7 120 Security Groups .. 121 Security Group Basics .. 122 Default Security Group for Your VPC .. 123 Security Group Rules .. 123 Differences Between Security Groups for EC2-Classic and EC2-VPC .. 125 Working with Security Groups .. 126 Network ACLs .. 130 Network ACL Basics .. 130 Network ACL Rules .. 130 Default Network ACL .. 131 Custom Network ACL .. 132 Ephemeral Ports .. 136 Working with Network ACLs .. 137 Example: Controlling Access to Instances in a Subnet .. 140 API and Command Overview .. 142 Recommended Network ACL Rules for Your VPC .. 143 Recommended Rules for Scenario 1 .. 144 Recommended Rules for Scenario 2 .. 146 Recommended Rules for Scenario 3 .. 153 Recommended Rules for Scenario 4 .. 159 Controlling Access .. 161 Example Policies for the AWS CLI or SDK .. 161 Example Policies for the Console.
8 168 VPC Flow Logs .. 175 Flow Logs Basics .. 175 Flow Log Records .. 176 Flow Log Limitations .. 178 Publishing to CloudWatch Logs .. 179 Publishing to Amazon S3 .. 181 Working With Flow Logs .. 184 Troubleshooting .. 188 VPC Networking Components .. 190 Network Interfaces .. 190 Route Tables .. 191 Route Table Basics .. 191 Route Priority .. 194 Routing Options .. 195 Working with Route Tables .. 198 API and Command Overview .. 202 Internet Gateways .. 203 Enabling Internet Access .. 203 Creating a VPC with an Internet Gateway .. 205 Egress-Only Internet Gateways .. 209 Egress-Only Internet Gateway Basics .. 209 Working with Egress-Only Internet Gateways .. 210 API and CLI Overview .. 211 NAT .. 212 NAT Gateways .. 212 NAT Instances .. 228 Comparison of NAT Instances and NAT Gateways .. 235 DHCP Options 237 Overview of DHCP Options Sets.
9 237 Amazon DNS Server .. 238vAmazon Virtual Private Cloud User GuideChanging DHCP 239 Working with DHCP Options Sets .. 239 API and Command Overview .. 241 DNS 241 DNS Support in Your VPC .. 242 DNS 243 Viewing DNS Hostnames for Your EC2 Instance .. 243 Updating DNS Support for Your VPC .. 244 Using Private Hosted Zones .. 245 VPC Peering .. 245 Elastic IP Addresses .. 245 Elastic IP Address Basics .. 246 Working with Elastic IP Addresses .. 246 API and CLI Overview .. 248 VPC 249 Interface Endpoints .. 250 Gateway Endpoints .. 262 Controlling Access to Services with VPC Endpoints .. 274 Deleting a VPC 275 VPC Endpoint Services .. 276 Overview .. 276 Endpoint Service Limitations .. 278 Creating a VPC Endpoint Service Configuration .. 278 Adding and Removing Permissions for Your Endpoint Service.
10 280 Changing the Network Load Balancers and Acceptance Settings .. 281 Accepting and Rejecting Interface Endpoint Connection Requests .. 282 Creating and Managing a Notification for an Endpoint Service .. 283 Using Proxy Protocol for Connection Information .. 285 Deleting an Endpoint Service Configuration .. 286 VPN Connections .. 287 AWS Managed VPN Connections .. 287 Components of Your VPN .. 288 AWS Managed VPN Categories .. 289 VPN Configuration 291 VPN Routing Options .. 293 Configuring the VPN Tunnels for Your VPN Connection .. 294 Using Redundant VPN Connections to Provide Failover .. 296 Setting Up an AWS VPN Connection .. 298 Create a Customer Gateway .. 298 Create a Virtual Private Gateway .. 299 Enable Route Propagation in Your Route Table .. 299 Update Your Security Group .. 300 Create a VPN Connection and Configure the Customer Gateway.
