This document is a supplemental README that explains additional core VPC concepts.
Benefits of a VPC
Before VPCs existed in AWS, every EC2 Instance launched in AWS was addressable by the public Internet, or any other EC2
Instance launched in AWS, even from different customers! You could block network access using security groups or OS-managed
firewalls, but this still represented a security step backward from traditional data center setups where a given server would be physically unreachable from the Internet.
VPCs are fundamentally about isolating your resources so that they're only reachable by a limited set of other resources
you define. You can set granular isolation rules by defining Route Tables for each Subnet. You can allow a limited set
of outsiders to connect to your VPC, for example, using VPN, or just by exposing a single host accessible to the public.
The general point is that you have an isolated environment you can use to lock down access.
Given all the above, an intuitive way to leverage a VPC is to make each VPC represent a unique environment by having,
for example, a prod VPC and stage VPC.
CIDR-Formatted IP Address Ranges
Because a VPC is an isolated world meant specially for your use, you can define a range of private IP addresses that the VPC
will allow. For example, we may wish to allow any IP address from 10.0.50.0 to 10.0.50.15.
But we need a more concise way to represent such an IP address range, and the de facto standard is the Classless Inter-
Domain Routing (CIDR) standard. The name is confusing but as Wikipedia explains, the concept works as follows:
Convert a base-10 IP like 10.0.50.0 to binary format: 00001010.00000000.00110010.00000000
Decide how many binary digits (or bits) we will allow to "vary." For example, suppose I want the following range of IP
addresses: 00001010.00000000.00110010.00000000 to 00001010.00000000.00110010.11111111 (10.0.50.0 to 10.0.50.255).
Notice that the first three "octets" (group of 8 bits) are the same, but the last octet ranges from 0 to 255.
Express the number of varying bits in CIDR format: <base-10-ip>/<leading-number-of-bits-which-are-fixed>. For
example, if we use the range in the previous step, we'd have 10.0.50.0/24. The first 24 bits are fixed so that the
remaining 8 bits can vary. In CIDR parlance, our "IP Address" is 10.0.50.0 and our "Network Mask" is 24.
Sometimes CIDR Ranges are called CIDR Blocks. The CIDR Block 0.0.0.0/0 corresponds to any IP address. The CIDR Block
1.2.3.4/32 corresponds to only 1.2.3.4.
You'll notice that every VPC has a CIDR Block, and indeed this represents the range of private IP addresses
which can be assigned to resources in the VPC.
Subnets
Subnets are "sub-networks", or a partition of the VPC. For example, a VPC might have the CIDR range 10.0.50.0/24
(10.0.15.0 - 10.0.15.255) and a subnet might allow just IP addresses in the range 10.0.50.0/28 (10.0.15.0 -
10.0.15.16). Note that subnets cannot have overlapping CIDR Ranges.
In addition, each subnet can have a unique Route Table.
Route Tables
Each subnet needs a Route Table so that
it knows how to route traffic within that subnet. For example, a given subnet might route traffic destined for CIDR Block
10.0.20.0/24 to a VPC Peering Connection, traffic for 10.0.10.0/24 within the VPC, and all the rest (0.0.0.0/0) to
to the Internet Gateway so it can reach the public Internet. The Route Table declares all this.
The Internet Gateway
The best way to think of an Internet Gateway
is that it's the destination that VPC traffic destined for the public Internet gets routed to. This configuration is
recorded in a Route Table.
NAT Gateways
If you launch an EC2 Instance in one of the Public Subnets defined above, it will automatically be addressable from
the public Internet and have outbound Internet access itself.
But if you launch an EC2 Instance in one of the Private Subnets defined above, it will NOT be addressable from the
public Internet. This is a useful security property. For example, we generally don't want our databases directly addressable
on the public Internet.
But what if an EC2 Instance in a private subnet needs outbound Internet access? It could route its requests to the
Internet, but there's no way for the Internet to return the response since, as we just explained, the EC2 Instance isn't
addressable from the Internet.
To solve this problem, we need our private EC2 Instance to submit its public Internet requests through another EC2 Instance
that's located in a public subnet. That EC2 Instance should keep track of where it got its original request so that it
can redirect or "translate" the response it receives back to the original requestor.
Such an EC2 Instance is called a "Network Address Translation" instance, or NAT instance.
But what if the NAT Instance goes down? Now our private EC2 Instance can't reach the Internet at all. That's why it's
preferable to have a highly available NAT Instance service, and that's what Amazon's NAT Gateway
service is. Amazon runs more than one EC2 Instance behind the scenes, and automatically handles failover if one instance dies.
VPC Endpoints
By default, when an EC2 Instance makes an AWS API call, that HTTPS request is still routed through the public Internet.
AWS customers complained that they didn't want their AWS API requests traveling outside the VPC, so AWS released a
VPC Endpoint service.
VPC Endpoints cost nothing for Gateways - that applies only for S3 and DynamoDB - but for Interfaces - which uses AWS
PrivateLink and supports the other services - they cost $0.01/hour and $0.01 per GB data processed. VPC Endpoints provide a new destination for a
Route Table so that when certain AWS API requests are made
instead of being routed to the public AWS API endpoint, they are routed directly within the VPC.
The vpc-app module supports by default Gateway endpoints. If you need Interface endpoints, there is the
vpc-interface-endpoint module.
Questions? Ask away.
We're here to talk about our services, answer any questions, give advice, or just to chat.
{"treedata":{"name":"root","toggled":true,"children":[{"name":".circleci","children":[{"name":"config.yml","path":".circleci/config.yml","sha":"175e80c17384ec99239d9b67b0aa884131c48bc9"}]},{"name":".gitignore","path":".gitignore","sha":"32845458602b36a63610885e236aecaf5d0cfb98"},{"name":".pre-commit-config.yaml","path":".pre-commit-config.yaml","sha":"8f0a49e6e74c419dd55216b6397d21c6cc2e1029"},{"name":"CODEOWNERS","path":"CODEOWNERS","sha":"8c24c86ef8447a19436b38826f458c71b4da4f45"},{"name":"LICENSE.txt","path":"LICENSE.txt","sha":"f4e3d9bd4717a044ed31ad847a300eee74371a78"},{"name":"README.md","path":"README.md","sha":"c17748ab046e1b8da9c6f128da6fb65d67c4f90e"},{"name":"examples","children":[{"name":"vpc-app-no-nat-gateway","children":[{"name":"README.md","path":"examples/vpc-app-no-nat-gateway/README.md","sha":"5327b37f00deaf545ac8aeb140841c9bee6a60b5"},{"name":"main.tf","path":"examples/vpc-app-no-nat-gateway/main.tf","sha":"974827a70c8cbd8620495f60fe17d535162dfdb0"},{"name":"outputs.tf","path":"examples/vpc-app-no-nat-gateway/outputs.tf","sha":"e5fe2a9caaa3168dd704ef17ca49fbba76b3ede7"},{"name":"vars.tf","path":"examples/vpc-app-no-nat-gateway/vars.tf","sha":"20dea2995e4f8e7b697b2d7395a7b61ab02261ac"}]},{"name":"vpc-app-subnets-disabled","children":[{"name":"README.md","path":"examples/vpc-app-subnets-disabled/README.md","sha":"ca802dd25bc96facb26771ea7af039ecbc6f19b2"},{"name":"main.tf","path":"examples/vpc-app-subnets-disabled/main.tf","sha":"c6fc8dd1dfab40e2f3f13a90f068c0bd8b070a69"},{"name":"outputs.tf","path":"examples/vpc-app-subnets-disabled/outputs.tf","sha":"6630dcfe2cf399866778a70b9f5530d99d5fc886"},{"name":"variables.tf","path":"examples/vpc-app-subnets-disabled/variables.tf","sha":"d29c3a45b54bb5e7e549d9a46d228ce7e427ad6d"}]},{"name":"vpc-app-with-endpoint","children":[{"name":"README.md","path":"examples/vpc-app-with-endpoint/README.md","sha":"d156678fe7d97d89370b1f95cf0558bf3d2a6430"},{"name":"main.tf","path":"examples/vpc-app-with-endpoint/main.tf","sha":"7fdafc96ae976643af27144b88089c86dd412766"},{"name":"outputs.tf","path":"examples/vpc-app-with-endpoint/outputs.tf","sha":"36e21a8b972bd561cbc3bdaea7b21b8982d6a662"},{"name":"variables.tf","path":"examples/vpc-app-with-endpoint/variables.tf","sha":"be23cd1bfd3a29beb63724612f6bb9a7e5bd3d25"}]},{"name":"vpc-app","children":[{"name":"README.md","path":"examples/vpc-app/README.md","sha":"5327b37f00deaf545ac8aeb140841c9bee6a60b5"},{"name":"main.tf","path":"examples/vpc-app/main.tf","sha":"c24d0db3b6fffdcc5497ecc67dd8b4d7035f307b"},{"name":"outputs.tf","path":"examples/vpc-app/outputs.tf","sha":"e5fe2a9caaa3168dd704ef17ca49fbba76b3ede7"},{"name":"vars.tf","path":"examples/vpc-app/vars.tf","sha":"20dea2995e4f8e7b697b2d7395a7b61ab02261ac"}]},{"name":"vpc-custom-cidr-blocks","children":[{"name":"README.md","path":"examples/vpc-custom-cidr-blocks/README.md","sha":"e2387ee9acf039e4bbb6f1094da014d8074ce5f3"},{"name":"main.tf","path":"examples/vpc-custom-cidr-blocks/main.tf","sha":"65670d440098a90c42b45f9679082169f754851d"},{"name":"outputs.tf","path":"examples/vpc-custom-cidr-blocks/outputs.tf","sha":"e5fe2a9caaa3168dd704ef17ca49fbba76b3ede7"},{"name":"vars.tf","path":"examples/vpc-custom-cidr-blocks/vars.tf","sha":"56d3e0ca50ded5ea2535c71f3568f3728106a42b"}]},{"name":"vpc-flow-logs","children":[{"name":"README.md","path":"examples/vpc-flow-logs/README.md","sha":"e83626d27ce68cd32c0cec0e2c12446c6dee1dd5"},{"name":"main.tf","path":"examples/vpc-flow-logs/main.tf","sha":"48c1d7c22322bbc5a3beda26239d87492262362a"},{"name":"outputs.tf","path":"examples/vpc-flow-logs/outputs.tf","sha":"1832dd649235eb4f917497c2772299c761d39dad"},{"name":"vars.tf","path":"examples/vpc-flow-logs/vars.tf","sha":"3ac7ead850b612a5973fd4c58192dc6b856330df"}]},{"name":"vpc-mgmt-no-nat-gateway","children":[{"name":"README.md","path":"examples/vpc-mgmt-no-nat-gateway/README.md","sha":"78b662b591782eed6e77684eb11521b62f4d4f3b"},{"name":"main.tf","path":"examples/vpc-mgmt-no-nat-gateway/main.tf","sha":"ca5f5dbf765092d809f6d6d8c4a0af3d1b0de841"},{"name":"outputs.tf","path":"examples/vpc-mgmt-no-nat-gateway/outputs.tf","sha":"c11cde7873d030ed8e8e44a726ee2ea19d65fcd6"},{"name":"vars.tf","path":"examples/vpc-mgmt-no-nat-gateway/vars.tf","sha":"bf7cddc01e2b42855c9c435e5c2751e010e6a435"}]},{"name":"vpc-mgmt","children":[{"name":"README.md","path":"examples/vpc-mgmt/README.md","sha":"78b662b591782eed6e77684eb11521b62f4d4f3b"},{"name":"main.tf","path":"examples/vpc-mgmt/main.tf","sha":"6a73276ce571d82b831cb598f07b746ac3985247"},{"name":"outputs.tf","path":"examples/vpc-mgmt/outputs.tf","sha":"c11cde7873d030ed8e8e44a726ee2ea19d65fcd6"},{"name":"vars.tf","path":"examples/vpc-mgmt/vars.tf","sha":"59225eb0320c7af08fa4cade7bbeaf10bdeac295"}]},{"name":"vpc-network-acls","children":[{"name":"README.md","path":"examples/vpc-network-acls/README.md","sha":"6b8ddd8abd79e960e4e77441c49e30ee6c9ffc85"},{"name":"main.tf","path":"examples/vpc-network-acls/main.tf","sha":"450769bbe8b6bbacae7daabdde8b456960206787"},{"name":"outputs.tf","path":"examples/vpc-network-acls/outputs.tf","sha":"5f59a828f7128b7bd7e52599fa794abd0f760293"},{"name":"vars.tf","path":"examples/vpc-network-acls/vars.tf","sha":"a19ecd5a9d56e8127d6dbd39ea9594b0ef49a696"}]},{"name":"vpc-peering-external","children":[{"name":"README.md","path":"examples/vpc-peering-external/README.md","sha":"845de39a9e747e109eb5128f86f71292c793c039"},{"name":"main.tf","path":"examples/vpc-peering-external/main.tf","sha":"fd13e82ef38ce5955f8252d36719d5342dae795e"},{"name":"outputs.tf","path":"examples/vpc-peering-external/outputs.tf","sha":"5239df47a80d13f33ea58412eb73a83f4ff431ed"},{"name":"vars.tf","path":"examples/vpc-peering-external/vars.tf","sha":"891f648219c644354f932af309fa3dffb0de3bd5"}]},{"name":"vpc-peering","children":[{"name":"README.md","path":"examples/vpc-peering/README.md","sha":"18591a72f62a344da3bef591e4afe7bd7546853c"},{"name":"main.tf","path":"examples/vpc-peering/main.tf","sha":"65d44785359f29e939da04effc4bde03fb9b6a60"},{"name":"outputs.tf","path":"examples/vpc-peering/outputs.tf","sha":"85acf3fc320ca7969f57133d94515e80150f7c79"},{"name":"vars.tf","path":"examples/vpc-peering/vars.tf","sha":"6a8eb9ed4db5427a9eddb3205cfca9fc7386c085"}]}]},{"name":"modules","children":[{"name":"_docs","children":[{"name":"vpc-core-concepts.md","path":"modules/_docs/vpc-core-concepts.md","sha":"6c5780d57f69364b702bbaa5337aa3a1d693370d","toggled":true},{"name":"vpc_app_architecture.png","path":"modules/_docs/vpc_app_architecture.png","sha":"1cb6d726e1a35614b27be9f3d45b9752589b9683"}],"toggled":true},{"name":"network-acl-inbound","children":[{"name":"README.md","path":"modules/network-acl-inbound/README.md","sha":"95c14fd46389871c3de62f0035d2c96ee05a6a89"},{"name":"main.tf","path":"modules/network-acl-inbound/main.tf","sha":"7c1eac78f96279359b6cb18897f8630a2cff16d9"},{"name":"vars.tf","path":"modules/network-acl-inbound/vars.tf","sha":"bd4f481efbbe1970774eded16fecc0e02aa113c5"}]},{"name":"network-acl-outbound","children":[{"name":"README.md","path":"modules/network-acl-outbound/README.md","sha":"8ab75a21400cb74a356d8dc8ccb984b5835c908e"},{"name":"main.tf","path":"modules/network-acl-outbound/main.tf","sha":"ed711e50fb32123e0ed62bb67633df2ec1d9c973"},{"name":"vars.tf","path":"modules/network-acl-outbound/vars.tf","sha":"679d04948306dcdc4e677e8bfee3653b9fb46cc3"}]},{"name":"vpc-app-network-acls","children":[{"name":"README.md","path":"modules/vpc-app-network-acls/README.md","sha":"2047f3b5a6157f6bef300626fd1a5cc914706f13"},{"name":"main.tf","path":"modules/vpc-app-network-acls/main.tf","sha":"c4a1c4a98081808ead4034339bd39f37f4b40a40"},{"name":"outputs.tf","path":"modules/vpc-app-network-acls/outputs.tf","sha":"1e48debceed70b0444a7f7c8fc4c6f90d7cd49d3"},{"name":"vars.tf","path":"modules/vpc-app-network-acls/vars.tf","sha":"337254fc497e4b87c4c95ff07aa7e5f01240d318"}]},{"name":"vpc-app","children":[{"name":"README.md","path":"modules/vpc-app/README.md","sha":"0c1a23fc7cf7df8045b5dc45def50662d21cac0a"},{"name":"main.tf","path":"modules/vpc-app/main.tf","sha":"a783358e12983f2a2ba3e45fa091a077315e7195"},{"name":"outputs.tf","path":"modules/vpc-app/outputs.tf","sha":"d1fea344767918f133bb2c4d27da0a4f60ee05c1"},{"name":"vars.tf","path":"modules/vpc-app/vars.tf","sha":"6c0d06f33628334ccf39be2c1634d48b2315dff7"}]},{"name":"vpc-dns-forwarder-rules","children":[{"name":"README.md","path":"modules/vpc-dns-forwarder-rules/README.md","sha":"e61361e740adf9b6c95de03ee3ee4044162f57b8"},{"name":"main.tf","path":"modules/vpc-dns-forwarder-rules/main.tf","sha":"3264cb717be99d4f9d3ba8395c44c4b3ba7c5087"},{"name":"variables.tf","path":"modules/vpc-dns-forwarder-rules/variables.tf","sha":"b5baaad0819ce7c23d47d1292fe0798dee12cdf5"}]},{"name":"vpc-dns-forwarder","children":[{"name":"README.md","path":"modules/vpc-dns-forwarder/README.md","sha":"0d0b4fffb15431758fd436c7cdc474bace686b7e"},{"name":"main.tf","path":"modules/vpc-dns-forwarder/main.tf","sha":"98095c1c6b9261ec5d5a0a4fbb0de0d261d6b412"},{"name":"outputs.tf","path":"modules/vpc-dns-forwarder/outputs.tf","sha":"382b7f3ae80e99cfd8325c9b4de404110e4d85ef"},{"name":"variables.tf","path":"modules/vpc-dns-forwarder/variables.tf","sha":"3c27308d90da5517d686c5bfb901801ba65637c0"}]},{"name":"vpc-flow-logs","children":[{"name":"README.md","path":"modules/vpc-flow-logs/README.md","sha":"0c6650434183731aef9332db713d02d06010d470"},{"name":"main.tf","path":"modules/vpc-flow-logs/main.tf","sha":"1cef4b9597aadd80083cfa7a76973ac095af47ec"},{"name":"outputs.tf","path":"modules/vpc-flow-logs/outputs.tf","sha":"029e23b76b63c324e836a69891a7cb452da99a06"},{"name":"vars.tf","path":"modules/vpc-flow-logs/vars.tf","sha":"bd6957b840f84f331a8011fe0cb669ba41bbaeb3"}]},{"name":"vpc-interface-endpoint","children":[{"name":"README.md","path":"modules/vpc-interface-endpoint/README.md","sha":"5c65f1eec3964b3cc00637270f252406f9247a8a"},{"name":"main.tf","path":"modules/vpc-interface-endpoint/main.tf","sha":"dab6e3712b797b934edc1eb2b3e8df3492ebac9d"},{"name":"outputs.tf","path":"modules/vpc-interface-endpoint/outputs.tf","sha":"79d037d3f3ea31cb6981c07f036e9a1704da8945"},{"name":"variables.tf","path":"modules/vpc-interface-endpoint/variables.tf","sha":"e092b663fd6d87615bbb95d42452fa72878d6436"}]},{"name":"vpc-mgmt-network-acls","children":[{"name":"README.md","path":"modules/vpc-mgmt-network-acls/README.md","sha":"a94e2d2e22373c10053a890884eb8ae777c6add1"},{"name":"main.tf","path":"modules/vpc-mgmt-network-acls/main.tf","sha":"7e5e484015cc7b6ded0d28c2b11e0361bf68a79b"},{"name":"outputs.tf","path":"modules/vpc-mgmt-network-acls/outputs.tf","sha":"7dba259d40baeee89c8ee4af63d2b3d1167e92be"},{"name":"vars.tf","path":"modules/vpc-mgmt-network-acls/vars.tf","sha":"559fb01af837e1700fc7fd650a9743f55f92a484"}]},{"name":"vpc-mgmt","children":[{"name":"README.md","path":"modules/vpc-mgmt/README.md","sha":"9dd4c2d8639e4e8833257cdb5407c3de0b3c1c00"},{"name":"main.tf","path":"modules/vpc-mgmt/main.tf","sha":"f106c0cd2f84f731ea756b794425cfec3d6f1785"},{"name":"outputs.tf","path":"modules/vpc-mgmt/outputs.tf","sha":"5c5ff7409ce2687c4c041279cb41717102d4d0a0"},{"name":"vars.tf","path":"modules/vpc-mgmt/vars.tf","sha":"682342efa6eed7bf896181063983ca4b6d6e1ebc"}]},{"name":"vpc-peering-external","children":[{"name":"README.md","path":"modules/vpc-peering-external/README.md","sha":"20b4e1dbadac81d6d5a7a6ce12b705e9d3a03c41"},{"name":"main.tf","path":"modules/vpc-peering-external/main.tf","sha":"aadc0a74ece9e121f07d189de3c6ac7ac4ed006c"},{"name":"vars.tf","path":"modules/vpc-peering-external/vars.tf","sha":"b7a9760c9a22524b8452e83d68495b31e3af18dc"}]},{"name":"vpc-peering","children":[{"name":"README.md","path":"modules/vpc-peering/README.md","sha":"56b1e169cef2f4201c8204611ea0364c5f04bf2c"},{"name":"main.tf","path":"modules/vpc-peering/main.tf","sha":"e9c4d70395e5964ae7c6d72c392dc936f4298d44"},{"name":"vars.tf","path":"modules/vpc-peering/vars.tf","sha":"60502cffac1867fa48a5f68ef6ef0aa566cef21e"}]}],"toggled":true},{"name":"terraform-cloud-enterprise-private-module-registry-placeholder.tf","path":"terraform-cloud-enterprise-private-module-registry-placeholder.tf","sha":"ae586c0fe830819580e1009d41a9074f16e65bed"},{"name":"test","children":[{"name":"README.md","path":"test/README.md","sha":"ef26d3851db2fff0b36dfa61379724c0db9ff281"},{"name":"go.mod","path":"test/go.mod","sha":"ec5387da6983f1941480ab52cb56a2227288a594"},{"name":"go.sum","path":"test/go.sum","sha":"099f6d2ad42e905152ac4cc64a480fcb0f0e6dab"},{"name":"test_helpers.go","path":"test/test_helpers.go","sha":"2e67e5e933fac462918f3c8009ef9434a6dd091f"},{"name":"vpc_app_no_nat_gateway_test.go","path":"test/vpc_app_no_nat_gateway_test.go","sha":"c23d6186a6ebb7de534c9dcc73f74a8e278cf4c2"},{"name":"vpc_app_subnets_disabled_test.go","path":"test/vpc_app_subnets_disabled_test.go","sha":"cbdbd132ce71f6e56da2dac48fd62cddc2b65b9b"},{"name":"vpc_app_test.go","path":"test/vpc_app_test.go","sha":"d564a91c16fef917f1454f6409ac55f32f1199bb"},{"name":"vpc_app_with_endpoint_test.go","path":"test/vpc_app_with_endpoint_test.go","sha":"2f92e97fcaa8c9a2444eb5e327ca21a1fb32ffc2"},{"name":"vpc_custom_cidr_blocks_test.go","path":"test/vpc_custom_cidr_blocks_test.go","sha":"056710e3d1fc6d6affc28f23caef27cac9042519"},{"name":"vpc_flow_logs_test.go","path":"test/vpc_flow_logs_test.go","sha":"7aa4a9e4fcfa99d60b054a8d33ae1c2a52991ab6"},{"name":"vpc_mgmt_no_nat_gateway_test.go","path":"test/vpc_mgmt_no_nat_gateway_test.go","sha":"98a5b6189e3651267f7038f906deaa0304fcc699"},{"name":"vpc_mgmt_test.go","path":"test/vpc_mgmt_test.go","sha":"4df8061bd0de902e3ef3d1ff56e4e32758fb8ad8"},{"name":"vpc_network_acls_test.go","path":"test/vpc_network_acls_test.go","sha":"5ed930679340c81ea7549b0a26e94566e18ce660"},{"name":"vpc_peering_external_test.go","path":"test/vpc_peering_external_test.go","sha":"2ce81263d16d2b5f7387993404bea2849ca60698"},{"name":"vpc_peering_test.go","path":"test/vpc_peering_test.go","sha":"5a806d75862d8de21f52d4682d3d32ef7ea66aed"}]}]},"detailsContent":"<h1 class=\"preview__body--title\" id=\"other-vpc-core-concepts\">Other VPC Core Concepts</h1><div class=\"preview__body--border\"></div><p>This document is a supplemental README that explains additional core VPC concepts.</p>\n<h3 class=\"preview__body--subtitle\" id=\"benefits-of-a-vpc\">Benefits of a VPC</h3>\n<p>Before VPCs existed in AWS, every EC2 Instance launched in AWS was addressable by the public Internet, or any other EC2\nInstance launched in AWS, even from different customers! You could block network access using security groups or OS-managed\nfirewalls, but this still represented a security step backward from traditional data center setups where a given server would be physically unreachable from the Internet.</p>\n<p>VPCs are fundamentally about isolating your resources so that they're only reachable by a limited set of other resources\nyou define. You can set granular isolation rules by defining Route Tables for each Subnet. You can allow a limited set\nof outsiders to connect to your VPC, for example, using VPN, or just by exposing a single host accessible to the public.</p>\n<p>The general point is that you have an isolated environment you can use to lock down access.</p>\n<p>Given all the above, an intuitive way to leverage a VPC is to make each VPC represent a unique environment by having,\nfor example, a prod VPC and stage VPC.</p>\n<h3 class=\"preview__body--subtitle\" id=\"cidr-formatted-ip-address-ranges\">CIDR-Formatted IP Address Ranges</h3>\n<p>Because a VPC is an isolated world meant specially for your use, you can define a range of private IP addresses that the VPC\nwill allow. For example, we may wish to allow any IP address from 10.0.50.0 to 10.0.50.15.</p>\n<p>But we need a more concise way to represent such an IP address range, and the de facto standard is the Classless Inter-\nDomain Routing (CIDR) standard. The name is confusing but as <a href=\"https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing\" class=\"preview__body--description--blue\" target=\"_blank\">Wikipedia</a> explains, the concept works as follows:</p>\n<ol>\n<li>\n<p>Convert a base-10 IP like <code>10.0.50.0</code> to binary format: <code>00001010.00000000.00110010.00000000</code></p>\n</li>\n<li>\n<p>Decide how many binary digits (or bits) we will allow to "vary." For example, suppose I want the following range of IP\naddresses: <code>00001010.00000000.00110010.00000000</code> to <code>00001010.00000000.00110010.11111111</code> (<code>10.0.50.0</code> to <code>10.0.50.255</code>).\nNotice that the first three "octets" (group of 8 bits) are the same, but the last octet ranges from 0 to 255.</p>\n</li>\n<li>\n<p>Express the number of varying bits in CIDR format: <code><base-10-ip>/<leading-number-of-bits-which-are-fixed></code>. For\nexample, if we use the range in the previous step, we'd have <code>10.0.50.0/24</code>. The first 24 bits are fixed so that the\nremaining 8 bits can vary. In CIDR parlance, our "IP Address" is <code>10.0.50.0</code> and our "Network Mask" is <code>24</code>.</p>\n</li>\n</ol>\n<p>Sometimes CIDR Ranges are called CIDR Blocks. The CIDR Block <code>0.0.0.0/0</code> corresponds to any IP address. The CIDR Block\n<code>1.2.3.4/32</code> corresponds to only <code>1.2.3.4</code>.</p>\n<p>You'll notice that every VPC has a CIDR Block, and indeed this represents the range of private IP addresses\nwhich can be assigned to resources in the VPC.</p>\n<h3 class=\"preview__body--subtitle\" id=\"subnets\">Subnets</h3>\n<p>Subnets are "sub-networks", or a partition of the VPC. For example, a VPC might have the CIDR range <code>10.0.50.0/24</code>\n(<code>10.0.15.0</code> - <code>10.0.15.255</code>) and a subnet might allow just IP addresses in the range <code>10.0.50.0/28</code> (<code>10.0.15.0</code> -\n<code>10.0.15.16</code>). Note that subnets cannot have overlapping CIDR Ranges.</p>\n<p>In addition, each subnet can have a unique Route Table.</p>\n<h3 class=\"preview__body--subtitle\" id=\"route-tables\">Route Tables</h3>\n<p>Each subnet needs a <a href=\"http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html\" class=\"preview__body--description--blue\" target=\"_blank\">Route Table</a> so that\nit knows how to route traffic within that subnet. For example, a given subnet might route traffic destined for CIDR Block\n<code>10.0.20.0/24</code> to a VPC Peering Connection, traffic for <code>10.0.10.0/24</code> within the VPC, and all the rest (<code>0.0.0.0/0</code>) to\nto the Internet Gateway so it can reach the public Internet. The Route Table declares all this.</p>\n<h3 class=\"preview__body--subtitle\" id=\"the-internet-gateway\">The Internet Gateway</h3>\n<p>The best way to think of an <a href=\"http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html\" class=\"preview__body--description--blue\" target=\"_blank\">Internet Gateway</a>\nis that it's the destination that VPC traffic destined for the public Internet gets routed to. This configuration is\nrecorded in a Route Table.</p>\n<h3 class=\"preview__body--subtitle\" id=\"nat-gateways\">NAT Gateways</h3>\n<p>If you launch an EC2 Instance in one of the <strong>Public Subnets</strong> defined above, it will automatically be addressable from\nthe public Internet and have outbound Internet access itself.</p>\n<p>But if you launch an EC2 Instance in one of the <strong>Private Subnets</strong> defined above, it will NOT be addressable from the\npublic Internet. This is a useful security property. For example, we generally don't want our databases directly addressable\non the public Internet.</p>\n<p>But what if an EC2 Instance in a private subnet needs <em>outbound</em> Internet access? It could route its requests to the\nInternet, but there's no way for the Internet to return the response since, as we just explained, the EC2 Instance isn't\naddressable from the Internet.</p>\n<p>To solve this problem, we need our private EC2 Instance to submit its public Internet requests through another EC2 Instance\nthat's located in a public subnet. That EC2 Instance should keep track of where it got its original request so that it\ncan redirect or "translate" the response it receives back to the original requestor.</p>\n<p>Such an EC2 Instance is called a "Network Address Translation" instance, or NAT instance.</p>\n<p>But what if the NAT Instance goes down? Now our private EC2 Instance can't reach the Internet at all. That's why it's\npreferable to have a highly available NAT Instance service, and that's what Amazon's <a href=\"http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-nat-gateway.html\" class=\"preview__body--description--blue\" target=\"_blank\">NAT Gateway</a>\nservice is. Amazon runs more than one EC2 Instance behind the scenes, and automatically handles failover if one instance dies.</p>\n<h3 class=\"preview__body--subtitle\" id=\"vpc-endpoints\">VPC Endpoints</h3>\n<p>By default, when an EC2 Instance makes an AWS API call, that HTTPS request is still routed through the public Internet.\nAWS customers complained that they didn't want their AWS API requests traveling outside the VPC, so AWS released a\n<a href=\"http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html\" class=\"preview__body--description--blue\" target=\"_blank\">VPC Endpoint</a> service.</p>\n<p>VPC Endpoints cost nothing for Gateways - that applies only for S3 and DynamoDB - but for Interfaces - <a href=\"https://aws.amazon.com/privatelink/pricing/\" class=\"preview__body--description--blue\" target=\"_blank\">which uses AWS\nPrivateLink</a> and supports the <a href=\"https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html\" class=\"preview__body--description--blue\" target=\"_blank\">other services</a> - they cost $0.01/hour and $0.01 per GB data processed. VPC Endpoints provide a new destination for a\nRoute Table so that when certain AWS API requests are made\ninstead of being routed to the public AWS API endpoint, they are routed directly within the VPC.</p>\n<p>The <code>vpc-app</code> module supports by default Gateway endpoints. If you need Interface endpoints, there is the\n<code>vpc-interface-endpoint</code> module.</p>\n","repoName":"terraform-aws-vpc","repoRef":"v0.13.0","serviceDescriptor":{"serviceName":"Virtual Private Cloud (VPC)","serviceRepoName":"terraform-aws-vpc","serviceRepoOrg":"gruntwork-io","cloudProviders":["aws"],"description":"Create a Virtual Private Cloud (VPC). Includes multiple subnet tiers, NACLs, NAT gateways, Internet Gateways, and VPC peering.","imageUrl":"vpc.png","licenseType":"subscriber","technologies":["Terraform"],"compliance":[],"tags":[""]},"serviceCategoryName":"Networking","fileName":"vpc-core-concepts.md","filePath":"/modules/_docs/vpc-core-concepts.md","title":"Repo Browser: Virtual Private Cloud (VPC)","description":"Browse the repos in the Gruntwork Infrastructure as Code Library."}
.circleci
vpc_app_architecture.png
