Networking 101 - Part 3

10 minute read

Content level: Foundational

This article introduces beginners to Amazon VPC, providing foundational knowledge on cloud network connectivity within the AWS environment.

Overview

In our previous articles, Networking 101 - Part 1 and Part 2, we explored the fundamentals of networking and the basics of VPCs in AWS. Building on this foundation, Part 3 delves deeper into VPC security, focusing on the crucial aspects of Security Groups, Network ACLs, and monitoring with VPC Flow Logs. Additionally, we discuss optimizing VPC cost efficiency and understanding AWS VPC quotas.

This article highlights the versatility of Amazon VPC through various use cases, demonstrating its capability to provide secure, scalable, and isolated environments for different applications in the cloud. Whether you're new to networking or aiming to enhance your AWS knowledge, this series aims to equip you with the essential concepts and skills to effectively manage and optimize VPCs in the AWS environment.

VPC Security Strengthening

VPC Security Strengthening Images

In the previous installment of Networking 101 - Part 2, you learned about controlling network access within your Virtual Private Cloud (VPC) through two key mechanisms:

Security Groups: These function as firewalls, permitting only authorized traffic and routing it to specific parts of your network. For instance, if you wish to restrict traffic to a particular resource, you can configure a security group to authorize and route traffic exclusively to that resource, enhancing security.
Network ACLs (Access Control Lists): These provide an additional layer of stateless, granular security if needed. They are considered stateless because allowing inbound traffic does not automatically permit outbound traffic.

When troubleshooting issues related to accessing resources in your VPC, it's advisable to begin by examining these security components. Often, such issues stem from misconfigurations within these components.

Monitoring Your VPC with VPC Flow Logs

Security in your network isn't just about controlling who can access it; it's also crucial to monitor and audit access patterns over time. AWS provides an easy way to monitor your VPC using VPC Flow Logs.

💡 VPC Flow Logs enable you to capture data about the traffic going to and from the network interfaces in your VPC. This constant auditing helps you track who is accessing your network and when they are doing so.

You can choose to store VPC Flow Logs data in Amazon CloudWatch or Amazon S3. This flexibility allows you to analyze the logs for networking monitoring, security analysis, and expense optimization. For storing VPC Flow Logs, S3 is a more cost-effective option compared to CloudWatch, especially for larger volumes of data. CloudWatch's pricing based on volume tiers can result in higher costs, while S3's tiered pricing structure offers more cost-effective options for organizations with substantial log data storage requirements.

Monitoring VPC flow logs delivered to CloudWatch logs

When monitoring VPCs and sending 50 terabytes (TB) of ingested VPC Flow Logs to CloudWatch Logs per month, with data archived for one month, the charges are calculated as follows:

Monthly charges for log ingestion:

   0 to 10TB @$0.50 per GB = 10 * 1,024 * $0.50 = $5,120.00
   10TB to 30TB @$0.25 per GB = 20 * 1,024 * $0.25 = $5,120.00
   30TB to 50TB @$0.10 per GB = 20 * 1,024 * $0.10 = $2,048.00
   Total log ingestion charges: $5,120.00 + $5,120.00 + $2,048.00 = $12,288.00

Monthly charges for log archival (assuming log data compresses to 25TB [50%]):

   25TB @ $0.03 per GB = 25 * 1024 * 0.03 = $768.00

💲Monthly charges for CloudWatch: $12,288.00 (log ingestion) + $768.00 (log archival) = $13,056.00

Monitoring VPC flow logs delivered to S3

When monitoring VPCs and sending 50TB of ingested VPC Flow Logs, formatted in Apache Parquet, directly to S3 per month, with the data archived for one month, the charges are as follows:

Monthly charges for log ingestion:

   0 to 10TB @$0.25 per GB = 10 * 1,024 * $0.25 = $2,560.00
   10TB to 30TB @$0.15 per GB = 20 * 1,024 * $0.15 = $3,072.00
   30TB to 50TB @$0.075 per GB = 20 * 1,024 * $0.075 = $1,536.00
   Total Ingestion Charges = $2,560 + $3,072 + $1,536  = $7,168.00

Optional monthly charges for Apache Parquet format conversion:

   50TB @$0.03 per GB = 50 * 1,024 * $0.03 = $1,536.00

Monthly charges for log archival (assuming log data compresses to 25TB [50%]):

   25TB @ $0.023 per GB = 25 * 1024 * 0.023 = $588.80

💲Monthly charges for S3: $7,168.00 (log ingestion) + $1,536.00 (Apache Parquet) + $588.80 (log archival) = $9,292.80

⚠️ Volume tiers reset at the beginning of each month.

💡 Remember, effective auditing of your VPC is crucial for security and performance. VPC Flow Logs provide the necessary visibility to make informed decisions and enhance your network's security and efficiency.

VPC Cost Efficiency

It's important to understand that there are no charges for creating and using a VPC. However, certain optional VPC capabilities incur usage-based charges. Here's a breakdown of the cost structure for various VPC components:

VPC Component	Charge Type	Charged For	Not Charged For
VPC	No charge	-	Creating and using a VPC
Subnets	No charge	-	Creating and using subnets
Route Tables	No charge	-	Creating and using route tables
Internet Gateway	No charge	-	Attaching to a VPC
NAT Gateway	Usage-based (hourly)	Number of NAT gateways and data processed	-
VPC Endpoints	Usage-based (hourly/data)	Number of VPC endpoints and data processed	-
Elastic IP Addresses (EIPs)	Usage-based	Number of EIPs allocated and not associated	EIPs associated with a running instance
VPC Peering	Usage-based (data transfer)	Data transfer between peered VPCs	Creating and accepting VPC peering connections
VPN Connection	Usage-based (hourly/data)	VPN connection hours and data transfer	-
IP Address Manager (IPAM)	Usage-based (monthly)	Number of IPAM pools and usage	-
Network ACLs	No charge	-	Creating and using network ACLs
Security Groups	No charge	-	Creating and using security groups
IPv4 Addresses	Usage-based (hourly)	All public IPv4 addresses attached and not to a service	-

⚠️ This table is based on typical AWS VPC pricing models as of the last update. Prices and components can vary based on region and specific configurations. Always refer to the AWS VPC Pricing page for the most up-to-date information.

💡 In addition to the above, you will also be billed for services that you launch into your VPC, such as Amazon EC2 or Amazon RDS.

VPC Quotas in AWS

When working with VPCs in AWS, it's crucial to be aware of the default limits imposed by the service. Each AWS account is limited to a maximum of five VPCs per Region. This quota is in place to help manage resources efficiently and ensure optimal performance.

If your project requires more than five VPCs in a single Region, you have the option to request an increase in this limit. To do so, you'll need to contact AWS Support and submit a service limit increase request. This process involves providing details about your use case and justifying the need for additional VPCs.

For more information on VPC quotas and how to request a limit increase, you can visit the AWS Service Quotas documentation and the AWS Support page for guidance on opening a support ticket.

Use Cases of Amazon VPC

As you've learned from the previous article, Amazon VPC enables users to establish a virtual network within the AWS ecosystem, offering full control over the virtual networking environment. These use cases demonstrate Amazon VPC's versatility in delivering secure, scalable, and isolated environments for a variety of applications and scenarios:

Case 1: Hosting a Public Website

In this scenario, a company uses Amazon VPC to host a public-facing website. The presentation tier with web servers is placed in public subnets, allowing internet users to access the website. The application and database tiers are placed in private subnets for security. This setup ensures that the website is available to the public while keeping the business logic and data secure.

Case 2: Internal Application for Employees

A company sets up an internal application (e.g., an intranet) within a VPC, accessible only by its employees. All three tiers (presentation, logic, and data) are placed in private subnets. Employees connect to the VPC over a VPN to access the application. This use case ensures that sensitive internal applications are not exposed to the public internet.

Case 3: Hybrid Cloud Integration

Case 3: Hybrid Cloud Integration In this use case, a company integrates its on-premises data center with its cloud infrastructure in AWS using Amazon VPC. The company uses a VPN or AWS Direct Connect to securely connect its on-premises network to the VPC. This setup allows seamless integration between on-premises and cloud resources, enabling the company to leverage the scalability and flexibility of the cloud while retaining some workloads on-premises.

Case 4: Multi-Tier Application with Microservices

A company deploys a multi-tier application with microservices architecture within a VPC. Each microservice is placed in its own private subnet, and communication between microservices is secured using security groups and NACLs. This setup provides isolation for each microservice, enhancing security and scalability. A public-facing load balancer in a public subnet routes incoming traffic to the appropriate microservices in the private subnets.

Summary

In Networking 101 - Part 3, the focus is on enhancing VPC security through Security Groups and Network ACLs, critical for managing network access effectively. The article also emphasizes the importance of monitoring VPCs using VPC Flow Logs to track and analyze traffic patterns. Furthermore, it discusses optimizing VPC costs by detailing charges for different components and the significance of understanding VPC quotas in AWS.

Moreover, the article explores the versatility of Amazon VPC through various use cases, illustrating its capability to provide secure, scalable, and isolated environments for hosting public websites, internal applications, hybrid cloud integration, and multi-tier applications with microservices architecture.

In the upcoming articles of this series, we will delve into more advanced networking topics and practical applications. Whether you are a beginner looking to start in networking or someone deeply interested in AWS and cloud technology, this series aims to equip you with the knowledge and tools to navigate the digital landscape confidently.

🙏 If you found this article informative and helpful, please consider sharing it with your friends and colleagues who might also benefit from this knowledge. Your support through likes and shares is greatly appreciated and motivates to continue creating valuable content for our readers.

Topics

Networking & Content Delivery

Relevant content

Networking 101 - Part 2
EXPERT
Osvaldo Marte
published a month ago
Networking 101 - Part 1
EXPERT
Osvaldo Marte
published a month ago
Deploying a web app to an AWS IoT Greengrass Core device - Part 2
EXPERT
MassimilianoAWS
published a year ago
Character Import Using Mixamo/Fuse and Gepetto (3 Parts)
rePost-User-9018410
asked 7 years ago
Unable to connect (101: Network is unreachable)
akimisri
asked 7 months ago
Beanstalk Network configuration - This environment is not part of a VPC.
Accepted Answer
rePost-User-0208928
asked a year ago
What should I do when my Amazon ECS cluster fails to delete as part of an AWS CloudFormation stack?
AWS OFFICIALUpdated a year ago
How can I delete a subnet that is part of an Amazon RDS DB subnet group?
AWS OFFICIALUpdated a year ago
How do I use the AWS CLI to upload a large file in multiple parts to Amazon S3?
AWS OFFICIALUpdated a year ago
How do I include my dedicated IP address as part of my default IP pool on Amazon SES?
AWS OFFICIALUpdated 8 months ago