Amazon Virtual Private Cloud
Create a logically isolated virtual network in the AWS cloud.
Amazon VPC (Amazon Virtual Private Cloud) is a service that allows you to deploy AWS resources in a logical, isolated virtual network that you define. You have complete control over your virtual network environment, including choosing your IP address range, creating subnets, and configuring route tables and network gateways. You can use both IPv4 and IPv6 for most resources in your virtual private cloud, helping to ensure easy and seamless access to resources and applications.
As a foundational AWS service, Amazon VPC makes it easy to customize your VPC network configuration. You can create a public subnet for your web servers that have access to the internet. It also allows you to place your backend systems, such as database or application servers, in a private subnet facing the internet without access. Amazon VPC lets you use multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.
Benefits of using Amazon Virtual Private Cloud (Amazon VPC)
Programmable Virtual Network
Amazon VPC helps you control your virtual network space by allowing you to choose your own IP address range, create custom subnets, and configure route tables on any available gateway. You can customize your network configuration by creating a public subnet for your web servers that access the Internet. Put your backend systems, such as databases or application servers, in a private subnet. With Amazon VPC, you can ensure that your virtual private cloud is configured to meet your specific business needs.
Simple to Set Up and Use
With Amazon VPC’s simple setup, you spend less time setting up, managing, and validating, so you can focus on building the applications that run in your VPCs. You can easily create a VPC using the AWS Management Console or the Command Line Interface (CLI). As you choose from common network configurations and find the best match for your needs, VPC automatically creates the subnets, IP ranges, route tables, and security groups you need. Once your network is configured, you can easily verify it with Reachability Analyzer.
Secure and Monitored Network Connections
Amazon VPC provides advanced security features that allow you to perform inbound and outbound filtering at the instance and subnet level. In addition, you can store data in Amazon S3 and restrict access so that it can only be accessed from instances within your VPC. Amazon VPC also has monitoring features that allow you to perform functions such as out-of-band monitoring and internal traffic inspection, which help you protect your traffic.
Use cases
Back up and recover your data after a disaster
By using Amazon VPC for disaster recovery, you get all the benefits of a disaster recovery site at a fraction of the cost. You can periodically back up your critical data center data to a small number of Amazon EC2 instances with large volumes of Amazon Elastic Block Store (EBS) or import your virtual machine images into Amazon EC2. To ensure business continuity, Amazon VPC lets you quickly provision alternative compute capacity on AWS. When the disaster is over, you can send your mission-critical data to your data center and terminate the Amazon EC2 instances you no longer need.
Multi-tier web application hosting
Host multi-tier web applications and enforce strict access and security restrictions between your web servers, application servers, and databases. When running your application servers and databases on private subnets, run the web servers on a publicly accessible subnet. This ensures that the application servers and database servers are not directly accessible from the internet. Control access between servers and subnets using inbound and outbound packet filtering provided by network access control lists and security groups. To create a VPC that supports this use case, you can select “VPC with public and private subnets” in the Amazon VPC console wizard.
Host a Simple, Public Website
Host a basic web application, such as a blog or a simple website, in a VPC and gain the additional layers of privacy and security provided by Amazon VPC. You can help secure your website by creating security group rules that allow the web server to respond to incoming HTTP and SSL requests from the internet while simultaneously preventing the web server from initiating outbound connections to the internet. Create a VPC that supports this use case by selecting “VPC with only a single subnet” from the Amazon VPC console wizard.
Securely connect cloud applications to your data center
An IPsec VPN connection between your Amazon VPC and your corporate network encrypts all communications between application servers in the cloud and databases in your data center. Web servers and application servers in your VPC can take advantage of Amazon EC2 Elasticity and Auto Scaling to grow and shrink as needed. Create a VPC to support this use case by selecting “VPC with public and private subnets and hardware VPN access” in the Amazon VPC console wizard.
Extend your corporate network to the cloud
Move corporate applications to the cloud, deploy additional web servers, or add more compute capacity to your network by connecting a VPC to your corporate network. Because your VPC can be hosted behind your corporate firewall, you can seamlessly move your IT resources to the cloud without changing how users access those applications. Additionally, you can host your VPC subnets on AWS Outposts, a service that brings native AWS services, infrastructure, and operating models to virtually any data center, colocation space, or on-premises facility. Select “VPC with private subnet and hardware VPN access only” from the Amazon VPC console wizard to use this VPC support.
Success stories of some companies
“The integration of the VM-Series Virtual Next-Generation Firewall with the new Amazon VPC Ingress Routing feature makes it very easy for customers to ensure that all traffic inbound to their VPC is filtered through our threat prevention services. By inserting a VM-Series Virtual Firewall as a wiretap into their brownfield environment, customers can seamlessly protect inbound traffic from the Internet and their data centers.”
– Mukesh Gupta, VP, Product Management, VM Series
“Amazon VPC Ingress Routing allows Fortinet to provide customers with greater security by enabling Fortinet network security on any traffic entering their mission-critical VPC. VPC Ingress Routing also enables much more flexible solutions that support different workloads with separate Fortinet products in a VPC. Ultimately, a more secure and flexible architecture helps customers reduce the risks associated with misconfigurations and further expand cloud deployments.”
– Lior Cohen, Senior Director of Security Products and Cloud Solutions, Fortinet
“Our enterprise customers typically use AWS Transit Gateway to deploy CloudGuard Advanced Threat Prevention, but this is not a good fit for small and medium-sized enterprises with a limited number of VPCs. Enhancing VPC ingress routing provides customers with a simpler and more efficient way to reroute traffic that is being routed to a VPC for enhanced security.”
– Zohar Alon, Head of Cloud Products, Check Point Software
“VPC Ingress Routing allows our customers to inspect all external traffic before it reaches the Barracuda CloudGen firewall. With VPC Ingress Routing, customers can now apply custom deep packet inspection policies based on their destination. Amazon Native VPC Ingress Routing makes it easier for our customers to deploy VPCs and leverage the cloud security solutions in the Barracuda line.”
– Klaus Ghery, GM/VP Network Security, Barracuda Networks
“It is absolutely critical that organizations secure cloud infrastructure – including inbound traffic – as cybercriminals increasingly target these areas and launch sophisticated attacks. AWS and Sophos are teaming up on cloud security. With extensive support for inbound routing, Sophos UTM provides an added layer of security to ensure traffic flowing through and into the VPC is protected.”
– Andy Miller, Senior Director, Global Public Cloud, Sophos
“IBM Security helps clients maximize the effectiveness of their AWS security controls. We help our clients design their security architecture, as well as select and deploy AWS controls that provide the highest level of security. Amazon VPC ingress routing gives us the flexibility to deploy security solutions at the edge of the VPC, enabling us to view and intercept north-south traffic before it reaches the loads in the VPC.”
– Mike Sanders, Program Manager, Cloud Security Strategy, IBM Security Services
“Valtix is revolutionizing cloud-native network security by discovering applications, then applying network security and continuously defending those applications across AWS regions. Amazon VPC ingress routing allows Valtix cloud-native firewall clusters to route application traffic across the internet and inter-network in a VPC, achieving complete network traffic visibility for enterprise applications running on AWS.”
– Vijay Chander, CTO, Valtix
“In today’s world of highly mobile workforces and globally distributed business environments, Forcepoint’s cloud-enabled NGFW enables secure, unhindered access to critical data and intellectual property from anywhere while mitigating the risk of zero-day attacks and other emerging threats in an organization’s hybrid technology stack. In addition to Amazon VPC ingress routing, the Forcepoint NGFW allows customers to gain greater flexibility in network security segmentation and leverage its security features, in the same way we leverage them within Forcepoint’s security platforms to deliver dynamic edge protection services.”
– Nicholas Fischbach, Global CTO, Forcepoint
“Enterprises need more secure and reliable connections to their Amazon VPC from their data center, and 128 Technology’s Session Smart Router offers customers a higher level of security, reliability, and reduced complexity. With the addition of VPC ingress routing, our customers will have even more control over the amount of traffic entering Amazon VPC. 128 Technology is pleased to be among a select group of ecosystem partners supporting this service.”
– Andy Avery, CEO, 128 Technology
“The recently announced enhancements to Amazon VPC ingress routing, combined with Amazon VPC Traffic Mirroring, allow NETSCOUT to effectively monitor and control intra- and inter-VPC traffic in AWS to provide seamless visibility across the data center, AWS, and hybrid cloud.”
– Bruce Kelly, Jr., Senior Vice President, Chief Technology Officer, Service Provider, NETSCOUT
“With our cloud-native network detection and response platform, Lastline is working closely with AWS to deliver security improvements to our customers’ data on AWS. Amazon VPC ingress routing enables us to offer our customers unparalleled flexibility and internal traffic visibility into their AWS network.”
– Christopher Krugel, PhD, Founder and Chief Product Officer, Lastline
“Amazon VPC Ingress Routing allows our customers to filter all external traffic before it reaches the subnets. It is a native version of Amazon VPC, making it easier to deploy and network responsive for the cloud.”
– Kevin Shu, Vice President of Product Marketing at Vectra
“ShieldX Elastic Security Platform (ESP) is built to secure modern, multi-cloud data centers. ESP is an agentless, cloud-agnostic solution designed to deliver comprehensive, consistent security controls to protect dynamic data centers, cloud infrastructure, applications, and data, no matter where they are or where they go. As an AWS partner, ShieldX integrates with AWS networking functions such as VPC Traffic Mirroring and VPC Ingress Routing to enable continuous asset discovery, automated network security policy generation, and Layer 7 inspection. Together, the companies provide a comprehensive solution for monitoring and preventing north/south and east/west network traffic in the AWS public cloud.”
– Ken Levine, CEO, ShieldX
“The Versa SD-WAN management and orchestration platform provides workflow automation, including provisioning and enabling edge WAN devices on AWS. Now, customers can also leverage Amazon VPC ingress routing to direct traffic flowing from the VPC, through the Internet gateway and virtual private gateway, into the Versa NGFW security appliance.”
– Chief Marketing Officer, Versa Networks
“FireEye Network Security customers already benefit from the ability to apply advanced threat protection and breach detection to their AWS environment. The announcement of Amazon VPC Ingress Routing makes it even easier to deploy FireEye Network Security on AWS. This new feature allows you to route northbound and southbound traffic through your VPC via the Internet Gateway and Virtual Private Gateway to third-party appliances, eliminating the need for NAT gateways. This allows customers to direct traffic to specific appliances for specialized scanning. FireEye customers benefit from ease of deployment and tighter integration with their private, public, and private cloud data centers.”
– Ramesh Gupta, General Manager of Network Security Products, FireEye
“Trend Micro provides multi-layered hybrid cloud security to thousands of customers on AWS. Amazon VPC ingress routing enables broad adoption and increased deployment flexibility for cloud network security solutions, allowing our customers to quickly and at scale protect their AWS VPC, without disrupting their business applications.”
– Steve Cowan, Executive Vice President, Cloud Defense Network and Hybrid Security, Trend Micro
“Today’s users don’t care where the applications they need to do their jobs are hosted. They just want them to operate in a consistent and reliable way so they can get things done. Through the integration between Citrix® ADC and Amazon VPC ingress routing from AWS, we can bring a proven, enterprise-class solution in a convenient delivery model to the masses, providing a high-performance experience that empowers people to do their best work.”
– Mihir Maniar, Vice President of Product Management, Networking, Citrix
“With the new Amazon VPC Ingress Routing enhancement, customers can now route VPC network traffic through advanced linear services. Aviatrix’s cloud-native networking software embraces and extends native AWS services – in this case, the new VPC Ingress Routing combined with AWS GuardDuty services to provide ingress and egress enforcement policies through Aviatrix gateways.”
– Sherry Wei, Founder and Chief Product Officer, Aviatrix
Get Started with Amazon VPC
You can automatically provision AWS resources in a ready-to-use default VPC. Configure this VPC by adding or removing subnets, attaching network gateways, changing the default route table, and modifying network ACLs.
Create an additional VPC by selecting the “Start VPC Wizard” button from the Amazon VPC page in the AWS Management Console. You are presented with four basic network topologies. Select the one that most closely resembles the network topology you want to create and click the “Create VPC” button. You can then further customize the topology to suit your needs. Shortly after, you can launch Amazon EC2 instances inside your VPC.
ITPIRAN
