# VPC

## VPC (Virtual Private Cloud)

This is your private section of AWS, where you place AWS resources and allow or restrict access to them.

* exists within a single AWS region
* user-defined IP address range

![](https://415484505-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LxtoAXZwwOc4XGto8vb%2Fuploads%2FBhrUTQbmkOlaE3hDfyUn%2FScreenshot%202021-10-31%20at%2011.23.57.png?alt=media\&token=99cc88f0-772e-47e3-aa81-fc177454ea22)

![](https://415484505-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LxtoAXZwwOc4XGto8vb%2Fuploads%2FdA5LQOPrQ0nPUKdzyou8%2FScreenshot%202021-10-31%20at%2019.25.38.png?alt=media\&token=172534b6-d76f-412f-873c-79a1ef538590)

![](https://415484505-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LxtoAXZwwOc4XGto8vb%2Fuploads%2FRpbOHFJXACkm059eZZaE%2FScreenshot%202021-10-31%20at%2019.39.21.png?alt=media\&token=a199e6cf-e560-45da-a845-d149550e5fc5)

![](https://415484505-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LxtoAXZwwOc4XGto8vb%2F-M8UPC0pCtd16d7pMoP2%2F-M8UPTdJbk7U4G8bn2-_%2FScreen%20Shot%202020-05-29%20at%2009.50.44.png?alt=media\&token=e1f8843d-f90b-45ac-8bcc-008ea067c997)

### Internet gateway (IGW)

Provides your private network with a route to the world outside the VPC.

* IGW \<one-to-one> VPC
* ```
  if (VPC contains active resources) {
      IGW cannot be detached from the VPC
  }
  ```

### Route tables (RTs)

RTs contain rules (routes) that determine where network traffic is directed.

* `172.31.0.0/16` -> `local`
  * if the destination IP address falls in this range => communication is kept local inside the VPC
* `0.0.0.0/0` -> `igw-<some-id>`
  * if the destination IP is not in the range above (172.31...) => communication is directed through the IGW out to the internet
  * ```
    if (IGW is detached) {
        RTs still direct traffic to the IGW
        but the IGW has no connection to the outside world
    }
    ```
  * ```
    if (detach IGW_1 & attach IGW_2 for VPC) {
        update_RTs_routes()
    }

    func update_RTs_routes() {
        delete the route for IGW_1
        add a "0.0.0.0/0" route to IGW_2
    }
    ```

### Network Access Control List (NACL)

It is an **optional layer of security for the VPC** that acts like a firewall controlling traffic in and out of one or more subnets.

![](https://415484505-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LxtoAXZwwOc4XGto8vb%2F-M8UPjgBmWIOnGG5VnSy%2F-M8UR0AEGZDNACCN3JB8%2FScreen%20Shot%202020-05-29%20at%2009.57.39.png?alt=media\&token=1d387c30-0cbf-4d22-a048-b905eae526bf)

Rules:

* numbered (processed from lowest to highest)
  * The first rule that applies to the traffic type is applied immediately, regardless of the rules that come after it (higher rule numbers)
* "\*" is the default rule (i.e. if no numbered rule explicitly allows the traffic => the default rule DENIES it)

:bulb: Subnet <-1-1-> Network ACL (a subnet can be associated with only one NACL)

:warning: Whenever you have a connectivity problem with a service => check the NACL
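The rule-evaluation order described above, as an added example that is not part of the original notes: rules are tried from the lowest number upward, the first match wins, and the catch-all `*` rule denies anything left over. The inbound rule set is constructed for illustration and does not come from any real account.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NaclRule:
    number: int        # rule number; lower numbers are evaluated first
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int     # inclusive port range the rule applies to
    port_to: int
    cidr: str          # source range for an inbound rule
    action: str        # "allow" or "deny"


def evaluate_nacl(rules, ip, protocol, port):
    """Return (action, rule_number) of the first matching rule in
    ascending number order; ("deny", "*") if nothing matched."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if not (rule.port_from <= port <= rule.port_to):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action, rule.number   # first hit wins, later rules ignored
    return "deny", "*"                    # the implicit default rule


# Constructed inbound rule set (hypothetical).
# Rule 50 deliberately sits below rule 100: a single host is denied
# HTTPS even though rule 100 allows HTTPS from everywhere.
INBOUND = [
    NaclRule(50, "tcp", 443, 443, "198.51.100.7/32", "deny"),
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(110, "tcp", 22, 22, "203.0.113.0/24", "allow"),
    NaclRule(120, "tcp", 22, 22, "0.0.0.0/0", "deny"),
]

if __name__ == "__main__":
    for ip, port in [("198.51.100.7", 443), ("192.0.2.9", 443),
                     ("203.0.113.5", 22), ("192.0.2.9", 22), ("192.0.2.9", 80)]:
        print(ip, port, evaluate_nacl(INBOUND, ip, "tcp", port))
```

The last case (port 80) hits no numbered rule at all, which is exactly the "forgot to allow it" situation the warning above tells you to look for.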

### Subnet

:bulb: One subnet cannot span more than one availability zone.

![](https://415484505-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LxtoAXZwwOc4XGto8vb%2F-M8o49HRh4azW17zNy9t%2F-M8o4fX3PhcIELu4wDcU%2FScreen%20Shot%202020-06-02%20at%2010.12.05.png?alt=media\&token=a0e3eeb7-9385-4e37-8537-9f16fba12962)

Subnet <=> Route table. So if the route table has no route to the internet => the subnet is private.

### Availability zone

When you create a VPC => **it spans all of the Availability zones in the region**. After creating a VPC, you can add **one or more subnets in each Availability zone**.

* High availability
  * I can always access my data in the cloud
  * My website never crashes and is always available to customers
* Fault tolerance
  * If a web server fails => a backup server immediately takes over
  * If something in the system fails => it can repair itself
