One of the tradeoffs that come with cloud's benefits -- flexibility, scalability, automation -- is that IT teams must assume less control over the infrastructure. Fortunately, when it comes to networking, you can still exercise significant control in the Amazon Web Services cloud through its virtual private cloud.
Amazon virtual private cloud allows users to create logically isolated pools of resources within the Amazon cloud infrastructure. Systems designers and administrators can logically organize multi-tier application servers into subnets with security and firewall configurations that meet their particular requirements.
Because you can create subnets as needed, you can deploy servers in different network configurations. For example, you can deploy a set of Web servers and a load balancer in a subnet with access to the Internet. You also can have application and database servers running in a subnet isolated from the Internet but still accessible to your Web servers. In addition to creating public and private subnets, you can connect your VPC to your organization's data center and route traffic through your on-premises network. VPCs are available in four configurations: VPC with a public subnet only; VPC with public and private subnets; VPC with public and private subnets and hardware VPN access; and VPC with private-only subnet and hardware VPN access.
Amazon VPC setup and management
Amazon Web Services' VPC Wizard gives you a straightforward way to set up a virtual private cloud. The wizard guides you in creating an Internet gateway, which allows access to the Internet and important Amazon services, such as Simple Storage Service (S3) object storage. As mentioned before, you can also create subnets within your VPC using this wizard; each subnet is assigned an IP address range. The number and types of subnets you need will depend on your security requirements, but with subnets defined, you will create routing rules to control the flow of traffic between subnets and the Internet.
Amazon implements firewall services through an abstraction called a security group. Security groups are sets of inbound and outbound network traffic rules associated with subnets. When a VM instance is created, users of Amazon VPC can specify rules for security groups. These rules define the type of traffic (e.g. HTTP, FTP) allowed for servers within the security group. To enable Remote Desktop Protocol, or RDP, for remote Windows administration, specify the public IP address range of your corporate network along with port 3389.
Private IP addresses are assigned to VM instances when they are created. You can add a public IP address from your pool of elastic IP addresses as well.
As with other Amazon services, you can manage your VPC through the Amazon Management Console, through the command-line interface or through APIs.
VPC pricing snags and details
There are no additional charges for using an Amazon virtual private cloud -- unless you implement a hardware VPN connection. If so, you will be charged 5 cents per connection-hour, along with data transfer charges. A connection-hour occurs when the VPN connection is provisioned and available. It is important to note that you are not charged data transfer charges for accessing AWS services over your VPC Internet gateway, but only for accessing AWS services using the VPN. With this charge model, you don't incur costs when you access S3 data from a server within the VPC, for example, because that data is transferred through the VPC's Internet gateway.
If you plan to use a VPN, see Amazon's documentation for information on the types of gateway devices you can use with VPC.
If you have designed your systems to take advantage of multiple availability zones to improve reliability and performance, you can still use VPCs. They can span multiple availability zones, but subnets are limited to a single zone. Other Amazon features and services, such as CloudWatch, autoscaling and clusters, are available for use with VPCs.
There are some limitations, however, on the use of VPCs. When a VPC is first created, it is in a default configuration that you modify to meet your needs. You can have up to five non-default VPCs per AWS account, per region. And you can create up to 200 subnets and 10 hardware VPNs per VPC.
This was first published in September 2013