Q. What is Amazon Virtual Private Cloud (Amazon VPC)?
Amazon VPC is a secure and seamless bridge between a company’s existing IT infrastructure and the AWS cloud. Amazon VPC enables enterprises to connect their existing infrastructure to a set of isolated AWS compute resources via a Virtual Private Network (VPN) connection, and to extend their existing management capabilities, such as security services, firewalls, and intrusion detection systems, to include their AWS resources. Amazon VPC integrates today with Amazon EC2 compute resources, and will integrate with other AWS services in the future.
Q. What are the components of Amazon VPC?
Amazon VPC is comprised of a variety of objects that will be familiar to customers with existing networks:
A Virtual Private Cloud (VPC): an isolated portion of the AWS cloud. You define a VPC’s IP address space from a range you select.
Subnet: a segment of a VPC’s IP address range where you can place groups of isolated resources.
VPN Connection: a connection between your Amazon VPC and datacenter, home network, or co-location facility.
VPN Gateway: the Amazon VPC side of a VPN Connection.
Customer Gateway: your side of a VPN Connection.
Router: routers interconnect Subnets, and direct traffic between VPN Gateways and Subnets.
Q. Why should I use Amazon VPC?
You should use Amazon VPC if you wish to utilize the elasticity and scale of AWS services as if they were running in your own data center. Amazon VPC enables you to create VPCs that can be securely connected to your existing datacenters using industry-standard IPsec Virtual Private Networks (VPNs). VPCs can be segmented into subnets to create an additional layer of defense, data isolation, and policy enforcement. Much like your own datacenter, you can create subnets, assign IP ranges to subnets, and configure connectivity. You can design, configure, maintain, and control a VPC just as if it were another remote site. You can launch Amazon EC2 instances within your VPC from the AWS library of Amazon Machine Images, or launch your own bundled AMIs.
Q. How do I get started with Amazon VPC?
To get started with Amazon VPC, create your VPC by defining its IP address range. The IP addresses in this range are private and are isolated at a packet-routing level from any other network, including the Internet. You can then create subnets, which segment your VPC’s IP address range based on security and operational requirements. To connect to your VPC, create an IPsec VPN connection between your VPC and datacenter. Your VPC-based resources will appear on your existing network once you update your existing IT infrastructure’s security policies. VPC traffic bound for the Internet routes via the VPN connection to your datacenter, where it can be inspected by pre-existing network security services, such as firewalls and intrusion detection systems, before exiting your network perimeter to the Internet. This is particularly valuable if you are using specialized network appliances and software to enforce security policies.
Q. How do VPC-based Amazon EC2 instances differ from instances not in a VPC?
Amazon assigns Amazon EC2 instances both an internal and an external IP address. External IP addresses provide connectivity to the Internet, whereas internal IP addresses allow instances to communicate with one another. With Amazon VPC, you bring your own IP addresses. Amazon EC2 instances within VPCs have only internal IP addresses, selected from your designated IP address ranges. Additionally, while Amazon EC2 instances can be directly reached from the Internet, Amazon EC2 instances within this initial release of Amazon VPC must pass all traffic, Internet or otherwise, through the VPN connection and egress to the Internet via your datacenter’s network security infrastructure.
Billing
Q. How will I be charged and billed for my use of Amazon VPC?
You pay only for what you use and there is no minimum fee. Amazon VPC pricing is per VPN connection-hour consumed (the amount of time you have a VPN connection established). Partial hours consumed are billed as full hours. Data transferred over VPN connections will be charged at standard IPsec VPN Data Transfer rates. Usage charges for other Amazon Web Services, including Amazon EC2, still apply at published rates for those resources. For VPC pricing information, please visit the pricing section of the Amazon VPC product page.
Q. What defines billable VPN Connection-hours?
VPN connection-hours are billed for any time your VPN connections are in the “available” state. You can determine the status of a VPN connection through the DescribeVpnConnections() API call. If you no longer wish to use your VPN connection, you simply terminate it using the TerminateVpnConnection() API call to avoid being billed for additional VPN-connection hours.
Q. What usage charges will I incur if I use other AWS services, such as Amazon S3, from Amazon EC2 instances in my VPC?
If you utilize other AWS services, such as Amazon S3, from Amazon EC2 instances within a VPC, you will incur VPN data transfer charges (to reach your datacenter) in addition to Internet data transfer charges (to reach the service in question).
Connectivity
Q. How does a VPN connection work with Amazon VPC?
A VPN connection connects your VPC to your datacenter. Amazon supports Internet Protocol security (IPsec) VPN connections. Data transferred between your VPC and datacenter routes over the VPN connection, thus ensuring confidentiality and integrity of data in transit.
Q. What is IPsec?
IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream.
Q. Which customer gateway devices can I use to connect to Amazon VPC?
You can use any device; however, it MUST be able to:
Establish IKE Security Association using Pre-Shared Keys
Establish IPsec Security Associations in Tunnel mode
Utilize the AES 128-bit encryption function
Utilize the SHA-1 hashing function
Utilize Diffie-Hellman Perfect Forward Secrecy in “Group 2” mode
Establish Border Gateway Protocol (BGP) peerings
Bind tunnels to logical interfaces (route-based VPN)
Utilize IPsec Dead Peer Detection
Q. What customer gateway devices are known to work with Amazon VPC?
The following devices meeting the aforementioned requirements are known to work with Amazon VPC, and have support in the command line tools for automatic generation of configuration files appropriate for your device:
Juniper SSG running ScreenOS 6.1, or 6.2 (or later) software
Juniper ISG running ScreenOS 6.1, or 6.2 (or later) software
Lists of Cisco Systems and Juniper Networks resellers are available here and here, respectively.
Q. If my device is not listed, where can I go for more information about using it with Amazon VPC?
We recommend checking the Amazon VPC forum as other customers may be already using your device.
Q. Are there any VPN connection throughput limitations?
Amazon does not enforce any restrictions on VPN throughput. However, other factors, such as the cryptographic capability of your customer gateway, the capacity of your Internet connection, average packet size, the protocol being used (TCP vs. UDP), and the network latency between your customer gateway and the VPN gateway can affect throughput.
Q. How do I connect a VPC to my existing network?
Establishing a VPN connection between your existing network and Amazon VPC allows you to interact with Amazon EC2 instances within a VPC as if they were within your existing network. AWS does not perform network address translation on Amazon EC2 instances within a VPC accessed via a VPN connection.
Q. How do I connect a VPC to the Internet?
Currently, you route Internet traffic via the VPN connection, and then leverage your existing datacenter connectivity to egress to the Internet. This enables you to inspect traffic using existing network monitoring and security devices.
IP Addressing
Q. What IP address ranges can I use within my VPC?
You can address your VPC from any IPv4 address range, including RFC 1918 or publicly routable IP blocks. AWS does not advertise customer-owned IP address blocks to the Internet. Additionally, VPCs currently cannot be addressed from IPv6 IP address ranges.
Q. How do I assign IP address ranges to VPCs?
You assign a single Classless Inter-Domain Routing (CIDR) IP address block when you create a VPC. You address subnets within a VPC from this range. A VPC can be assigned at most one (1) IP address range at any given time; addressing a VPC from multiple IP address ranges is currently not supported. Please note that while you can create a VPC in both the US – N. Virginia (us-east-1) and EU – Ireland (eu-west-1) regions with overlapping IP address ranges, doing so will prohibit you from connecting both VPCs to a common home network. For this reason we recommend using non-overlapping IP address ranges.
Q. Can I advertise my VPC IP address range to the Internet, and route the traffic through my datacenter and to my VPC?
Yes, you can route traffic via a VPN connection and advertise the address range from your network.
Q. How large of a VPC can I create?
Currently, Amazon VPC supports VPCs between /28 (in CIDR notation) and /16 in size. The IP address range of your VPC should not overlap with the IP address ranges of your existing network. If you require a VPC larger than a /16 in size, please complete the following form.
Q. Can I change a VPC’s size?
No. Currently, to change the size of a VPC you must terminate your existing VPC and create a new one.
Q. How many subnets can I create per VPC?
Currently you can create 20 subnets per VPC. If you would like to create more, please complete the following form.
Q. Is there a limit on how large or small a subnet can be?
The minimum size of a subnet is a /28 (or 14 IP addresses). Subnets cannot be larger than the VPC in which they are created.
Q. Can I use all the IP addresses that I assign to a subnet?
No. Amazon reserves the first four (4) IP addresses and the last one (1) IP address of every subnet for IP networking purposes.
Q. How do I assign IP addresses to Amazon EC2 instances within a VPC?
When you launch an Amazon EC2 instance within a VPC, you may optionally specify the IP address for the instance. If you do not specify an IP address, AWS automatically addresses it from the IP address range you assign to that subnet.
Q. Can I change the IP address of an Amazon EC2 instance while it is running and/or stopped within a VPC?
No. When you specify an IP address, it is retained for the instance’s lifetime.
Q. If an Amazon EC2 instance is stopped within a VPC, can I launch another instance with the same IP address in the same VPC?
No. An IP address assigned to a running instance can only be used again by another instance once that original running instance is in a “terminated” state.
Q. Can I assign IP addresses for multiple instances simultaneously?
No. You can specify the IP address of one instance at a time when launching the instance.
Q. Can I assign any IP address to an instance?
You can assign any IP address to your instance so long as it is:
part of the associated subnet’s IP address range
not reserved by Amazon for IP networking purposes
not currently assigned to another instance
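The addressing rules stated in this section (VPC sizes between /16 and /28, subnets no smaller than /28 and inside their VPC, the first four and last addresses of every subnet reserved, the three conditions for an assignable instance address, and the warning about overlapping VPC ranges) can be checked mechanically before you call the API. The following is an added example, not code from the Amazon VPC tools; it uses only Python's standard `ipaddress` module and constructed sample ranges.

```python
import ipaddress

# Limits stated in the FAQ: a VPC is one CIDR block between /16 and /28;
# a subnet is at least a /28 and must fit inside its VPC; AWS reserves the
# first four and the last address of every subnet for IP networking.
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28
SUBNET_MAX_PREFIX = 28
RESERVED_HEAD, RESERVED_TAIL = 4, 1


def validate_vpc(cidr):
    """Return the VPC network, or raise ValueError if the size is outside /16../28."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if not VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(f"VPC {net} must be between /{VPC_MIN_PREFIX} and /{VPC_MAX_PREFIX}")
    return net


def validate_subnet(vpc, cidr):
    """Return the subnet network if it is no smaller than /28 and lies inside the VPC."""
    sub = ipaddress.IPv4Network(cidr, strict=True)
    if sub.prefixlen > SUBNET_MAX_PREFIX:
        raise ValueError(f"subnet {sub} is smaller than the /{SUBNET_MAX_PREFIX} minimum")
    if not sub.subnet_of(vpc):
        raise ValueError(f"subnet {sub} is not within VPC {vpc}")
    return sub


def reserved_addresses(sub):
    """The five addresses AWS keeps in every subnet (first four and last one)."""
    addrs = list(sub)  # every address in the block, network address first
    return set(addrs[:RESERVED_HEAD] + addrs[-RESERVED_TAIL:])


def assignable(sub, ip, in_use):
    """The FAQ's three rules: in the subnet, not reserved, not assigned to another instance."""
    addr = ipaddress.IPv4Address(ip)
    taken = {ipaddress.IPv4Address(a) for a in in_use}
    return addr in sub and addr not in reserved_addresses(sub) and addr not in taken


def overlapping_vpcs(cidrs):
    """Pairs of VPC ranges that overlap; such VPCs cannot both connect to one home network."""
    nets = [ipaddress.IPv4Network(c, strict=True) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    # Constructed sample: a /16 VPC with one /28 subnet and one address already in use.
    vpc = validate_vpc("10.0.0.0/16")
    sub = validate_subnet(vpc, "10.0.1.0/28")
    print("reserved:", sorted(str(a) for a in reserved_addresses(sub)))
    print("10.0.1.5 assignable:", assignable(sub, "10.0.1.5", ["10.0.1.6"]))
    print("overlaps:", overlapping_vpcs(["10.0.0.0/16", "10.0.128.0/20"]))
```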
Q. Can I assign Elastic IP (EIP) addresses to VPC-based Amazon EC2 instances?
No, as you currently cannot directly access the Internet from a VPC.
Routing & Topology
Q. What does an Amazon VPC router do?
An Amazon VPC router enables Amazon EC2 instances within subnets to communicate with Amazon EC2 instances in other subnets within the same VPC. They also enable subnets and VPN gateways to communicate with each other. You can create and delete subnets attached to your router. Network usage data is not available from the router; however, you can obtain network usage statistics from your instances using Amazon CloudWatch.
Q. How do I secure Amazon EC2 instances running within my VPC?
All traffic transiting your VPN connection can be inspected by your on-premises security infrastructure, including network firewalls and intrusion detection and prevention systems. You can also run and manage host-based firewalls on Amazon EC2 instances running within your VPC.
Q. Do Amazon EC2 Security Groups work in Amazon VPC?
Not currently.
Q. Within Amazon VPC, can I use SSH key pairs created for instances within Amazon EC2, and vice versa?
Yes.
Q. Can Amazon EC2 instances within a VPC communicate with Amazon EC2 instances not within a VPC?
Yes. To preserve the isolation of your VPC, Amazon VPC traffic bound for Amazon EC2 instances not within a VPC traverses the VPN connection, egresses from your datacenter, and then re-enters the public AWS network. Data transferred between Amazon EC2 instances within your VPC and Amazon EC2 instances not within a VPC is charged at standard Amazon VPC VPN data transfer and Amazon EC2 Internet data transfer rates.
Q. Can Amazon EC2 instances within a VPC in one region communicate with Amazon EC2 instances within a VPC in another region?
Yes, it is possible to connect two VPCs operating in different regions through your home network. Please see the Amazon VPC Getting Started Guide for more information. Please note that you will be charged standard VPN Data Transfer rates per VPN Connection.
Q. Can Amazon EC2 instances within a VPC communicate with Amazon Web Services not in Amazon VPC, such as Amazon S3?
Yes. Currently all traffic to other Amazon Web Services traverses the VPN connection, egresses from your datacenter, and then re-enters the public AWS network. Data transferred between Amazon EC2 instances within your VPC and other AWS services is charged at standard Amazon VPC VPN data transfer rates and the respective AWS services’ standard Internet data transfer rates.
Q. Why can’t I ping the router, or my default gateway, that interconnects my subnets?
Ping (ICMP Echo) requests to the router that interconnects subnets within your VPC are not supported. Ping between Amazon EC2 instances within a VPC is supported, as is ping between resources in your VPC and resources in your home datacenter, as long as the security policy on your corporate network permits such traffic.
Amazon VPC & Amazon EC2
Q. Within which Amazon EC2 region(s) is Amazon VPC available?
Amazon VPC is currently available in a single Availability Zone within the us-east-1 region, and in a single AZ within the eu-west-1 region.
Q. Can I deploy a VPC in multiple Availability Zones (AZs)?
Not currently.
Q. Can I use the full library of public, private, and paid Amazon EC2 AMIs within Amazon VPC, and vice versa?
Yes, all public and private AMIs currently available within the Amazon EC2 AMI catalog can be launched within Amazon VPC. Please note that Amazon DevPay AMIs cannot currently be used within Amazon VPC.
Q. Is there a difference in how Amazon EC2 Linux instances are bundled within Amazon VPC vs. Amazon EC2?
You may experience latency in bundling Amazon S3-backed Linux instances within Amazon VPC. When you bundle an S3-backed Linux instance, it is transferred from the instance, through the VPN connection, through your network, and to the public Amazon S3 endpoint. You may need to create firewall exceptions to allow VPC-based instances to access the Internet (and possibly NAT) from your existing IT infrastructure.
Q. When I call DescribeInstances(), do I see all of my Amazon EC2 instances, including those in Amazon EC2 and Amazon VPC?
Yes. DescribeInstances() will return all running Amazon EC2 instances. You can differentiate Amazon EC2 instances within a VPC from instances not in a VPC by an entry in the subnet field. If there is a subnet ID listed, the instance is within a VPC.
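The distinction above (a populated subnet field means the instance is in a VPC) is easy to apply to a DescribeInstances() response when building an inventory of which instances sit behind the VPN. The following is an added example, not part of the Amazon tools; the XML is a constructed, simplified response with a placeholder namespace rather than a real API capture, and the element names `instanceId`, `privateIpAddress` and `subnetId` are assumed.

```python
import xml.etree.ElementTree as ET

# Constructed sample response (not a real capture). The namespace URI is a
# placeholder; a real response carries the EC2 API version namespace instead.
SAMPLE_RESPONSE = """<DescribeInstancesResponse xmlns="http://example.invalid/ec2-placeholder">
  <reservationSet>
    <item><instancesSet>
      <item><instanceId>i-1111aaaa</instanceId><privateIpAddress>10.0.1.5</privateIpAddress>
            <subnetId>subnet-aaaa1111</subnetId><vpcId>vpc-aaaa1111</vpcId></item>
    </instancesSet></item>
    <item><instancesSet>
      <item><instanceId>i-2222bbbb</instanceId><privateIpAddress>10.251.3.9</privateIpAddress>
            <ipAddress>203.0.113.10</ipAddress></item>
    </instancesSet></item>
  </reservationSet>
</DescribeInstancesResponse>"""


def _local(tag):
    """Strip an XML namespace prefix: '{uri}subnetId' -> 'subnetId'."""
    return tag.rsplit("}", 1)[-1]


def classify_instances(xml_text):
    """Split instances into {'vpc': [...], 'ec2': [...]} by presence of a subnet ID.

    Each entry is (instanceId, privateIpAddress, subnetId-or-None).
    """
    root = ET.fromstring(xml_text)
    result = {"vpc": [], "ec2": []}
    for elem in root.iter():
        # Collect this element's direct children; only instance records carry instanceId.
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if "instanceId" not in fields:
            continue
        subnet_id = fields.get("subnetId") or None
        record = (fields["instanceId"], fields.get("privateIpAddress"), subnet_id)
        # The FAQ's rule: a subnet ID listed means the instance lives in a VPC.
        result["vpc" if subnet_id else "ec2"].append(record)
    return result


if __name__ == "__main__":
    for kind, records in classify_instances(SAMPLE_RESPONSE).items():
        print(kind, records)
```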
Q. When I call DescribeVolumes(), do I see all of my Amazon EBS volumes, including those in Amazon EC2 and Amazon VPC?
Yes. DescribeVolumes() will return all your EBS volumes.
Q. How many Amazon EC2 instances can I use within a VPC?
You can run any number of Amazon EC2 instances within a VPC, so long as your VPC is appropriately sized to have an IP address assigned to each instance. You are initially limited to launching 20 Amazon EC2 instances per VPC at any one time and a maximum VPC size of /16 (65,536 IPs). If you would like to exceed these limits, please complete the following form.
Q. Can I use my existing AMIs in Amazon VPC?
You can use AMIs in Amazon VPC that are registered within the same region as your VPC. For example, you can use AMIs registered in us-east-1 with a VPC in us-east-1. More information is available in the Amazon EC2 Region and Availability Zone FAQ. Please note that Amazon DevPay AMIs are currently unsupported in Amazon VPC.
Q. Can I use my existing Amazon EBS snapshots?
Yes, you may use Amazon EBS snapshots if they are located in the same region as your VPC. More details are available in the Amazon EC2 Region and Availability Zone FAQ.
Q. I have an Amazon EBS volume that I have been using with Amazon EC2. Can I re-use the same volume with Amazon VPC?
Yes, you may use your existing Amazon EBS volumes if they are located in the same Availability Zone (AZ) as your VPC.
Q. Can I create an Amazon EBS snapshot in Amazon EC2 and attach it as a volume to an Amazon EC2 instance within a VPC, and vice versa?
Yes.
Q. Can I boot an Amazon EC2 instance from an Amazon EBS volume within Amazon VPC?
Yes, however, an instance launched in a VPC using an Amazon EBS-backed AMI maintains the same IP address when stopped and restarted. This is in contrast to similar instances launched outside a VPC, which get a new IP address. The IP addresses for any stopped instances in a subnet are considered unavailable. It’s therefore possible to have a subnet with no running instances (they’re all stopped), and also no available IP addresses.
Q. Can I use Amazon EC2 Reserved Instances with Amazon VPC?
Yes. You are charged the standard EC2 instance-hour rate for the Reserved Instance type you selected as long as you have a free Reserved Instance available. However, please note that during the beta we do not guarantee instance availability.
Q. Can I employ Amazon CloudWatch within Amazon VPC?
Yes. Your Amazon EC2 instances within Amazon VPC can be monitored via Amazon CloudWatch.
Q. Can I employ Elastic Load Balancing or Auto Scaling within Amazon VPC?
Not currently.
Q. Can I employ Amazon Elastic MapReduce within Amazon VPC?
Not currently.
Q. Can I launch Amazon Cluster Compute Instances within Amazon VPC?
Not currently.
Additional Questions
Q. Can I use the AWS Management Console to control and manage Amazon VPC?
Yes, once you have an Amazon EC2 instance running in Amazon VPC you can use the AWS Management Console to terminate instances, perform bundling operations, and obtain detailed information about your instances. Full support on the AWS Management Console is coming soon.
Q. Are there any limitations to the number of VPCs, subnets, customer gateways, VPN gateways, and VPN connections that I can create?
Yes. We are currently limiting the number of Amazon VPC objects that you can create as follows:
One VPC per region per AWS account
Twenty subnets per VPC
One VPN gateway per region per AWS account
One customer gateway per region per AWS account
One VPN connection per VPN gateway
Q. Does Amazon VPC have a Service Level Agreement (SLA)?
Not currently.
Q. Can I obtain AWS Premium Support with Amazon VPC?
Yes. Click here for more information on AWS Premium Support.
Q. Does ElasticFox support Amazon VPC?
Yes, ElasticFox 1.7-000108 and later supports Amazon VPC, and is available here.
Q. Might Amazon delete VPCs, subnets, VPN gateways and/or customer gateways that are inactive for an extended period of time?
Yes. An inactive VPC or subnet is defined as not having at least one EC2 instance running within it; an inactive VPN gateway or customer gateway is defined as not having an associated VPN connection.