Amazon VPC Functionality
With Amazon Virtual Private Cloud (Amazon VPC), you can:
- Create an Amazon VPC on AWS's scalable infrastructure and specify its private IP address range from any range you choose.
- Expand your VPC by adding secondary IP ranges.
- Divide your VPC’s private IP address range into one or more public or private subnets to facilitate running applications and services in your VPC.
- Control inbound and outbound access to and from individual subnets using network access control lists.
- Store data in Amazon S3 and set permissions such that the data can only be accessed from within your Amazon VPC.
- Assign multiple IP addresses and attach multiple elastic network interfaces to instances in your VPC.
- Attach one or more Amazon Elastic IP addresses to any instance in your VPC so it can be reached directly from the Internet.
- Connect your VPC with other VPCs and access resources in the other VPCs via private IP addresses using VPC Peering.
- Privately connect to AWS services through a VPC Endpoint, without using an internet gateway, NAT, or firewall proxy. Available AWS services include S3, DynamoDB, Kinesis Streams, Service Catalog, EC2 Systems Manager (SSM), Elastic Load Balancing (ELB) API, Amazon Elastic Compute Cloud (EC2) API, and Amazon SNS.
- Privately connect to your own services or SaaS solutions powered by AWS PrivateLink.
- Bridge your Amazon VPC and your on-site IT infrastructure with AWS Site-to-Site VPN.
- Enable EC2 instances in the EC2-Classic platform to communicate with instances in a VPC using private IP addresses.
- Associate VPC Security Groups with instances on EC2-Classic.
- Use VPC Flow Logs to log information about network traffic going in and out of network interfaces in your VPC.
- Enable both IPv4 and IPv6 in your VPC.
- Use Amazon VPC traffic mirroring to capture and mirror network traffic for Amazon EC2 instances.
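VPC Flow Logs (listed above) are only useful if something reads them. The following is an added example, not code from the page or from AWS: a parser for the default (version 2) flow-log record format, plus a small detection routine that counts REJECT records per source address and destination port, which is the usual starting point for spotting scanning or blocked access attempts against an interface. The sample lines, account ID, and interface ID are constructed placeholders.

```python
from collections import Counter

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")

# Fields that are integers when present; NODATA/SKIPDATA records carry "-" instead.
INT_FIELDS = {"version", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end"}

# Constructed sample records (placeholder account and interface IDs, not real ones).
SAMPLE_LINES = [
    "2 123456789012 eni-EXAMPLE 203.0.113.12 10.0.1.25 44321 22 6 4 240 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-EXAMPLE 203.0.113.12 10.0.1.25 44322 22 6 3 180 1700000000 1700000060 REJECT OK",
    "2 123456789012 eni-EXAMPLE 10.0.2.40 10.0.1.25 51000 443 6 20 8400 1700000000 1700000060 ACCEPT OK",
    "2 123456789012 eni-EXAMPLE - - - - - - - 1700000000 1700000060 - NODATA",
]


def parse_flow_log(line):
    """Split one default-format record into a dict, converting numeric fields.

    A "-" in a numeric field (as emitted for NODATA/SKIPDATA records) becomes None
    rather than raising, so a whole log file can be parsed without special-casing.
    """
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in INT_FIELDS:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def summarize_rejects(lines):
    """Count REJECT records per (srcaddr, dstport).

    Records whose log-status is not OK are skipped: they carry no flow data and
    would otherwise show up as a bogus ("-", None) key.
    """
    counts = Counter()
    for line in lines:
        rec = parse_flow_log(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        counts[(rec["srcaddr"], rec["dstport"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, port), n in summarize_rejects(SAMPLE_LINES).items():
        print(f"{src} -> port {port}: {n} rejected flows")
```

In a real deployment the lines would come from the CloudWatch Logs group or the S3 prefix the flow log is delivered to; a REJECT here means the packet was dropped by a security group or network ACL, so a high count from one source against one port is the signal worth alerting on, not a single record.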
Using Other AWS Resources
AWS resources such as Elastic Load Balancing, Amazon ElastiCache, Amazon RDS, and Amazon Redshift are provisioned with IP addresses within your VPC. Other AWS resources such as Amazon S3 are accessible via your VPC’s Internet Gateway, NAT gateways, VPC Endpoints, or Virtual Private Gateway.
Using the built-in security features of Amazon Web Services like Amazon Identity and Access Management (IAM) policies, VPC Endpoint policies, and Amazon EC2 security groups, you can restrict access to your AWS resources to only accept connections or requests that originate from your VPC. To limit access to your AWS resources like Amazon S3 buckets, Amazon SNS topics and Amazon SQS queues, you can create IAM policies which limit access to those resources to only the Elastic IP addresses associated with your VPC. You can also use VPC Endpoint policies to control access to Amazon S3 from within your VPC.
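The paragraph above describes restricting an S3 bucket so that it only accepts requests originating from your VPC. The following is an added example, not code from the page or from AWS: it builds a bucket policy with a single Deny statement conditioned on the `aws:SourceVpce` key (set only when a request arrives through a VPC endpoint) and includes the exception practitioners usually need, a named administrative role that is not locked out, via `aws:PrincipalArn`. The bucket name, endpoint ID, and role ARN are placeholders. The small `statement_denies` helper models only this one statement's condition logic so the effect of the two conditions can be checked; it is not a general IAM policy evaluator.

```python
import json

# Placeholders: substitute your own bucket, endpoint ID, and admin role ARN.
BUCKET = "example-private-bucket"
VPC_ENDPOINT_ID = "vpce-0123456789abcdef0"
ADMIN_ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleBucketAdmin"


def vpce_only_bucket_policy(bucket, vpce_id, admin_role_arn):
    """Bucket policy denying every S3 request unless it comes via the given VPC endpoint.

    Both conditions in one Condition block are ANDed, so the Deny applies only when
    the request is NOT from the endpoint AND NOT made by the admin role. Without the
    admin exception, the account's own operators would be locked out from outside
    the VPC, including from the console.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyUnlessFromVpcEndpoint",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {
                    "StringNotEquals": {"aws:SourceVpce": vpce_id},
                    "ArnNotEquals": {"aws:PrincipalArn": admin_role_arn},
                },
            }
        ],
    }


def statement_denies(policy, source_vpce, principal_arn):
    """Model the Deny statement above for one request context.

    source_vpce is None when the request did not traverse a VPC endpoint; for a
    negated operator such as StringNotEquals, a missing key counts as a match,
    so such a request is treated as "not from the endpoint".
    """
    cond = policy["Statement"][0]["Condition"]
    not_from_vpce = source_vpce != cond["StringNotEquals"]["aws:SourceVpce"]
    not_admin = principal_arn != cond["ArnNotEquals"]["aws:PrincipalArn"]
    return not_from_vpce and not_admin


if __name__ == "__main__":
    print(json.dumps(vpce_only_bucket_policy(BUCKET, VPC_ENDPOINT_ID, ADMIN_ROLE_ARN), indent=2))
```

A Deny statement only removes access; principals inside the VPC still need an Allow from their IAM identity policy or from the bucket policy to read or write objects. The endpoint itself can carry its own endpoint policy, which is the other half of the control the paragraph mentions: the bucket policy says "only via this endpoint", and the endpoint policy can say "only to these buckets".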
AWS PrivateLink enables customers to access services hosted on AWS both easily and securely by keeping all the network traffic within the AWS network.
You can use this capability to privately access services supported by AWS PrivateLink from your Amazon Virtual Private Cloud (VPC), without using public IPs, securely on the Amazon network. When you create endpoints for services that are available on AWS PrivateLink, these service endpoints appear as Elastic Network Interfaces (ENIs) with private IPs in your VPCs. PrivateLink removes the need to whitelist public IPs, or to use an Internet Gateway, VPN, a Network Address Translation (NAT) device, or firewall proxies to connect to AWS services. Services available on PrivateLink also support private connectivity over AWS Direct Connect or AWS VPN, so that applications on your premises can connect to these services via the Amazon private network. AWS services including Amazon Elastic Compute Cloud (EC2) API, Elastic Load Balancing (ELB) API, Kinesis Streams, EC2 Systems Manager (SSM), Service Catalog, and Amazon SNS are currently available on PrivateLink. To learn more about PrivateLink, read the PrivateLink documentation.
AWS PrivateLink also offers AWS partners the ability to offer services that look and feel like services hosted directly on a customer’s private network, accessible securely both from the cloud and from the customer’s premises via AWS Direct Connect and AWS VPN, in a highly available and scalable manner. With AWS PrivateLink, you can set up your service behind a Network Load Balancer (NLB) and expose it as private endpoints to other VPCs and other AWS customers, while the service receives connections and requests as normal. The traffic remains within the secure AWS network and does not need to traverse the Internet.
Please note the following current limits for Amazon VPC:
You can have up to five (5) nondefault Amazon VPCs per AWS account per AWS Region*.
You can have up to four (4) secondary IP ranges per Amazon VPC*.
You can create up to two hundred (200) subnets per Amazon VPC*.
You can have up to five (5) Amazon VPC Elastic IP Addresses per AWS account per AWS Region*.
Intended Usage and Restrictions
Your use of this service is subject to the Amazon Web Services Customer Agreement.