This video explores VPC so you can learn about and understand the default VPC.
- [Instructor] Virtual Private Cloud, or VPC, is one of the cornerstone AWS tools to understand. This tool lets you set up your network and IP space however you want. When you create an AWS account, you get a default VPC in every region that is ready to use. As an example, let's look at the northern California region in US West to understand what comes in the box. First off, the default VPC has a Classless Inter-Domain Routing, or CIDR, block of /16.
This means that the default VPC can handle over 65,000 private IP addresses. The default VPC also creates a subnet in each availability zone in the region. Some regions have two AZs, some have more than two. Each default subnet has a CIDR of /20 which can handle just over 4,000 IP addresses. AWS reserves some IPs for internal services. The default VPC also comes with an Internet gateway attached and with a rule in the main route table that sends all traffic intended for the Internet to the Internet Gateway.
A default security group is created as well as a network access control list allowing all inbound and outbound traffic. While you are free to use the default VPC and modify its configuration, its out-of-the-box setup is broadly permissive. It is designed as the catch-all location into which EC2 virtual machines, called instances, get dumped in the event that they aren't assigned to a VPC. I prefer to create my own VPCs and avoid using the default VPC. This way, I can be sure that when I create servers or databases in AWS, I know exactly where they are going.
Deleting a region's default VPC is a dangerous proposition as doing so can render some AWS services in that region inoperable. While it is possible for AWS support to create a new default VPC for that region, it is a painful thing to be avoided. It's better to simply not use it. Let's go into the web console and annotate the default VPC so that we don't use it or its components accidentally. Here I am logged into the main AWS console. This is what it looks like today.
Of course, AWS iterates pretty quickly so it might look a little bit different when you're watching this. To get to the VPC configuration dashboard, you need to scroll down in the first column under the Networking section and find the link for VPC. Since there are so many AWS services, I prefer to customize the top-level menu bar with the services that I access the most frequently. I can do this by popping down the Edit menu and finding the services I want. In this case, the service that I'm interested in is VPC.
I can find it in the third column, then I just click it and drag it up to the menu bar. EC2 is another service which I will access frequently so I'm going to drag that up as well. Now that I've finished, I'm going to close this menu by clicking the up arrow. With the VPC shortcut in my menu bar, I can just click it and it will take me directly to the VPC dashboard. If I look at the information in the center of the screen, you can see that by default I have a single VPC, one Internet gateway, two subnets, one route table, one network access control list, or ACL, and one security group.
Clicking on the VPC link in the center of the screen brings me to the VPC detail page. This screen shows me that I have a single /16 VPC available, however, notice that the name is blank. All default VPC components are unnamed. Name is a tag of special significance in AWS and is particularly useful when interacting with the web console. Each item in AWS has an internal unique identifier. In this case, we are looking at VPCs and we can see that the default VPC has a VPC ID that is relatively unfriendly to humans.
4F0E842A. That's certainly not something I can remember easily. One of the reasons the name tag is so special is that once assigned it permeates throughout the web console. For instance, when referring to this VPC in a different screen, instead of specifying the VPC ID, I can simply specify the name. You'll see how this works as the course progresses. Since I don't want to accidentally use the default VPC, I'm going to give it a name to remind me that it is a place I don't want to put things.
Clicking the VPC Dashboard link in the upper left corner brings me back to the dashboard. The next thing I want to look at is the Internet Gateway. Clicking the Internet Gateway link brings me to the Internet Gateway configuration page. I see a single IGW and that it is attached to the VPC in question. Let me expand that VPC column just a bit and you can see what I was talking about. You can see that this IGW is attached to this VPC name, the 4F0 blah, blah, blah. You'll also see that after the pipe symbol is the name that I assigned.
That's much easier for me to reference while the VPC ID is sufficient for computer programs. I'm going to give this IGW a name that reminds me not to use it. I want to do the same for the nameless default subnets so I click the Subnets link in the left-hand nav. This brings up the subnets configuration page where I can see one subnet for each availability zone in this region. I'm going to go ahead and rename them per my convention. That's much better. Let's go ahead and do the same thing for the Route Table.
I can do that by clicking the Route Tables link under Subnets in the left-hand nav. Here I see the default route table associated with the default VPC. Let's go ahead and rename it. Okay, only two resources to go: the Network ACL and the Security Group. Scrolling down in the left-hand nav, under the Security heading, I see the Network ACLs link. Clicking on it takes me to the configuration page. Here I see the single network ACL and I'm going to go ahead and name it. While we're here, let's take a quick peek at the Inbound and Outbound Rules tabs in the bottom half of the screen.
I'm going to drag the screen up to give us a little bit more space. Clicking on the Inbound Rules tab, I can see that all inbound network traffic is allowed from any source. Let's pop over to the Outbound Rules tab. I can see the same thing is true. This permissiveness is unique to the default NACL. Every NACL you create denies all traffic by default. Let's look at one more thing while we're here: the Subnet Associations tab. Clicking on that tab tells us that this NACL is associated with both of the default subnets.
Looking at the subnet entries, we can see the merit of using the name tag. The internal subnet identifiers are not very human friendly while the name tag is. Finally, let's get that Security Group taken care of. In the left-hand nav, let's go under the Network ACLs link to the Security Groups link. Clicking on it takes me to the Security Group configuration page. I'm going to go ahead and finish this out by assigning a name to the default security group. At this point, we've flown through the default VPC components and have assigned each component a name tag.
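The audit below is an added example, not code from the course: it walks the same inventory the video renames by hand (VPC, subnets, route tables, Internet gateway, network ACL, security group), flags any default VPC component that still has no Name tag, and reports the allow-all rules that only the default NACL carries. Input is in the shape of the EC2 describe-* API responses; the sample inventory, its resource IDs and the "default-DO-NOT-USE" naming convention are constructed for the example.

```python
from typing import Dict, List

# EC2 describe-* resource kinds for the components the video renames, with their ID fields.
ID_KEYS = {"vpc": "VpcId", "subnet": "SubnetId", "route-table": "RouteTableId",
           "internet-gateway": "InternetGatewayId", "network-acl": "NetworkAclId",
           "security-group": "GroupId"}

def name_tag(resource: Dict) -> str:
    """Value of the Name tag, or '' when the resource is unnamed (as every default component is)."""
    return next((t["Value"] for t in resource.get("Tags", []) if t["Key"] == "Name"), "")

def belongs_to(resource: Dict, vpc_id: str) -> bool:
    """Internet gateways reference their VPC via Attachments; the other kinds carry VpcId."""
    if "Attachments" in resource:
        return any(a.get("VpcId") == vpc_id for a in resource["Attachments"])
    return resource.get("VpcId") == vpc_id

def nacl_allow_all(nacl: Dict) -> List[str]:
    """Directions in which a rule allows every protocol from/to 0.0.0.0/0 (default NACL behaviour)."""
    return sorted({"egress" if e["Egress"] else "ingress" for e in nacl.get("Entries", [])
                   if e["RuleAction"] == "allow" and e["Protocol"] == "-1"
                   and e.get("CidrBlock") == "0.0.0.0/0"})

def audit_default_vpc(inventory: Dict[str, List[Dict]]) -> List[str]:
    """Findings for the region's default VPC; inventory maps each ID_KEYS kind to its list."""
    default = [v for v in inventory.get("vpc", []) if v.get("IsDefault")]
    if not default:
        return []  # region has no default VPC (e.g. it was deleted); nothing to flag
    vpc_id, findings = default[0]["VpcId"], []
    for kind, id_key in ID_KEYS.items():
        for r in inventory.get(kind, []):
            if not belongs_to(r, vpc_id):
                continue  # only the default VPC's own components matter here
            if not name_tag(r):
                findings.append(f"{kind} {r[id_key]} has no Name tag")
            dirs = nacl_allow_all(r) if kind == "network-acl" else []
            if dirs:
                findings.append(f"{kind} {r[id_key]} allows all {'+'.join(dirs)} traffic")
    return findings

# Constructed sample: unnamed default VPC, one subnet already renamed, default NACL open both ways.
VPC = "vpc-4f0e842a"
SAMPLE = {
    "vpc": [{"VpcId": VPC, "IsDefault": True}],
    "subnet": [{"SubnetId": "subnet-0001", "VpcId": VPC},
               {"SubnetId": "subnet-0002", "VpcId": VPC,
                "Tags": [{"Key": "Name", "Value": "default-DO-NOT-USE"}]}],
    "internet-gateway": [{"InternetGatewayId": "igw-0001", "Attachments": [{"VpcId": VPC}]}],
    "network-acl": [{"NetworkAclId": "acl-0001", "VpcId": VPC, "Entries": [
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"}]}],
}
```

Feeding it real describe-* output from a region gives the list of components still waiting for the "do not use" name, plus a reminder that the default NACL is open in both directions.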
This course is also part of a series designed to help you prepare for the AWS Certified SysOps Administrator – Associate certification exam.
This course includes trademarks owned by Amazon Web Services. This course has not been prepared, approved, or endorsed by Amazon Web Services.
- Exploring Virtual Private Cloud (VPC)
- Configuring subnets, route tables, and gateways
- Working with access control lists (ACLs)
- Maintaining network security
- Implementing VPC peering and peer routing
- Using Route 53
- Managing a private DNS