Table of contents
- Amazon Virtual Private Cloud (VPC)
- VPCs and subnets
- Security in your VPC
- VPCs And IP Addresses
- Recommendation: Use subnets to define Internet accessibility.
- How do you control your VPC traffic?
- Route Table
- Security Groups:
- How Security Groups Are Configured
- Security Group Chaining Diagram
- Network ACLs
- Internet gateways
- Directing Traffic To Your VPC
- What About Outbound Traffic From Private Instances?
- Subnets, Gateways, and Routes
- This is a diagram of a typical scenario you can create; full details can be found here.
Amazon Virtual Private Cloud (VPC)
An Amazon VPC is an isolated portion of the AWS cloud. You use Amazon VPC to create a virtual network topology for your Amazon EC2 resources.
You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
You can create a public-facing subnet for your webservers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access.
VPCs and subnets
A subnet defines a range of IP addresses in your VPC.
You can launch AWS resources into a subnet that you select.
A private subnet should be used for resources that won’t be accessible over the Internet.
A public subnet should be used for resources that will be accessed over the Internet.
Each subnet must reside entirely within one Availability Zone and cannot span zones.
Security in your VPC
- Security groups (stateful firewall)
- Network access control lists (ACLs) (stateless firewall)
- Key pairs
VPCs And IP Addresses
When you create your VPC, you specify its set of IP addresses with CIDR notation.
Classless Inter-Domain Routing (CIDR) notation is a simplified way to show a specific range of IP addresses.
Example: 10.0.0.0/16 = all IPs from 10.0.0.0 to 10.0.255.255
How does that work? What does the 16 define?
Recommendation: Use subnets to define Internet accessibility.
Public subnets : Include a routing table entry to an Internet gateway to support inbound/outbound access to the public Internet.
Private subnets : Do not have a routing table entry to an Internet gateway and are not directly accessible from the public Internet. Typically use a "jump box" (NAT/proxy/bastion host) to support restricted, outbound-only public Internet access.
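The CIDR and routing ideas above, as an added worked example that is not part of the original page: a small parser turns 10.0.0.0/16 into the address range the page quotes (the number after the slash is how many leading bits are fixed, so /16 fixes the first two octets and leaves 65,536 addresses), checks that subnet blocks fall inside the VPC block, and classifies each subnet as public or private by looking up its default route the way a VPC route table does (the most specific matching route wins). The subnet CIDRs, the route table contents, the gateway ids igw-example and nat-example, and the probe address 203.0.113.5 are all constructed for the example.

```python
"""Added example (not from the original page): parse CIDR blocks the way a VPC
does and classify subnets as public or private from their route tables.
The VPC block 10.0.0.0/16 is the page's own example; everything else below
(subnet blocks, route tables, gateway ids, probe address) is constructed."""


def to_dotted(ip):
    """32-bit integer -> dotted-quad string."""
    return ".".join(str((ip >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(cidr):
    """Return (network_as_int, prefix_len) for 'a.b.c.d/n'; reject host bits set."""
    ip_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length in {cidr}")
    octets = [int(o) for o in ip_str.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad address in {cidr}")
    ip = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]
    # /n fixes the first n bits; the remaining 32-n bits are host bits that vary.
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    if ip & ~mask & 0xFFFFFFFF:
        raise ValueError(f"{cidr} has host bits set; network is {to_dotted(ip & mask)}/{prefix}")
    return ip, prefix


def cidr_range(cidr):
    """(first address, last address, count) covered by the block."""
    net, prefix = parse_cidr(cidr)
    size = 1 << (32 - prefix)
    return to_dotted(net), to_dotted(net + size - 1), size


def contains(cidr, addr):
    """True if the single address lies inside the block (compare the fixed bits only)."""
    net, prefix = parse_cidr(cidr)
    ip, _ = parse_cidr(addr + "/32")
    return (ip >> (32 - prefix)) == (net >> (32 - prefix))


def lookup_route(route_table, dest):
    """Longest-prefix match: of all routes covering dest, the most specific wins."""
    best = None
    for cidr, target in route_table.items():
        if contains(cidr, dest):
            prefix = parse_cidr(cidr)[1]
            if best is None or prefix > best[0]:
                best = (prefix, target)
    return best[1] if best else None


def classify_subnet(route_table, probe="203.0.113.5"):
    """Public if an Internet address routes to an Internet gateway, private otherwise."""
    target = lookup_route(route_table, probe)
    if target is None:
        return "isolated"  # no route to the Internet at all, only the local VPC route
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private (outbound-only via NAT)"
    return "private"


# Constructed sample VPC: one route table per subnet.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {"web-subnet": "10.0.1.0/24", "app-subnet": "10.0.2.0/24", "data-subnet": "10.0.3.0/24"}
ROUTE_TABLES = {
    "web-subnet": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-example"},
    "app-subnet": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-example"},
    "data-subnet": {"10.0.0.0/16": "local"},
}


def check_subnets():
    """For each subnet: its block, whether it sits inside the VPC block, and its kind."""
    report = {}
    for name, cidr in SUBNETS.items():
        first, last, _ = cidr_range(cidr)
        inside = contains(VPC_CIDR, first) and contains(VPC_CIDR, last)
        report[name] = (cidr, inside, classify_subnet(ROUTE_TABLES[name]))
    return report


if __name__ == "__main__":
    print("10.0.0.0/16 covers", cidr_range("10.0.0.0/16"))
    for name, (cidr, inside, kind) in check_subnets().items():
        print(f"{name}: {cidr} inside VPC={inside} -> {kind}")
```

Running it prints the range 10.0.0.0 to 10.0.255.255 (65,536 addresses) and labels the three constructed subnets public, private via NAT, and isolated. The only difference between the web and app subnets is the target of the 0.0.0.0/0 route, which is exactly the distinction the recommendation above draws.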
How do you control your VPC traffic?
- Route tables
- Security groups
- Network ACLs
- Internet gateways
Route Table
Security Groups:
Securing VPC Traffic With Security Groups
- Security groups are virtual firewalls that control inbound and outbound traffic for one or more instances.
- They deny all incoming traffic by default and use allow rules that can filter based on the TCP, UDP, and ICMP protocols.
- They are stateful: if an inbound request is allowed, the outbound response does not have to be inspected or tracked, and vice versa.
- A rule's source or target can be either a CIDR block or another security group, which handles situations like auto scaling where instance addresses are not known in advance.
- Use security groups to control traffic into, out of, and between resources.
How Security Groups Are Configured
By default, all newly created security groups allow all outbound traffic to all destinations.
Modifying the default outbound rule on security groups increases complexity and is not recommended unless required for compliance.
Most organizations create security groups with inbound rules for each functional tier (web/app/data/etc.) within an application.
Security Group Chaining Diagram
Security group rules per application tier
Network ACLs
- Network ACLs are optional virtual firewalls that control traffic in and out of a subnet.
- They allow all incoming and outgoing traffic by default and use stateless rules to allow or deny traffic. "Stateless rules" inspect all inbound and outbound traffic and do not keep track of connections.
- They enforce rules only at the boundary of the subnet, not at the instance level as security groups do.
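The stateful-versus-stateless distinction that the security group and network ACL sections both describe, as an added example (not code from the original page): a toy model of each filter is run over the same packets, an inbound HTTPS request, its reply, and an unrelated probe to port 22. The addresses, ports and rule numbers are constructed. The model follows the page's description (security groups deny inbound by default, allow all outbound by default, and track allowed connections; network ACLs evaluate numbered rules lowest first with no connection memory) and adds the implicit final deny that a network ACL applies when no numbered rule matches.

```python
"""Added example (not from the original page): stateful security group versus
stateless network ACL, run over an inbound HTTPS request and its reply.
All addresses, ports and rule numbers below are constructed."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src_ip src_port dst_ip dst_port")


def in_cidr(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


class SecurityGroup:
    """Stateful: an allowed packet registers its flow, and later packets of the
    same flow in either direction pass without consulting the rules again."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound    # (proto, port_from, port_to, cidr); empty list = deny all
        self.outbound = outbound
        self.flows = set()        # the connection-tracking table

    @staticmethod
    def _match(rules, proto, port, peer):
        return any(p == proto and lo <= port <= hi and in_cidr(peer, cidr)
                   for p, lo, hi, cidr in rules)

    def evaluate(self, pkt):
        # Flow key is (proto, remote ip, remote port, local ip, local port) so the
        # reply to an inbound request produces the same key as the request did.
        if pkt.direction == "in":
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            rules, peer = self.inbound, pkt.src_ip
        else:
            key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
            rules, peer = self.outbound, pkt.dst_ip
        if key in self.flows:
            return "allow (tracked flow)"
        if self._match(rules, pkt.proto, pkt.dst_port, peer):
            self.flows.add(key)
            return "allow"
        return "deny"


class NetworkAcl:
    """Stateless: every packet is checked against the numbered rules for its own
    direction, lowest number first; nothing is remembered between packets, and a
    packet that matches no rule hits the implicit final deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound)    # (number, action, proto, port_from, port_to, cidr)
        self.outbound = sorted(outbound)

    def evaluate(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        peer = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
        for number, action, proto, lo, hi, cidr in rules:
            if proto == pkt.proto and lo <= pkt.dst_port <= hi and in_cidr(peer, cidr):
                return f"{action} (rule {number})"
        return "deny (implicit *)"


CLIENT, SERVER = "203.0.113.10", "10.0.1.20"                 # constructed addresses
REQUEST = Packet("in", "tcp", CLIENT, 50000, SERVER, 443)
REPLY = Packet("out", "tcp", SERVER, 443, CLIENT, 50000)      # reply targets the client's ephemeral port
SSH_PROBE = Packet("in", "tcp", CLIENT, 50001, SERVER, 22)
TRAFFIC = [REQUEST, REPLY, SSH_PROBE]

HTTPS_IN = [("tcp", 443, 443, "0.0.0.0/0")]
ALL_OUT = [("tcp", 0, 65535, "0.0.0.0/0")]                   # the default outbound rule the page describes


def run(firewall, packets):
    return [firewall.evaluate(p) for p in packets]


def demo():
    """Verdicts of each filter for the request, the reply and the SSH probe."""
    return {
        "sg default outbound": run(SecurityGroup(HTTPS_IN, ALL_OUT), TRAFFIC),
        "sg no outbound rules": run(SecurityGroup(HTTPS_IN, []), TRAFFIC),
        # ACL that allows 443 both ways but forgot that the reply's destination port is ephemeral
        "acl 443 only": run(NetworkAcl(
            inbound=[(100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
            outbound=[(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]), TRAFFIC),
        # Corrected ACL: outbound allow for the ephemeral port range
        "acl with ephemeral": run(NetworkAcl(
            inbound=[(100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
            outbound=[(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]), TRAFFIC),
    }


if __name__ == "__main__":
    for name, (req, rep, ssh) in demo().items():
        print(f"{name:22s} request={req:22s} reply={rep:22s} ssh={ssh}")
```

The ACL with only an outbound rule for port 443 drops the reply, because the reply's destination port is the client's ephemeral port, not 443; the correction is an outbound allow for the ephemeral range. The security group needs no such rule, even with an empty outbound rule set, because it remembers the allowed inbound flow. Both filters still reject the unsolicited probe to port 22.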
Internet gateways
- Internet gateways allow communication between instances in your VPC and the Internet.
- They are horizontally scaled, redundant, and highly available by default.
- They provide a target in your VPC route tables for Internet-routable traffic.
Directing Traffic To Your VPC
- Attach an Internet gateway to your VPC.
- Ensure that your subnet's route table points to the Internet gateway.
- Ensure that instances in your subnet have public IP addresses or Elastic IP addresses.
- Ensure that your NACLs and security groups allow the relevant traffic to flow to and from your instance.