Wilson Mar bio photo

Wilson Mar


Email me Calendar Skype call

LinkedIn Twitter Gitter Instagram Youtube

Github Stackoverflow Pinterest

Setting AWS network VPC (Virtual Private Cloud), Security Groups, WAF, BGP, etc.

US (English)   Español (Spanish)   Français (French)   Deutsch (German)   Italiano   Português   Estonian   اَلْعَرَبِيَّةُ (Egypt Arabic)   中文 (简体) Chinese (Simplified)   日本語 Japanese   한국어 Korean


This tutorial covers how to access servers and other resources within AWS.

NOTE: Content here are my personal opinions, and not intended to represent any employer (past or present). “PROTIP:” here highlight information I haven’t seen elsewhere on the internet because it is hard-won, little-know but significant facts based on my personal research and experience.

TODO: Add WAF. Make above diagram into a video.

Consider the types of architectures: – Subnets vs. VPCs and VPC peering


Virtual Private Cloud ()

VPC Public Networking


Transit Gateway

A transit gateway can simplify multi-VPC architectures significantly.



https://wpengine.linuxacademy.com/amazon-web-services-2/learn-how-to-master-aws-vpc-inside-and-out/ Basic usage with tags:

resource "aws_vpc" "main" {
  cidr_block       = ""
  instance_tenancy = "dedicated"
  tags {
    Name = "main"

Create VPCs using Management Console

This chapter condenses Amazon’s docs on this topic and adds additional PROTIPs and NOTEs.

  1. A default VPC is a pre-requisite for setting up an EC2 server instance.

  2. At https://console.aws.amazon.com/vpc/

  3. Select “Your VPC”.

  4. Click the “Create VPC” blue button.

  5. For Name tag, consider a naming convention to include:

    • “dev”, “qa”, “prod” since many use isolated VPCs for different environments.

    • “public” or “private” network access.

  6. For CIDR block, see below.

    CIDR Ranges

    An example CIDR block looks like this:


    PROTIP: To avoid naming conflicts, some organizations use a convention replacing the “1” in the address with other numbers for each separate environment and tier as well as duplicate zones:

    Env Tier zone A zone B Routes
    Prd ELB 1 11 Public
    Prd WEB 2 12 Private
    Prd APP 3 13 Private
    Prd Cache 4 14 Private
    Prd DB 5 15 Private
    Dev ELB 21 31 Public
    Dev WEB 22 32 Private
    Dev APP 23 33 Private
    Dev Cache 24 34 Private
    Dev DB 25 35 Private

    PROTIP: Use the table above to pre-define your own numbering scheme, which can also be used as shortcuts in other names.

    PROTIP: Some organizations allocate the bottom half of the 255 possibilities to private and upper half to public addresses:

    • private   (< 129)
    • public (> 128)

    Address ranges for private (non-routed) use (per RFC 1918):

    • -> within “Class A” addresses 1 -> 126
    • -> within “Class B” addresses 127 -> 191
    • -> within “Class C” addresses 192 -> 223

    The CIDR block for a default VPC is always

    PROTIP: Use addresses from different IP classes. For example, for the production site, use VPC CIDR and for DR regions VPC CIDR

    PROTIP: Carefully predict how many nodes each subnet might need. Once assigned, AWS VPC subnet blocks can’t be modified. If you find an established VPC is too small, you’ll need to terminate all of the instances of the VPC, delete it, and then create a new, larger VPC, then instantiate again.

    Refer to this table of nodes for each netmask Amazon allows:

    # Nodes Netmask Subnet Mask
    14 /28
    30 /27
    62 /26
    126 /25
    254 /24
    510 /23
    65,534 /16

    For example, if all you’ll need are 14 nodes, specify /28. Notice that the larger the CIDR netmask, the less hosts in the subnet.

    Bucket of Candies Analogy

    If you must know why, here is my analogy (best for kinesthetic learners): When we say a sports star makes a “7 figure salary”, we figure out what that means with a table like this:

    Figure: 7 6 5 4 3 2 1
    # Values: 1,000,000 100,000 10,000 1,000 100 10 1

    Now imagine a bucket for each figure level, a different size bucket containing candies of various colors and patterns, unique one for each possible value. People earning 7 figures can choose from the bucket holding a million possible values.

    If we add up the values (colors) possible in the right-most 3 buckets, we would have 100 + 10 + 1 = 111 possibilities.

    Counting in Base 2

    Instead of the way bankers do arithmetic where ten $1 bills is equivalent to a 10 dollar bill (called “base 10” or decimal calculation), computers count using “base 2” or binary arithmetic using 0’s and 1’s. So each of their “buckets” have a different number of possibility values:

    Position: 8 7 6 5 4 3 2 1
    # Values: 254 128 64 32 16 8 4 2
    Cumulative possible addresses: 510 254 126 62 30 14 6 2

    If we add up the possible addresses just from the right-most 3 buckets (from right to left), we would have 2 + 4 + 8 = 14 possibilities.

    Look back above at the table of nodes, we see 14 possibilities can be obtained from a specification of 28 bits.

    This is all one needs to know to use AWS VPC.

    But if you would like to know how we get 3 buckets from the 28 bit specification, read on.

    IP address octets

    IPV4 subnet addresses such as “” are 4 sets of there are 32 “buckets” separated by dots into four 8 bit “octets”:

    The 127 in the figure above is obtained by adding the base 10 value of each bit “bucket”. Looking at a single octet of 8 bits:

    “Bucket” position: 8 7 6 5 4 3 2 1
    Base 10 value of each bucket: 128 64 32 16 8 4 2 1
    Cumulative base 10 (left to right) 255 127 63 31 15 7 3 1
    Base 2 for 127 in base 10 1 1 0 1 1 0 0 1
    Cumulative base 10 (left to right) 217 89 25 25 9 1 1 1

    To translate a base 2 number of all 1’s (“1111111”) to a base 10 value of 255 we accumulate base 10 values for each “bucket”, left to right.

    To translate the Base 2 set of 1’s and 0’s to a base 10 number of 217, we accumulate the equivalent base 10 number at each position where there is a 1.

    Now let’s look at the relationship between /28 and the “” subnet mask associated with the /28 in the table of nodes above.

    The “240” base 10 number in the right-most quartet is equivalent to “11110000” in base 2.

    “Bucket” position: 8 7 6 5 4 3 2 1
    Base 10 value of bucket: 128 64 32 16 8 4 2 1
    Base 2 for 240 in base 10 1 1 1 1 0 0 0 0
    Cumulative base 10 (left to right) 240 122 48 16 0 0 0 0

    Putting the three 255 and 240 together we get a continuous set of 1’s followed by four 0’s:


    • The 1’s “buckets” on the left side are used to address subnets managed by Amazon.

    • The 0’s buckets on the right side are used to address your individual nodes.

    REMEMBER: Although there are four 0’s buckets, only 3 are used to specify node addresses because one digit (two values) are reserved for network broadcast use (addresses containing all 0’s and all 1’s).

    More on CIDR (Classless Inter-Domain Routing), aka “supernetting”:

    • https://www.youtube.com/watch?v=POPoAjWFkGg IP Subnetting from CIDR Notations (getting network and broadcast addresses).

    • http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html

    • VLSM (Variable Length Subnet Mask)

    • https://cloudacademy.com/amazon-web-services/amazon-vpc-networking-course/build-and-configure-a-nat-instance.html

Do you really know the above? Take Pearson’s IP Subnetting exam on OReilly.com [subscription required]

### Automatically create VPC using CloudFormation #

VPCs are really software-defined networks (SDN).

     "Resources" : {
        "VPC" : {
         "Type" : "AWS::EC2::VPC",
         "Properties" : {
           "CidrBlock" : ""

       "InternetGateway" : {
         "Type" : "AWS::EC2::InternetGateway",
         "Properties" : {

       "AttachGateway" : {
          "Type" : "AWS::EC2::VPCGatewayAttachment",
          "Properties" : {
            "VpcId" : { "Ref" : "VPC" },
            "InternetGatewayId" : { "Ref" : "InternetGateway" }

In the CF JSON to define a VPC, CF automatically populates the “VpcId” : { “Ref” : “VPC” },

  REMEMBER: There is one VPC per Availability Zone.

A single Gateway serves all VPCs because that is the address the public DNS resolves corporate host names to.

## Static Elastic IPs #

NOTE: The use of static IP addresses in configurations in EC2 can be an annoyance to some and a comfort to others.

Historically, working on a physical servers involves use of specific static IPs associated with particular purposes. External monitoring server was manually configured with the IP assigned to each machine. This also creates time pressure (panic) to get specific servers up and running. This led to pressure for servers to be patched rather than risking losing configurations during rebuilds.

Static IPs needed to be protected as secrets because of their long-lived nature in traditional server environments.

A “paradigm shift” in thinking is necessary when moving to the “cloud” because there IP address assignments can be transitory ephemeral. When a server dies in a “12 factor app” environment, additional servers can be brought up automatically by auto-scaling from a common public pool.

AWS provides static IPs in their Elastic IP service.

  WARNING: AWS charges $1 per month for reserved static IPs that are not assigned to a running instance.

PROTIP: Long-lived elastic static IPs are useful to avoid shared IPs that may have been black-listed due to abuse by others.

Resources on this topic:

  * https://launchbylunch.com/posts/2014/Jan/29/aws-tips/
  * https://wblinks.com/notes/aws-tips-i-wish-id-known-before-i-started/


DNS servers maintain a database of host names to IP addresses.

Amazon’s DNS service is called Route 53 because the default part for DNS servers is TCP 53 / UDP 53.

Its competitors include Dyn.com, GoDaddy, etc.

DIAGRAM: Advanced Demo - Hybrid DNS between AWS and Simulated On-Premises

Routing Rules

AWS VPC Routing Rules are what makes subnets public or private.



  1. Launch an EC2 instance of a Community AMI built for NATting. Search for “NAT”.

    NAT provides IP address assignment and DNS Proxy name resolution services to internal network clients.

    A NAT server allows outbound traffic to the external internet. By default, a NAT server allows inbound traffic only through connections already established by an internet host (typically port 80/443).

    To access traffic from a special port from an external host:

    • If the public interface of the NAT server is configured with a single IP address, add a Special Port (for Windows, in the Routing and Remote Assess MMC console).

    • If the public interface of the NAT server is configured with multiple IP addresses, make address reservations to map specific external addresses to specific internal addresses.

    Selection of 006 DNS Servers option at the scope level overrides the selection at the server level.

    For security, define some servers to only make outbound calls to the internet (through the NAT server).

  2. PROTIP: A NAT instance provide whatever capacity a single AMI provides, so it should be configured with CloudWatch alarms and traffic metrics.

  3. Prepare before need a script to manually to manage Subnet failover to another NAT in this Amazon article.

NAT Gateway

A NAT Gateway is used for private subnets to reach the public internet.

An AWS NAT Gateway SaaS supports bursts of up to 10Gbps. NAT Gateways are managed by AWS, so they don’t have traffic metrics nor CloudWatch alarms, plus there is a per-hour charge for AWS to operate the NAT Gateway.

A NAT instance can be configured for port forwarding, bastion hosts.

Bastion host

Bastion hosts ???

PROTIP: Up to 5 different security groups can be applied to a single resource.

Only one NACL can be associated with a subnet, to deny specific IP addresses. Separate rules are for inbound and outbound.

PROTIP: NACL rules are numbered to sepcify sequence. To allow for insertion, leave gaps in the numbers. For example, create the first two with 100, 200, etc. so you can later add 150 between 100 and 200.

PROTIP: Remember that EC2 instances by default have Networking > Change Source/Dest. Check ON. But NAT instances require OFF or they wont’ show up on VPC Route Tables.


PROTIP: When an enterprise development team first begins working with an external vendor or customer, it would likely begin by using a private VPN while the project operates in “stealth mode”.

Configure Site to Site VPN to securely transfer data among Amazon VPCs in different regions or between Amazon VPC to your on-premise data center.

NOTE: Dual ports are usually configured on VPN hardware.

https://app.pluralsight.com/player?course=aws-certified-sysops-admin-associate&author=elias-khnaser&name=aws-certified-sysops-admin-associate-m5&clip=3&mode=live Customer Gateway.

It’s attached to a VPN.

VPC Peering

VPC peering enables organizations to link two distinct VPCs together, allowing assets in one network to talk to assets in another.

Peering connections were introduced to route traffic between two VPCs (AZs) in the same region using private (rather than public) IP addresses. This makes it like they are communicating as if they are within the same network.

Nodes in the same region can reference each other logically using the same peer SG (Security Group), which improves performance.

VPC peering is not transitive —- it must be specifically allowed for each VPC peered together.

Nevertheless, IP addresses must not overlap among VPCs.

Peering is neither a gateway nor a VPN connection, so doesn’t invoke separate physical hardware and the “single point of failure” nor bandwidth bottlenecks.

One useful use case is for more secure interconnection among Active Directory, Exchange, and other common business services:

  • more secure communication among business units/teams
  • stronger integration of CRM, HRMS, file sharing
  • tighter integrated access of core suppliers systems
  • provide monitoring and management of customer AWS resources
  1. Setup Peering in VPC

  2. Accept the Peering request on the target VPC.


Access Control Lists

  • Create Internet outbound allow and deny network ACL in your VPC. First network ACL: Allow all the HTTP and HTTPS outbound traffic on public internet facing subnet. Second network ACL: Deny all the HTTP/HTTPS traffic. Allow all the traffic to Squid proxy server or any virtual appliance. http://techlib.barracuda.com/display/BNGv54/How+to+Deploy+the+Barracuda+NG+Firewall+in+an+Amazon+Virtual+Private+Cloud


Negative ACLS.

Block all the inbound and outbound ports. Only allow application request ports.

These are stateless traffic filters that apply to all traffic inbound or outbound from a Subnet within VPC. AWS recommended Outbound rules

Security Group NACLs
Applicable to instances Operate on VPC subnets
Only supports Allow rules (layered on a default Deny) Support both allow and deny rules
Are stateful Are NOT stateful
Are considered in their entirety before traffic is allowed Are processed in numerical order
Must be associated with an instance to apply Apply automatically to all instances in a subnet

See http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html

Direct Connect (DX)

To Direct Connect to a customer’s Router in each DX Location, there is a port on a DX Router which is charged per hour of use. There are 1GB, 10GB, and 100GB wide pipes. The price is the same globally except for a few regions.

Outgoing data transfer charges apply, too, but cheaper than going through the public internet.

If the DX Location is in a different region, a DX Gateway is needed.


  • Add Intrusion Prevention or Intrusion Detection virtual appliances to secure protocols and to take preventive/corrective action.

  • Assign
  • Configure Privileged Identity access management solutions to monitor and audit access by Administrators of your VPC.

  • Add anti-virus for cleansing specific EC2 instances inside a VPC. Trend micro offers a product for this.

  • http://harish11g.blogspot.com/2015/06/best-practices-tips-on-amazon-web-services-security-groups-aws-security-managed-services.html

AMS needs to set limits http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_Limits.html

More on Amazon

This is one of a series on Amazon:

More on DevOps

This is one of a series on DevOps:

  1. DevOps_2.0
  2. ci-cd (Continuous Integration and Continuous Delivery)
  3. User Stories for DevOps
  4. Enterprise Software)

  5. Git and GitHub vs File Archival
  6. Git Commands and Statuses
  7. Git Commit, Tag, Push
  8. Git Utilities
  9. Data Security GitHub
  10. GitHub API
  11. TFS vs. GitHub

  12. Choices for DevOps Technologies
  13. Pulumi Infrastructure as Code (IaC)
  14. Java DevOps Workflow
  15. Okta for SSO & MFA

  16. AWS DevOps (CodeCommit, CodePipeline, CodeDeploy)
  17. AWS server deployment options
  18. AWS Load Balancers

  19. Cloud services comparisons (across vendors)
  20. Cloud regions (across vendors)
  21. AWS Virtual Private Cloud

  22. Azure Cloud Onramp (Subscriptions, Portal GUI, CLI)
  23. Azure Certifications
  24. Azure Cloud

  25. Azure Cloud Powershell
  26. Bash Windows using Microsoft’s WSL (Windows Subsystem for Linux)
  27. Azure KSQL (Kusto Query Language) for Azure Monitor, etc.

  28. Azure Networking
  29. Azure Storage
  30. Azure Compute
  31. Azure Monitoring

  32. Digital Ocean
  33. Cloud Foundry

  34. Packer automation to build Vagrant images
  35. Terraform multi-cloud provisioning automation
  36. Hashicorp Vault and Consul to generate and hold secrets

  37. Powershell Ecosystem
  38. Powershell on MacOS
  39. Powershell Desired System Configuration

  40. Jenkins Server Setup
  41. Jenkins Plug-ins
  42. Jenkins Freestyle jobs
  43. Jenkins2 Pipeline jobs using Groovy code in Jenkinsfile

  44. Docker (Glossary, Ecosystem, Certification)
  45. Make Makefile for Docker
  46. Docker Setup and run Bash shell script
  47. Bash coding
  48. Docker Setup
  49. Dockerize apps
  50. Docker Registry

  51. Maven on MacOSX

  52. Ansible

  53. MySQL Setup

  54. SonarQube & SonarSource static code scan

  55. API Management Microsoft
  56. API Management Amazon

  57. Scenarios for load
  58. Chaos Engineering