When we create a VPC, we generally allocate it a private IPv4 address range as specified in RFC 1918.
I am making an assumption that the Internet Gateway, NAT Gateway etc. are hosted on AWS-managed VPCs, as they are highly available and scalable, just like how a customer would design a service on AWS.
Are there private IPv4 ranges AWS reserves for its own use to solve overlaps between a customer's VPC and their own VPCs that host the Internet Gateway / NAT Gateway? How are the CIDR overlaps managed?
It appears that you are asking about overlaps between customer VPCs and the actual networks used to 'run' AWS. However, there is no such overlap.
All networking in VPCs is virtual. Infrastructure deployed within VPCs is given IP addresses from the VPC's CIDR range. For example, a NAT Gateway connects to a VPC via an Elastic Network Interface (ENI), which consumes a private IP address from within the VPC. This allows it to communicate with other resources in the VPC, such as EC2 instances, RDS databases and Load Balancers.
The Internet Gateway does not consume any private IP addresses. It is simply a routing concept between a VPC and the Internet.
The actual equipment that AWS uses to operate services runs on separate networks that exist 'outside of' VPCs.
Yes, there are some ways AWS reserves IP addresses in your VPC :).
Firstly, the internet gateway actually does not use up an address in your VPC. The VPC router basically takes care of routes to the internet gateway (more on the VPC router below). I guess that they use all kinds of fancy network overlays and tricks to handle this traffic. Unfortunately I'm not enough of a network specialist to know the exact tech they use for this.
When creating a NAT gateway, AWS actually creates an elastic network interface inside your subnet with a private IP address attached to it. You can see these when going to the 'elastic network interface' view in the EC2 console. Obviously, you can't reuse these addresses.
Thirdly, AWS actually reserves several addresses per subnet. From the AWS docs:
The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved:
10.0.0.0: Network address.
10.0.0.1: Reserved by AWS for the VPC router.
10.0.0.2: Reserved by AWS. The IP address of the DNS server is the base of the VPC network range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. We also reserve the base of each subnet range plus two for all CIDR blocks in the VPC. For more information, see Amazon DNS server.
10.0.0.3: Reserved by AWS for future use.
10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address.
If you create a VPC or subnet using a command line tool or the Amazon EC2 API, the CIDR block is automatically modified to its canonical form. For example, if you specify 100.68.0.18/18 for the CIDR block, we create a CIDR block of 100.68.0.0/18.
So in short, the VPC router takes care of routing requests to the AWS internet gateway, NAT gateways get their own elastic network interface, and there are some other addresses reserved as well.
Private IP addresses can be reused in different networks and cannot be used on the public Internet; that's why they are called private.
If you use an AWS service and it is in a VPC, it will get an IP address in your CIDR range. Otherwise, it will be allocated in the AWS network.
The IP address 10.20.1.1 came up during our security scan and I was wondering which resource this IP belongs to. I searched through the EC2 instances and wasn't able to find this IP. It looks like a network interface IP or something like this, so I was wondering if someone could please point me in the right direction so I can find the resource and match it to that IP.
From Subnets for your VPC - Amazon Virtual Private Cloud:
The first four IP addresses and the last IP address in each subnet CIDR block are not available for your use, and they cannot be assigned to a resource, such as an EC2 instance. For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved:
10.0.0.0: Network address.
10.0.0.1: Reserved by AWS for the VPC router.
10.0.0.2: Reserved by AWS. The IP address of the DNS server is the base of the VPC network range plus two. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR. We also reserve the base of each subnet range plus two for all CIDR blocks in the VPC. For more information, see Amazon DNS server.
10.0.0.3: Reserved by AWS for future use.
10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address.
Since you have a subnet of 10.20.1.0/24, the address 10.20.1.1 is reserved by AWS for the VPC router.
AWS is responsible for routing traffic within a VPC according to the DHCP option sets in Amazon VPC. When a new instance launches and uses DHCP to obtain an IP address in the subnet, it is provided with the address of the router. Some network settings (such as DNS server) can be set, but AWS retains control of the router.
Your network scan detected the IP address associated with this router.
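A small helper, added here as an illustration rather than code from either answer above, that applies the reservation rule quoted in both threads: it lists the five reserved addresses of a subnet, normalizes a CIDR the way the docs say the API does, and classifies an address that turned up in a scan (the 10.20.1.1 case above) as reserved, as belonging to an ENI such as a NAT gateway's, or as unknown. The ENI records are constructed sample data shaped loosely after describe-network-interfaces output; the field names and ids are assumptions, not real account data.

```python
import ipaddress

# Offsets from the subnet base that AWS reserves, with the reasons given in the
# AWS docs quoted above.
RESERVED_OFFSETS = {
    0: "network address",
    1: "reserved by AWS for the VPC router",
    2: "reserved by AWS (subnet base + 2; the VPC DNS server is the VPC base + 2)",
    3: "reserved by AWS for future use",
}
# AWS subnets range from /16 to /28; the five reservations would not fit in anything smaller.
MAX_PREFIXLEN = 28


def canonicalize_cidr(cidr: str) -> str:
    """Normalize a CIDR the way the EC2 API does: 100.68.0.18/18 -> 100.68.0.0/18."""
    return str(ipaddress.ip_network(cidr, strict=False))


def reserved_addresses(subnet_cidr: str) -> dict:
    """Map each address AWS reserves in a subnet to the reason it is reserved."""
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    if net.prefixlen > MAX_PREFIXLEN:
        raise ValueError(f"{net} is smaller than the /28 minimum for a VPC subnet")
    base = int(net.network_address)
    reserved = {
        str(ipaddress.ip_address(base + offset)): reason
        for offset, reason in RESERVED_OFFSETS.items()
    }
    reserved[str(net.broadcast_address)] = (
        "network broadcast address (broadcast is not supported in a VPC)"
    )
    return reserved


def usable_addresses(subnet_cidr: str) -> int:
    """Addresses left for your own resources once the five reservations are removed."""
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    return net.num_addresses - len(reserved_addresses(subnet_cidr))


# Constructed sample ENI records (not real account data), shaped loosely after
# `aws ec2 describe-network-interfaces` output; the field names are assumptions.
SAMPLE_ENIS = [
    {"id": "eni-0aaa", "subnet": "10.20.1.0/24", "private_ip": "10.20.1.17",
     "description": "Interface for NAT Gateway nat-0bbb", "attached_instance": None},
    {"id": "eni-0ccc", "subnet": "10.20.1.0/24", "private_ip": "10.20.1.42",
     "description": "", "attached_instance": "i-0ddd"},
]


def explain_ip(ip: str, subnets: list, enis: list) -> str:
    """Say what an address seen in a scan is: a reserved address, an ENI, or unknown."""
    addr = ipaddress.ip_address(ip)
    key = str(addr)
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr not in net:
            continue
        reasons = reserved_addresses(cidr)
        if key in reasons:
            return f"{key} in {net}: {reasons[key]}"
        for eni in enis:
            if eni["private_ip"] == key:
                owner = eni["attached_instance"] or eni["description"] or "unattached ENI"
                return f"{key} in {net}: ENI {eni['id']} ({owner})"
        return f"{key} in {net}: no matching ENI in the export; check the ENI view in the EC2 console"
    return f"{key}: not inside any of the given subnets"


if __name__ == "__main__":
    for probe in ("10.20.1.1", "10.20.1.17", "10.20.1.42", "10.20.1.99"):
        print(explain_ip(probe, ["10.20.1.0/24"], SAMPLE_ENIS))
```

Feed explain_ip the subnet CIDRs from your VPC and an export of your ENIs, and every address a scanner reports that is not an EC2 primary address resolves either to one of the five reservations or to a managed-service ENI (NAT gateway, load balancer and so on) that the EC2 instance list never shows.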
I have 2 AZs on my VPC. A public and a private subnet in each of them.
Currently I have my application deployed on the private subnets and outbound traffic routed using a NAT Gateway on the public subnets of each AZ.
The thing is that some vendors have to whitelist my application's IP. Currently I have 2 IPs, one for each NAT Gateway.
Is there a way to use the same IP for both of them without losing AZ redundancy, so vendors only need to whitelist a single IP?
No, as each EIP can only be associated with a single network interface.
The following rules apply: An Elastic IP address can be associated with a single instance or network interface at a time.
See https://docs.aws.amazon.com/vpc/latest/userguide/vpc-eips.html
The other thing you could do is something like this: https://aws.amazon.com/blogs/networking-and-content-delivery/creating-a-single-internet-exit-point-from-multiple-vpcs-using-aws-transit-gateway/
Some vendors only allow you to whitelist a limited number of IPs, which can be really annoying to deal with.
As described in the AWS VPC scenario 2 page, I have a VPC with 2 subnets defined: one private and one public. The private subnet uses a NAT gateway for the outbound traffic (the NAT gateway lives in the public subnet). The public subnet uses an internet gateway for inbound and outbound.
The usage of the NAT gateway requires an ElasticIP to be registered and associated with that NAT. Now, I need a public IP for the EC2 instance I have in the public subnet, one that remains static even after restarting the instance and that outside traffic can come in to. Do I need to register another ElasticIP for that purpose, or can I reuse the same ElasticIP that I already created for the NAT Gateway?
An Elastic IP address can only be registered to one ENI at a single time. When you create it a mapping is formed to resolve the elastic IP address to a single private address on an ENI (be that a NAT Gateway or an EC2 host).
When you associate an Elastic IP address with an instance, it is also associated with the instance's primary network interface. When you associate an Elastic IP address with a network interface that is attached to an instance, it is also associated with the instance.
You will need to create a new one for your EC2 host; by default you can use 5 elastic IP addresses in a region, and if you need more than this you would need to contact Amazon to increase your account's quota.
For more information take a look at the Elastic IP addresses page.
I see that AWS allows one to create a VPC with a CIDR that can be outside the private IPv4 address space, but why would one ever do so?
When someone chooses a non-private IP range CIDR for their VPC, it could be:
For convenience
Run out of CIDRs, if you keep allocating /16
For testing. I remember a setup where the CIDR overlapped Microsoft's. They did it so that traffic that was supposed to go to Microsoft was routed internally for analyzing the data.
When a non-private IP range CIDR is used, traffic is never routed from outside AWS into the VPC, because no router will have a route to the VPC. It is only for internal routing.
If you have only a private subnet (with customer gateway to connect to your corporate network) - a.k.a Scenario 4, you can have any CIDR range.
This is available in order to host a public network, and although surprising, there are organizations that use public IP space for their internal network. These are primarily organizations that own a massive amount of public IP space. This is typically a carryover from the early days of the internet.
From the AWS VPC FAQ
Q. What IP address ranges can I use within my VPC?
You can use any IPv4 address range, including RFC 1918 or publicly routable IP ranges for the primary CIDR block. For the secondary CIDR blocks certain restrictions apply. Publicly routable IP blocks are only reachable via the Virtual Private Gateway and cannot be accessed over the Internet through the Internet gateway. AWS does not advertise customer-owned IP address blocks to the Internet. You can allocate an Amazon-provided IPv6 CIDR block to a VPC by calling the relevant API or via the AWS Management Console.
As I mentioned, the case where this would typically be seen is if an organization owns a set of public IP space and uses those IP addresses on their internal network. This would then allow traffic from the internal network to communicate via Direct Connect to network interfaces in the VPC. This is a very uncommon scenario, but it is why this exists.
While it may be uncommon, some of the largest companies in the world, which acquired massive amounts of IPv4 addresses in the early to mid 90s, are still migrating their internal network to RFC-1918 space. I suspect these large potential customers also drove AWS to support public address space in this way. Keep in mind that RFC-1918 didn't exist until 1996 and even then it wasn't broadly adopted.
https://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks
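As an added illustration (not code from either answer, and not an AWS tool), the following audit applies the points made in this thread to a set of VPC primary CIDRs: it flags ranges outside RFC 1918, which per the FAQ quoted above are reachable only through the virtual private gateway and are never advertised; reports overlaps between VPCs and with the corporate ranges reached over a customer gateway or Direct Connect (the Scenario 4 case); and flags a non-private CIDR that collides with a public range the workloads actually need to reach, the situation the Microsoft example describes, where the VPC's local route keeps that traffic inside the VPC. The VPC names and ranges are constructed sample data, not a real inventory.

```python
import ipaddress

# RFC 1918 private blocks, the usual choice for a VPC primary CIDR.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr: str) -> bool:
    """True when the whole CIDR lies inside one RFC 1918 block."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def audit_vpc_cidrs(vpcs: dict, corporate: list, must_reach: dict) -> list:
    """Return (vpc, kind, detail) findings for a set of VPC primary CIDRs.

    vpcs:       {vpc name: primary CIDR}
    corporate:  on-premises ranges reached through a VGW / Direct Connect
    must_reach: {label: public range the workloads must reach over the Internet}
    """
    nets = {name: ipaddress.ip_network(c, strict=False) for name, c in vpcs.items()}
    corp = [ipaddress.ip_network(c, strict=False) for c in corporate]
    external = {label: ipaddress.ip_network(c, strict=False) for label, c in must_reach.items()}
    names = sorted(nets)
    findings = []
    for i, name in enumerate(names):
        net = nets[name]
        if not is_rfc1918(str(net)):
            findings.append((name, "non_rfc1918",
                             f"{net} is outside RFC 1918; if publicly routable it is reachable only "
                             "via the virtual private gateway, not the Internet gateway, "
                             "and AWS will not advertise it"))
        # Each VPC pair is checked once and reported under the alphabetically first name.
        for other in names[i + 1:]:
            if net.overlaps(nets[other]):
                findings.append((name, "vpc_overlap",
                                 f"{net} overlaps {other} ({nets[other]}); the two VPCs cannot be peered"))
        for rng in corp:
            if net.overlaps(rng):
                findings.append((name, "corporate_overlap",
                                 f"{net} overlaps corporate range {rng}; hosts there are "
                                 "unreachable from this VPC over the VGW"))
        for label, rng in external.items():
            if net.overlaps(rng):
                findings.append((name, "must_reach_overlap",
                                 f"{net} overlaps {label} ({rng}); the VPC local route wins, "
                                 f"so traffic for {label} never leaves the VPC"))
    return findings


# Constructed sample inventory (not real account data).
SAMPLE_VPCS = {"prod": "10.0.0.0/16", "dev": "10.0.128.0/17", "lab": "203.0.113.0/24"}
SAMPLE_CORPORATE = ["10.0.100.0/24", "172.16.0.0/12"]
SAMPLE_MUST_REACH = {"vendor-api": "203.0.113.64/26"}

if __name__ == "__main__":
    for vpc, kind, detail in audit_vpc_cidrs(SAMPLE_VPCS, SAMPLE_CORPORATE, SAMPLE_MUST_REACH):
        print(f"[{kind}] {vpc}: {detail}")
```

Run against the sample inventory it reports four findings: dev overlaps prod, lab is outside RFC 1918 and swallows the vendor range it needs to reach, and prod collides with a corporate /24. The non_rfc1918 finding is informational when the range is deliberately public space connected over Direct Connect, as the answer above describes; the three overlap kinds are the ones that silently break routing.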
I am trying out the AWS free tier and chose to set up a VPC with public and private subnets.
The IP CIDR block is defaulted to 10.0.0.0/16, which is 65531 IP addresses. Both public and private subnets are set to 10.0.0.0/24.
Isn't a smaller number of IP addresses, just enough to fit my need, better for security? So for example, if I intend to run 2 EC2 instances, then all I need is just 2 IP addresses?
I need to deploy a Meteor web application to be used by the public. Could someone please explain if I need to have the largest number of IP addresses to serve the highest number of connections to my app? I am confused.
In a VPC, the number of IP addresses does not matter as far as security goes. For better security, it depends on how you are exposing the application and the resources in your VPC to the open world.
65531 IP addresses means your VPC can have 65531 EC2 instances in it. So if your application is going to have more than 65531 EC2 instances, then you need to create a new VPC. And if you need fewer IP addresses for your VPC, you can at any time create another VPC with fewer IP addresses by tweaking the CIDR block as per your requirement.
As far as security goes, you need to follow the AWS best practices when you are creating the infrastructure in an AWS VPC.
These are good reads:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html
http://harish11g.blogspot.com/2014/01/Amazon-Virtual-Private-Cloud-VPC-best-practices-tips-for-architecture-migration.html