Can we change Default VPC = No for default VPC in AWS? - amazon-web-services

I have a complete setup of instances and vpn connection done using default VPC. Due to some reasons, I need to delete default VPC and create new VPC to setup again from scratch.
However I don't want to do that. Can I change flag default VPC to "No" by using any trick? We can't do it directly.

I dont think you can do that. Since Default VPC has some standard component configuration which is configured by aws for you. Because Default VPC has default security group, NACL and Internet gateway configured for your account.
As per AWS documentation:
When you create a default VPC, it is created with the standard
components of a default VPC, including a default subnet in each
Availability Zone. You cannot specify your own components.
So In your default VPC you might have configured few things which wont be available to your new custom VPC.
I think that's where Cloudformation template can help you to build stack easily across different environment. If you have created Cloudformation template / terraform, then you can easily migrate to new VPC.
Note:
You can still check with AWS support, if they are ready to do it for you.( may take support charges).

Related

How can I have a default security group without a VPC?

I saw this today and it seemed odd. In one region I have no VPC, but I apparently have a default security group that can't be deleted because "This is a default security group. Default security groups cannot be deleted."
How did this default security group come to exist without a VPC?
At one point there must have been a VPC, which came with this default security group, but I thought if the VPC is deleted the corresponding default security group would be deleted along with it.
All modern AWS accounts are provisioned with a VPC. VPCs can be deleted but the default security group can not.
I believe this dates back to the beginning of the EC2 service (i.e. EC2 Classic). In 2013 and earlier, users were able to create instances on a flat network that was shared with other customers and there was no concept of VPCs. AWS required EC2 instances to be associated with a security group but if none were created/selected by the user, AWS could rely on the default security group being available.
So the reason that we can have a default security group without a VPC is that security groups were actually a concept before VPCs and AWS still keeps this default security group requirement as a side effect of some of those earlier infrastructure requirements.
Ran into this yesterday.
Was using EC2 Classic Resource Finder and came across this resource along with some Security Groups(including the default) and an EIP. Deleted the non-default SG's and released the EIP without issue. Was unable to delete the default SG with the error "The following security groups can't be deleted. They are either default security groups, referenced by other security groups or they are associated with instances or network interfaces".
Ensuring this was not associated with a VPC or any other resources were referencing it, we reached out to support. Support confirmed that this resource will be sunset with EC2 Classic in 2023.
I think that must be it. I remembered deleting a default VPC for security reasons, but the default security group persisted.
Security is one of the key aspects in this term.
It is useful to note that security is always considered a top priority job at AWS. Therefore, Default Security Group cannot be deleted partially because they it is the last line of defense for potentially malicious attack on your Amazon EC2 instances. Amazon relies on Security Groups as virtual firewalls that your instances will be paired-up with exclusively for safety reasons. That is also why default SGs by default block any incoming traffic.
On the hand, protective NACL (Network Access Control Lists) feature is only one aspect of the VPC setup. VPCs are primarily logical networking compartments in your cloud infrastructure and you have absolute freedom to define them in any way you see fit. One use case is that you can have complex routing solutions that define many of the aspects of your cloud infrastructure, and accidentally adding Amazon EC2 instances to a default VPC by your developers can lead to hours of debugging why your resource is not behaving as expected.
In summary, security and the mentioned legacy aspects of the Amazon EC2 Classic instances related to the VPC concept (EC2-Classic and a VPC ) are one of the key reasons why default SGs can not be deleted compared to the default VPCs. Still, if you delete the default VPC, you will not be able to restore it or to provision new Amazon EC2 instances until you create at least one custom VPC in the respective region.
If you delete the default VPC, any running EC2 instances, network interfaces, it will automatically delete the default security group as well.
Can you delete a default VPC for a region?
You can delete a default subnet or default VPC just as you can delete
any other subnet or VPC.
However, if you delete your default subnets or default VPC, you must
explicitly specify a subnet in another VPC in which to launch your
instance, because you can't launch instances into EC2-Classic. If you
do not have another VPC, you must create a nondefault VPC and
nondefault subnet. For more information, see Create a VPC.
Reference: https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html

Elastic Beanstalk in VPC

I made and deployed my Django application in AWS Elastic Beanstalk. It has a connection to a Postgres DB in RDS, through the EBS console.
When I click configuration -> network in EBS, I see: "This environment is not part of a VPC."
How can I make it a part of a VPC? Thanks!
NOTE: very new to this ;)
You have to recreate the Elastic Beanstalk environment and pick the VPC during the creation. It is not possible to move an existing environment into a VPC.
But, unless you have access to EC2-Classic, the EC2 servers that were launched are already be in a VPC. They are just in the default VPC. But as far as Elastic Beanstalk is concerned, it seems oblivious to this.
I am not sure if there are any features that are exclusively available to VPC environments. My suggestion is to try to use your current environment, and if you happen to recreate the environment later for some other reason, then you can try picking a VPC and see if it offers anything new.
As already explained by #stefansundin you can't move existing EB into a custom VPC. You have to create new one.
These are general steps to consider:
Create a custom VPC with public and private subnets as described in the docs: VPC with public and private subnets (NAT). NAT is needed for instances and rds in private subnet to communicate with internet, but no inbound internet traffic will be allowed. This ensures that your instances and rds are not accessible from the outside.
Create new RDS, external to EB. This is good practice as otherwise the lifetime of your RDS is coupled with EB environment. Starting point is the following AWS documentation: Launching and connecting to an external Amazon RDS instance in a default VPC
Create new EB environment and ensure to customize its settings to use the VPC. Pass the RDS endpoint to the EB instances using environmental variables. Depending on how you want to handle password to the RDS, there are few options, starting from using environmental variables (low security) through SSM Parameter Store (free) or AWS Secrets Manager (not free).
Setting this all up correctly can be difficult for someone new to AWS. But with patience and practice it can be done. Thus, I would recommend with starting with default VPC, as you have now. Then once you are comfortable with how to work with external RDS, think on creating custom VPC as described.

When to set up a nondefault VPC in AWS?

When creating an EC2 instance (or some other kind of stuff) on AWS, there appears a default VPC.
Also, as another option, a VPC can be created beforehand and selected during the EC2 instance creation etc..
So, in which use cases should we create a new VPC instead of using the default one?
The AWS Documentation does a pretty good job describing how they create the default VPC.
When we create a default VPC, we do the following to set it up for
you:
Create a VPC with a size /16 IPv4 CIDR block (172.31.0.0/16). This provides up to 65,536 private IPv4 addresses.
Create a size /20 default subnet in each Availability Zone. This provides up to 4,096 addresses per subnet, a few of which are reserved
for our use.
Create an internet gateway and connect it to your default VPC.
Create a main route table for your default VPC with a rule that sends all IPv4 traffic destined for the internet to the internet
gateway.
Create a default security group and associate it with your default VPC.
Create a default network access control list (ACL) and associate it with your default VPC.
Associate the default DHCP options set for your AWS account with your default VPC.
This is great with simple applications and proof of concepts, but not for productions deployments. A DB instance should for example not be publicly available, and should there for be placed in a private subnet, something the default VPC does not have. You would then create some sort of backend instance that would connect to the DB and expose a REST interface to the public.
Another reason may be if you are running multiple environments (DEV, QA, PROD) that are all copies of each other. In this case you would want them to be totally isolated from each other as to not risk a bad deployment in the DEV environment to accidentally affect the PROD environment.
The list can go on with other reasons, and there are probably some that are better than those that I have presented you with today.
If you understand VPC reasonably well, then you should always create your own VPC. This is because you have full control over the structure.
I suspect that the primary reason for providing a Default VPC is so that people can launch an Amazon EC2 instance without having to understand VPCs first.

What will happen if I delete the default VPC in AWS?

I don't use the default VPC. I have created another VPC. However, I haven't assigned my other VPC as default. I would like to delete my default VPC and set my other VPC as default.
I read some arguments on the Internet. If I delete the default VPC then I will not be able to create instances. Is this correct?
What will happen if I delete the default VPC in AWS?
AWS has recently announced a feature to self restore the default VPC.
Also its not mandatory to have a default VPC in place for a region. However, at least one is needed if you plan to start EC2 instances in the particular region.
Note: In the past, if the default VPC is deleted, it was required to contact AWS Support to restore it back.
To answer your question, if there are no resources in your default VPC, and you delete it, nothing will happen. Any VPC other than the default will need to be "manually" selected and may not auto-populate for other services - there is no existing way (and no real need) to call another VPC the "default VPC", however.

AWS CLI Create Default VPC

I've got an OLD AWS account that apparently does NOT have a default VPC:
aws ec2 describe-security-groups --group-names webserviced --region us-west-1
A client error (VPCIdNotSpecified) occurred when calling the DescribeSecurityGroups operation: No default VPC for this user
There's no switch on create-vpc...only a boolean (IsDefault) in the output. I'm trying to replicate my infrastructure to the east coast and this is blocking me :( I don't have ANYTHING created on the east-coast (except for a single VPC that apparently isn't set as the default) so I'd at least like to figure out how to do it there so I don't have these issues in the future.
How can I define a default VPC?
P.S. Please don't say that I can't because there's already one defined...unless there's something I'm missing in which case I'd expect a big explanation :)
You cannot mark an existing VPC as a default VPC. You have to contact AWS support to mark your created VPC as the default VPC.
You must provide the following details: your AWS account ID, the region, and the subnet ID. To ensure that your new default subnet behaves as expected, modify the subnet attribute to assign public IP addresses to instances that are launched in that subnet.
I can confirm that it's not possible to set a custom VPC to your default VPC. Most use-cases don't require a lot of customization on a VPC since you can map the network in/out of the tunnel.
Now you can create a New Default VPC using AWS Console or CLI.