VPN and Amazon Virtual Private Cloud


Amazon VPC is not a private cloud offering. It is a connectivity option for a public cloud.

This allows VPC users to segregate their EC2 instances from “the masses” and get a VPN connection from their own data center to their VPC, which then looks like a part of their internal network.

VPC is a logical concept, not a physical one, meaning that the boundary around your instances in your VPC is at the network level, there is no separate room with your servers! What that means is that a VPC is truly a cloud with all the attributes we expect: virtually infinite, on-demand resource availability, pay-per-use pricing, etc. You’re not forking out $$$ to have someone build you a finite cloud-like datacenter, that takes months to build, and is charged up-front.

Amazon VPC does not isolate any resources for an individual customer’s use. It provides Internet VPN connectivity to a shared resource pool, rather than public Internet connectivity. It’s still the Internet — the same physical cables in Amazon’s data center and across the world, and the same logical Internet infrastructure, just with a Layer 3 IPsec encrypted tunnel on top of it. VPC is “virtual private” in the same sense that “virtual private” is used in VPN, not in the sense of “private cloud”.

VPN

A VPN is created by building a secure communications link between two nodes by emulating the properties of a point-to-point private link.

A VPN can be used to facilitate secure remote access into the cloud, securely connect two networks together, or create a secure data tunnel within a network. The portion of the link in which the private data is encapsulated is known as the tunnel. It may be referred to as a secure, encrypted tunnel, although it’s more accurately defined as an encapsulated tunnel, as encryption may or may not be used. To emulate a point-to-point link, data is encapsulated, or wrapped, with a header that provides routing information. Most often the data is encrypted for confidentiality. This encrypted part of the link is considered the actual virtual private network connection.

The two general types of VPNs relevant to cloud computing are remote access and network-to-network. These VPN types are described in the following sections.

Remote Access VPNs

A VPN can be configured to provide remote access to corporate resources over the public Internet to maintain confidentiality and integrity. This configuration enables the remote user to utilize whatever local ISP is available to access the Internet without forcing the user to make a long-distance or 800 call to a third-party access provider. Using the connection to the local ISP, the VPN software creates a virtual private network between the dial-up user and the corporate VPN server across the Internet.

Network-to-Network VPNs

A VPN is commonly used to connect two networks, perhaps the main corporate LAN and a remote branch office LAN, through the Internet. This connection can use either dedicated lines to the Internet or dial-up connections to the Internet.

However, the corporate hub router that acts as a VPN server must be connected to a local ISP with a dedicated line if the VPN server needs to be available 24/7.

The VPN software uses the connection to the local ISP to create a VPN tunnel between the branch office router and the corporate hub router across the Internet. The figure shows a remote branch office connected to the corporate main office using a VPN tunnel through the Internet.

VPN Tunneling

Tunneling is a method of transferring data from one network to another network by encapsulating the packets in an additional header. The additional header provides routing information so that the encapsulated payload can traverse the intermediate networks.

For a tunnel to be established, both the tunnel client and the tunnel server must be using the same tunneling protocol. Tunneling technology can be based on either a Layer 2 or a Layer 3 tunneling protocol. These layers correspond to the Open Systems Interconnection (OSI) Reference Model.

Tunneling, and the use of a VPN, is not intended as a substitute for encryption/decryption. In cases where a high level of security is necessary, the strongest possible encryption should be used within the VPN itself, and tunneling should serve only as a convenience.

IPSec

A popular tunneling protocol for network-to-network connectivity is IPSec, which encapsulates IP packets in an additional IP header. IPSec operates at the Network Layer of the OSI Reference Model and allows multiple simultaneous tunnels. IPSec contains the functionality to encrypt and authenticate IP data. It is built into the new IPv6 standard and is used as an add-on to the current IPv4. IPSec tunnel mode allows IP packets to be encrypted and then encapsulated in an IP header to be sent across a corporate IP Intranet or a public IP Internetwork, such as the Internet.

IPSec uses an authentication header (AH) to provide source authentication and integrity without encryption, and it uses the Encapsulating Security Payload (ESP) to provide authentication and integrity along with encryption. With IPSec, only the sender and recipient know the key. If the authentication data is valid, then the recipient knows that the communication came from the sender and was not changed in transit.

Security Considerations

Support a variety of security measures for securing the tenancy of virtual resources, such as resource locking, containment, authentication, access control, encryption, and integrity measures.

Allow security to be configured end-to-end on a per-VPN, per-user basis. For example, the virtual systems MUST lock resources such as memory, but must also provide a cleaning function to ensure confidentiality before the memory is reallocated.

Specify an authentication mechanism based on authentication algorithms (MD5, HMAC-SHA-1) for both header and payload.

Encryption MAY also be used to provide confidentiality.

Security boundaries MAY also be created to maintain TRUSTED, UNTRUSTED, and hybrid domains. Within each domain, access control techniques MAY be used to secure resource and administrative domains.

Amazon Virtual Private Cloud (Amazon VPC)

Amazon Virtual Private Cloud (Amazon VPC) is a secure and seamless bridge between a company’s existing IT infrastructure and the AWS cloud. Amazon VPC integrates today with Amazon EC2, and will integrate with other AWS services in the future.

Amazon VPC provides end-to-end network isolation by utilizing a customer-provided IP address range, and routing all network traffic between the customer’s VPC and datacenter through an industry-standard encrypted IPsec VPN. This allows the customer to leverage their preexisting security infrastructure.

How Amazon VPC works

  1. In your existing EC2 account you create a VPC; that’s the container for all your instances.
  2. In that VPC, you define one or more subnets (e.g. 10.34.1.0/24), chosen so they integrate well into your enterprise-wide internal addressing structure.
  3. You now set up your IPsec VPN device (preferably a major-brand router) and connect it to a VPN endpoint you create within your VPC.
  4. Finally, you launch your first VPC instance almost the same way as you would launch a public instance, the only difference being that you specify which of your VPC subnets it should be attached to.
  5. You now have a server in your VPC that, with a small amount of router configuration, is indistinguishable from any of your other servers in your datacenter, except that you didn’t have to buy it, rack it, or hook it up!

Objects in Amazon VPC

Amazon VPC is comprised of a variety of familiar objects:

1. A Virtual Private Cloud (VPC): an isolated portion of the AWS cloud. You define a VPC’s IP address space from a range you select.

2. Subnet: a segment of a VPC’s IP address range where you can place groups of isolated resources.

3. VPN Connection: a connection between your Amazon VPC and datacenter, home network, or co-location facility.

4. VPN Gateway: the Amazon VPC side of a VPN Connection.

5. Customer Gateway: your side of a VPN Connection.

You can use any device; however, it MUST be able to:

  • Establish IKE Security Association using Pre-Shared Keys
  • Establish IPsec Security Associations in Tunnel mode
  • Utilize the AES 128-bit encryption function
  • Utilize the SHA-1 hashing function
  • Utilize Diffie-Hellman Perfect Forward Secrecy in “Group 2” mode
  • Establish Border Gateway Protocol (BGP) peerings
  • Bind tunnels to logical interfaces (route-based VPN)
  • Utilize IPsec Dead Peer Detection

The following devices meeting the aforementioned requirements are known to work with Amazon VPC, and have support in the command line tools for automatic generation of configuration files appropriate for your device:

Lists of Cisco Systems and Juniper Networks resellers are available here and here, respectively.

6. Router: routers interconnect Subnets, and direct traffic between VPN Gateways and Subnets.

An Amazon VPC router enables Amazon EC2 instances within subnets to communicate with Amazon EC2 instances in other subnets within the same VPC. They also enable subnets and VPN gateways to communicate with each other. You can create and delete subnets attached to your router. Network usage data is not available from the router; however, you can obtain network usage statistics from your instances using Amazon CloudWatch.

How to USE Amazon VPC

  1. Subscribe to Amazon EC2 & Amazon VPC
  2. Use the CreateVpc API to create your VPC, within which you define the IP address space you wish to use.
  3. Create one or more subnets where your isolated resources, such as Amazon EC2 instances, are placed (Min 1 Subnet).
  4. To establish VPN connectivity to your VPC, you need a compatible router or VPN device. To make Amazon VPC aware of your compatible router or VPN device, use the CreateCustomerGateway API to create a Customer Gateway, providing information about your device such as its IP address and other networking-related information. Amazon VPC will then provide you with a Customer Gateway ID that you can use to represent your compatible router or VPN device when interacting with the service.
  5. Use the CreateVpnGateway API to create a VPN Gateway, which anchors the VPC-side of your VPN Connection and encrypts/decrypts messages to/from your Customer Gateway via the VPN connection.
  6. Use the CreateVpnConnection API to create a VPN Connection between the Customer Gateway and the VPN Gateway.
  7. When you launch Amazon EC2 instances into your VPC, they are automatically addressed from the subnet you connect them to.
  8. If you want the instance to have a specific IP address, you optionally can specify that when you launch the instance. You can then use your pre-existing security infrastructure, such as firewalls, intrusion detection systems, and management systems, to enforce policies based on these IP address ranges and control who and what has access to your resources running inside your VPC.
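
The eight steps above as one script. This is an added example, not code from AWS or from the original post: it assumes the boto3 EC2 client method names and response shapes (create_vpc, create_subnet, create_customer_gateway, create_vpn_gateway, attach_vpn_gateway, create_vpn_connection), it assumes the "other networking-related information" for the Customer Gateway is the device's BGP ASN (BGP peering is one of the device requirements listed earlier), and it includes an AttachVpnGateway call that the page's steps do not mention. The FakeEc2 class is a constructed stand-in that records the calls and returns made-up IDs, so the dependency order can be exercised offline; pass a real boto3 client instead to provision for real.

```python
import ipaddress


def provision_vpc_with_vpn(ec2, vpc_cidr, subnet_cidrs, customer_gateway_ip, bgp_asn):
    """Run the create calls in dependency order and return the resulting IDs.

    `ec2` is any object exposing boto3-style EC2 client methods (a real
    boto3.client("ec2") or the FakeEc2 below). Each step needs an ID produced
    by an earlier one, which is what fixes the order."""
    ipaddress.IPv4Address(customer_gateway_ip)        # raises ValueError on a malformed address
    if not 1 <= bgp_asn <= 65534:                     # 16-bit ASN range (assumption: what BgpAsn accepts)
        raise ValueError("bgp_asn must be a 16-bit ASN between 1 and 65534")

    # Step 2: the VPC is the container; every later object references its ID.
    vpc_id = ec2.create_vpc(CidrBlock=vpc_cidr)["Vpc"]["VpcId"]
    # Step 3: at least one subnet; instances are addressed from the subnet they join.
    subnet_ids = [ec2.create_subnet(VpcId=vpc_id, CidrBlock=cidr)["Subnet"]["SubnetId"]
                  for cidr in subnet_cidrs]
    # Step 4: describe your IPsec device: its public IP and (assumed) BGP ASN.
    cgw = ec2.create_customer_gateway(Type="ipsec.1", PublicIp=customer_gateway_ip, BgpAsn=bgp_asn)
    cgw_id = cgw["CustomerGateway"]["CustomerGatewayId"]
    # Step 5: the AWS-side endpoint, then bind it to the VPC (attach step not listed on the page).
    vgw_id = ec2.create_vpn_gateway(Type="ipsec.1")["VpnGateway"]["VpnGatewayId"]
    ec2.attach_vpn_gateway(VpcId=vpc_id, VpnGatewayId=vgw_id)
    # Step 6: the VPN connection joins the two gateways; its response carries the
    # device configuration (pre-shared keys, tunnel addresses) to load on your router.
    conn = ec2.create_vpn_connection(Type="ipsec.1", CustomerGatewayId=cgw_id, VpnGatewayId=vgw_id)
    return {
        "vpc": vpc_id,
        "subnets": subnet_ids,
        "customer_gateway": cgw_id,
        "vpn_gateway": vgw_id,
        "vpn_connection": conn["VpnConnection"]["VpnConnectionId"],
        "device_config": conn["VpnConnection"].get("CustomerGatewayConfiguration", ""),
    }


class FakeEc2:
    """Constructed stand-in for a boto3 EC2 client: records every call and hands
    back made-up IDs in boto3's response shape, so the sequence runs offline."""

    def __init__(self):
        self.calls = []

    def _create(self, name, kwargs, key, new_id):
        self.calls.append((name, kwargs))
        return {key: {key + "Id": new_id}}          # e.g. {"Vpc": {"VpcId": "vpc-fake"}}

    def create_vpc(self, **kw):
        return self._create("create_vpc", kw, "Vpc", "vpc-fake")

    def create_subnet(self, **kw):
        return self._create("create_subnet", kw, "Subnet", f"subnet-fake{len(self.calls)}")

    def create_customer_gateway(self, **kw):
        return self._create("create_customer_gateway", kw, "CustomerGateway", "cgw-fake")

    def create_vpn_gateway(self, **kw):
        return self._create("create_vpn_gateway", kw, "VpnGateway", "vgw-fake")

    def attach_vpn_gateway(self, **kw):
        self.calls.append(("attach_vpn_gateway", kw))
        return {}

    def create_vpn_connection(self, **kw):
        self.calls.append(("create_vpn_connection", kw))
        return {"VpnConnection": {"VpnConnectionId": "vpn-fake",
                                  "CustomerGatewayConfiguration": "<device config placeholder>"}}


if __name__ == "__main__":
    # With real credentials: import boto3; ec2 = boto3.client("ec2", region_name="us-east-1")
    ec2 = FakeEc2()
    result = provision_vpc_with_vpn(ec2, "10.34.0.0/16", ["10.34.1.0/24"], "192.0.2.1", 65000)
    for name, kwargs in ec2.calls:
        print(f"{name}({kwargs})")
    print(result)
```

The input checks run before the first API call on purpose: a VPC created with a bad customer gateway address is not rolled back by this script, and under the limits in force at the time of the post (one VPC, one VPN gateway, one customer gateway per account) a half-finished run blocks a second attempt until you delete the objects by hand.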

Supported programming languages

AWS provides libraries, sample code, tutorials, and other resources for software developers who prefer to build applications using language-specific APIs instead of Amazon VPC’s SOAP and REST APIs.

These libraries provide basic functions (not included in Amazon VPC’s SOAP and REST APIs), such as request authentication, request retries, and error handling so that it’s easier to get started. Libraries and resources are available for the following languages:

  • Java
  • PHP
  • Ruby
  • Windows and .NET

AWS infrastructure services within Amazon VPC

  • Amazon EC2 instances running Linux/UNIX or Windows
  • Amazon Elastic Block Store volumes for persistent block storage
  • Amazon CloudWatch to monitor the resource utilization of your Amazon EC2 instances
  • ElasticFox 1.7-000108 and later supports Amazon VPC

Features

  • Any number of Amazon EC2 instances within a VPC, so long as your VPC is appropriately sized to have an IP address assigned to each instance. You are initially limited to launching 20 Amazon EC2 instances per VPC at any one time and a maximum VPC size of /16 (65,536 IPs).
  • Amazon does not enforce any restrictions on VPN throughput. However, other factors, such as the cryptographic capability of your customer gateway, the capacity of your Internet connection, average packet size, the protocol being used (TCP vs. UDP), and the network latency between your customer gateway and the VPN gateway can affect throughput.
  • All traffic transiting your VPN connection can be inspected by your on-premise security infrastructure, including network firewalls, intrusion detection and prevention systems. You can also run and manage host-based firewalls upon Amazon EC2 instances running within your VPC.
  • To preserve the isolation of your VPC, Amazon VPC traffic bound for Amazon EC2 instances not within a VPC traverses the VPN connection, egresses from your datacenter, and then re-enters the public AWS network. Data transferred between Amazon EC2 instances within your VPC and Amazon EC2 instances not within a VPC is charged at standard Amazon VPC VPN data transfer and Amazon EC2 Internet data transfer rates.
  • It is possible to connect two VPCs operating in different regions through your home network. Please note that you will be charged standard VPN Data Transfer rates per VPN Connection.
  • All traffic to other Amazon Web Services traverses the VPN connection, egresses from your datacenter, and then re-enters the public AWS network. Data transferred between Amazon EC2 instances within your VPC and other AWS services is charged at standard Amazon VPC VPN data transfer rates and the respective AWS services’ standard Internet data transfer rates.
  • Ping (ICMP Echo) requests to the router that interconnects subnets within your VPC are not supported. Ping between Amazon EC2 instances within a VPC is supported, as is ping between resources in your VPC and resources in your home datacenter, as long as the security policy on your corporate network permits such traffic.
  • An IP address assigned to a running instance can only be used again by another instance once that original running instance is in a “terminated” state.
  • The VPN connection uses industry-standard IPsec tunnel mode (with IKE-PSK, AES-128, HMAC-SHA-1, PFS) to authenticate the gateways to each other and to protect the data in transit from eavesdropping and tampering. IPsec adds minimal overhead to the traffic stream—encryption and encapsulation add about 7% additional bandwidth utilization.
  • Instances in the VPC are separated from non-VPC instances at a deeper network level than instances in different security groups or belonging to different users. (Amazon doesn’t say anything of substance about the nature of this isolation.)
  • Instances in the VPC can seamlessly integrate into a company’s internal network routing. This is significant because it means that tools used to inventory, secure, audit, manage, and access all servers in the IT infrastructure can now be brought to bear on instances in the cloud as well.
  • Launching instances is only slightly different from before in that one additional parameter specifies the subnet to launch the instance into. Most everything else is unchanged.
  • The only extra cost of having a VPC over using standard EC2 instances is the VPN charge.
  • Add AWS resources, such as Amazon EC2 instances, to your VPC.
  • Freely create subnets to organize your resources based on criteria you define.
  • Amazon VPC is built using Amazon’s own world-class technology infrastructure. Like other Amazon Web Services, the service runs within Amazon’s proven global network infrastructure and datacenters.
  • AWS Premium Support is available for Amazon VPC.
  • Use the AWS Management Console to manage Amazon VPC objects such as VPCs, subnets, and IPSec VPN connections. Additionally, you can use a simple wizard to create and connect to a VPC.
  • Take an Amazon EBS snapshot in Amazon EC2 and attach it as a volume to an Amazon EC2 instance within a VPC, and vice versa.
  • Existing AMIs can be used in Amazon VPC if they are registered within the same region as your VPC.
  • Amazon EBS snapshots can be used if they are located in the same region as your VPC.
  • Existing Amazon EBS volumes can be used if they are located in the same Availability Zone (AZ) as your VPC.
  • The full library of public, private, and paid Amazon EC2 AMIs can be used within Amazon VPC, and vice versa.
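
The IPSec section earlier says the recipient trusts a packet only if its authentication data checks out, and the features list above puts the tunnel’s cost at roughly 7% extra bandwidth while the throughput bullet notes that average packet size matters. The following added example (not code from the post, from AWS, or from any IPsec implementation) builds and verifies an ESP tunnel-mode packet with the sizes of the security association the page describes (AES-128 in CBC mode, HMAC-SHA-1 truncated to 96 bits) and a genuine HMAC-SHA-1-96 integrity check value. The AES encryption step itself is omitted because Python’s standard library has no AES, so the payload stays in clear, but the IV, padding and trailer layout are kept so the on-wire sizes are exact. The gateway addresses 192.0.2.1 and 198.51.100.1, the SPI and the key are constructed values. The size functions show why the overhead depends on packet size: small packets pay far more than 7%, large ones less, and the largest inner packet that still fits a 1500-byte link without fragmenting is 1438 bytes.

```python
import hashlib
import hmac
import ipaddress
import os
import struct

# Sizes for the SA type the page describes: IPsec tunnel mode, AES-128 (CBC), HMAC-SHA-1.
OUTER_IP_HDR = 20     # new outer IPv4 header added in tunnel mode (no options)
ESP_HDR = 8           # SPI (4 bytes) + sequence number (4 bytes)
AES_BLOCK = 16        # AES-128-CBC: IV length and padding boundary
ESP_TRAILER = 2       # pad length byte + next header byte
ICV_LEN = 12          # HMAC-SHA-1-96: SHA-1 MAC truncated to 96 bits
IPPROTO_ESP = 50
NEXT_HEADER_IPIP = 4  # inner packet is a whole IPv4 packet (tunnel mode)


def esp_packet_len(inner_len: int) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    pad = (-(inner_len + ESP_TRAILER)) % AES_BLOCK
    return OUTER_IP_HDR + ESP_HDR + AES_BLOCK + inner_len + pad + ESP_TRAILER + ICV_LEN


def overhead_ratio(inner_len: int) -> float:
    """Fraction of extra bandwidth the tunnel costs for packets of this size."""
    return (esp_packet_len(inner_len) - inner_len) / inner_len


def max_inner_mtu(outer_mtu: int = 1500) -> int:
    """Largest inner packet that still fits the outer link MTU without fragmenting."""
    return max(n for n in range(1, outer_mtu + 1) if esp_packet_len(n) <= outer_mtu)


def ipv4_header(total_len: int, src: str, dst: str, proto: int = IPPROTO_ESP) -> bytes:
    """Minimal outer IPv4 header (TTL 64, no options) with a correct Internet checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", hdr))          # one's-complement sum of the 16-bit words
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", (~s) & 0xFFFF) + hdr[12:]


def esp_encapsulate(inner_packet: bytes, spi: int, seq: int, auth_key: bytes,
                    src: str = "192.0.2.1", dst: str = "198.51.100.1") -> bytes:
    """Wrap inner_packet in an ESP tunnel-mode packet (encryption step omitted, see lead-in).
    The ICV is HMAC-SHA-1-96 over ESP header + IV + (would-be) ciphertext + trailer."""
    pad_len = (-(len(inner_packet) + ESP_TRAILER)) % AES_BLOCK
    padding = bytes(range(1, pad_len + 1))        # RFC 4303 default padding 1, 2, 3, ...
    body = (struct.pack("!II", spi, seq) + os.urandom(AES_BLOCK) + inner_packet
            + padding + bytes([pad_len, NEXT_HEADER_IPIP]))
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return ipv4_header(OUTER_IP_HDR + len(body) + ICV_LEN, src, dst) + body + icv


def esp_verify(packet: bytes, auth_key: bytes):
    """Check the ICV first, then parse. Returns the inner packet, or None when the
    authentication data is invalid (wrong key, or any byte changed in transit)."""
    ihl = (packet[0] & 0x0F) * 4
    body, icv = packet[ihl:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):    # constant-time comparison
        return None
    pad_len, next_header = body[-2], body[-1]
    if next_header != NEXT_HEADER_IPIP:
        return None
    start = ESP_HDR + AES_BLOCK                   # skip SPI, sequence number and IV
    end = len(body) - ESP_TRAILER - pad_len       # drop padding and trailer
    return body[start:end]


if __name__ == "__main__":
    key = os.urandom(20)                          # constructed SA authentication key
    inner = bytes(1400)                           # constructed 1400-byte inner packet
    pkt = esp_encapsulate(inner, spi=0x1000, seq=1, auth_key=key)
    print(len(pkt), "bytes on the wire; verifies:", esp_verify(pkt, key) == inner)
    for n in (64, 100, 576, 1400):
        print(f"{n:5d}-byte packets: {overhead_ratio(n):.1%} overhead")
    print("largest inner packet for a 1500-byte link:", max_inner_mtu(1500))
```

Two design points worth noting. The receiver compares the integrity check value before it looks at the pad length or next-header byte, so a tampered trailer can never steer the parser; that is the order real IPsec stacks use. And the MTU figure matters operationally: if hosts inside the VPC send 1500-byte packets, the customer gateway must fragment or clamp TCP MSS, which is one of the "other factors" that cap VPN throughput.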

Benefits

For the customer:

– Isolates network & compute resources

  • Cloud resources are only accessible through the VPN

– Simplifies deployment, since the cloud looks the same as local resources

– Unifies resource pools across cloud/data center sites

For the service provider:

– Provides a mechanism for control over resource reservation within the provider network

– Simplifies management of multiple data centers by combining them into large resource pools

Limitations

  • One (1) VPC per AWS account
  • Twenty (20) subnets per VPC
  • One (1) VPN gateway per AWS account
  • One (1) VPN connection per VPN gateway
  • One (1) customer gateway per AWS account
  • No SLA
  • No Elastic Load Balancing or Auto Scaling within Amazon VPC
  • No Amazon Elastic MapReduce within Amazon VPC
  • No Amazon Cluster Compute Instances within Amazon VPC
  • Can’t deploy a VPC in multiple Availability Zones (AZs)
  • Amazon VPC is currently available in a single Availability Zone within the us-east-1 region, and in a single AZ within the eu-west-1 region.
  • Amazon VPC doesn’t support multicast or broadcast
  • Cannot directly access the Internet from a VPC.
  • To change the size of a VPC you must terminate your existing VPC and create a new one.
  • The minimum size of a subnet is a /28 (or 14 IP addresses). Subnets cannot be larger than the VPC in which they are created.
  • Amazon reserves the first four (4) IP addresses and the last one (1) IP address of every subnet for IP networking purposes.
  • IPv6 isn’t currently supported
  • Only one IP address range per VPC
  • Once you create a VPC or subnet, you can’t change its IP address range
  • Access from your VPC to other AWS services is through the VPN connection, then through your corporate network and its connection to the Internet
  • Amazon DevPay paid AMIs do not work with a VPC
  • Amazon EC2 Spot Instances do not work with a VPC
  • AWS does not perform network address translation (NAT) on Amazon EC2 instances within a VPC
  • Reserved Instances (with their discounted rates) are available; however, there’s currently no capacity guarantee for Reserved Instances in a VPC
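
Step 2 of "How Amazon VPC works" and the subnet limitations above (a VPC no larger than a /16, subnets no smaller than a /28, the first four and the last address of each subnet reserved, subnets that must lie inside the VPC and cannot be resized later) are easy to get wrong when the VPC also has to fit an existing corporate addressing plan. The following is an added example, not code from the post or from AWS: a planner built on Python’s ipaddress module that checks a proposed VPC and subnet layout against those rules, flags overlap with corporate ranges you supply (an overlap would make routing over the VPN ambiguous), and reports how many addresses each subnet actually yields. The 10.34.0.0/16 VPC and the 10.0.0.0/12 corporate range in the usage block are constructed values. Note that once the five reserved addresses are removed, a /28 yields 11 assignable addresses, not the conventional 14.

```python
import ipaddress

MAX_VPC_PREFIX = 16       # a VPC may be no larger than a /16 (65,536 addresses)
MIN_SUBNET_PREFIX = 28    # a subnet may be no smaller than a /28 (16 addresses)
RESERVED_PER_SUBNET = 5   # first four addresses and the last one are held back


def reserved_addresses(subnet: ipaddress.IPv4Network) -> list:
    """The five addresses you cannot assign in a subnet: the first four and the last."""
    first = subnet.network_address
    return [str(first + i) for i in range(4)] + [str(subnet.broadcast_address)]


def check_plan(vpc_cidr, subnet_cidrs, corporate_cidrs=()):
    """Return a list of problems with the plan; an empty list means it is valid."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)          # strict: host bits must be zero
    if vpc.prefixlen < MAX_VPC_PREFIX:
        problems.append(f"VPC {vpc} is larger than the /{MAX_VPC_PREFIX} maximum")
    for corp in corporate_cidrs:
        if vpc.overlaps(ipaddress.ip_network(corp)):
            problems.append(f"VPC {vpc} overlaps corporate range {corp}: "
                            "routing over the VPN would be ambiguous")
    subnets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    for i, sn in enumerate(subnets):
        if sn.prefixlen > MIN_SUBNET_PREFIX:
            problems.append(f"subnet {sn} is smaller than the /{MIN_SUBNET_PREFIX} minimum")
        if not sn.subnet_of(vpc):
            problems.append(f"subnet {sn} is not inside VPC {vpc}")
        for other in subnets[:i]:                 # pairwise overlap against earlier subnets
            if sn.overlaps(other):
                problems.append(f"subnet {sn} overlaps subnet {other}")
    return problems


def plan_subnets(vpc_cidr, subnet_cidrs, corporate_cidrs=()):
    """Validate the layout and describe each subnet; raises ValueError listing every problem."""
    problems = check_plan(vpc_cidr, subnet_cidrs, corporate_cidrs)
    if problems:
        raise ValueError("; ".join(problems))
    report = {}
    for cidr in subnet_cidrs:
        sn = ipaddress.ip_network(cidr)
        report[str(sn)] = {
            "total": sn.num_addresses,
            "usable": sn.num_addresses - RESERVED_PER_SUBNET,
            "reserved": reserved_addresses(sn),
            "first_usable": str(sn.network_address + 4),
            "last_usable": str(sn.broadcast_address - 1),
        }
    return report


if __name__ == "__main__":
    # Constructed plan: the page's own 10.34.1.0/24 example plus a minimum-size /28.
    layout = plan_subnets("10.34.0.0/16", ["10.34.1.0/24", "10.34.2.0/28"], ["10.0.0.0/12"])
    for cidr, info in layout.items():
        print(cidr, info["usable"], "usable, reserved:", ", ".join(info["reserved"]))
    bad = check_plan("10.34.0.0/16", ["10.34.1.0/24", "10.34.1.128/25", "10.35.0.0/24", "10.34.3.0/29"])
    print("\n".join(bad))
```

Because a VPC or subnet range cannot be changed after creation, run the check before the CreateVpc and CreateSubnet calls rather than after; the corporate ranges passed in should be every prefix your VPN device will advertise or route toward the VPC, not just the one site you are connecting first.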

Pricing/Payment Models

Pay only for what you use; there is no minimum fee. Both On-Demand and Reserved Amazon EC2 instances are available for use within your Amazon VPC for no additional fee beyond normal Amazon EC2 usage charges. Estimate your monthly bill using the AWS Simple Monthly Calculator.

When you create a VPN Connection, you are charged for each “VPN Connection-hour” in which the VPN Connection is available for your use, and for the data transferred via the VPN Connection; each partial VPN Connection-hour consumed is billed as a full hour. If you no longer wish to be charged for a VPN Connection, you simply terminate your VPN Connection using the DeleteVpnConnection API.

Each month, you pay for VPN Connection-hours and the amount of data transferred via the VPN connections. VPCs, subnets, VPN gateways, customer gateways, and data transferred between subnets within the same VPC are free. Charges for other AWS services, including Amazon EC2, are billed separately at published standard rates.

Your monthly AWS bill separates your usage and dollar amounts by service. Your Amazon VPC usage charges appear within the Amazon VPC portion of your bill. Your usage of other AWS services within your VPCs will continue to be listed in those services’ portion of your bill. For example, the Amazon EC2 portion of your bill includes EC2 instance hour charges for instances running within Amazon EC2 and Amazon VPC.

* As part of AWS’s Free Usage Tier, new AWS customers will receive free 15 GB of data transfer in and 15 GB of data transfer out each month aggregated across all AWS services for one year.

** Rate tiers take into account your aggregate Data Transfer Out usage across Amazon EC2, Amazon S3, Amazon RDS, Amazon SimpleDB, Amazon SQS, Amazon SNS, and Amazon VPC.

The characteristics of commercial VPC

Management and monitoring

CA Service Assurance and the Nimsoft Monitoring Solution can now easily plug into the Amazon Virtual Private Cloud (aws.amazon.com/vpc/).

CA Technologies supports Amazon VPC, as well as the shared Amazon Elastic Compute Cloud, enabling customers a variety of options for managing their IT resources across on-premise resources and AWS.

Interfaces

Because you use Amazon VPC in conjunction with Amazon EC2, the Amazon VPC operations are part of the Amazon EC2 WSDL, and Amazon VPC uses the Amazon EC2 web service entry point (i.e., endpoint). You can access the Amazon VPC operations through the following interfaces:

  • Command line
  • API
  • AWS Management Console (limited support at this time)

CloudWatch

  • Amazon CloudWatch to monitor the resource utilization of your Amazon EC2 instances.

Governance

Governance is about control, and Amazon VPC gives you better control over resources in a secure manner. The objective of Amazon VPC is to allow customers to seamlessly extend their IT infrastructure into the cloud while maintaining the levels of isolation required for their enterprise management tools to do their work.

Security

The success of VPN services in the enterprise and the government world is largely due to its ability to virtually segregate the customer traffic at layer 2 and layer 3. The lower the layer that segregation can be maintained, the safer it is for the customers from security and privacy perspectives.

Amazon VPC enables enterprises to connect their existing infrastructure to a set of isolated AWS compute resources via a Virtual Private Network (VPN) connection, and to extend their existing management capabilities such as security services, firewalls, and intrusion detection systems to include their AWS resources.

Route traffic between your VPC and the Internet over the VPN connection so that it can be examined by your existing security and networking assets before heading to the public Internet.

Extend your existing security and management policies within your IT infrastructure to your VPC as if they were running within your infrastructure.

Amazon EC2 Security Groups work in Amazon VPC

VPC & Dedicated managed hosting

With a typical dedicated server stack (outsourced or managed by you), you select your server, storage and networking needs, purchase them, and live with that configuration for 3 to 5 years. Adding memory isn’t too difficult. Upgrading disk drives proves more difficult. Upgrading CPUs is really difficult and expensive, because you basically have to replace the entire server.

With VPC, scalable resources are available with a similar kind of control to what organizations have over their private resources.

Scenarios for Using Amazon VPC / Who should consider VPC? / Business case for VPC

Test Environment

Software changes must often be deployed rapidly, with little time to test how they might affect what’s already in production. In an ideal world you’d have a test lab that mirrors your production environment, and here you’d install and exercise software updates against a typical workload. Once the update or new version passes, then you can roll it into production with greater confidence. By building your lab in Amazon VPC, you don’t need to budget for extra hardware and you can easily modify your lab to remain current with your production environment.

  • Test lab that looks like your production environment, but is isolated from it.
  • Install the software on these instances and perform your tests.
  • After you’re satisfied with the behavior, and have ensured that any other modifications to existing software don’t affect performance or exhibit unexpected behavior, install the updates into your production environment and repeat any modifications made to the test environment.
  • Finally, bundle the updated instances into new custom AMIs and terminate the instances.
Model and establish a greenfield production environment
  • Start with Amazon’s standard machine images and construct new environment.
  • Through the VPN connection, control how “local” the VPC resources appear to legacy environment.
  • Expose VPC resources to internal users, authenticate to existing enterprise directory, and manage them with the tools and practices.
  • Publish a timeline that lets users know when data will be migrated and create guidance that instructs users how to switch to the new environment.
  • Existing infrastructure remains in place so easy roll back from Amazon VPC should this become necessary.
Create branch and business unit networks

For branch offices that require separate but interconnected local networks, consider deploying resources inside Amazon VPC and assigning each office its own subnet. Applications within a subnet can freely communicate with each other.

Applications can also communicate across subnets through the virtual router.

If you need to limit flows within or across subnets, you can configure software firewalls or create IPsec transport-mode security associations on the instances to define which servers are permitted to communicate with each other.

Applications specific to particular business units can be installed into separate subnets, one for each unit.

IT operations will need to utilize remote management tools to configure and maintain the resources.

Isolate legacy and trial applications from the corporate network

Legacy applications might require an operating system you’re migrating away from or a server configuration that isn’t compatible with your standard builds. Rather than maintaining the equipment and managing corresponding policy exceptions, consider creating a legacy subnet inside a VPC and housing your legacy applications there. Isolate this subnet from the rest of your corporate network with rules you create either on the customer gateway on your side of the VPN connection or elsewhere in your own security infrastructure.

With rules configured in your gateway and infrastructure, you can limit what traffic is allowed to pass between the legacy subnet’s CIDR block and your corporate network.

Conduct your evaluations on a few Amazon EC2 instances inside your VPC.

If all goes well, then consider transitioning these images into production and granting access to authorized users through your customer gateway. This will save you the cost of purchasing, installing, and maintaining additional hardware in your own data center.

Establish a disaster recovery and business continuity plan

The elastic, dynamic nature of AWS is ideal for disaster scenarios where there are sudden spikes in resource requirements.

  • Identify business-critical applications.
  • Build specialized Amazon EC2 AMIs inside your VPC that are customized to duplicate the functionality of your critical assets.
  • Back up your production data into additional Amazon EBS volumes.
  • Quickly transition your business to your VPC by starting new instances from your custom AMIs, attaching your data volumes, and directing access to these servers.
Stream applications and create virtual desktops

By moving the compute workload into Amazon VPC, you can delay the purchase of new desktop PCs and extend the life of existing client hardware. A centrally managed virtual desktop infrastructure (VDI) allows you to more easily keep operating systems patched and updated and provides a simple way to deploy new client applications. Plus, in highly regulated industries with non-mobile employees, a VDI can significantly reduce the risks of data loss and malware infection.

Deliver training courses that require specific images, allow onsite contractors to run virtualized desktops that follow your corporate standards, and provide remote employees and home users connected to your corporate VPN with the same environment they have at the office.

Use a virtual desktop infrastructure (VDI) to test new or updated client applications before deployment. If you have a business requirement to run a specific application that you want to keep isolated from the rest of your environment, a VDI can provide an effective sandbox.


6 Responses to VPN and Amazon Virtual Private Cloud

  1. Your definition of a VPC is accurate prior to March 2011. In March 2011 Amazon VPC was updated significantly to include direct access to the Internet, the use of security groups with inbound and outbound filtering, ability to modify security group membership on running instances, route tables, network ACLs, the ability to launch on dedicated hardware, and the VPN connection became an optional component of VPC. As of August 2011, customers can now have multiple VPCs per customer account, multiple VPN connections per VPC, and support across multiple Availability Zones.

  2. Pingback: JetS3t: Java toolkit and Application suite for Amazon S3, Amazon CloudFront, Eucalyptus Walrus and Google Storage for Developers | Mitesh's Blog

  3. Thanks for this wonderful post. Admiring the time and effort you put into your blog and detailed information you offer.

  4. Marleen says:

    Nice post. It came up in my reader last night.

  5. Pingback: Virtual Private Cloud | Computer Blog | Computer Tips and Tricks | Everything you need to know
