AWS VPC

From cwhite's wiki

Terminology

Subnets
A range of IP addresses in your VPC, expressed as a CIDR block. Each subnet lives in a single Availability Zone.
A public subnet is a subnet whose route table has a route to an internet gateway; a subnet without such a route is private even though the IGW is attached to the VPC.
Internet Gateway (IGW)
Horizontally scaled, highly available VPC component that allows traffic between instances in the VPC and the internet. It performs one-to-one NAT between an instance's private IP and its public or Elastic IP for inbound and outbound traffic.
Route Table
A set of routes that determines where traffic should be directed.
Security Groups
Acts as a virtual firewall at the instance (network interface) level that controls the traffic for one or more instances. Security groups are stateful: return traffic for an allowed connection is permitted automatically, and the rules are allow-only (there are no deny rules).
Network ACL
Controls inbound and outbound traffic at the subnet boundary, not just traffic to the internet. Network ACLs are stateless: return traffic must be explicitly allowed (typically by allowing the ephemeral port range), rules are evaluated in rule-number order with the first match winning, and explicit deny rules are supported.
Elastic IP (EIP)
A static public IP that is reachable from the internet.
EIPs operate differently on EC2-Classic and in a VPC; the differences are described in the AWS documentation.
DHCP Options Set
Provides configurable parameters from the options field of DHCP messages, such as the domain name, DNS servers, NTP servers, etc.
Virtual Private Gateway (VGW)
The VPN concentrator on the Amazon side of the VPN connection; it is attached to the VPC.
Customer Gateway (CGW)
A physical or software device on the customer side of the VPN connection.
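The stateful/stateless distinction between security groups and network ACLs above is the one that bites in practice, so here is a small model of the two evaluation semantics. It is an added illustration written for this page, not AWS code; the rule tables, rule numbers and client addresses are constructed for the example.

```python
"""Model of how AWS evaluates security groups (stateful, allow-only) versus
network ACLs (stateless, ordered, allow or deny). Added illustration for this
page, not AWS code; the rule tables and client addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Tuple

ANY = "0.0.0.0/0"
EPHEMERAL = (1024, 65535)  # ports a client picks as its source; a NACL must allow the return path


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp", "icmp" or "-1" for all traffic
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # NACL rules may be "deny"; security group rules are allow-only
    number: int = 0        # NACL rule number; evaluated in ascending order


def _matches(rule: Rule, protocol: str, port: int, addr: str) -> bool:
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not (rule.port_from <= port <= rule.port_to):
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr)


def nacl_allows(rules: Iterable[Rule], protocol: str, port: int, addr: str) -> bool:
    """Network ACL semantics: lowest rule number first, the first match decides,
    and the implicit '*' rule at the end denies anything unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, addr):
            return rule.action == "allow"
    return False


def sg_allows(rules: Iterable[Rule], protocol: str, port: int, addr: str) -> bool:
    """Security group semantics: any matching allow rule permits the packet."""
    return any(_matches(r, protocol, port, addr) for r in rules)


def https_round_trip(inbound, outbound, client="203.0.113.10", stateful=False) -> Tuple[bool, bool]:
    """Simulate a client connecting to TCP/443 from ephemeral source port 50000
    and the server replying to that port. Returns (request_allowed, reply_allowed)."""
    if stateful:
        # Security group: return traffic of an accepted connection is allowed
        # automatically, whatever the outbound rules say.
        request = sg_allows(inbound, "tcp", 443, client)
        return request, request
    # Network ACL: the reply is a fresh packet whose destination port is the
    # client's ephemeral port, so it must be matched by an outbound rule.
    request = nacl_allows(inbound, "tcp", 443, client)
    reply = request and nacl_allows(outbound, "tcp", 50000, client)
    return request, reply


# Constructed rule tables for the demonstration.
NACL_INBOUND = [
    Rule("tcp", 443, 443, "198.51.100.0/24", action="deny", number=90),  # block one noisy network
    Rule("tcp", 443, 443, ANY, number=100),
]
NACL_OUTBOUND_BROKEN = [Rule("tcp", 443, 443, ANY, number=100)]  # forgot the ephemeral range
NACL_OUTBOUND_FIXED = NACL_OUTBOUND_BROKEN + [Rule("tcp", *EPHEMERAL, ANY, number=110)]
SG_INBOUND = [Rule("tcp", 443, 443, ANY)]

if __name__ == "__main__":
    print("NACL without ephemeral outbound:", https_round_trip(NACL_INBOUND, NACL_OUTBOUND_BROKEN))
    print("NACL with ephemeral outbound:   ", https_round_trip(NACL_INBOUND, NACL_OUTBOUND_FIXED))
    print("Security group:                 ", https_round_trip(SG_INBOUND, [], stateful=True))
    print("NACL deny rule 90 for 198.51.100.7:", nacl_allows(NACL_INBOUND, "tcp", 443, "198.51.100.7"))
```

The broken NACL table lets the SYN in on 443 but drops the server's reply because nothing allows outbound traffic to port 50000; adding rule 110 for the ephemeral range fixes it, and the security group needs no such rule. The deny at rule 90 also shows why NACL rule numbering matters: a deny placed after a broader allow would never be reached.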


NAT

There are two types of NAT devices: NAT instances and NAT gateways. A NAT instance is an EC2 instance launched from a NAT AMI (or any AMI, if you configure IP forwarding and masquerading yourself); its source/destination check must be disabled, because it forwards packets that are not addressed to it. NAT instances can do port forwarding, which NAT gateways cannot. If you set up only one NAT instance, it is a single point of failure; run a pair and fail the route over between them. More on NAT instances is in the AWS documentation.

NAT gateways are managed by AWS and only support PAT (no port forwarding). They provide better availability and bandwidth than NAT instances; at the time of writing a NAT gateway could burst up to 10 Gbps (this limit has since been raised, so check the current documentation). If you need more bandwidth, create an additional subnet with its own NAT gateway and split the routes across them. Only one EIP is associated with a NAT gateway and it cannot be changed; to change the IP address you must create a new NAT gateway. You cannot attach security groups to a NAT gateway (use the subnet's network ACL and the security groups of the instances behind it instead), and it does not support IP fragmentation for TCP and ICMP. More information is in the AWS documentation.

Misc

VPC peering connects two of your VPCs, or two VPCs in different accounts, over private IP addresses. At the time of writing peering was only possible between VPCs in the same region (inter-region peering has since been added). The VPCs cannot have overlapping CIDR blocks, and peering is not transitive: if A is peered with B and B with C, A cannot reach C through B. Additional details are in the AWS documentation.

ClassicLink links an EC2-Classic instance to a VPC so that it can reach services in the VPC over private IP addresses; examples of such services are Redshift, ElastiCache, ELB, RDS and S3. It also supports VPC peering connections for ClassicLink-enabled EC2-Classic instances. An EC2-Classic instance can be linked to only one VPC, and not to a VPC in a different region or a different account. Additionally, you cannot link to a VPC whose CIDR block is in the 10.0.0.0/8 range, with the exception of 10.0.0.0/16 and 10.1.0.0/16. (EC2-Classic and ClassicLink have since been retired by AWS.) More on ClassicLink is in the AWS documentation.
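Both the peering and the ClassicLink paragraphs above come down to CIDR constraints that are easy to check before filing a request. The following is an added example for this page, not AWS tooling; the VPC names and CIDR blocks in the inventory are constructed.

```python
"""Checks for the CIDR constraints described above: VPC peering requires
non-overlapping CIDR blocks, and ClassicLink refuses VPCs inside 10.0.0.0/8
except 10.0.0.0/16 and 10.1.0.0/16. Added example for this page, not AWS
tooling; the VPC names and CIDRs are constructed."""
import ipaddress
from typing import Dict, List, Tuple


def unpeerable_pairs(vpcs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (name, name) pairs whose CIDR blocks overlap. AWS rejects a
    peering request between such VPCs, so they need renumbering first."""
    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in vpcs.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


_TEN_EIGHT = ipaddress.ip_network("10.0.0.0/8")
_CLASSICLINK_EXCEPTIONS = (ipaddress.ip_network("10.0.0.0/16"),
                           ipaddress.ip_network("10.1.0.0/16"))


def classiclink_allowed(vpc_cidr: str) -> bool:
    """True if a VPC with this CIDR block may be enabled for ClassicLink:
    anything inside the two excepted /16s is fine, anything else in 10/8 is not."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    if any(net.subnet_of(exc) for exc in _CLASSICLINK_EXCEPTIONS):
        return True
    return not net.overlaps(_TEN_EIGHT)


# Constructed inventory: "dev" was carved out of the same space as "prod".
VPCS = {"prod": "10.0.0.0/16", "dev": "10.0.128.0/17", "shared": "172.16.0.0/16"}

if __name__ == "__main__":
    print("cannot peer:", unpeerable_pairs(VPCS))
    for name, cidr in VPCS.items():
        print(name, cidr, "ClassicLink ok" if classiclink_allowed(cidr) else "ClassicLink refused")
```

`strict=True` makes `ip_network` reject a CIDR whose host bits are set (for example `10.0.1.0/16`), which is the same sanity check the console applies, so a typo in the inventory fails loudly instead of silently passing the overlap test.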

VPC Endpoints let you create a private connection between your VPC and another AWS service (at the time of writing only S3; more services have since been added) in the same region, without requiring internet access, a NAT device, a VPN or Direct Connect. This keeps the traffic off the public network: instances in private subnets reach the service directly. Access is controlled with an endpoint policy attached to the endpoint and with the security groups of the instances using it; on the service side, an S3 bucket policy can additionally require that requests arrive through a specific endpoint using the aws:sourceVpce condition key. You cannot use the endpoint's prefix list ID in network ACL outbound rules (only in security group rules). The endpoint and the service must be in the same region, and endpoint connections cannot be extended outside the VPC over peering, VPN or Direct Connect. More information is in the AWS documentation.
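To make the two sides of endpoint access control concrete, here is a simplified IAM-style evaluator run over an endpoint policy and a bucket policy. This is an added example for this page, not AWS code: the policy documents, the bucket name `example-artifacts` and the endpoint ID `vpce-0123456789abcdef0` are constructed, and only the string operators those policies use are modelled (real IAM evaluation has many more rules).

```python
"""Simplified IAM-style evaluation of the two policies that gate an S3
endpoint: the endpoint policy (what the VPC may reach) and a bucket policy
that only accepts requests arriving through a given endpoint (aws:sourceVpce).
Added example for this page, not AWS code: the policy documents, bucket name
and endpoint ID are constructed, and only the operators they use are modelled."""
import fnmatch
import json
from typing import Any, Dict, List, Optional

# Endpoint policy: this VPC may only read one bucket, never its secrets/ prefix.
ENDPOINT_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-artifacts", "arn:aws:s3:::example-artifacts/*"]},
    {"Effect": "Deny", "Principal": "*",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::example-artifacts/secrets/*"}
  ]
}""")

# Bucket policy: refuse anything that did not come through our endpoint.
BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-artifacts", "arn:aws:s3:::example-artifacts/*"],
     "Condition": {"StringNotEquals": {"aws:sourceVpce": "vpce-0123456789abcdef0"}}}
  ]
}""")


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _match(patterns: Any, value: str, fold_case: bool = False) -> bool:
    """IAM wildcard match: '*' any run of characters, '?' one character.
    Action names are case-insensitive; resource ARNs are not."""
    patterns = _as_list(patterns)
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition: Optional[Dict], context: Dict[str, str]) -> bool:
    for operator, pairs in (condition or {}).items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)  # do not guess at operators this model lacks
        for key, expected in pairs.items():
            actual = context.get(key)  # missing key: StringEquals fails, StringNotEquals passes
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            if operator == "StringNotEquals" and actual in _as_list(expected):
                return False
    return True


def evaluate(policy: Dict, action: str, resource: str,
             context: Optional[Dict[str, str]] = None) -> str:
    """Return 'explicit_deny', 'allow' or 'implicit_deny': an explicit Deny
    always wins, and with no matching Allow the request is implicitly denied."""
    decision = "implicit_deny"
    for statement in policy["Statement"]:
        if not _match(statement["Action"], action, fold_case=True):
            continue
        if not _match(statement["Resource"], resource):
            continue
        if not _condition_holds(statement.get("Condition"), context or {}):
            continue
        if statement["Effect"] == "Deny":
            return "explicit_deny"
        decision = "allow"
    return decision


if __name__ == "__main__":
    obj = "arn:aws:s3:::example-artifacts/build/app.tar.gz"
    print("endpoint, read build artifact:", evaluate(ENDPOINT_POLICY, "s3:GetObject", obj))
    print("endpoint, read secret:        ",
          evaluate(ENDPOINT_POLICY, "s3:GetObject", "arn:aws:s3:::example-artifacts/secrets/key"))
    print("endpoint, other bucket:       ", evaluate(ENDPOINT_POLICY, "s3:GetObject", "arn:aws:s3:::other/x"))
    print("bucket, via our endpoint:     ",
          evaluate(BUCKET_POLICY, "s3:GetObject", obj, {"aws:sourceVpce": "vpce-0123456789abcdef0"}))
    print("bucket, from the internet:    ", evaluate(BUCKET_POLICY, "s3:GetObject", obj, {}))
```

Note that the bucket policy only ever returns an explicit or implicit deny: it contains no Allow, so the permission to read still has to come from the caller's IAM policy. That is the usual pairing, with the endpoint policy bounding where the VPC can go and the bucket policy bounding where requests for the bucket may come from.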

VPC Flow Logs capture information about the IP traffic going to and from network interfaces in your VPC, at the level of a single interface, a subnet or the whole VPC. Flow records are stored in CloudWatch Logs (S3 has since been added as a destination). Each record contains the source and destination IP addresses and ports, the protocol number, packet and byte counts, the capture window, and whether the traffic was ACCEPTed or REJECTed by the security groups and network ACLs; flow logs record metadata only, never packet payloads. Flow logs do not support network interfaces in the EC2-Classic platform, including instances linked via ClassicLink, nor VPCs peered with a VPC in a different account. When traffic is sent to a secondary IP address of an ENI that has multiple addresses, the record shows the primary private IP in the destination field. Traffic to the Amazon DNS servers is not logged (traffic to your own DNS servers is), and neither are DHCP traffic, traffic to the reserved IP address of the default VPC router, nor traffic to the instance metadata service at 169.254.169.254. More information is in the AWS documentation.
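The records are plain space-separated text, so a few lines of code turn them into something you can alert on. The following is an added example for this page, not AWS code: it parses the default (version 2) record layout and flags sources whose REJECTed attempts spread across many ports. The log lines, account ID, interface ID and addresses in the sample are constructed.

```python
"""Parse VPC flow log records in the default (version 2) format and pull out
the security signal they carry: which sources had connection attempts REJECTed
by a security group or network ACL, and on how many ports. Added example for
this page, not AWS code; the log lines, account ID, interface ID and addresses
below are constructed."""
from collections import defaultdict
from typing import Dict, List

# Default flow log record layout (space separated).
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")
TCP = 6

# Constructed sample: one host probing several ports (all REJECTed), one
# legitimate HTTPS client, one single SSH rejection, and a NODATA window.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.12 41234 22 6 1 60 1600000000 1600000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.12 41235 23 6 1 60 1600000000 1600000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.12 41236 80 6 1 60 1600000000 1600000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.12 41237 443 6 1 60 1600000000 1600000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.12 41238 3389 6 1 60 1600000000 1600000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.23 10.0.1.12 41239 8080 6 1 60 1600000000 1600000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.5 10.0.1.12 50342 443 6 12 4830 1600000000 1600000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 192.0.2.9 10.0.1.12 55001 22 6 1 60 1600000000 1600000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1600000060 1600000119 - NODATA
"""


def parse_flow_log(text: str) -> List[Dict]:
    """Turn raw records into dicts; skips malformed lines and NODATA/SKIPDATA
    windows, which carry no traffic fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # wrong field count: custom format or truncated line, do not guess
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_ports_by_source(records: List[Dict], min_ports: int = 5) -> Dict[str, List[int]]:
    """Sources whose REJECTed TCP attempts touched at least min_ports distinct
    destination ports. A crude scan indicator: one rejected SSH attempt is
    noise, the same source hitting six services is worth a look."""
    ports = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT" and rec["protocol"] == TCP:
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def accepted_bytes_by_pair(records: List[Dict]) -> Dict[str, int]:
    """Bytes of ACCEPTed traffic per 'src->dst:port', the starting point for
    spotting unexpected egress or lateral movement."""
    totals = defaultdict(int)
    for rec in records:
        if rec["action"] == "ACCEPT":
            totals[f'{rec["srcaddr"]}->{rec["dstaddr"]}:{rec["dstport"]}'] += rec["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(len(recs), "records parsed")
    print("suspected scanners:", rejected_ports_by_source(recs))
    print("accepted flows:", accepted_bytes_by_pair(recs))
```

Two caveats follow from the text above: a REJECT tells you a security group or network ACL dropped the traffic, not which one, and the blind spots (Amazon DNS, DHCP, the VPC router, instance metadata) mean absence of a record is not evidence that traffic did not happen.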