4 Fundamental Options to Securely Design AWS Virtual Private Cloud

Many IT leaders are apprehensive about heading into the wilds of a public cloud which is why Amazon Web Services’ VPC provides hybrid private cloud capabilities combining the openness of a public network and the security of a private one. But here’s what you should know about it first.

Destination: The Amazon

The Amazon. It’s still a relatively unexplored and expansive place which, for those uninitiated, can be a little scary, if not outright dangerous. Of course, I’m talking about Amazon Web Services, or AWS – the array of cloud-based offerings which Amazon is hoping you’ll build your nextgen business strategies around. And, while the cloud may not be as physically dangerous as the Amazon rainforest, to voyage throughout it safely means having a good understanding of the landscape and a sound game plan once you’ve arrived.

So, now that your planning committee has done its research, you’ve used the AWS pricing calculator to identify the total fare, and the business has concluded that booking passage into Amazon’s cloud is the best direction to go, the real work of getting there begins.

From the surface it seems easy enough, right? Put this over here. Put that over there. Set up this feature, add that feature, etc. I can tell you from experience it definitely does not parallel Amazon’s online Prime shopping experience. I am not saying it is overly complex, nor am I putting down AWS, but there are many up-front considerations which require advance planning. Making the trip to Amazon’s cloud isn’t as easy as signing up and getting your gear ready to fly.

To enjoy the full impact of your new Amazonian adventure, and so your organization can take full advantage of AWS’ resources, there’s some ground work which must be laid to get your company’s IT environment linked to their cloud. After all, it’s critical that your IT assets can securely talk to AWS and vice versa, and that any large troves of data can flow quickly and unfettered. AWS addresses each of these challenges with its own take on the solution: cloud-connected data is kept secure inside your organization through the use of Virtual Private Clouds (VPCs), and all of this data is kept moving through the use of AWS Direct Connect.

Let’s dive into what each of these solutions are as well as the main options AWS provides for setting them up.


A VPC is essentially a smaller sub-cloud: a logically isolated network partition inside the larger public cloud. Servers outside the VPC cannot see the instances running within it. Virtual private clouds are built from sub-networks, also known as “subnets.” A subnet is a portion of a larger network, and the way AWS’s VPCs are constructed from subnets gives users an extra layer of security. Because a subnet is a logical grouping of connected network devices, the devices in a subnet need to be in close proximity to one another. Network designers divide networks into logical segments in this way for more flexible administration.

One major weakness of any virtual private cloud is the exposure created when its subnets are located in only a single geographic location. Amazon’s offering comes with numerous Availability Zones spread across many regions in nine countries around the world. Availability Zones matter because each one is designed to be isolated from failures in the other Availability Zones. Because the zones are independent of each other, customers can register in multiple zones, which protects them from the unlikely event of a compromise of one Availability Zone.

Security is currently a major preoccupation wherever data is shared in cyberspace. Amazon paid close attention to this when designing its VPC architecture, which is one of the reasons its VPC is in such demand among clients with exacting security requirements. Their trust is earned because security is the main priority of the VPC: the data center and network provided by this package are built to meet security needs optimally. The option is also very flexible, allowing clients to scale and upgrade with the assurance of a continuously safe environment.

AWS provides multiple security options with its VPC, namely security groups and network access control lists (ACLs), so privacy concerns are no longer the issue they are with other cloud options. Security groups provide the protection of inbound and outbound traffic for subnets. While security groups can usually give adequate security, some customers go further by adding a network ACL, which affixes an extra layer of security. Additional security features include the WebServerSG and DBServerSG security groups, which secure the launching of databases into public and private subnets.
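The distinction the paragraph above glosses over is the one that causes most VPC firewall surprises: a security group is a stateful allow-list, while a network ACL is a stateless, ordered rule list with an implicit deny. The following model is an added illustration written for this article; it is not code from the original page, from AWS, or from any AWS SDK. It assumes a simplified rule representation, constructed addresses, and placeholder security-group ids (`sg-web00000`), and it reproduces only the evaluation semantics, including the classic mistake of an outbound ACL that forgets the ephemeral port range, and a DB-tier group that admits only members of the web-tier group rather than a CIDR.

```python
"""Model of how an AWS security group and a network ACL evaluate traffic.

Added illustration for this article; not code from the original page, from AWS,
or from any AWS SDK. The rule representation is simplified, but the evaluation
semantics are the ones AWS documents:
  * a security group is a stateful allow-list: any matching rule permits the
    packet, rule order is irrelevant, and the reply to a permitted request is
    allowed automatically; a rule's source may be a CIDR or another security
    group (which is how a DB-tier group admits only the web tier);
  * a network ACL is stateless: inbound and outbound are evaluated separately,
    rules are tried in ascending rule-number order, the first match decides,
    and anything unmatched hits the implicit final deny rule ("*").
Group ids and addresses below are constructed placeholders.
"""
import ipaddress
from typing import Dict, FrozenSet, List, Tuple

SgRule = Tuple[str, int, int, str]              # (proto, from_port, to_port, source)
NaclRule = Tuple[int, str, int, int, str, str]  # (rule_no, proto, from_port, to_port, cidr, action)


def _peer_matches(peer: str, ip: str, groups: FrozenSet[str]) -> bool:
    """A rule's peer is either a CIDR or the id of another security group ("sg-...")."""
    if peer.startswith("sg-"):
        return peer in groups
    return ipaddress.ip_address(ip) in ipaddress.ip_network(peer, strict=False)


def sg_allows(rules: List[SgRule], proto: str, dst_port: int, src_ip: str,
              src_groups: FrozenSet[str] = frozenset()) -> bool:
    """Security group: permit if any rule matches. No deny rules; order is irrelevant."""
    return any(p == proto and lo <= dst_port <= hi and _peer_matches(peer, src_ip, src_groups)
               for p, lo, hi, peer in rules)


def nacl_allows(rules: List[NaclRule], proto: str, dst_port: int, peer_ip: str) -> bool:
    """Network ACL: the lowest-numbered matching rule decides; implicit deny otherwise.

    peer_ip is the packet's source for an inbound ACL and its destination for an outbound ACL.
    """
    for _, p, lo, hi, cidr, action in sorted(rules):
        if p == proto and lo <= dst_port <= hi and _peer_matches(cidr, peer_ip, frozenset()):
            return action == "allow"
    return False


def https_session(client_ip: str, client_port: int, sg_in: List[SgRule],
                  nacl_in: List[NaclRule], nacl_out: List[NaclRule]) -> Dict[str, bool]:
    """Walk one HTTPS request/reply pair through the instance's security group and the subnet NACL.

    Request: client -> web server on tcp/443. Reply: web server -> client's ephemeral port.
    The security group needs no outbound rule for the reply (stateful); the NACL does.
    """
    request_sg = sg_allows(sg_in, "tcp", 443, client_ip)
    request_nacl = nacl_allows(nacl_in, "tcp", 443, client_ip)
    reply_nacl = nacl_allows(nacl_out, "tcp", client_port, client_ip)
    request_ok = request_sg and request_nacl
    return {
        "request_allowed": request_ok,
        "reply_allowed": request_ok and reply_nacl,
        "reply_blocked_by_nacl": request_ok and not reply_nacl,
    }


# Constructed rule sets in the spirit of the WebServerSG / DBServerSG pair the article mentions
WEB_SG: List[SgRule] = [("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 80, 80, "0.0.0.0/0")]
DB_SG: List[SgRule] = [("tcp", 3306, 3306, "sg-web00000")]   # only members of the web group

NACL_IN: List[NaclRule] = [
    (90, "tcp", 443, 443, "198.51.100.0/24", "deny"),   # an explicit deny, evaluated before the allow
    (100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (110, "tcp", 80, 80, "0.0.0.0/0", "allow"),
]
# Typical mistake: the outbound ACL mirrors the inbound ports, so replies on ephemeral ports are dropped
NACL_OUT_BROKEN: List[NaclRule] = [(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Corrected outbound ACL: allow the ephemeral port range back out to clients
NACL_OUT_FIXED: List[NaclRule] = [(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]


if __name__ == "__main__":
    for label, out_rules in (("broken outbound ACL", NACL_OUT_BROKEN), ("fixed outbound ACL", NACL_OUT_FIXED)):
        print(label, https_session("203.0.113.7", 51234, WEB_SG, NACL_IN, out_rules))
    print("denied client", https_session("198.51.100.9", 51234, WEB_SG, NACL_IN, NACL_OUT_FIXED))
    print("db from web tier", sg_allows(DB_SG, "tcp", 3306, "10.0.0.15", frozenset({"sg-web00000"})))
    print("db from other host", sg_allows(DB_SG, "tcp", 3306, "10.0.0.99"))
```

Run as a script, the model shows the request passing in both cases but the reply being dropped by the broken outbound ACL, and the DB group rejecting an in-VPC host that is not a member of the web group even though its address is inside the VPC. That second behaviour is why the group-to-group reference, not a CIDR, is the right way to wire a DB tier to a web tier.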

AWS enables customers to leverage a robust VPC by sectioning off data inside the Amazon Web Services cloud. Just as with a traditional cloud, applications and services are shared via the web through Amazon Elastic Compute Cloud over IPsec, which is established in the virtual private network. This lets users access information by addressing an IP address of their choice from one or more locations or subnets.

AWS Direct Connect 

Direct Connect is one of the most interesting elements of the AWS private cloud. It provides a connection from the customer’s location to the AWS location. Think of it as a dedicated pipe which lets users connect privately to AWS from a data center, office, or any other location of choice. This usually increases bandwidth and reduces cost, and it provides a more consistent network experience than internet-based connections.

When I first explored this, I thought the Direct Connect was a physical device that AWS put at your site for use in connecting to their datacenters. It’s a bit different than this. In fact, AWS’s Direct Connect leverages other companies like AT&T. For example, in about 45 days, AT&T can set up their version of Direct Connect called NetBond. This establishes a direct pipe from your office to AWS’s datacenter. AT&T will only charge you for the bandwidth you use. Keep in mind you must select a minimum of let’s say 60 MB and pay for that amount each month. While there is generally a 3-year commitment to the NetBond arrangement, there is flexibility, as you have the opportunity to adjust your minimums once a month. AT&T is a good solution due to their global reach. So if you have a location in NY as well as Hong Kong, they can set up the direct pipes for all the locations. It’s also not uncommon to establish 2 pipes to AWS for redundancy, but that’s a topic for another day.

The Direct Connect feature lets the user harness AWS’s resources. Direct Connect guarantees consistent network performance, since clients choose the data they want to transfer as well as the connection. This is better than traditional network options, which routinely get bogged down with data overload, making connections slow and frustrating at times. Direct Connect is also compatible with all AWS services, provides private connectivity to every customer’s Amazon VPC, and is elastic and simple to use.

VPC Packages and Use Scenarios

There are four primary VPC packages available from AWS. We’ll explore them below along with some possible use scenarios. Understandably, each arrangement has its own advantages and leverages different functionality, so you’ll need to determine which setup meets your particular needs.

Option 1: VPC with Single Public Subnet

The most straightforward VPC package has a single public subnet. This makes it a good option for simple, information-only websites or blogs. With this selection, the customer uses the VPC wizard to create a single-tier public web application, as is the case with a website or blog. Although there is only a public subnet with an internet gateway that enables communication over the internet, this selection is tailored to the needs of the uncomplicated user. It has everything necessary: a virtual private cloud sized as a /16 IPv4 CIDR block with over sixty-five thousand private IPv4 addresses. Its subnet is a /24 IPv4 CIDR block, and it offers additional features like a custom route table linked to the subnet.

Option 2: VPC with Public and Private Subnets

The next AWS VPC package offers both public and private subnets. Here there are two possibilities: one is a public web application, while the other is a private application which provides access to back-end servers in a second subnet. This setup lets you run a public web application while keeping the back-end servers private. It gives you the choice of setting up either a NAT instance or a NAT gateway to do the translation. Both subnets are the same /24 IPv4 CIDR size as in option one. This selection provides two route tables, a main route table and a custom route table. The custom route table allows the instances within the VPC to communicate with each other. This is not a perk that the first package has, because it is only given access to the default setting for local routing within the VPC. for details on configuring this option within your organization.

Option 3: VPC with Public and Private Subnets and Hardware VPN

Option three gives the user the capacity to extend their own data center into the cloud, as well as direct access to the internet via the VPC. It has two subnets like the second option, along with a virtual private gateway communicating over an IPsec VPN tunnel. This package is ideal for those who wish to run a multi-tier system with a scalable web tier in a public subnet and store data in a private subnet connected to your own IPsec VPN. The security options attached to this package are also much more robust: the WebServerSG ensures safe launching of database servers in the public subnet, and the DBServerSG ensures security when launching database servers in the VPN-only subnet.

Option 4: VPC with a Private Subnet Only and Hardware VPN Access

The fourth option adds a shield to the direct-internet-access alternatives by ensuring that the customer’s network is not exposed to the internet. There are two additional choices which are more elaborate than the others, with supplementary items like using the AWS CLI to generate a VPC with both public and private subnets. The final package throws in an associated IPv6 CIDR block as well.
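What actually separates the four options above is the default route of each subnet’s route table: an internet gateway makes a subnet public, a NAT gateway or NAT instance makes it private with outbound-only internet access, and a virtual private gateway makes it VPN-only. The check below is an added example written for this article; it is not code from the original page or from AWS. It reads the JSON shape that `aws ec2 describe-route-tables` returns (a `RouteTables` list with `Routes` and `Associations`), so it can run offline against a saved export, and it uses a constructed sample with placeholder ids that mirrors options 2 and 4, including one subnet wrongly attached to the public route table.

```python
"""Classify the subnets of a VPC by the default route of their route table.

Added example for this article; not code from the original page or from AWS.
Input is the JSON shape returned by `aws ec2 describe-route-tables`. A subnet with
no explicit association uses the VPC's main route table, which is why the list of
subnet ids is passed in separately (describe-route-tables does not list implicit
associations). All ids and addresses in the sample are constructed placeholders.
"""
from typing import Dict, List, Optional

# Route attributes that can carry the target of a route, in the order we check them
TARGET_KEYS = ("GatewayId", "NatGatewayId", "InstanceId", "TransitGatewayId",
               "VpcPeeringConnectionId", "NetworkInterfaceId")


def default_route_target(route_table: dict) -> str:
    """Target of the active IPv4 default route (0.0.0.0/0), or "none" if there is none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") == "blackhole":
            continue
        for key in TARGET_KEYS:
            if key in route:
                return route[key]
    return "none"


def exposure(target: str) -> str:
    """Translate a default-route target into the exposure class used in this article's options."""
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-") or target.startswith("i-"):   # NAT gateway or NAT instance
        return "private-nat"
    if target.startswith("vgw-"):
        return "vpn-only"
    if target == "none":
        return "isolated"
    return "other:" + target


def classify_subnets(describe_output: dict, subnet_ids: List[str]) -> Dict[str, str]:
    """Map each subnet id to its exposure class, falling back to the main route table."""
    tables = describe_output["RouteTables"]
    main_table: Optional[dict] = next(
        (t for t in tables if any(a.get("Main") for a in t.get("Associations", []))), None)
    explicit = {a["SubnetId"]: t for t in tables
                for a in t.get("Associations", []) if "SubnetId" in a}
    result: Dict[str, str] = {}
    for subnet in subnet_ids:
        table = explicit.get(subnet, main_table)
        result[subnet] = exposure(default_route_target(table)) if table else "isolated"
    return result


def audit(intended: Dict[str, str], actual: Dict[str, str]) -> List[str]:
    """Findings for every subnet whose real exposure differs from the intended design."""
    return [f"{s}: intended {intended[s]}, actual {actual.get(s, 'missing')}"
            for s in intended if actual.get(s) != intended[s]]


# Constructed sample in the describe-route-tables shape (placeholder ids)
SAMPLE = {"RouteTables": [
    {"RouteTableId": "rtb-main0000", "VpcId": "vpc-00000000",     # main table: private subnets via NAT
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-00000000", "State": "active"}],
     "Associations": [{"Main": True, "RouteTableId": "rtb-main0000"}]},
    {"RouteTableId": "rtb-public00", "VpcId": "vpc-00000000",     # custom table for the public subnet
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-00000000", "State": "active"}],
     "Associations": [{"Main": False, "SubnetId": "subnet-web0000"},
                      {"Main": False, "SubnetId": "subnet-db00000"}]},   # mistake: DB subnet on the public table
    {"RouteTableId": "rtb-vpn00000", "VpcId": "vpc-00000000",     # option 4: VPN-only subnet via the VGW
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vgw-00000000", "State": "active"}],
     "Associations": [{"Main": False, "SubnetId": "subnet-vpn0000"}]},
]}
SUBNETS = ["subnet-web0000", "subnet-app0000", "subnet-db00000", "subnet-vpn0000"]
INTENDED = {"subnet-web0000": "public", "subnet-app0000": "private-nat",
            "subnet-db00000": "private-nat", "subnet-vpn0000": "vpn-only"}

if __name__ == "__main__":
    actual = classify_subnets(SAMPLE, SUBNETS)
    print(actual)
    for finding in audit(INTENDED, actual):
        print("FINDING:", finding)
```

Run as a script it reports the application subnet as `private-nat` (it has no explicit association, so it inherits the main table), the VPN subnet as `vpn-only`, and one finding: the database subnet is public because it was associated with the internet-gateway route table. Comparing an intended design to the live route tables this way is a cheap guard against the quiet drift from option 2 or 4 back to an internet-exposed layout.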


Cost efficiency is one of the reasons AWS VPC appeals to more people than the public internet. It reduces network cost, which helps price efficiency since customers are not expected to pay cover charges. There is no reason for a client to be charged for applications they are not using under the AWS package, since billing is itemized and the client pays only for what they need. From our experience, there’s also a great support team on standby to make sure customers are given the right orientation in terms of packages and items.

VPCs are an incredibly safe way to store and access information, which has made them a popular option since their inception. As a leader in cloud programming, Amazon has taken into consideration the major security liabilities which many traditional private clouds are still vulnerable to. This has allowed it to produce its own version, which is more secure, easier to use, and cost efficient. The AWS VPC is cutting edge in its construction and thoughtfully crafted to give users the best satisfaction in terms of network connectivity, elasticity, simplicity, security and sophistication. Individuals and organizations in need of more secure, cloud-based storage options will be pleased with Amazon’s AWS VPC.

About Allari

Allari helps I.T. leaders shine by leveraging proven IT-as-a-Service success models to create customized plans for I.T. Operations & Cybersecurity functions. Customers leverage Allari’s basic services to fulfill specific Roles, Work Areas, Knowledge Capture initiatives as well as reinforcing their core competencies such as Security Operations Center, Application Services, Help Desk Services and Software Product Sales allowing them to be more productive and cost efficient. Allari takes pride in helping these leaders take control of their destinies by providing them the space they need to build stronger relationships with their businesses. As a result, these leaders get the recognition they deserve which ultimately helps to make I.T. fun again!

The company provides services via offices in the United States, Ecuador, Brazil and India serving customers in over 55 countries. Visit www.allari.com.