Amazon VPC

A service for building a logically isolated virtual network within the AWS cloud, giving you full control over IP address ranges, routing, and security

Overview

Amazon Virtual Private Cloud (VPC) is a service that creates a dedicated virtual network space within the AWS cloud. You define IP address ranges with CIDR blocks and freely configure network components such as subnets, route tables, internet gateways, NAT gateways, security groups, and network ACLs. Resources accessible from the internet are placed in public subnets, while databases and internal services go in private subnets, enabling a defense-in-depth network design. VPC Peering and Transit Gateway connect multiple VPCs, and VPN or Direct Connect enables hybrid connectivity with on-premises environments. VPC Flow Logs record network traffic for security auditing and troubleshooting.

Subnet Design and Defense in Depth

VPC subnet design is a foundational element of AWS architecture. A common design pattern creates one public subnet and one private subnet in each Availability Zone. Public subnets are associated with a route table that has a route to the internet gateway, and ALBs or NAT gateways are placed there. Private subnets reach the internet only outbound, through the NAT gateway, and hold EC2 instances or RDS instances. For medium and larger workloads, a three-tier configuration adding a dedicated database subnet layer (public, application, database x 2 AZs) is recommended. For CIDR block design, it is common to allocate a /16 (65,536 IPs) to the VPC and a /24 (251 usable IPs) to each subnet, leaving room for future expansion. Security groups act as stateful firewalls at the instance level, controlling inbound and outbound traffic by port number and source/destination. Network ACLs are stateless firewalls that provide an additional layer of access control at the subnet level.
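The following Python script is an added example, not code from the original article: it carries out the subnet plan described above by carving a /16 VPC CIDR into /24 subnets for three tiers across two Availability Zones, assigning each tier the route table the pattern calls for, and checking the invariants a reviewer would look for before applying the design (subnets inside the VPC, no overlaps, only the public tier routed to the internet gateway). The AZ labels, the route-table and gateway names, and the choice to give the database tier no default route at all are this example's assumptions, not statements from the article.

```python
import ipaddress

# AWS reserves the first four and the last address of every subnet, so a
# /24 yields 256 - 5 = 251 usable hosts.
AWS_RESERVED_PER_SUBNET = 5

# Tier -> route table (names are this example's assumptions):
#   public:      shared table with a default route to the internet gateway
#   application: one table per AZ with a default route to that AZ's NAT gateway
#   database:    one table per AZ with only the implicit local route (no egress)
TIERS = ("public", "application", "database")


def route_table_for(tier, az):
    if tier == "public":
        return "rt-public"
    if tier == "application":
        return f"rt-app-{az}"
    return f"rt-db-{az}"


def plan_subnets(vpc_cidr, azs, tiers=TIERS, subnet_prefix=24):
    """Carve the VPC CIDR into one subnet per (tier, AZ), in address order.

    Returns {"<tier>-<az>": {"cidr", "usable_ips", "route_table"}}.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = vpc.subnets(new_prefix=subnet_prefix)  # iterator over the /24s
    plan = {}
    for tier in tiers:
        for az in azs:
            block = next(blocks)
            plan[f"{tier}-{az}"] = {
                "cidr": str(block),
                "usable_ips": block.num_addresses - AWS_RESERVED_PER_SUBNET,
                "route_table": route_table_for(tier, az),
            }
    return plan


def route_tables(azs):
    """Non-local routes per route table; targets are placeholder names."""
    tables = {"rt-public": {"0.0.0.0/0": "igw"}}
    for az in azs:
        tables[f"rt-app-{az}"] = {"0.0.0.0/0": f"nat-{az}"}
        tables[f"rt-db-{az}"] = {}  # local route only: no path to the internet
    return tables


def check_plan(vpc_cidr, plan, tables):
    """Invariants to verify before applying the design: every subnet lies
    inside the VPC and none overlap; the public tier defaults to the IGW,
    the application tier to a NAT gateway, and the database tier has no
    default route. Raises ValueError on the first violation, else True."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(v["cidr"]) for name, v in plan.items()}
    names = list(nets)
    for i, a in enumerate(names):
        if not nets[a].subnet_of(vpc):
            raise ValueError(f"{a} ({nets[a]}) is outside {vpc}")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} and {b} overlap: {nets[a]} / {nets[b]}")
    for name, v in plan.items():
        default = tables[v["route_table"]].get("0.0.0.0/0")
        tier = name.split("-", 1)[0]
        if tier == "public" and default != "igw":
            raise ValueError(f"{name} lacks a default route to the IGW")
        if tier == "application" and not (default or "").startswith("nat-"):
            raise ValueError(f"{name} must egress through a NAT gateway")
        if tier == "database" and default is not None:
            raise ValueError(f"{name} must not have a default route")
    return True


if __name__ == "__main__":
    azs = ("a", "c")  # AZ suffixes, e.g. ap-northeast-1a / ap-northeast-1c
    plan = plan_subnets("10.0.0.0/16", azs)
    tables = route_tables(azs)
    check_plan("10.0.0.0/16", plan, tables)
    for name, v in plan.items():
        print(f"{name:16} {v['cidr']:14} usable={v['usable_ips']} {v['route_table']}")
```

The database tier is deliberately left without a default route: a subnet that cannot reach the internet at all is a stronger control than one whose security group merely denies inbound traffic, and the check function turns that design intent into something a pipeline can fail on.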

VPC Endpoints and NAT Gateway Cost Control

A NAT gateway belongs to a single AZ, so a resilient design creates one per AZ, each costing approximately $0.062 per hour plus data processing charges. In environments with heavy outbound traffic, this can reach hundreds of dollars per month and is an often-overlooked cost factor. For S3 and DynamoDB access, Gateway-type VPC endpoints (free of charge) allow direct communication without routing through the NAT gateway, reducing data processing charges. For other AWS services, Interface-type endpoints (charged hourly) are available, though the decision to adopt them should weigh traffic volume against the hourly cost. Azure NAT Gateway follows a similar pricing model but supports zone-redundant configurations, eliminating the need to create separate instances per AZ. For a comprehensive study of Amazon VPC best practices, technical books on Amazon are a helpful reference.

Transit Gateway and Hybrid Connectivity

Inter-VPC connectivity options should be chosen based on scale. For small configurations with two or three VPCs, VPC Peering is sufficient, with no additional charges beyond data transfer. For larger environments, Transit Gateway provides a hub-and-spoke topology that can aggregate thousands of VPCs and on-premises networks into a single gateway, dramatically simplifying route management. For on-premises connectivity, there are two options: Site-to-Site VPN (encrypted tunnels over the internet) and Direct Connect (dedicated physical connections). VPN can be set up in hours and is easy to get started with, while Direct Connect is the choice when stable bandwidth and low latency are required. Enabling VPC Flow Logs records traffic at the network interface level, providing valuable data for security auditing and troubleshooting connectivity issues.
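As an added example that is not part of the original article, the Python below parses VPC Flow Log records in the default version 2 format and runs two checks a defender would want from the auditing use case mentioned above: a count of rejected connection attempts per source address and destination port (the footprint a port probe leaves), and a list of accepted sessions to administrative ports that originated outside RFC 1918 space (each one means a security group permits that exposure). The log lines are constructed for the example, the account and interface IDs are placeholders, and treating RFC 1918 ranges as "internal" is an assumption standing in for whatever a real deployment considers internal.

```python
import ipaddress
from collections import Counter

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Addresses treated as internal in this example: RFC 1918 (an assumption).
INTERNAL = [ipaddress.ip_network(c)
            for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORTS = {22, 3389}

# Constructed sample records (not real captures; account and ENI ids are placeholders):
# one accepted SSH session from outside, one internal flow, three rejected probes,
# and a NODATA row of the kind the parser must skip.
SAMPLE_LOG = """\
2 111111111111 eni-0000000000000001 198.51.100.23 10.0.2.15 51234 22 6 12 1890 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0000000000000001 10.0.0.10 10.0.2.15 44320 8080 6 30 5120 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-0000000000000001 203.0.113.9 10.0.2.15 40001 3389 6 1 40 1700000000 1700000060 REJECT OK
2 111111111111 eni-0000000000000001 203.0.113.9 10.0.2.15 40002 3389 6 1 40 1700000000 1700000060 REJECT OK
2 111111111111 eni-0000000000000001 203.0.113.9 10.0.2.15 40003 445 6 1 40 1700000000 1700000060 REJECT OK
2 111111111111 eni-0000000000000002 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records into dicts; drop NODATA/SKIPDATA rows,
    whose address and port fields are '-', and any line with the wrong
    field count (custom formats need their own field list)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for f in INT_FIELDS:
            rec[f] = int(rec[f])
        records.append(rec)
    return records


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL)


def rejected_by_source_port(records):
    """Count REJECTed flows per (source address, destination port)."""
    return Counter((r["srcaddr"], r["dstport"])
                   for r in records if r["action"] == "REJECT")


def accepted_admin_from_external(records, admin_ports=ADMIN_PORTS):
    """ACCEPTed flows to admin ports whose source is not internal."""
    return [r for r in records
            if r["action"] == "ACCEPT"
            and r["dstport"] in admin_ports
            and not is_internal(r["srcaddr"])]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for (src, port), n in rejected_by_source_port(recs).most_common():
        print(f"REJECT {src} -> port {port}: {n}")
    for r in accepted_admin_from_external(recs):
        print(f"ACCEPT from external {r['srcaddr']} -> "
              f"{r['dstaddr']}:{r['dstport']} on {r['interface_id']}")
```

On real data the same two functions run over records pulled from the CloudWatch Logs group or S3 prefix the flow log is delivered to; the REJECT counts are mostly noise to baseline, while the second list should normally be empty and is worth alerting on.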
