19 Matching Annotations
  1. Apr 2021
  2. May 2020
    1. A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network.
    1. Endpoint policies are currently supported by CodeBuild, CodeCommit, ELB API, SQS, SNS, CloudWatch Logs, API Gateway, SageMaker notebooks, SageMaker API, SageMaker Runtime, Cloudwatch Events and Kinesis Firehose.
    1. Using VPC endpoint policies A VPC endpoint policy is an IAM resource policy that you attach to an endpoint when you create or modify the endpoint. If you do not attach a policy when you create an endpoint, we attach a default policy for you that allows full access to the service. If a service does not support endpoint policies, the endpoint allows full access to the service. An endpoint policy does not override or replace IAM user policies or service-specific policies (such as S3 bucket policies). It is a separate policy for controlling access from the endpoint to the specified service.
    1. An interface VPC endpoint (interface endpoint) enables you to connect to services powered by AWS PrivateLink.

      let you connect to aws service in private vpc

    1. TGW coupled with AWS Resource Access Manager will allow you to use a single Transit Gateway across multiple AWS accounts, however, it’s still limited to a single region.

      TGW, cross multi accounts

    2. Direct Connect Gateway – DGW DGW builds upon VGW capabilities adding the ability to connect VPCs in one region to a Direct Connect in another region. CIDR addresses cannot overlap. In addition, traffic will not route from VPC-A to the Direct Connect Gateway and to VPC-B. Traffic will have to route from the VPC-A —> Direct Connect —-> Data Centre Router —-> Direct Connect —> VPC-B.

      besides VGW, connect to another region through direct connect.

    3. Virtual Private Gateway – VGW The introduction of the VGW introduced the ability to let multiple VPCs, in the same region, on the same account, share a Direct Connect. Prior to this, you’d need a Direct Connect Private Virtual Interface (VIF) for each VPC, establishing a 1:1 correlation, which didn’t scale well both in terms of cost and administrative overhead.  VGW became a solution that reduced the expense of requiring new Direct Connect circuits for each VPC as long as both VPCs were in the same region, on the same account. This construct can be used with either Direct Connect or the Site-to-Site VPN.

      VGW, save direct connect fee, by using one to coonect all vpcs in same region

  3. May 2019
    1. When designing the addressing plan for an application, the primary consideration is to keep the CIDR blocks used for creating subnets within a single zone as contiguous as possible
    1. The CIDR block must not be the same or larger than the CIDR range of a route in any of the VPC route tables.
    2. You have a limit on the number of CIDR blocks you can associate with a VPC and the number of routes you can add to a route table. You cannot associate a CIDR block if this results in you exceeding your limits.
      • IPv4 CIDR blocks per VPC 5 This limit is made up of your primary CIDR block plus 4 secondary CIDR blocks.

      • Route tables per VPC


      This limit includes the main route table.

      • Routes per route table (non-propagated routes)


      You can increase this limit up to a maximum of 1000; however, network performance might be impacted. This limit is enforced separately for IPv4 routes and IPv6 routes.

      If you have more than 125 routes, we recommend that you paginate calls to describe your route tables for better performance.

    3. You cannot increase or decrease the size of an existing CIDR block.
    4. The allowed block size is between a /28 netmask and /16 netmask.
    5. Adding IPv4 CIDR Blocks to a VPC

      Expanding a VPC IPv4 CIDR block

    1. The permissible size of the block ranges between /16 netmask and a /28 netmask.

      Permissible AWS CIDR block range for AWS VPC

    1. When creating VPCs and VSwitches, you have to specify the private IP address range for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block. Private IP address range of VPC Use,, and or their subsets as the private IP address range for your VPC. Note the following when planning the private IP address range of VPC: If you have only one VPC and it does not have to communicate with a local data center, you are free to use any of the preceding IP address ranges or their subnets. If you have multiple VPCs, or you want to build a hybrid cloud composed of one or more VPCs and local data centers, we recommend that you use a subset of these standard IP address ranges as the IP address range for your VPC and make sure that the netmask is no larger than /16. You also need to consider whether the classic network is used when selecting a VPC CIDR block. If you plan to connect ECS instances in a classic network with a VPC, we recommend that you do not use the IP address range, which is also used by the classic network.

      VPC CIDR / IP Addressing plan