AWS Default VPC
Every AWS account comes with a default VPC in each region. AWS creates these default VPCs so that users can get started quickly. Because many new AWS users simply use the default VPC that the system created in the region where they create their resources, it is important to understand its out-of-the-box characteristics: its components, the default security, the connectivity it offers and so on. A solid understanding of the system-created default VPC is also a firm foundation for building your own VPCs and more advanced designs.
AWS Regions and Availability Zones
VPCs are regional: a VPC lives in one region and spans that region's Availability Zones.
Regions have multiple Availability Zones (usually 2 to 4; Northern Virginia has 6). To check the current number of Availability Zones in a Region, consult the AWS Global Infrastructure page: https://aws.amazon.com/about-aws/global-infrastructure/
The diagram below shows us-west-2 Region which is located in Oregon.
There are 4 Availability Zones in the us-west-2 Region:
us-west-2a / us-west-2b / us-west-2c / us-west-2d
Default VPC and Default Subnets
When an AWS user chooses to work in the us-west-2 region, the system automatically creates a default VPC for this region along with 4 default subnets, one in each Availability Zone (us-west-2a / us-west-2b / us-west-2c / us-west-2d).
Diagram 3 below is the VPC dashboard for region us-west-2, showing the default VPC and its 4 subnets (one per AZ).
The default VPC is allocated the IPv4 CIDR 172.31.0.0/16, and the default subnets are allocated 172.31.0.0/20, 172.31.16.0/20, 172.31.32.0/20 and 172.31.48.0/20, as shown in Diagram 4.
Default VPC - Routing and Security
To demonstrate routing and security in the default VPC we will create EC2 instances and place them in 2 different AZs (us-west-2a and us-west-2b).
EC2 Instance1 Details
AZ: us-west-2a
IP: 172.31.54.167 Subnet Mask: 255.255.240.0
EC2 Instance2 Details
AZ: us-west-2a
IP: 172.31.58.77 Subnet Mask: 255.255.240.0
EC2 Instance3 Details
AZ: us-west-2b
IP: 172.31.22.190 Subnet Mask: 255.255.240.0
The launch wizard will try to create a new security group, “launch-wizard-n”, for each new instance. However, for the purpose of demonstrating the default security group we will assign the instances to this VPC’s default security group instead.
Default Security Group
The default security group comprises the following inbound and outbound rules. A security group provides stateful firewall functionality bound to the network interface of the instance, so traffic in the reverse direction of an allowed flow does not require any explicit rule.
Internet Connectivity
The default VPC provides Internet connectivity via an Internet Gateway and public IP addressing.
Let's allow SSH access to the instances by adding the following to the default security group’s inbound rules:
Let's initiate an SSH session to Instance3 in the us-west-2b AZ and subnet 172.31.16.0/20.
The instance has been assigned
Public IP address: 54.186.132.154
Public DNS: ec2-54-186-132-154.us-west-2.compute.amazonaws.com
Internet Gateway
Internet connectivity is provided by the default route on the EC2 instances, which points to the VPC router address of the instance's subnet as the next hop.
The default gateway of Instance3 is set to 172.31.16.1, the VPC router address for subnet 172.31.16.0/20.
Internal VPC and Internet connectivity route lookups
Let's check the route lookups (host level and VPC level) for Intra-AZ, Inter-AZ and Internet connectivity.
VPC Route Table
The instances have the following next-hop addresses in their routing tables for Inter-AZ and Internet connectivity:
Instance1 VPC Next-Hop IP — Inter-AZ and Internet connectivity: 172.31.48.1
Instance2 VPC Next-Hop IP — Inter-AZ and Internet connectivity: 172.31.48.1
Instance3 VPC Next-Hop IP — Inter-AZ and Internet connectivity: 172.31.16.1
Scenario1: Intra-AZ connectivity (Instance1 <-> Instance2)
Host lookup: the packet is routed directly via eth0 onto the VPC, because the destination is in the instance's own subnet.
VPC route lookup
The VPC then routes the packet locally within the VPC.
Let's ping Instance2 from Instance1.
It is interesting to notice that we do not have any explicit rule in the default security group that allows connectivity between Instance1 and Instance2.
So how are we able to ping these instances successfully?
This is due to the inbound rule whose source is set to the security group's own ID. This rule enables reachability between all instances in the VPC that are bound to the same security group.
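To make the stateful behaviour described under Default Security Group and the “source = own security group” rule concrete, here is an added Python model of how the default security group evaluates a flow. It is example code written for this post, not AWS code or AWS output. It assumes the rules as the post describes them (inbound: all traffic from the group itself; outbound: all traffic) plus the added SSH rule; because the screenshot with the real SSH rule is not reproduced here, its source range 203.0.113.0/24 is a constructed placeholder, as are the group id sg-DEFAULT and the external address 198.51.100.1.

```python
import ipaddress
from dataclasses import dataclass

# Placeholder: the post does not show the real id of the default security group.
SG_ID = "sg-DEFAULT"


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp" or "-1" (all traffic)
    from_port: int
    to_port: int
    peer: str       # a CIDR, or a security group id meaning "members of that group"
                    # (source for inbound rules, destination for outbound rules)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str
    sport: int = 0  # 0 for ICMP
    dport: int = 0


# Default security group as the post describes it: inbound allows all traffic whose
# source is the group itself, outbound allows all traffic.
DEFAULT_INBOUND = [Rule("-1", 0, 65535, SG_ID)]
DEFAULT_OUTBOUND = [Rule("-1", 0, 65535, "0.0.0.0/0")]

# Private addresses of the three instances the post places in the default group.
MEMBERS = {"172.31.54.167", "172.31.58.77", "172.31.22.190"}


class StatefulSecurityGroup:
    """Security group semantics: rules are allow-only and unordered (any match permits,
    no match means deny), and replies to an already-allowed flow pass without a rule."""

    def __init__(self, sg_id, members, inbound, outbound):
        self.sg_id = sg_id
        self.members = set(members)
        self.inbound = list(inbound)
        self.outbound = list(outbound)
        self.established = set()  # (src, dst, protocol, sport, dport) of allowed flows

    def _peer_matches(self, rule, ip):
        if rule.peer.startswith("sg-"):
            return rule.peer == self.sg_id and ip in self.members
        return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.peer)

    def _service_matches(self, rule, flow):
        if rule.protocol == "-1":
            return True
        if rule.protocol != flow.protocol:
            return False
        return flow.protocol == "icmp" or rule.from_port <= flow.dport <= rule.to_port

    def _is_reply(self, flow):
        return (flow.dst, flow.src, flow.protocol, flow.dport, flow.sport) in self.established

    def _evaluate(self, rules, flow, peer):
        if self._is_reply(flow):
            return True, "established"
        for rule in rules:
            if self._service_matches(rule, flow) and self._peer_matches(rule, peer):
                self.established.add((flow.src, flow.dst, flow.protocol, flow.sport, flow.dport))
                return True, rule.peer
        return False, "no matching rule (implicit deny)"

    def inbound_allowed(self, flow):
        """flow.dst is an instance in the group; rules are checked against flow.src."""
        return self._evaluate(self.inbound, flow, flow.src)

    def outbound_allowed(self, flow):
        """flow.src is an instance in the group; rules are checked against flow.dst."""
        return self._evaluate(self.outbound, flow, flow.dst)


def run_scenarios(ssh_source="203.0.113.0/24"):
    """Replays the post's traffic against the default group plus the added SSH rule.
    203.0.113.0/24 and 198.51.100.1 are constructed documentation-range addresses."""
    sg = StatefulSecurityGroup(SG_ID, MEMBERS,
                               DEFAULT_INBOUND + [Rule("tcp", 22, 22, ssh_source)],
                               DEFAULT_OUTBOUND)
    r = {}
    # Scenario1: Instance1 pings Instance2; allowed by the "source = own group" rule.
    r["intra_sg_ping"] = sg.inbound_allowed(Flow("172.31.54.167", "172.31.58.77", "icmp"))
    # SSH to Instance3: the public IP 54.186.132.154 is translated at the Internet
    # Gateway, so the group evaluates the private address 172.31.22.190.
    r["ssh_from_allowed"] = sg.inbound_allowed(Flow("203.0.113.10", "172.31.22.190", "tcp", 51000, 22))
    # HTTP from the same client: no rule covers port 80, so it is dropped.
    r["http_from_allowed_host"] = sg.inbound_allowed(Flow("203.0.113.10", "172.31.22.190", "tcp", 51001, 80))
    # Instance1 pings the Internet: outbound allow-all, then the echo reply rides on state.
    r["outbound_ping"] = sg.outbound_allowed(Flow("172.31.54.167", "198.51.100.1", "icmp"))
    r["ping_reply"] = sg.inbound_allowed(Flow("198.51.100.1", "172.31.54.167", "icmp"))
    # The same external host pinging Instance2 unsolicited has no state and no rule.
    r["unsolicited_ping"] = sg.inbound_allowed(Flow("198.51.100.1", "172.31.58.77", "icmp"))
    # Instance3's SSH reply to the client is matched by state before any outbound rule.
    r["ssh_reply"] = sg.outbound_allowed(Flow("172.31.22.190", "203.0.113.10", "tcp", 22, 51000))
    return r


if __name__ == "__main__":
    for name, (allowed, why) in run_scenarios().items():
        status = "ALLOW" if allowed else "DENY"
        print(f"{name:24s} {status:5s} {why}")
```

Two details the model makes visible: the group only ever sees private addresses, because the public IP is translated at the Internet Gateway, and a security group has no deny rules, so anything that no rule matches is dropped.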
Scenario2: Inter-AZ connectivity (Instance1 <-> Instance3)
Host lookup: the packet is routed to the VPC router address 172.31.48.1.
VPC Route Table
The VPC then routes the packet locally within the VPC.
Let's ping Instance3 from Instance1.
Scenario3: Internet Connectivity (Instance1 <-> Internet)
Host lookup: the packet is routed to the VPC router address 172.31.48.1.
VPC Route Table
The VPC then forwards the packet to the Internet Gateway.
Let's ping the Internet from Instance1.
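The three scenarios above can be reproduced offline. The following Python code is an added example, not code from the post and not an AWS API; it models the instance routing table (connected subnet on-link, default route via the subnet's VPC router) and the default VPC's main route table (VPC CIDR local, 0.0.0.0/0 to the Internet Gateway) using the post's addresses. The Internet Gateway id igw-EXAMPLE and the external address 198.51.100.7 are placeholders.

```python
import ipaddress

# Default VPC addressing for us-west-2 as given in the post.
VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")
DEFAULT_SUBNETS = [ipaddress.ip_network(c) for c in
                   ("172.31.0.0/20", "172.31.16.0/20", "172.31.32.0/20", "172.31.48.0/20")]

# Main route table of the default VPC: a local route for the VPC CIDR and a default route
# to the Internet Gateway. "igw-EXAMPLE" is a placeholder; the post does not show the id.
VPC_ROUTES = [
    (ipaddress.ip_network("172.31.0.0/16"), "local"),
    (ipaddress.ip_network("0.0.0.0/0"), "igw-EXAMPLE"),
]

INSTANCES = {  # private addresses from the post
    "Instance1": "172.31.54.167",
    "Instance2": "172.31.58.77",
    "Instance3": "172.31.22.190",
}


def derived_default_subnets():
    """Carving the /16 into /20s and taking the first four reproduces the post's subnets."""
    return list(VPC_CIDR.subnets(new_prefix=20))[:4]


def subnet_of(ip):
    addr = ipaddress.ip_address(ip)
    for net in DEFAULT_SUBNETS:
        if addr in net:
            return net
    raise ValueError(f"{ip} is not in any default subnet")


def vpc_router(subnet):
    """The first usable address of every subnet (network + 1) is reserved for the VPC router."""
    return subnet.network_address + 1


def host_lookup(src, dst):
    """Instance routing table: the connected /20 is on-link via eth0; the default route
    points at the subnet's VPC router."""
    src_net = subnet_of(src)
    if ipaddress.ip_address(dst) in src_net:
        return "eth0 (on-link)"
    return str(vpc_router(src_net))


def vpc_lookup(dst):
    """Longest-prefix match over the VPC route table; returns the route target."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, target) for net, target in VPC_ROUTES if addr in net]
    net, target = max(matches, key=lambda r: r[0].prefixlen)
    return target


def trace(src, dst):
    """Combines both lookups and names the scenario the post uses for that path."""
    host_hop = host_lookup(src, dst)
    target = vpc_lookup(dst)
    if host_hop.startswith("eth0"):
        scenario = "Intra-AZ"   # one default subnet per AZ, so same subnet means same AZ
    elif target == "local":
        scenario = "Inter-AZ"
    else:
        scenario = "Internet"
    return {"host_next_hop": host_hop, "vpc_target": target, "scenario": scenario}


if __name__ == "__main__":
    i1, i2, i3 = (INSTANCES[k] for k in ("Instance1", "Instance2", "Instance3"))
    # 198.51.100.7 is a constructed external address from the documentation range.
    for src, dst in ((i1, i2), (i1, i3), (i1, "198.51.100.7")):
        print(src, "->", dst, trace(src, dst))
```

Running it prints the host next hop, VPC route target and scenario name for each of the three paths; for Instance1 the host next hop is eth0 for Instance2 and 172.31.48.1 for both Instance3 and the Internet, exactly as in the route lookups above.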