A Default VPC is created in each region when an AWS account is created. The default VPC comes with a few preconfigured VPC elements:
- Subnet in each Availability Zone
- Main Route table
- Main Network Access Control List (NACL)
- Internet Gateway
- Security Group
VPC
- In this case, the VPC CIDR (Classless Inter-Domain Routing) range is `172.31.0.0/16`.
- `/16` means the first 16 bits of this range are fixed. It allows a maximum of 65536 IP addresses, starting with `172.31.0.0` and ending with `172.31.255.255`.
- This is the largest VPC that AWS allows.
Subnets
- A subnet is simply a sub-network.
- The address space of the VPC (in this case, the pool of 65536 addresses) can be subdivided into multiple networks.
Subnet 1
- CIDR is `172.31.0.0/20`.
- This gives 4096 IP addresses (the first 20 bits are fixed, which leaves 32 - 20 = 12 bits for host addresses within the subnet; 2 to the power 12 is 4096).
- Out of these, AWS reserves 5 addresses for management.
- This leaves 4091 addresses for the subnet.
- The first address in the subnet is `172.31.0.0` and the last address is `172.31.15.255`.
Subnet 2
- CIDR is `172.31.16.0/20`.
- The subnet has 4091 addresses (after leaving 5 for AWS).
- The first address is `172.31.16.0`, the last address is `172.31.31.255`.
Subnet 3
- CIDR is `172.31.32.0/20`.
- The subnet has 4091 addresses (after leaving 5 for AWS).
- The first address is `172.31.32.0`, the last address is `172.31.47.255`.
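The CIDR arithmetic from the VPC and subnet sections, worked through with Python's standard `ipaddress` module. This is an added example, not code from the original post: the VPC range and the /20 prefix are the post's values, and the list of which 5 addresses AWS reserves per subnet (network address, VPC router, DNS, reserved for future use, broadcast) follows AWS documentation rather than the post. The function names are my own.

```python
# Added example (not from the original post): the /16 VPC and /20 subnet
# arithmetic from the post, computed with the standard library.
import ipaddress

# AWS reserves the first four addresses and the last (broadcast) address
# of every subnet; the post only says "5 addresses for management".
AWS_RESERVED_PER_SUBNET = 5


def vpc_summary(vpc_cidr):
    """Size of the whole VPC range, e.g. 65536 addresses for 172.31.0.0/16."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return {"cidr": str(vpc), "total": vpc.num_addresses}


def subnet_summary(cidr):
    """The numbers the post derives for one subnet: bits, sizes, first/last."""
    net = ipaddress.ip_network(cidr, strict=True)
    host_bits = net.max_prefixlen - net.prefixlen   # 32 - 20 = 12 for a /20
    total = 2 ** host_bits                           # 4096 for a /20
    first = net.network_address
    last = net.broadcast_address
    # Per AWS docs: network, router, DNS, future use, then broadcast.
    reserved = [str(first + i) for i in range(4)] + [str(last)]
    return {
        "cidr": str(net),
        "host_bits": host_bits,
        "total": total,
        "usable": total - AWS_RESERVED_PER_SUBNET,   # 4091 for a /20
        "first": str(first),
        "last": str(last),
        "reserved": reserved,
    }


def carve_subnets(vpc_cidr, new_prefix, count):
    """Carve the first `count` /new_prefix subnets out of the VPC range, in order."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    gen = vpc.subnets(new_prefix=new_prefix)
    return [str(next(gen)) for _ in range(count)]


def fits_in_vpc(vpc_cidr, subnet_cidr):
    """True when the subnet lies entirely inside the VPC's address space."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    sub = ipaddress.ip_network(subnet_cidr, strict=True)
    return sub.subnet_of(vpc)


if __name__ == "__main__":
    print(vpc_summary("172.31.0.0/16"))
    for cidr in carve_subnets("172.31.0.0/16", 20, 3):
        s = subnet_summary(cidr)
        print(f"{s['cidr']}: {s['total']} total, {s['usable']} usable, "
              f"{s['first']} .. {s['last']}, reserved {s['reserved']}")
```

Running the script prints the three /20 subnets in the same order as the post's Subnet 1 to 3 sections; `fits_in_vpc` is the check to run before creating any additional subnet, since a CIDR outside `172.31.0.0/16` would be rejected by AWS anyway.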
Default Route
- Route tables are associated with subnets.
- Every subnet in a VPC must be associated with a route table.
- If a subnet has no explicit association with a route table, it is implicitly associated with the main route table.
- In the Default VPC, all subnets are implicitly associated with the main route table.
- A route table directs network traffic in the VPC.
The main route table of the default VPC is interpreted as follows:
Any traffic destined for any of the VPC addresses (the 65K addresses) remains local to the VPC.
Any traffic destined for the internet (`0.0.0.0/0`) is directed to the Internet Gateway that is already created and attached to the VPC.
Default NACL
- A NACL is the security layer for a subnet.
- Any inbound/outbound rule defined in a NACL affects all the services in the subnet with which the NACL is associated.
- The default NACL inbound rule allows traffic from the internet (`0.0.0.0/0`) on any protocol/port. Similarly, the default outbound rule allows traffic to leave the subnet on any protocol/port.
- In other words, the default NACL does nothing to protect the subnet, as it allows all traffic to enter and leave it.
- This is why the subnets are depicted as public subnets: they are reachable from the Internet.
Default Security Group
- Security Groups act as firewalls for instances in a subnet.
- Once traffic passes the screening at the subnet level (via NACLs), it is evaluated again by the security group rules before reaching the destination (for inbound traffic).
- Unlike NACLs, there is no DENY configuration for security groups. There must be an explicit rule in the security group for traffic to be passed; otherwise, traffic is not allowed.
- As per AWS documentation, the default inbound rule allows traffic from network interfaces that are assigned to the same security group.
- The default outbound rule allows all traffic to leave the instance.
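The Default Route, Default NACL and Default Security Group sections each describe how to read one component; the following added example (not code from the original post) turns that reading into checks over the JSON that `aws ec2 describe-route-tables`, `describe-network-acls` and `describe-security-groups` return. The three documents embedded below are constructed samples that mirror a default VPC, and every ID in them (`rtb-example0001`, `igw-example0001`, `acl-example0001`, `sg-example0001`) is made up; the function names are my own.

```python
# Added example (not from the original post): auditing a default VPC's main
# route table, default NACL and default security group from CLI-shaped JSON.
# The three documents are CONSTRUCTED; all resource IDs are placeholders.
import ipaddress
import json

ANY = "0.0.0.0/0"

ROUTE_TABLE_JSON = json.dumps({"RouteTables": [{
    "RouteTableId": "rtb-example0001",
    "Routes": [
        {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": ANY, "GatewayId": "igw-example0001"},
    ]}]})

NACL_JSON = json.dumps({"NetworkAcls": [{
    "NetworkAclId": "acl-example0001", "IsDefault": True,
    "Entries": [  # rule 100 allow-all plus the fixed 32767 deny-all, per direction
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": ANY},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": ANY},
        {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": ANY},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": ANY},
    ]}]})

SG_JSON = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-example0001", "GroupName": "default",
    "IpPermissions": [  # inbound: only from interfaces in the same group
        {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-example0001"}]}],
    "IpPermissionsEgress": [  # outbound: any protocol, anywhere
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY}], "UserIdGroupPairs": []}],
}]})


def next_hop(route_table, destination_ip):
    """Longest-prefix match over Routes, which is how the VPC router picks a target."""
    ip = ipaddress.ip_address(destination_ip)
    best = None
    for route in route_table["Routes"]:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route["GatewayId"])
    return best[1] if best else None


def route_table_is_public(route_table):
    """A 0.0.0.0/0 route to an internet gateway makes the associated subnets public."""
    return any(r.get("DestinationCidrBlock") == ANY and r.get("GatewayId", "").startswith("igw-")
               for r in route_table["Routes"])


def nacl_allows_all_inbound(nacl):
    """NACL rules are evaluated in RuleNumber order, first match wins. Report the
    action of the first inbound rule that matches every packet (any source, any
    protocol); narrower rules with lower numbers would only carve out exceptions."""
    inbound = sorted((e for e in nacl["Entries"] if not e["Egress"]), key=lambda e: e["RuleNumber"])
    for entry in inbound:
        if entry["CidrBlock"] == ANY and entry["Protocol"] == "-1":
            return entry["RuleAction"] == "allow"
    return False


def sg_inbound_sources(sg):
    """Every inbound source the group allows: CIDR ranges and referenced group IDs."""
    sources = []
    for perm in sg["IpPermissions"]:
        sources += [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
    return sources


def audit(route_table_json, nacl_json, sg_json):
    rt = json.loads(route_table_json)["RouteTables"][0]
    nacl = json.loads(nacl_json)["NetworkAcls"][0]
    sg = json.loads(sg_json)["SecurityGroups"][0]
    sources = sg_inbound_sources(sg)
    return {
        "subnet_is_public": route_table_is_public(rt),
        "nacl_open_inbound": nacl_allows_all_inbound(nacl),
        "sg_open_to_internet": ANY in sources,
        "sg_self_only": sources == [sg["GroupId"]],
        "local_hop": next_hop(rt, "172.31.20.7"),        # inside 172.31.0.0/16
        "internet_hop": next_hop(rt, "203.0.113.10"),    # documentation range, outside the VPC
    }


if __name__ == "__main__":
    print(json.dumps(audit(ROUTE_TABLE_JSON, NACL_JSON, SG_JSON), indent=2))
```

On the constructed default VPC the audit reports a public subnet and a wide-open NACL, exactly the situation the post describes, while the default security group is still closed to the internet because its only inbound source is itself; the `sg_open_to_internet` flag is the one to watch once someone starts adding rules.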
Finding Default VPC components from CLI
VPC ID
```bash
# Print Default VPC ID (in the region configured when setting up CLI)
aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query 'Vpcs[].VpcId' --output table
```
```
------------------
|  DescribeVpcs  |
+----------------+
|  vpc-522b2535  |
+----------------+
```
Store the ID in a shell variable for the following commands:
```bash
VPC_ID=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query 'Vpcs[].VpcId' --output text) && echo ${VPC_ID}
echo $VPC_ID
```
```
vpc-522b2535
```
Describe Subnets in the VPC
```bash
# Describe Subnets
aws ec2 describe-subnets \
  --filters "Name=vpc-id,Values=${VPC_ID}" \
  --query 'Subnets[].[SubnetId,CidrBlock,AvailabilityZone, Tags[?Key==`Name`]|[0].Value]' \
  --output table
```
```
+-----------------+------------------+-------------------+-------+
| subnet-f82987a1 | 172.31.0.0/20    | ap-southeast-1c   | None  |
| subnet-2234d76a | 172.31.32.0/20   | ap-southeast-1a   | None  |
| subnet-2c45b64a | 172.31.16.0/20   | ap-southeast-1b   | None  |
+-----------------+------------------+-------------------+-------+
```
Describe Security Groups
```bash
# Security Groups
aws ec2 describe-security-groups \
  --filters "Name=vpc-id,Values=${VPC_ID}" \
  --query 'SecurityGroups[].[GroupId, Description]' \
  --output table
```
```
-----------------------------------------------
|           DescribeSecurityGroups            |
+--------------+------------------------------+
|  sg-4b59a835 |  default VPC security group  |
+--------------+------------------------------+
```
Describe Main Route table
```bash
# Main route table of the VPC. Both filters must go in ONE --filters argument:
# when --filters is given twice, the AWS CLI keeps only the last occurrence, so
# the vpc-id filter would be dropped and the main route table of every VPC in
# the region would be returned.
aws ec2 describe-route-tables \
  --filters "Name=vpc-id,Values=${VPC_ID}" "Name=association.main,Values=true" \
  --query 'RouteTables[].Associations[].{RouteTableId:RouteTableId}' \
  --output table
```