A virtual private cloud (VPC) is a logically isolated private network environment in the cloud. Built on Software-Defined Networking (SDN) and VXLAN tunneling, a VPC separates the data plane from the control plane. Each VPC is assigned a unique VXLAN network identifier (VNI) that isolates its virtual network from all others.
Service architecture
Data plane: Path for packet forwarding
The data plane processes and forwards network traffic. It consists of distributed vSwitches and gateway clusters.
Network isolation: VPC isolation is achieved with VXLAN tunnel technology. Traditional VLANs max out at 4,096 virtual networks and cannot meet hyperscale cloud needs. VXLAN overcomes this physical network limitation by encapsulating Layer 2 Ethernet frames in Layer 3 UDP packets, which allows it to support millions of virtual networks.
Communication flow:
Intra-VPC communication: When Elastic Compute Service (ECS) instances within the same VPC communicate, their outgoing packets are encapsulated and marked with the VPC's unique VNI. The packets are then transmitted over the physical network, but only instances in the same VPC will decapsulate and accept them.
Inter-VPC isolation: Instances in different VPCs have different VNIs and belong to different logical routing planes. Packets are not forwarded between them, which ensures network isolation.
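The following is an added example, not code from the original page or from the cloud provider. It models the encapsulation and VNI check described above in plain Python: an Ethernet frame is wrapped in an 8-byte VXLAN header (the 24-bit VNI field is what gives VXLAN its 16-million-network range) and a UDP header on the IANA port 4789, and a simplified tunnel endpoint (the vSwitch) accepts the inner frame only when the VNI matches its own VPC. The VNIs, MAC addresses and payload are constructed sample values, and the VTEP class is a teaching model rather than any vendor's vSwitch implementation.

```python
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned UDP port for VXLAN
VXLAN_FLAG_VNI_VALID = 0x08    # "I" flag: the VNI field carries a valid identifier
VLAN_ID_SPACE = 4096           # 12-bit VLAN ID
VXLAN_VNI_SPACE = 1 << 24      # 24-bit VNI, ~16 million networks


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) | reserved(3) | VNI(3) | reserved(1)."""
    if not 0 <= vni < VXLAN_VNI_SPACE:
        raise ValueError("VNI must fit in 24 bits")
    return bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_header(data: bytes) -> tuple:
    """Return (vni, inner_frame); reject truncated headers or an unset VNI flag."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    if not data[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI flag not set")
    return int.from_bytes(data[4:7], "big"), data[8:]


def build_ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Minimal Layer 2 frame: dst MAC | src MAC | EtherType | payload."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + ethertype.to_bytes(2, "big") + payload


def encapsulate(vni: int, inner_frame: bytes, src_port: int = 49152) -> bytes:
    """Wrap a Layer 2 frame in VXLAN + UDP (outer IP header omitted for brevity)."""
    vxlan = build_vxlan_header(vni) + inner_frame
    # UDP header: src port | dst port | length (header + payload) | checksum (0 = none)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(vxlan), 0)
    return udp + vxlan


class VTEP:
    """Simplified VXLAN tunnel endpoint belonging to exactly one VPC (one VNI)."""

    def __init__(self, vni: int):
        self.vni = vni
        self.accepted = []
        self.dropped = 0

    def receive(self, packet: bytes):
        """Decapsulate only packets carrying this VPC's VNI; everything else is dropped."""
        try:
            _, dst_port, length, _ = struct.unpack("!HHHH", packet[:8])
            if dst_port != VXLAN_UDP_PORT or length != len(packet):
                raise ValueError("not a well-formed VXLAN/UDP packet")
            vni, inner = parse_vxlan_header(packet[8:])
        except (struct.error, ValueError):
            self.dropped += 1
            return None
        if vni != self.vni:            # different VPC: never decapsulated
            self.dropped += 1
            return None
        self.accepted.append(inner)
        return inner


def demo() -> tuple:
    """Constructed scenario: an instance in VPC A sends a frame; only VPC A's VTEP accepts it."""
    VNI_VPC_A, VNI_VPC_B = 1001, 2002   # constructed sample VNIs
    frame = build_ethernet_frame("02:00:00:00:00:02", "02:00:00:00:00:01",
                                 0x0800, b"hello from VPC A")
    packet = encapsulate(VNI_VPC_A, frame)
    vtep_a, vtep_b = VTEP(VNI_VPC_A), VTEP(VNI_VPC_B)
    return vtep_a.receive(packet) == frame, vtep_b.receive(packet) is None


if __name__ == "__main__":
    print(demo())   # (True, True): same VPC accepts, other VPC drops
```

The length check in `receive` is the kind of sanity test a real endpoint performs before trusting the VNI field: a truncated or mis-sized packet is dropped rather than partially parsed.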
Control plane: Centralized network management
The control plane, the core component of a VPC, consists of an SDN controller cluster. It handles centralized network management and policy distribution.
Decoupling: SDN technology decouples the control plane from the data plane. Network configurations made through the console or API, such as defining routes and setting security rules, are handled by the SDN controller. Administrators can dynamically adjust network behavior through the controller without managing underlying hardware details.
Configuration delivery: The controller computes configurations, such as forwarding tables, and delivers them to the vSwitches and gateways on the data plane using a proprietary protocol to guide traffic forwarding. This separation lets you change network configurations without operating the physical hardware, which improves flexibility and automation.
High availability
The VPC architecture incorporates high availability and redundancy mechanisms to ensure service stability.
Distributed nodes: vSwitches are distributed, which prevents single points of failure (SPOFs).
Cluster deployment: Gateways and controllers are deployed in clusters and support failover across multiple data centers (zones).
Link redundancy: All physical links are configured with redundancy and disaster recovery.
Architecture
VPCs provide a rich set of features for you to build network architectures that meet your business needs with fine-grained access control, monitoring, and operations and maintenance capabilities.
vSwitch: Segments the VPC network for resource deployment (subnetting). It is a zone-level resource.
Route table: Directs VPC traffic. vSwitches are bound to route tables, whose entries specify the next hop for packets passing through that vSwitch.
IP Address Manager (IPAM): An IP address management tool that automates IP allocation and management. This simplifies network management and prevents address conflicts.
IPv4 gateway/IPv6 gateway: Use with route tables to centrally control Internet traffic. This reduces the security risks associated with decentralized access.
VPC peering connection: Connect VPCs that are in the same or different accounts and in the same or different regions.
Network ACL: Attached to a vSwitch. Configure ACL rules to manage inbound and outbound traffic to/from the vSwitch.
Flow log: Collects and records inbound and outbound traffic for elastic network interfaces (ENIs). Use the information to monitor network performance, troubleshoot issues, or reduce traffic costs.
Traffic mirroring: A bypass monitoring solution. Traffic that matches the filters is mirrored and forwarded to security analysis appliances for real-time detection, without impacting production traffic.
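To make the route table, network ACL and flow log entries above concrete, here is an added Python model that is not part of the original page and not the provider's own implementation. A vSwitch's outbound traffic is first evaluated against the network ACL bound to that vSwitch, then forwarded according to a longest-prefix-match lookup in the vSwitch's route table, and each decision is emitted as a flow-log-style record. The ACL semantics (rules evaluated in order, first match wins, no match means drop) and the route targets (`local`, `ipv4-gateway`, a peering-connection placeholder) are assumptions for illustration; the CIDRs and flows are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PORT = (-1, -1)  # sentinel meaning "any port"


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    next_hop: str  # assumed labels: "local", "ipv4-gateway", "vpc-peering-<id>"


class RouteTable:
    """Route table bound to a vSwitch; lookup uses longest-prefix match."""

    def __init__(self, routes: List[Route]):
        # Most specific prefix first, so the first hit is the longest match
        self.routes = sorted(routes, key=lambda r: r.destination.prefixlen, reverse=True)

    def lookup(self, dst_ip: str) -> Optional[str]:
        ip = ipaddress.ip_address(dst_ip)
        for route in self.routes:
            if ip in route.destination:
                return route.next_hop
        return None  # no matching route: packet cannot be forwarded


@dataclass(frozen=True)
class AclRule:
    action: str                      # "accept" or "drop"
    protocol: str                    # "tcp", "udp", "icmp" or "all"
    cidr: ipaddress.IPv4Network      # peer address range the rule applies to
    port_range: Tuple[int, int] = ANY_PORT


class NetworkAcl:
    """Stateless ACL on a vSwitch. Assumed semantics: rules evaluated in order,
    first match wins, and traffic matching no rule is dropped."""

    def __init__(self, rules: List[AclRule]):
        self.rules = rules

    def evaluate(self, peer_ip: str, protocol: str, port: int) -> str:
        ip = ipaddress.ip_address(peer_ip)
        for rule in self.rules:
            if rule.protocol not in ("all", protocol):
                continue
            if ip not in rule.cidr:
                continue
            lo, hi = rule.port_range
            if lo != -1 and not lo <= port <= hi:
                continue
            return rule.action
        return "drop"


def process_egress(src_ip: str, dst_ip: str, protocol: str, port: int,
                   acl: NetworkAcl, route_table: RouteTable) -> dict:
    """Outbound ACL check, then route lookup; returns a flow-log-style record."""
    action = acl.evaluate(dst_ip, protocol, port)
    next_hop = route_table.lookup(dst_ip) if action == "accept" else None
    if action == "accept" and next_hop is None:
        action = "drop"  # permitted by ACL but unroutable
    return {"src": src_ip, "dst": dst_ip, "protocol": protocol, "port": port,
            "action": action, "next_hop": next_hop}


# Constructed sample configuration for a vSwitch inside VPC CIDR 10.0.0.0/16
SAMPLE_ROUTE_TABLE = RouteTable([
    Route(ipaddress.ip_network("10.0.0.0/16"), "local"),                      # intra-VPC
    Route(ipaddress.ip_network("192.168.0.0/16"), "vpc-peering-PLACEHOLDER"),  # peered VPC
    Route(ipaddress.ip_network("0.0.0.0/0"), "ipv4-gateway"),                  # Internet via gateway
])
SAMPLE_EGRESS_ACL = NetworkAcl([
    AclRule("accept", "all", ipaddress.ip_network("10.0.0.0/16")),               # anything inside the VPC
    AclRule("accept", "tcp", ipaddress.ip_network("0.0.0.0/0"), (443, 443)),     # HTTPS out
    AclRule("drop", "all", ipaddress.ip_network("0.0.0.0/0")),                   # explicit catch-all
])


def demo() -> List[dict]:
    """Evaluate a few constructed flows leaving the sample vSwitch."""
    flows = [
        ("10.0.1.5", "10.0.2.9", "tcp", 22),        # intra-VPC SSH
        ("10.0.1.5", "203.0.113.10", "tcp", 443),   # HTTPS to the Internet
        ("10.0.1.5", "203.0.113.10", "udp", 53),    # DNS to the Internet, not permitted
        ("10.0.1.5", "192.168.4.4", "tcp", 443),    # HTTPS into the peered VPC
    ]
    return [process_egress(s, d, p, port, SAMPLE_EGRESS_ACL, SAMPLE_ROUTE_TABLE)
            for s, d, p, port in flows]


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Reviewing the emitted records the way you would review flow logs shows why the ordering matters: the catch-all drop rule only takes effect for traffic no earlier rule accepted, and a destination the ACL permits is still dropped when the route table has no entry for it.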