AWS - Default VPC

  • Default VPC setup in AWS
  • Created - 2020/10/10
  • AWS VPC Networking

1. Overview

A Default VPC is created in each region when an AWS account is created. The default VPC comes up with few already configured VPC elements. They're:

  • Subnet in each Availability Zone
  • Main Route table
  • Main Network Access Control List (NACL)
  • Internet Gateway
  • Security Group

2. VPC

  • In this case, the VPC CIDR (Classless Inter-Domain Routing) range is 172.31.0.0/16
  • /16 means the first 16 bits of this range is fixed. It allows a maximum of 65536 IP addresses, starting with 172.31.0.0 and ending with 172.31.255.255
  • This is the largest VPC that AWS allows.

3. Subnets

  • Subnet is nothing but Sub network
  • The address space of VPC (In this case, the pool of 65536 addresses) can be sub-divided into multiple networks.

Subnet 1

  • CIDR is 172.31.0.0/20
  • This gives 4096 IP addresses (first 20 bits fixed. This leaves 32 - 20 = 12 bits for the Subnet. 2 Power 12 is 4096)
  • Out of these, AWS reserves 5 addresses for management.
  • This allows 4091 addresses for the subnet.
  • First address in the subnet is 172.31.0.0 and last address is 172.31.15.255

Subnet 2

  • CIDR is 172.31.16.0/20
  • The subnet has 4091 addresses (After leaving 5 for AWS)
  • First address is 172.31.16.0 , last address is 172.31.31.255

Subnet 3

  • CIDR is 172.31.32.0/20
  • The subnet has 4091 addresses (After leaving 5 for AWS)
  • First address is 172.31.32.0, last address is 172.31.47.255

4. Default Route

  • Route tables are associated with Subnets.
  • Every Subnet in a VPC should be associated with a route table.
  • If a Subnet has no explicit association with a route table, It will be implicitly associated with the main route table.
  • In the Default VPC, all subnets are implicitly associated with the following route table.
  • A Route table directs network traffic in the VPC. The way to interpret the following table is:
    • Any traffic destined for any of VPC addresses (the 65K addresses) will remain local to the VPC.
      • Any traffic destined for the internet (0.0.0.0/0), will be directed to the Internet Gateway that is already created and attached to the VPC.

5. Default NACL

  • NACL is the Security Layer for Subnet.
  • Any Inbound/Outbound rule defined in a NACL impacts all the services defined in the subnet with which the NACL is associated.
  • The Default NACL Inbound rule allows traffic from internet (0.0.0.0/0) on any Protocol/Port. Similarly, the default outbound rule allows traffic to leave the subnet on any Protocol/Port.
  • In other words, the default NACL does not do any favor to protect the Subnet as it allows traffic to enter and leave the subnet.
  • This is the reason the Subnets are dipected as Public Subnets as they're reachable from the Internet.

6. Default Security Group

  • Security Groups act as firewalls for Instances in a Subnet.
  • Once traffic pass the screening @ subnet level (via NACLs), It is evaluated again by Security Group Rules before reaching the Destination (For Inbound)
  • Unlike NACLs, there is no DENY configuration for Security Groups. There should be an explicit rule specified in the security group in order for the traffic to be passed. otherwise, traffic is not allowed.
  • As per AWS documentation, the default Inbound rule allows traffic from network interfaces that are assigned to the same security group.
  • The Default Outbound rule allows all traffic to leave the Instance.

Finding Default VPC components from CLI

VPC ID

# Print Default VPC ID (in the region configured when setting up CLI)
aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query 'Vpcs[].VpcId' --output table

------------------
|  DescribeVpcs  |
+----------------+
|  vpc-522b2535  |
+----------------+

VPC_ID=$(aws ec2 describe-vpcs --filters "Name=isDefault,Values=true" --query 'Vpcs[].VpcId' --output text) && echo ${VPC_ID}
echo $VPC_ID

vpc-522b2535

Describe Subnets in the VPC

# Describe Subnets
aws ec2 describe-subnets \
    --filters "Name=vpc-id,Values=${VPC_ID}" \
    --query 'Subnets[].[SubnetId,CidrBlock,AvailabilityZone, Tags[?Key==`Name`]|[0].Value]' \
    --output table

+-----------------+------------------+-------------------+-------+
|  subnet-f82987a1|  172.31.0.0/20   |  ap-southeast-1c  |  None |
|  subnet-2234d76a|  172.31.32.0/20  |  ap-southeast-1a  |  None |
|  subnet-2c45b64a|  172.31.16.0/20  |  ap-southeast-1b  |  None |
+-----------------+------------------+-------------------+-------+

Describe Security Groups

# Security Groups
aws ec2 describe-security-groups \
    --filters "Name=vpc-id,Values=${VPC_ID}" \
    --query 'SecurityGroups[].[GroupId, Description]' \
    --output table

-----------------------------------------------
|           DescribeSecurityGroups            |
+--------------+------------------------------+
|  sg-4b59a835 |  default VPC security group  |
+--------------+------------------------------+

Describe Main Route table

aws ec2 describe-route-tables \
   --filters "Name=vpc-id,Values=${VPC_ID}" \
   --filters "Name=association.main,Values=true" \
   --query 'RouteTables[].Associations[].{RouteTableId:RouteTableId}' \
   --output table