How to configure small AWS virtual private clouds

Small VPCs conjure up Aladdin’s lamp

Remember that famous quote from the animated film Aladdin in which the genie (voiced by the late Robin Williams) compares his power to the size of the lamp he’s contained in: “Phenomenal cosmic power… itty-bitty living space”?

That’s exactly how you’ll feel when you have to architect AWS virtual private clouds (VPC) in which there is a requirement that all VPC IPv4 subnet addresses be available via VPN or Direct Connect to the client’s on-premises networks, and the client’s network is short on IPv4 RFC1918 private address space.

Doing this recently revealed a number of considerations that you might wish to keep in mind if and when you need to architect a small VPC for a client.

  • Brush up on your binary math and review everything you knew about CIDR addressing. For example, shifting a single bit left in the network portion of a CIDR doubles the number of subnets available; shifting a bit right halves the number of available subnets. So, a /27 contains two /28s. Changing the number of network address bits also changes the number of available IPs in each subnet. So it’s important to find a balance between the number of available subnets — which determines your high-availability strategy — and the number of available IPv4 addresses in each subnet. Reminder: AWS takes four addresses out of each subnet. In the case of a /28, that’s almost 20% of the available IPv4 addresses.
  • Run, don’t walk, to the best IP calculator I have used for figuring out how to “chop up” smallish client address spaces, like a /20, into smaller VPCs. ipcalc is also available as an installable package for macOS (brew install ipcalc) and via apt-get on Ubuntu (and therefore on Windows via the Windows Subsystem for Linux). ipcalc is unique among the tools I found because it lets you quickly calculate the IPs for any given CIDR “moving into” a smaller network. The installed version even outputs HTML files you can use in your documentation. Here’s an example showing ipcalc output for a set of addresses going “from” a /27 “to” a /28.

    Using ipcalc to compute CIDRs for an AWS VPC
  • Allocate the client’s IPv4 allocation asymmetrically. This may not be obvious and I wouldn’t recommend it unless you have to. But in some cases, it’s the only way to address the shortage of IPv4 address space. Usually, the architect should create VPCs of the same size within a customer’s assigned address space. But doing so isn’t an AWS requirement for VPCs. So, you can have VPCs of varying sizes within an overall address space, allowing you to tailor the VPCs to the environments you need. For example, development environments might need fewer IPs and can therefore be smaller. This will help fit the applications to the available address space. The following diagram shows how to chop up a smallish IPv4 private address range — a /22 — into three VPCs, with two smaller ones together occupying one of the two larger halves. Once again, ipcalc is invaluable in calculating these kinds of VPCs. And it clearly demonstrates the relationship between CIDR network address bit allocation and the number of available subnets. Note how the two /24s add up to one /23 and two /23s equal one /22. You can use ipcalc to experiment with all the possible calculations to arrive at the best VPC design based on whatever IPv4 space your client gives you.

    Asymmetrical VPC allocation in a small IPv4 address space
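The CIDR arithmetic behind the two bullets above (a /27 holding two /28s, a /22 carved into one /23 and two /24s, and the cost of AWS’s reserved addresses per subnet) can be checked without ipcalc using Python’s standard ipaddress module. The following is an added example written for this page, not code from the post or from AWS; the 10.0.0.0/22 block, the AZ counts and the on-premises ranges are constructed inputs. It counts five reserved addresses per subnet (the first four plus the last), which is what the AWS VPC documentation states, and it also adds the overlap check you want before connecting a VPC to on-premises networks over VPN or Direct Connect.

```python
"""Subnet-planning helper for small AWS VPCs (added example, not from the post)."""
import ipaddress
import math

# AWS reserves the first four addresses of every subnet (network, VPC router,
# Route 53 resolver, future use) and the last one (broadcast).
AWS_RESERVED_PER_SUBNET = 5


def split(cidr, new_prefix):
    """Subnets of `cidr` at `new_prefix`: one extra network bit doubles the count."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def usable_hosts(cidr):
    """Addresses EC2 instances can actually use once AWS's reserved ones are removed."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def reserved_share(cidr):
    """Fraction of a subnet lost to AWS reservations (a /28 loses 5 of 16)."""
    return AWS_RESERVED_PER_SUBNET / ipaddress.ip_network(cidr, strict=True).num_addresses


def carve(parent, prefixes):
    """Carve `parent` into VPC blocks of the given prefix lengths, first-fit and aligned.

    Blocks are taken in the order given; list them largest-first (e.g. [23, 24, 24])
    so the smaller VPCs fill in behind the larger one without leaving an unusable
    gap. Raises ValueError if the requested blocks do not fit.
    """
    parent_net = ipaddress.ip_network(parent, strict=True)
    cursor = int(parent_net.network_address)
    end = int(parent_net.broadcast_address) + 1
    allocated = []
    for prefix in prefixes:
        if prefix < parent_net.prefixlen:
            raise ValueError(f"/{prefix} is larger than the parent /{parent_net.prefixlen}")
        size = 2 ** (32 - prefix)
        start = -(-cursor // size) * size  # round the cursor up to the block's alignment
        if start + size > end:
            raise ValueError(f"no room for a /{prefix} in {parent}")
        allocated.append(str(ipaddress.ip_network((start, prefix))))
        cursor = start + size
    return allocated


def fits(parent, prefixes):
    """True if `carve` can place every requested block in `parent`."""
    try:
        carve(parent, prefixes)
        return True
    except ValueError:
        return False


def per_az_subnets(vpc, azs, tiers=2):
    """One subnet per (AZ, tier) pair inside a VPC.

    The subnet prefix is the VPC prefix plus ceil(log2(azs * tiers)) bits, which is
    the trade-off in the post: more subnets for high availability means fewer
    usable addresses in each. Returns (subnet, usable_hosts) pairs.
    """
    net = ipaddress.ip_network(vpc, strict=True)
    needed = azs * tiers
    new_prefix = net.prefixlen + math.ceil(math.log2(needed))
    if new_prefix > 28:
        raise ValueError(f"{vpc} cannot hold {needed} subnets: AWS subnets must be /28 or larger")
    subnets = list(net.subnets(new_prefix=new_prefix))[:needed]
    return [(str(s), usable_hosts(str(s))) for s in subnets]


def overlaps(cidr, others):
    """Blocks in `others` that collide with `cidr`.

    A VPC reachable over VPN or Direct Connect must not overlap the on-premises
    ranges it is routed to, or traffic for those hosts is silently misdirected.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return [c for c in others if net.overlaps(ipaddress.ip_network(c, strict=True))]


if __name__ == "__main__":
    # Constructed inputs mirroring the post's /27 -> /28 and /22 -> /23 + 2x/24 examples.
    print(split("10.0.0.0/27", 28))                      # two /28s
    print(usable_hosts("10.0.0.0/28"), reserved_share("10.0.0.0/28"))
    print(carve("10.0.0.0/22", [23, 24, 24]))            # asymmetric VPC layout
    print(fits("10.0.0.0/22", [24, 23, 24]))             # wrong order wastes space
    print(per_az_subnets("10.0.2.0/24", azs=2, tiers=2))  # four /26 subnets
    print(overlaps("10.0.2.0/24", ["10.0.0.0/23", "192.168.0.0/16"]))  # constructed on-prem ranges
```

Running the script prints the carve of the /22 as 10.0.0.0/23, 10.0.2.0/24 and 10.0.3.0/24, and shows that asking for the same three blocks in the order /24, /23, /24 does not fit, because the /23 must start on a 512-address boundary and the gap it leaves behind the first /24 cannot hold the second one.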

I hope this helps you design better VPCs and makes it easier to figure out how to manage the need for subnets and high-availability for EC2 instances running in AWS.







2 responses to “How to configure small AWS virtual private clouds”

  1. Jeffm

    Hi Alex,

    You might want to give these IP address tools a try (each has multiple tools): (this is what I use most of the time for CIDR block planning – the output pastes nicely into OneNote) (the Swiss Army Knife) (the bit-twiddler tool)

    I keep running across your posts and it’s starting to inspire me to document some of the AWS practices and tools I’ve been developing. I’ve got some nice cheat-sheets I might start with that are helpful to me and when I’m training someone.

    Best wishes, Jeff

    1. Alex Neihaus

      Thank you, Jeff, for your kind words.

      I’d encourage everyone to blog their AWS tips and techniques. I do it to “pay forward” a little for the immense help I’ve gotten from other bloggers on so many topics, especially those relating to AWS.

      I also appreciate your comment that you keep “running across my posts”. I assume that means you are finding them via Google search. I’ve worked hard to “appeal” to the Google search engine. For some search terms, you’ll find AWS documentation first and then, about three or four links down, you’ll find a link to an AWS post — on EC2, VPC, RDS, or Windows Server running on EC2 — as the first non-AWS link.

      I’m pleased that my blog posts have become popular as a result of Google thinking they are worthy of prime placement. So not only would I encourage you to blog about your experiences in the cloud, I’d recommend that you pay close attention to SEO techniques to make the content as widely accessible as possible.

