
AWS VPC - Logical isolation from other virtual networks


Documentation says, "A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud."

My understanding is that the reason my VPC is isolated from other virtual networks is the CIDR notation (network 1xx.xx.0.0/16) assigned to the VPC.

So, if the CIDR notation for my VPC is 10.10.0.0/16, then this CIDR notation (10.10.0.0/16) is not being used in other virtual networks of the AWS cloud.


Private IPv4 range

10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255

1) Is the AWS cloud a big private network, with each VPC assigned a CIDR from private IP space? If the AWS cloud is a private network, then can we assign a public IP to a resource within the private network?


2) Is it the CIDR parameter that allows isolation of my VPC from other virtual networks in the AWS cloud?

3) Does the AWS cloud have overlapping IP domains across AWS VPCs?


Solution

  • CIDR

    From the early birth of IP, addressing was stitched to a classful behaviour. What does this mean.... a router's maximum prefix for a class A network was 10.0.0.0 /8 (10.0.0.0 - 10.255.255.255); for a class B network it was 172.26.0.0 (172.26.0.0 - 172.26.255.255). This is called classful addressing "RFC 791". But hey, what if I want to subdivide those ranges and have one subnet in USA and the other in Europe? There comes CIDR (CLASSLESS interdomain routing) into the game. Since the CIDR RFCs (https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) we are not stitched to that classful restriction anymore. Now we are free to subdivide as we want (variable length subnet masking, or VLSM).

    AWS

    On AWS you can have a VPC, which is a VirtualPrivateCloud. It's an isolated construct with its own virtual router and its own private (not Public!!) IP range (a CIDR range). It is completely isolated from everything... like you would install a switch, router and computers in your bedroom. You can subdivide your VPC in smaller portions (availability Zones). Then you'll make a nonoverlapping IP addressing, let's say, AZ1=10.0.1.0/24, AZ2=10.0.2.0/24, AZ3=10.0.3.0/24. With your router in the bedroom... aahh sorry, VPC, you are interconnecting those Zones together. Let's say AZ1=Web, AZ2=APP, AZ3=DB... so, how can you bring AZ1 to the Internet? You are placing an Internet-Gateway in front of the VPC. What about public IP now? AWS has 2 scenarios: public IP and Elastic public IP... what's the difference? With public IP, the IP is stitched to your instance, not your account. Elastic IP is stitched to your account, which means you can move the public IP between instances in your VPC. Both variants work with NAT (NetworkAddressTranslation)... as you remember, you have a private IP on your instance, so packets arriving from WWW addressed to your public IP are translated on the Internet-GW to your private IP. That's it! There are many services like egress-only gateway (only IPv6), NAT-Gateway (like egress only for IPv4) and so on... you can combine things and build your own logic, but it would blow this thread to explain everything.

    One thing left... you are reaching the public IP from other VPCs via NAT/internet-gateway... but, what if you really want to interconnect 2 VPCs?? Yes, it's possible, but they are not allowed to overlap CIDR ranges! https://docs.aws.amazon.com/vpc/latest/peering/invalid-peering-configurations.html

    A good starting point is: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html

    To answer your third question: every customer (respectively every VPC) can have its own private range which YOU are defining. So, yes, there are overlapping IPs across the VPCs. The problem begins there, if you want to join them (VPC peering). The unique identifier between (unjoined) VPCs is the public IP in it, and they are unique! No overlapping between VPCs.

    I hope that helps a bit.

    Edit: of course they are not using physical stuff to create VPCs, they are doing it with virtualized network components (network function virtualisation, NFV).
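As an added example (not part of the question or the answer above), the two checks the answer describes, carving a VPC range into non-overlapping subnets (VLSM) and refusing to peer VPCs whose CIDR blocks overlap, written with Python's standard `ipaddress` module. The VPC names and CIDR blocks are constructed sample values, not real accounts.

```python
# Added example: VLSM subdivision of a VPC CIDR and an overlap check for
# VPC peering, using only the standard library.
from ipaddress import ip_network
from itertools import combinations

# Constructed sample VPC CIDRs (hypothetical, not real AWS resources).
# "vpc-legacy" deliberately sits inside "vpc-web"'s /16 to show the failure.
VPCS = {
    "vpc-web": "10.10.0.0/16",
    "vpc-app": "10.20.0.0/16",
    "vpc-legacy": "10.10.128.0/17",
}

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def carve_subnets(vpc_cidr: str, new_prefix: int, count: int) -> list:
    """Return the first `count` /new_prefix subnets of the VPC range (VLSM)."""
    net = ip_network(vpc_cidr, strict=True)  # strict: reject host bits set
    subnets = list(net.subnets(new_prefix=new_prefix))
    if count > len(subnets):
        raise ValueError(f"{vpc_cidr} holds only {len(subnets)} /{new_prefix} subnets")
    return [str(s) for s in subnets[:count]]


def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """Peering is only valid when the two CIDR blocks do not overlap."""
    return not ip_network(cidr_a).overlaps(ip_network(cidr_b))


def overlapping_pairs(vpcs: dict) -> list:
    """Every pair of VPC names whose ranges overlap (an invalid peering)."""
    return sorted(
        (a, b) for a, b in combinations(sorted(vpcs), 2)
        if not can_peer(vpcs[a], vpcs[b])
    )


def is_rfc1918(cidr: str) -> bool:
    """True when the whole block lies inside one RFC 1918 private range."""
    net = ip_network(cidr)
    return any(net.subnet_of(ip_network(r)) for r in RFC1918)


if __name__ == "__main__":
    print(carve_subnets("10.10.0.0/16", 24, 3))   # three /24s for Web/APP/DB
    print(overlapping_pairs(VPCS))                 # pairs that cannot be peered
```

Run `overlapping_pairs` over your own VPC inventory before requesting a peering connection; any pair it reports will be rejected by AWS as an invalid configuration.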