
Currently moving to Amazon EC2 from another VPS provider. We have your typical web server / database server needs. Web servers in front of our database servers. Database servers are not directly accessible from the Internet.

I am wondering if there is any reason to put these servers into an AWS Virtual Private Cloud (VPC) instead of just creating the instances and using security groups to firewall them off.

We are not doing anything fancy just a typical web app.

Any reason to use a VPC or not to use a VPC?

Thanks.

spicer
  • The original "best answer" to this question is no longer valid since Amazon EC2 instances are automatically assigned a new VPC or require you to choose which VPC you want them on. They are essentially services that rely directly on each other now, not unrelated things. Given that Amir pointed out that Amazon was going to go in this direction, his answer should warrant the best now in my opinion. – skrilled May 01 '14 at 17:49
  • And now Amir's answer is nowhere to be found. – Randy L Oct 03 '16 at 21:16

6 Answers


NOTE: New accounts in AWS launch with a "default VPC" enabled immediately, and make "EC2-Classic" unavailable. As such, this question and answer make less sense now than they did in August 2012. I'm leaving the answer as-is because it helps frame differences between "EC2-Classic" and the VPC product line. Please see Amazon's FAQ for more details.

Yes. If you're security conscious, a heavy CloudFormation user, or want complete control over autoscaling (as opposed to Beanstalk, which abstracts certain facets of it but still gives you complete access to the scaling parameters), use a VPC. This blog post does a great job summarizing both the pros and cons. Some highlights from the blog post (written by kiip.me):

What’s Wrong with EC2?

All nodes are internet addressable. This doesn’t make much sense for nodes which have no reason to exist on the global internet. For example: a database node should not have any public internet hostname/IP.

All nodes are on a shared network, and are addressable to each other. That means an EC2 node launched by a user “Bob” can access any of the EC2 nodes launched by a user “Fred.” Note that by default, the security groups disallow this, but it's quite easy to undo this protection, especially when using custom security groups.

No public vs private interface. Even if you wanted to disable all traffic on the public hostname, you can’t. At the network interface level each EC2 instance only has one network interface. Public hostnames and Elastic IPs are routed onto the “private” network.

What's Great About the VPC

First and foremost, VPC provides an incredible amount of security compared to EC2. Nodes launched within a VPC aren’t addressable via the global internet, by EC2, or by any other VPC. This doesn’t mean you can forget about security, but it provides a much saner starting point versus EC2. Additionally, it makes firewall rules much easier, since private nodes can simply say “allow any traffic from our private network.” Our time from launching a node to having a fully running web server has gone from 20 minutes down to around 5 minutes, solely due to the time saved in avoiding propagating firewall changes around.

DHCP option sets let you specify the domain name, DNS servers, NTP servers, etc. that new nodes will use when they’re launched within the VPC. This makes implementing custom DNS much easier. In EC2 you have to spin up a new node, modify DNS configuration, then restart networking services in order to gain the same effect. We run our own DNS server at Kiip for internal node resolution, and DHCP option sets make that painless (it just makes much more sense to type east-web-001 into your browser instead of 10.101.84.22).

And finally, VPC simply provides a much more realistic server environment. While VPC is a unique product to AWS and appears to “lock you in” to AWS, the model that VPC takes is more akin to if you decided to start running your own dedicated hardware. Having this knowledge beforehand and building up the real world experience surrounding it will be invaluable in case you need to move to your own hardware.

The post also lists some difficulties with the VPC, all of which more or less relate to routing: Getting an internet gateway or NAT instance out of the VPC, communicating between VPCs, setting up a VPN to your datacenter. These can be quite frustrating at times, and the learning curve isn't trivial. All the same, the security advantages alone are probably worth the move, and Amazon support (if you're willing to pay for it) is extremely helpful when it comes to VPC configuration.

Christopher
  • "All nodes are internet addressable" => This can be easily controlled by security groups. "All nodes are on a shared network.." => This can be easily controlled by security groups. "Even if you wanted to disable all traffic on the public hostname, you can’t." => again, security groups. So far none of these are valid reasons OR anyway less secure than the VPC. I hear people say, oh, you can make a mistake in configuring a security group. I would say, you can make the same configuring subnets AND NATs. – Stewie Dec 07 '12 at 00:36
  • @Stewie, it's true that security groups can do those things. One thing that they can't do in EC2 yet can do in VPC is block specific traffic with deny rules. For example, block a specific IP from hitting your public webserver. Also, I would not discount layered security so easily. Sure you can make mistakes anywhere, but in EC2 the public internet is only one mistake away, while in VPC you'd need several. – Martijn Heemels Dec 07 '12 at 13:42
  • Yes, you can't deny IPs, but there are different ways you can mimic that feature at the instance level: iptables, mod_security, third-party IPS etc. Layered security is so 2000! It's 2012, the era of cloud. I run an ops team for a company that is PCI level 1 certified and we process over $10M of credit card transactions per year, so I do take security seriously. Why do you want to mimic the traditional environment when you have already made the switch to cloud? According to me, VPC is for someone who needs a backward compatible system for psychological benefit. – Stewie Dec 07 '12 at 15:15
  • I need VPC so I can easily extend our local network into the cloud. Without specifically controlled address space (either public or private), it's going to be really really hard to route our local traffic up into those instances through a VPN. – RandomInsano Jun 10 '13 at 14:53
  • This answer is no longer correct, especially since new EC2 instances are by default assigned to a VPC now. They work together now; you cannot physically create an instance without either assigning it to an existing VPC or allowing Amazon to create a generic new one. – skrilled May 01 '14 at 17:46
  • @skrilled: That's not quite true. Old accounts can still use EC2-Classic, based on [this FAQ](http://aws.amazon.com/vpc/faqs/). I've edited the question to add a warning up top. – Christopher May 02 '14 at 02:09
  • Yeah, what? I always get the query, "Use EC2-Classic or VPC?" when setting up a network. – rcd May 24 '14 at 17:54
  • @rcd: See the FAQ linked at the top of the question. New AWS accounts now have VPCs enabled by default, but older accounts can still access the "EC2-Classic" services, which are described in greater detail there. – Christopher May 25 '14 at 18:17
  • It is 2017, I still have some EC2-Classic instances and I was looking for an answer on whether I should migrate to VPC. So I landed on this post. Well. Still no answer! I kinda *need* my servers to be publicly addressable because I connect to them remotely from all over the world. I don't care about IP ranges and internal IPs, I don't care about DHCP. Probably "deny" rules in ACLs are the only advantage. But still, a very minor one. – jazzcat May 19 '17 at 07:35
  • Overall, I guess if you don't need to "extend" your private LAN into the cloud via VPN you don't need VPC. – jazzcat May 19 '17 at 07:41

Currently VPC has some useful advantages over EC2, such as:

  • multiple NICs per instance
  • multiple IPs per NIC
  • 'deny'-rules in security-groups
  • DHCP options
  • predictable internal IP ranges
  • moving NICs and internal IPs between instances
  • VPN

Presumably Amazon will upgrade EC2 with some of those features as well, but currently they're VPC-only.

Martijn Heemels
  • I've found carefully constructed security groups in EC2 to be very powerful--I certainly agree with Stewie's comments to Christopher's answer--but it's some of these more finely-grained networking controls that make VPC worthwhile. – Schwartzie Dec 23 '12 at 00:47
  • To supplement @Schwartzie's comment, the NIC feature is pretty much required if you run any sort of licensed on-site software in the cloud (e.g. [AppDynamics](http://www.appdynamics.com/)). Many of those licensing schemes require a consistent MAC address. – Christopher Nov 15 '13 at 17:20
  • Security groups (SGs) in VPC don't have "deny" rules; instead they have outgoing rules. Also in VPC you can reassign SGs to an instance anytime. However, VPC's SGs can't refer to SGs from other AWS accounts. – kirikaza Feb 10 '14 at 20:54
  • It would be nice if they would add (at least some of) these to EC2-Classic. Sometimes you don't need an entire VPC. Yet, having to re-attach the Elastic IP every time you make a change in EC2-Classic, but not having to in VPC, seems like a simple software limitation. – rcd May 24 '14 at 17:55
  • @rcd That's true, but I wouldn't count on many changes to the classic EC2. Amazon seems to really focus on VPC. We've migrated to VPC. The lack of IPv6 is my only annoyance. New AWS accounts or existing accounts in new regions can't even use the old EC2 anymore. The old EC2 is now referred to as "EC2-Classic" while the modern EC2 is named "EC2-VPC". If they launch a new instance a "default VPC" is automatically created which, Amazon claim, provides the same ease of use as EC2-Classic. See http://aws.typepad.com/aws/2013/03/amazon-ec2-update-virtual-private-clouds-for-everyone.html – Martijn Heemels May 27 '14 at 13:03
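As an added illustration (not code from any of the answers above) of the layered setup Christopher's answer and Martijn Heemels's list describe, here is a CloudFormation template: a database security group that admits only members of the web security group (the same group-to-group pattern Alessandro Oliveira mentions for RDS), a private subnet with no internet gateway or NAT route, and a network ACL on that subnet carrying the explicit "deny" rule that EC2-Classic security groups could not express. Resource names and all CIDR ranges are constructed for this example; the denied range is a placeholder from the RFC 5737 documentation block.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  Vpc:
    Type: AWS::EC2::VPC
    Properties: {CidrBlock: 10.0.0.0/16}   # predictable private address space (constructed)
  PrivateSubnet:                           # database nodes live here; no internet gateway or
    Type: AWS::EC2::Subnet                 # NAT is attached, so its only route is VPC-local
    Properties: {VpcId: !Ref Vpc, CidrBlock: 10.0.2.0/24}
  WebSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from anywhere to the web tier
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        - {IpProtocol: tcp, FromPort: 443, ToPort: 443, CidrIp: 0.0.0.0/0}
  DbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: MySQL only from members of the web security group
      VpcId: !Ref Vpc
      SecurityGroupIngress:
        # group-to-group rule: no CIDR to get wrong, and web instances keep
        # access even when their private IPs change
        - {IpProtocol: tcp, FromPort: 3306, ToPort: 3306, SourceSecurityGroupId: !Ref WebSecurityGroup}
  PrivateAcl:
    Type: AWS::EC2::NetworkAcl
    Properties: {VpcId: !Ref Vpc}
  DenyBlockedRange:                        # NACL rules are evaluated in RuleNumber order, so the
    Type: AWS::EC2::NetworkAclEntry        # deny is matched before the allow below
    Properties: {NetworkAclId: !Ref PrivateAcl, RuleNumber: 100, Protocol: -1, RuleAction: deny, CidrBlock: 198.51.100.0/24}
  AllowVpcIngress:                         # "allow any traffic from our private network"
    Type: AWS::EC2::NetworkAclEntry
    Properties: {NetworkAclId: !Ref PrivateAcl, RuleNumber: 200, Protocol: -1, RuleAction: allow, CidrBlock: 10.0.0.0/16}
  AllowVpcEgress:                          # NACLs are stateless: return traffic needs its own rule
    Type: AWS::EC2::NetworkAclEntry
    Properties: {NetworkAclId: !Ref PrivateAcl, RuleNumber: 100, Protocol: -1, RuleAction: allow, Egress: true, CidrBlock: 10.0.0.0/16}
  PrivateAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties: {SubnetId: !Ref PrivateSubnet, NetworkAclId: !Ref PrivateAcl}
```

A custom network ACL starts with only the implicit deny-all entry, so the two allow entries are what let VPC-internal traffic through at all; the security groups then narrow that further per instance.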

VPCs are useful if your app needs to access servers outside of EC2, e.g. if you have a common service that's hosted in your own physical data center and not accessible via the internet. If you're going to put all of your web and DB servers on EC2, there's no reason to use VPC.

gareth_bowles
  • That's a bit simplistic. Currently VPC has some more advantages over EC2, such as multiple NICs per instance, multiple IPs per NIC, 'deny'-rules in security-groups, DHCP options, predictable IP ranges, etc. To me those are far more important than the VPN-to-local-DC feature. Presumably Amazon will upgrade EC2 with some of those features as well, but currently they're VPC-only. – Martijn Heemels Dec 07 '12 at 13:36

Right now VPC is the only way to have internal load balancers.

Delcasda

If you choose RDS to provide your database services, you can configure DB Security Groups to allow database connections from a given EC2 Security Group; then even if you have dynamic IP addresses in your EC2 cluster, RDS will automatically create the firewall rules to allow connections only from your instances, reducing the benefit of a VPC in this case.

A VPC, on the other hand, is great when your EC2 instances have to access your local network: then you can establish a VPN connection between your VPC and your local network, controlling the IP range, subnetworks, routes and outgoing firewall rules, which I think is not what you are looking for.

I would also highly recommend trying Elastic Beanstalk, which provides a console that makes it easy to set up your EC2 cluster for PHP, Java and .NET applications, enabling Auto Scaling, Elastic Load Balancing and Automatic Application Versioning, allowing easy rollback from bad deployments.

Alessandro Oliveira

You have raised a good concern here.

I would like to focus on the viability in terms of cost...

What about the cost factor?

I think you will be paying for that server per hour. Even if you pick a $20-$50 a month instance, it will be something you pay for the rest of your server's life. A VPN server is something you can easily set up on old hardware very cheaply, and even for free with an open-source solution.

Adding VPN to an existing AWS server park makes sense; setting up a solo VPN server on AWS doesn't. I don't think it is the most cost-effective option, but that's just my opinion.

Thanks,

Alisa

  • Your profile says Alex but you signed this as Alisa. Which one is you? Are you a bot, or perhaps a spammer? Anyway, don't put a signature - you already have a profile avatar which tells everyone your name and various other things about you, and links to your profile for those who want to know more. – tripleee Jun 18 '19 at 07:13