Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

Do Amazon VPC benefits outweigh downsides?

Amazon VPC lets companies quickly deploy resources and integrate them with existing IT architectures, as long IT teams can accept AWS's peculiarities.

Virtual private networks are nothing new. Most IT teams are familiar with extending virtualization to servers and...

networks. But what if companies applied those concepts of virtualizing the network into the cloud through a virtual private cloud? Amazon Virtual Private Cloud is a service that allows users to build and manage a network infrastructure within a virtual network.

The inherent flexibility of Amazon Virtual Private Cloud (VPC) allows it to fulfill many requirements, such as a company's need to store duplicate data in multiple locations. Companies only pay for the computing resources they need.

Like a traditional network plan, a VPC revolves around IP address allocation. It uses the classless inter-domain routing (CIDR) address ranges to allocate IP addresses to servers and organizes them in subnets. For example, you can create a VPC with an allocation of 2^16 addresses, and then divide this range into smaller subnets of 2^x. This is where the distinction between traditional network planning and Amazon VPC starts.

A VPC is designed to have data parallel in time and location. To do this, AWS deploys subnets into different availability zones (AZs), each of which is located in an independent and physically separate location.

What does that mean for companies planning to move to AWS? Amazon VPC's flexibility creates a lot of possibilities for an organization, including clustering for high data availability, disaster recovery (DR) and build-out of test and stage environments.

Clustering for high availability. Clustering for high data availability is a way to replicate data across multiple nodes and quickly switch to a functioning node when the current serving node goes down. Deploying clusters across different subnets located in different AZs isolates them environmentally. Communication between VPC subnets is low latency, which reduces the overhead of maintaining data consistency across the cluster. Proper load switching ensures faults remain nearly invisible to end users.

Disaster recovery. When data is replicated within a cluster, the next step is a system-wide replication for DR. In this case, data and application servers must be brought up quickly in the event of unrecoverable error. AWS does this by combining VPC with CloudFormation and Elastic Compute Cloud (EC2).

  • CloudFormation can bring up an EC2 server instance in accordance with a network plan.
  • EC2s bring up specific Amazon Machine Images (AMIs) to serve specific functions within the network.

This means the organization only pays AWS for the time used by active EC2s during a disaster as well as a nominal storage cost for custom AMIs. In contrast, many organizations use duplicate hot standbys, which means they pay deployment and maintenance fees twice. Paying only for the time EC2s use is one way Amazon VPC can save companies money.

Test-and-stage environments. The same technique could be extended from the operational teams to the test-and-dev teams within an organization. Development frameworks such as Spring offer IT pros a flexible way to test single components of a system by hiding other system components. There will be times when an entire system needs to be tested as a whole (fault tolerance, load limit, acceptance testing, etc.). You can use a test data set, Amazon VPC, CloudFormation and EC2s to build out a test environment as similar as possible to the real system. When the test finishes, you can tear down the entire system. You get the benefit of the pay-as-you-go model here, just as you do in the DR environment.

Amazon VPC downsides

Out of the box, Amazon VPC has some benefits, but large organizations may find certain features lacking. For example, such companies may prefer to deploy sophisticated hardware-based router and network appliances. AWS does not support bringing your own hardware.

In terms of network security and access control, VPC uses a security group and a network access control list (ACL). The security group applies control within a subset while the network ACL applies control across subnets. Both the ACL and the security group apply control-based on IP range, protocol type and port ranges. For certain organizations, this level of filtering may not be fine-grained enough.

ACL only allows for 18 application protocols; expanding beyond this limitation requires users to deploy their own software security applications running on EC2. However, companies such as Cisco, F5 and Barracuda, among others, package options as Amazon Machine Instances.

About the author:
Liang Cheng
is an enterprise architect at BLT Global Ventures, which works with companies to leverage cloud services such as AWS, Salesforce and Zuora. Cheng has a master's degree in electrical engineering.  


Next Steps

Explore common reasons to move to a VPC

This was last published in December 2014

Dig Deeper on AWS security

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.