Amazon VPC on the AWS Cloud

Quick Start Reference Deployment


July, 2020

Santiago Cardenas, AWS Quick Start team

Visit our GitHub repository for source files and to post feedback, report bugs, or submit feature ideas for this Quick Start.

This Quick Start was created by Amazon Web Services (AWS). Quick Starts are automated reference deployments that use AWS CloudFormation templates to deploy key technologies on AWS, following AWS best practices.

Overview

This Quick Start provides a networking foundation for AWS Cloud infrastructures. It deploys an Amazon Virtual Private Cloud (Amazon VPC) according to AWS best practices and guidelines. Amazon VPC is the networking layer for Amazon Elastic Compute Cloud (Amazon EC2) and provides a private, isolated section of the AWS Cloud where you can launch AWS services and other resources in a virtual network. For a discussion of best design practices for Amazon VPC environments, see the documentation and articles listed in the Other useful information section.

Amazon may share who uses AWS Quick Starts with the AWS Partner Network (APN) Partner that collaborated with AWS on the content of the Quick Start.

Amazon VPC on AWS

The Amazon VPC architecture includes public and private subnets. The first set of private subnets share the default network access control list (ACL) from the Amazon VPC, and a second, optional set of private subnets includes dedicated custom network ACLs per subnet.

Optionally you may choose to deploy a completely public VPC (no private subnets), or a completely private VPC (no public subnets).

The Quick Start divides the Amazon VPC address space in a predictable manner across multiple Availability Zones, and deploys either NAT instances or NAT gateways for outbound Internet access, depending on the AWS Region you deploy the Quick Start in.

You can use this Quick Start as a building block for your own deployments. You can scale it up or down by adding or removing subnets and Availability Zones according to your needs, and add other infrastructure components and software layers to complete your AWS environment.

Cost

You are responsible for the cost of the AWS services used while running this Quick Start. There is no additional cost for using the Quick Start.

The AWS CloudFormation template for this Quick Start includes configuration parameters that you can customize. Some of the settings, such as the instance type, affect the cost of deployment. For cost estimates, see the pricing pages for each AWS service you use. Prices are subject to change.

After you deploy the Quick Start, enable the AWS Cost and Usage Report to deliver billing metrics to an Amazon Simple Storage Service (Amazon S3) bucket in your account. It provides cost estimates based on usage throughout each month and aggregates the data at the end of the month. For more information about the report, see the AWS documentation.

Software licenses

There are no licensing requirements for this Quick Start.

Architecture

Deploying this Quick Start for a new virtual private cloud (VPC) with default parameters builds the following Amazon VPC environment in the AWS Cloud.

Figure 1. Quick Start architecture for Amazon VPC on AWS

* The IP addresses exclude five addresses from each subnet that are reserved and unavailable for use.

As shown in Figure 1, the Quick Start sets up the following:

The AWS CloudFormation template sets up the virtual network and creates networking resources.

The template creates a Multi-AZ, multi-subnet VPC infrastructure with managed NAT gateways in the public subnet for each Availability Zone. You can also create additional private subnets with dedicated custom network access control lists (ACLs). If you deploy the Quick Start in a region that doesn’t support NAT gateways, NAT instances are deployed instead. Default subnet sizes are based on a typical deployment but can be reconfigured, as discussed in the Subnet Sizing section.

The Quick Start also includes VPC endpoints, which provide a secure, reliable connection to Amazon S3 without requiring an Internet gateway, a NAT device, or a virtual private gateway. With these endpoints, you can access S3 resources from within the VPC created by the Quick Start. These endpoints are valid only for the AWS Region in which you launch the Quick Start.

The Quick Start uses the default endpoint policy, which gives any user or service within the VPC full access to Amazon S3 resources. This policy supplements any IAM user policies or S3 bucket policies that you may have in place.

The Quick Start also enables Domain Name System (DNS) resolution in the VPC. For more information about VPC endpoints, see the AWS documentation.
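The default endpoint policy described above places no limit on principal, action, or resource, so it is worth checking for after deployment. The following audit is an added example, not part of the Quick Start templates: the policy document is constructed here to represent the full-access default the guide describes, and the function names and the bucket name `example-app-data` are hypothetical.

```python
import json

# Constructed sample: a full-access endpoint policy of the kind the guide
# describes as the default (any principal, any action, any resource).
DEFAULT_ENDPOINT_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM policy fields may be a single value or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def full_access_statements(policy):
    """Return the indexes of Allow statements that do not restrict
    principal, action, or resource (and carry no Condition)."""
    hits = []
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # Deny statements and conditioned Allows are not "full access"
        principal = stmt.get("Principal")
        any_principal = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        any_action = any(a in ("*", "s3:*") for a in _as_list(stmt.get("Action", [])))
        any_resource = any(
            r in ("*", "arn:aws:s3:::*") for r in _as_list(stmt.get("Resource", []))
        )
        if any_principal and any_action and any_resource:
            hits.append(index)
    return hits


def scoped_policy(buckets, actions=("s3:GetObject", "s3:PutObject", "s3:ListBucket")):
    """Build an endpoint policy limited to the named buckets and actions.
    Bucket names are supplied by the caller; the ones used below are hypothetical."""
    resources = []
    for bucket in buckets:
        resources += [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Principal": "*",
             "Action": list(actions), "Resource": resources}
        ],
    }


if __name__ == "__main__":
    print("default policy, full-access statements:",
          full_access_statements(DEFAULT_ENDPOINT_POLICY))
    tightened = scoped_policy(["example-app-data"])
    print("scoped policy, full-access statements:",
          full_access_statements(tightened))
    print(json.dumps(tightened, indent=2))
```

A scoped policy must also list any buckets that instances reach through the endpoint for other reasons, such as package repositories hosted on Amazon S3.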

Planning the deployment

Specialized knowledge

This deployment guide requires a moderate level of familiarity with AWS services. If you’re new to AWS, visit the Getting Started Resource Center and the AWS Training and Certification website. These sites provide materials for learning how to design, deploy, and operate your infrastructure and applications on the AWS Cloud.

This Quick Start assumes familiarity with VPC architecture and CloudFormation.

AWS account

If you don’t already have an AWS account, create one at https://aws.amazon.com by following the on-screen instructions. Part of the sign-up process involves receiving a phone call and entering a PIN using the phone keypad.

Your AWS account is automatically signed up for all AWS services. You are charged only for the services you use.

Technical requirements

Before you launch the Quick Start, your account must be configured as specified in the following table. Otherwise, deployment might fail.

Resource limits

If necessary, request service quota increases for the following resources. You might need to request increases if your existing deployment currently uses these resources, and this Quick Start deployment could result in exceeding the default quotas. The Service Quotas console displays your usage and quotas for some aspects of some services. For more information, see the AWS documentation.

| Resource | This deployment uses |
| --- | --- |
| VPCs | 1 |

Supported Regions

| Code | Name | Opt-in Status |
| --- | --- | --- |
| us-east-2 | US East (Ohio) | Not required |
| us-east-1 | US East (N. Virginia) | Not required |
| us-west-1 | US West (N. California) | Not required |
| us-west-2 | US West (Oregon) | Not required |
| af-south-1 | Africa (Cape Town) | Required |
| ap-east-1 | Asia Pacific (Hong Kong) | Required |
| ap-south-1 | Asia Pacific (Mumbai) | Not required |
| ap-northeast-3 | Asia Pacific (Osaka-Local) | Not required |
| ap-northeast-2 | Asia Pacific (Seoul) | Not required |
| ap-southeast-1 | Asia Pacific (Singapore) | Not required |
| ap-southeast-2 | Asia Pacific (Sydney) | Not required |
| ap-northeast-1 | Asia Pacific (Tokyo) | Not required |
| ca-central-1 | Canada (Central) | Not required |
| eu-central-1 | Europe (Frankfurt) | Not required |
| eu-west-1 | Europe (Ireland) | Not required |
| eu-west-2 | Europe (London) | Not required |
| eu-south-1 | Europe (Milan) | Required |
| eu-west-3 | Europe (Paris) | Not required |
| eu-north-1 | Europe (Stockholm) | Not required |
| me-south-1 | Middle East (Bahrain) | Required |
| sa-east-1 | South America (São Paulo) | Not required |

Certain Regions are available on an opt-in basis. Refer to the AWS Documentation on Managing Regions for more information.

EC2 key pairs

Make sure that at least one Amazon EC2 key pair exists in your AWS account in the Region where you plan to deploy the Quick Start. Make note of the key pair name. You need it during deployment. To create a key pair, follow the instructions in the AWS documentation.

For testing or proof-of-concept purposes, we recommend creating a new key pair instead of using one that’s already being used by a production instance.

IAM permissions

Before launching the Quick Start, you must log in to the AWS Management Console with IAM permissions for the resources and actions the templates deploy.

The AdministratorAccess managed policy within IAM provides sufficient permissions, although your organization may choose to use a custom policy with more restrictions.

Deployment options

This Quick Start provides one deployment option:

  • Deploy a new VPC (end-to-end deployment). This option builds a new AWS environment consisting of the VPC, subnets, NAT gateways, security groups, and other infrastructure components.

Deployment steps

Sign in to your AWS account

  1. Sign in to your AWS account at https://aws.amazon.com with an IAM user role that has the necessary permissions. For details, see Planning the deployment earlier in this guide.

  2. Make sure that your AWS account is configured correctly, as discussed in the Technical requirements section.

Launch the Quick Start

You are responsible for the cost of the AWS services used while running this Quick Start reference deployment. There is no additional cost for using this Quick Start. For full details, see the pricing pages for each AWS service used by this Quick Start. Prices are subject to change.
  1. Sign in to your AWS account, and choose the following option to launch the AWS CloudFormation template.

Deploy Amazon VPC on AWS

View template

Also, make sure that the domain name option in the DHCP options is configured as explained in the Amazon VPC documentation. You provide your VPC settings when you launch the Quick Start.

Each deployment takes about 5 minutes to complete.

  2. Check the AWS Region that’s displayed in the upper-right corner of the navigation bar, and change it if necessary. This is where the network infrastructure for Amazon VPC will be built. The template is launched in the us-west-2 Region by default.

  3. On the Create stack page, keep the default setting for the template URL, and then choose Next.

  4. On the Specify stack details page, change the stack name if needed. Review the parameters for the template. Provide values for the parameters that require input. For all other parameters, review the default settings and customize them as necessary. For example, you can change the network configuration parameters if you want to reconfigure the subnet segmentation used for the VPC, as discussed earlier in the Subnet Sizing section.

In the following tables, parameters are listed by category and described separately for the deployment options. When you finish reviewing and customizing the parameters, choose Next.

Unless you are customizing the Quick Start templates for your own deployment projects, we recommend that you keep the default settings for the parameters labeled Quick Start S3 bucket name, Quick Start S3 bucket Region, and Quick Start S3 key prefix. Changing these parameter settings automatically updates code references to point to a new Quick Start location. For more information, see the AWS Quick Start Contributor’s Guide.

Launch a New VPC

Table 1. Availability Zone Configuration
| Parameter label (name) | Default value | Description |
| --- | --- | --- |
| Availability Zones (AvailabilityZones) | Requires input | List of Availability Zones to use for the subnets in the VPC. Note: The logical order is preserved. |
| Number of Availability Zones (NumberOfAZs) | 2 | Number of Availability Zones to use in the VPC. This must match your selections in the list of Availability Zones parameter. |

Table 2. Network Configuration
| Parameter label (name) | Default value | Description |
| --- | --- | --- |
| VPC CIDR (VPCCIDR) | 10.0.0.0/16 | CIDR block for the VPC |
| Create public subnets (CreatePublicSubnets) | true | Set to false to create only private subnets. If false, CreatePrivateSubnets must be True and the CIDR parameters for ALL public subnets will be ignored |
| Public subnet 1 CIDR (PublicSubnet1CIDR) | 10.0.128.0/20 | CIDR block for the public DMZ subnet 1 located in Availability Zone 1 |
| Public subnet 2 CIDR (PublicSubnet2CIDR) | 10.0.144.0/20 | CIDR block for the public DMZ subnet 2 located in Availability Zone 2 |
| Public subnet 3 CIDR (PublicSubnet3CIDR) | 10.0.160.0/20 | CIDR block for the public DMZ subnet 3 located in Availability Zone 3 |
| Public subnet 4 CIDR (PublicSubnet4CIDR) | 10.0.176.0/20 | CIDR block for the public DMZ subnet 4 located in Availability Zone 4 |
| Tag for Public Subnets (PublicSubnetTag1) | Network=Public | tag to add to public subnets, in format Key=Value (Optional) |
| Tag for Public Subnets (PublicSubnetTag2) | Blank string | tag to add to public subnets, in format Key=Value (Optional) |
| Tag for Public Subnets (PublicSubnetTag3) | Blank string | tag to add to public subnets, in format Key=Value (Optional) |
| Create private subnets (CreatePrivateSubnets) | true | Set to false to create only public subnets. If false, the CIDR parameters for ALL private subnets will be ignored. |
| Create NAT Gateways (CreateNATGateways) | true | Set to false when creating only private subnets. If True, both CreatePublicSubnets and CreatePrivateSubnets must also be true. |
| Private subnet 1A CIDR (PrivateSubnet1ACIDR) | 10.0.0.0/19 | CIDR block for private subnet 1A located in Availability Zone 1 |
| Private subnet 2A CIDR (PrivateSubnet2ACIDR) | 10.0.32.0/19 | CIDR block for private subnet 2A located in Availability Zone 2 |
| Private subnet 3A CIDR (PrivateSubnet3ACIDR) | 10.0.64.0/19 | CIDR block for private subnet 3A located in Availability Zone 3 |
| Private subnet 4A CIDR (PrivateSubnet4ACIDR) | 10.0.96.0/19 | CIDR block for private subnet 4A located in Availability Zone 4 |
| Tag for Private A Subnets (PrivateSubnetATag1) | Network=Private | tag to add to private subnets A, in format Key=Value (Optional) |
| Tag for Private A Subnets (PrivateSubnetATag2) | Blank string | tag to add to private subnets A, in format Key=Value (Optional) |
| Tag for Private A Subnets (PrivateSubnetATag3) | Blank string | tag to add to private subnets A, in format Key=Value (Optional) |
| Create additional private subnets with dedicated network ACLs (CreateAdditionalPrivateSubnets) | false | Set to true to create a network ACL protected subnet in each Availability Zone. If false, the CIDR parameters for those subnets will be ignored. If true, it also requires that the 'Create private subnets' parameter is also true to have any effect. |
| Private subnet 1B with dedicated network ACL CIDR (PrivateSubnet1BCIDR) | 10.0.192.0/21 | CIDR block for private subnet 1B with dedicated network ACL located in Availability Zone 1 |
| Private subnet 2B with dedicated network ACL CIDR (PrivateSubnet2BCIDR) | 10.0.200.0/21 | CIDR block for private subnet 2B with dedicated network ACL located in Availability Zone 2 |
| Private subnet 3B with dedicated network ACL CIDR (PrivateSubnet3BCIDR) | 10.0.208.0/21 | CIDR block for private subnet 3B with dedicated network ACL located in Availability Zone 3 |
| Private subnet 4B with dedicated network ACL CIDR (PrivateSubnet4BCIDR) | 10.0.216.0/21 | CIDR block for private subnet 4B with dedicated network ACL located in Availability Zone 4 |
| Tag for Private B Subnets (PrivateSubnetBTag1) | Network=Private | tag to add to private subnets B, in format Key=Value (Optional) |
| Tag for Private B Subnets (PrivateSubnetBTag2) | Blank string | tag to add to private subnets B, in format Key=Value (Optional) |
| Tag for Private B Subnets (PrivateSubnetBTag3) | Blank string | tag to add to private subnets B, in format Key=Value (Optional) |
| VPC Tenancy (VPCTenancy) | default | The allowed tenancy of instances launched into the VPC |

Table 3. Deprecated: NAT Instance Configuration
| Parameter label (name) | Default value | Description |
| --- | --- | --- |
| Deprecated: Key pair name (KeyPairName) | deprecated | Deprecated. NAT gateways are now supported in all regions. |
| Deprecated: NAT instance type (NATInstanceType) | deprecated | Deprecated. NAT gateways are now supported in all regions. |

  5. On the options page, you can specify tags (key-value pairs) for resources in your stack and set advanced options. When you’re done, choose Next.

  6. On the Review page, review and confirm the template settings. Under Capabilities, select the two check boxes to acknowledge that the template creates IAM resources and might require the ability to automatically expand macros.

  7. Choose Create stack to deploy the stack.

  8. Monitor the status of the stack. When the status is CREATE_COMPLETE, the Amazon VPC deployment is ready.

  9. Use the values displayed in the Outputs tab for the stack, as shown in Figure 2, to view the created resources.

Figure 2. Amazon VPC outputs after successful deployment

Add AWS services or other applications

After you use this Quick Start to build your VPC environment, you can deploy additional Quick Starts or deploy your own applications on top of this AWS infrastructure. If you decide to extend your AWS environment with additional Quick Starts for trial or production use, we recommend that you choose the option to deploy the Quick Start into an existing VPC, where that option is available.

If you decide to deploy additional private subnets with dedicated network ACLs, make sure you review the configuration and adjust it accordingly. By default, the custom ACLs are configured to allow all inbound and outbound traffic to flow in order to facilitate the deployment of additional infrastructure. For more information, see Network ACLs and Recommended Network ACL Rules for Your VPC in the Amazon VPC documentation.

Best practices for using Amazon VPC on AWS

The architecture built by this Quick Start supports AWS best practices for high availability and security. The Quick Start provides:

  • Up to four Availability Zones for high availability and disaster recovery. (AWS recommends maximizing your use of Availability Zones to isolate a data center outage.) Availability Zones are geographically distributed within a region and spaced for best insulation and stability in the event of a natural disaster.

  • Separate subnets for unique routing requirements. AWS recommends using public subnets for external-facing resources and private subnets for internal resources. For each Availability Zone, this Quick Start provisions one public subnet and one private subnet by default. (If you need public subnets only, you can disable the creation of the private subnets.) For subnet sizing strategies, see the next section.

  • Additional layer of security. AWS recommends using network ACLs as firewalls to control inbound and outbound traffic at the subnet level. This Quick Start provides an option to create a network ACL protected subnet in each Availability Zone. These network ACLs provide individual controls that you can customize as a second layer of defense.

We recommend that you use network ACLs sparingly for the following reasons: they can be complex to manage, they are stateless, every IP address must be explicitly opened in each (inbound/outbound) direction, and they affect a complete subnet. We recommend that you use security groups more often than network ACLs, and create and apply these based on a schema that works for your organization. Some examples are server roles and application roles. For more information about security groups and network ACLs, see the Security section later in this guide.

  • Independent route tables configured for every private subnet to control the flow of traffic within and outside the Amazon VPC. The public subnets share a single routing table, because they all use the same Internet gateway as the sole route to communicate with the Internet.

  • Highly available NAT gateways, where supported, instead of NAT instances. NAT gateways offer major advantages in terms of deployment, availability, and maintenance. For more information see the comparison provided in the Amazon VPC documentation.

  • Spare capacity for additional subnets, to support your environment as it grows or changes over time.

For additional information about these best practices, see the following documentation:

Subnet Sizing

In this Quick Start, the sizing of CIDR blocks used in the subnets is based on a typical deployment, where private subnets would have roughly double the number of instances found in public subnets. However, during deployment, you can use the CIDR block parameters to resize the CIDR scopes to meet your architectural needs.

In the default subnet allocation, the VPC is divided into subnet types and then further segmented per Availability Zone, as illustrated in Figure 1. The Quick Start provides the following default CIDR block sizes to maximize capacity:

VPC: 10.0.0.0/16
  Private subnets A: 10.0.0.0/17
    Availability Zone 1: 10.0.0.0/19
    Availability Zone 2: 10.0.32.0/19
    Availability Zone 3: 10.0.64.0/19
    Availability Zone 4: 10.0.96.0/19
  Public subnets: 10.0.128.0/18
    Availability Zone 1: 10.0.128.0/20
    Availability Zone 2: 10.0.144.0/20
    Availability Zone 3: 10.0.160.0/20
    Availability Zone 4: 10.0.176.0/20
  Private subnets B with dedicated custom network ACL: 10.0.192.0/19
    Availability Zone 1: 10.0.192.0/21
    Availability Zone 2: 10.0.200.0/21
    Availability Zone 3: 10.0.208.0/21
    Availability Zone 4: 10.0.216.0/21
  Spare subnet capacity: 10.0.224.0/19
    Availability Zone 1: 10.0.224.0/21
    Availability Zone 2: 10.0.232.0/21
    Availability Zone 3: 10.0.240.0/21
    Availability Zone 4: 10.0.248.0/21

Alternatively, there may be situations where you would want to separate the CIDR scopes by dividing the VPC into Availability Zones and then into subnet types. The recommended CIDR blocks to maximize capacity for this scenario are as follows:

VPC: 10.0.0.0/16
  Availability Zone 1: 10.0.0.0/18
    Private subnet A: 10.0.0.0/19
    Public subnet: 10.0.32.0/20
    Private subnet B: 10.0.48.0/21
    Spare subnet capacity: 10.0.56.0/21
  Availability Zone 2: 10.0.64.0/18
    Private subnet A: 10.0.64.0/19
    Public subnet: 10.0.96.0/20
    Private subnet B: 10.0.112.0/21
    Spare subnet capacity: 10.0.120.0/21
  Availability Zone 3: 10.0.128.0/18
    Private subnet A: 10.0.128.0/19
    Public subnet: 10.0.160.0/20
    Private subnet B: 10.0.176.0/21
    Spare subnet capacity: 10.0.184.0/21
  Availability Zone 4: 10.0.192.0/18
    Private subnet A: 10.0.192.0/19
    Public subnet: 10.0.224.0/20
    Private subnet B: 10.0.240.0/21
    Spare subnet capacity: 10.0.248.0/21

To customize the CIDR ranges for this scenario or to implement your own segmentation strategy, you can configure the Quick Start parameters described in Launch a new VPC. For more information about VPC and subnet sizing, see the AWS documentation.
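When you change the CIDR parameters, a pre-launch check catches overlaps and out-of-range blocks before CloudFormation does. The following is an added example, not part of the Quick Start templates: it takes the parameter names and default values from the Network Configuration table, and the function name `check_cidr_plan` is illustrative. It verifies containment and overlap, reports usable addresses after the five reserved per subnet, and computes the unallocated space.

```python
import ipaddress
from itertools import combinations

AWS_RESERVED_PER_SUBNET = 5  # the five addresses the guide lists as unavailable

DEFAULT_VPC_CIDR = "10.0.0.0/16"
# Default values of the CIDR parameters from the Network Configuration table.
DEFAULT_PLAN = {
    "PrivateSubnet1ACIDR": "10.0.0.0/19",
    "PrivateSubnet2ACIDR": "10.0.32.0/19",
    "PrivateSubnet3ACIDR": "10.0.64.0/19",
    "PrivateSubnet4ACIDR": "10.0.96.0/19",
    "PublicSubnet1CIDR": "10.0.128.0/20",
    "PublicSubnet2CIDR": "10.0.144.0/20",
    "PublicSubnet3CIDR": "10.0.160.0/20",
    "PublicSubnet4CIDR": "10.0.176.0/20",
    "PrivateSubnet1BCIDR": "10.0.192.0/21",
    "PrivateSubnet2BCIDR": "10.0.200.0/21",
    "PrivateSubnet3BCIDR": "10.0.208.0/21",
    "PrivateSubnet4BCIDR": "10.0.216.0/21",
}


def check_cidr_plan(vpc_cidr, plan):
    """Validate a {parameter name: CIDR} plan against the VPC CIDR.

    Returns a dict with:
      errors - list of human-readable problems (empty when the plan is sound)
      usable - addresses available per valid subnet after the AWS reservation
      spare  - unallocated blocks left in the VPC, as CIDR strings
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    errors, nets = [], {}

    for name, cidr in plan.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict: rejects host bits set
        except ValueError as exc:
            errors.append(f"{name}: invalid CIDR ({exc})")
            continue
        if net.version != vpc.version or not net.subnet_of(vpc):
            errors.append(f"{name}: {net} is outside the VPC range {vpc}")
            continue
        nets[name] = net

    # Any two subnets in one VPC must be disjoint.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            errors.append(f"{a} {net_a} overlaps {b} {net_b}")

    # Carve each subnet out of the free space to find what is left over.
    free = [vpc]
    for net in nets.values():
        for block in free:
            if net.subnet_of(block):
                free.remove(block)
                free.extend(block.address_exclude(net))
                break  # safe: we stop iterating right after mutating the list

    return {
        "errors": errors,
        "usable": {n: net.num_addresses - AWS_RESERVED_PER_SUBNET
                   for n, net in nets.items()},
        "spare": [str(n) for n in ipaddress.collapse_addresses(free)],
    }


if __name__ == "__main__":
    report = check_cidr_plan(DEFAULT_VPC_CIDR, DEFAULT_PLAN)
    print("errors:", report["errors"])
    print("spare :", report["spare"])
    for name, count in report["usable"].items():
        print(f"{name:22} {DEFAULT_PLAN[name]:16} {count} usable")
```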

Security

Public and Private Subnets

This Quick Start provisions one public and one private subnet in each Availability Zone by default. You can also choose to add additional private subnets with dedicated network ACLs.

A public subnet is directly routable to the Internet via a route in the route table that points to the Internet gateway. This type of subnet allows the use of Elastic IPs and public IPs, and (if the security group and network ACLs permit) a public subnet is reachable from the Internet. A public subnet is useful as a DMZ infrastructure for web servers and for Internet-facing Elastic Load Balancing (ELB) load balancers.

Private subnets can indirectly route to the Internet via a NAT instance or NAT gateway. These NAT devices reside in a public subnet in order to route directly to the Internet. Instances in a private subnet are not externally reachable from outside the Amazon VPC, regardless of whether they have a public or Elastic IP address attached. A private subnet is useful for application servers and databases.

Using Security Groups and Network ACLs

The following table describes the differences between security groups and network ACLs:

| Security group | Network ACL |
| --- | --- |
| Operates at the instance level (first layer of defense) | Operates at the subnet level (second layer of defense) |
| Supports allow rules only | Supports allow rules and deny rules |
| Is stateful: Return traffic is automatically allowed, regardless of any rules | Is stateless: Return traffic must be explicitly allowed by rules |
| We evaluate all rules before deciding whether to allow traffic | We process rules in numerical order when deciding whether to allow traffic |
| Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on | Automatically applies to all instances in the subnets it’s associated with (backup layer of defense, so you don’t have to rely on someone specifying the security group) |

The network ACLs in this Quick Start are configured as follows:

  • All public and private subnets are associated with the same default network ACL, which is automatically created for all VPCs on AWS. This network ACL allows all inbound and outbound traffic. As you deploy instances and services, you should associate them with security groups and allow only the traffic and ports needed for your application.

  • Each additional private subnet is associated with a custom network ACL (1:1 ratio). These network ACLs are initially configured to allow all inbound and outbound traffic to facilitate the deployment of additional instances and services. As with the other subnets, you should use security groups to secure the environment internally, and you can lock down the custom network ACLs during or after deployment as required by your application.
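Locking down the custom network ACLs means accounting for the two properties in the table above: rules are processed in numerical order, and return traffic is not allowed automatically. The following simplified model is an added example, not part of the Quick Start: the rule numbers, addresses, ports, and function names are constructed for illustration, and it covers only IPv4 with TCP/UDP/all protocols.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int              # lower numbers are processed first
    action: str              # "allow" or "deny"
    cidr: str                # source (inbound) or destination (outbound)
    protocol: str = "all"    # "tcp", "udp" or "all"
    port_from: int = 0
    port_to: int = 65535


def evaluate(rules, ip, protocol, port):
    """First matching rule in ascending number order decides.
    If nothing matches, the traffic is denied."""
    addr = ipaddress.ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol not in ("all", protocol):
            continue
        if rule.protocol != "all" and not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action
    return "deny"


def tcp_exchange_allowed(inbound, outbound, client_ip, client_port, server_port):
    """Server inside the subnet, client outside it. Because the ACL is
    stateless, the reply to the client's source port is checked separately."""
    request = evaluate(inbound, client_ip, "tcp", server_port)
    reply = evaluate(outbound, client_ip, "tcp", client_port)
    return request == "allow" and reply == "allow"


def is_wide_open(rules):
    """True when the lowest-numbered rule allows all protocols from anywhere."""
    if not rules:
        return False
    first = min(rules, key=lambda r: r.number)
    return (first.action, first.protocol, first.cidr) == ("allow", "all", "0.0.0.0/0")


# Constructed: the allow-all state the guide describes for the custom ACLs.
INITIAL = [Rule(100, "allow", "0.0.0.0/0")]

# Constructed lock-down for private subnet 1B: HTTPS from private subnet 1A only.
LOCKED_IN = [Rule(100, "allow", "10.0.0.0/19", "tcp", 443, 443)]
# Mistake: mirrors the inbound port, so replies to the client's port are dropped.
BROKEN_OUT = [Rule(100, "allow", "10.0.0.0/19", "tcp", 443, 443)]
# Fix: allow replies to the client's ephemeral port range.
FIXED_OUT = [Rule(100, "allow", "10.0.0.0/19", "tcp", 1024, 65535)]

if __name__ == "__main__":
    print("initial ACL wide open:", is_wide_open(INITIAL))
    for label, out in (("broken", BROKEN_OUT), ("fixed", FIXED_OUT)):
        ok = tcp_exchange_allowed(LOCKED_IN, out, "10.0.1.10", 50000, 443)
        print(f"{label} outbound rules, HTTPS exchange works:", ok)
    # Rule order: a deny only takes effect if it is numbered before the allow.
    for number in (90, 110):
        rules = LOCKED_IN + [Rule(number, "deny", "10.0.5.0/24")]
        print(f"deny at {number}:", evaluate(rules, "10.0.5.10", "tcp", 443))
```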

If the Quick Start deploys NAT instances instead of NAT gateways in the AWS Region you selected, it adds a single security group as a virtual firewall. This security group is required for NAT instances and any other instances in the private subnets to access the Internet. The security group is configured as follows:

Inbound:

| Source | Protocol | Ports |
| --- | --- | --- |
| VPC CIDR | All | All |

Outbound:

| Destination | Protocol | Ports |
| --- | --- | --- |
| 0.0.0.0/0 | All | All |

For additional details, see Security in Your VPC in the Amazon VPC documentation.

Other useful information

Quick Start reference deployments

GitHub Repository

You can visit our GitHub repository to download the templates and scripts for this Quick Start, to post your comments, and to share your customizations with others.

FAQ

Q. I encountered a CREATE_FAILED error when I launched the Quick Start.

A. If AWS CloudFormation fails to create the stack, we recommend that you relaunch the template with Rollback on failure set to No. (This setting is under Advanced in the AWS CloudFormation console, Options page.) With this setting, the stack’s state is retained and the instance is left running, so you can troubleshoot the issue. (For Windows, look at the log files in %ProgramFiles%\Amazon\EC2ConfigService and C:\cfn\log.)

When you set Rollback on failure to Disabled, you continue to incur AWS charges for this stack. Please make sure to delete the stack when you finish troubleshooting.

For additional information, see Troubleshooting AWS CloudFormation on the AWS website.

Q. I encountered a size limitation error when I deployed the AWS CloudFormation templates.

A. We recommend that you launch the Quick Start templates from the links in this guide or from another S3 bucket. If you deploy the templates from a local copy on your computer or from a location other than an S3 bucket, you might encounter template size limitations. For more information about AWS CloudFormation quotas, see the AWS documentation.

Troubleshooting

The following table lists specific CREATE_FAILED error messages you might encounter.

| Error message | Possible cause | What to do |
| --- | --- | --- |
| API: ec2: RunInstances Not authorized for images: ami-ID | The template is referencing an AMI that has expired. | We refresh AMIs on a regular basis, but our schedule isn’t always synchronized with AWS AMI updates. If you get this error message, notify us, and we’ll update the template with the new AMI ID. If you’d like to fix the template yourself, you can download it and update the Mappings section with the latest AMI ID for your region. |
| We currently do not have sufficient t2.small capacity in the AZ you requested | The NAT instance requires a larger or different instance type | Switch to an instance type that supports higher capacity. If a higher-capacity instance type isn’t available, try a different Availability Zone or region. Or you can complete the request form in the AWS Support Center to increase the Amazon EC2 limit for the instance type or region. Limit increases are tied to the region they were requested for. |
| Instance ID did not stabilize | You have exceeded your IOPS for the region. | Request a limit increase by completing the request form in the AWS Support Center. |

If you encounter a template validation error during deployment, check for a mismatch in the values of the Availability Zones and Number of Availability Zones parameters. If you select more Availability Zones than you request, the AWS CloudFormation template won’t validate. Correct the parameters so that they’re in sync, and redeploy the Quick Start.

Send us feedback

To post feedback, submit feature ideas, or report bugs, use the Issues section of the GitHub repository for this Quick Start. If you’d like to submit code, please review the Quick Start Contributor’s Guide.


© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Notices

This document is provided for informational purposes only. It represents AWS’s current product offerings and practices as of the date of issue of this document, which are subject to change without notice. Customers are responsible for making their own independent assessment of the information in this document and any use of AWS’s products or services, each of which is provided “as is” without warranty of any kind, whether expressed or implied. This document does not create any warranties, representations, contractual commitments, conditions, or assurances from AWS, its affiliates, suppliers, or licensors. The responsibilities and liabilities of AWS to its customers are controlled by AWS agreements, and this document is not part of, nor does it modify, any agreement between AWS and its customers.

The software included with this paper is licensed under the Apache License, version 2.0 (the "License"). You may not use this file except in compliance with the License. A copy of the License is located at http://aws.amazon.com/apache2.0/ or in the accompanying "license" file. This code is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either expressed or implied. See the License for specific language governing permissions and limitations.