In this post, we are going to see the AWS networking foundations, networks, subnetworks, firewall, Internet Gateway, Access Control List, NAT, and other services.
Building networks, segregating the network, configuring routing, and network permissions are architectural decisions important for communications between the systems. Compute Services (EC2, ECS, EKS), Database (RDS, Aurora, ElastiCache), and others allow us to choose the network, subnetwork, availability zone, and firewall for deployment and execution of the AWS service. It is our responsibility to set up the communications needed for the systems and protect them against security attacks that impact the availability and integrity
We start from inwards to towards with the services that are base to other services. Each service has a description, scope, limits, and an example to know their capabilities and boundaries. Let's start.
Virtual Private Cloud (VPC)
Type: Networking.
Scope: Create a virtual private network with an IP addresses block (CIDR). It allows logical isolate the resources deployed in the virtual network from other services that are in the AWS cloud.
Limits: 5 VPC per AWS region. You can adjust the limit by requesting it from AWS support.
Example: To create a VPC you need an IPv4 or IPv6 CIDR block, this value depends on the number of subnetworks and hosts you need. We use CIDR block 192.168.0.0/24 to create VPC on the Ohio AWS region. When you create a VPC by default create Route Table and Network Access Control List (NACL).
Subnets
Type: Networking.
Scope: Create virtual subnetwork inside VPC network to split the network and deploy systems in the subnetwork. You can choose the availability zone (AZ) of the AWS region to create the subnetwork and you can create more than one subnetwork in the same AZ.
Limits: 200 subnets per VPC. You can adjust the limit by requesting it from AWS support.
Example: To create a VPC you need an IPv4 CIDR block that is inside the IPv4 CIDR block of VPC.
Taken 3 bits of VPC network address then we can create 8 subnets (2^3=8). The IPv4 CIDR block for each subnet are:
- 192.168.0.0/27
- 192.168.0.32/27
- 192.168.0.64/27
- 192.168.0.96/27
- 192.168.0.128/27
- 192.168.0.160/27
- 192.168.0.192/27
The other 5 bits are to create hosts, the number of hosts per subnet is 27 (2^5 = 32 - 5). AWS reserves 5 IP addresses in each subnet, the first 4 addresses and the last one.
For the 192.168.0.0/27 CIDR block the IP addresses reserved by AWS are:
- 192.168.0.0, Subnetwork address.
- 192.168.0.1, reserved by AWS for VPC Router.
- 192.168.0.2, reserved by AWS for Amazon-provided DNS.
- 192.168.0.3, reserved by AWS for future use.
- 192.168.0.31, Broadcast, AWS does not support Broadcast communication inside VPC.
For the 192.168.0.32/27 CIDR block the IP addresses reserved by AWS are:
- 192.168.0.32, Subnetwork address.
- 192.168.0.33, reserved by AWS for VPC Router.
- 192.168.0.34, reserved by AWS for Amazon-provided DNS.
- 192.168.0.35, reserved by AWS for future use.
- 192.168.0.63, Broadcast, AWS does not support Broadcast communication inside VPC.
We are going to use the 192.168.0.0/27 CIDR block for Public Subnet (Internet access) and 192.168.0.32/27 CIDR block for Private Subnet (Internal access) on availability zone us-east-2a.
Internet Gateway
Type: Networking.
Scope: Internet access gateway for the resources deployed in subnet and VPC. Also, it is a NAT for instances (EC2, RDS) that has a public IP address.
Limits: 5 Internet Gateway per AWS Region. You can adjust the limit by requesting it from AWS support.
Example: Create Internet Gateway for the VPC 192.168.0.0/24. Just can attach one Internet Gateway per VPC.
Route Table
Type: Networking.
Scope: Create routing rules to address the communications from the resource inside subnet and VPC to destination. Route Table attaches to VPC applies to all subnets of the VPC. Route Table attach directly to subnet has priority over Route Table of VPC.
Limits: 200 Route Tables per VPC and 50 routing rules by Route Table. You can adjust the limit by requesting it from AWS support.
Example: Create and attach new Route Table on Public Subnet (192.168.0.0/27) with routing rules to Internet and VPC network destinations through Internet Gateway and local routing:
For Private Subnet (192.168.0.32/27) create a new Route Table and attach to it with routing rule to VPC network destination through local routing:
Network Access Control List (NACL)
Type: Security.
Scope: Network firewall to control inbound and outbound communication to resources deployed in the subnet using rules. The rule specifies communication protocol, port, source/destination, and allow or deny communication. The rules are sorted by number, have precedence, and are stateless, you need to create inbound and outbound rules to requests and responses.
Limits: 200 NACL per VPC and 20 rules to IPv4 or IPV6 per NACL. You can adjust the limit by requesting it from AWS support.
Example: For Public Subnet (192.168.0.0/27) create and attach NACL with inbound and outbound rules to allow internet access (All traffic).
For Private Subnet (192.168.0.32/27) create and attach NACL with inbound and outbound rules to allow communications from and to Public Subnet (192.168.0.0/27).
Security Group
Type: Security.
Scope: Instance firewall to control inbound and outbound communication to instances (EC2, RDS) using rules. The rule specifies communication protocol, port, and source/destination. The rules are stateful you just need to create inbound/outbound rules for requests received/generated by the instance and is not necessary to create rules for the response.
Limits: 2500 Security Groups per AWS Region and 60 inbound and outbound rules per Security Group. You can adjust the limit by requesting it from AWS support.
Example: For EC2 instance access over internet using HTTP and SSH protocols, deploy on Public Subnet (192.168.0.0/27), create and attach Security Group with inbound rules with sources anywhere and ip address (your ip).
For EC2 instance to internal access only (no internet access), deploy on Private Subnet (192.168.0.32/27), create and attach Security Group with an inbound rule that allows communication from Security Group EC2 Instance of Public Subnet (192.168.0.0/27) over TCP protocol and port 22.
For RDS instance to internal access only (no Internet access), deploy on Private Subnet (192.168.0.32/27), create and attach Security Group with an inbound rule that allows communication from Security Group EC2 Instance of Public Subnet (192.168.0.0/27) and Security Group EC2 Instance of Private Subnet (192.168.0.32/27), both of them over TCP protocol and port 3306.
The EC2 instance on Public Subnet is a Bastion Host (Bridge) to connect to EC2 and RDS instances on Private Subnet witout internet access.
NAT Instance & NAT Gateway
Type: Networking
Scope: Internet access from instances on Private Subnet (without Internet Access) through exchange of ip addresses. Taken the ip address of communication packages send by instances and replace it with the ip address of NAT.
NAT Instance: It is EC2 instances with preconfigured Amazon Machine Image (AMI) and elastic ip address or public ip. The bandwidth depends on the bandwidth of the instance type.
NAT Gateway: Is a NAT service managed by AWS with high availability and elastic ip. Scale up to 45 Gbps in bandwidth. It can handle communication to internet, between VPCs and between VPC and on-premise corporate network.
Limits NAT Instance: Apply EC2 limits.
Limits NAT Gateway: 5 NAT Gateway per availability zone of AWS region. You can adjust the limit by requesting it to AWS support.
Example:
NAT Instance: Create EC2 instance with NAT AMI and deploy on Public Subnet (192.168.0.0/27) with internet access through Internet Gateway.
On Route Table of Private Subnet (192.168.0.32/27) add routing rule to NAT instance when destination is internet.
NAT Gateway: Create NAT Gateway and deploy on Public Subnet (192.168.0.0/27) with internet access through Internet Gateway.
On Route Table of Private Subnet (192.168.0.32/27) add routing rule to NAT Gateway when destination is internet.
Update NACL of Private Subnet (192.168.0.32/27) with inbound and outbound rules that allow internet communications (Request and Response).
Route Table and NACL of Public Subnet (192.168.0.0/27) without changes.
Conclusion
In this post we saw the main networking and security aws services to build a network and allow or deny the communication between the systems deployed on it. We also build a solution to protect the instances by restricting access to and from the internet with network and instance Firewall and allowing connection through Bastion Host and NAT.
Top comments (1)
Very Simple walk through and explanation. Thanks.