DEV Community

Opeyemi Jokanola

What you need to know about AWS VPC

While studying for my AWS Certified Cloud Practitioner exam, one of the recurring concepts was AWS VPC, and I did my best to understand the networking technology behind it. You may wonder what a VPC is; I will attempt to break it down.

A virtual private cloud (VPC) is a virtual, logically isolated network in which you deploy your AWS resources. A VPC is a regional resource: it lives in one AWS region and can span all Availability Zones in that region. Every new AWS account comes with a default VPC in each region, and new EC2 instances are launched into the default VPC if no subnet is specified. The default VPC has internet connectivity, and instances launched into its default subnets are assigned public IPv4 addresses automatically. A VPC is logically isolated from every other virtual network in the AWS cloud. Within a VPC you choose the IP address range (an IPv4 CIDR block between /16 and /28), create subnets, and configure route tables, an internet gateway, NAT gateways, security groups and network access control lists (NACLs). You can have several VPCs in a region; the default quota is 5 per region, and it can be raised on request.

You can imagine the AWS cloud as a well-architected estate made up of several blocks of flats. A VPC is one furnished flat in that estate. Some gadgets are arranged in the living room and some in the bedroom, and a visitor (in this case, a packet from the internet) has to come in through the front door and is only shown some of the rooms. In other words, a VPC is a private network in AWS in which you provision resources such as applications, databases and servers. The components of a VPC are broken down below:

Internet Gateway

This can be likened to the landline in your flat: it is the one means by which visitors from outside the estate can reach you. If the landline is unavailable, nobody outside can reach you, and only residents inside the flat can talk to one another. In AWS, the internet gateway is the target of the default route to the internet; it is what enables resources in the VPC to communicate with the internet. An internet gateway scales horizontally and is highly available and redundant by design. It is created separately from the VPC and then attached to it; a VPC can have only one internet gateway attached, and an internet gateway can be attached to only one VPC. Note that an internet gateway on its own does not allow internet traffic: the subnet's route table must contain a route (typically 0.0.0.0/0) pointing at the gateway, and the instance must have a public IPv4 or Elastic IP address. An internet gateway has two functions: A) to provide a target in the VPC route tables for internet-routable traffic, and B) to perform one-to-one network address translation (NAT) between an instance's private IPv4 address and its public IPv4 address. Instances without a public IPv4 address cannot reach the internet through the internet gateway; that is what a NAT gateway is for.

Subnets

Subnets are logical segments of the VPC's address range in which you place your resources; think of them as the rooms in your flat. The gadgets in the living room are the public subnet: every visitor can see and use them, such as the television, sound system or PS5. In AWS, web and application servers that must be reachable from the internet are deployed in public subnets. The gadgets in your bedroom are the private subnet: only members of the household can use them. In AWS, database servers are usually provisioned in private subnets because they should be reachable only from inside the VPC.
Each subnet is tied to a single Availability Zone (a distinct location designed to be isolated from failures in other zones) and cannot span Availability Zones. AWS reserves the first four and the last IP address of every subnet, so a subnet has five fewer usable addresses than its CIDR size suggests. A subnet's route table can point at an internet gateway to allow communication over the internet, or at a virtual private gateway to reach your own network over a VPN connection; a subnet with no route to the internet whose traffic goes through a virtual private gateway is known as a VPN-only subnet. An EC2 instance in a public subnet must have a public IPv4 or Elastic IP address to communicate with the internet. A subnet can be configured to assign a public IPv4 address to every instance launched into it by default, and you can override that setting for an individual instance at launch.
Each subnet is associated with exactly one route table, which controls where its traffic is sent. Subnet security is configured using security groups and network ACLs: security groups operate at the instance (network interface) level, while network ACLs operate at the subnet level.
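As an added example (not part of the original post), here is a small Python planner that carves a VPC CIDR into one subnet per Availability Zone and tier, applies the two limits mentioned above (VPC CIDR between /16 and /28, five addresses reserved by AWS in every subnet), and checks that the plan does not overlap itself or a VPC you intend to peer with. The Availability Zone names and address ranges are constructed for illustration.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet
# (network address, VPC router, DNS, future use, broadcast): five per subnet.
AWS_RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(vpc_cidr):
    """A VPC's IPv4 CIDR block must be between /16 and /28."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError(f"{vpc} is not between /16 and /28")
    return vpc


def plan_subnets(vpc_cidr, azs, tiers=("public", "private"), new_prefix=20):
    """Carve the VPC into one subnet per (tier, AZ) pair, in address order.

    Returns a list of dicts with each subnet's CIDR and usable host count.
    """
    vpc = validate_vpc_cidr(vpc_cidr)
    candidates = list(vpc.subnets(new_prefix=new_prefix))
    needed = len(tiers) * len(azs)
    if len(candidates) < needed:
        raise ValueError(
            f"{vpc} only holds {len(candidates)} /{new_prefix} subnets, {needed} needed")
    pairs = ((tier, az) for tier in tiers for az in azs)
    plan = []
    for (tier, az), net in zip(pairs, candidates):
        plan.append({
            "name": f"{tier}-{az}",
            "tier": tier,
            "az": az,
            "cidr": str(net),
            "usable_hosts": net.num_addresses - AWS_RESERVED_PER_SUBNET,
        })
    return plan


def find_overlaps(vpc_cidr, plan, peer_cidrs=()):
    """Report subnets that overlap each other, and peer VPC CIDRs that overlap
    this VPC (VPC peering cannot be established between overlapping ranges)."""
    problems = []
    nets = [(s["name"], ipaddress.ip_network(s["cidr"])) for s in plan]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append(f"{name_a} overlaps {name_b}")
    vpc = ipaddress.ip_network(vpc_cidr)
    for peer in peer_cidrs:
        if vpc.overlaps(ipaddress.ip_network(peer)):
            problems.append(f"VPC {vpc} overlaps peer VPC {peer}")
    return problems


if __name__ == "__main__":
    # Constructed example: a /16 VPC, two AZs, a public and a private tier.
    plan = plan_subnets("10.0.0.0/16", ["eu-west-1a", "eu-west-1b"])
    for s in plan:
        print(f"{s['name']:<20} {s['cidr']:<16} usable hosts: {s['usable_hosts']}")
    print("problems:", find_overlaps("10.0.0.0/16", plan, peer_cidrs=["10.0.128.0/17"]))
```

Running it prints four /20 subnets of 4091 usable hosts each and flags the constructed peer range 10.0.128.0/17 as overlapping the VPC, the situation in which a peering connection cannot be created.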

NAT Gateway

Think again about the flat and its residents. Residents can meet visitors in the living room, but imagine you are busy in the bedroom when a guest arrives. You can use your mobile phone to speak with the visitor, but you must be the one who initiates the call; the visitor cannot ring the bedroom. In AWS, a NAT gateway lets resources in private subnets reach the internet, for example to fetch package upgrades and software patches, without exposing those resources to inbound connections. It enables instances in a private subnet to connect to the internet or to other AWS services, but prevents the internet from initiating connections to those instances. A NAT gateway lives in a public subnet (one whose route table points at the internet gateway) and uses an Elastic IP address; the private subnet's route table then sends 0.0.0.0/0 to the NAT gateway. NAT gateways do not translate IPv6 traffic; use an egress-only internet gateway for IPv6 instead. A NAT gateway is managed by AWS, offering high bandwidth and high availability within its Availability Zone with no administration on your part. You pay per hour plus per gigabyte of data processed. Because it is created in a specific Availability Zone, a single NAT gateway is a single point of failure for private subnets in other zones; for resilience, create one NAT gateway per Availability Zone and route each private subnet to the one in its own zone.

Network Access Control List

These are the security guards at the gate of the estate. They check every visitor coming in and decide whether to let them through, and because they keep no record of who came in, they check the same visitor again on the way out.
A network ACL is like a firewall that controls packets entering and leaving a subnet. Each subnet is associated with exactly one network ACL, and one network ACL can be associated with many subnets; a new subnet is associated with the VPC's default network ACL. The default network ACL allows all inbound and outbound traffic, whereas a newly created custom network ACL denies everything until you add rules. Rules are numbered and evaluated in ascending order; the first rule that matches a packet decides its fate, and a packet that matches no rule hits the implicit final deny. Unlike security groups, network ACLs support both allow and deny rules, which makes them a good way to block a specific IP address or range at the subnet level (give the deny rule a lower number than the allow rules it must override).
Inbound traffic: packets entering the subnet (for example, a user's request).
Outbound traffic: packets leaving the subnet (for example, the server's response).
Network ACLs are stateless: they keep no record of connections, so return traffic is not allowed automatically and every packet is checked against the rules. If you allow inbound TCP 443, you must also allow outbound traffic to the clients' ephemeral ports (1024-65535), or the responses are dropped.

Security Group

You have a bouncer at the door of your party who checks guests before they come in. Guests with an invite tag are let in, and when a guest leaves, he or she is not checked again. In AWS, a security group is a firewall at the instance level (it is attached to the instance's network interface). It has both inbound and outbound rules, and it is stateful: once a connection is allowed in, the response traffic is allowed out automatically regardless of the outbound rules, and vice versa. Security groups support allow rules only; there is no deny rule, so anything not explicitly allowed is dropped. A new security group blocks all inbound traffic and allows all outbound traffic by default. One security group can be attached to many instances, and a rule can name another security group as its source, which is the usual way to let an application tier reach a database tier without hard-coding IP addresses.
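The difference between stateless network ACLs and stateful security groups is easiest to see by simulating both on the same packet flow. The following Python model is an added example, not code from the post or from AWS; the client and server addresses are constructed, and the rule model is simplified to protocol, CIDR and destination port range. It runs the classic mistake (a NACL that allows port 443 in and out but forgets the ephemeral ports), the fix, a deny rule that does and does not take effect depending on its rule number, and a security group with no outbound rules at all.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    number: int       # NACL rule number (evaluated ascending); ignored by security groups
    proto: str        # "tcp", "udp" or "all"
    cidr: str         # source CIDR on inbound rules, destination CIDR on outbound rules
    ports: tuple      # inclusive (low, high) destination port range
    action: str = "allow"   # security groups only ever have "allow" rules

def rule_matches(rule, ip, dport, proto):
    if rule.proto not in ("all", proto):
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule.cidr):
        return False
    low, high = rule.ports
    return low <= dport <= high

class NetworkAcl:
    """Stateless: each packet in each direction is checked against the numbered
    rules in ascending order; the first match decides; no match means deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def permits(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        ip = pkt.src if direction == "in" else pkt.dst
        for rule in rules:
            if rule_matches(rule, ip, pkt.dport, pkt.proto):
                return rule.action == "allow"
        return False   # the implicit "*" deny at the end of every NACL

class SecurityGroup:
    """Stateful, allow-only: a reply to a flow that was already allowed in one
    direction is passed in the other without consulting that direction's rules."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._flows = set()   # (proto, src, sport, dst, dport) of allowed flows

    def permits(self, pkt, direction):
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows:
            return True   # reply to a tracked flow
        rules = self.inbound if direction == "in" else self.outbound
        ip = pkt.src if direction == "in" else pkt.dst
        if any(rule_matches(r, ip, pkt.dport, pkt.proto) for r in rules):
            self._flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False   # nothing matched; there are no deny rules to consult

# Constructed HTTPS exchange between an internet client and a web server in the subnet.
CLIENT, SERVER = "203.0.113.10", "10.0.1.20"
REQUEST = Packet("tcp", CLIENT, 51515, SERVER, 443)
RESPONSE = Packet("tcp", SERVER, 443, CLIENT, 51515)

def check_web_flow(fw):
    """Return (request_allowed, response_allowed) for the exchange above."""
    req = fw.permits(REQUEST, "in")
    return req, (fw.permits(RESPONSE, "out") if req else False)

ALLOW_443_IN = Rule(100, "tcp", "0.0.0.0/0", (443, 443))
ALLOW_EPHEMERAL_OUT = Rule(100, "tcp", "0.0.0.0/0", (1024, 65535))
DENY_BAD_NET = Rule(90, "all", "203.0.113.0/24", (0, 65535), "deny")

# Common NACL mistake: 443 allowed both ways, but the response goes to the
# client's ephemeral port, so it is dropped on the way out.
nacl_missing_ephemeral = NetworkAcl(inbound=[ALLOW_443_IN], outbound=[ALLOW_443_IN])
# Corrected NACL: the outbound rule covers the ephemeral port range.
nacl_fixed = NetworkAcl(inbound=[ALLOW_443_IN], outbound=[ALLOW_EPHEMERAL_OUT])
# Blocking a network: the deny (rule 90) must be numbered below the allow (100).
nacl_block = NetworkAcl(inbound=[DENY_BAD_NET, ALLOW_443_IN], outbound=[ALLOW_EPHEMERAL_OUT])
# The same deny numbered after the allow never gets evaluated for port 443.
nacl_block_too_late = NetworkAcl(
    inbound=[ALLOW_443_IN, Rule(110, "all", "203.0.113.0/24", (0, 65535), "deny")],
    outbound=[ALLOW_EPHEMERAL_OUT])
# Security group with one inbound rule and, deliberately, no outbound rule at all
# (a fresh security group would have allow-all outbound): the reply still passes.
sg_https = SecurityGroup(inbound=[ALLOW_443_IN], outbound=[])

if __name__ == "__main__":
    for name, fw in [("NACL missing ephemeral", nacl_missing_ephemeral), ("NACL fixed", nacl_fixed),
                     ("NACL deny first", nacl_block), ("NACL deny too late", nacl_block_too_late),
                     ("security group", sg_https)]:
        req, resp = check_web_flow(fw)
        print(f"{name:<24} request allowed={req!s:<5} response allowed={resp}")
```

The model also shows why a security group needs no outbound rule for replies: the flow table is consulted before the rules, so only new connections are matched against rules. Real security groups and NACLs also support ICMP and rules that reference other security groups or prefix lists, which this simplified model leaves out.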

Route Tables

A route table contains rules, called routes, that determine where network traffic from a subnet is sent. Route tables define access to the internet, to other VPCs and to VPC endpoints. Every VPC has an implicit router, and the route tables tell it what to do; for example, a private subnet's route table must send 0.0.0.0/0 to a NAT gateway (or NAT instance) if the instances in it need outbound internet access. You edit route tables to add routes to the internet gateway, VPC peering connections and VPC endpoints. Each VPC has a main route table, and you can create additional custom route tables. Each subnet is associated with exactly one route table at a time, while one route table can serve many subnets; a subnet that is not explicitly associated with a route table uses the main route table. Every route table contains a local route covering the VPC's CIDR block that enables communication within the VPC; it cannot be modified or deleted, so instances in different subnets of the same VPC can already reach each other without any route table changes (subject to security groups and network ACLs). When several routes match a destination, the most specific one (the longest prefix) wins. When you peer two VPCs, you must add a route to the peering connection in the route tables on both sides before instances in the two VPCs can communicate.
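Route lookup and the public/private/isolated distinction from the Subnets and NAT Gateway sections, as an added example in Python (not code from the post or an AWS API; the route tables and target IDs such as igw-0example are constructed placeholders). It implements longest-prefix matching, classifies a subnet from its route table the way AWS does (any route to an internet gateway makes it public), and checks two things that bite in practice: an instance in a public subnet with no public IPv4 address has no internet path, and a NAT gateway placed in a non-public subnet cannot forward anything.

```python
import ipaddress

# Constructed route tables; the target IDs are illustrative, not real resources.
# Each entry is (destination CIDR, target), as shown in the VPC console.
ROUTE_TABLES = {
    "rtb-public": [
        ("10.0.0.0/16", "local"),
        ("0.0.0.0/0", "igw-0example"),
    ],
    "rtb-private": [
        ("10.0.0.0/16", "local"),
        ("0.0.0.0/0", "nat-0example"),
        ("10.1.0.0/16", "pcx-0example"),   # peering connection to another VPC
        ("10.1.5.0/24", "pcx-1example"),   # more specific route to a third VPC
    ],
    "rtb-isolated": [
        ("10.0.0.0/16", "local"),          # the local route every table has
    ],
}


def resolve(route_table, dst_ip):
    """Pick the next hop for dst_ip by longest-prefix match. Returns None when
    no route matches, in which case the VPC router drops the packet."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify_subnet(route_table):
    """Classify a subnet from its route table's targets."""
    targets = [target for _, target in route_table]
    if any(t.startswith("igw-") for t in targets):
        return "public"      # AWS's definition: any route to an internet gateway
    if any(t.startswith("nat-") for t in targets):
        return "private"     # outbound-only internet access through a NAT gateway
    return "isolated"        # no internet path (only local, VPN or peering routes)


def internet_path(route_table, has_public_ipv4):
    """How an instance reaches the internet. The internet gateway performs
    one-to-one NAT only for instances with a public IPv4 address, so an
    instance in a public subnet without one has no internet path at all."""
    kind = classify_subnet(route_table)
    if kind == "public":
        return "internet gateway" if has_public_ipv4 else "none"
    if kind == "private":
        return "nat gateway"
    return "none"


def nat_gateway_placement_ok(nat_subnet_route_table):
    """A NAT gateway only works in a public subnet: it reaches the internet
    through the internet gateway route of the subnet it sits in."""
    return classify_subnet(nat_subnet_route_table) == "public"


if __name__ == "__main__":
    for name, table in ROUTE_TABLES.items():
        print(f"{name:<14} {classify_subnet(table):<9} 8.8.8.8 -> {resolve(table, '8.8.8.8')}")
    print("10.1.5.7 via rtb-private ->", resolve(ROUTE_TABLES["rtb-private"], "10.1.5.7"))
    print("public subnet, no public IP ->", internet_path(ROUTE_TABLES["rtb-public"], False))
    print("NAT gateway in private subnet works:",
          nat_gateway_placement_ok(ROUTE_TABLES["rtb-private"]))
```

The resolver returns the /24 peering route for 10.1.5.7 and the /16 one for 10.1.9.9, the local route for anything inside 10.0.0.0/16, and None for the isolated table on an internet address. Real NAT instances appear as an instance or network interface target rather than nat-, so a classifier for those would need to treat that target prefix as private as well.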

I hope I have been able to break down VPC. Let me know your thoughts in the comments section.
See you soon. Cheers!
