In this tutorial based guide we will go over what VPC is, why it exists, and when and why should you consider using it in your cloud architecture.
Original Post
Virtual Private cloud
AWS VPC (Amazon Virtual Private Cloud) is one of the key networking service provided by AWS. VPC allows you to create an isolated section of the AWS cloud where you can launch resources in a defined virtual network.
VPC creates a separation between your resources and other Amazon resources. You can control if outside traffic should flow into your VPC using an Internet Gateway.
VPC mainly provide security for your infrastructure. They provide a layer of network isolation, allowing you to control access to your resources and protect them from unauthorized access.
Also you can customize your network using VPC, by controlling the network traffic paths, optimize data transfers to reduce cost and organize resources for better management.
In this post we will create a VPC using AWS console, go over routing tables, internet gateway and finally recreate the network structure using AWS CDK.
Use Case 1: A 3-tier Architecture
Let's take the following example: We are tasked to create a Saas (Software as a Service) application that has a web interface giving users the capability to select a list of countries, cities, days of week and a button to generate weather video sequence similar to what you see in news broadcasts.
At minimum, such a system would require to have the following components:
- REST API to handle video render requests
- storage to hold videos
- video rendering engine
- frontend application that users can input the country, city and days and request for a video
The block diagram would look something like this:
Using VPC, we can organize and secure our component by placing them into different areas of the network. So for our example, the user facing services (REST API, frontend), would need to go into the public subnet where users would need to access it, and the rest inside private networks.
- REST API (public subnet)
- frontend application (public subnet)
- render engine, storage, database (private subnet)
Here is a typical VPC structure,with a public and a private subnet and other components which we can ignore for now. The public subnet has access to the internet via an internet gateway and the private subnet doesn't. However, the devices or IP's located in both the private and public can access each other.
organizing our components into network segments would look like this:
Important
This example is not entirely accurate, it's meant to convey the idea.
Use Case 2: Remote Company
The second example we'll explore is a scenario where a company hosts its infrastructure on AWS. In this case, remote workers need to access company resources such as Jira, Jenkins, Confluence, Database and other internal tools. To achieve this securely, they would need to VPN into a VPC. Once connected, they gain access to all the company resources within that VPC.
Implementing VPN Access
To enable this setup, you would need to create an AWS Client VPN endpoint and configure VPN access to your VPC. This allows remote workers to securely connect to the company's network.
This VPN method can also be used to access internal resources like databases when you need to perform specific queries or maintenance requiring direct access. However, it's important to note that this approach should be used cautiously, as it can pose security risks if not properly managed. For small teams and applications, though, it can be a convenient and practical solution.
There are several ways to establish connectivity with your VPC:
- AWS Direct Connect: Ideal for connecting an on-premises data center or large database to an AWS VPC. This provides a dedicated, private connection.
- Site-to-Site VPN: Useful when you need a constant connection between your company's network and a VPC. This creates an encrypted tunnel between your on-premises network and AWS.
- AWS Client VPN: This is the solution for remote workers who need to VPN into the VPC and access company resources from various locations.
We won't delve deeper into this use case, as it's primarily an IT infrastructure solution for companies rather than a typical setup for software hosting or Software as a Service (SaaS) applications. However, understanding these options is valuable for comprehensive cloud architecture knowledge.
Creating a VPC
Using console
Open the AWS Console and go to the VPC page.
Click VPCs or the Your VPCs button from the left side, to view the VPC. The other buttons are all related to VPC, it's broken down into categories for organization sake. So when you create a VPC, you can also create subnets which will list those in the Subnet section as well.
Click on the first VPC line from the list if you have many.
Note: If you are just starting off, you should only see one VPC which is the default VPC created along when you first create your AWS account.
Warning: Switch your region, and you should see separate VPC's exist for each of your regions. If you don't want to mess up any existing stack or resources, select another region from the top, typically a region that you won't normally be using.
Click on Create VPC from the top. You should see the Create VPC page showing up.
Select VPC and more, and you should see the following diagram on the right side:
With this option a typical VPC will be created, so lets describe what is being created for us.
Subnets
In the subnets section, it shows there are two Availability Zone (AZ) us-east-1a and us-east-1b.
Note: If your region is different, it would say something like your-region-1a, your-region-1b, your-region-1c or something similar.
An AZ is one or more discrete data centers with redundant power networking, and connectivity in an AWS Region. So it's better to deploy your instance in such a way it gets replicated in multiple AZs, in case if something goes wrong in one data center - that way your application is highly available and more robust.
You can reduce or increase the number of zones used in this setup from the left panel Number of Availability Zones (AZs) section. You can pick how many zones you want to add, or click customize AZs to specify which zones you want to create subnets in.
There are two subnets per each AZ, a private and public subnet.
The Blue icon means private and the Green one means public.
You can also control the number of public and private subnets you want per zone by changing the values for Number of public subnets and Number of private subnets.
Note: If your change the number of AZ's the value or options for the public and private subnet count changes as well. Meaning if you select 1 AZ, then the options for the public subnets will change to 0 and 1.
Route tables
The next box shows the Route tables.
Route tables conceptually are the very similar to the routing tables that are common networking routers. A routing table is set of rules, that determines how packets get redirected when traveling over an Internet Protocol (IP) stack.
So if you mouse over the first entry you will see this connection:
You will see that our two public subnets use the first routing table, and the other two private subnets each have their own route table. The blue line shows that the public route table is also connected to a igw or an internet gateway.
We will go over the details of these route table in the next section but just understand that when packets travel between subnets, they first lookup the routing table to see which interface they have to go to. If a packet is targeting an outside IP like Google DNS (8.8.8.8), the routing table would direct the packet to an internet gateway. If the packet is targeting a database that is located in the private subnet (192.168.0.100), it will redirect the packet internally to the server that is running the database.
Network Connections
The last section is the Network connections that right now there are two options:
The first item is an internet gateway which allows traffic from and to the internet to be reachable to hosts belonging to this subnet.
The second item is an VPC endpoint which allows your internal services to communicate with other AWS services like S3, DynamoDB, SQS, SNS, RDS, SageMaker and etc without the traffic leaving the Amazon network. This option is favorable to have since it reduces latency and cost.
On the bottom of the page click Create VPC to create the VPC.
After the VPC is created, rename the newly created vpc to something you would remember like test-vpc.
Testing our VPC with EC2 Instances
To test our VPC, lets launch two EC2 instance and place one in the public subnet, and the other in the private subnet on our newly created VPC. We are going to verify to make sure we cannot connect to the EC2 machine in the private subnet, but can connect to the one in the public subnet. We also want to make sure we can connect to the EC2 machine in the private subnet from the public EC2 machine.
Lets start creating our EC2 instances. Open a new tab to AWS Console, and bring up the Amazon EC2 dashboard. Create a new instance by clicking the “Launch Instance” button.
Create an instance named Public Linux Machine and select the default Amazon Linux based systems so we can SSH into each machine.
Important: Make sure to select a key pair or create a new one, and use the same for both machines.
Note: If you are not familiar with EC2 instance creation and would like to learn more, visit the official docs here for more info.
Under the Network Settings, click Edit and then choose test-vpc
for the VPC value. Then from the subnets select a public one and enable the Auto-assign public IP.
For the Security group name, set test-vpc-linux-machine-sg and open SSH and HTTP ports. See the screenshot for a better idea:
Create another one using similar configuration, except name the instance Private Linux Machine, select the same key pair for this instance.
Under the Network Settings, select the same VPC test-vpc, but instead of the public subnet, select the private subnet.
For the security groups, select Select existing security group then from the list select text-vpc-linux-machine-sg.
Click on launch instance to create the instance, then click View Instances. You should see two instance like so:
Lets try to connect to both EC2 machine using the terminal.
To be certain that you are connecting to the right machine, right click on the machine, select connect and go to the ssh tab. In the end of the view, copy the ssh command, it should look like this.
Public Linux Machine:
ssh -i "test-ec2-key.pem" ec2-user@ec2-44-192-99-181.compute-1.amazonaws.com
Private Linux Machine:
ssh -i "test-ec2-key.pem" ec2-user@ec2-34-239-251-67.compute-1.amazonaws.com
You will notice that you will not (and shouldn't) be able to connect to the second machine since it's in a private network.
Before doing that we need to copy the PEM file to the public EC2 instance.
This will copy the pem file so we can use it to SSH into the private ec2 machine.
scp -i "test-ec2-key.pem" test-ec2-key.pem ec2-user@ec2-3-230-118-6.compute-1.amazonaws.com:.
You need to find the private address of the other EC2. We can do that by selecting the EC2 from the EC2 dashboard and reading the private IP address.
Now ssh back to the public machine,
ssh -i "test-ec2-key.pem" ec2-user@ec2-44-192-99-181.compute-1.amazonaws.com
and from within the EC2 instance, ssh into the private EC2 instance using the private IP address.
ssh -i "test-ec2-key.pem" 10.0.135.0
You should be able to connect to the machine - verify you have SSH'ed into a new device by running ifconfig and viewing the IP address.
Important: Make sure to delete all resources once you are done testing out. First delete all the EC2 instances, then delete the VPC.
Using AWS CDK
By leveraging IaC, you can automate and replicate all the setup and configuration work typically done through the console. This approach significantly speeds up your website deployment process.
Lets automate all of the steps we took using AWS CDK, which is an IaC or Infrastructure as code framework. All the steps we performed manually it can be automated and also we can add logic as well so based on some condition, ie if it's a production deployment we can add a few other steps
vs if it's a test deployment we can skip a few other steps.
Prerequisites
- An AWS account
- Node.js and npm installed
- AWS cli and cdk setup and configured
- Basic knowledge in Javascript and Typescript
Setup, Code and Deploy
- Initialize a new CDK project:
mkdir temp-project && cd temp-project
mkdir infrastructure && cd infrastructure
cdk init app --language typescript
- Replace the content of the file
lib/infrastructure-stack.ts
with:
import * as cdk from "aws-cdk-lib"
import { Construct } from "constructs"
import { SubnetType, IpAddresses, Vpc } from "aws-cdk-lib/aws-ec2"
export class InfrastructureStack extends cdk.Stack {
constructor(scope: Construct, id: string, props?: cdk.StackProps) {
super(scope, id, props)
const vpc = new Vpc(this, `${id}-vpc`, {
vpcName: `${id}-vpc`,
ipAddresses: IpAddresses.cidr("10.0.0.0/16"),
maxAzs: 2,
createInternetGateway: true,
subnetConfiguration: [
{
cidrMask: 24,
name: "Public",
subnetType: SubnetType.PUBLIC,
},
{
cidrMask: 24,
name: "Private",
subnetType: SubnetType.PRIVATE_ISOLATED,
},
],
})
}
}
now deploy the stack
cdk deploy
Once deployment open AWS console, and go to the VPC page. You will see we have our VPC created with one small difference. The two public subnet will each have their own route table, where the one we created using console created one route table.
And to destroy all the resources just run
cdk destroy
- And enter y to confirm you want to delete. And that is it! all resource will been destroyed according to the dependency tree CDK keeps track of.
Interested in learning more?
If you are interested in creating a project from scratch using AWS CDK, and serverless, you can checkout the class linked below, where we go over in details explain what each service does, and actually create a dynamic
application with user login and authentication.
Serverless Fullstack with AWS/CDK/NextJS & Typescript
Conclusion
We've explored what VPC is, its key components like subnets and route tables, and walked through practical examples of creating a VPC both manually via the AWS Console and programmatically using AWS CDK.
By leveraging VPCs, you can effectively isolate your resources, control network traffic, and organize your architecture for optimal performance and security. Whether you're building a multi-tier application or setting up a remote work environment, understanding and utilizing VPCs is crucial for creating robust and secure cloud solutions.
In the future posts, we will be utilizing VPC and ECS, to create a container based deployment.
Top comments (0)