DEV Community

Sanket Barapatre

Some AWS Networking concepts

  1. A VPC is like a container that holds multiple resources together, bound by a private CIDR. It can span multiple AZs.

  2. A subnet is a sub-part of a VPC used to isolate resources within the VPC, such as an EC2 instance or a database.

  3. A VPC can have one CIDR, and each of its subnets uses a part of it; all subnet ranges must be non-overlapping.

  4. A VPC has security groups as its firewall (these are stateful: you configure rules for one direction only, and the reply traffic is allowed automatically) and route tables to reach a NAT, an IG, another VPC, or even intra-VPC traffic. Security group rules are evaluated in ascending order.

  5. A subnet has its own route table, which falls back to the VPC's basic (main) route table if none is specified; it must at least carry intra-VPC traffic by default. A subnet also has a Network Access Control List (NACL) as its own firewall; unlike the VPC's security group, a NACL is stateless, so you have to configure rules for the reply traffic as well. NACL rules are evaluated in ascending rule-number order, so always add the local-traffic rule first.

  6. NAT (Network Address Translation) is used when connecting a VPC to the outside world. It translates the internal IP address into a public IP address.

  7. Elastic IP: when we reboot an instance its public IP changes, so we use an Elastic IP to give it a static public IP address.

  8. IG (Internet Gateway): allows access to the Internet. It also has to be configured as a target in the route tables.

  9. VPC peering: creates a connection for VPC-to-VPC traffic.

  10. NAT instance: an EC2 instance that sits in a public subnet and is connected to a private subnet as well as the NAT gateway, allowing the private subnet to reach the outside world. A similar setup is used for a bastion host (jump host) to connect to a database in a private subnet.
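The stateful-versus-stateless difference between security groups and NACLs in items 4 and 5, and the ascending first-match evaluation of NACL rules, as an added example (not code from the original post): a toy Python model of both firewalls run over one SSH connection. The addresses, ports and rule numbers are constructed for illustration.

```python
"""Added example, not from the original post: a toy model of a stateful security
group next to a stateless network ACL, showing why the NACL needs an explicit
rule for the reply traffic and why its rule numbers matter.
Addresses, ports and rule numbers are constructed for illustration."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class SecurityGroup:
    """Stateful: only inbound rules are configured; the reply of a tracked flow
    is allowed outbound without any outbound rule."""
    inbound: list                      # [(source cidr, destination port), ...]
    flows: set = field(default_factory=set)

    def allows(self, pkt: Packet, direction: str) -> bool:
        if direction == "out":
            # A reply is the mirror image of a flow already accepted inbound.
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows
        for cidr, port in self.inbound:
            if pkt.dport == port and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(cidr):
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
        return False


@dataclass(frozen=True)
class NaclRule:
    number: int
    direction: str    # "in" or "out"
    cidr: str         # remote side of the packet
    ports: tuple      # (low, high) inclusive destination port range
    action: str       # "allow" or "deny"


class NetworkAcl:
    """Stateless: each direction is checked on its own, rules in ascending
    number order, the first match decides, and no match means the implicit deny."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def allows(self, pkt: Packet, direction: str) -> bool:
        remote = pkt.src if direction == "in" else pkt.dst
        for rule in self.rules:
            if rule.direction != direction:
                continue
            if rule.ports[0] <= pkt.dport <= rule.ports[1] and \
                    ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr):
                return rule.action == "allow"
        return False   # the trailing "*" deny rule


def ssh_session(sg, nacl, client_ip, client_port=51000, server_ip="10.0.1.10"):
    """Return (request_passes, reply_passes) for one TCP/22 connection that
    crosses the subnet NACL and then the instance security group."""
    request = Packet(client_ip, client_port, server_ip, 22)
    reply = Packet(server_ip, 22, client_ip, client_port)
    request_ok = nacl.allows(request, "in") and sg.allows(request, "in")
    reply_ok = request_ok and sg.allows(reply, "out") and nacl.allows(reply, "out")
    return request_ok, reply_ok


def new_sg():
    # Security group with a single inbound rule and no outbound rules at all.
    return SecurityGroup(inbound=[("203.0.113.0/24", 22)])


# NACL with only the inbound rule: the SSH request gets in, the reply never gets out.
NACL_MISSING_REPLY = NetworkAcl([NaclRule(100, "in", "203.0.113.0/24", (22, 22), "allow")])
# Same plus an outbound rule for the client's ephemeral port range.
NACL_COMPLETE = NetworkAcl([
    NaclRule(100, "in", "203.0.113.0/24", (22, 22), "allow"),
    NaclRule(100, "out", "203.0.113.0/24", (1024, 65535), "allow"),
])
# A lower-numbered deny is evaluated before the broader allow and wins for that host.
NACL_ORDERED = NetworkAcl([
    NaclRule(50, "in", "203.0.113.7/32", (22, 22), "deny"),
    NaclRule(100, "in", "203.0.113.0/24", (22, 22), "allow"),
    NaclRule(100, "out", "203.0.113.0/24", (1024, 65535), "allow"),
])

if __name__ == "__main__":
    print("missing reply rule:", ssh_session(new_sg(), NACL_MISSING_REPLY, "203.0.113.5"))
    print("complete NACL:     ", ssh_session(new_sg(), NACL_COMPLETE, "203.0.113.5"))
    print("denied host:       ", ssh_session(new_sg(), NACL_ORDERED, "203.0.113.7"))
```

The security group never needs an outbound rule for the reply because it remembers the accepted flow; the NACL forgets everything between packets, so the reply to the client's ephemeral port is dropped until an outbound rule covers that range. Rule 50 firing before rule 100 is the ordering behaviour the note "always add local traffic first" is about.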

The RFC 1918 specification recommends using a CIDR such as 10.0.0.0 or 172.168.0.0 as the local CIDR when attaching to a VPC.
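Items 3, 5, 8, 9 and 10 together with the RFC 1918 note above, as an added example (not from the original post): checking that a VPC CIDR is private and that its subnets are non-overlapping parts of it, then resolving next hops from a public and a private subnet's route table by longest-prefix match, which is how VPC route tables pick a route. RFC 1918 reserves 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. The CIDRs and the igw-/nat-/pcx- target names are constructed placeholders, not real resource ids.

```python
"""Added example, not from the original post: sanity-check a VPC address plan
against RFC 1918 and the no-overlap rule, then resolve next hops from route
tables the way VPC route tables do (most specific prefix wins)."""
import ipaddress

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr: str) -> bool:
    """True when the whole CIDR lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)


def validate_vpc(vpc_cidr: str, subnets: dict) -> list:
    """Return a list of problems (empty when the layout is valid): the VPC CIDR
    must be RFC 1918, every subnet must sit inside it, and no two may overlap."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not is_rfc1918(vpc_cidr):
        problems.append(f"{vpc_cidr} is not an RFC 1918 private range")
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"subnet {name} {net} is outside VPC {vpc}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} {nets[a]} and {b} {nets[b]} overlap")
    return problems


def next_hop(route_table: dict, destination: str):
    """Longest-prefix match over {cidr: target}; None when no route matches."""
    ip = ipaddress.ip_address(destination)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# Constructed layout: one public and one private subnet inside a /16 VPC.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {"public-a": "10.0.1.0/24", "private-a": "10.0.2.0/24"}
# Route targets are placeholders, not real AWS resource ids. The "local" route
# carries intra-VPC traffic; the public table points the default route at the
# internet gateway, the private one at the NAT and a peering connection.
PUBLIC_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-PLACEHOLDER"}
PRIVATE_RT = {"10.0.0.0/16": "local", "10.1.0.0/16": "pcx-PLACEHOLDER",
              "0.0.0.0/0": "nat-PLACEHOLDER"}

if __name__ == "__main__":
    print("problems:", validate_vpc(VPC_CIDR, SUBNETS) or "none")
    print("problems:", validate_vpc("10.0.0.0/16", {"a": "10.0.1.0/24",
                                                     "b": "10.0.1.128/25",
                                                     "c": "10.5.0.0/24"}))
    for rt_name, rt in (("public", PUBLIC_RT), ("private", PRIVATE_RT)):
        for dst in ("10.0.2.15", "10.1.4.4", "198.51.100.9"):
            print(f"{rt_name:8} {dst:14} -> {next_hop(rt, dst)}")
```

Because the match is by longest prefix, the 10.0.0.0/16 local route always beats 0.0.0.0/0 for in-VPC destinations, and the peering route only captures the peer's range; everything else from the private subnet leaves through the NAT. Passing strict=True makes ipaddress reject a CIDR with host bits set, which catches typos in an address plan early.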
