AWS VPC: Understanding how it works internally??

Many beginners find VPC a difficult topic to learn, but it is not so. I'll try to explain it in an easy way.

What is VPC?

VPC stands for Virtual Private Cloud. As its name implies, it is a virtually isolated area of the AWS cloud where we can launch AWS resources in a self-defined virtual network.

Why use VPC?

  • Provides a secure, isolated private cloud hosted within a public cloud.
  • More flexibility for services that don’t need to connect to the Internet.
  • Improved security by enabling private connectivity between two or more VPC networks, isolating traffic from the public Internet.

Working of VPC

Working with a VPC starts with choosing a region, be it Mumbai, Europe, Ohio, and so on. The size of the VPC is defined by its IP address range. E.g. it can be 255*255 or 65536 IP addresses, which can then be assigned to applications, instances, and so on. So this many IP addresses can be allocated using the VPC. Dividing this IP address range among multiple projects is done with subnets. Subnet range can be calculated using this tool:

Most of the VPC consists of public subnets, which are the common subnets across the VPC, and the remaining network is divided into sub-networks or sub-projects, also known as private subnets. Multiple EC2 instances can be deployed in these individual subnets.
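A subnet plan for a VPC of the size described above can be worked out with Python's standard `ipaddress` module. This is an added example, not part of the original post: the `10.0.0.0/16` range (65536 addresses), the `/20` subnet size and the subnet names are assumptions chosen for illustration, and the figure of five addresses reserved by AWS in every subnet comes from the AWS VPC documentation rather than from this page.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, new_prefix, names):
    """Carve one equal-sized subnet per name out of the VPC range, in order."""
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = vpc.subnets(new_prefix=new_prefix)
    plan = {}
    for name in names:
        try:
            plan[name] = next(blocks)
        except StopIteration:
            raise ValueError(f"{vpc_cidr} has no room left for {name!r}") from None
    return plan


def usable_hosts(net):
    """Addresses that instances can actually use inside one AWS subnet."""
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def find_overlaps(plan):
    """Return pairs of subnet names whose ranges overlap (empty for a valid plan)."""
    items = list(plan.items())
    return [(a, b) for i, (a, net_a) in enumerate(items)
            for b, net_b in items[i + 1:] if net_a.overlaps(net_b)]


if __name__ == "__main__":
    # Hypothetical layout: two public and two private subnets.
    names = ["public-a", "public-b", "private-app-a", "private-app-b"]
    plan = plan_subnets("10.0.0.0/16", 20, names)
    for name, net in plan.items():
        print(f"{name:15} {str(net):15} usable={usable_hosts(net)}")
    print("overlaps:", find_overlaps(plan))
```
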

When a user tries to access an application in the private subnets from the internet, the request has to pass through the Internet Gateway. It then enters the public subnet, where it goes to the load balancer attached to it (Elastic Load Balancer (ELB) in the case of AWS), which distributes the traffic coming from the internet depending on the target groups. The load balancer takes the request to the private subnet and the application. The request finds its way to the subnet using route tables, which define the path the request should take to the application. Once the request reaches the desired subnet or the instance within it, it can be verified whether the right user/request is trying to get access; this is done using security groups. Security groups define which ports or IP addresses alone can have access. If you want to apply the same security group to multiple applications/EC2 instances or repeat the security group configuration, NACLs come into use. They are the automation of security groups, where you don't have to define the rules again and again.

When the roles are reversed, i.e. the application in the private subnet wants to download or access something from the internet (e.g. some package from), the NAT Gateway comes into play. NAT stands for Network Address Translation. NAT gateways enable instances in a private subnet to connect to services outside our VPC while preventing external services from establishing a connection with those instances, thus making it secure. This is done by masking the IP addresses to hide their real existence, and this masking of IP addresses is known as NAT Gateways. So what it does is replace the private IP address with the public IP address of either the load balancer (SNAT) or the router.

Also, egress-only internet gateways can be used; they allow outbound communication over IPv6 from instances in our VPC to the internet and prevent the internet from initiating an IPv6 connection with our instances. They are used with IPv6 traffic only.
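The traffic paths described above can be checked from configuration: a subnet's default route shows whether it faces the Internet Gateway, a NAT or egress-only gateway, or nothing at all, and security group rules show which ports are open to everyone. The following is an added example, not part of the original post; the sample data is constructed in the shape of `aws ec2 describe-route-tables` and `describe-security-groups` output, and all IDs, the function names and the allowed-port list are assumptions.

```python
# Constructed samples shaped like `aws ec2 describe-route-tables` and
# `describe-security-groups` output; every ID here is made up.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
                {"DestinationIpv6CidrBlock": "::/0",
                 "EgressOnlyInternetGatewayId": "eigw-example"}]},
    {"Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

def classify_subnets(route_tables):
    """Label each explicitly associated subnet by where its default route points."""
    labels = {}
    for table in route_tables:
        kind = "isolated"                  # no default route at all
        for route in table["Routes"]:
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            if dest not in ("0.0.0.0/0", "::/0"):
                continue
            if route.get("GatewayId", "").startswith("igw-"):
                kind = "public"            # inbound from the internet is possible
                break
            kind = "outbound-only"         # NAT gateway or egress-only gateway
        labels.update({a["SubnetId"]: kind for a in table["Associations"] if "SubnetId" in a})
    return labels

def world_open_rules(groups, allowed_ports=(80, 443)):
    """Return (group, from_port, to_port) for rules open to 0.0.0.0/0 on other ports."""
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            open_world = any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if open_world and not set(range(lo, hi + 1)) <= set(allowed_ports):
                findings.append((group["GroupId"], lo, hi))
    return findings
```

Subnets without an explicit association use the VPC's main route table and are not labelled by this sketch.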

So, this is how the AWS VPC works internally!!!

Similarly, a few smaller topics to understand are:

  1. Elastic IPs - An Elastic IP (EIP) address is more of a static IPv4 address that is designed for dynamic cloud computing. The main purpose of these IPs is to mask the failure of software or an instance in our AWS account, which is achieved by remapping the address to another instance.

  2. VPC Endpoints - A VPC endpoint enables connections between a VPC and a supported service without requiring that we use an internet gateway, NAT device, or VPN connection. Therefore, our VPC is not exposed to the public internet.

  3. Peering connections - A VPC peering connection is a networking connection between two VPCs that enables us to route traffic between them privately. Instances in either VPC can communicate with each other as if they are within the same network.

  4. DHCP - The Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains the configuration parameters.

  5. Managed Prefix list - A prefix list is a set of IPv4 or IPv6 address ranges. We can share our managed prefix list with other AWS accounts, enabling those accounts to reference the prefix list in their own resources.


Keep yourself updated with the official documentation here.

P.S.- I have tried to cover these below topics in this blog and the remaining will be covered in the next one!!