AWS Virtual Private Cloud (Part 1)
Amazon Virtual Private Cloud (Amazon VPC) is a service that lets you launch AWS resources in a logically isolated virtual network that you define: your own private network inside the AWS public cloud, with a network configuration you control. You have complete control over the virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 for most resources in your VPC.
By default, AWS creates a default VPC in every region of your account, but this default VPC is not recommended for deploying customer environments; build a custom VPC for production workloads.
So, what are the components of an AWS VPC? Which of them are mandatory? And what should you use to make sure your environment is highly secure?
Let’s dive into the VPC now by briefly describing each component as seen in the picture above, moving from outside to inside.
- Internet Gateway (IGW): An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. The IGW is the target for internet-bound traffic in your VPC route tables, and it performs one-to-one network address translation (NAT) for instances that have been assigned public IPv4 addresses.
- Route Table: A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed. There are two kinds: the main route table, which is created automatically with the VPC, and custom route tables that you create for your VPC. The main route table controls routing for every subnet that is not explicitly associated with another route table. Every route table also carries a local route for the VPC’s own CIDR block, which cannot be deleted.
- Network ACL: A network access control list (NACL) is a secondary layer of security for your VPC that acts as a firewall controlling traffic in and out of one or more subnets. The default NACL allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic. You can create a custom network ACL and associate it with a subnet; a custom network ACL denies all inbound and outbound traffic until you add rules. Rules are evaluated in order of rule number, lowest first, and the first matching rule decides, so a deny numbered above a broader allow never takes effect. Unlike a security group, a NACL is stateless: return traffic must be allowed explicitly by its own rule.
- Subnet: A subnet is a range of IP addresses carved out of your VPC. When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. This is the primary CIDR block for your VPC. After creating a VPC, you can add one or more subnets in each Availability Zone; each subnet lives entirely within one Availability Zone. In the diagram below, the VPC 10.0.0.0/16 is divided into multiple subnets across different Availability Zones.
Subnets come in two types, public and private. A public subnet is one whose route table has a route to an internet gateway, so an instance there with a public IPv4 address can send traffic directly to the internet. A private subnet has no route to the internet gateway; traffic from its instances reaches the internet only indirectly, typically through a NAT gateway placed in a public subnet.
- Security Group: A security group acts as a virtual firewall for your instance, controlling inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance (the default per-network-interface quota, which can be raised on request). Security groups act at the instance level, not the subnet level, so each instance in a subnet can be assigned a different set of security groups.
Below is the path traffic takes from inside the VPC to the outside:
EC2 instance >> Security Group >> NACL >> Route Table >> Internet Gateway.
Traffic moving from outside to inside the VPC takes the same path in reverse. Because the security group is stateful, the reply to a connection it allowed is admitted automatically; the NACL, being stateless, evaluates the reply against its inbound rules as a fresh packet.
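To make the path above concrete, here is an added example (my own code, not part of the original post) that models each hop offline: a security group (allow-list, stateful), a network ACL (numbered rules, first match wins, stateless), and a route table (explicit association or main, longest-prefix match). The data is constructed in the shape the EC2 API returns from describe_security_groups, describe_network_acls and describe_route_tables; the IDs (sg-0example, acl-0example, rtb-public, subnet-public, igw-0example, nat-0example) and the addresses are placeholders, and nothing here talks to AWS. It simplifies real VPC behaviour: IPv4 only, no security-group references or prefix lists, and a single representative ephemeral source port for the reply packet.

```python
"""Offline model of instance -> security group -> NACL -> route table -> gateway.
Constructed example data; IDs are placeholders and no AWS API is called."""
import ipaddress

PROTO_NUM = {"tcp": "6", "udp": "17", "icmp": "1", "-1": "-1"}  # NACL entries use numbers

# constructed data in EC2 API shape (not from any real account)
SG = {"GroupId": "sg-0example",
      "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}],
      "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}

NACL = {"NetworkAclId": "acl-0example", "Entries": [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    # stateless: replies to outbound connections come back on ephemeral ports
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
    # the catch-all deny AWS places at the end of every NACL
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
]}

ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example", "State": "active"}]},
    {"RouteTableId": "rtb-public", "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example", "State": "active"}]},
]


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def sg_allows(sg, egress, proto, port, peer_ip):
    """Security groups hold allow rules only and are stateful: if the initiating
    packet matches a rule, the reply is admitted without any further rule."""
    for p in sg["IpPermissionsEgress" if egress else "IpPermissions"]:
        if p["IpProtocol"] not in ("-1", proto):
            continue
        if p["IpProtocol"] != "-1" and not (p["FromPort"] <= port <= p["ToPort"]):
            continue
        if any(_in_cidr(peer_ip, r["CidrIp"]) for r in p.get("IpRanges", [])):
            return True
    return False


def nacl_decision(nacl, egress, proto, port, peer_ip):
    """Entries are checked lowest rule number first; the first match wins."""
    entries = sorted((e for e in nacl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if e["Protocol"] not in ("-1", PROTO_NUM[proto]):
            continue
        pr = e.get("PortRange")  # absent on protocol "-1" (all traffic) entries
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        if _in_cidr(peer_ip, e["CidrBlock"]):
            return e["RuleAction"], e["RuleNumber"]
    return "deny", None


def route_table_for(subnet_id, tables):
    """An explicit subnet association wins; otherwise the main table applies."""
    for t in tables:
        if any(a.get("SubnetId") == subnet_id for a in t["Associations"]):
            return t
    return next(t for t in tables if any(a.get("Main") for a in t["Associations"]))


def route_lookup(table, dst_ip):
    """Longest-prefix match over active IPv4 routes, as the VPC router does."""
    best = None
    for r in table["Routes"]:
        if r.get("State") != "active" or "DestinationCidrBlock" not in r:
            continue
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None


def is_public_subnet(subnet_id, tables):
    """AWS's definition: the subnet's route table has an active route to an IGW."""
    return any(str(r.get("GatewayId", "")).startswith("igw-") and r.get("State") == "active"
               for r in route_table_for(subnet_id, tables)["Routes"])


def trace_outbound(subnet_id, dst_ip, dst_port, proto="tcp", src_port=49152,
                   sg=SG, nacl=NACL, tables=ROUTE_TABLES):
    """Walk SG -> NACL (out, then the reply back in) -> route table for a new
    outbound connection; returns (verdict, hops) showing where it is dropped."""
    hops = []
    if not sg_allows(sg, True, proto, dst_port, dst_ip):
        return "denied by security group egress", hops
    hops.append("sg:allow")
    action, num = nacl_decision(nacl, True, proto, dst_port, dst_ip)
    hops.append(f"nacl-egress:{num}:{action}")
    if action != "allow":
        return "denied by NACL egress", hops
    action, num = nacl_decision(nacl, False, proto, src_port, dst_ip)  # the reply packet
    hops.append(f"nacl-ingress:{num}:{action}")
    if action != "allow":
        return "reply dropped by NACL ingress (missing ephemeral-port rule)", hops
    route = route_lookup(route_table_for(subnet_id, tables), dst_ip)
    target = (route.get("GatewayId") or route.get("NatGatewayId")) if route else None
    hops.append(f"route:{target}")
    return ("ok via " + target if target else "no route"), hops


if __name__ == "__main__":
    for subnet in ("subnet-public", "subnet-private"):
        kind = "public" if is_public_subnet(subnet, ROUTE_TABLES) else "private"
        print(subnet, kind, trace_outbound(subnet, "198.51.100.10", 443))
    print("http from public subnet:", trace_outbound("subnet-public", "198.51.100.10", 80))
```

Running it shows HTTPS from subnet-public leaving via the IGW and from the unassociated subnet (which falls back to the main table) via the NAT gateway, while HTTP is dropped at the NACL egress rule 32767 even though the security group allows it. Inbound SSH from 203.0.113.0/24 illustrates the other direction: the security group permits it, but this NACL has no inbound port-22 rule, so the packet never reaches the instance. Both layers have to agree, and the NACL's rule numbering decides which entry speaks first.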
In the next blog, let us briefly look into a few other VPC topics such as security group limits, stateful vs stateless filtering, NAT Gateway, Squid proxy, VPN connections, VPC peering, etc.
Get your hands dirty by creating your own VPC in AWS following the video below.
Refer to the official AWS VPC documentation below.
Follow my page to keep updated with new AWS Services and releases.
@ yogendrahj.medium.com
LEARN and BE CURIOUS!!!!!
Happy Learning,
Yogendra