Just like when we have an on premise model for our infrastructure, we also need a network for our cloud infrastructure either public or private. Yes, we can build secure and isolated private network. If you have a plan to use AWS resources, let's say you want to host your servers using EC2 instances. Then, you can create your own network for them or on AWS it's called as Virtual Private Cloud (VPC) instead of using the default one.
Amazon Virtual Private Cloud is a networking service as provided by AWS to create , manage , isolate the environments and services over the cloud. In layman term its a virtual data-center over the cloud which gives you all the super powers to setup /create own subnets, IP range , configuration of route tables , network gateways and network firewall(access rules / via security groups and network ACL’s).
Things to remember:
- Each subnet exists within 1 availability zone.
- Security groups are stateful, ACL’s are stateless
- Transitive peering is not allowed, meaning you cant hop from one VPC to another, via another VPC. You must have direct access.
- VPC’s can be peered within the same account and across AWS accounts
Below is sample and a very basic AWS VPC architecture with a public subnet and a private subnet. If you are planning to run a public-facing web application with back-end servers that are not publicly accessible – for example a multi-tier website – this template would be ideal to communicate your application design. Click the image to make the necessary changes online.
❓ Why should I use Amazon VPC?
Amazon VPC enables you to build a virtual network in the AWS cloud - no VPNs, hardware, or physical datacenters required. You can define your own network space, and control how your network and the Amazon EC2 resources inside your network are exposed to the Internet. You can also leverage the enhanced security options in Amazon VPC to provide more granular access to and from the Amazon EC2 instances in your virtual network.
Components of Amazon VPC
- Route table
- Internet Gateway
- NAT Gateway
- Virtual private gateway
- Peering Connection
- VPC Endpoints
- Egress-only Internet Gateway
A subnet is a range of IP addresses in your VPC. You can launch AWS resources, such as EC2 instances,into a specific subnet. When you create a subnet, you specify the IPv4 CIDR block for the subnet, which is a subset of the VPC CIDR block. Each subnet must reside entirely within one Availability Zone and cannot span zones. By launching instances in separate Availability Zones, you can protect your applications from the failure of a single zone.
Example, A website hosted on an EC2 instance hosted in a Public Subnet (routes to the internet) connected to a Database instance in a Private Subnet (no direct access to the internet). This grouping of partitions in your AZ is extremely useful and you can also determine the subnet size by using CIDR block notation (e.g. /28 = 16 IP Addresses).
It essentially facilitates traffic in and out of a softwaredefined network. This traffic needs to know where to go, and this is achieved via route tables. A route table in VPC has rules or routes defined for the flow of traffic. Every VPC has a default route table that is known as the main route table. You can modify this main route table and you can create additional route tables.
Each subnet in VPC is associated with only one route table, however, one route table can be attached to multiple subnets. You use route tables to decide what data stays inside of VPC and what data should go outside of VPC, and that is where it plays a very important part in deciding data flow for a VPC.
An Internet Gateway is how your VPC accesses the internet. Internet gateway allows communication between resources such as EC2 and RDS instances in your VPC and the Internet. It is highly available, redundant, and horizontally scalable; that is, you do not need to attach more than one internet gateway to your VPC in order to support an increase in traffic.
If a VPC does not have an Internet Gateway, then the resources in the VPC cannot be accessed from the Internet. It allows resources within your VPC to access the internet, and vice versa.
You will often have resources in your VPC that will reside in private subnets that are not accessible from the internet. However, these resources will need to access the internet occasionally for patch update, software upgrade, and so on. A NAT device is used exactly for this purpose, allowing resources in private subnet to connect with either the internet or other AWS services securely. NAT devices support only IPv4 traffic.
AWS recommends a NAT gateway over a NAT instance as it is a managed service that requires little or no administration, is highly available, and highly scalable.
Things to remember:
- Scale automatically up to 10Gbps
- Automatically assigned a public IP
- Security Groups cannot be associated with a NAT Gateway.
Virtual Private Gateway
A Virtual Private Gateway (VGW) is nothing but a VPN connector on the AWS side of the Site-to-Site VPN connection. It is a managed gateway endpoint for your VPC responsible for hybrid IT connectivity using VPN.
In a nutshell, A Virtual Private Gateway is a way for you to land in your cloud when creating a VPN tunnel. You can create up to ten VPN tunnels to the exterior, Non-VPC networking locations per Virtual Private Gateway interfaced and each of these tunnels will be connected using the IPSec protocol.
A VPC peering connection is a networking connection between two VPCs that enables routing using each VPC’s private IP addresses as if they were in the same network. This is the AWS recommended method for connecting VPCs.VPC peering connections can be created between your own VPCs or with a VPC in another AWS account. VPC peering also supports inter-region peering. Traffic using inter-region VPC Peering always stays on the global AWS backbone and never traverses the public internet, thereby reducing threat vectors, such as common exploits and DDoS attacks.
A VPC endpoints is a secure way to communicate with other AWS services without using the internet, Direct Connect, VPN Connection, or a NAT device. This communication happens within the Amazon network internally so your traffic never goes out of Amazon network. At present, endpoints are supported only for Simple Storage Service (S3). These endpoints are virtual devices supporting IPv4-only traffic.
- VPC endpoints support IPv4 traffic only.
- Endpoints are supported within the same Region only.
- Endpoints cannot transfer an endpoint from one VPC to another, or from one service to another.
Egress-only Internet Gateway
NAT devices are not supported for IPv6 traffic, use an Egress-only Internet gateway instead. IPv6 addresses are globally unique, and are therefore public by default. If you want your instance to be able to access the internet, but you want to prevent resources on the internet from initiating communication with your instance, you can use an egress-only internet gateway. To do this, create an egress-only internet gateway in your VPC, and then add a route to your route table that points all IPv6 traffic (::/0) or a specific range of IPv6 address to the egress-only internet gateway.
THANKS READING 😉
Looking forward to joining in Scaler as a Content Writing.