DEV Community

Cover image for VPC Networking
Ashutosh Mallick
Ashutosh Mallick

Posted on

VPC Networking

What is VPC?

The AWS VPC is essentially a private virtual network inside the AWS network. While AWS is
physically a shared network, each VPC is logically isolated from other AWS customers. The AWS
network supports private and public addresses for each of its customers
AWS customers are logically separated, there is no contention for IP address space between VPCs. Each VPC will
have its own routing table that is responsible for directing traffic.
Below image shows the logical isolation of AWS customers.
Image description
** What is Subnetting?**
To understand what Subnetting is, first we have to understand what
exactly is the Network and Subnet

What is Network?
A network is a group of two or more connected computing devices. Usually all devices in the network are connected to a central hub — for instance, a router. A network can also include subnetworks, or smaller subdivisions of the network

What is Subnet ?
A subnet, or subnetwork, is a network inside a network. Subnets make networks more efficient. Through subnetting, network traffic can travel a shorter distance without passing through unnecessary routers to reach its destination.

What is Subnetting ?
Subnetting/Subnetworking is how very large networks, such as those
provided by ISPs, are able to manage thousands of IP addresses and
connected devices.
In simple words: Dividing bigger networks into smaller networks called Subnetting.

CIDR stands for (Classless Inter-Domain Routing) -- also known as supernetting. It's a method of assigning Internet Protocol (IP) addresses that improves the efficiency of address distribution and replaces the previous system based on Class A, Class B and Class C networks.

For each VPC we setup, we have to assign a CIDR value say(
Image description
CIDR range depends upon the no. of servers going to be deployed.
Here, the variable values of CIDR vary from 0 to 255.
But first four values i.e, from "" to "" are reserved and "" is also reserved.

For each subnet we create, we restrict public and private resources to different subnets. Each subnet is assigned to different IP.
Image description

Here '/24' means first 3 bits of IP will be kept constant.
For Subnet-1 Ip address ranges from to
For Subnet-2 Ip address ranges from to
For Subnet-3 Ip address ranges from to

Basically, we deploy our different services into different subnets. Such as we keep web-servers in a single subnet, Database servers in a different private subnet.

Image description

Create a VPC "Silicon-Vpc" (say).
Give an IPV4 CIDR to it (

Create two Subnets inside it, Web-subnet and DB-subnet.
Assign CIDR values to the subnet as "" and "" respectively.

Now select "Web-subnet" and edit subnet settings. Enable the auto-assign public IP in order to allow public access to all the web-servers inside the subnet.
Image description
Image description
Image description
Image description
Image description

We can see that for each subnet we can allocate 251 servers (According to the CIDR values available).

Now let's launch instance say linux servers. Set VPC as "Silicon-vpc" and subnet as "Web-subnet".
Create a new key pair and launch.
Similarly launch another instance into DB-subnet.
Image description
Image description

Image description
Connect web-server using SSH. We can see that we won't be able to connect.
It is because we have not attached the internet gateway to give the web-server internet access.

What is Internet Gateway?
An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.

An internet gateway serves two purposes:
1) to provide a target in your VPC route tables for internet-routable traffic.
2) to perform network address translation(NAT) for instances that have been assigned public IPv4 addresses.
Image description
Now we'll deploy an IGW.
Create an IGW " Silicon-IGW". Attach a vpc to it.

IGW Creation:

Image description
Image description
Image description

Now we still won't be able to connect as Route table is undefined.
So we have to create and define the route table.

What is VPC Route Table?
Your VPC has an implicit router, and you use route tables to control where network traffic is directed. Each subnet in your VPC must be associated with a routing table, which controls the routing for the subnet (subnet route table).

You can explicitly associate a subnet with a particular route table. Otherwise, the subnet is implicitly associated with the main route table.

A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same subnet route

Public Subnet: If a subnet is associated with a route table that has a route to an internet gateway, it's known as a public subnet.

Private Subnet: If a subnet is associated with a route table that does not have a route to an internet gateway, it's known as a private subnet.

In the public subnet's route table, we can specify a route for the internet gateway to all destinations not explicitly known to the route table ( for IPv4 or ::/0 for IPv6).

Alternatively, we can scope the route to a narrower range of IP addresses; for example, the public IPv4 addresses of your company’s public endpoints outside of AWS, or the Elastic
IP addresses of other Amazon EC2 instances outside your VPC.

Route Table Creation:
Image description
Image description
Image description
Image description
Image description

Now, we'll be able to connect to the web-server via ssh.

Image description
But we can't access the DB-server as it doesn't have public IP.
Similarly, we can't connect DB-server from Web-server console as we don't have access to "Db-server-key.pem' file.

So let's make a pem file using vi editor and save contents of Db-server-key.pem file to vi editor.
Image description

Now, we've to give read-write permission to the server.

Type: "chmod 600 DB-server-key.pem"

Now we'll be able to access the Db-server via Web-server.
Image description
We can verify that Web-server has access to internet by using command "ping".
Image description

But DB-server can't access the internet.
Image description

If we want to give internet access to DB-server we have to configure it in such a manner that no one else from the internet can access it except us.

To have such kind of setup we deploy "NAT-Gateway".
"Nat-gatweway has both private and public IP associated with it.
We need to deploy it in Public subnet. Hence, the subnet having IGW access is called public subnet.

If DB-Subnet wants to have internet access then it has to connect to the public ip of NAT gateway.

Top comments (0)