loading...
Cover image for Why a VPC is like the London Underground

Why a VPC is like the London Underground

helenanders26 profile image Helen Anderson Updated on ・5 min read

Networking is hard.

If you have not come from a traditional IT background, the VPC part of the AWS Certification training is tricky. There is talk of CIDR blocks, subnets and spaghetti mess diagrams.

Sort of like the London Underground. Which got me thinking. When I moved to London, the Underground system seemed really overwhelming. But it didn't take too long to figure out. By the end of my four years, I could tell you which door to get on the train so you could avoid the crowds and get out quickly at the other end.

It turns out there are a lot of similarities between the two. If I could figure out The Tube map with all its zones, stations, platforms and jargon, surely I could figure out VPCs.


Mind the Gap

Introduction
VPC - London Underground Network
Availability Zone - Fare Zone
Subnet - Station
Route Table - Timetable
Network Access Control Lists - Signals
VPC Peering - Travelling on other services


Introduction

Here is the example network diagram from the AWS documentation. This post hopes to break down all the components in this diagram and draw some parallels from the London Underground network.

Not the spaghetti mess I once thought it was

VPC - London Underground network

To put it simply, a VPC is a network within your AWS account that holds your AWS services. Think of it as your own data centre. You decide how big it needs to be by assigning a range of IP addresses. This is called a CIDR block (Classless Inter-Domain Routing) and it allows us to track and restrict the sort of traffic and users access our instances.

Key things to know:

  • By default, a VPC is isolated from other VPCs unless we 'peer' them together.
  • There is a limit of five VPCs per region but this can be increased.
  • VPCs span all Availability Zones within a Region.

Availability Zone - Fare Zone

Once you have created a VPC you can start adding Subnets in each Availability Zone. Think of this like a Station within a Fare Zone. Each Station or Subnet is isolated from the failures of others around it.

Key things to know:

  • A VPC spans all Availability Zones in a region.
  • Launching instances in separate Availability Zones protects applications from failing in a single location.

Subnet - Station

A Subnet is like a Station. It can be public or private. Just like on the London Underground network where there are public stations with public access. There are abandoned stations, TFL staff training stations and post stations. The kind of private stations the public can’t access on a normal day.

Key things to know:

  • There can be up to 200 Subnets per VPC. If you would like to increase this you will need to request this through AWS Support. There are currently 270 stations on the London Underground Network, although they probably didn’t have to submit a ticket to get this increased.
  • You define which Subnets you want to be exposed to the internet by attaching public IP addresses.

Route Table - Timetable

Each Subnet has a Route Table attached. This creates a set of rules to allow traffic to flow within a set of guidelines. This means that traffic stays inside the Subnet until a route is created to allow it to travel to the next stop on the network.

Key things to know:

  • A Route Table tells the traffic which way it needs to go to get to the destination.
  • The Internet Gateway allows devices on a Public Subnet to connect to the internet.
  • In contrast, a Network Address Translation Gateway (NAT Gateway) facilitates the connection between Private Subnets and the internet. Similar to how Engineering Stock travel after hours from private stations through public stations.

Network Access Control Lists - Signals

Network Access Control Lists (NACL) allow us to limit traffic to safeguard against mistakes and accidents. Using NACLs, like the signals on the London underground, means we can control traffic flow using a set of rules.

Key things to know:

  • There are rules for inbound and outbound traffic, so rules must be set up for each direction.
  • They are stateless, which means that responses to incoming traffic are dependent on outbound traffic. The same way if there is a train in the tunnel ahead, you may have to wait for it to clear.
  • You can create a custom NACL but need to add rules as it will deny all traffic by default.

VPC Peering - Travelling on different services

A VPC peering connection allows traffic to be routed between two VPCs as if they were within the same network.

Key things to know:

  • Transitive peering is not allowed, which means you must have direct access to allow traffic through.
  • VPCs can be peered with other accounts. The same way you can access National Rail Services from within the London Underground Zones.

This isn't a perfect analogy but by giving the concepts some context I'm one step closer to getting my head around how a VPC works. It's also given me an excuse to revisit all the fun facts of the London Underground which is always good.

How do you put all the components together when explaining VPC concepts to beginners? Are there any other Tube enthusiasts out there in Devland?


Useful Links:


This post originally appeared on helenanderson.co.nz

Posted on by:

helenanders26 profile

Helen Anderson

@helenanders26

Making applications go faster at Raygun, AWS Data Hero, and tag moderator on Dev.to.

Discussion

pic
Editor guide
 

Well done. Love the images 👌.

But, I wonder... why you didn't name it "AWS Series: Why a VPC is like the stale spaghetti that's been sitting in my fridge for 2 weeks"

We'll never know...

Jokes aside, well done! For someone who doesn't know anything about VPC this analogy + the "key things" lists really help to make an easy connection and grasp things 👌

 

Thanks James!

Love the suggestion. Before I dove headfirst into this topic I would have to agree with you. The documentation is incredibly comprehensive but assumes you are already familiar with loads of terminology and how networking works in a traditional setting. Pretty mind bending stuff for a complete beginner :)