Ayo

Beginner's AWS Guide: Network Fundamentals (Part 4)

Objective:

This section introduces key cloud networking concepts, including Virtual Private Clouds (VPCs), Subnets, Internet Gateways (IGWs), NACLs, and Security Groups. By the end, you'll have a solid understanding of how AWS networking works behind the scenes and how cloud resources communicate securely.


VPC: Virtual Private Cloud 🏢

A Virtual Private Cloud (VPC) is like having our own private room in the AWS cloud - isolated from other AWS users. Inside this room, we can place resources like EC2 instances, databases, and more. By default, we're allowed up to 5 VPCs per region, but this limit can be increased.

💡 Each resource inside a VPC needs a private IP address so that it can be uniquely identified, send and receive data, and avoid IP conflicts.

When we create a VPC, we customise it by assigning:

  1. A name (e.g. dev-vpc, prod-vpc)
  2. An IPv4 CIDR block – this defines the number of private IP addresses available inside our VPC

Resources in our VPC take their IPs from one of the following private address ranges, defined by RFC 1918:

  • 10.0.0.0 to 10.255.255.255 (/8)
  • 172.16.0.0 to 172.31.255.255 (/12)
  • 192.168.0.0 to 192.168.255.255 (/16)

These private IP ranges allow for internal (non-public) communication between our resources. However, for a resource to access the internet, it must have:

  1. A public IP
  2. A connected Internet Gateway (IGW)
  3. A route in the route table directing outbound traffic (e.g. 0.0.0.0/0) to the IGW

Example CIDR Breakdown

If we set our VPC's CIDR block to 10.0.0.0/18:

10.0.0.0 is the starting IP

The /18 means the first 18 bits of the 32-bit IP address are reserved for the NETWORK portion.

That leaves 14 bits (since 32 - 18 = 14) for the HOST portion — i.e. for AWS to allocate individual IP addresses to resources within the network.

We therefore get 2¹⁴ = 16,384 private IPs, ranging from 10.0.0.0 to 10.0.63.255.

Please let me know if you would like more information on IP addresses in AWS. I appreciate it's a complex topic!


Subnets: Breaking VPCs into Zones

A Subnet is a smaller network inside our VPC that is tied to a specific Availability Zone (AZ). It is made by carving out portions of our VPC’s IP range and then assigning them to different AZs.

💡 So where a VPC exists within a single AWS region, a subnet exists within a single Availability Zone.

We use multiple subnets to separate and configure public-facing and internal-only resources, with route tables defining how traffic moves between subnets or out to the internet.

Image showing the organisation of subnets in Availability Zones (AZs).
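The CIDR breakdown from the VPC section and the carving of a VPC into per-AZ subnets, as an added Python example (not code from the post). The RFC 1918 ranges are the ones listed above; the AZ names and the /20 split are constructed for the example, and the five reserved addresses per subnet are the ones AWS keeps for itself (the first four and the last), which is why the usable count is lower than the raw subnet size.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the VPC section
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# AWS reserves the first four and the last address of every subnet
AWS_RESERVED_PER_SUBNET = 5


def cidr_breakdown(cidr: str) -> dict:
    """Network/host bit split, address range and RFC 1918 check for an IPv4 CIDR block."""
    net = ipaddress.ip_network(cidr, strict=True)
    host_bits = 32 - net.prefixlen
    return {
        "network_bits": net.prefixlen,
        "host_bits": host_bits,
        "total_addresses": 2 ** host_bits,
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "rfc1918": any(net.subnet_of(r) for r in RFC1918),
    }


def carve_subnets(vpc_cidr: str, azs: list, new_prefix: int) -> list:
    """Split the VPC block into equal /new_prefix subnets and assign one to each AZ."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    subnets = list(net.subnets(new_prefix=new_prefix))
    if len(azs) > len(subnets):
        raise ValueError(f"/{new_prefix} gives only {len(subnets)} subnets for {len(azs)} AZs")
    return [
        {"az": az, "cidr": str(s), "usable": s.num_addresses - AWS_RESERVED_PER_SUBNET}
        for az, s in zip(azs, subnets)
    ]


if __name__ == "__main__":
    print(cidr_breakdown("10.0.0.0/18"))
    # constructed AZ names; 10.0.0.0/18 split into /20s gives four subnets, three are used
    for subnet in carve_subnets("10.0.0.0/18", ["eu-west-2a", "eu-west-2b", "eu-west-2c"], 20):
        print(subnet)
```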


IGW: Internet Gateway 🌐

We have hinted at the IGW already, but to confirm, it is an AWS component that allows resources in our VPC to connect to the internet. It's not something we need to manage or worry about failing, as it is highly available and scales automatically!

For example, to enable internet access for an EC2 instance, we require just the following:

  1. A public subnet
  2. A public IP address
  3. An IGW attached to our VPC
  4. A route in our route table sending outbound traffic (0.0.0.0/0) to the IGW

💡 In AWS, there are two main ways to get a public IP address for EC2 instances and services that run on EC2 infrastructure:

(1) Automatically Assigned by AWS (Dynamic Public IP)

When we launch an EC2 instance in a public subnet, AWS can automatically assign a dynamic public IPv4 address. This public IP is ephemeral, meaning it changes whenever we stop and start the instance.

(2) Elastic IP Address (Static Public IP)

This is a static public IPv4 address that we allocate to our AWS account. We can attach/reattach it to an EC2 instance if and when required, and it is free only when we associate it with a running instance.

The diagram below highlights what a configured route table looks like behind the scenes!

Image showing how a route table works in AWS

Image showing the bases of a VPC, subnets and the Internet Gateway in AWS
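The four-item internet-access checklist above, turned into an exposure check as an added Python example (not code from the post). The inventory is constructed sample data shaped only loosely like AWS API output, not real describe-* responses; the instance, subnet and route-table names are assumptions. A subnet with no explicit route-table association falls back to the VPC's main route table, which the lookup models.

```python
# Constructed sample inventory (an assumption, not real AWS API output)
VPC = {"id": "vpc-example", "igw_attached": True}
ROUTE_TABLES = [
    {"id": "rtb-public", "main": False, "subnets": ["subnet-public"],
     "routes": [{"dst": "10.0.0.0/18", "target": "local"},
                {"dst": "0.0.0.0/0", "target": "igw-example"}]},
    {"id": "rtb-main", "main": True, "subnets": [],
     "routes": [{"dst": "10.0.0.0/18", "target": "local"}]},
]
INSTANCES = {
    "web": {"subnet": "subnet-public", "public_ip": "203.0.113.10"},
    "db": {"subnet": "subnet-private", "public_ip": None},
    "no-ip": {"subnet": "subnet-public", "public_ip": None},
}


def route_table_for(subnet_id: str, route_tables: list) -> dict:
    """An explicit association wins; otherwise the VPC's main route table applies."""
    explicit = [r for r in route_tables if subnet_id in r["subnets"]]
    return explicit[0] if explicit else next(r for r in route_tables if r["main"])


def missing_for_internet(instance: dict, vpc: dict, route_tables: list) -> list:
    """Checklist items the instance lacks; an empty list means it is internet-reachable."""
    missing = []
    if not vpc["igw_attached"]:
        missing.append("IGW attached to VPC")
    rtb = route_table_for(instance["subnet"], route_tables)
    # a public subnet is one whose route table sends 0.0.0.0/0 to an IGW
    if not any(r["dst"] == "0.0.0.0/0" and r["target"].startswith("igw-") for r in rtb["routes"]):
        missing.append("0.0.0.0/0 route to the IGW (subnet is not public)")
    if not instance["public_ip"]:
        missing.append("public IPv4 address")
    return missing


def exposure_report(instances: dict, vpc: dict, route_tables: list) -> dict:
    """Defender's view: which instances the internet can reach, and what blocks the rest."""
    return {name: missing_for_internet(i, vpc, route_tables) for name, i in instances.items()}


if __name__ == "__main__":
    for name, gaps in exposure_report(INSTANCES, VPC, ROUTE_TABLES).items():
        print(f"{name}: {'INTERNET-REACHABLE' if not gaps else 'blocked, missing ' + ', '.join(gaps)}")
```

Run against a real account, the same logic flags anything that is internet-reachable but should not be (a database in a public subnet with a public IP, for instance).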


Network Protection: NACLs vs. Security Groups 🔑

AWS offers two main layers of network protection, each with its own purpose, and I believe the differences are worth highlighting:

Table noting the key differences between NACLs and Security Groups

💡 Each subnet can only have one NACL attached to it, but one NACL can be shared across multiple subnets.

Image showing a security group: it allows inbound traffic from an authorised port and IP and automatically allows the return traffic.
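The difference the table and image above describe, as an added Python example (not code from the post): a NACL is a stateless, numbered rule list with an implicit deny, so an inbound HTTPS allow needs a matching outbound allow for the client's ephemeral port or the reply is dropped; a security group is stateful, so the reply of an allowed flow is let back out without any extra rule. The rules, client address and ports are constructed for the example, and the security-group model covers only inbound rules plus return traffic.

```python
from ipaddress import ip_address, ip_network

# Constructed NACL rules: (rule number, action, protocol, (from_port, to_port), cidr).
# Evaluated lowest number first, first match wins, anything unmatched hits the implicit deny.
NACL_INBOUND = [
    (100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
    (200, "deny", "tcp", (22, 22), "0.0.0.0/0"),
]
NACL_OUTBOUND_BAD = [(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]  # no ephemeral-port allow
NACL_OUTBOUND_GOOD = NACL_OUTBOUND_BAD + [(110, "allow", "tcp", (1024, 65535), "0.0.0.0/0")]

# Constructed security-group rule: (protocol, (from_port, to_port), cidr); allow rules only, no ordering
SG_INBOUND = [("tcp", (443, 443), "0.0.0.0/0")]


def _match(proto, port, addr, rule_proto, ports, cidr) -> bool:
    return rule_proto == proto and ports[0] <= port <= ports[1] and ip_address(addr) in ip_network(cidr)


def nacl_allows(rules: list, proto: str, port: int, addr: str) -> bool:
    """Stateless: walk the rules in number order and let the first match decide."""
    for _num, action, rproto, ports, cidr in sorted(rules):
        if _match(proto, port, addr, rproto, ports, cidr):
            return action == "allow"
    return False  # implicit deny


class SecurityGroup:
    """Stateful: inbound allow rules admit new flows; replies of tracked flows pass automatically."""

    def __init__(self, inbound: list):
        self.inbound, self.flows = inbound, set()

    def inbound_allowed(self, proto, port, src, src_port) -> bool:
        ok = any(_match(proto, port, src, p, ports, cidr) for p, ports, cidr in self.inbound)
        if ok:
            self.flows.add((proto, src, src_port, port))  # remember the connection
        return ok

    def outbound_allowed(self, proto, dst, dst_port, src_port) -> bool:
        return (proto, dst, dst_port, src_port) in self.flows  # return traffic of a tracked flow


def https_round_trip(outbound_nacl: list, sg: SecurityGroup, client="198.51.100.7", client_port=50123) -> dict:
    """Does the client's HTTPS request get in AND does the server's reply get back out?"""
    sg_ok = sg.inbound_allowed("tcp", 443, client, client_port) and sg.outbound_allowed("tcp", client, client_port, 443)
    # the reply is addressed to the client's ephemeral port, so that is what the outbound NACL sees
    nacl_ok = nacl_allows(NACL_INBOUND, "tcp", 443, client) and nacl_allows(outbound_nacl, "tcp", client_port, client)
    return {"sg": sg_ok, "nacl": nacl_ok}


if __name__ == "__main__":
    print("missing ephemeral rule:", https_round_trip(NACL_OUTBOUND_BAD, SecurityGroup(SG_INBOUND)))
    print("with ephemeral rule:   ", https_round_trip(NACL_OUTBOUND_GOOD, SecurityGroup(SG_INBOUND)))
```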


🎯 TL;DR

  • VPC creates our own private section of AWS cloud.
  • Subnets divide our VPC into public (internet-facing) and private sections.
  • Internet Gateway connects our VPC to the public internet.
  • Security Groups and NACLs control what traffic can reach our resources.

This is part of a mini-series where I delve into everything cloud-related. Check out my other posts for further learning!
