There are a few terms you must have heard, like cloud, region, VPC, subnets, internet gateway and NAT.
All these terms relate to one thing, i.e. having our own private space for our project in the cloud.
Let's take a layman's example to connect these dots.
Suppose you want to book a room in a hotel.
So we go to a particular HOTEL, which is in a specific region and in a specific area of a country.
Similarly, when we select a cloud provider like AWS, Azure or GCP, they are like hotels present in a region, spread across various availability zones (AZs).
So we can select a region like Central Europe and a zone like eu-central-1a.
Now you talk to the receptionist, who allocates you a room with a room number like 101.
In the cloud world, it's like booking a VPC (Virtual Private Cloud) in AWS with an address range like 10.0.0.0/16. (Now it's your own private space.)
As we are inside our hotel room, if we want to connect to the outside world we connect to the internet through the hotel's Wi-Fi.
Similarly, in order to connect our VPC to the internet/outside world, we need an Internet Gateway.
Inside the VPC we booked, we create smaller subnets and decide which machine/process is placed in which subnet.
Subnets are like the windows of our hotel room: some open onto the outside world, like the window in the hall from where you can call someone passing by.
But some are private, like the window in the washroom; the outside world is not reachable from there.
Similarly, subnets come in two kinds, public subnets and private subnets, created inside our VPC.
We can keep our webserver in a public subnet so that anyone on the internet can connect to our website directly (but that's risky).
And we can keep our DB, code and important files in a private subnet, which should not be open to the internet.
But what if you want to keep everything in the locker (private), meaning we want to put our webserver in a private subnet as well, for security?
Then comes the Load Balancer, which we place between the "Internet" and our "subnet"; it allows users to access our webserver placed in the private subnet.
But if we put our webserver in a private subnet and cut it off from the outside world, there will be times when even our webserver needs to connect to the internet for some kind of installation or update.
So we use NAT (Network Address Translation), placed inside a "public subnet" in our VPC, which allows our webserver in the "private subnet" to pass its outgoing requests first to the NAT, which passes them to the internet gateway and then to the internet (the NAT forwards only connections that the webserver starts, so nothing on the internet can reach the webserver through it).
There can also be a scenario where our customer says, "I have my VPC at my end and I don't want to move to public cloud providers like AWS or Azure."
Then we use a VPC Peering Connection, which connects the customer's VPC to our VPC in AWS.
We can have multiple such VPCs, and we have to connect these VPCs to the on-premises VPC as well. If we go with VPC peering for that set, every VPC has to be peered one-to-one with every other VPC, because VPC peering is non-transitive, and that becomes a blockage.
That's why, in 2018, AWS launched a new networking router called the "Transit Gateway". It allows us to connect different VPCs in different networks, as well as our on-premise network VPC.
So now, using a VPN or Direct Connect, we can connect our on-premise VPC to the Transit Gateway, and the Transit Gateway connects to our AWS VPCs. This gives complete connectivity.
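As an added illustration of the non-transitivity problem above and of what the Transit Gateway hub changes (this is example code written for this post, not code from the original or from AWS): a packet may cross only one peering connection, so reachability over peering is a one-hop question, while every network attached to a Transit Gateway can reach every other attachment that its TGW route table propagates to it. The network names, the peering layout and the route table in the block are all made up.

```python
"""Reachability over VPC peering (non-transitive) versus a Transit Gateway hub.

Added example for this post, not the author's or AWS's code. Networks,
peerings and the TGW route table below are constructed.
"""
from collections import deque

# Constructed topology: vpc-a is peered with everything, nothing else is.
NETWORKS = ["onprem", "vpc-a", "vpc-b", "vpc-c"]
PEERINGS = [("onprem", "vpc-a"), ("vpc-a", "vpc-b"), ("vpc-a", "vpc-c")]


def reachable(links, src, dst, max_hops):
    """Breadth-first search over undirected links, crossing at most max_hops."""
    frontier = deque([(src, 0)])
    seen = {src}
    while frontier:
        node, hops = frontier.popleft()
        if node == dst:
            return True
        if hops == max_hops:
            continue
        for a, b in links:
            nxt = b if a == node else a if b == node else None
            if nxt is not None and nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, hops + 1))
    return False


def peering_reachable(peerings, src, dst):
    """AWS never forwards traffic that arrived over one peering out of another,
    so only a direct peering counts: exactly one hop."""
    return src != dst and reachable(peerings, src, dst, max_hops=1)


def peering_mesh_size(networks):
    """Peerings required for full any-to-any connectivity: n*(n-1)/2."""
    n = len(networks)
    return n * (n - 1) // 2


def tgw_reachable(attachments, src, dst, route_table=None):
    """Through the hub any attachment reaches any other, unless the TGW route
    table (dict: attachment -> set of attachments it may reach) segments them.
    None models the default table that propagates every attachment to all."""
    if src == dst or src not in attachments or dst not in attachments:
        return False
    if route_table is None:
        return True
    return dst in route_table.get(src, set())


def connectivity_matrix(networks, check):
    """Which ordered pairs can talk, for any reachability predicate check(src, dst)."""
    return {(s, d): check(s, d) for s in networks for d in networks if s != d}


if __name__ == "__main__":
    via_peering = connectivity_matrix(NETWORKS, lambda s, d: peering_reachable(PEERINGS, s, d))
    via_tgw = connectivity_matrix(NETWORKS, lambda s, d: tgw_reachable(set(NETWORKS), s, d))
    for pair in sorted(via_peering):
        print(pair, "peering:", via_peering[pair], "tgw:", via_tgw[pair])
    print("peerings for a full mesh:", peering_mesh_size(NETWORKS),
          "vs TGW attachments:", len(NETWORKS))
```

The `route_table` argument of `tgw_reachable` is the part worth keeping in mind from a security angle: the hub gives you any-to-any connectivity by default, so if the customer's on-premises network should only see one of your VPCs, that restriction has to be written into the TGW route table rather than assumed.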
Now there are other AWS services like S3 buckets and DynamoDB; if they are in the same region, we don't need to go out through the NAT and internet gateway, which would also cost us more money.
We can use a VPC endpoint (gateway) for S3 and DynamoDB, and for other services like Lambda, SQS and SNS we can use a VPC endpoint (interface), for direct connectivity rather than going through the NAT.
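To make the public/private subnet distinction, the NAT egress path and the gateway-endpoint path concrete, here is an added Python example (not code from the original post or from AWS). It reads the JSON shape printed by `aws ec2 describe-route-tables` and classifies each subnet the way the VPC router decides it: a subnet whose default route points at an `igw-` is public, one whose default route points at a `nat-` is private, and one with no default route at all is isolated. It then traces where a packet from a given subnet goes, so you can see S3 traffic from the private subnet leaving through the `vpce-` gateway endpoint while ordinary internet traffic leaves through the NAT. The sample route tables are constructed by hand; the VPC, subnet, gateway and endpoint IDs, the prefix-list ID `pl-s3-example` and the address `203.0.113.10` (a documentation address standing in for any public IP) are all made up.

```python
"""Classify subnets and trace egress from `aws ec2 describe-route-tables` output.

Added example for this post, not the author's or AWS's code. Works on the
JSON the CLI prints; the sample below is constructed and every ID is made up.
"""
import ipaddress
import json

# Constructed sample: a 10.0.0.0/16 VPC with a public subnet (default route to
# the internet gateway), two private subnets behind a NAT gateway plus an S3
# gateway endpoint, and one isolated subnet that has only the local route.
SAMPLE = json.loads("""
{"RouteTables": [
  {"RouteTableId": "rtb-public", "VpcId": "vpc-example",
   "Associations": [{"SubnetId": "subnet-web", "Main": false}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}]},
  {"RouteTableId": "rtb-private", "VpcId": "vpc-example",
   "Associations": [{"SubnetId": "subnet-app", "Main": false},
                    {"SubnetId": "subnet-db", "Main": false}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"},
     {"DestinationPrefixListId": "pl-s3-example", "GatewayId": "vpce-s3-example", "State": "active"}]},
  {"RouteTableId": "rtb-isolated", "VpcId": "vpc-example",
   "Associations": [{"SubnetId": "subnet-locker", "Main": false}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}
]}
""")

# AWS puts the next hop under a different key depending on the target type.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
               "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId")


def route_target(route):
    """Return the next-hop ID of a route, or 'blackhole' if it has none."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return "blackhole"


def subnet_route_tables(describe_output):
    """Map each explicitly associated subnet ID to its route table."""
    tables = {}
    for rtb in describe_output["RouteTables"]:
        for assoc in rtb.get("Associations", []):
            if "SubnetId" in assoc:
                tables[assoc["SubnetId"]] = rtb
    return tables


def lookup(rtb, dst_ip, prefix_list=None):
    """Resolve a destination like the VPC router: an active route for the given
    prefix list (gateway endpoint) wins, otherwise longest-prefix match on CIDRs."""
    if prefix_list is not None:
        for route in rtb["Routes"]:
            if (route.get("DestinationPrefixListId") == prefix_list
                    and route.get("State") == "active"):
                return route_target(route)
    ip = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for route in rtb["Routes"]:
        cidr = route.get("DestinationCidrBlock")
        if cidr is None or route.get("State") != "active":
            continue
        net = ipaddress.ip_network(cidr)
        if ip in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return route_target(best) if best is not None else "no route"


def classify(describe_output):
    """Label each subnet public / private / isolated from its default route."""
    kinds = {}
    for subnet, rtb in subnet_route_tables(describe_output).items():
        target = lookup(rtb, "203.0.113.10")  # constructed: any address outside the VPC
        if target.startswith("igw-"):
            kinds[subnet] = "public"
        elif target.startswith("nat-"):
            kinds[subnet] = "private"
        else:
            kinds[subnet] = "isolated"
    return kinds


def egress_path(describe_output, subnet, dst_ip, prefix_list=None):
    """Next hop a packet from `subnet` takes towards dst_ip (or a prefix list)."""
    return lookup(subnet_route_tables(describe_output)[subnet], dst_ip, prefix_list)


def sensitive_in_public(describe_output, sensitive_subnets):
    """Audit check: subnets meant for the DB/app tier that ended up public."""
    kinds = classify(describe_output)
    return sorted(s for s in sensitive_subnets if kinds.get(s) == "public")


if __name__ == "__main__":
    print(classify(SAMPLE))
    print("app -> S3:", egress_path(SAMPLE, "subnet-app", "203.0.113.10", "pl-s3-example"))
    print("app -> internet:", egress_path(SAMPLE, "subnet-app", "203.0.113.10"))
    print("misplaced:", sensitive_in_public(SAMPLE, ["subnet-db", "subnet-app"]))
```

Two caveats when running this against real output: the example only follows explicit subnet associations, whereas a real account also has a main route table (an association with `"Main": true` and no `SubnetId`) that silently applies to every subnet you forgot to associate, and the S3 prefix list ID differs per region, so `pl-s3-example` has to be replaced with the real one from `aws ec2 describe-prefix-lists`.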
In another case, what if a customer wants only you to access their app, before they open it to the public on the internet?
Then comes "PRIVATE LINK", which takes the customer application's link through their NLB in their VPC and passes that link to our VPC.
The customer can expose their application via their NLB, and at our end we create a VPC endpoint, which privately connects us to the customer's NLB.👏
Also, if we don't want to hand out an IP address for our VPC, we can use Route 53 (DNS) so that users connect to us through our ALB using a "domain name" rather than the IP address.
There is also CloudFront, which caches our website's general data, big videos and images at the nearest AWS AZ, so when a user hits our domain name the request goes to CloudFront, then to our LB and finally to the application in our subnet. This makes for a faster user experience.
If you connected a bit with my post, do let me know, and if we both share the same interest in DevOps, cloud & Kubernetes then let's connect!!
Linkedin: https://www.linkedin.com/in/mohitmishra3333/
Medium: https://medium.com/@mohitmishra3333
Happy Learning to all !!