Whilst studying for my AWS Certified Cloud Practitioner exam, one of the concepts that was a recurring theme was AWS VPC, and I tried my best to really understand the networking technology. You may ask or wonder what VPC is, I will attempt to break it down. A virtual private cloud (VPC) is a virtual network dedicated to the AWS account. It is logically isolated from other virtual networks in the AWS cloud. VPC allows the user to select IP address range, create subnets, and configure route tables, network gateways, security groups, network access control list (NACL), and internet gateway.
You can think of the AWS Cloud as an Estate which contains several houses. A VPC is an individual apartment in that Estate, and you
can place your properties in different positions in your apartment. Some properties may be placed in the living room while some in the bedroom. When expecting a visitor, ditto, traffic from the internet. This can refer to the isolated logical network in the AWS cloud where you provision your resources such as application and database servers. The concept of VPC components is thus further explained:
This can be likened to the landline in your apartment, and it is the only way for anyone that wants to visit you to reach you. If the landline is off, nobody can reach your apartment and only the people within your apartment can talk to each other. In AWS, this refers to the default route to the internet which enables your resources in the VPC to communicate with the internet. An Internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in the VPC and the Internet. It imposes no availability risks or bandwidth constraints on the network traffic. An Internet gateway serves two purposes A) To provide a target in the VPC route tables for Internet-routable traffic B) To perform network address translation (NAT) for instances that have not been assigned public IP addresses. Enabling Internet access to an Instance requires attaching Internet gateway to the VPC.
These are logical segmentation of your resources; they can be likened to the properties in your apartment. The properties placed in the living room are public subnets, all your visitors can see them such as television, sound system, PS5 etc. In AWS, Web/Application servers are deployed in the public subnets, external users can have access to them and are reachable on the internet. The properties placed in your bedroom are private subnets, they are accessible within your house, that is, only your family members have access to them. In AWS, database servers are mostly placed in the private subnets in VPC because they are only accessible within your VPC network.
Subnet spans a single Availability Zone, distinct locations engineered to be isolated from failures in other AZs and cannot span across AZs. Subnet can be configured with an Internet gateway to enable communication over the Internet, or virtual private gateway (VPN) connection to enable communication with your corporate network. Subnet can be Public or Private and it depends on whether it has Internet connectivity i.e. is able to route traffic to the Internet through the IGW. Instances within the Public Subnet should be assigned a Public IP or Elastic IP address to be able to communicate with the Internet. For Subnets not connected to the Internet, but has traffic routed through Virtual Private Gateway only is termed as VPN-only subnet. Subnets can be configured to enable assignment of the Public IP address to all the Instances launched within the Subnet by default, which can be overridden during the creation of the Instance.
Each Subnet is associated with a route table which controls the traffic. Subnet security can be configured using Security groups and NACLs. Security groups works at instance level, NACLs work at the subnet level.
By default, only people staying in the living room can meet the visitors, perhaps you are in the bedroom, and you want to meet the visitor, you can use your mobile phone to talk to them, but you would be the one to make a call request. In AWS, this allows resources deployed in the private subnets to have access to the internet and it is especially used for upgrade and software patches for database servers or to enhance the security level of the system. NAT device enables instances in a private subnet to connect to the internet or other AWS services but prevents the internet from initiating connections with the instances. NAT devices do not support IPv6 traffic, use an egress-only Internet gateway instead.
These are the security guards guarding your home, they will check the visitors, to either grant access to the building or not.
In AWS, this serves as a security measure at the subnet level for your VPC network to deny or allow inbound and outbound traffic. At default, it allows both inbound and outbound traffic.
Inbound traffic: User's request entering the VPC
Outbound traffic: User's response leaving the VPC
It is also stateless at it does not store the signature of incoming traffic and will always verify each time.
You have a bouncer at the door which checks the visitors before they can come in for your party. If they have an invite, they will be granted access to your house party. When the guest is leaving, he wouldn’t be subjected to another check. In AWS, this is a security measure at the instance level, it only allows inbound traffic, and it is stateful which means once the traffic is allowed in, automatically the traffic will be permitted out.
Route table defines rules, termed as routes, which determine where network traffic from the subnet would be routed. Each VPC has an implicit router to route network traffic. Each VPC has a Main Route table and can have multiple custom route tables created. Each Subnet within a VPC must be associated with a single route table at a time, while a route table can have multiple subnets associated with it. Subnet, if not explicitly associated to a route table, is implicitly associated with the main route table. Every route table contains a local route that enables communication within a VPC which cannot be modified or deleted. Route priority is decided by matching the most specific route in the route table that matches the traffic. Route tables needs to be updated to defined routes for Internet gateways, Virtual Private gateways, VPC Peering, VPC Endpoints, NAT Device etc.
I hope I have been able to breakdown VPC. Let me know your thoughts in the comment session.
See you soon..Cheers!!!