AWS Basics
Table of contents
- What is Amazon Virtual Private Cloud?
- Isolation
- VPC (Virtual Private Cloud)
- Regions
- Subnets
- Availability Zones (AZs)
- VPCs are Scoped to a Region
- Subnets are Scoped to an Availability Zone
- Subnets
- IP Addressing
- Route Tables
- Internet Gateway
- NAT Gateway/Instance
- Security Groups and Network ACLs
- VPC Peering
- VPN and Direct Connect
- AWS Reserves Five IP Addresses in Each Subnet for the Following Purposes:
- Route Table
- Security
- Internet Gateway vs Network Address Translation
- Summary
What is Amazon Virtual Private Cloud?
Amazon Virtual Private Cloud (Amazon VPC) is a service that lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. Here are some key features and concepts related to VPC:
Isolation
VPCs provide logical isolation from other virtual networks in the AWS cloud. This means that resources in one VPC cannot directly interact with resources in another VPC unless you explicitly allow it. A VPC is scoped to a region, and each subnet within it is scoped to a single Availability Zone.
VPC (Virtual Private Cloud)
A VPC is a virtual network dedicated to your AWS account. It is isolated from other virtual networks in the AWS cloud. Each VPC spans all the Availability Zones (AZs) within a region. In other words, a VPC is created within a specific AWS region, and it encompasses that entire region.
Regions
AWS regions are geographical locations around the world where AWS has data centers. Each region is a separate geographic area and contains multiple Availability Zones.
Subnets
A subnet is a range of IP addresses within a VPC. Subnets allow you to segment your VPC and place resources in different sections of your network. Each subnet must reside entirely within one Availability Zone and cannot span multiple AZs.
Availability Zones (AZs)
Availability Zones are isolated locations within an AWS region. They consist of one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities. Each region has multiple AZs to ensure high availability and fault tolerance.
VPCs are Scoped to a Region
When you create a VPC, it spans the entire region and can include resources in any of the AZs within that region.
Subnets are Scoped to an Availability Zone
When you create a subnet, you must specify which AZ it will reside in, and the subnet will only exist within that specific AZ.
Subnets
Within a VPC, you can create one or more subnets, which are segments of the VPC's IP address range. Subnets can be designated as public, private, or VPN-only based on the connectivity needs of the resources they contain.
IP Addressing
You define the IP address range for the VPC and subnets using CIDR (Classless Inter-Domain Routing). AWS automatically reserves the first four IP addresses and the last IP address in each subnet for networking purposes.
Route Tables
Route tables control the routing of traffic within the VPC. You can customize route tables to direct traffic between subnets, to the internet, or to a VPN connection.
Internet Gateway
An Internet Gateway (IGW) allows communication between resources in your VPC and the internet. Subnets that are associated with a route table that directs traffic to an IGW are considered public subnets.
NAT Gateway/Instance
A Network Address Translation (NAT) gateway or NAT instance enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances.
Security Groups and Network ACLs
Security groups act as virtual firewalls for instances to control inbound and outbound traffic. Network Access Control Lists (ACLs) are optional layers of security for your VPC that act as stateless firewalls on a subnet level.
VPC Peering
VPC peering allows you to connect one VPC to another via a direct network route using private IP addresses, making the two VPCs behave as if they were on the same network.
VPN and Direct Connect
AWS VPC supports VPN connections and AWS Direct Connect, allowing you to connect your on-premises network securely to your VPC.
By using VPC, you have complete control over your virtual networking environment, including selection of your IP address range, creation of subnets, and configuration of route tables and network gateways. This makes it easier to create a secure and scalable cloud environment.
AWS Reserves Five IP Addresses in Each Subnet for the Following Purposes:
Network Address (first IP address in the subnet range): This address is used to represent the subnet itself.
VPC Router (second IP address in the subnet range): This address is reserved for the default VPC router.
Reserved for Future Use (third IP address in the subnet range): AWS reserves this IP address for potential future use.
DNS Server (fourth IP address in the subnet range): This address is reserved for the Amazon-provided DNS server.
Broadcast Address (last IP address in the subnet range): VPCs do not support broadcast, but this address is traditionally the network broadcast address, so AWS reserves it anyway.
These reserved IP addresses ensure proper functioning and management of the subnet and the services running within the VPC.
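The IP Addressing section and the reserved-address list above can be checked with a short script. The following is an added example, not code from the original page: it uses only the Python standard library, and the VPC CIDR, Availability Zone names and /24 subnet size are constructed for illustration. It also enforces the AWS rule that an IPv4 VPC or subnet block must be between /16 and /28, which the page does not state.

```python
import ipaddress

# Constructed VPC layout (assumption: the CIDR and AZ names are illustrative).
VPC_CIDR = "10.0.0.0/16"
AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]


def check_vpc_block(cidr):
    """AWS accepts IPv4 VPC and subnet blocks from /16 up to /28; raise otherwise.
    strict=True also rejects blocks with host bits set, e.g. 10.0.1.5/24."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: prefix length must be between /16 and /28")
    return net


def reserved_addresses(cidr):
    """Return the five addresses AWS reserves in a subnet, in the order the
    text lists them: network, VPC router, future use, DNS, broadcast."""
    net = check_vpc_block(cidr)
    base = int(net.network_address)
    first_four = [str(ipaddress.ip_address(base + i)) for i in range(4)]
    return first_four + [str(net.broadcast_address)]


def usable_hosts(cidr):
    """Addresses left for instances/ENIs after AWS's five reservations."""
    net = check_vpc_block(cidr)
    return net.num_addresses - 5


def carve_subnets(vpc_cidr, azs, new_prefix=24):
    """Split the VPC block into one subnet per AZ (a subnet never spans AZs)."""
    vpc = check_vpc_block(vpc_cidr)
    blocks = vpc.subnets(new_prefix=new_prefix)
    return {az: str(next(blocks)) for az in azs}


if __name__ == "__main__":
    for az, subnet in carve_subnets(VPC_CIDR, AZS).items():
        print(az, subnet, "reserved:", reserved_addresses(subnet),
              "usable:", usable_hosts(subnet))
```

Running it lists, per AZ, the subnet block, the five reserved addresses and the usable host count (251 for a /24, 11 for the smallest allowed /28). Doing this arithmetic up front avoids sizing a subnet that cannot hold the planned number of instances.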
Route Table
Imagine your VPC as a city, subnets as different neighborhoods, and route tables as sets of directions for getting around:
Public Subnet: Uses a route table that includes a route saying, "To reach the internet, go to the Internet Gateway."
Internet Gateway (IGW): The bridge that connects your VPC to the internet. Without an IGW, your VPC cannot send traffic to or receive traffic from the internet.
Private Subnet: Uses a route table that includes a route saying, "To reach the internet, go through the NAT Gateway in the public subnet." Without such a route, a private subnet can only communicate with resources inside the VPC.
In summary, a route table in AWS helps your network traffic find its way by providing a set of instructions on where to send data for various destinations.
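The Route Tables and Route Table sections above describe how the VPC router picks a target for each destination. The following added example (not code from the original page) models that lookup with longest-prefix matching and classifies a subnet as public, private or isolated from its default route. The route tables and the igw-/nat-/pcx- target IDs are constructed placeholders, and the peering route assumes a peered VPC using 10.1.0.0/16.

```python
import ipaddress

# Constructed route tables (assumption: target IDs are placeholders, not real AWS IDs).
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),          # implicit route for the VPC's own CIDR
    ("0.0.0.0/0", "igw-PLACEHOLDER"),  # "to reach the internet, go to the IGW"
]

PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("10.1.0.0/16", "pcx-PLACEHOLDER"),  # VPC peering route to the peered VPC's CIDR
    ("0.0.0.0/0", "nat-PLACEHOLDER"),    # default route via the NAT gateway in the public subnet
]

ISOLATED_RT = [
    ("10.0.0.0/16", "local"),  # no default route: only the VPC itself is reachable
]


def next_hop(route_table, destination):
    """Longest-prefix match, as the VPC router does: the most specific route wins."""
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify_subnet(route_table):
    """Public if the default route points at an IGW, private if it points at a
    NAT device, isolated if there is no default route at all."""
    default = dict(route_table).get("0.0.0.0/0")
    if default is None:
        return "isolated"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private"
    return "other"


def can_reach_internet(route_table, has_public_ip):
    """Routing decision combined with the IGW rule from the text: via an IGW the
    instance itself needs a public IP; via NAT the NAT device supplies one."""
    kind = classify_subnet(route_table)
    if kind == "public":
        return has_public_ip
    return kind == "private"


if __name__ == "__main__":
    for name, table in [("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)]:
        print(name, classify_subnet(table),
              "8.8.8.8 ->", next_hop(table, "8.8.8.8"),
              "10.0.2.5 ->", next_hop(table, "10.0.2.5"))
```

The lookup shows why the same internet-bound packet leaves through the IGW from a public subnet and through the NAT gateway from a private subnet, while traffic to 10.0.2.5 stays on the local route in both cases. can_reach_internet captures the frequent misconfiguration of placing an instance in a public subnet without a public IP: the route exists, but the IGW still cannot forward its traffic.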
Security
To secure your AWS resources, you can use two levels of security:
EC2 Security Groups: These act like virtual firewalls for your EC2 instances, controlling inbound and outbound traffic at the instance level. You can allow or deny specific IP addresses and ports.
Network Access Control Lists (NACLs): NACLs are like firewalls for subnets, managing traffic at the subnet level. They provide an additional layer of security by allowing or denying traffic to and from entire subnets.
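The difference that matters most in practice between the two levels described above (Security Groups and Network ACLs, and the Security section) is that a security group is stateful while a NACL is stateless. The following added example, not code from the original page, models one HTTPS request to a web server and its reply through both layers. Two facts it relies on are not stated on the page: security group rules are allow-only (there is no deny rule), and NACL rules are evaluated in rule-number order with an implicit final deny. The addresses, ports and rule sets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed scenario (assumption): a web server in a subnet guarded by a NACL,
# with a security group on the instance; 203.0.113.0/24 is a documentation range.
SERVER_IP = "10.0.1.10"
CLIENT_IP = "203.0.113.7"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


# Security group rules are allow-only: (direction, proto, port_from, port_to, cidr).
# Outbound deliberately covers only port 443, so replies to clients are NOT
# matched by a rule; they pass only because the group is stateful.
SG_RULES = [
    ("in", "tcp", 443, 443, "0.0.0.0/0"),
    ("out", "tcp", 443, 443, "0.0.0.0/0"),
]

# NACL rules: (rule_no, direction, proto, port_from, port_to, cidr, action),
# evaluated in rule-number order, first match wins, implicit '*' rule denies.
NACL_MISSING_EPHEMERAL = [
    (100, "in", "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
NACL_CORRECT = [
    (100, "in", "tcp", 443, 443, "0.0.0.0/0", "allow"),
    (100, "out", "tcp", 1024, 65535, "0.0.0.0/0", "allow"),  # replies to client ephemeral ports
]


def _matches(proto, lo, hi, cidr, pkt, direction):
    """Rules name the remote peer's CIDR and the packet's destination port."""
    peer = pkt.dst_ip if direction == "out" else pkt.src_ip
    return (pkt.proto == proto and lo <= pkt.dst_port <= hi
            and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr))


class SecurityGroup:
    """Stateful: once a flow is permitted, its return traffic is permitted automatically."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()

    def permits(self, pkt, direction):
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.flows:
            return True  # return traffic of a tracked flow
        for d, proto, lo, hi, cidr in self.rules:
            if d == direction and _matches(proto, lo, hi, cidr, pkt, direction):
                self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
                return True
        return False  # no allow rule matched: implicit deny


def nacl_permits(rules, pkt, direction):
    """Stateless: every packet, replies included, is checked against the numbered rules."""
    for _no, d, proto, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if d == direction and _matches(proto, lo, hi, cidr, pkt, direction):
            return action == "allow"
    return False  # the implicit '*' rule denies everything not matched above


def https_roundtrip(nacl_rules):
    """Client request enters via NACL then SG; the server's reply leaves via SG then NACL.
    Returns (request_allowed, reply_allowed)."""
    sg = SecurityGroup(SG_RULES)
    request = Packet(CLIENT_IP, 51515, SERVER_IP, 443)
    reply = Packet(SERVER_IP, 443, CLIENT_IP, 51515)
    request_ok = nacl_permits(nacl_rules, request, "in") and sg.permits(request, "in")
    reply_ok = sg.permits(reply, "out") and nacl_permits(nacl_rules, reply, "out")
    return request_ok, reply_ok


if __name__ == "__main__":
    print("NACL without ephemeral outbound rule:", https_roundtrip(NACL_MISSING_EPHEMERAL))
    print("NACL with ephemeral outbound rule:   ", https_roundtrip(NACL_CORRECT))
```

With the first NACL the request is admitted but the reply is dropped on the way out, which is the classic symptom of a NACL that forgot ephemeral ports: connections time out even though the security group looks right. The security group never needed an outbound rule for the reply because it tracks the flow.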
Internet Gateway vs Network Address Translation
An Internet Gateway (IGW) and a Network Address Translation (NAT) device (either a NAT Gateway or NAT Instance) in AWS serve different purposes and have distinct characteristics. Here’s a comparison:
Internet Gateway (IGW)
Purpose: Provides a direct connection between your VPC and the internet. Allows instances with public IP addresses to access the internet and be accessed from the internet.
Functionality: Supports both inbound and outbound traffic. Requires instances to have public IP addresses to communicate with the internet.
Routing: You add a route in the route table directing internet-bound traffic (0.0.0.0/0) to the IGW.
Use Case: Typically used for instances that need to be publicly accessible, such as web servers.
Cost: There is no additional cost for using an IGW.
NAT Gateway/Instance
Purpose: Allows instances in a private subnet to initiate outbound connections to the internet while preventing the internet from initiating connections to those instances. Ensures instances in private subnets remain private (not directly accessible from the internet).
Functionality: Only supports outbound traffic initiated from within the VPC. Translates private IP addresses to public IP addresses for outbound traffic and vice versa for inbound responses.
Routing: You add a route in the route table directing internet-bound traffic from private subnets to the NAT device.
Use Case: Used for instances that need to access the internet for updates, patches, or accessing external services without being exposed to incoming traffic from the internet. Commonly used for backend servers, databases, and instances that do not need to receive inbound connections from the internet.
Types and Cost:
NAT Gateway: Managed service, highly available, and scales automatically. It incurs an additional cost based on usage.
NAT Instance: Manually configured EC2 instance acting as a NAT. Requires management (e.g., scaling, failover) and incurs EC2 instance costs.
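The NAT behaviour described above (outbound connections translated to a public address, unsolicited inbound connections refused) comes from the NAT device's translation table. The following added example, not code from the original page or an AWS implementation, is a minimal model of that table: outbound flows create entries, and an inbound packet is forwarded only when it matches an entry created from inside. Addresses are constructed from the RFC 5737 documentation ranges, and the port allocation strategy is a simplification.

```python
import itertools

# Constructed addresses (assumption): a private instance, the NAT gateway's public
# IP, an internet service, and an unrelated internet sender.
PRIVATE_HOST = "10.0.2.15"
NAT_PUBLIC_IP = "198.51.100.1"
INTERNET_HOST = "203.0.113.10"


class NatGateway:
    """Source NAT with a translation table keyed by the allocated public port."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        # public_port -> (private_ip, private_port, remote_ip, remote_port)
        self.table = {}
        self._ports = itertools.count(1024)  # simplification: sequential allocation

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the private subnet; return the new (src_ip, src_port)."""
        for pub_port, entry in self.table.items():
            if entry == (src_ip, src_port, dst_ip, dst_port):
                return self.public_ip, pub_port  # existing flow keeps its mapping
        pub_port = next(self._ports)
        self.table[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return self.public_ip, pub_port

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Handle a packet arriving from the internet; return the private
        (ip, port) to forward to, or None when the packet is dropped."""
        if dst_ip != self.public_ip:
            return None
        entry = self.table.get(dst_port)
        if entry is None:
            return None  # no flow was initiated from inside: unsolicited, dropped
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            return None  # mapping exists but belongs to a different remote peer
        return priv_ip, priv_port


def demo():
    """One outbound HTTPS flow, its reply, and an unsolicited inbound attempt."""
    nat = NatGateway(NAT_PUBLIC_IP)
    translated = nat.outbound(PRIVATE_HOST, 40000, INTERNET_HOST, 443)
    reply = nat.inbound(INTERNET_HOST, 443, translated[0], translated[1])
    unsolicited = nat.inbound("203.0.113.99", 55555, NAT_PUBLIC_IP, 22)
    return translated, reply, unsolicited


if __name__ == "__main__":
    translated, reply, unsolicited = demo()
    print("outbound translated to:", translated)
    print("reply forwarded to:", reply)
    print("unsolicited inbound:", unsolicited)
```

The reply to the instance's own request is forwarded back to 10.0.2.15, while the inbound attempt on port 22 is dropped because nothing inside the subnet created a mapping for it. This is the mechanism behind the "blocks inbound traffic" line in the summary; it is not a firewall rule but the absence of a translation entry, which is why a NAT device complements rather than replaces security groups and NACLs.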
Summary
Internet Gateway: Direct connection to the internet, supports inbound and outbound traffic, requires public IPs, no additional cost, used for publicly accessible instances.
NAT Gateway/Instance: Allows outbound internet access from private subnets, blocks inbound traffic, translates private IPs to public IPs, incurs additional cost, used for instances that should remain private but need internet access.