Scenario
When I first came to AWS I was overwhelmed: there are 200+ services, so which one should you learn first? Networking is the most challenging but also the most crucial part. Anyone can create an EC2 instance. Anyone can create an RDS database. But connecting everything properly is where real cloud engineering begins.
If your networking foundations are strong (subnets, routing, NAT, security groups, NACLs, DNS), you can troubleshoot almost any cloud issue. And trust me, networking problems are behind most outages.
By the end of this article, you'll:
✅ Understand what a VPC, a NACL and a security group are, and how to manage access to AWS resources with them.
✅ Know how network traffic flows into and out of AWS resources, and how to control it.
✅ Have the networking fundamentals you need to dive deeper into other AWS services.
Quick Theory
Amazon Virtual Private Cloud (VPC):
- A VPC is a logically isolated portion of the AWS cloud within a region.
- Subnets are created within Availability Zones (AZs); each subnet lives in exactly one AZ.
- You launch EC2 instances into the subnets of your VPC.
- The VPC router handles routing inside the VPC and out to other networks. You never see the router itself in AWS; what you see and configure is the route table.
- A route table is how you configure the VPC router. Every route table contains a local route for the VPC CIDR that cannot be removed, so subnets inside a VPC can always reach each other.
- An Internet Gateway (IGW) is attached to a VPC and used to connect to the internet. Traffic flows in two directions:
- Sending data out to the internet (egress traffic).
- Receiving data from the internet (ingress traffic).
Note: Attaching the IGW is not enough on its own. The subnet's route table needs a route for 0.0.0.0/0 (the default route) with the Internet Gateway as its target. The router uses longest-prefix match, so any destination that does not match a more specific route (such as the VPC's local route) falls through to the default route and is sent to the IGW. A subnet whose route table has such a route is what AWS calls a public subnet; an instance in it also needs a public or Elastic IP to actually be reachable.
- You can create multiple VPCs in a region, and each VPC has its own CIDR block. That is the overall block of addresses from which you carve the ranges you assign to your subnets, so think of it as a master block of addresses.
Amazon VPC Components
Amazon VPC Core Knowledge
- A virtual private cloud (VPC) is a virtual network dedicated to your AWS account.
- It is similar to having your own data center inside AWS.
- It is logically isolated from other virtual networks in the AWS Cloud.
- It gives you complete control over the virtual networking environment, including selection of IP ranges, creation of subnets, and configuration of route tables and gateways.
- You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.
- When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block, for example 10.0.0.0/16. The allowed size is between /16 and /28, and you cannot resize the primary CIDR after creation (you can only add secondary CIDRs), so plan it up front and make sure it does not overlap with on-premises ranges or other VPCs you may later peer with.
- A VPC spans all the Availability Zones in the region.
- You have full control over who has access to the AWS resources inside your VPC.
- By default you can create up to 5 VPCs per region (a soft quota that can be raised).
- A default VPC is created in each region with a subnet in each AZ. These subnets are always public: their route table has a 0.0.0.0/0 route to an Internet Gateway and instances launched there get a public IPv4 address by default, so do not put internal workloads in the default VPC.
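Planning the CIDR block is the step most people get wrong because it cannot be undone. The following script, added here as an example (it is not code from the original article or from AWS), carves a /16 into one public and one private /24 per AZ, checks that nothing overlaps or falls outside the VPC, and counts usable hosts after the five addresses AWS reserves in every subnet. The VPC block, AZ names and subnet size are assumptions chosen for illustration.

```python
"""Carve a VPC CIDR into per-AZ public and private subnets and sanity-check the plan.

Added example (not from the original article): uses only the standard library, so it
runs offline. The /16 VPC block, AZ names and /24 subnet size are assumptions.
"""
import ipaddress

# AWS reserves the first four and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, azs, tiers=("public", "private"), prefixlen=24):
    """Return a list of (az, tier, network) carved from vpc_cidr.

    The VPC block is split into equal /prefixlen subnets and handed out in
    order, one per (AZ, tier) pair. Raises ValueError if the VPC block is an
    illegal size for AWS or too small to hold the requested subnets.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError("AWS VPC CIDR must be between /16 and /28")
    pool = vpc.subnets(new_prefix=prefixlen)
    plan = []
    for az in azs:
        for tier in tiers:
            try:
                plan.append((az, tier, next(pool)))
            except StopIteration:
                raise ValueError(f"{vpc_cidr} cannot hold a /{prefixlen} for {tier}/{az}")
    return plan


def usable_hosts(network):
    """Number of addresses you can actually assign to ENIs in an AWS subnet."""
    return network.num_addresses - AWS_RESERVED_PER_SUBNET


def check_plan(vpc_cidr, plan):
    """Verify every subnet sits inside the VPC block and no two subnets overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [n for _, _, n in plan]
    for n in nets:
        if not n.subnet_of(vpc):
            raise ValueError(f"{n} is outside {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


if __name__ == "__main__":
    vpc_cidr = "10.0.0.0/16"                      # assumed VPC block
    azs = ["ap-southeast-1a", "ap-southeast-1b"]  # assumed AZs
    plan = plan_subnets(vpc_cidr, azs)
    check_plan(vpc_cidr, plan)
    for az, tier, net in plan:
        print(f"{az:16} {tier:8} {net}  usable hosts: {usable_hosts(net)}")
```

A /24 gives 251 usable addresses, not 254 as on a normal LAN; size private subnets for the maximum scale of the services in them, because the subnet CIDR cannot be changed later either.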
NOTE: The diagram below shows the flow in my VPC, which I divided into a public subnet and a private subnet. The public subnet is for services that connect directly to the internet via the Internet Gateway. The private subnet is for internal services such as databases, application servers and file servers that must not be reachable from the internet. When those internal services need to reach the outside network (package updates, calls to external APIs), they go through a NAT gateway that sits in the public subnet. The NAT gateway is not free: it costs about $0.045 per hour (the exact rate varies by region) plus a per-GB data processing charge, and public IPv4 addresses and internet data transfer out incur extra charges on top of that.
- First, allocate an Elastic IP address (EIP).
- Create the NAT gateway in the public subnet and attach the EIP to it. The NAT gateway's own subnet must route to the Internet Gateway, otherwise it has no way out itself.
- Open the route table associated with the private subnet.
- Add a route for 0.0.0.0/0 with the NAT gateway as the target, so traffic from the private subnet knows where to go to reach the internet. Private subnets must not have a route to the Internet Gateway.
- After all the setup is completed:
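To make the routing decisions in the Quick Theory note and in the NAT setup above concrete, here is a small simulation of the VPC router, added as an example (it is not code from the original article or from AWS). It models the public, private and a fully isolated route table, applies longest-prefix match the way the router does, and shows why a NAT gateway placed in a private subnet cannot work. The resource IDs, CIDRs and table names are made up for illustration.

```python
"""Simulate how the VPC router picks a target for a packet (longest-prefix match).

Added example (not from the original article or AWS): models the route tables of
the public/private subnet design. Route table names, the VPC CIDR and the
igw-/nat- resource IDs are assumptions.
"""
import ipaddress

# Constructed route tables. Every VPC route table carries the "local" route for
# the VPC CIDR; it is implicit in AWS and cannot be deleted.
VPC_CIDR = "10.0.0.0/16"
ROUTE_TABLES = {
    "rtb-public": {
        VPC_CIDR: "local",
        "0.0.0.0/0": "igw-0abc123",   # default route -> Internet Gateway (assumed id)
    },
    "rtb-private": {
        VPC_CIDR: "local",
        "0.0.0.0/0": "nat-0def456",   # default route -> NAT gateway (assumed id)
    },
    "rtb-isolated": {
        VPC_CIDR: "local",            # no default route at all
    },
}


def lookup(route_table, dst_ip):
    """Return the target for dst_ip, or None if no route matches (packet dropped).

    The VPC router picks the most specific matching prefix, so 10.0.5.9 hits
    the /16 local route even though 0.0.0.0/0 also matches it.
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    return best[1] if best else None


def trace(subnet_rtb, dst_ip):
    """Describe the hop an instance in a subnet using subnet_rtb takes toward dst_ip."""
    target = lookup(ROUTE_TABLES[subnet_rtb], dst_ip)
    if target is None:
        return "dropped: no route"
    if target == "local":
        return "delivered inside the VPC"
    if target.startswith("igw-"):
        return f"sent to the internet via {target} (needs a public/Elastic IP)"
    if target.startswith("nat-"):
        return f"sent to {target}, which then follows its own subnet's route table"
    return f"forwarded to {target}"


def nat_gateway_is_reachable(nat_subnet_rtb):
    """A NAT gateway only works if its own subnet's route table reaches an IGW.

    1.1.1.1 stands in for any internet destination.
    """
    target = lookup(ROUTE_TABLES[nat_subnet_rtb], "1.1.1.1") or ""
    return target.startswith("igw-")


if __name__ == "__main__":
    for rtb in ROUTE_TABLES:
        for dst in ("10.0.5.9", "1.1.1.1"):
            print(f"{rtb:13} -> {dst:9}: {trace(rtb, dst)}")
    print("NAT in public subnet works: ", nat_gateway_is_reachable("rtb-public"))
    print("NAT in private subnet works:", nat_gateway_is_reachable("rtb-private"))
```

The isolated table is what you want for a database subnet that should never talk to the internet at all: with no default route, even a compromised instance has nowhere to send data, which is a cheaper and stronger control than relying on security group egress rules alone.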
Security Group and Network ACLs
Network ACLs (NACLs):
- NACLs apply at the subnet level.
- NACLs apply only to traffic entering or leaving the subnet; traffic between two instances in the same subnet never passes through a NACL.
Security groups:
- Security groups apply at the instance level (more precisely, to the elastic network interface).
- A security group can be applied to instances in any subnet of the VPC it belongs to.
Stateful vs Stateless Firewalls
NACLs - Stateless
Security Group - Stateful
A stateful firewall tracks connections and allows the return traffic automatically: if an inbound rule allows port 443 to a web server, the responses back to the client's ephemeral port are allowed without any outbound rule.
A stateless firewall checks for an allow rule in both directions, so with a NACL you must also allow the return traffic explicitly. In practice that means an outbound rule for the ephemeral port range (1024-65535) in addition to the inbound rule for 443. Forgetting this is the classic "the security group is open but it still doesn't connect" problem.
Security groups support allow rules only; anything not explicitly allowed is dropped.
A source can be an IP address (CIDR block) or another security group ID. Referencing a security group ID lets you say "only the web tier may talk to the database tier" without hard-coding IPs.
NACLs have explicit deny rules. Rules are evaluated in order from the lowest rule number, the first match wins, and a final catch-all rule denies everything else. Use NACLs to block known-bad CIDRs at the subnet edge and security groups for the fine-grained allow list.
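The difference between the two firewalls is easiest to see by running a single HTTPS round trip through both. The simulation below is an added example, not code from the original article or AWS: it evaluates NACL rules in number order with explicit deny and a catch-all deny, and models a security group as allow-only with a connection-tracking table. The rule sets, client address and port are constructed for illustration.

```python
"""Stateful security group vs stateless NACL as a small packet-filter simulation.

Added example (not from the original article or AWS). NACL rules are checked
lowest number first with explicit deny and an implicit final deny; the security
group is allow-only and tracks connections so replies are allowed automatically.
The rule sets and the sample client flow are constructed for illustration.
"""
import ipaddress

EPHEMERAL = (1024, 65535)  # return-traffic port range a NACL has to allow explicitly


def _matches(cidr, ip, lo, hi, port):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr) and lo <= port <= hi


class NetworkAcl:
    """Stateless: every packet, in both directions, must match an allow rule."""

    def __init__(self, inbound, outbound):
        # Rules are (number, cidr, (from_port, to_port), "allow" | "deny").
        self.inbound = sorted(inbound)
        self.outbound = sorted(outbound)

    def allows(self, direction, ip, port):
        rules = self.inbound if direction == "in" else self.outbound
        for _num, cidr, (lo, hi), action in rules:
            if _matches(cidr, ip, lo, hi, port):
                return action == "allow"  # first matching rule wins
        return False  # the implicit '*' rule denies


class SecurityGroup:
    """Stateful: allow rules only; replies to an allowed flow are always allowed."""

    def __init__(self, inbound, outbound):
        # Rules are (cidr, (from_port, to_port)); there is no way to express deny.
        self.inbound = inbound
        self.outbound = outbound
        self.conntrack = set()  # (peer_ip, peer_port, local_port) of allowed flows

    def allows(self, direction, peer_ip, peer_port, local_port):
        if (peer_ip, peer_port, local_port) in self.conntrack:
            return True  # return traffic of a tracked connection
        rules = self.inbound if direction == "in" else self.outbound
        # Inbound rules match the local port; outbound rules match the peer's port.
        port = local_port if direction == "in" else peer_port
        for cidr, (lo, hi) in rules:
            if _matches(cidr, peer_ip, lo, hi, port):
                self.conntrack.add((peer_ip, peer_port, local_port))
                return True
        return False


def https_round_trip(nacl, sg, client_ip="203.0.113.10", client_port=51515):
    """Client -> web server on 443, then the server's reply. Returns (request_ok, reply_ok).

    A packet has to pass the subnet NACL and then the instance security group.
    """
    request = nacl.allows("in", client_ip, 443) and sg.allows("in", client_ip, client_port, 443)
    reply = nacl.allows("out", client_ip, client_port) and sg.allows("out", client_ip, client_port, 443)
    return request, reply


if __name__ == "__main__":
    web_sg = lambda: SecurityGroup([("0.0.0.0/0", (443, 443))], outbound=[])
    only_443 = NetworkAcl([(100, "0.0.0.0/0", (443, 443), "allow")], [])
    with_ephemeral = NetworkAcl([(100, "0.0.0.0/0", (443, 443), "allow")],
                                [(100, "0.0.0.0/0", EPHEMERAL, "allow")])
    blocklist = NetworkAcl([(50, "203.0.113.0/24", (0, 65535), "deny"),
                            (100, "0.0.0.0/0", (443, 443), "allow")],
                           [(100, "0.0.0.0/0", EPHEMERAL, "allow")])
    print("NACL inbound 443 only:          ", https_round_trip(only_443, web_sg()))
    print("NACL + outbound ephemeral ports:", https_round_trip(with_ephemeral, web_sg()))
    print("NACL explicit deny for client:  ", https_round_trip(blocklist, web_sg()))
```

In the first case the request arrives but the reply is silently dropped by the NACL, which is exactly the symptom of a missing ephemeral-port rule; the security group, with no outbound rule at all, still lets the reply out because of its connection table.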