Sachin Kapale

Sachin Kapale

3 comments on All About AWS VPC

All About AWS VPC

After making my hands dirty on AWS from last 6 years, I thought now I am ready to write on AWS VPC & it should share my learning with everyone. I generally don’t write something on hands on but this write up is little different as compared to all my previous article.

Today we will talk about VPC & all the related associated components to VPC.

What is a VPC (Virtual Private Cloud) ?

This is private virtual network with AWS resources associated with your AWS account & similar to your data center network but with capabilities to scale AWS infrastructure.

You can also say VPC as your own virtual logical data center in AWS.

AWS VPC consists of below things,

    1. Subnets
    2. Internet Gateway
    3. Routing Table
    4. NAT Gateways & NAT Instances
    5. VPC Endpoint

Subnets are the range of IPs in a VPC. Subnets can not span across availability zone, while VPCs can.

  • 10.0.0.0 – 10.255.255.255 (10/8 prefix)
  • 172.16.0.0 – 172.31.255.255 (172.16/12 prefix)
  • 192.168.0.0 – 192.168.255.255 (192.168/16 prefix)

Subnets can be public as well as private. When subnets are created we need to make sure they are without any overlapping IP addresses. You also need to be aware of CIDR block allocations. You can take numerous websites help for calculating number of IP address allocations in each CIDR block.

http://www.subnet-calculator.com/cidr.php

As you can see in below screenshot I have created one VPC in my account with CIDR block 10.0.0.0/16, which gives addresses close to 65,536.

VPC Creation
VPC Creation

I have broken down this VPC into two subnets with each CIDR block allocation as shown in below screenshot & each has maximum IP addresses available are 256. In AWS for our actual use AWS gives 251 IP addresses because Amazon keeps  5  IP addresses for their internal use.

Avilable IPv4
Subnet CIDR Block assignment

 

By Default subnets are marked as private.When any VPC is created Main routing table ,Network ACL & Security group is created with default values. We can make it public by enabling auto assign public IP addresses to the resources, so that these can be accessed from outside. In below screenshot you can see I have made one of the subnet as public subnet.

 

Auto Assign Public IP
Enable auto-assign public IPv4
Marked as public Subnet
Making Subnet Public

 

Internet Gateway

We have created subnet public but we haven’t given an access to external world & we can give that by adding internet gateway.

Internet gateway can be created and attached to only one VPC at a time. In multiple availability zone you should create multiple internet gateways. This is avoid any impact to your internet facing applications or resources. You are disconnected from internet if your internet gateway stops working. Amazon promises to be highly available.

In our exercise I have created one gateway & attached it to our VPC as shown in below diagram.

Gateway Attached
Gateway Creation & Association

 

Routing Table

When we create VPC with two subnets we get Main routing table which has entries related to both subnets, it also has entries related to how subnets can talk to each other. Now we have internet gateway but we need to give our subnet a way to internet gateway, this we can give by adding below entries into routing table as shown in below diagram, but one thing to take care is we don’t want to expose both the subnets to external world, so we will not add entries to internet gateway in main routing table. We create another routing table & associate public subnet with a routing table with internet gateway entries. As shown in below diagrams,

Routing Table entries & association
Subnet Association with Routing Table
Routing Table Entries only
Adding entries to Internet Gateway

Now we have successfully created a a VPC with two subnets with one of them is public & other one is private. By default the two subnets can not talk to each other till we make changes at the security group level & apply those security groups to the resources like EC2.

Let us extend this exercise further where we want private subnet resources like EC2 to have access to internet for downloading patches from internet & at the same time we want to make sure our entire subnet is not public.

NAT(Network Address Translation) Gateway or NAT(Network Address Translation) Instances

As the name suggests NAT Instance is nothing but EC2 instance which provide access to resource in private subnet to internet gateway & NAT gateway is the offering of AWS, which is again highly available.

NAT Instance

These are EC2 instance which acts as a gateway in between incoming & outgoing traffic.These need to be created under public subnet.  The entries related to NAT instance must be added into routing table & these entries must be added in main routing table,so that private subnet have route to internet gateway. As you can see in below diagram I have created an EC2 instance from an available NAT AMI  & following diagram I have disabled Source & Destination check to act this instance in the capacity of Gateway.

NAT Instance
NAT EC2 Instance from an AMI

 

Disable Source Destination Check
Disable Source/Destination Check

 

NAT Gateway

NAT gateway is AWS offering & it is much efficient with high availability in an availability zone.  It is not associated with any security group like NAT instance. Enterprises prefer NAT gateway as there is no maintenance issues. All you need to do is add an entry in main routing table. We also need not to worry about security group configuration. NAT Gateway needs to be created in public subnet. As shown in below diagram.

NAT Gateway Creation
NAT Gateway

 

Network ACL(Access Control List)

It is an additional level of security for VPC & it acts as firewall for controlling in or out traffic.It comes by default with VPC & by default it allows all the incoming as well as outgoing traffic. You can create custom NACLs & they are by default created with all the traffic denied. It takes precedence over security group. The number ordering takes precedence in execution of NACL rules, in below diagram, if I add DENY rule with 99 number, it will be executed first . Any number of subnets can be associated with one NACL but one Subnet is associated with only one NACL.  As you can see in below diagram default VPC, I can modify it to limit some traffic & if I want to make that effective I need to add an entry with Rule# less than 100.

NACL Rules
NACL Rules

NACL rules are different from security groups & Outbound Rules entries need to be managed separately than Inbound Rule. In case of security group if you are adding an inbound rule by default outbound rule is enabled.

VPC Gateways

Suppose you want to use some of the AWS services from your VPC through a private reliable network & you don’t want your traffic to be leaving the AWS network. VPC Gateway is the way to access it. Generally direct connect & NAT gateway are the alternatives. Directconnect is a again private link setup in between your network & AWS network.

There are two types of VPC gateways

Interface Endpoints: There are lot of services can be accessed from interface endpoints. It’s huge list & can be accessed from AWS documentation.

Gateway Endpoints: Support S3 & Dyanamo DB.

As you can see S3 endpoint creation is below & it adds those entries into routing table. You should add those entries in main routing table where all the subnets have access to it.

VPC Endpoint Creation

We should be able to execute all the s3 commands without going outside AWS network & privately.

So I hope you have enjoyed all the concepts related to VPC & this will certainly help you in future for understanding VPC and related components. It is one time activity mostly but understanding about it is very much important. I am keeping direct connect, transit gateway & bastion hosts for another article till then stay tuned.

Posted by:

Sachin Kapale

Senior technology leader offering 20 years of experience concentrating on Business Transformation, including the past five years on architecting, and migrating applications for AWS Global Cloud Infrastructure. Performed cloud infrastructure optimization to reduce costs by 15%. Demonstrated ability to lead the architectural design of small or large enterprise multi-platform environments in both on-premises data centers and the Cloud. Experience in leveraging cost-effective, cutting-edge solutions. Savvy strategist who positions teams and roadmaps to successfully execute initiatives, anticipating and translating business needs into robust solutions and tools and driving adoption. Known for building a culture of commitment, accountability, and shared success across teams of up to 400 geographically dispersed members. He has certifications in TOGAF,AWS,Azure, Oracle,JAVA,Websphere, UDB, HP area. He currently plays multiple roles in Architectural space. He works with senior management to establish strategic plans and objectives, document technical strategies to facilitate operational business needs , Assess systems requirements and design against best practices, technology advances, industry standards, and business needs. Provides direction on implementing feasible, cost-effective solutions to the overall system architecture and design to meet these needs Also Sachin works closely with Health Services Operations management and staff, Operations Systems’ technical engineers, and process engineers to provide guidance and ensure adequate design for meeting Health Services’ business objectives and strategy & Serve as the key technical point of contact in developing the technical solutions in response to Request for Proposals, Change Requests, and business needs. Sachin also review federal, state, and company policies to determine applicability to systems functionality, design, and operation.He also develop strategies to fulfill requirements and assess effectiveness of implementation. He also collaborate and coordinate with appropriate internal and external groups to ensure the confidentiality and security of all corporate information His expertise is in designing micro services based architecture on cloud based as well as containerized environments. Working as success serving as key point of contact for design of complex information technology solutions. He has technical papers presentations on Web 2.0. He can perform comfortably in a fast-paced, deadline oriented environment Perform quantitative and qualitative analyses of existing business processes based on in-depth industry knowledge of organizational and client objectives His current passion is Cloud based architecture, Artificial Intelligence ,machine learning in healthcare call center business and in back office area.

3 responses to “All About AWS VPC”

  1. 10 Things To Do In AWS Account Before You Use It – Sachin Kapale Avatar
    10 Things To Do In AWS Account Before You Use It – Sachin Kapale

    […] All About AWS VPC […]

    Like

    Reply
  2. Celeste Kroninger Avatar
    Celeste Kroninger

    It’s difficult to find experienced people in this particular subject, but you sound like you know what you’re talking about! Thanks

    Like

    Reply
  3. Hairstyles Avatar
    Hairstyles

    There may be noticeably a bundle to learn about this. I assume you made sure nice points in options also.

    Like

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

Website Powered by WordPress.com.

%d bloggers like this: