VPC Components
A VPC is a virtual data center that you build in the AWS cloud by interconnecting several networking components. An Amazon VPC consists of the following components:
- Subnets
- Route tables
- Dynamic Host Configuration Protocol (DHCP) option sets
- Security groups
- Network Access Control Lists (ACLs)
- Internet Gateways (IGWs)
- Elastic IP (EIP) addresses
- Elastic Network Interfaces (ENIs)
- VPC Endpoints
- VPC Peering
- Transit Gateway
- Network Address Translation (NAT) instances and NAT gateways
- Virtual Private Gateways (VGWs)
- Customer Gateways (CGWs)
Subnets:
A subnet is a segment of the VPC's CIDR range into which EC2 instances and other resources are deployed.
- The CIDR block you choose for a subnet must fall inside the VPC's CIDR range, and subnets within the same VPC must not overlap.
- A subnet cannot span multiple Availability Zones; each subnet belongs to exactly one Availability Zone.
- In every subnet AWS reserves five IP addresses: the first four (network address, VPC router, DNS resolver, and one reserved for future use) and the last one (the network broadcast address, which VPCs do not support). The remaining addresses can be assigned to the resources deployed into that subnet.
Whether a subnet is public or private is decided by its routing:
- A public subnet is associated with a route table that has a route sending Internet-bound traffic to an Internet Gateway.
- A private subnet is associated with a route table that has no route to an Internet Gateway; it carries only the local route for traffic within the VPC and, optionally, a route to a NAT gateway for outbound-only Internet access.
- AWS provides a default VPC in each region, with a default public subnet in each Availability Zone associated with that default VPC.
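The subnet rules above (containment in the VPC range, no overlap, five reserved addresses) are easy to get wrong when planning address space by hand. The following is an added example, not code from the original page: it uses Python's standard ipaddress module to validate a subnet against a constructed VPC range, list the five reserved addresses, count what is left, and flag overlapping subnets. The VPC and subnet CIDRs are made-up sample values.

```python
import ipaddress

# Constructed sample VPC (not from the page): a /16 carved into subnets.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/28"]


def subnet_plan(vpc_cidr, subnet_cidr):
    """Validate a subnet against its VPC and list the addresses AWS reserves.

    AWS reserves five addresses in every IPv4 subnet: the first four
    (network address, VPC router, DNS resolver, future use) and the last
    one (broadcast, which a VPC does not support). Everything in between
    can be assigned to instances and other resources.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    if not subnet.subnet_of(vpc):
        raise ValueError(f"{subnet} does not fall inside VPC {vpc}")
    if not 16 <= subnet.prefixlen <= 28:
        # IPv4 VPC subnets must be between /16 and /28.
        raise ValueError(f"{subnet}: prefix length must be between /16 and /28")
    addrs = list(subnet)  # every address, including network and broadcast
    reserved = {
        "network": addrs[0],
        "vpc_router": addrs[1],
        "dns_resolver": addrs[2],
        "future_use": addrs[3],
        "broadcast": addrs[-1],
    }
    usable = addrs[4:-1]
    return {
        "subnet": str(subnet),
        "reserved": {name: str(ip) for name, ip in reserved.items()},
        "first_usable": str(usable[0]),
        "last_usable": str(usable[-1]),
        "usable_count": len(usable),
    }


def overlapping_subnets(cidrs):
    """Return pairs of subnets that overlap; AWS rejects overlapping subnets in one VPC."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]


if __name__ == "__main__":
    for cidr in SUBNETS:
        plan = subnet_plan(VPC_CIDR, cidr)
        print(f"{plan['subnet']}: {plan['usable_count']} usable "
              f"({plan['first_usable']} - {plan['last_usable']}), "
              f"reserved {plan['reserved']}")
    print("overlaps:", overlapping_subnets(SUBNETS + ["10.0.1.128/25"]))
```

Note that a /28 subnet leaves only 11 assignable addresses, not 14 as a generic subnet calculator would report; small subnets for NAT gateways, load balancers or endpoints should be sized with the five reserved addresses in mind.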
Route Table:
In AWS a route table is a logical construct within the VPC that contains a set of routes.
- Each route pairs a destination CIDR with a target, and together the routes decide where network traffic from the associated subnets is directed. When more than one route covers a destination, the most specific route (longest prefix match) wins.
- You can edit a route table to add, change, or remove routes.
- The route table is what determines whether a subnet is public-facing or private.
- Every route table contains a local route covering the VPC CIDR range (target "local") that cannot be removed; it ensures that all resources within the VPC can reach each other over private IPs through the VPC's implicit router.
- You can add routes whose target is an Internet Gateway, a NAT gateway, a VPC peering connection, a Transit Gateway, a Virtual Private Gateway, and so on.
- Each VPC has an implicit router created by default; the "local" route target refers to it.
- Your VPC automatically comes with a main route table that you can modify.
- Each subnet must be associated with a route table, which controls the routing for the subnet. If you do not explicitly associate a subnet with a particular route table, the subnet uses the main route table.
- You can replace the main route table with a custom table that you have created so that each new subnet is automatically associated with it. Keep the main route table free of Internet Gateway routes: a default route to an IGW in the main table silently makes every subnet without an explicit association public.
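To make the routing rules above concrete, here is an added example (not code from the original page) that models VPC route lookup in Python: longest-prefix-match resolution of a destination against a route table, the fallback from a subnet to the main route table when it has no explicit association, and an audit that classifies subnets as public or private from their routes. The route tables, subnet IDs and igw-/nat-/pcx- identifiers are constructed sample data in the AWS naming style, not real resources.

```python
import ipaddress

# Constructed sample route tables (not from the page). Targets follow the
# AWS naming style: "local" for the VPC's implicit router, igw-/nat-/pcx-
# IDs for an Internet Gateway, a NAT gateway and a peering connection.
ROUTE_TABLES = {
    "rtb-main": [("10.0.0.0/16", "local")],
    "rtb-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0a1b2c3d")],
    "rtb-private": [
        ("10.0.0.0/16", "local"),
        ("172.16.0.0/12", "pcx-0123abcd"),
        ("0.0.0.0/0", "nat-0e9f8a7b"),
    ],
}
# Explicit subnet associations; anything missing falls back to the main table.
ASSOCIATIONS = {"subnet-web": "rtb-public", "subnet-app": "rtb-private"}
MAIN_ROUTE_TABLE = "rtb-main"


def route_table_for(subnet_id, main=MAIN_ROUTE_TABLE):
    """Which route table governs a subnet: its explicit association, else main."""
    return ASSOCIATIONS.get(subnet_id, main)


def resolve(routes, dst_ip):
    """Longest-prefix match: the most specific route wins, whatever its order
    in the table. Returns the target, or None when no route covers the
    destination (the packet is dropped)."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr, strict=True)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify(routes):
    """Public if the default route (0.0.0.0/0) targets an Internet Gateway,
    private otherwise; report whether a NAT gateway provides egress."""
    default = next((t for c, t in routes if ipaddress.ip_network(c).prefixlen == 0), None)
    if default is None:
        return "private (no Internet route)"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private (egress via NAT gateway)"
    return f"private (default route via {default})"


def audit_public_subnets(subnet_ids, main=MAIN_ROUTE_TABLE):
    """List the subnets that end up public, including any that inherit the
    main route table because nobody associated them explicitly."""
    return [s for s in subnet_ids
            if classify(ROUTE_TABLES[route_table_for(s, main)]) == "public"]


if __name__ == "__main__":
    for rtb, routes in ROUTE_TABLES.items():
        print(rtb, "->", classify(routes),
              "| 172.16.5.5 via", resolve(routes, "172.16.5.5"))
    print("public subnets:", audit_public_subnets(["subnet-web", "subnet-app", "subnet-db"]))
    # Swapping the main table for one with an IGW route drags subnet-db along:
    print("public if main=rtb-public:",
          audit_public_subnets(["subnet-web", "subnet-app", "subnet-db"], main="rtb-public"))
```

The last two calls show the point made about the main route table: subnet-db has no explicit association, so whether it is public depends entirely on which table is designated as main.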
Internet Gateway:
An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available Amazon VPC component that allows communication between instances in your Amazon VPC and the Internet.
- An IGW provides a target in your Amazon VPC route tables for Internet-routable traffic, and it performs network address translation for instances that have been assigned public IP addresses.
- Amazon EC2 instances within an Amazon VPC are only aware of their private IP addresses. When traffic is sent from the instance to the Internet, the IGW translates the source address to the instance's public IP address (or EIP address) and maintains a one-to-one mapping between the instance's private IP address and its public IP address.
- When an instance receives traffic from the Internet, the IGW translates the destination address (public IP address) to the instance's private IP address and forwards the traffic into the Amazon VPC.
- An Internet Gateway must be attached to the VPC (a VPC can have only one) before any resource in that VPC can use it to reach the Internet.
- To enable inbound and outbound Internet access you must add a route that sends traffic to the Internet Gateway: create a route in the subnet's route table that sends all non-local traffic (0.0.0.0/0) to the IGW.
- VPC resources that need to reach the Internet through the gateway must have a public IPv4 address (auto-assigned at launch) or an Elastic IP, and their security group and network ACL must allow the traffic.
Security Group:
A security group is a virtual stateful firewall that controls inbound and outbound network traffic at the network interface level for Amazon EC2 instances and other AWS resources.
- All Amazon EC2 instances must be associated with a security group. If a security group is not specified at launch, the instance is launched into the default security group of that Amazon VPC.
- The default security group allows all inbound traffic from resources in the same security group, allows all outbound traffic, and denies all other inbound traffic.
- The number of security groups per VPC, rules per security group, and security groups per network interface are adjustable service quotas. The defaults were historically 500 security groups per VPC and 50 inbound plus 50 outbound rules per group; if you need more rules on an instance, you can associate up to five security groups with each network interface. Check the current VPC quotas before designing around these numbers.
- You can specify allow rules, but not deny rules. This is an important difference between security groups and network ACLs.
- You can specify separate rules for inbound and outbound traffic.
- By default, no inbound traffic is allowed until you add inbound rules to the security group.
- By default, new security groups have an outbound rule that allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only.
- Security groups are stateful - This means that responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules and vice versa. This is an important difference between security groups and network ACLs.
- Instances associated with the same security group cannot talk to each other unless you add a rule allowing it (the default security group is the exception, because it carries a self-referencing allow rule).
- You can change the security groups with which an instance is associated after launch, and the changes will take effect immediately.
Network Access Control List (ACL):
A Network Access Control List (NACL) is an additional layer of security that acts as a stateless firewall at the subnet level.
- A network ACL is a numbered list of rules that AWS evaluates in order, starting with the lowest numbered rule; the first rule that matches the traffic decides whether it is allowed in or out of any subnet associated with the network ACL, and traffic that matches no rule is denied by the implicit final rule (*).
- Every Amazon VPC is created with a modifiable default network ACL that allows all inbound and outbound traffic; each subnet that is not explicitly associated with a custom network ACL uses it.
- When you create a custom network ACL, its initial configuration denies all inbound and outbound traffic until you create rules that allow otherwise.
- You may set up network ACLs with rules like your security groups to add a layer of security to your Amazon VPC, or you may choose to use the default network ACL, which does not filter traffic crossing the subnet boundary. Because a network ACL is stateless, allowing inbound traffic on a port does not allow the replies: you must also allow the outbound ephemeral port range (typically 1024-65535), and likewise allow inbound ephemeral ports for connections your instances initiate.
Security Group Vs. Network ACL:
Security Group
- Operates at the instance level (first layer of defense)
- Supports allow rules only.
- Stateful: Return traffic is automatically allowed, regardless of any rules.
- AWS evaluates all rules before deciding whether to allow traffic.
- Applied selectively to individual instances.
Network ACL
- Operates at the subnet level (second layer of defense)
- Supports allow rules and deny rules.
- Stateless: Return traffic must be explicitly allowed by rules.
- AWS processes rules in number order when deciding whether to allow traffic.
- Automatically applied to all instances in the associated subnets; this is a backup layer of defense, so you do not have to rely on someone specifying the security group.
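The comparison above reads as a table of properties; the following added example (not code from the original page) turns it into executable behaviour. It models a security group (allow-only, every rule considered, connection tracking for replies) and a network ACL (numbered, first match wins, implicit final deny, no state) and runs the same constructed HTTPS request, its reply, and a probe from a blocklisted range through both. The IP addresses, rule numbers and the "web instance" are made up for the scenario.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

    def reverse(self):
        """The reply packet of this flow (addresses and ports swapped)."""
        return Packet(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


def rule_matches(rule, pkt, direction):
    """A rule names a protocol, a destination port range and the remote CIDR
    (the source for inbound rules, the destination for outbound rules)."""
    remote = pkt.src_ip if direction == "in" else pkt.dst_ip
    lo, hi = rule["ports"]
    return (rule["proto"] in ("all", pkt.proto)
            and lo <= pkt.dst_port <= hi
            and ipaddress.ip_address(remote) in ipaddress.ip_network(rule["cidr"]))


class SecurityGroup:
    """Allow-only and stateful: all rules are considered and any match allows;
    the reply to an allowed packet passes without consulting the rules for
    the opposite direction, because the connection is tracked."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.tracked = set()

    def evaluate(self, pkt, direction):
        if pkt.reverse() in self.tracked:
            return "allow (tracked reply)"
        if any(rule_matches(r, pkt, direction) for r in self.rules[direction]):
            self.tracked.add(pkt)
            return "allow"
        return "deny (no matching allow rule)"


class NetworkACL:
    """Numbered and stateless: rules are evaluated in ascending order, the
    first match decides (so a deny can precede an allow), anything unmatched
    hits the implicit final deny (*), and replies are evaluated as fresh packets."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r["num"]),
                      "out": sorted(outbound, key=lambda r: r["num"])}

    def evaluate(self, pkt, direction):
        for r in self.rules[direction]:
            if rule_matches(r, pkt, direction):
                return f"{r['action']} (rule {r['num']})"
        return "deny (rule *)"


def demo():
    """Constructed scenario (not from the page): an HTTPS request from the
    Internet to a web instance at 10.0.1.10, then the instance's reply."""
    https_in = {"proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"}
    sg = SecurityGroup(inbound=[https_in], outbound=[])  # outbound deliberately empty
    nacl_no_ephemeral = NetworkACL(
        inbound=[{"num": 100, "action": "allow", **https_in}],
        outbound=[])  # the common mistake: reply traffic was never allowed
    nacl_correct = NetworkACL(
        inbound=[{"num": 90, "action": "deny", "proto": "all", "ports": (0, 65535),
                  "cidr": "198.51.100.0/24"},  # blocklisted scanner range
                 {"num": 100, "action": "allow", **https_in}],
        outbound=[{"num": 100, "action": "allow", "proto": "tcp",
                   "ports": (1024, 65535), "cidr": "0.0.0.0/0"}])  # ephemeral replies
    request = Packet("203.0.113.10", "10.0.1.10", "tcp", 51000, 443)
    reply = request.reverse()
    scan = Packet("198.51.100.7", "10.0.1.10", "tcp", 40000, 443)
    return {
        "sg_request": sg.evaluate(request, "in"),
        "sg_reply": sg.evaluate(reply, "out"),
        "sg_scan": sg.evaluate(scan, "in"),
        "nacl_bad_request": nacl_no_ephemeral.evaluate(request, "in"),
        "nacl_bad_reply": nacl_no_ephemeral.evaluate(reply, "out"),
        "nacl_good_reply": nacl_correct.evaluate(reply, "out"),
        "nacl_good_scan": nacl_correct.evaluate(scan, "in"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

Two outcomes are worth noticing: the security group passes the reply even though its outbound rule list is empty, while the network ACL without an ephemeral-port rule drops the same reply; and the scanner probe is denied by the network ACL's rule 90 but allowed by the security group, which has no way to express a deny.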
NAT Instances Vs. NAT Gateways:
AWS provides NAT instances and NAT gateways to allow instances deployed in private subnets to gain Internet access. The NAT gateway provides better availability and higher bandwidth, and requires less administrative effort than NAT instances.
By default, any instance that you launch into a private subnet in an Amazon VPC is not able to communicate with the Internet through the IGW. This is problematic if the instances within private subnets need direct access to the Internet from the Amazon VPC to apply security updates, download patches, or update application software.
NAT Instance
A Network Address Translation (NAT) instance is an EC2 instance launched from an Amazon Linux Amazon Machine Image (AMI) configured for NAT. It accepts traffic from instances within a private subnet, translates the source IP address to the public IP address of the NAT instance, and forwards the traffic to the IGW.
In addition, the NAT instance maintains the state of the forwarded traffic so that response traffic from the Internet is returned to the proper instance in the private subnet. These AMIs carry a distinctive string in their names, which is searchable in the Amazon EC2 console. AWS has since deprecated the Amazon Linux NAT AMI and recommends NAT gateways for new deployments.
To allow instances within a private subnet to access Internet resources through the IGW via a NAT instance, you must configure the following:
- Create a security group for the NAT instance with inbound rules that allow traffic from the private subnets' CIDR ranges on the needed ports, and outbound rules that allow the needed Internet resources by port, protocol, and IP address.
- Launch the Amazon Linux NAT AMI as an instance in a public subnet and associate it with the NAT security group.
- Disable the Source/Destination Check attribute of the NAT instance; otherwise EC2 drops traffic whose source or destination is not the instance itself, which is exactly the traffic a NAT forwards.
- Configure the route table associated with the private subnet to direct Internet-bound traffic (0.0.0.0/0) to the NAT instance.
- Allocate an EIP and associate it with the NAT instance.
This configuration allows instances in private subnets to send outbound Internet communication, but it prevents the instances from receiving inbound traffic initiated by someone on the Internet.
NAT Gateway
A NAT Gateway is an Amazon-managed resource that is designed to operate just like a NAT instance, but it is simpler to manage and highly available within an Availability Zone. It is not resilient across zones: deploy one NAT gateway per Availability Zone and route each private subnet to the gateway in its own zone, so a zone failure does not take down egress for the others.
To allow instances within a private subnet to access Internet resources through the IGW via a NAT gateway, you must configure the following:
- Create the NAT gateway in a public subnet (one whose route table has a route to the IGW) and assign it an Elastic IP when you create it.
- Configure the route table associated with the private subnet to direct Internet-bound traffic (0.0.0.0/0) to the NAT gateway.
Like a NAT instance, this managed service allows outbound Internet communication and prevents the instances from receiving inbound traffic initiated by someone on the Internet.
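The source-translation and state-keeping behaviour that both NAT variants share is shown in the following added example (not code from the original page or from AWS). It models port address translation in Python: outbound packets from a constructed private subnet are rewritten to a made-up Elastic IP and a fresh port, the mapping is remembered so replies can be translated back, and unsolicited inbound packets are dropped. A small check at the end verifies the route-table placement the steps above require (private default route to the NAT, NAT's own subnet routed to an IGW); all identifiers are sample values.

```python
import ipaddress


class SourceNat:
    """Port address translation as a NAT instance or NAT gateway performs it:
    rewrite the private source to the NAT's Elastic IP plus a fresh port,
    remember the mapping so the reply can be translated back, and drop any
    inbound packet that does not belong to a flow a private host opened."""

    def __init__(self, elastic_ip, private_cidr, port_range=(1024, 65535)):
        self.elastic_ip = elastic_ip
        self.private = ipaddress.ip_network(private_cidr)
        self._next_port = iter(range(port_range[0], port_range[1] + 1))
        self.forward = {}   # (src_ip, src_port, dst_ip, dst_port) -> nat_port
        self.reverse = {}   # (nat_port, dst_ip, dst_port) -> (src_ip, src_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Private host -> Internet. Returns the packet as sent on to the IGW."""
        if ipaddress.ip_address(src_ip) not in self.private:
            return None  # not ours to translate; routing should never send it here
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.forward:
            nat_port = next(self._next_port)
            self.forward[key] = nat_port
            self.reverse[(nat_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.elastic_ip, self.forward[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internet -> NAT. Returns the packet delivered to the private host,
        or None when it is dropped (wrong destination or unsolicited)."""
        if dst_ip != self.elastic_ip:
            return None
        original = self.reverse.get((dst_port, src_ip, src_port))
        if original is None:
            return None  # nobody inside opened this flow: unsolicited, dropped
        return (src_ip, src_port, original[0], original[1])


def nat_routing_ok(private_routes, nat_subnet_routes):
    """The private subnet's default route must point at the NAT, and the
    subnet hosting the NAT must itself have a default route to an IGW."""
    private_default = dict(private_routes).get("0.0.0.0/0", "")
    nat_default = dict(nat_subnet_routes).get("0.0.0.0/0", "")
    return private_default.startswith("nat-") and nat_default.startswith("igw-")


if __name__ == "__main__":
    nat = SourceNat("198.51.100.5", "10.0.2.0/24")  # constructed EIP and private subnet
    sent = nat.outbound("10.0.2.15", 43210, "93.184.216.34", 443)
    print("to Internet:", sent)
    print("reply delivered to:", nat.inbound("93.184.216.34", 443, "198.51.100.5", sent[1]))
    print("unsolicited SSH:", nat.inbound("203.0.113.9", 55555, "198.51.100.5", 22))
    print("routing ok:", nat_routing_ok(
        [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0e9f8a7b")],
        [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0a1b2c3d")]))
```

The dropped unsolicited packet is the property the text describes: nothing on the Internet can initiate a connection to a private instance through the NAT, because no reverse mapping exists until a private host has sent something out.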