Understanding AWS Virtual Private Cloud and its Importance
AWS can be thought of as two separate spaces.
- Public Space
- Private Space
Services like S3 and IAM sit in the public space: you reach them through AWS-managed public service endpoints, not through a network you define (IAM is global; S3 buckets are regional but are still addressed through public endpoints). Resources in the private space, such as EC2 instances and RDS databases, must be created inside a confined, isolated network. The VPC is that isolated network. The purpose of the isolation is to give you adequate control over which traffic can reach your resources.
Amazon Virtual Private Cloud (VPC) lets you logically isolate your AWS resources at the network level. A VPC is the network boundary within which you control the ingress and egress traffic that is allowed to interact with your resources.
- A VPC is confined to the single region it is created in, and spans all Availability Zones of that region.
- The default quota is 5 VPCs per region; it is a service quota and can be raised on request.
- Each VPC has a primary CIDR block (IPv4, between /16 and /28), the pool of private IP addresses from which your resources are addressed. Secondary CIDR blocks can be added later, but the primary block cannot be changed once the VPC exists.
- Subnets are created by slicing chunks out of this CIDR.
Elements of VPC
For this blog I will be using analogies to explain how these elements interact with each other. You can imagine a VPC as a city.
Subnets
In terms of analogy, subnets are the warehouses inside the city (VPC) where you keep your AWS resources.
Subnets, as the name indicates, are a way to segregate resources. The overall CIDR block of the VPC is sliced into multiple smaller networks, and every resource with a network interface lives in exactly one of them.
Points to Ponder
- In networking terms, the VPC CIDR is divided into smaller ranges of private IPs. AWS reserves the first four and the last address of every subnet, so a /24 subnet gives you 251 usable addresses, not 256.
- In terms of physical location, a subnet is bound to a single Availability Zone and cannot span more than one; spreading resources across subnets in different AZs is how you get availability.
VPC Router (Route Table)
In terms of analogy, the VPC Router provides the roads between the warehouses (subnets) and the resources placed inside them. Some roads (routes) carry traffic between warehouses; others let traffic leave the city (VPC) altogether.
The VPC Router routes traffic between the following elements of a VPC:
- Subnets (internal traffic)
- Internet Gateways (external traffic)
- Virtual Private Gateways
- NAT Gateways
- VPC peering connections and VPC endpoints
We never interact with the router directly, but we give it instructions that tell it where to send traffic. These instructions are recorded in a Route Table. Each subnet is associated with exactly one route table (the VPC's main route table unless you associate a custom one), and every route table contains a "local" route for the VPC CIDR that cannot be removed, so resources inside the VPC can always reach each other at the routing layer.
Internet Gateway
The analogy of an Internet Gateway is a highway that connects you with the world outside the city (VPC).
An Internet Gateway (IGW) is the link that allows communication to and from the internet. What makes a subnet "public" is not a property of the subnet itself but a route in its route table sending 0.0.0.0/0 to the IGW; an instance in that subnet also needs a public IPv4 or Elastic IP, because the IGW performs the one-to-one translation between the private and the public address.
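To make the route table and Internet Gateway behaviour concrete, here is an added example (written for this page, not code from the original post or from AWS) that models a VPC route table the way the VPC router evaluates it: longest-prefix match, the immutable local route, and the rule that a subnet is "public" only because of its 0.0.0.0/0 target. The route tables and resource ids (igw-0example, nat-0example, pcx-0example) are constructed for the example and are not real resources.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR the route covers
    target: str        # "local", or a (hypothetical) resource id: "igw-...", "nat-...", "pcx-..."


def lookup(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match, which is how the VPC router picks a route.
    Returns None when nothing matches: such traffic is simply dropped."""
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[Route] = None
    best_len = -1
    for r in routes:
        net = ipaddress.ip_network(r.destination)
        if ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def subnet_kind(routes: List[Route]) -> str:
    """Classify a subnet purely from its route table, because that is what makes it public."""
    for r in routes:
        if ipaddress.ip_network(r.destination).prefixlen == 0:   # the 0.0.0.0/0 default route
            if r.target.startswith("igw-"):
                return "public"            # inbound still needs a public/Elastic IP on the ENI
            if r.target.startswith("nat-"):
                return "private"           # outbound-only through a NAT gateway
            return f"default route via {r.target}"   # e.g. a VPN or transit gateway
    return "isolated"                      # no route out of the VPC at all


def reachable_from_internet(routes: List[Route], has_public_ip: bool) -> bool:
    """Inbound from the internet needs both a route to an IGW and a public address on the
    interface. Security groups and NACLs are evaluated on top of this, not instead of it."""
    return subnet_kind(routes) == "public" and has_public_ip


# Constructed route tables for a VPC using 10.0.0.0/16 that is peered with 10.1.0.0/16.
VPC_CIDR = "10.0.0.0/16"
LOCAL = Route(VPC_CIDR, "local")     # present in every route table and cannot be deleted
PUBLIC_RT = [LOCAL, Route("0.0.0.0/0", "igw-0example"), Route("10.1.0.0/16", "pcx-0example")]
PRIVATE_RT = [LOCAL, Route("0.0.0.0/0", "nat-0example"), Route("10.1.0.0/16", "pcx-0example")]
ISOLATED_RT = [LOCAL]


if __name__ == "__main__":
    for name, rt in (("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)):
        print(name, "->", subnet_kind(rt))
        for dst in ("10.0.3.4", "10.1.2.3", "8.8.8.8"):
            hit = lookup(rt, dst)
            print(f"  {dst:>10} -> {hit.target if hit else 'no route (dropped)'}")
    print("public subnet, instance without public IP, reachable:",
          reachable_from_internet(PUBLIC_RT, has_public_ip=False))
```

Two things worth noticing in the output: traffic to 10.0.3.4 takes the local route even in the public table, because /16 is more specific than /0, so no route you add can hijack intra-VPC traffic; and an instance in the "public" subnet without a public IP is still unreachable from the internet, while one in the "private" subnet can initiate outbound connections through the NAT gateway but never accept inbound ones.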
VPC Peering
Let's say you want to route traffic between two different cities. Then you build a road that connects them.
Two different VPCs (in the same region or in different regions, in the same account or in different accounts) can let their resources communicate over a private channel. For this purpose, VPC peering is used. Peering requires the two VPCs to have non-overlapping CIDR blocks, and it is not transitive: if A peers with B and B peers with C, A still cannot reach C through B. Hence it is a best practice to use non-overlapping CIDR blocks for all of your VPCs, because you might have to peer them later. A peering connection alone moves no traffic; each side still needs a route for the other VPC's CIDR pointing at the peering connection.
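The CIDR rules above (a VPC block sliced into one subnet per AZ, five addresses reserved per subnet, and non-overlapping blocks as a precondition for peering) are easy to get wrong when planning address space. The following is an added example, written for this page and not code from the original post or from AWS, that uses Python's standard ipaddress module to carve subnets, count usable hosts, and run the checks a planner would want before creating subnets or requesting a peering connection. The AZ names and CIDR blocks are constructed for the example.

```python
import ipaddress
from typing import Dict, List

# AWS keeps five addresses out of every subnet: the network address, the VPC router (+1),
# Amazon DNS (+2), one reserved for future use (+3) and the broadcast address (last).
# A /24 subnet therefore yields 251 usable hosts, a /28 only 11.
RESERVED_PER_SUBNET = 5

# Hypothetical AZ names used only to build the example.
AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]


def carve_subnets(vpc_cidr: str, new_prefix: int, azs: List[str]) -> Dict[str, ipaddress.IPv4Network]:
    """Slice the VPC CIDR into one subnet per AZ, handing them out in address order."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError("a VPC IPv4 block must be between /16 and /28")
    if not vpc.prefixlen <= new_prefix <= 28:
        raise ValueError("subnets must be between the VPC prefix length and /28")
    pieces = vpc.subnets(new_prefix=new_prefix)
    return {az: next(pieces) for az in azs}


def usable_hosts(subnet: ipaddress.IPv4Network) -> int:
    """Addresses you can actually assign to interfaces in the subnet."""
    return subnet.num_addresses - RESERVED_PER_SUBNET


def subnet_problems(vpc_cidr: str, subnets: Dict[str, str]) -> List[str]:
    """Checks to run before creating subnets: each inside the VPC block, none overlapping."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = [f"{n} {net} is outside VPC {vpc}" for n, net in nets.items() if not net.subnet_of(vpc)]
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """VPC peering is refused when the two VPCs' CIDR blocks overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


if __name__ == "__main__":
    plan = carve_subnets("10.0.0.0/16", 24, AZS)
    for az, net in plan.items():
        print(f"{az}: {net} ({usable_hosts(net)} usable addresses)")
    print(subnet_problems("10.0.0.0/16",
                          {"app-a": "10.0.0.0/24", "app-b": "10.0.0.128/25", "db": "10.1.0.0/24"}))
    print("peer 10.0.0.0/16 with 10.1.0.0/16:", can_peer("10.0.0.0/16", "10.1.0.0/16"))
    print("peer 10.0.0.0/16 with 10.0.0.0/16:", can_peer("10.0.0.0/16", "10.0.0.0/16"))
```

The last line is the common failure mode: two teams that both picked 10.0.0.0/16 for their VPC (the console default) can never be peered, which is why the non-overlap advice is given before any peering is planned rather than after.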
VPC Endpoint
I mentioned the two spaces (Public and Private) among which AWS services are divided. If you need a resource in the private space (say, an instance in a private subnet) to reach a service in the public space without sending the traffic through the internet or a NAT gateway, you need a VPC Endpoint. Gateway endpoints (for S3 and DynamoDB) are added as route table entries; interface endpoints (AWS PrivateLink) are elastic network interfaces with private IPs in your subnets and serve most other services. An endpoint policy can further restrict what is reachable through the endpoint, for example only specific buckets, which also closes off the endpoint as a data exfiltration path.
Security Group
- A Security Group primarily acts as an instance-level firewall.
- Just like any firewall, it is made of rule statements that allow traffic from a specific source (a CIDR block or another security group) on a specific protocol and port range. A Security Group is the named collection of these rules.
- Traffic from all private and public IPs is implicitly denied on all ports unless explicitly allowed by a Security Group rule.
- Security Group rules can only allow traffic; there are no deny rules. Security Groups are stateful: the reply to an allowed request is permitted automatically, regardless of the rules in the other direction. The default outbound rule allows all traffic, which is worth tightening for sensitive workloads.
- A Security Group is attached to the Elastic Network Interface of an instance, not to the subnet. An ENI can carry several groups (the default quota is five), and their rules are combined.
Network Access Control List (NACL)
- A Network Access Control List (NACL) primarily acts as a subnet-level firewall.
- A NACL also consists of rules, but each rule has a rule number. Rules are evaluated in ascending order and the first matching rule decides, so a lower number takes precedence over a higher one.
- Everything is implicitly denied by a final catch-all rule (shown as "*", with the highest possible rule number) unless an earlier rule explicitly allows it. The default NACL created with a VPC allows all traffic; a custom NACL you create starts out denying everything.
- A NACL has both Allow and Deny rule options, and it is stateless: return traffic is not tracked, so an inbound allow on port 443 also needs an outbound allow on the ephemeral port range (1024-65535) for the replies to leave the subnet.
- You can have at most 20 rules per direction in a NACL by default; the quota can be raised to 40.
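The differences between the two firewall layers (allow-only and stateful for Security Groups; numbered, first-match, allow-or-deny and stateless for NACLs) are where most VPC connectivity and exposure mistakes come from. Here is an added example, written for this page and not code from the original post or from AWS, that models both evaluators and runs one HTTPS session through them. It shows a lower-numbered deny beating a later allow, and the classic stateless mistake of allowing outbound 443 instead of the ephemeral port range so that replies are dropped by the "*" rule. The packets, rule sets and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" / "udp" / "icmp"
    sport: int
    dport: int


@dataclass(frozen=True)
class SgRule:               # security group rules: allow-only, unordered
    proto: str              # "-1" means all protocols (ports then ignored)
    port_from: int
    port_to: int
    cidr: str


@dataclass(frozen=True)
class NaclRule:             # NACL rules: numbered, ordered, allow or deny
    number: int
    action: str             # "allow" / "deny"
    proto: str
    port_from: int
    port_to: int
    cidr: str


# The unremovable '*' rule AWS appends to every NACL (rule number 32767 in the API).
CATCH_ALL = NaclRule(32767, "deny", "-1", 0, 65535, "0.0.0.0/0")


def _matches(proto: str, port_from: int, port_to: int, cidr: str,
             pkt_proto: str, port: int, addr: ipaddress.IPv4Address) -> bool:
    if proto not in ("-1", pkt_proto):
        return False
    if proto != "-1" and not port_from <= port <= port_to:
        return False
    return addr in ipaddress.ip_network(cidr)


def sg_allows_inbound(rules: List[SgRule], pkt: Packet) -> bool:
    """Implicit deny; any matching allow rule is enough; rule order is irrelevant.
    Because the SG is stateful, the reply to an allowed request needs no outbound rule."""
    src = ipaddress.ip_address(pkt.src)
    return any(_matches(r.proto, r.port_from, r.port_to, r.cidr, pkt.proto, pkt.dport, src)
               for r in rules)


def nacl_decision(rules: List[NaclRule], pkt: Packet, direction: str) -> Tuple[str, int]:
    """Evaluate in ascending rule number; the first match decides; '*' denies the rest.
    Stateless: inbound rules see the request, outbound rules see the reply on its own."""
    remote = ipaddress.ip_address(pkt.src if direction == "inbound" else pkt.dst)
    for r in sorted(rules, key=lambda r: r.number) + [CATCH_ALL]:
        if _matches(r.proto, r.port_from, r.port_to, r.cidr, pkt.proto, pkt.dport, remote):
            return r.action, r.number
    raise AssertionError("unreachable: CATCH_ALL matches everything")


def session_allowed(sg_in: List[SgRule], nacl_in: List[NaclRule], nacl_out: List[NaclRule],
                    request: Packet, reply: Packet) -> Dict[str, object]:
    """Both layers must pass: the SG once for the request; the NACL for request and reply separately."""
    sg_ok = sg_allows_inbound(sg_in, request)
    req = nacl_decision(nacl_in, request, "inbound")
    rep = nacl_decision(nacl_out, reply, "outbound")
    return {"sg": sg_ok, "nacl_request": req, "nacl_reply": rep,
            "session_ok": sg_ok and req[0] == "allow" and rep[0] == "allow"}


# Constructed sample traffic: an HTTPS request from a client and the instance's reply.
REQUEST = Packet("198.51.100.7", "10.0.1.5", "tcp", 50432, 443)
REPLY = Packet("10.0.1.5", "198.51.100.7", "tcp", 443, 50432)
BLOCKED_REQUEST = Packet("203.0.113.10", "10.0.1.5", "tcp", 40000, 443)

SG_WEB = [SgRule("tcp", 443, 443, "0.0.0.0/0")]
NACL_IN = [NaclRule(90, "deny", "tcp", 443, 443, "203.0.113.0/24"),      # lower number wins
           NaclRule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_OUT_BROKEN = [NaclRule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]     # replies use ephemeral ports, not 443
NACL_OUT_FIXED = [NaclRule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]  # ephemeral range for replies

if __name__ == "__main__":
    print("broken outbound NACL:", session_allowed(SG_WEB, NACL_IN, NACL_OUT_BROKEN, REQUEST, REPLY))
    print("fixed outbound NACL: ", session_allowed(SG_WEB, NACL_IN, NACL_OUT_FIXED, REQUEST, REPLY))
    print("blocked /24 request: ", nacl_decision(NACL_IN, BLOCKED_REQUEST, "inbound"))
```

Swapping the two inbound NACL rule numbers (allow at 90, deny at 100) silently flips the result for 203.0.113.0/24, which is why NACL deny rules for known-bad ranges should always carry the lowest numbers. The security group, by contrast, has no ordering to get wrong, but it also cannot express the deny at all.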