AWS Networking and the Virtual Private Cloud (VPC) ☁️

Networking 101

  • 🛣️ Networks are like roads and highways to get from Point A to Point B.
  • Data moving through networks works the same way: it goes from local “roads” onto “highways” to reach other computers.
  • If you want to send traffic to a different (non-local) computer/server, it has to go through a router; communicating with local computers on the same network only needs switches.

Conceptual Overview of VPCs

  • ☁️ VPC = virtual private cloud = a private, logically isolated section of AWS that you control, in which you run AWS resources/services such as EC2 instances and databases.
  • You can select your own IP address range, subnets, and the configuration of route tables and network gateways.
  • When you create an AWS account, a default VPC is created for you.
  • Subnet = sub-network, a subsection of a network. Generally, a subnet includes all of the computers in a specific location.
  • e.g. all of the houses (computers) on the same street in a neighborhood would be a subnet.
  • The hierarchy goes: find the right network, then the right router, then the correct subnet, and finally the correct computer (IP address).
  • Or, at a high level, the cloud hierarchy: AWS cloud -> VPC -> Subnet(s) -> AWS Resources (EC2, RDS, etc.)
  • You can have multiple subnets in different AZs with different AWS resources for high availability.

Internet Gateways and Route Tables

  • Internet Gateways (IGWs) = hardware + software that gives your VPC’s private network a route to the outside world (meaning the internet).
  • Your default VPC already has an IGW attached.
  • IGWs are highly available VPC components, so they don’t impose any availability risks or bandwidth constraints.
  • Route Table = directs traffic to the IGW so that, let’s say, an EC2 instance can connect to the internet (outside of your VPC).
  • RTs are like the GPS of the VPC. They contain a set of rules called routes that determine where network traffic is directed.
  • Your default VPC already has a main route table.
  • Basically, a RT helps direct traffic to the right destination.
  • Networking security = determining which devices can communicate with each other.
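To make the route-table bullets concrete, here is an added example (not from the notes above or from AWS) that models how a VPC route table picks a route: the most specific matching destination CIDR wins, and a subnet is “public” when its route table has a route whose target is an internet gateway. The VPC range (10.0.0.0/16), the route tables and the `igw-EXAMPLE` target id are constructed placeholders.

```python
import ipaddress

# Constructed route tables for a hypothetical VPC using 10.0.0.0/16 (not real AWS output).
# Each entry is (destination CIDR, target). Every VPC route table carries the
# "local" route for the VPC's own range; AWS adds it and it cannot be removed.
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-EXAMPLE"),   # default route to the internet gateway (placeholder id)
]
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),        # VPC-internal traffic only, no internet route at all
]


def lookup_route(route_table, destination):
    """Pick the route the VPC would use for `destination`: the most specific
    (longest prefix) matching entry wins, regardless of the order the routes
    were written in. Returns the target, or None if no route covers the address."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public_subnet(route_table):
    """A subnet is 'public' when its route table contains a route whose target
    is an internet gateway (ids start with 'igw-'); otherwise instances in it
    have no path to the internet."""
    return any(target.startswith("igw-") for _, target in route_table)


def describe(route_table, destination):
    """Human-readable summary of where a packet to `destination` would go."""
    target = lookup_route(route_table, destination)
    return f"{destination} -> {target if target else 'no route (dropped)'}"


if __name__ == "__main__":
    # 10.0.1.25 matches both 10.0.0.0/16 and 0.0.0.0/0; the /16 is more specific, so it stays local.
    print(describe(PUBLIC_RT, "10.0.1.25"))       # 10.0.1.25 -> local
    print(describe(PUBLIC_RT, "93.184.216.34"))   # 93.184.216.34 -> igw-EXAMPLE
    print(describe(PRIVATE_RT, "93.184.216.34"))  # 93.184.216.34 -> no route (dropped)
    print(is_public_subnet(PUBLIC_RT), is_public_subnet(PRIVATE_RT))  # True False
```

The longest-prefix rule is why the `0.0.0.0/0` default route never hijacks VPC-internal traffic: the `local` route for the VPC’s own CIDR is always more specific.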

VPC Subnets, Security Groups, and NACLs

  • πŸ”Network Access Control List (NCAL) = A firewall / security layer on the subnet level. Basically like a bouncer saying who can come in or out.
  • NACL lists have inbound and outbound lists.
  • I.e. want http traffic to come into your subnet in your VPC, need to add to the NACL
  • Security Group = A firewall / security layer on the EC2 instance/server level for example. SGs are used when you need multiple EC2 instances on the same subnet but with different security restrictions for some for example.
  • SGs are like a conference where someone checks if you are allowed into the conference (subnet) and then once in the conference, someone checks which talks/rooms (instances) you can attend in terms of access.
  • Public subnets = ability to access resources on the internet (because connected through IGW)
  • Private subnets = no IGW, therefore no access to the resources on the internet
  • NACL also needs to set both inbound and outbound rules.
  • Rules are evaluated based on rule # (ordered list), can think of this as priorities of rules.
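The last two bullets are where NACLs bite in practice, so here is an added example (not from the notes or from AWS) that simulates both firewall layers: a NACL direction list evaluated in ascending rule number with the implicit catch-all deny, and a security group that holds allow rules only. It also shows why a NACL needs an outbound rule for the client’s ephemeral port before an HTTP reply can leave the subnet. The rule sets and the client addresses (203.0.113.0/24, 198.51.100.7) are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One firewall rule; used for both NACL entries and security group entries."""
    number: int            # NACL rule number (evaluation order); ignored for security groups
    protocol: str          # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # NACLs may also "deny"; security groups only ever "allow"

    def matches(self, protocol: str, port: int, ip: str) -> bool:
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if not self.port_from <= port <= self.port_to:
            return False
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)


def nacl_decision(rules: list, protocol: str, port: int, ip: str) -> str:
    """Evaluate one direction (inbound or outbound) of a NACL: lowest rule number
    first, the first match decides, and the implicit '*' catch-all denies
    anything no numbered rule matched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, ip):
            return rule.action
    return "deny"


def sg_allows(rules: list, protocol: str, port: int, ip: str) -> bool:
    """Security groups hold allow rules only and are stateful: any matching rule
    permits the connection and the reply is allowed automatically, so there is
    no ordering and no separate check for the return path."""
    return any(rule.matches(protocol, port, ip) for rule in rules)


# Constructed rule sets for a hypothetical public web subnet (not real AWS config).
INBOUND = [
    Rule(100, "tcp", 80, 80, "0.0.0.0/0"),                     # allow HTTP from anywhere
    Rule(90, "tcp", 80, 80, "203.0.113.0/24", action="deny"),  # block one range; 90 < 100 so it wins
]
# Same two rules, but the deny is numbered AFTER the allow, so it never takes effect.
INBOUND_WRONG_ORDER = [
    Rule(100, "tcp", 80, 80, "0.0.0.0/0"),
    Rule(110, "tcp", 80, 80, "203.0.113.0/24", action="deny"),
]
# NACLs are stateless: the HTTP reply back to the client's ephemeral port must be
# allowed explicitly in the outbound list.
OUTBOUND = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0")]
OUTBOUND_MISSING_EPHEMERAL = []   # common mistake: only the inbound side was configured

SG_WEB = [Rule(0, "tcp", 80, 80, "0.0.0.0/0")]   # instance-level: HTTP from anywhere


def http_roundtrip(inbound, outbound, client_ip, client_port=50000):
    """Return (request decision, reply decision) for an HTTP request from client_ip
    through the subnet's NACL: the request is checked inbound on port 80 and the
    reply is checked outbound on the client's ephemeral port. Both checks are
    independent because the NACL keeps no connection state."""
    request = nacl_decision(inbound, "tcp", 80, client_ip)
    reply = nacl_decision(outbound, "tcp", client_port, client_ip)
    return request, reply


if __name__ == "__main__":
    print(http_roundtrip(INBOUND, OUTBOUND, "198.51.100.7"))                   # ('allow', 'allow')
    print(http_roundtrip(INBOUND, OUTBOUND, "203.0.113.9"))                    # ('deny', 'allow')
    print(http_roundtrip(INBOUND_WRONG_ORDER, OUTBOUND, "203.0.113.9"))        # ('allow', 'allow')
    print(http_roundtrip(INBOUND, OUTBOUND_MISSING_EPHEMERAL, "198.51.100.7"))  # ('allow', 'deny')
    print(sg_allows(SG_WEB, "tcp", 80, "198.51.100.7"))                        # True
```

Two things to take from the run: a deny rule only works if its number is lower than the allow it is meant to override, and an inbound allow on port 80 is useless on its own because the reply leaves through the outbound list, which starts with the catch-all deny until you add the ephemeral-port rule.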