What is AWS VPC
Amazon VPC is your own private network inside Amazon’s cloud infrastructure. It is an alternative to maintaining your own data centre and is cheaper since it creates resources on demand. It is also more secure since Amazon takes care of the infrastructure security for you.
What is a Subnet
We will not go into much detail about subnets from a networking point of view, but for this tutorial, you should know that subnet is a part of your VPC that can contain resources that share a common subnet mask and that contain instances and resources that can normally only be accessed within that subnet except if you use an internet gateway to make them public.
What is an Internet Gateway?
An Internet Gateway allows you to make a subnet public by providing a route to the internet. All instances within the subnet can access the internet only through this gateway. Also, resources from the internet can access the instances in your subnet using this gateway.
What is a NAT Gateway
You can allow instances from your private subnet to connect to the internet using a NAT gateway. The instances in the private subnet do not have an IP address, so the NAT gateway translates the private IP to a public IP before routing the traffic out to the internet. NAT stands for Network Address Translation and it does just that – translates private IPs to public IP.
What is a CIDR block
CIDR or Classless Inter-Domain Routing is used to allocate IP address within a network. We will use CIDR blocks to mark a range of IP addresses for each subnet within a VPC. The VPC itself would have a CIDR block that lists all the IP addresses available with it.
What is a Route table
A route table contains rules for routing traffic within a subnet and from the subnet to outside world. Amongst other things, we use routing tables to add internet gateways and NAT gateways to the subnet.
Problem Statement for AWS VPC Tutorial
Here’s the network that we are planning to build today. It has the following components:
- A VPC spanning a region
- Two public and two private subnets in two Availability Zones (AZ). (one AZ contains one public and one private network)
- Internet Gateways for each public subnet in each AZ
One NAT Gateway for each private subnet.
In the Next part, we will look at how to create the CIDR block for creating the subnets. We will also see how to create the VPC and the Subnets. In the third part we will see how to create internet gateways, NAT gateways and route tables.
Why a NAT Gateway?
Before we explain why we need a NAT Gateway, here’s a network diagram of what we are trying to accomplish.
The two private networks need to talk to the internet for things like updating the operating system or installing software. Since the instances in the private network do not have a public IP, they need a NAT (Network Address Translation) Gateway that can convert the private IP to public IP for routing traffic to the internet and back. AWS provides two kinds of NAT resources – NAT instances and NAT gateways. The gateways are completely managed by AWS and so they are preferred over NAT instances.
What are Elastic IP addresses
We will build a NAT gateway, however, the gateway needs an IP address. AWS provides Elastic IP addresses, that you can create on demand. These IP addresses can be attached to instances and resources and detached when not required.
Steps to create AWS Elastic IP Address
Click on Elastic IPs in the VPC console of AWS.
If you haven’t created an IP address before you should see an empty table. Click on ‘Allocate New Address’ to add a new IP address. AWS will start creating the IP address for you.
Create two Elastic IPs for the two Gateways in each AZ.
Steps to create the NAT gateway
Once the IP address is created, click on NAT Gateway to open up the NAT gateway homepage. Click on ‘Create NAT Gateway’ to create a new NAT Gateway. In The field that says ‘Elastic IP Allocation ID’ select the new IP that you just created and then hit ‘Create NAT Gateway’. This will create the NAT Gateway.
Create a Route Table for NAT
The next step is to create the route table that will direct all traffic in the private subnet through the NAT Gateway. Click on the ‘Route Table’ section and click on ‘Create Route Table’. In the Routes section, add a route that maps all traffic (0.0.0.0/0) to the NAT gateway that we just created.
The Route table would need to be created for both the NAT Gateways.
Recap of the AWS VPC Tutorial
Our first VPC setup is done. To recap, we created a VPC with four subnets. Two of the subnets were made public by attaching an internet gateway to it and the other two subnets were private. However, the private subnets were allowed to connect to the internet using a NAT gateway. The instances in the public subnet will have public IP addresses. We can configure the subnet to assign a public IP address to all instances that are created in the subnet, OR, during instance creation we can specify the instance to have an auto-assigned public IP.
Network Access Control Lists (ACL)
By default, a VPC will come with a Network ACL and it will allow all inbound and outbound traffic. However, if you create a default Network ACL, it will block all inbound and outbound traffic, and you will have to manually allow traffic yourself.
Each subnet within a VPC must be connected to a Network ACL, however, each subnet can only be connected to 1 VPC at a time. The ACL, however, can be connected to multiple different subnets.
Things to remember:
Each subnet within a VPC must be connected to a Network ACL, however, each subnet can only be connected to 1 VPC at a time. The ACL, however, can be connected to multiple different subnets.
Things to remember:
- The Network ACL contains an ordered list of rules to allow traffic
- The convention is to start from 100 rules and go up in increments of 100.
- The rules will be considered in order to make sure if you want to allow all ssh access apart from a certain IP address, that you add your block rule before your allow all rule.
- There are separate rules for inbound and outbound traffic, so you must set up rules for each.
- They are stateless meaning responses to inbound traffic are dependent on outbound traffic rules and this applies the other way around.
- Block IP address using Network ACL’s and not Security groups
Resiliency
For resiliency, it is advisable to always have 2 public and 2 private subnets and ensure they are both in different availability zones. The same applies to Elastic Load Balancers.
NAT Instances are a little more difficult to make highly available so it's advised to use NAT Gateways instead, as all of this is taken care of and requires no manual effort.
You can always monitor traffic within your VPC by turning on VPC flow logs.
NAT Instances are a little more difficult to make highly available so it's advised to use NAT Gateways instead, as all of this is taken care of and requires no manual effort.
You can always monitor traffic within your VPC by turning on VPC flow logs.
VPC connectivity options
One of the major features of AWS VPC is the connectivity options it provides for securely connecting various networks with their AWS networks. In this section, you will learn about various connectivity options for AWS VPC, such as connecting remote customer networks with VPC, connecting multiple VPCs into a shared virtual network, and so on. We will look at three connectivity options in detail:
- Connecting the user network to AWS VPC
- Connecting AWS VPC with another AWS VPC
- Connecting the internal user with AWS VPC
Connecting user network to AWS VPC
You can extend and integrate your resources in your remote networks, such as compute power, security, monitoring, and so on, by leveraging your resources in AWS VPC. By doing this, your users can access all resources in AWS VPC seamlessly like any other resource in internal networks. This type of connectivity requires you to have non-overlapping IP ranges for your networks on the cloud and on-premises, so ensure that you have a unique CIDR block for your AWS VPC. AWS recommends that you use a unique, single, non-overlapping, and contiguous CIDR block for every VPC. You can connect your network with AWS VPC securely in the following ways:
- Hardware VPN: You can configure AWS-compatible customer VPN gateways to access AWS VPC over an industry standard, encrypted IPsec hardware VPN connection. You are billed for each VPN connection hour; that is, for every hour your VPC connection is up and running. Along with it, you are charged for data transfer as well.
This option is easier to configure and install and uses an existing internet connection. It is also highly available as AWS provides two VPN tunnels in an active and standby mode by default. AWS provides virtual private gateway with two endpoints for automatic failover. You need to configure customer gateway side of this VPN connection; this customer gateway could be software or hardware in your remote network.
On the flip side, hardware VPN connections have data transfer speed limitations. Since they use an internet to establish connectivity, the performance of this connection, including network latency and availability, is dependent on the internet condition.
- Direct connect: You can connect your AWS VPC to your remote network using a dedicated network connection provided by AWS authorized partners over 1-gigabit or 10-gigabit Ethernet fiber-optic cable. One end of this cable is connected to your router, the other to an AWS Direct Connect router. You get improved, predictable network performance with reduced bandwidth cost. With Direct Connect, you can bypass the internet and connect directly to your resources in AWS, including AWS VPC.
You can pair Direct Connect with a hardware VPN connection for redundant, highly available connectivity between your remote networks and AWS VPC. The following diagram shows the AWS Direct Connect service interfacing with your remote network:
- AWS VPN CloudHub: You might have multiple remote networks that need to connect securely with AWS VPC. For such scenarios, you will create multiple VPN connections, and use AWS VPN CloudHub to provide secure communication between these sites. This is a hub and spoke model that can be used either for primary connectivity or as a backup option. It uses existing internet connections and VPN connections.
You create a virtual private gateway for your VPC with multiple customer gateways for your remote networks to use AWS VPN CloudHub. These remote networks should not have overlapping IP networks. The pricing model for this option is similar to that of a hardware VPN connection.
- Software VPN: Instead of a hardware VPN connection, you can also use an EC2 instance in your VPC with a software VPN appliance running in order to connect your remote network. AWS does not provide any software VPN appliance; however, you can use software VPN appliances through a range of products provided by AWS partners and various open source communities present on AWS marketplace. It also uses the internet for connectivity; hence, reliability, availability, and network performance are dependent on the internet speed.
This option, however, supports a wide variety of VPN vendors, products, and protocols. It is completely managed by customers. It is helpful for scenarios where you are required to manage both ends of a connection, either for compliance purposes or if you are using connectivity devices that are currently not supported by AWS.
Connecting AWS VPC with other AWS VPCs
If you have multiple VPCs in multiple regions across the globe, you may want to connect these VPCs to create a larger, secure network. This connectivity option works only if your VPCs do not have overlapping IP ranges and have a unique CIDR block. Let's look at the following ways to connect AWS VPC with other AWS VPCs:
VPC peering: You can connect two VPCs in the same region using a VPC peering option in AWS VPC. Resources in these VPCs can communicate with each other using private IP addresses as if they are in the same network. You can have a VPC peering connection with a VPC in your AWS account and VPC in other AWS accounts as long as they are in the same region.
AWS uses its own existing infrastructure for this connection. It is not a gateway or a VPN connection that uses any physical device. It is not a single point of failure or a network performance bottleneck.
VPC peering is the most preferred method of connecting AWS VPCs. It is suitable for many scenarios in large and small organizations. Let's look at some of the most common scenarios.
If you need to provide full access to resources across two or more VPCs, you can do that by peering them. For example, you have multiple branch offices in various regions across the globe and each branch office has a different VPC. Your headquarter needs to access all resources for all VPCs for all your branch offices. You can accomplish this by creating a VPC in each region and peering all other VPCs with your VPC.
You might have a centralized VPC that contains information required by other VPCs in your organization, such as policies related to human resources. This is a read-only VPC and you would not want to provide full access to resources in this VPC. You can create a VPC peering connection and restrict access for this centralized VPC.
You can also have a centralized VPC that might be shared with your customers. Each customer can peer their VPC with your centralized VPC, but they cannot access resources in other customers' VPC.
Data transfer charges for a VPC peering connection are similar to charges for data transfer across availability zones. As discussed, VPC peering is limited to VPCs in the same region. A VPC peering is a one-to-one connection between two VPCs; transitive peering is not allowed for a peering connection. In the following diagram, VPC A is peered with VPC B and VPC C; however, VPC B is not peered with VPC C implicitly. It has to be peered explicitly:
AWS VPC Peering?
AWS VPC Peering is a functionality that enables two private networks to communicate with each other by building fast and reliable connections. AWS VPC peering connections can be used to route traffic from one VPC to another VPC network or to provide access to resources of one network to another.
Sourec
http://www.cloudforest.in/2016/09/pass-aws-certification-exam-in-10-days.html
http://www.cloudforest.in/2016/09/pass-aws-certification-exam-in-10-days.html
http://www.studytrails.com/amazon-aws/aws-vpc-tutorial-part-iii/
https://www.networkcomputing.com/networking/aws-security-tutorial-vpc-setup
https://sites.google.com/site/awsarticles/home/aws-architect-notes/vpc-overview-components/vpc-exam-questions