
AWS Network

Shashi Shankar

Mar 22, 2023

AWS Virtual Private Cloud (VPC)

Overview of VPC

A Virtual Private Cloud (VPC) is a virtual networking layer dedicated to a user's AWS account. It hosts Linux and Windows servers and runs applications within the AWS cloud environment. Users launch and administer AWS resources within their VPCs; a VPC is regional and spans all Availability Zones (AZs) in its region. Each VPC resembles a virtual network and must be assigned a range of IPv4 addresses (typically in the form x.x.x.x/16), with the block size ranging from a /16 to a /28 netmask. The number of IP addresses in a block can be calculated with the formula 2 ** (32 - netmask length). Besides AZs there are Local Zones, zones in locations such as San Francisco that support applications requiring millisecond response times. Users may create up to 5 VPCs per region and may assign secondary IPv4 CIDR blocks to a VPC; AWS automatically adds routes for these secondary CIDR blocks. When assigning CIDR blocks, it is recommended to choose from the private IPv4 address ranges. The AWS network components within a VPC are Subnets, Route Tables, Network ACLs, Security Groups, the Internet Gateway, the NAT Gateway, the Virtual Private Gateway and Customer Gateway for VPN connectivity, Direct Connect, PrivateLink, Endpoints, and VPC Peering.


VPC Airport Analogy

In the analogy of air travel to an AWS VPC, the display boards in the terminals represent the main route table, which guides passengers (data packets) to their respective destinations. The terminals themselves correspond to Availability Zones, each a distinct location within the airport. Gates, like security groups, regulate access to specific areas within the terminals. Display boards in common areas resemble custom route tables, offering alternative paths for certain types of passengers. Phone booths, serving as NAT gateways, give passengers a channel to the outside world. The airport's WiFi network mirrors the internet gateway, granting access to online resources. Lounges, restaurants, and shops represent the various AWS services available within the VPC, each serving a different need. Runways and air traffic controllers symbolize the core services orchestrating the flow of data traffic. TSA screening stands for the initial authentication process, ensuring passengers are authorized to enter the airport (VPC). Boarding passes, mobile passes, and airline staff serve as authorization mechanisms for accessing specific gates (resources) within the airport. Ground and airport staff provide common services such as Lambda functions and DynamoDB tables, keeping operations running smoothly. Airline monitors, the equivalent of Direct Connect, offer direct, dedicated connections between the airport (VPC) and external services. The flow of passengers through Route 64 represents the air traffic controllers managing data traffic within the VPC, while access to restricted areas reflects the secure handling of sensitive data within the network.


Default VPC and Subnet


VPC

  • It is automatically created when you create your account

  • VPC with CIDR size /16

  • Subnet of size /20 in each AZ

  • Internet gateway

  • Default Security Group

  • Default Network ACL

  • Default DHCP option set for the VPC

  You can make the following changes to your default VPC:

  • Add subnets

  • Modify the main Route Table

  • Add Route Tables

  • Associate additional Security Groups

  • Update the default Security Group

  • Add a VPN

  • Add more IPv4 CIDR blocks

  • Access the VPC using Direct Connect


Subnet

  • It is automatically created within your default VPC when you create your account

  • It is a public subnet (you can connect to the Internet)

  • It can be converted to a private subnet by removing the route 0.0.0.0/0 to the Internet gateway

  • Instances launched in the default subnet get both private and public IPv4 addresses

  • Instances launched in a private subnet DO NOT get a public IPv4 address

Viewing Default VPC

Console -> VPC -> Your VPCs -> Default VPC (Yes) -> note down the ID of the default VPC -> Subnets -> type the ID of the default VPC -> the default subnet is returned -> check that the Default subnet column shows Yes

Launching EC2 instance in Default VPC

Console -> Launch instance -> select an AMI -> select an Instance Type -> (accept the default settings) -> Review and Launch -> review settings -> launch in the default subnet (you can choose your own subnet if you have created one) -> Launch -> select a key pair (create a new key pair: give it a name and download it)

Deleting Default Subnet and Default VPC

You can delete the default VPC and the default subnet. If you do not have another VPC created, then you must create another VPC and subnet to have a network to use.


CIDR Range


10.0.0.0 - 10.255.255.255 (10/8 prefix)

172.16.0.0 - 172.31.255.255 (172.16/12 prefix)

192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Your VPC can be smaller, for example:

10.0.0.0/16

172.31.0.0/16

192.168.0.0/20


Subnet Overview

A subnet is a defined range of CIDR addresses within the larger CIDR range of a VPC, serving as a segmented network within the VPC. Instances or servers in AWS are launched within these subnets, which allows the creation of smaller, manageable networks. A subnet is confined to a single Availability Zone (AZ) and cannot span AZs; distributing resources across several AZs helps avoid a single point of failure. Each subnet has a firewall, the Network Access Control List (Network ACL), which controls inbound and outbound traffic at the subnet level. Each subnet also has a route table that dictates how traffic leaves the subnet. Instances within a subnet can have their own firewall configuration, the Security Group, providing an additional layer of security at the instance level. The network diagram illustrates a VPC with three subnets allocated across separate AZs. Subnets designated for communication with the Internet are termed public subnets; they route traffic between instances in the subnet and the internet gateway (IG). Instances that communicate through the IG must have a public IPv4 address. To avoid conflicts, the CIDR blocks assigned to different subnets must not overlap.


The first and last IP addresses within a subnet's CIDR block are reserved for AWS usage. CIDR block sizes are limited to a range between a /28 and a /16 netmask, and the size of an existing CIDR block cannot be changed. Each customer is assigned a quota for the number of CIDR blocks they can use. For VPC peering connections, the rules are: with an active peering connection you can add CIDR blocks to a VPC, provided they do not overlap with the CIDR blocks of the other VPC in the connection; while a peering connection is pending, the requester cannot add CIDR blocks, but the owner of the accepting VPC can. Additionally, if Direct Connect is used for multiple VPCs, those VPCs cannot have overlapping CIDR blocks.
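The CIDR rules in the two paragraphs above (the 2 ** (32 - netmask) size formula, the /16 to /28 limit, choosing from the private ranges, non-overlapping subnets, and the no-overlap rule for peered VPCs) can all be checked before anything is created. The following is an added example using Python's standard ipaddress module; it is not code from the original post. The sample blocks are constructed, and the reserved-address count uses the five addresses AWS reserves in every subnet (the first four and the last).

```python
import ipaddress
from typing import List

# RFC 1918 private ranges the text recommends choosing VPC CIDR blocks from.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# AWS limits VPC and subnet blocks to prefix lengths between /16 and /28.
MIN_PREFIX, MAX_PREFIX = 16, 28

# AWS reserves five addresses in each subnet: the first four and the last one.
RESERVED_PER_SUBNET = 5


def address_count(cidr: str) -> int:
    """Total addresses in a block: 2 ** (32 - prefix length)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return 2 ** (32 - net.prefixlen)


def usable_hosts(cidr: str) -> int:
    """Addresses you can actually assign to instances in a subnet of this size."""
    return address_count(cidr) - RESERVED_PER_SUBNET


def check_vpc_cidr(cidr: str) -> List[str]:
    """Return a list of problems with a proposed VPC block; empty means acceptable."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        return [f"{cidr}: not a valid network address ({exc})"]
    problems = []
    if not (MIN_PREFIX <= net.prefixlen <= MAX_PREFIX):
        problems.append(f"{cidr}: prefix /{net.prefixlen} is outside /16../28")
    if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"{cidr}: not inside an RFC 1918 private range")
    return problems


def check_subnets(vpc_cidr: str, subnet_cidrs: List[str]) -> List[str]:
    """Subnets must sit inside the VPC block, respect the size limits, and not overlap."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems = []
    seen = []
    for cidr in subnet_cidrs:
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vpc):
            problems.append(f"{cidr}: not inside VPC block {vpc_cidr}")
        if not (MIN_PREFIX <= net.prefixlen <= MAX_PREFIX):
            problems.append(f"{cidr}: prefix /{net.prefixlen} is outside /16../28")
        for other in seen:
            if net.overlaps(other):
                problems.append(f"{cidr}: overlaps {other}")
        seen.append(net)
    return problems


def peering_allowed(vpc_a_blocks: List[str], vpc_b_blocks: List[str]) -> bool:
    """Peered VPCs (and VPCs sharing a Direct Connect) may not have overlapping blocks."""
    a = [ipaddress.ip_network(c) for c in vpc_a_blocks]
    b = [ipaddress.ip_network(c) for c in vpc_b_blocks]
    return not any(x.overlaps(y) for x in a for y in b)


if __name__ == "__main__":
    # Constructed sample plan: a /16 VPC with three /24 subnets, one of which collides.
    print(address_count("10.0.0.0/16"), "addresses in the VPC")
    print(usable_hosts("10.0.1.0/24"), "usable hosts per /24 subnet")
    print(check_vpc_cidr("10.0.0.0/16") or "VPC block OK")
    print(check_subnets("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24", "10.0.1.128/25"]))
    print("peering allowed:", peering_allowed(["10.0.0.0/16"], ["10.1.0.0/16"]))
```

Run it as a script to see the sample plan evaluated, or import the functions into a planning script. The checks use strict network parsing on purpose: a block such as 10.0.1.0/16 with host bits set is rejected rather than silently normalised, which is the same behaviour the AWS API shows.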


Subnet Routing

  • Each subnet has a Route Table

  • The subnet Route Table includes Route for outbound traffic leaving the subnet

  • Traffic from subnet to another network using VPN uses virtual private gateway and not internet, so Elastic or public IPv4 address is not needed


Subnet - Network ACL

  • AWS provides two features for securing VPC resources: the instance-level Security Group and the subnet-level Network ACL (Access Control List)

  • Each subnet must be assigned to a Network ACL

  • Every subnet, by default, is associated with a default network ACL. The assigned Network ACL can be changed


Internet Gateway

  • An Internet Gateway enables communication between VPC and Internet

  • There is only one IG per VPC

  • A subnet with a route to the IG is a public subnet

  • Scalable, redundant and highly available

  • How to enable internet access:

  • Create an Internet Gateway for the public subnet

  • Add a route in the Route Table that directs internet-bound traffic to the Internet Gateway

    • 0.0.0.0/0 for IPv4 or ::/0 for IPv6

  • Ensure instances interacting with the Internet have a globally unique public IP address

    • AWS provides a public IP address that can change, or

    • AWS provides a static Elastic IP address that is allocated to your account

  • Egress only Internet Gateway - applicable only to IPv6 subnets


NAT (Network Address Translator) Device

  • Used for instances in Private Subnet to connect to internet but prevents the Internet to initiate connections to the private instances

  • All inbound traffic from the internet to AWS instances goes through the NAT device, which acts like a traffic cop: it receives the message, translates it and directs it to the correct AWS instance. This prevents the instance from communicating directly with the internet for inbound traffic.

  • A NAT device replaces private instance IP with NAT device IP during communication between private instance and internet (hence, the name Network Address Translator)

  • Two type of Nat devices - NAT Gateway and NAT Instance

  • NAT Gateway

    • Recommended

    • AWS managed

    • Charged per hour of usage

    • Not supported for IPv6

    • Located in public subnet


NAT (Network Address Translator) Instance

  • An instance in a public subnet

  • Not supported for IPv6

  • Traffic from instances in the private subnet is sent to the NAT instance, which is located in the public subnet. The NAT instance then sends the traffic to the Internet Gateway

  • The traffic is assigned the Elastic IP of the NAT instance.

  • The NAT instance translates incoming traffic back to the private instance that initiated the Internet traffic and forwards the messages to the initiating instance

  • The NAT instance communicates with the Internet

  • Amazon provides Linux AMIs for creating NAT instance
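The Subnet Routing, Internet Gateway and NAT sections above all come down to what the subnet's route table says about a destination: a "local" route for the VPC block, a VPN destination pointing at the virtual private gateway, and a default route 0.0.0.0/0 pointing at either an Internet Gateway (public subnet) or a NAT device (private subnet with outbound access). The following added example, which is not code from the original post, models that lookup with longest-prefix matching and shows the conversion described earlier in the Default Subnet section: removing the 0.0.0.0/0 route to the IG turns a public subnet private. The route tables and the target IDs (igw-EXAMPLE, nat-EXAMPLE, vgw-EXAMPLE) are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str   # CIDR block, e.g. "0.0.0.0/0"
    target: str        # "local", or a gateway id: igw-..., nat-..., vgw-... (placeholders here)


def resolve(route_table: List[Route], dest_ip: str) -> Optional[str]:
    """Return the target for dest_ip using longest-prefix match (most specific route wins)."""
    addr = ipaddress.ip_address(dest_ip)
    best_prefix, best_target = -1, None
    for route in route_table:
        net = ipaddress.ip_network(route.destination)
        if net.version != addr.version:      # skip ::/0 for an IPv4 address and vice versa
            continue
        if addr in net and net.prefixlen > best_prefix:
            best_prefix, best_target = net.prefixlen, route.target
    return best_target


def subnet_kind(route_table: List[Route]) -> str:
    """Classify a subnet by where its route for an Internet address leads."""
    # 203.0.113.10 is a TEST-NET-3 documentation address; any non-VPC address would do.
    target = resolve(route_table, "203.0.113.10")
    if target is None:
        return "private (no Internet route)"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private (outbound via NAT)"
    return "private"


def convert_to_private(route_table: List[Route]) -> List[Route]:
    """Drop every route that sends traffic to an Internet Gateway, as the text describes."""
    return [r for r in route_table if not r.target.startswith("igw-")]


# Constructed sample tables for a 10.0.0.0/16 VPC.
VPC_CIDR = "10.0.0.0/16"
PUBLIC_RT = [Route(VPC_CIDR, "local"), Route("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_RT = [Route(VPC_CIDR, "local"), Route("0.0.0.0/0", "nat-EXAMPLE")]
# Private subnet that also reaches an on-premises 192.168.0.0/16 network over VPN:
# that traffic goes to the virtual private gateway, never to the NAT device or the Internet.
VPN_RT = [
    Route(VPC_CIDR, "local"),
    Route("192.168.0.0/16", "vgw-EXAMPLE"),
    Route("0.0.0.0/0", "nat-EXAMPLE"),
]

if __name__ == "__main__":
    for name, table in [("public", PUBLIC_RT), ("private", PRIVATE_RT), ("vpn", VPN_RT)]:
        print(name, subnet_kind(table),
              "10.0.3.7 ->", resolve(table, "10.0.3.7"),
              "192.168.10.5 ->", resolve(table, "192.168.10.5"),
              "8.8.8.8 ->", resolve(table, "8.8.8.8"))
    print("after removing the IG route:", subnet_kind(convert_to_private(PUBLIC_RT)))
```

The VPN table is the case the Subnet Routing bullets describe: 192.168.10.5 matches both 192.168.0.0/16 and 0.0.0.0/0, and the longer prefix wins, so the packet leaves through the virtual private gateway and no public or Elastic IP is involved.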


Security Group

  • Acts as firewall for an instance

  • Controls inbound and outbound traffic for the instance

  • Up to five Security Groups can be assigned to an instance

  • If a security group is not assigned, then the default security group is assigned automatically

  • There are separate inbound and outbound rules

  • You can specify allow rules, but not deny rules

  • Protocols and port numbers are part of each rule

  • Security Groups are stateful: if you send outbound traffic, the corresponding inbound (reply) traffic is automatically allowed, regardless of the inbound rules

  • A new Security Group has no inbound rule

  • You need to assign inbound rules to allow traffic

  • By default an outbound rule is automatically added to Security Group that allows all outbound traffic

  • There are quotas for number of security group per VPC, number of rules in each Security Group and number of Security Groups for each network interface

  • Security Group assigned to an instance can be changed

  • When creating a Security Group, a name and description must be provided

  • A Security Group name cannot begin with "sg-"


Security Group Rules:

  • New Security Group rules can be added and old ones can be removed

  • Access can be granted to specific CIDR range, another Security Group in the VPC or peer VPC

  • For inbound the source can be another Security Group, an IPv4 or IPv6 CIDR block or single CIDR or prefix list ID

  • An optional descriptor for the security group can be mentioned

  • Security Group rule can be added using CLI, console or API call

  • Security Group rules filter traffic by destination port

  • Default Security Group - Cannot be deleted but can be modified
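The Security Group bullets above describe a small but easy-to-misread rule set: rules only allow (there is no deny), a new group has no inbound rules but allows all outbound traffic, evaluation is stateful so replies to permitted traffic pass regardless of the rules for that direction, and the name must not start with "sg-". The following added example models that behaviour in Python so the stateful case can be seen concretely; it is not code from the original post, and the connection-tracking table, rule layout, sample addresses (TEST-NET ranges) and the "web" group are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One allow rule. Security Groups have no deny rules, so a rule can only permit."""
    protocol: str      # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int     # port range; ignored for icmp and -1
    to_port: int
    cidr: str          # peer block: source for inbound rules, destination for outbound rules

    def matches(self, protocol: str, peer_ip: str, port: int) -> bool:
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        if self.protocol in ("tcp", "udp") and not (self.from_port <= port <= self.to_port):
            return False
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr)


ALLOW_ALL_OUTBOUND = Rule("-1", 0, 65535, "0.0.0.0/0")

# A flow is identified by (protocol, peer_ip, peer_port, local_port); the same key
# describes a packet and its reply, which is what makes the group stateful.
FlowKey = Tuple[str, str, int, int]


@dataclass
class SecurityGroup:
    name: str
    description: str
    inbound: List[Rule] = field(default_factory=list)                          # new group: no inbound rules
    outbound: List[Rule] = field(default_factory=lambda: [ALLOW_ALL_OUTBOUND])  # new group: allow all outbound
    tracked: Set[FlowKey] = field(default_factory=set)  # flows already permitted (models connection tracking)

    def __post_init__(self) -> None:
        if not self.name or not self.description:
            raise ValueError("a Security Group needs both a name and a description")
        if self.name.startswith("sg-"):
            raise ValueError("a Security Group name cannot begin with 'sg-'")

    def allow_outbound(self, protocol: str, peer_ip: str, peer_port: int, local_port: int) -> bool:
        """Outbound packet to peer_ip:peer_port. Replies to tracked inbound flows always pass;
        otherwise the outbound rules are checked against the destination port."""
        key = (protocol, peer_ip, peer_port, local_port)
        if key in self.tracked:
            return True
        if any(r.matches(protocol, peer_ip, peer_port) for r in self.outbound):
            self.tracked.add(key)
            return True
        return False

    def allow_inbound(self, protocol: str, peer_ip: str, peer_port: int, local_port: int) -> bool:
        """Inbound packet from peer_ip:peer_port to local_port. Replies to tracked outbound flows
        always pass; otherwise the inbound rules are checked against the destination (local) port."""
        key = (protocol, peer_ip, peer_port, local_port)
        if key in self.tracked:
            return True
        if any(r.matches(protocol, peer_ip, local_port) for r in self.inbound):
            self.tracked.add(key)
            return True
        return False


def web_server_group() -> SecurityGroup:
    """Constructed example: a group that only admits HTTPS from anywhere."""
    return SecurityGroup("web", "HTTPS only", inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")])


if __name__ == "__main__":
    sg = web_server_group()
    print("client -> :443  ", sg.allow_inbound("tcp", "198.51.100.7", 51000, 443))    # True, rule
    print("client -> :22   ", sg.allow_inbound("tcp", "198.51.100.7", 51001, 22))     # False, no rule
    print("us -> api:443   ", sg.allow_outbound("tcp", "203.0.113.5", 443, 40000))    # True, default outbound
    print("api reply :40000", sg.allow_inbound("tcp", "203.0.113.5", 443, 40000))     # True, stateful reply
    print("stranger :40000 ", sg.allow_inbound("tcp", "203.0.113.6", 443, 40000))     # False, no flow, no rule
```

The fourth line is the point of the statefulness bullet: port 40000 never appears in any inbound rule, yet the reply is accepted because the outbound request was tracked. A group created with outbound=[] blocks that request in the first place, so its reply is never tracked and is rejected.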


VPC Peering

  • Networking connection between two VPCs to enable private traffic between the two VPCs

  • Instances in the two VPCs can communicate with each other without going over Internet

  • VPC owning accounts need not be the same

  • AWS provides infrastructure for peering connection

  • There is no single point of failure

  • There is no bandwidth limitation


Elastic IP Address

  • Provides a static public IPv4 address, which is needed for connecting to the Internet

  • Can be associated to any instance or network interface

  • Allocated to an account

  • Does not disappear with the termination or failure of an instance

  • Can be assigned to another instance

  • Limited number of Elastic IP available per account - 5 per account

  • Customer is charged when Elastic IP is not in use

  • IPv6 not supported


VPC Endpoint (Private Link)

  • Enables connecting VPC to AWS Services without using Internet

  • Safe and secured

  • No Internet Gateway, NAT, Direct Connect or VPN is needed

  • Instances in VPC do not require public IP

  • Traffic does not leave AWS network

  • Endpoints can be created through the Console, CLI, API or SDK

  • Endpoints are powered by AWS PrivateLink

  • VPC Endpoints are virtual devices

  • Horizontally scalable, redundant and highly available

  • Types of Endpoints

    • Interface Endpoints

    • Gateway Load Balancer Endpoints

    • Gateway Endpoints

      • S3 and DynamoDB

