VPC: Virtual Private Cloud 🐼

Lets you create your own isolated network inside AWS's network (IPv4, and optionally IPv6), i.e. a virtual network on top of the physical layer, defined by the range of IP addresses (the CIDR block) you choose.

Components
Subnets
๐Ÿง CIDR specifies a range of IP addresses.
๐Ÿง Once the range is decided, further split it into a chunk of networks called subnetting. For clear understanding read the post on CIDR
There should not be a conflicting CIDR range.
๐Ÿง Remember no IP is public or private, its routable that decides public and private subnets when associated

Route table and Router
๐Ÿง Routable holds information on which IP's can communicate via what (Internet gateway/ NAT gateway, Virtual private gateway...) or with whom (internal subnets). Because of the information entered in the table, it helps the network packets to reach it's destination.
๐Ÿง What Router does is - It takes all the route tables defined in respective VPC and routes the traffic either locally i.e. subnets or outside the VPC based on the routes defined in Route Tables. Hence - Route table holds information about how the routing happens and router routes based on the information in route table.
๐Ÿง With every VPC there is one Router dedicated to it, also one default Route table with local route is created along with VPC.
๐Ÿง When route table has route defined concerning to only local subnets, its a private route table but if it has routes that define talking to the outside (internet) it becomes a public route table.

Elastic IP
๐Ÿง It is a static public IP.
When EC2 is created by default dynamically an IP address is assigned. But this IP is not permanent whenever EC2 is restarted IP changes. One can assign a permanent IP until, which we call it as Elastic IP.

ENI: Elastic Network Interface
๐Ÿง Its just like virtual Network Interface card (NIC)
๐Ÿง How is useful?
Let's say my website is running in an EC2 instance on some X-IP and the backend for whatsoever stuff to workaround I have fed this IP. For some reason, this EC2 gets shut down or get corrupted. I take some time to fixate and debug what's wrong, but in this time period, I will lose my clients, or I would rather like to start new EC2 and for that, I have to feed that new IP in all of my backend which is frustrating.
๐Ÿง Instead, I create an ENI with Y-IP attach to my EC2. Again if this time EC2 fails/corrupted, I will simply detach ENI create new EC2 attach ENI having Y IP without any tedious work.

Internet Gateway -IGW
๐Ÿง IGW allows VPC to reach the public internet.
๐Ÿง There is only one Internet Gateway per VPC. Devices that have public IP i.e. residing in public subnets will be able to connect directly to the internet.

NAT gateway
๐Ÿง NAT gateway sits in public subnets within VPC and is given Public IP address. With the help of NAT private subnets will be able to access public internet, but why?
Ex:
๐Ÿง There is DB server in private subnet and it may need internet access for requirements such as updating patches or any latest updation...
To know these requirements it would need to get connected to some repo online. NAT is sitting over public subnet connected to IGW who can talk to outside world.
๐Ÿง Hence request is sent from DB sitting in private subnet to NAT then to IGW and outside world to the requested destination. No new request will be addressed nor anyone can directly communicate to NAT from the internet world.
๐Ÿง NAT works only when the system has requested/initiated the conversation. None from outside can initiate a conversation to private subnets. In tech terms, NAT gateway is used for outbound access to internet not inbound...i.e. private
๐Ÿง It works only for ipv4
๐Ÿง NAT is managed service

VPC endpoints
๐Ÿง Some AWS resources aren't within the VPC. So if some instance sitting inside the public subnets needs to talk to S3 how will it do?
๐Ÿง Remember S3 isn't within VPC. If the instance wants to talk, it has to pass through Internet gateway sitting on VPC edge and connect to S3, but this is happening on a public network, we have no control over the network so technically speaking our trust dwindles if we are passing/accessing the data over a public network. This is pretty risky to get breached by an intruder.
๐Ÿง An alternative is VPC endpoints.
๐Ÿง An endpoint is created which nothing but a beginning point of private link sitting on VPC's edge. Instance connects to this endpoint (VPCe) and then connect to S3. Now the connection between VPCe to S3 is over a private network... within AWS' network.

VPC Peering
๐Ÿง Connects VPC to VPC across regions without having to go via internet.
It can be within the same AWS account or cross-account having same region/inter-region.
๐Ÿง Allows complete control over network, even allows private instance to communicate across regions.
Possible to connect multiple VPC together .
๐Ÿง What exactly VPC peering does? Suppose there are three VPC is been created, these VPC can be in the same account or in a different AWS account. For some reason subnets in this VPC have to communicate with other subnets in other VPC. How to achieve this while maintaining security?
๐Ÿง What VPC peering does is - It allows to create a peering request with another VPC either in same account or in different account of AWS and then route between these VPCs by adding routes to the route tables.
An important fact is subnets in each of these VPC shouldn't overlap.
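A peering plan for the three-VPC scenario above, as an added example that is not part of the original notes: it rejects overlapping CIDRs the way the peering request would be rejected, generates the route entries both sides need, and shows that A reaches B but not C, because a peer's peers are not reachable. VPC IDs, CIDRs and peering IDs are constructed sample values.

```python
"""VPC peering plan: overlap check, routes to add, and non-transitivity.

Added example, not from the original notes. The VPC IDs, CIDR blocks and
peering connection IDs are constructed sample values.
"""
from __future__ import annotations

import ipaddress

VPCS = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.1.0.0/16", "vpc-c": "10.2.0.0/16"}
# (requester, accepter, peering connection): A<->B and B<->C, but no A<->C
PEERINGS = [("vpc-a", "vpc-b", "pcx-ab"), ("vpc-b", "vpc-c", "pcx-bc")]


def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """AWS refuses a peering between VPCs whose CIDR blocks overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def routes_to_add(vpcs: dict[str, str], peerings: list[tuple[str, str, str]]) -> dict[str, dict[str, str]]:
    """Per VPC, the route table entries needed: peer CIDR -> peering connection.

    Routes must be added on both sides; a one-sided route lets packets out
    but the replies have nowhere to go.
    """
    routes: dict[str, dict[str, str]] = {vpc: {} for vpc in vpcs}
    for a, b, pcx in peerings:
        if not can_peer(vpcs[a], vpcs[b]):
            raise ValueError(f"{a} and {b} have overlapping CIDRs; peering would be rejected")
        routes[a][vpcs[b]] = pcx
        routes[b][vpcs[a]] = pcx
    return routes


def reachable(src_vpc: str, dst_ip: str, vpcs: dict[str, str], routes: dict[str, dict[str, str]]) -> str | None:
    """Which path carries a packet from src_vpc to dst_ip: 'local', a
    peering ID, or None. Only direct peerings count; there is no transit."""
    ip = ipaddress.ip_address(dst_ip)
    if ip in ipaddress.ip_network(vpcs[src_vpc]):
        return "local"
    for cidr, pcx in routes[src_vpc].items():
        if ip in ipaddress.ip_network(cidr):
            return pcx
    return None


if __name__ == "__main__":
    plan = routes_to_add(VPCS, PEERINGS)
    for vpc, entries in plan.items():
        print(vpc, entries)
    print("a -> b:", reachable("vpc-a", "10.1.4.4", VPCS, plan))
    print("a -> c:", reachable("vpc-a", "10.2.4.4", VPCS, plan))  # None: not transitive
    # constructed failure: a VPC whose block sits inside vpc-a's
    print("can peer 10.0.0.0/16 with 10.0.1.0/24?", can_peer("10.0.0.0/16", "10.0.1.0/24"))
```

Adding the route is necessary but not sufficient: the security groups (and any network ACL) on the destination still have to admit the peer's addresses, which is where the "maintaining security" part of the question is answered.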

Virtual Private Gateway
๐Ÿง It sits on edge of VPC allowing VPN connectivity to come in and out of the VPC.

Bastion host
🧐 What if we want to ssh into a server sitting inside a private subnet? The subnet has no route from the internet, so we cannot reach it directly, and that is by design.
To do this there is an instance, the bastion (jump host), sitting in a public subnet: ssh into that instance, then ssh from it into the system in the private subnet. Keep the bastion's security group limited to port 22 from known admin source IPs, use ssh agent forwarding or ProxyJump instead of copying private keys onto the bastion, and log its sessions. On AWS, SSM Session Manager can replace the bastion entirely, so that no inbound port is open at all.

Security groups
๐Ÿง Applied at instance level such as EC2 and Load balance.
๐Ÿง Protects individual resources assigned to.
๐Ÿง The default is to allow all outbound and deny all inbound.
๐Ÿง Apply role-based on a security group level
๐Ÿง When outbound rule is defined on some port by default inbound rule is alloted too.
๐Ÿง Every virtual private cloud has a default security group, and each instance you launch will be associated with this default security group.
You cannot, however, delete a default security group from your VPC
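The stateful behaviour described for the NAT gateway above (replies to connections the private host initiated get back in, nothing else does) and for security groups here is the same mechanism, so one added example covers both; it is not code from the original notes. A small connection-tracking filter is run first with no inbound rules at all, which is how a NAT gateway behaves, and then as a DB tier security group with one inbound rule and no egress, to show that replies still flow out while new outbound connections are blocked. All addresses, ports and rules are constructed.

```python
"""Stateful filtering as a NAT gateway and a security group do it.

Added example, not from the original notes. Rules, addresses and packet
sequences are constructed. A rule is (cidr, port); port None means any port.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "out" = leaving the protected host, "in" = arriving at it


@dataclass
class StatefulFilter:
    """Allow rules for each direction plus a table of tracked connections.

    Defaults match a new security group: allow all outbound, deny all inbound.
    A NAT gateway is the same thing with an empty inbound list.
    """
    inbound: list[tuple[str, int | None]] = field(default_factory=list)
    outbound: list[tuple[str, int | None]] = field(default_factory=lambda: [("0.0.0.0/0", None)])
    flows: set[tuple[str, int, str, int]] = field(default_factory=set)

    def allow(self, p: Packet) -> bool:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        # Reply to a connection already admitted: allowed regardless of rules.
        if reverse in self.flows:
            return True
        rules = self.outbound if p.direction == "out" else self.inbound
        remote = ipaddress.ip_address(p.dst if p.direction == "out" else p.src)
        for cidr, port in rules:
            if remote in ipaddress.ip_network(cidr) and port in (None, p.dport):
                self.flows.add(key)  # remember it so the reply gets through
                return True
        return False


def nat_gateway_demo() -> list[bool]:
    """DB server behind NAT fetches patches; an unsolicited inbound is dropped."""
    nat = StatefulFilter(inbound=[])
    return [
        nat.allow(Packet("10.0.1.5", 51000, "93.184.216.34", 443, "out")),  # True: initiated inside
        nat.allow(Packet("93.184.216.34", 443, "10.0.1.5", 51000, "in")),   # True: reply to tracked flow
        nat.allow(Packet("198.51.100.7", 40000, "10.0.1.5", 22, "in")),     # False: nobody asked for this
    ]


def security_group_demo() -> list[bool]:
    """DB tier group: 3306 from the app subnet only, and no egress at all."""
    db_sg = StatefulFilter(inbound=[("10.0.0.0/24", 3306)], outbound=[])
    return [
        db_sg.allow(Packet("10.0.0.10", 52000, "10.0.1.5", 3306, "in")),     # True: inbound rule
        db_sg.allow(Packet("10.0.1.5", 3306, "10.0.0.10", 52000, "out")),    # True: reply, no egress rule needed
        db_sg.allow(Packet("10.0.1.5", 40000, "93.184.216.34", 443, "out")), # False: DB may not call out
        db_sg.allow(Packet("10.0.0.10", 52001, "10.0.1.5", 22, "in")),       # False: no rule for 22
    ]


if __name__ == "__main__":
    print("NAT gateway:", nat_gateway_demo())
    print("DB security group:", security_group_demo())
```

The third packet in the security group demo is the one worth remembering: an empty egress list does not break the DB's replies to the app tier, so "allow all outbound" is rarely something a private tier actually needs.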
Flow logs