VPC: Virtual Private Cloud 🐼
A VPC lets you create your own network inside AWS's network (IPv4/IPv6), i.e. a virtual network on top of the physical layer, defined by the range of IP addresses you choose.
Components
Subnets
🧁 A CIDR block specifies a range of IP addresses.
🧁 Once the VPC's range is decided, it is further split into smaller networks; this is called subnetting. For a clearer understanding, read the post on CIDR.
CIDR ranges must not conflict (overlap) with each other.
🧁 Remember that no IP address is public or private by itself; it is the route table associated with a subnet that decides whether the subnet is public or private.
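To make the subnetting and the "no conflicting CIDR" rule concrete, here is an added example (not code from the original notes) that carves a VPC CIDR into subnets, accounts for the five addresses AWS reserves in every subnet, and flags overlapping ranges. The VPC and subnet values are constructed samples.

```python
# Added example: carve a VPC CIDR into subnets and reject conflicting
# (overlapping) ranges, using only the standard library.
# The VPC/subnet values used here are constructed samples.
import ipaddress

# AWS reserves 5 addresses per subnet: network address, VPC router,
# DNS resolver, one for future use, and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def carve_subnets(vpc_cidr, new_prefix):
    """Split vpc_cidr into equal subnets of /new_prefix (e.g. /16 -> /24s)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if new_prefix <= vpc.prefixlen:
        raise ValueError("subnet prefix must be longer than the VPC prefix")
    return [str(s) for s in vpc.subnets(new_prefix=new_prefix)]


def usable_hosts(subnet_cidr):
    """Addresses actually assignable to instances in an AWS subnet."""
    net = ipaddress.ip_network(subnet_cidr)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def find_conflicts(cidrs):
    """Return the pairs of CIDRs that overlap; an empty list means no conflict."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    conflicts = []
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            if nets[i].overlaps(nets[j]):
                conflicts.append((str(nets[i]), str(nets[j])))
    return conflicts


if __name__ == "__main__":
    subnets = carve_subnets("10.0.0.0/16", 24)
    print(len(subnets), "subnets; first:", subnets[0],
          "usable hosts:", usable_hosts(subnets[0]))
    # A /24 added by hand inside an existing /20 is a conflict.
    print(find_conflicts(["10.0.0.0/20", "10.0.16.0/20", "10.0.1.0/24"]))
```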
Route table and Router
🧁 A route table holds information on which IPs can communicate via what (Internet gateway, NAT gateway, virtual private gateway, ...) or with whom (internal subnets). Because of the information entered in the table, network packets can reach their destination.
🧁 What the router does: it takes all the route tables defined in the respective VPC and routes traffic either locally, i.e. between subnets, or outside the VPC, based on the routes defined in the route tables. Hence the route table holds the information about how routing happens, and the router routes based on that information.
🧁 Every VPC has one router dedicated to it, and one default route table with a local route is created along with the VPC.
🧁 When a route table only has a route for the local subnets, it is a private route table; if it has routes for talking to the outside (the internet), it becomes a public route table.
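The following is an added example (not from the original notes) of how the router resolves a destination against a route table: the most specific matching route wins, the default table only knows the local route, and a table counts as public when one of its routes targets an Internet gateway (the assumption used here for "talking to the outside"). The route tables and gateway ids are constructed samples.

```python
# Added example: a toy model of the VPC router's longest-prefix-match lookup
# and of what makes a route table public or private.
# Route tables and target ids below are constructed samples.
import ipaddress


def lookup_route(route_table, dest_ip):
    """Return the target for dest_ip; the most specific matching route wins."""
    dest = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None  # None: no route, the packet is dropped


def is_public_route_table(route_table):
    """Public if any route hands traffic to an Internet gateway (igw-...)."""
    return any(target.startswith("igw-") for _, target in route_table)


# Every VPC gets a default route table holding only the local route.
VPC_CIDR = "10.0.0.0/16"
DEFAULT_RT = [(VPC_CIDR, "local")]
# Public subnet: local route plus a default route to the Internet gateway.
PUBLIC_RT = DEFAULT_RT + [("0.0.0.0/0", "igw-0123456789abcdef0")]
# Private subnet: local route plus a default route to a NAT gateway
# (outbound-only internet access, no inbound reachability from outside).
PRIVATE_RT = DEFAULT_RT + [("0.0.0.0/0", "nat-0123456789abcdef0")]

if __name__ == "__main__":
    for name, rt in [("default", DEFAULT_RT), ("public", PUBLIC_RT),
                     ("private", PRIVATE_RT)]:
        print(name, "public" if is_public_route_table(rt) else "private",
              lookup_route(rt, "10.0.2.15"), lookup_route(rt, "203.0.113.10"))
```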
Elastic IP
🧁 It is a static public IP.
When an EC2 instance is created, an IP address is assigned dynamically by default. This IP is not permanent: whenever the instance is stopped and restarted, the IP changes. One can instead assign a permanent IP, which is called an Elastic IP.
ENI: Elastic Network Interface
🧁 It's just like a virtual network interface card (NIC).
🧁 How is it useful?
Let's say my website is running in an EC2 instance on some IP X, and I have fed this IP into the backend for whatever it needs. For some reason this EC2 instance gets shut down or corrupted. It takes me some time to debug and fix what's wrong, and in this period I lose my clients; or I would rather start a new EC2 instance, but then I have to feed the new IP into all of my backend, which is frustrating.
🧁 Instead, I create an ENI with IP Y and attach it to my EC2 instance. If the instance fails or gets corrupted this time, I simply detach the ENI, create a new EC2 instance and attach the ENI that holds IP Y, without any tedious rework.
Internet Gateway - IGW
🧁 An IGW allows the VPC to reach the public internet.
🧁 There is only one Internet gateway per VPC. Devices that have a public IP, i.e. residing in public subnets, are able to connect directly to the internet.
NAT gateway
🧁 A NAT gateway sits in a public subnet within the VPC and is given a public IP address. With the help of NAT, private subnets are able to access the public internet. But why would they need to?
Ex:
🧁 There is a DB server in a private subnet, and it may need internet access for requirements such as installing patches or any other update.
To fetch these it would need to connect to some repository online. The NAT gateway sits in a public subnet connected to the IGW, which can talk to the outside world.
🧁 Hence the request is sent from the DB in the private subnet to the NAT gateway, then to the IGW and out to the requested destination. No new request arriving from outside will be served, and nobody on the internet can directly communicate with the NAT gateway.
🧁 NAT works only when the system inside has requested/initiated the conversation. Nobody from outside can initiate a conversation with the private subnets. In technical terms, a NAT gateway is used for outbound access to the internet, not inbound, i.e. the subnets stay private.
🧁 It works only for IPv4.
🧁 NAT gateway is a managed service.
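To show why the private subnet gets outbound-only access, here is an added example (not from the original notes) of a toy NAT gateway: a connection started from inside creates a translation entry, the reply is mapped back to the private address, and a packet from the internet with no matching entry is dropped. All addresses are constructed samples (10.0.x.x is the VPC, 198.51.100.7 the NAT's public IP, 203.0.113.x the internet).

```python
# Added example: toy NAT gateway illustrating outbound-only connectivity.
# Addresses are constructed samples; the remote-endpoint check on inbound
# packets is a simplification of how a real NAT tracks connections.

class NatGateway:
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # nat_port -> (private_ip, private_port, (remote_ip, remote_port))
        self.reverse = {}  # (private_ip, private_port, remote) -> nat_port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet from the private subnet heading out: rewrite its source."""
        key = (src_ip, src_port, (dst_ip, dst_port))
        nat_port = self.reverse.get(key)
        if nat_port is None:
            # First packet of a conversation the inside host initiated:
            # allocate a public port and remember who asked.
            nat_port = self.next_port
            self.next_port += 1
            self.table[nat_port] = key
            self.reverse[key] = nat_port
        return (self.public_ip, nat_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet from the internet addressed to the NAT's public IP."""
        entry = self.table.get(dst_port)
        if entry is None or entry[2] != (src_ip, src_port):
            return None  # unsolicited: nobody inside asked for this, drop it
        private_ip, private_port, _ = entry
        return (src_ip, src_port, private_ip, private_port)


if __name__ == "__main__":
    nat = NatGateway("198.51.100.7")
    # DB server in the private subnet fetches patches from a repo on :443.
    print(nat.outbound("10.0.2.15", 40000, "203.0.113.10", 443))
    print(nat.inbound("203.0.113.10", 443, 1024))    # reply, mapped back
    print(nat.inbound("203.0.113.99", 12345, 1024))  # unsolicited, dropped
```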
VPC endpoints
🧁 Some AWS resources aren't within the VPC. So if some instance sitting inside a public subnet needs to talk to S3, how will it do that?
🧁 Remember S3 isn't within the VPC. If the instance wants to talk to it, the traffic has to pass through the Internet gateway sitting on the VPC edge and then connect to S3. But this happens over a public network that we have no control over, so technically our trust dwindles if we are passing/accessing the data over a public network. It is risky: the traffic could be intercepted by an intruder.
🧁 The alternative is VPC endpoints.
🧁 An endpoint is created, which is nothing but the beginning point of a private link sitting on the VPC's edge. The instance connects to this endpoint (VPCe), which then connects to S3. Now the connection from the VPCe to S3 is over a private network, within AWS's network.
VPC Peering
🧁 Connects a VPC to another VPC, across regions if needed, without going via the internet.
It can be within the same AWS account or cross-account, in the same region or inter-region.
🧁 Allows complete control over the network; it even allows private instances to communicate across regions.
It is possible to connect multiple VPCs together.
🧁 What exactly does VPC peering do? Suppose three VPCs have been created, in the same account or in different AWS accounts. For some reason subnets in one VPC have to communicate with subnets in another VPC. How can this be achieved while maintaining security?
🧁 VPC peering allows you to create a peering request with another VPC, either in the same account or in a different AWS account, and then route between these VPCs by adding routes to the route tables.
An important fact is that the subnets in each of these VPCs must not overlap.
Virtual Private Gateway
🧁 It sits on the edge of the VPC, allowing VPN connectivity to come in and out of the VPC.
Bastion host
🧁 What if we want to SSH into a private server sitting inside a private subnet? Reaching it directly is against the rules (a private subnet is not reachable from the internet).
To do this there is an instance sitting in a public subnet: SSH into that instance, then SSH from it into the private system sitting in the private subnet.
Security groups
🧁 Applied at the instance level, e.g. to EC2 instances and load balancers.
🧁 Protects the individual resources it is assigned to.
🧁 The default is to allow all outbound and deny all inbound.
🧁 Access is rule-based, applied at the security group level.
🧁 When an outbound rule allows traffic on some port, the return traffic for that connection is allowed back in automatically (security groups are stateful).
🧁 Every VPC has a default security group, and each instance you launch is associated with this default security group unless another one is specified.
You cannot, however, delete the default security group of your VPC.
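As an added example (not from the original notes), here is a toy evaluator for the security-group behaviour described above: deny all inbound and allow all outbound by default, explicit allow rules only, and stateful acceptance of return traffic for connections the instance itself opened. The rule tuples and addresses are constructed samples; the rule format is this example's own, not the AWS API's.

```python
# Added example: toy security-group evaluator (default deny inbound,
# default allow outbound, explicit allow rules, stateful return traffic).
# Rules are (protocol, from_port, to_port, cidr); "all" matches any protocol.
import ipaddress


class SecurityGroup:
    def __init__(self, inbound=(), outbound=(("all", 0, 65535, "0.0.0.0/0"),)):
        self.inbound = list(inbound)      # empty by default: deny all inbound
        self.outbound = list(outbound)    # allow all outbound by default
        self.tracked = set()              # connections this instance initiated

    @staticmethod
    def _matches(rules, proto, port, peer_ip):
        peer = ipaddress.ip_address(peer_ip)
        for p, lo, hi, cidr in rules:
            if p in ("all", proto) and lo <= port <= hi and peer in ipaddress.ip_network(cidr):
                return True
        return False

    def allow_outbound(self, proto, dst_ip, dst_port, src_port):
        ok = self._matches(self.outbound, proto, dst_port, dst_ip)
        if ok:
            self.tracked.add((proto, dst_ip, dst_port, src_port))
        return ok

    def allow_inbound(self, proto, src_ip, src_port, dst_port):
        # Stateful: replies to a connection we opened need no inbound rule.
        if (proto, src_ip, src_port, dst_port) in self.tracked:
            return True
        return self._matches(self.inbound, proto, dst_port, src_ip)


# Constructed web-tier group: HTTPS from anywhere, SSH only from the
# bastion's public subnet 10.0.1.0/24.
WEB_SG_RULES = [("tcp", 443, 443, "0.0.0.0/0"), ("tcp", 22, 22, "10.0.1.0/24")]

if __name__ == "__main__":
    sg = SecurityGroup(inbound=WEB_SG_RULES)
    print(sg.allow_inbound("tcp", "203.0.113.10", 50000, 443))  # True
    print(sg.allow_inbound("tcp", "203.0.113.10", 50000, 22))   # False
    print(sg.allow_inbound("tcp", "10.0.1.5", 50000, 22))       # True
    sg.allow_outbound("tcp", "203.0.113.10", 443, 40000)
    print(sg.allow_inbound("tcp", "203.0.113.10", 443, 40000))  # True (reply)
```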
Flow logs