Before going to AWS VPC (Virtual Private Cloud), we need to understand the basic networking terms that are used in all cloud environments. I have tried to cover all aspects of AWS VPC that help you understand the AWS VPC fundamentals.
A. Basic Networking:
Below are the networking basics which you should know to understand AWS VPC.
1. IPv4 Address:
An IPv4 address is the logical address of your server; using this address one server can talk to another server. The IP address has two parts:
1. Network ID
2. Host ID
IP Address = Network ID + Host ID
An IPv4 address is 32 bits long and has four octets. Every octet has a value between 0 and 255, and the octets are separated with a "." (dot).
e.g. 192.168.39.40
The IP address range is classified into multiple classes (A, B, C, D, E, F). Each class has a different IP range and is reserved for a different purpose.
Some specific ranges are reserved for private networks ("private IP"); the others are public or reserved for other purposes.
2. Classless Inter-Domain Routing (CIDR)
CIDR is a way to define a range of contiguous IP addresses.
Representation: A.B.C.D/N
N is the number of bits reserved for the network. The above CIDR represents 2^(32-N) IP addresses.
e.g. 10.10.10.0/31
Number of IPs = 2^(32-31) = 2
This CIDR contains 2 IPs, i.e. 10.10.10.0 and 10.10.10.1.
3. Public IP vs Private IP
A public IP address is an IP address that can be reached over the Internet. A public IP address is a globally unique IP address assigned to a computing device.
A private IP address is an IP address that can be reached only within the private network.
4. Subnet and Subnetting
Dividing a big network IP range into smaller networks is called subnetting. These small network ranges are called subnets.
5. IPv4 vs IPv6 IP Address
IPv4 and IPv6 addresses are both binary numbers. An IPv4 address is a 32-bit binary number, while an IPv6 address is a 128-bit binary number. The parts of an IPv4 address are separated by "." (dots), while the parts of an IPv6 address are separated by ":" (colons).
6. NIC (Network Interface Card)
The IP address is the logical address of your server; using this address one server can talk to other servers. The IP address is assigned to a specific device in the server called the NIC. A server can have multiple NICs.
B. AWS Virtual Private Cloud (VPC):
A VPC is a virtual network or virtual data center in AWS. Each VPC is logically isolated from every other VPC in AWS. You can manage a VPC using the AWS console, the AWS API or the AWS SDK, depending on your needs.
As the name implies, this is a virtual network, and every network has one or more sub-networks for different purposes, e.g. HR, IT etc. The AWS VPC is your network and a Subnet inside the VPC is your sub-network. So if you want to create a network for your organization, you will create a VPC and create Subnets under the VPC for the sub-networks.
If you want isolated networks for multiple divisions of your organization, you will create multiple VPCs and create Subnets under these VPCs according to the requirement.
So in order to learn VPC you need to remember two words: Network and Subnetwork.
A VPC is created under an AWS region and a Subnet is created under an Availability Zone. One region can have multiple VPCs and one VPC can have multiple Subnets.
Below are the high-level components, services and properties of VPC, which we are going to discuss in this blog.
1. IPv4 CIDR (Classless Inter-Domain Routing)
2. Subnet
3. Implied Router
4. Internet Gateway (IGW)
5. Network Access Control List (NACL)
6. Security Group (SG)
7. Private and Public Subnet
8. Public and Elastic IP
9. NAT Instance
10. NAT Gateway
11. VPC Peering
12. Transit Gateway
13. VPC Flow Logs
14. VPC Endpoint
15. Virtual Private Gateway
16. AWS Direct Connect
1. IPv4 CIDR Block:
You need to provide an IPv4 address range, in CIDR form, to create the VPC. As per the RFC 1918 standard there are specific ranges reserved for private networks, so you have to use those IP ranges while defining the CIDR block of the VPC.
Below are the ranges which can be used as a VPC's CIDR.
- 10.0.0.0 - 10.255.255.255 (10/8 prefix)
- 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
Below are the points to remember while creating the VPC.
a. Once a VPC is created you cannot change its CIDR range, but you can expand it by adding a new IP address range. However, there are some limitations on this, e.g. you have to exclude some specific IP ranges, and the new range must not overlap with the existing VPC CIDR.
b. By default, you can create 5 VPCs per region, but this is a soft limit. It can be increased up to 100 VPCs per region by asking AWS support.
c. By default, you can add a maximum of 5 IPv4 CIDR blocks per VPC, but this is a soft limit. It can be increased up to 50 IPv4 CIDR blocks per VPC.
d. Maximum VPC size is /16 (65,536 IPs) and minimum VPC size is /28 (256 IPs).
In AWS we have two types of VPC.
1. Custom VPC: A VPC which is created by yourself is called a Custom VPC.
2. Default VPC: The VPC which is created by AWS by default in each region is the Default VPC. You can modify the components of your default VPC as needed.
2. Subnet:
Once you have created the VPC, you have created a network with a specific IP range. Now you want to use these IP addresses, so you have to create a sub-network; in AWS the Subnet is your logical sub-network. When you create a virtual server in AWS, you assign a subnet to the virtual server and AWS picks an IP from that Subnet only.
a. A Subnet is created under a VPC. The VPC is region specific and the Subnet is Availability Zone specific.
b. The Subnet CIDR is a subset of the VPC CIDR. Subnets cannot be larger than the VPC in which they are created.
c. You can create a maximum of 200 subnets in a VPC. We will discuss Subnets in a later section.
d. AWS reserves five IP addresses in each subnet; you cannot assign these IPs to a server.
First IP of Subnet: Reserved for the base network address
Second IP of Subnet: Reserved for the VPC Router
Third IP of Subnet: Reserved for DNS
Fourth IP of Subnet: Reserved for future use
Last IP of Subnet: Reserved for the broadcast address. AWS does not support broadcast in a VPC.
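As an added example (not part of the original post), here is Python code using the standard ipaddress module that applies the CIDR arithmetic from section A.2 and the VPC/Subnet rules above: block size 2^(32-N), the RFC 1918 check for a VPC CIDR, the subnet-inside-VPC check, the overlap check that the expansion and peering rules rely on, and the five addresses AWS reserves in every subnet. All CIDRs passed to it in the tests are constructed samples.

```python
import ipaddress

# The three RFC 1918 ranges the post lists as valid sources of a VPC CIDR.
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def cidr_size(cidr):
    """Number of addresses in A.B.C.D/N, i.e. 2 ** (32 - N)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def is_rfc1918(cidr):
    """True only if the whole block lies inside one private range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


def subnet_fits_vpc(vpc_cidr, subnet_cidr):
    """A subnet CIDR must be a subset of the VPC CIDR (never larger)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    sub = ipaddress.ip_network(subnet_cidr, strict=False)
    return sub.subnet_of(vpc)


def cidrs_overlap(a, b):
    """Overlapping ranges cannot be peered or added to the same VPC."""
    return ipaddress.ip_network(a, strict=False).overlaps(
        ipaddress.ip_network(b, strict=False))


def aws_reserved(subnet_cidr):
    """The five addresses AWS reserves in every subnet, keyed by purpose."""
    net = ipaddress.ip_network(subnet_cidr, strict=False)
    base = int(net.network_address)
    return {
        "network": str(ipaddress.ip_address(base)),         # first IP
        "vpc_router": str(ipaddress.ip_address(base + 1)),  # second IP
        "dns": str(ipaddress.ip_address(base + 2)),         # third IP
        "future_use": str(ipaddress.ip_address(base + 3)),  # fourth IP
        "broadcast": str(net.broadcast_address),            # last IP
    }


def usable_hosts(subnet_cidr):
    """Addresses you can actually assign to instances in the subnet."""
    return cidr_size(subnet_cidr) - len(aws_reserved(subnet_cidr))
```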
3. Implied Router
In simple terms, the Implied Router connects the different Subnets in a VPC to each other, whether they are in the same Availability Zone or in different Availability Zones; it also connects the VPC to the IGW (Internet Gateway). The IGW connects the VPC to the internet.
a. Every VPC has exactly one Implied Router.
b. The Implied Router has a route table, where you define the rules for communication.
c. One route table is created by default when the VPC is created. This route table is called the Main (Default) route table.
d. You can create additional route tables in the VPC; these are called Custom route tables.
e. You can make another route table the Main (Default) table, but there is only one Main route table in a VPC at a given time. You can edit the Main route table but cannot delete it.
f. You can have up to 200 route tables in a VPC.
g. You can have up to 50 entries in a route table.
h. Each subnet must be associated with exactly one route table at a given time. If you don't specify the association, the Subnet is associated with the Main (Default) route table.
i. You can change the association of a Subnet with a route table at any time.
j. Every route table (Default/Custom) comes with one rule that lets every Subnet in the VPC talk to each other.
4. Internet Gateway
It is the gateway through which your VPC connects to the internet and other AWS services.
The IGW is an AWS managed service, so it is a scaled, redundant and highly available service.
a. It performs NAT between public and private IP addresses.
b. It supports both IPv4 and IPv6 addresses.
c. VPC and IGW have a one-to-one mapping, meaning one VPC contains one IGW only.
5. Security Group
A Security Group is a virtual firewall, and it applies to the virtual server's NIC.
a. You can apply a maximum of 5 security groups on any NIC.
b. A Security Group can have only allow/permit rules; you cannot create a deny rule in a Security Group.
c. You can define two types of rules in a Security Group.
Inbound: Traffic coming into the NIC
Outbound: Traffic going out from the NIC
d. A Security Group is stateful, meaning the return traffic of an allowed inbound rule is allowed by default.
6. Network Access Control List (NACL)
A NACL is also a virtual firewall, but it applies at the Subnet level.
a. You can define inbound and outbound rules in a NACL. Each rule can either allow or deny traffic.
b. Unlike a Security Group, a NACL is stateless, meaning the return traffic of an inbound rule is denied by default. You have to specify a rule for the return traffic for proper communication.
c. One NACL can be associated with multiple subnets, but one subnet can be associated with only one NACL at a given time.
d. When we create a rule in a NACL, we have to give it a number (sequence). AWS evaluates the rules in order, starting with the lowest-numbered rule, to determine whether traffic is allowed in or out.
e. As the NACL is applied at the Subnet level, it automatically applies to all instances which belong to the subnet.
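To make the Security Group and NACL behaviour from sections 5 and 6 concrete, here is an added Python model (not code from the post or from AWS) of the two evaluation rules: allow-only and stateful for the Security Group, numbered first-match allow/deny and stateless for the NACL. The rule sets, the Packet type and the HTTPS request/reply pair are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str           # "inbound" or "outbound", relative to the instance
    port: int                # destination port of the packet
    is_return: bool = False  # True for a reply to an already-allowed flow


def sg_allows(sg_rules, pkt):
    """Security Group: allow-only rules, stateful. sg_rules is a set of
    (direction, port). A reply to an allowed flow passes with no rule of
    its own; everything else needs a matching allow rule."""
    if pkt.is_return:
        return True
    return (pkt.direction, pkt.port) in sg_rules


def nacl_allows(nacl_rules, pkt):
    """NACL: numbered allow/deny rules, stateless. nacl_rules is a list of
    (number, direction, port, action); port None means all ports. Rules are
    checked from the lowest number upward and the first match decides; a
    reply gets no special treatment and an unmatched packet is denied."""
    for _num, direction, port, action in sorted(nacl_rules, key=lambda r: r[0]):
        if direction == pkt.direction and port in (None, pkt.port):
            return action == "allow"
    return False


def flow_allowed(sg_rules, nacl_rules, request, reply):
    """A connection works only if both layers pass the request and the reply."""
    return all(sg_allows(sg_rules, p) and nacl_allows(nacl_rules, p)
               for p in (request, reply))


# Constructed sample policy for an HTTPS server (not from the post).
SG_RULES = {("inbound", 443)}
NACL_NO_RETURN_RULE = [(100, "inbound", 443, "allow"),
                       (200, "inbound", None, "deny"),
                       (300, "outbound", None, "deny")]
# Fix: an outbound allow numbered below the deny, so it is evaluated first.
NACL_FIXED = NACL_NO_RETURN_RULE + [(250, "outbound", None, "allow")]
# Same allow numbered above the deny: rule 300 matches first, reply still dropped.
NACL_WRONG_ORDER = NACL_NO_RETURN_RULE + [(350, "outbound", None, "allow")]

HTTPS_REQUEST = Packet("inbound", 443)
HTTPS_REPLY = Packet("outbound", 51000, is_return=True)  # client's ephemeral port
```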
7. Private and Public Subnet
An instance in a private Subnet either does not have internet access or accesses the internet via a NAT Instance/NAT Gateway. We will discuss NAT Instance/NAT Gateway later in this blog.
In simple terms, a "Private Subnet" does not connect directly to the Internet Gateway, meaning there is no entry in this Subnet's route table pointing to the Internet Gateway.
A public subnet routes internet traffic through an Internet Gateway. Instances in a public subnet require a public IP.
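The public/private distinction above is decided by the route table the Implied Router applies to each Subnet (section 3, points h and i). As an added example, not from the post, this Python code models a small constructed VPC with a Main route table and a Custom one, resolves which table each Subnet effectively uses (explicit association or Main fallback), does longest-prefix matching so the local route wins over 0.0.0.0/0, and classifies each Subnet by whether its default route targets an IGW. The gateway ids are placeholders.

```python
import ipaddress

# Constructed sample VPC (not from the post): two route tables, three subnets.
ROUTE_TABLES = {
    "rtb-main":   {"main": True,  "routes": [("10.0.0.0/16", "local"),
                                             ("0.0.0.0/0", "nat-EXAMPLE")]},
    "rtb-public": {"main": False, "routes": [("10.0.0.0/16", "local"),
                                             ("0.0.0.0/0", "igw-EXAMPLE")]},
}
SUBNETS = {
    "subnet-web": {"cidr": "10.0.1.0/24", "rtb": "rtb-public"},
    "subnet-app": {"cidr": "10.0.2.0/24", "rtb": "rtb-main"},
    "subnet-db":  {"cidr": "10.0.3.0/24", "rtb": None},  # no explicit association
}


def effective_route_table(subnets, tables, subnet_id):
    """An explicit association wins; otherwise the Main table applies."""
    rtb = subnets[subnet_id]["rtb"]
    if rtb is None:
        rtb = next(k for k, v in tables.items() if v["main"])
    return rtb


def route_target(tables, rtb_id, dest_ip):
    """Longest-prefix match: the 'local' route beats 0.0.0.0/0 for VPC IPs."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in tables[rtb_id]["routes"]:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def subnet_kind(subnets, tables, subnet_id):
    """'public' when internet-bound traffic is sent to an IGW, else 'private'.
    203.0.113.10 is a documentation-range address standing in for the internet."""
    rtb = effective_route_table(subnets, tables, subnet_id)
    target = route_target(tables, rtb, "203.0.113.10")
    return "public" if target and target.startswith("igw-") else "private"


def classify_all(subnets, tables):
    """Map every subnet id to 'public' or 'private'."""
    return {sid: subnet_kind(subnets, tables, sid) for sid in subnets}
```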
8. Public and Elastic IP
An Elastic IP is also a public IP, but there are some differences.
Public IP addresses are dynamic, i.e. if an EC2 instance has a public IP and you stop/start the instance, AWS assigns a new public IP address to this instance.
In simple terms, an Elastic IP is a static public IP in AWS. An Elastic IP is allocated to your account and stays the same. It is up to you whether to attach it to an instance or not.
9. NAT Instance
A NAT Instance is used to enable internet access for instances in a private Subnet. A NAT Instance is an EC2 instance which is created in a public Subnet with a public or Elastic IP.
There is a property "Source/Destination check" on an EC2 instance; by default this is true, but it should be false if you are making the EC2 instance a NAT instance, for proper internet communication from the private subnet.
10. NAT Gateway
A NAT Gateway is also used to enable internet access for a private Subnet, but the NAT Gateway is an AWS managed service.
As this is an AWS managed service, AWS is responsible for its security and patching.
It requires an Elastic IP; you cannot use a public IP.
You cannot assign a Security Group to a NAT Gateway.
11. VPC Peering
VPC peering is a networking connection between two VPCs to route traffic between them using private IP addresses.
You can create VPC peering between VPCs in the same AWS account or with a VPC in another AWS account, within the same region or in a different region. VPC peering between different regions is called Inter-Region VPC peering.
VPC Peering is an AWS managed service. There is no single point of failure in communication or a bandwidth bottleneck.
Below are some limitations.
- You cannot create VPC peering between VPCs which have overlapping IP ranges.
- A maximum of 50 active VPC peering connections is possible at a given time in an AWS account.
- VPC peering does not support transitive peering relationships.
e.g. VPC-1 and VPC-3 have a peering connection, so VPC-1 and VPC-3 can connect to each other. VPC-2 and VPC-3 have a peering connection, so VPC-2 and VPC-3 can connect to each other. But VPC-1 and VPC-2 cannot connect to each other.
12. Transit Gateway
As VPC peering is not transitive, if you want to connect all VPCs to each other, a full mesh between the VPCs is required. So if you have N VPCs and want to connect all of them to each other, then N(N-1)/2 peering connections are required.
To overcome this problem, we can use the Transit VPC feature. A Transit Gateway is a network transit hub that you can use to interconnect your VPCs and your on-prem network.
Transit VPC does not support multi-region; you can connect VPNs and VPCs in the same region.
It supports multiple accounts.
13. VPC Flow Logs
If you want to capture the IN and OUT traffic of a network interface in a VPC, the VPC Flow Logs feature is your answer.
VPC Flow Logs data can be published to CloudWatch Logs and AWS S3 (Simple Storage Service).
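Flow logs are only useful once you read them, so here is an added Python example (not code from the post or from AWS) that parses records in the default VPC Flow Logs format and pulls out two things a defender looks for: rejected inbound attempts per external source, and bytes leaving the VPC per network interface. The field order is an assumption of this example (the post does not describe the record format), and the sample records, interface id and account id are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Field order of the default VPC Flow Logs record (version 2), assumed here;
# the post itself does not describe the record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real traffic; account id is a placeholder).
SAMPLE_LOG = """\
2 111111111111 eni-EXAMPLE 10.0.1.10 10.0.2.20 50432 443 6 12 3100 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-EXAMPLE 203.0.113.5 10.0.1.10 41000 22 6 3 180 1700000000 1700000060 REJECT OK
2 111111111111 eni-EXAMPLE 203.0.113.5 10.0.1.10 41001 3389 6 3 180 1700000000 1700000060 REJECT OK
2 111111111111 eni-EXAMPLE 10.0.1.10 203.0.113.9 33000 80 6 8 2400 1700000000 1700000060 ACCEPT OK
2 111111111111 eni-EXAMPLE - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line):
    """Split one space-separated record into a dict; '-' numeric fields become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def summarize(log_text, vpc_cidr="10.0.0.0/16"):
    """Return (rejects per external source, egress bytes per interface).
    Only records with log_status OK carry addresses; NODATA/SKIPDATA are skipped."""
    vpc = ipaddress.ip_network(vpc_cidr)
    rejects, egress_bytes = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["log_status"] != "OK":
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        dst = ipaddress.ip_address(rec["dstaddr"])
        if rec["action"] == "REJECT" and src not in vpc:
            rejects[rec["srcaddr"]] += 1          # outside host hitting a closed port
        elif rec["action"] == "ACCEPT" and src in vpc and dst not in vpc:
            egress_bytes[rec["interface_id"]] += rec["bytes"]  # traffic leaving the VPC
    return rejects, egress_bytes
```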
14. VPC Endpoint
With the help of VPC Endpoints, your EC2 instance can use a high-performance and more secure connection to AWS services, like S3, MongoDB etc., without using the internet.
In other words, you can access the other AWS services using the AWS internal network, and your traffic will not go out of AWS.
With the help of this, a private subnet can access AWS services. Not all services are supported by VPC endpoints.
15. Virtual Private Gateway
If you want to connect your data center with an AWS VPC using their private IPs, you need a secure solution, and AWS provides the Virtual Private Gateway to achieve this.
The Virtual Private Gateway establishes a connection from an on-premises network to an Amazon VPC over the internet.
You can connect an existing data center to an Amazon VPC using a hardware or software VPN connection, which makes the AWS VPC an extension of the data center.
16. Direct Connect (DX)
AWS Direct Connect establishes a dedicated connection from an on-premises network to an Amazon VPC.
As it is a direct connection (not internet based), it provides higher speed and lower latency, but it is a costlier solution compared to the Virtual Private Gateway.