Understanding AWS VPC Fundamentals: A Beginner's Guide

Hello everyone! I'm Sonalika Singh, a dedicated second-year engineering student with a keen interest in DevOps.
My journey into DevOps began with a fascination for automation and a desire to bridge the gap between development and operations. I've immersed myself in learning about various DevOps methodologies, CI/CD pipelines, IaC, containerization, and orchestration tools like Docker and Kubernetes.
I'm particularly drawn to the versatility and efficiency of cloud computing platforms like AWS Cloud Platform. Moreover, I'm enthusiastic about version control systems like Git and collaboration platforms like GitHub, where I actively contribute and collaborate with like-minded individuals to solve real-world challenges.
As I continue to deepen my understanding of DevOps principles and tools, I'm excited about the prospect of applying this knowledge to drive innovation and optimize processes within organizations.
Let's connect and explore how we can collaborate to achieve our goals and make a meaningful impact in the world of DevOps!
Follow me on LinkedIn : https://www.linkedin.com/in/sonalika-55264a22a/
Introduction :
Amazon Virtual Private Cloud (VPC) is one of the foundational components of AWS networking. If you're starting your journey into AWS advanced networking, understanding VPCs is crucial. This guide covers the basics of Amazon VPC: its scope, building blocks, addressing scheme and security controls. By the end, you'll also walk through a hands-on exercise to create your own VPC with both public and private subnets, along with tips to avoid common issues.
What is Amazon VPC :
Amazon VPC is like creating your own private area in the AWS cloud, where you can place your resources, such as servers (EC2 instances), and control who can reach them. It is a logically isolated network: nothing outside the VPC can reach resources inside it unless you explicitly create a path (an Internet Gateway, a NAT Gateway, a VPN or a peering connection) and allow the traffic with security groups and network ACLs.
Scope of VPC: Account, Region, and Availability Zone (AZ) :
AWS Account: A VPC is created inside your AWS account. You can have more than one VPC within the same AWS account.
Region: AWS operates data centers all over the world, and these are grouped into Regions. When you create a VPC, you must choose a specific Region for it. The VPC will exist only in that Region. You can create VPCs in different Regions under the same AWS account.
Availability Zone (AZ): Within a Region, a VPC can span multiple AZs, which are physically separate locations with independent power and networking. Each subnet lives in exactly one AZ, so you design high-availability systems by creating subnets in several AZs and distributing resources across them.
VPC Building Blocks
Here are the essential components that make up a VPC:
Subnets : A subnet is like a smaller section within your VPC where you can place your resources like EC2 instances (virtual servers), databases, etc.
Public Subnet:
Imagine this as a section of your private network that is open to the public, like a public park entrance.
A subnet is "public" because its route table sends internet-bound traffic (0.0.0.0/0) to an Internet Gateway. Resources in it that have a public or Elastic IP can be reached from the internet, subject to the security group and network ACL rules you set.
Private Subnet:
This is like a hidden area within your private network, away from public access, like a private garden.
A subnet is "private" because its route table has no route to an Internet Gateway. Resources in it are not directly reachable from the internet, even if one of them were given a public IP.
Route Tables: Act like traffic maps in your VPC. They contain rules that tell the network where to send data.
These tables ensure that data sent from one part of your network can reach another part or even go out to the internet.
Each subnet is associated with exactly one route table, which dictates how traffic leaving the subnet is routed to other subnets or outside the VPC. Every VPC has a main route table; any subnet you do not explicitly associate with a route table uses it, so be careful what you put in the main table.
Internet Gateway (IGW) : An Internet Gateway is like a big door that connects your VPC to the internet.
- The Internet Gateway is attached to the VPC as a whole, not to a particular subnet. A subnet becomes public when its route table sends 0.0.0.0/0 to the gateway; only then can resources in that subnet send traffic to and receive traffic from the internet.
NAT Gateway/NAT Instance :
NAT Gateway:
It allows resources in your private subnet to access the internet (for example, to download software updates) while preventing the internet from accessing those resources directly.
Think of it as a gate that only opens from the inside: connections can only be started by your instances, the NAT Gateway passes back the replies to those connections, and it never accepts a connection that originates on the internet.
NAT Instance:
- Similar to a NAT Gateway, but it is an EC2 instance (a virtual server) that you manage. It requires more setup and maintenance compared to a NAT Gateway (for example, you must disable the instance's source/destination check, and you are responsible for patching it and for its availability).
Elastic IP Addresses (EIPs) : An Elastic IP Address is like a permanent street address for your resources.
EIPs are static IP addresses, meaning they don’t change. You can assign them to AWS resources like EC2 instances to make them reachable from the internet.
For example, if you want your web server to always be accessible via the same IP address, you would assign an Elastic IP to it.
VPC Addressing: CIDR Blocks
CIDR (Classless Inter-Domain Routing): A notation for defining IP address ranges. When you create a VPC, you must specify a range of IP addresses using CIDR. For example, a VPC with a CIDR block of 10.0.0.0/16 can have IP addresses ranging from 10.0.0.0 to 10.0.255.255.
IPv4 vs. IPv6:
IPv4: Most common and widely used.
IPv6: Newer and offers a much larger address space. Note that the IPv6 addresses AWS assigns are globally unique and publicly routable, so "private" for IPv6 is purely a matter of routing: a private subnet that needs outbound-only IPv6 uses an egress-only internet gateway rather than a NAT Gateway.
IP Addresses: Private vs. Public vs. Elastic
Private IP: The address an instance has on its network interface, taken from its subnet's CIDR block. It is used for communication within the VPC and across private connections (VPC peering, VPN, Direct Connect), but it is not routable on the public internet.
Public IP: A public IPv4 address that AWS assigns to an instance at launch when the subnet's auto-assign setting is enabled. It is not configured on the instance itself; the Internet Gateway translates between it and the instance's private IP. It is released when the instance is stopped and a different one is assigned on the next start.
Elastic IP (EIP): A public IP that you allocate to your account and associate with an instance. It remains the same even if you stop and start the instance, unlike a regular public IP, which makes it useful when external users or systems need a fixed address for your resource.
VPC Security: Security Groups and Network ACLs (NACLs)
Inbound Traffic: This is the traffic coming into your instance or subnet. Rules decide which sources, protocols and ports are accepted.
Outbound Traffic: This is the traffic going out from your instance or subnet to the internet or to other instances.
Security Groups: Act as a virtual firewall attached to each instance's network interface. They contain allow rules only; there is no deny rule, and anything not explicitly allowed is dropped. They are stateful, meaning that if you allow an inbound request, the response is automatically allowed out (and vice versa) without a matching rule.
Network ACLs (NACLs): Another layer of security that acts at the subnet level and applies to every instance in the subnet. NACLs contain numbered allow and deny rules that are evaluated from the lowest number upward; the first match wins and a final "*" rule denies everything else. They are stateless, meaning the return half of a connection is not tracked, so both directions must be explicitly allowed. A typical mistake is allowing inbound port 80 but forgetting an outbound rule for the ephemeral ports (1024-65535) that replies are sent to.
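To make the stateful-versus-stateless difference concrete, here is an added example (my code, not part of the original post) that models both kinds of filter and runs the same HTTP request and reply through each. The rule sets, rule numbers and the sample flow are constructed for illustration, and the model deliberately ignores source and destination addresses so that only the tracking and ordering behaviour is visible.

```python
"""Toy model of a security group (stateful, allow-only) versus a network ACL
(stateless, numbered allow/deny rules) judging both halves of one TCP exchange.
Added example; rule sets and the sample flow are constructed, not real AWS data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = toward the instance, "out" = away from it
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; security groups are unordered, so 0 is fine
    direction: str
    proto: str       # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"

    def matches(self, pkt):
        return (self.direction == pkt.direction
                and self.proto in ("all", pkt.proto)
                and self.port_from <= pkt.dst_port <= self.port_to)


class SecurityGroup:
    """Instance-level firewall: only allow rules exist, everything else is dropped,
    and replies to an allowed flow pass without needing a rule of their own."""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups cannot contain deny rules")
        self.rules = rules
        self.expected_replies = set()

    def evaluate(self, pkt):
        key = (pkt.direction, pkt.proto, pkt.src_port, pkt.dst_port)
        if key in self.expected_replies:
            return "allow"            # return traffic of a flow we already allowed
        if any(r.matches(pkt) for r in self.rules):
            reply_dir = "out" if pkt.direction == "in" else "in"
            self.expected_replies.add((reply_dir, pkt.proto, pkt.dst_port, pkt.src_port))
            return "allow"
        return "deny"                 # implicit deny: nothing matched


class NetworkAcl:
    """Subnet-level filter: rules are checked lowest number first, the first match
    wins, and the final '*' rule denies anything left. No connection tracking."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt):
        for r in self.rules:
            if r.matches(pkt):
                return r.action
        return "deny"


def web_exchange(firewall):
    """Verdicts for a client on an ephemeral port reaching port 80, and for the reply."""
    request = Packet("in", "tcp", 51234, 80)
    reply = Packet("out", "tcp", 80, 51234)
    return firewall.evaluate(request), firewall.evaluate(reply)


def sg_web():
    # Inbound HTTP only and no outbound rule at all, yet the reply is still allowed.
    return SecurityGroup([Rule(0, "in", "tcp", 80, 80, "allow")])


def nacl_broken():
    # Allows inbound 80 and outbound 80, forgetting that the reply goes to the
    # client's ephemeral port, so the reply is dropped.
    return NetworkAcl([Rule(100, "in", "tcp", 80, 80, "allow"),
                       Rule(100, "out", "tcp", 80, 80, "allow")])


def nacl_fixed():
    # Same, plus an outbound rule covering the ephemeral port range 1024-65535.
    return NetworkAcl([Rule(100, "in", "tcp", 80, 80, "allow"),
                       Rule(100, "out", "tcp", 1024, 65535, "allow")])


def nacl_ordered_deny():
    # A deny with a lower number shadows the allow at 100: rule order decides.
    return NetworkAcl([Rule(90, "in", "tcp", 80, 80, "deny"),
                       Rule(100, "in", "tcp", 80, 80, "allow")])


if __name__ == "__main__":
    for name, fw in (("security group", sg_web()), ("broken NACL", nacl_broken()),
                     ("fixed NACL", nacl_fixed())):
        print(f"{name}: request/reply -> {web_exchange(fw)}")
```

Running it shows the security group passing both halves with a single inbound rule, the first NACL dropping the reply, the second NACL passing it once the ephemeral ports are opened outbound, and a lower-numbered deny overriding a higher-numbered allow. Real AWS rules also carry a source or destination CIDR, which this model leaves out.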
Hands-On: Creating a VPC with Public and Private Subnets
Let's create a custom VPC with both public and private subnets.
Step 1: Create the VPC
Open the AWS Management Console.
Go to the VPC dashboard.
Click on “Create VPC.”
Name your VPC (e.g., "test-VPC").
Set the IPv4 CIDR block (e.g., 10.0.0.0/16). Pick a block large enough to hold all the subnets you plan to carve out of it; the subnets created below must fall inside this range.
Choose IPv6 CIDR block (optional).
Set Tenancy to "default."
Click “Create VPC.”

Step 2: Create Subnets
Go to the “Subnets” section and click “Create Subnet.”
Choose your VPC.
For the public subnet:
Name it (e.g., "test-public-subnet").
Select an AZ (e.g., us-east-2a).
Set IPv4 CIDR block (e.g., 10.0.1.0/24).
Click “Create Subnet.”
Repeat for the private subnet with a different CIDR block (e.g., 10.0.2.0/24).

Step 3: Create an Internet Gateway
Go to the “Internet Gateways” section.
Click “Create Internet Gateway” and name it.
Attach it to your VPC.
Step 4: Configure Route Tables
Go to the “Route Tables” section and create a new route table for your VPC.
Associate the route table with the public subnet.
Edit the routes:
- Add a route with destination 0.0.0.0/0 and target the Internet Gateway.
Create another route table for the private subnet without any route to the IGW, and associate it with the private subnet.
Leave the main route table without an IGW route; otherwise every subnet that is not explicitly associated with a route table becomes public.
Step 5: Configure Security Groups
Go to “Security Groups” and create a new security group for your VPC.
Define inbound rules (e.g., allow SSH from your IP only, HTTP from anywhere). Avoid opening port 22 to 0.0.0.0/0.
Define outbound rules (e.g., allow all traffic).
Step 6: Create a NAT Gateway (Optional for Private Subnet)
Go to the “NAT Gateways” section.
Create a new NAT Gateway in the public subnet.
Associate it with an Elastic IP.
Edit the route table for the private subnet to route internet-bound traffic to the NAT Gateway.
Issues :
Misconfigured Route Tables:
Make sure public subnets are associated with a route table that directs internet traffic to an Internet Gateway.
Ensure private subnets route traffic to a NAT Gateway if instances need internet access.
Security Group Rules:
- Forgetting to allow inbound traffic for necessary ports (e.g., port 80 for HTTP).
Overlapping CIDR Blocks:
- Make sure your subnets' CIDR blocks do not overlap with each other and that each one lies inside the VPC's CIDR block, otherwise the subnet cannot be created or routing breaks.
NAT Gateway in Wrong Subnet:
- NAT Gateway must be in a public subnet to function correctly.
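The checks in this section, together with the CIDR rules from the addressing section and the layout built in the hands-on steps, can be verified before anything is created. Below is an added example (my code, not from the original post) that audits a planned layout offline: every subnet must sit inside the VPC CIDR and not overlap another, a public subnet must route 0.0.0.0/0 to an Internet Gateway, the main route table must not, and a NAT Gateway must live in a public subnet. The two plans are constructed to mirror the hands-on section; the gateway and route-table IDs are placeholders, not real resources.

```python
"""Offline audit of a planned VPC layout against the mistakes listed in this guide.
Added example; the plans and IDs below are constructed placeholders."""
import copy
import ipaddress

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr):
    """Addresses you can actually assign to instances in a subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def audit_plan(plan):
    """Return a list of problems with the plan; an empty list means it passes."""
    problems = []
    vpc = ipaddress.ip_network(plan["vpc_cidr"])
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC CIDR {vpc} must be between /16 and /28")

    subnets = {n: ipaddress.ip_network(s["cidr"]) for n, s in plan["subnets"].items()}
    for name, net in subnets.items():
        if not net.subnet_of(vpc):
            problems.append(f"subnet {name} ({net}) lies outside VPC CIDR {vpc}")
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"subnets {a} and {b} overlap")

    def default_target(name):
        """Target of the 0.0.0.0/0 route in the route table this subnet uses."""
        table = plan["subnets"][name].get("route_table") or plan["main_route_table"]
        return plan["route_tables"][table].get("0.0.0.0/0") or ""

    # A subnet is public because its route table sends 0.0.0.0/0 to an IGW,
    # not because of its name or because an IGW is attached to the VPC.
    public = {n for n in subnets if default_target(n).startswith("igw-")}
    for name, spec in plan["subnets"].items():
        if spec["public"] and name not in public:
            problems.append(f"public subnet {name} has no 0.0.0.0/0 route to an Internet Gateway")
        if not spec["public"] and name in public:
            problems.append(f"private subnet {name} routes 0.0.0.0/0 to an IGW and is effectively public")

    # Subnets with no explicit association inherit the main route table.
    if plan["route_tables"][plan["main_route_table"]].get("0.0.0.0/0", "").startswith("igw-"):
        problems.append("main route table routes 0.0.0.0/0 to an IGW: new subnets are public by default")

    # A NAT Gateway only works from a public subnet.
    for nat_id, nat in plan["nat_gateways"].items():
        if nat["subnet"] not in public:
            problems.append(f"{nat_id} sits in {nat['subnet']}, which is not a public subnet")
    return problems


# Constructed plan matching the hands-on steps (placeholder IDs).
GUIDE_PLAN = {
    "vpc_cidr": "10.0.0.0/16",
    "main_route_table": "rt-private",
    "route_tables": {
        "rt-public": {"0.0.0.0/0": "igw-0example"},
        "rt-private": {"0.0.0.0/0": "nat-0example"},
    },
    "subnets": {
        "test-public-subnet": {"cidr": "10.0.1.0/24", "public": True, "route_table": "rt-public"},
        "test-private-subnet": {"cidr": "10.0.2.0/24", "public": False, "route_table": "rt-private"},
    },
    "nat_gateways": {"nat-0example": {"subnet": "test-public-subnet"}},
}

# The same plan with two mistakes: a VPC CIDR too small to contain the subnets,
# and the NAT Gateway placed in the private subnet.
BROKEN_PLAN = copy.deepcopy(GUIDE_PLAN)
BROKEN_PLAN["vpc_cidr"] = "10.0.0.0/24"
BROKEN_PLAN["nat_gateways"]["nat-0example"]["subnet"] = "test-private-subnet"

if __name__ == "__main__":
    for label, plan in (("guide plan", GUIDE_PLAN), ("broken plan", BROKEN_PLAN)):
        print(label, "->", audit_plan(plan) or "OK")
    print("usable addresses in a /24:", usable_hosts("10.0.1.0/24"))
```

The guide plan passes cleanly, while the broken plan reports both subnets as lying outside the /24 VPC block and the NAT Gateway as sitting in a non-public subnet. The usable-address count reflects the five addresses AWS holds back in every subnet, so a /24 yields 251 hosts rather than 254.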


Conclusion
Understanding Amazon VPC is key to building secure and scalable infrastructure in AWS. By mastering the fundamentals—such as subnets, routing, and security—you can design robust networks tailored to your specific needs. As you progress, you’ll be better equipped to tackle advanced networking concepts in AWS. Start experimenting with VPCs, and soon you'll be navigating AWS networking like a pro!