VPC High Level

AWS Networking Made Simple

Jitendra Bigtani
5 min read, Aug 4, 2019

“Well begun is half done.” That saying exists for a reason: starting something new is always challenging because of the unknowns, and learning AWS is no different.

When you start learning AWS, the first thing you need to learn is networking. Once you get an AWS account, you must either create your own network space or use the defaults AWS creates for you, and you need to understand what a VPC, a subnet, a security group, a NACL and so on are. I am writing this article to make AWS networking simple for developers by drawing a parallel to something everyone knows well: a housing complex. I hope it helps people who are starting their AWS journey get off to a good beginning.

Background

I have been helping teams migrate their applications to AWS. This includes reviewing the current architecture of the applications, coming up with a target architecture in AWS, suggesting the right AWS services and also training the team members on AWS. What I realized is that even very experienced programmers struggle with networking, since it is not something you deal with when you write an application for traditional infrastructure. I have spent 16 years in the IT industry as an application developer but hardly had to deal with networking, except raising the occasional firewall request when deploying applications beyond the firewall.

AWS Infrastructure

The first thing you do when you log in to your AWS account is select a region. So, let’s start from there.

Region: Think of an AWS region as an apartment complex. A builder offers many complexes in different geographic locations and you select one based on your needs, typically proximity to your office or to family and friends, and also proximity to services you need such as schools or a shopping complex. Similarly, when you select an AWS region you do it based on proximity to your application users. It might also depend on the services you need, such as stock exchange connectivity. Finally, prices differ between AWS regions, and that could be a deciding factor too.

Availability Zone (AZ): An apartment complex consists of several towers. Typically each tower has its own security, electricity meter, backup power, water source and so on. The towers are also close to each other, so if something happens to one tower the residents of the others can come to help. Each AWS AZ is like a tower. AZs have separate sources of power, network and so on, so an issue in one AZ does not affect the others. The AZs are not far apart (around 100 km), and if an application instance in one AZ goes down, another comes up in a different AZ to balance it out and provide the same performance, provided of course that you have configured it correctly.

I have depicted the above concepts in the following diagram.

Diagram 1: Region and AZ

Once you have selected the apartment complex (AWS region), you can go ahead and rent a flat so that you can start living in it. Now it’s time to move on to the networking concepts.

AWS Networking Concepts

Virtual Private Cloud (VPC): This is like the flat you have rented. It is a small space in the huge apartment complex that is reserved for your use. While renting your flat you need to decide how large it should be, e.g. 1500, 2000 or 2500 sq. ft. This depends on your current and future requirements, because you do not want the hassle of moving to another flat soon. Once you have rented the flat you cannot simply expand it, so decide your flat (VPC) size correctly. You define the VPC size using a CIDR block. The good thing is that Amazon does not charge you for creating the VPC.

CIDR Block/IP Range: This is the unit of measurement for a VPC and its subnets, similar to square feet or square metres for flats and rooms.

Subnet: Once you have taken the flat, you divide it based on usage. A flat consists of different rooms: bedrooms, living room, kitchen and so on. Similarly, you divide the VPC space into smaller subnets, use them for different purposes and apply security accordingly.

Public Subnet: This is your living room, the place where you receive your guests (internet traffic). So if you have a web application, you host the web tier or the external-facing load balancer in this subnet.

Private Subnet: This is your bedroom. It is for privacy and should not have direct access to the outside world; its door opens only inward, to other internal spaces. If it needs something from outside, it always goes through the living room, i.e. the public subnet. This is the right place for the internal app tier or databases, since they need protection from the world.
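As an added example (not from the original article) of how the flat-sizing decision plays out in practice, the following Python carves a VPC CIDR block into one public and one private subnet per AZ, counts the addresses actually usable once AWS's five reserved addresses per subnet are taken out, and finds the next free block when a VPC is already partly carved up. The VPC range, AZ names and subnet sizes are constructed values.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet
# (network address, VPC router, DNS resolver, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5
# A VPC CIDR block (and any subnet inside it) must be between /16 and /28.
MIN_PREFIX, MAX_PREFIX = 16, 28


def usable_hosts(cidr: str) -> int:
    """Addresses a workload can actually use in a subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, azs: list, subnet_prefix: int) -> dict:
    """Carve one public and one private subnet per AZ out of the VPC block.

    Raises ValueError when the VPC prefix is outside the allowed range or the
    VPC is too small for the requested subnets: the 'flat is too small' case,
    which is cheap to catch at planning time and expensive to fix afterwards.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        raise ValueError(f"VPC prefix must be /16 to /28, got /{vpc.prefixlen}")
    if not vpc.prefixlen < subnet_prefix <= MAX_PREFIX:
        raise ValueError(f"subnet prefix /{subnet_prefix} does not fit inside {vpc}")
    candidates = list(vpc.subnets(new_prefix=subnet_prefix))
    needed = 2 * len(azs)
    if len(candidates) < needed:
        raise ValueError(f"{vpc} yields {len(candidates)} /{subnet_prefix} subnets, {needed} needed")
    blocks = iter(candidates)
    # Each AZ gets a 'living room' (public) and a 'bedroom' (private).
    return {az: {"public": str(next(blocks)), "private": str(next(blocks))} for az in azs}


def next_free_subnet(vpc_cidr: str, used_cidrs: list, new_prefix: int) -> str:
    """First block of the requested size inside the VPC that overlaps none of
    the subnets already carved out; ValueError when the VPC is full."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = [ipaddress.ip_network(c) for c in used_cidrs]
    for candidate in vpc.subnets(new_prefix=new_prefix):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    raise ValueError(f"no free /{new_prefix} left in {vpc}")


if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16", ["ap-south-1a", "ap-south-1b"], 24)
    for az, rooms in plan.items():
        print(az, rooms, "usable per subnet:", usable_hosts(rooms["public"]))
```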

Internet Gateway/Virtual Gateway: This is your main door, through which your application traffic leaves or enters your VPC (flat).

VPC Flow Logs: This is the visitors’ register kept by security. Any traffic that flows in and out of the VPC is recorded in this log.
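To make the visitors’ register concrete, here is an added example (not the author’s code) that parses VPC Flow Log records in the default version 2 format and lists the source addresses that security kept turning away on several different ports. The records, account id and interface id are constructed placeholders.

```python
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets",
              "bytes", "start", "end"}

# Constructed sample records; the account id and ENI id are placeholders.
SAMPLE_RECORDS = """\
2 123456789012 eni-0abc1234 203.0.113.7 10.0.1.10 44821 22 6 3 180 1564876800 1564876860 REJECT OK
2 123456789012 eni-0abc1234 203.0.113.7 10.0.1.10 44822 3389 6 2 120 1564876800 1564876860 REJECT OK
2 123456789012 eni-0abc1234 203.0.113.7 10.0.1.10 44823 445 6 2 120 1564876800 1564876860 REJECT OK
2 123456789012 eni-0abc1234 198.51.100.20 10.0.1.10 51000 443 6 40 52000 1564876800 1564876860 ACCEPT OK
2 123456789012 eni-0abc1234 - - - - - - - 1564876800 1564876860 - NODATA
"""


def parse_record(line: str) -> dict:
    """Split one space-separated record into typed fields; '-' means absent."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    record = {}
    for name, value in zip(FIELDS, parts):
        if value == "-":
            record[name] = None   # NODATA/SKIPDATA records carry no traffic fields
        elif name in INT_FIELDS:
            record[name] = int(value)
        else:
            record[name] = value
    return record


def rejected_ports_by_source(text: str) -> dict:
    """Map each source address to the sorted destination ports it was denied on."""
    denied = defaultdict(set)
    for line in text.strip().splitlines():
        record = parse_record(line)
        if record["log_status"] == "OK" and record["action"] == "REJECT":
            denied[record["srcaddr"]].add(record["dstport"])
    return {src: sorted(ports) for src, ports in denied.items()}


def noisy_sources(text: str, min_ports: int = 3) -> list:
    """Sources rejected on at least min_ports distinct ports, i.e. repeat visitors turned away at the door."""
    return sorted(src for src, ports in rejected_ports_by_source(text).items()
                  if len(ports) >= min_ports)
```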

Network Access Control List (NACL): These are your internal house rules. For example, you have assigned the master bedroom to yourself and another room to the kids. You set a rule that the kids play in their room and not in yours. That rule is a NACL.

I have again depicted all of the above concepts in the following diagram.

Diagram 2: AWS networking explained

The good thing is that AWS has not charged you for anything yet: under their pay-as-you-go pricing model, you have not started using their resources.

EC2 Instance and EBS

Now that you have selected the flat and are happy with the internal layout and security, you can start on the interior design before you move in. AWS provides numerous services which you can deploy in your VPC (flat). I will cover only the following two here.

EC2 Instance: This is your bed (app tier in the private subnet) or sofa (web tier in the public subnet). AWS charges you for the time your EC2 instance is running.

Elastic Block Store (EBS): A bed comes with optional side storage for convenience. The side storage can be detached from the bed if needed and attached to another bed, and whatever you have stored in it is preserved even when it is detached. Similarly, an EBS volume can be attached to an EC2 instance. It can be attached to any EC2 instance, but only one at a time. AWS charges you for EBS.

Again, I have captured these in the following picture.

Diagram 3: EC2 and EBS explained

Finally your flat is ready to move into. Did you realize what the application is in this analogy? Yes, it is you. You can now move into your flat, i.e. deploy your application to your EC2 instance in the VPC.

I hope you now understand AWS better and also had fun learning it. That is all on networking. Please let me know if you want me to cover any other topic.
