AWS VPC Deep Dive — From the Ground Up

Vipul Jain
Dec 18, 2021


In this blog I explain in detail the most fundamental building block in AWS, the VPC. Without a thorough understanding of VPC and its components it becomes quite challenging to design optimized solutions and communication patterns.

Well, let's get started.

What is a VPC?

It is a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address ranges, creation of subnets, and configuration of route tables and network gateways.

When you log in to your AWS console and open the VPC service, you will find that a default VPC has already been created.

I have captured some screenshots to learn more about the default VPC.

The default VPC has the 172.31.0.0/16 network address block, which is the largest CIDR block AWS permits for a VPC, and it provides 65536 IP addresses.

But AWS reserves 5 IP addresses (the first 4 and the last IP) from your VPC's CIDR range:

172.31.0.0 — Network Address

172.31.0.1 — Reserved for the VPC Router

172.31.0.2 — IP Address of the DNS server

172.31.0.3 — Reserved for future use

172.31.255.255 — This is the network broadcast address but it is not supported in a VPC, therefore AWS reserves it.

[Screenshot: default VPC]

The default VPC has DNS hostnames enabled by default.

It has an Internet Gateway connected by default.

By default, you can see 6 subnets created with a subnet mask of 255.255.240.0 (/20), which means that you can create 10 more /20 subnets in this VPC.
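To make the arithmetic above concrete, here is an added example (not from the original post) that lists the five reserved addresses of 172.31.0.0/16 in the order given above, carves the /16 into /20 subnets to show why 10 more fit beside the existing 6, and applies the same five-address reservation to each /20 (AWS reserves these addresses in every subnet CIDR block). It only uses Python's standard ipaddress module.

```python
import ipaddress

# Values from the post: the default VPC block, the /20 prefix of its default subnets,
# and the 6 subnets that already exist. The 5-address reservation (first four plus
# the last) is the rule the post lists for 172.31.0.0/16.
VPC_CIDR = "172.31.0.0/16"
SUBNET_PREFIX = 20
EXISTING_SUBNETS = 6
RESERVED_PER_BLOCK = 5

def reserved_addresses(cidr):
    """The five addresses AWS reserves in a block, in the order the post lists them:
    network, VPC router, DNS server, future use, broadcast."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(net.network_address + i) for i in range(4)] + [str(net.broadcast_address)]

def usable_addresses(cidr):
    """Addresses left for instances once the reserved five are removed."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - RESERVED_PER_BLOCK

def subnet_mask(cidr):
    """Dotted-decimal mask for a block, e.g. a /20 gives 255.255.240.0."""
    return str(ipaddress.ip_network(cidr, strict=True).netmask)

def carve_subnets(vpc_cidr, prefix):
    """Every subnet of the given prefix length that fits in the VPC block."""
    return [str(s) for s in ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix)]

def remaining_subnets(vpc_cidr, prefix, existing):
    """How many more subnets of this size the VPC can still hold."""
    return len(carve_subnets(vpc_cidr, prefix)) - existing

if __name__ == "__main__":
    print("VPC reserved:", reserved_addresses(VPC_CIDR))
    for s in carve_subnets(VPC_CIDR, SUBNET_PREFIX)[:EXISTING_SUBNETS]:
        print(s, subnet_mask(s), usable_addresses(s), "usable; reserved:", reserved_addresses(s))
    print("room for", remaining_subnets(VPC_CIDR, SUBNET_PREFIX, EXISTING_SUBNETS), "more /20 subnets")
```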

All default subnets are associated with the main route table, which contains a route out to the internet.

[Screenshot: default VPC route table]

By default, security groups allow all outbound traffic and allow inbound traffic from network interfaces (and their associated instances) that are assigned to the same security group.

This means that you cannot SSH into an instance from your own machine if only the default security group is associated with it.

[Screenshots: default inbound rules, default outbound rules]

The default network ACL is configured to allow all traffic to flow in and out of the subnets with which it is associated.

That was all about the default VPC and its properties.

Now let’s create our own VPC, spin up two instances in that VPC (one public and one private) and establish a communication pattern.

The public EC2 instance will reside in a public subnet.

The private EC2 instance will reside in a private subnet.

When I create my own VPC (myVPC), the DNS hostnames option is disabled. However, it can be enabled.

My new VPC does not have an Internet Gateway attached by default, and there is no route out to the internet in its main route table.

What is a public subnet?

A public subnet is a subnet that’s associated with a route table that has a route out to an internet gateway.

The instances in the public subnet can send outbound traffic directly to the internet, whereas the instances in the private subnet can’t.

What is a private subnet?

The instances in the private subnet cannot be accessed from the internet.

The instances in the private subnet can access the internet by using a network address translation (NAT) gateway that resides in the public subnet.

Attaching IGW with myVPC

Now I need to add a route out to the internet for the public subnet for which I need to create an Internet Gateway and attach it with myVPC.

But before that, I will create two route tables — myVPC-private-RT and myVPC-public-RT (the main route table is renamed to this) — and associate the subnets with these route tables:

The public subnet is associated with myVPC-public-RT.

The private subnet is associated with myVPC-private-RT.

[Screenshots: myVPC-public-RT, myVPC-private-RT]

Now I need to create public and private security groups.

public SG

The public security group will allow SSH from my IP and ping from anywhere.

private SG

The private security group will allow SSH from the public instance and ping from anywhere (deliberately added — will this work?)

Launching a public instance in a public subnet

SSHing into the public instance from my IP

Launching a private instance in a private subnet

The private instance is launched in the private subnet with the private security group, in which I have deliberately put an inbound rule allowing ICMP from anywhere, and I have even allocated a public IP to this instance.

Will I be able to ping this private instance?

Well, I am not able to access this instance from the internet because it is launched in a (private) subnet that does not have a route out to the internet, even though the instance has a public IP and a security group with an inbound rule allowing ICMP from anywhere.

However, I am able to ping this instance from the public instance on its private IP address because instances in a VPC can communicate with each other even if they reside in different subnets in different AZs.

This scenario is recommended if you want to run a public-facing web application while maintaining back-end servers that aren’t publicly accessible.

A common example is a multi-tier website, with the web servers in a public subnet and the database servers in a private subnet.

However, web servers need to communicate with the database servers, and database servers need to communicate with the internet to install updates and packages.

How to install updates in the private instance?

In order to install updates on the private instance, I need to SSH into it from the public instance, which acts as a bastion host, and route its internet-bound traffic through a NAT Gateway/Instance running in the public subnet.

Bastion hosts are used in cloud environments as servers that provide access to a private network from an external network such as the Internet.

NAT Gateway is a highly available AWS managed service that makes it easy to connect to the Internet from instances within a private subnet in an Amazon Virtual Private Cloud (Amazon VPC).

Let's see how we can SSH into the private instance.

1. Add the private key to the ssh-agent:

ssh-add testKP.pem

2. Enable forwarding of the authentication agent connection using the -A argument:

ssh -A -i "testKP.pem" ec2-user@44.201.151.98

3. From the public instance, SSH into the private instance:

ssh ec2-user@10.0.0.229

[Screenshot: SSH into the private instance]

However, if I try to install updates on this private instance, it will not work, because the instance has no route out to the internet from which to download them.

Using NAT Gateway

After creating a NAT Gateway in the public subnet, a route to the NAT Gateway is added to the private subnet's route table (myVPC-private-RT).

Now let's run sudo yum update on the private instance again. This time it is able to download updates from the internet through the NAT Gateway, which acts as an egress gateway for private instances. The NAT Gateway does not make private instances accessible from the internet.
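The ping experiment above and the NAT Gateway step both come down to the same three independent layers: the instance's public IP, the default route in its subnet's route table, and its security group rules. The following added example (not from the original post) models those layers and reproduces the post's results: the private instance stays unreachable from the internet even with a public IP and an ICMP-from-anywhere rule, is reachable from the public instance over the local route, and gains outbound internet access through the NAT route without becoming reachable inbound. 44.201.151.98 and 10.0.0.229 are taken from the post; MY_IP, the public instance's private IP, the private instance's public IP and the internet client's IP are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class RouteTable:
    default_target: Optional[str] = None   # target of 0.0.0.0/0: "igw", "nat" or None

@dataclass
class SecurityGroup:
    inbound: list = field(default_factory=list)   # (protocol, source CIDR); outbound is allow-all

@dataclass
class Instance:
    name: str
    private_ip: str
    public_ip: Optional[str]
    rt: RouteTable        # route table of the instance's subnet
    sg: SecurityGroup

def sg_allows(sg, protocol, src_ip):
    """True when an inbound rule matches the protocol and its CIDR covers the source."""
    return any(p == protocol and ipaddress.ip_address(src_ip) in ipaddress.ip_network(cidr)
               for p, cidr in sg.inbound)

def reachable_from_internet(inst, protocol, src_ip):
    """All three layers must pass: a public IP, an IGW default route in the subnet's route
    table (without it there is no path in either direction), and an admitting SG rule."""
    return bool(inst.public_ip) and inst.rt.default_target == "igw" and sg_allows(inst.sg, protocol, src_ip)

def reachable_within_vpc(src, dst, protocol):
    """The implicit local route covers every subnet and AZ, so only the destination SG decides."""
    return sg_allows(dst.sg, protocol, src.private_ip)

def can_reach_internet(inst):
    """Egress: an IGW route needs a public IP; a NAT route works without one and is egress-only."""
    t = inst.rt.default_target
    return t == "nat" or (t == "igw" and bool(inst.public_ip))

# Constructed scenario mirroring the post (MY_IP, 10.0.1.10, 203.0.113.5 are made up).
MY_IP = "198.51.100.7"
public_sg = SecurityGroup([("tcp/22", MY_IP + "/32"), ("icmp", "0.0.0.0/0")])
public_inst = Instance("public", "10.0.1.10", "44.201.151.98", RouteTable("igw"), public_sg)
private_sg = SecurityGroup([("tcp/22", "10.0.1.10/32"), ("icmp", "0.0.0.0/0")])
private_inst = Instance("private", "10.0.0.229", "203.0.113.5", RouteTable(None), private_sg)

if __name__ == "__main__":
    print(reachable_from_internet(private_inst, "icmp", "203.0.113.10"))  # False: no IGW route
    print(reachable_within_vpc(public_inst, private_inst, "icmp"))        # True: local route
    private_inst.rt.default_target = "nat"                                 # add the NAT route
    print(can_reach_internet(private_inst), reachable_from_internet(private_inst, "icmp", "203.0.113.10"))
```

The last line prints True False: yum update now works, while the instance remains unreachable from the internet.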

This is how we can lay the foundation of deploying a multi-tier application in AWS.

Of course, there is a lot to learn when you really want to deploy your application in a scalable and resilient manner, but a good understanding of VPC does help you get going confidently.

Happy Learning!!!
