Building a Secure AWS VPC with Terraform: Subnets, Internet Gateways, and More— Part-I

Irfan Danish · Published in Geek Culture · 6 min read · Apr 28, 2023

Building a secure and robust infrastructure in the cloud is one of the most critical tasks for any organization. AWS offers various services to help you achieve this goal, and the most fundamental building block of AWS networking is the Virtual Private Cloud (VPC). In this article we cover the VPC and some of its key components. In our last article we discussed how to set up a Terraform development environment for AWS. This two-part article first explains the core VPC concepts; in the second part we use Terraform to provision our own VPC with public and private subnets, as shown in the diagram above.

What is AWS VPC?

Amazon Virtual Private Cloud (VPC) is a fundamental building block of the AWS cloud infrastructure, which allows you to provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch Amazon Elastic Compute Cloud (EC2) instances, Amazon Relational Database Service (RDS) instances, and other AWS resources in a virtual network that you define.

AWS VPC is required to provide a secure and isolated environment for your applications to run on the cloud. It allows you to create a private network in the cloud where you can launch resources such as EC2 instances, RDS databases, and Elastic Load Balancers, etc. VPC enables you to define and control the network topology, the IP address range, and the network gateways, making it easy to configure and manage the network infrastructure. With VPC, you can create multiple subnets, each with its own security group, which provides a layer of security to your resources. You can also use Network Access Control Lists (NACLs) to add an additional layer of security to your network.

VPC provides the ability to create a private network in the cloud, which provides a more secure and isolated environment for your applications. VPC also enables you to connect your on-premises network to the cloud using VPN or Direct Connect. With VPC, you can also create subnets, which provide a way to divide your network into smaller, more manageable parts.

A VPC consists of many different components and concepts. Below we briefly take a look at the most important ones.

1. CIDR:

CIDR stands for Classless Inter-Domain Routing, a way of specifying IP addresses and their associated routing prefix. CIDR notation represents an IP address range as a single IP address followed by a slash and the number of bits in the network prefix. For example, 10.0.0.0/16 represents the entire range from 10.0.0.0 to 10.0.255.255, and the CIDR block 10.0.1.0/24 represents the range from 10.0.1.0 to 10.0.1.255. The number after the slash tells you how many IP addresses the block contains: subtract it from 32 to get the number of host bits n, and 2^n is the total number of addresses in the block. An example calculation for 10.0.0.0/24:

n = 32 - 24 = 8

Usable IP addresses = 2^8 - 5 = 251

Similarly, 10.0.0.0/16 has 2^16 - 5 = 65,531 usable addresses, and so on. In each CIDR block the first four IP addresses and the last IP address are reserved by AWS and cannot be used.
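The calculation above, carried out with Python's standard `ipaddress` module, as an added example that is not part of the original article. `cidr_summary` reports the host bits, total and AWS-usable address counts and the five reserved addresses of a block; `carve_subnets` splits a VPC block into equally sized subnets the way you would when planning subnets for Part II. The function names and the /16-to-/28 bound check are this example's own; the sample blocks are constructed.

```python
import ipaddress

# AWS reserves five addresses in every subnet: the first four (network address,
# VPC router, Amazon-provided DNS, reserved for future use) and the last (broadcast).
AWS_RESERVED_PER_SUBNET = 5


def cidr_summary(cidr: str) -> dict:
    """Describe an IPv4 CIDR block: n = 32 - prefix, total = 2**n, usable = total - 5."""
    # strict=True rejects blocks with host bits set, e.g. "10.0.0.1/24".
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv4 CIDR expected")
    host_bits = 32 - net.prefixlen
    total = 2 ** host_bits
    reserved = [str(net.network_address + i) for i in range(4)] + [str(net.broadcast_address)]
    return {
        "cidr": str(net),
        "prefix": net.prefixlen,
        "host_bits": host_bits,
        "total": total,
        "aws_usable": total - AWS_RESERVED_PER_SUBNET,
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "reserved": reserved,
    }


def carve_subnets(vpc_cidr: str, new_prefix: int, count: int) -> list:
    """Return the first `count` subnets of size /new_prefix inside the VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    # AWS accepts VPC and subnet blocks between /16 and /28.
    if not 16 <= new_prefix <= 28:
        raise ValueError("AWS subnet prefixes must be between /16 and /28")
    if new_prefix <= vpc.prefixlen:
        raise ValueError("subnet prefix must be longer than the VPC prefix")
    subnets = []
    for sn in vpc.subnets(new_prefix=new_prefix):
        if len(subnets) == count:
            break
        subnets.append(str(sn))
    if len(subnets) < count:
        raise ValueError(f"{vpc} cannot hold {count} /{new_prefix} subnets")
    return subnets


if __name__ == "__main__":
    # Constructed sample blocks matching the article's calculation.
    for block in ("10.0.0.0/24", "10.0.1.0/24", "10.0.0.0/16"):
        print(cidr_summary(block))
    print(carve_subnets("10.0.0.0/16", 24, 4))
```

Running the block prints 251 usable addresses for a /24 and 65,531 for a /16, and shows that the last address of 10.0.1.0/24 is 10.0.1.255, which is the value the range calculation should give.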

2. Subnet:

A subnet is a range of IP addresses in your VPC that you can allocate to your resources. Subnets are created within a VPC and are associated with a particular Availability Zone (AZ). By default, each subnet can have up to 256 IP addresses. Subnets are used to segregate resources in a VPC and apply network security policies.

3. Route Table:

A route table contains a set of rules, called routes, that determine where network traffic is directed. Each subnet in a VPC must be associated with a route table, and the routes in that table determine how traffic leaving the subnet is routed. The default (main) route table in a VPC allows all resources in the VPC to communicate with each other. When we create a VPC, a main route table is associated with it automatically, but we can also create a separate route table for each of our subnets.

4. Internet Gateway:

An Internet Gateway (IGW) is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. An IGW enables your instances to communicate with the internet, and vice versa. The IGW is attached to your VPC, and it provides a target for all internet-bound traffic in the VPC.

5. Public vs Private Subnet:

In a VPC, you can create subnets that are either public or private. Public subnets are associated with a route table that has a route to the internet via an IGW. Instances in a public subnet can have a public IP address and can be accessed from the internet. Private subnets, on the other hand, are associated with a route table that does not have a route to the internet. Instances in a private subnet can access the internet through a NAT Gateway.

6. NAT Gateway:

A Network Address Translation (NAT) Gateway is a highly available AWS-managed service that allows instances in a private subnet to access the internet. NAT Gateway enables instances in a private subnet to connect to the internet without exposing their private IP addresses to the internet. The NAT Gateway maps the private IP addresses of instances to public IP addresses. The NAT Gateways are usually deployed in one of the public subnets so that they can directly access the internet.
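The rule the sections on route tables, the Internet Gateway, public versus private subnets and the NAT Gateway describe is that a subnet is public or private only because of its default route, never because of its name, and that a NAT Gateway only works when it sits in a public subnet. This added example (not code from the article) models a small VPC and audits it against those rules; resource ids, AZ names and the misplaced `nat-b` are constructed placeholders, and the `classify_subnet`/`audit_vpc` helpers are this example's own.

```python
import ipaddress
import itertools
from dataclasses import dataclass


@dataclass
class RouteTable:
    id: str
    routes: dict  # destination CIDR -> target ("local", "igw-...", "nat-...", ...)


@dataclass
class Subnet:
    id: str
    cidr: str
    az: str
    route_table: str  # id of the associated route table


@dataclass
class NatGateway:
    id: str
    subnet: str  # id of the subnet the NAT gateway is placed in


def classify_subnet(subnet: Subnet, tables: dict) -> str:
    """Public/private is decided by the 0.0.0.0/0 route of the subnet's route table."""
    target = tables[subnet.route_table].routes.get("0.0.0.0/0")
    if target is None:
        return "isolated"  # no path to the internet in either direction
    if target.startswith("igw-"):
        return "public"  # direct route to an Internet Gateway
    if target.startswith("nat-"):
        return "private"  # outbound only, via a NAT Gateway
    return "other"  # e.g. a virtual private gateway or transit gateway


def audit_vpc(vpc_cidr: str, subnets: list, tables: dict, nats: list) -> dict:
    """Classify every subnet and collect findings a reviewer would flag."""
    classes = {s.id: classify_subnet(s, tables) for s in subnets}
    nat_ids = {n.id for n in nats}
    findings = []
    # A NAT Gateway needs its own route to the IGW, so it must live in a public subnet.
    for nat in nats:
        if classes.get(nat.subnet) != "public":
            findings.append(f"{nat.id} is placed in {nat.subnet}, which is not a public subnet")
    # A private subnet's default route must point at a NAT Gateway that exists.
    for s in subnets:
        if classes[s.id] == "private":
            target = tables[s.route_table].routes["0.0.0.0/0"]
            if target not in nat_ids:
                findings.append(f"{s.id} routes 0.0.0.0/0 to unknown NAT gateway {target}")
    # Subnet blocks must lie inside the VPC block and must not overlap each other.
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [(s.id, ipaddress.ip_network(s.cidr)) for s in subnets]
    for sid, net in nets:
        if not net.subnet_of(vpc):
            findings.append(f"{sid} ({net}) lies outside the VPC block {vpc}")
    for (a_id, a), (b_id, b) in itertools.combinations(nets, 2):
        if a.overlaps(b):
            findings.append(f"{a_id} ({a}) overlaps {b_id} ({b})")
    return {"classes": classes, "findings": findings}


# Constructed sample VPC; ids are placeholders, not real AWS resource ids.
VPC_CIDR = "10.0.0.0/16"
TABLES = {
    "rt-public": RouteTable("rt-public", {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-PLACEHOLDER"}),
    "rt-private-a": RouteTable("rt-private-a", {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-a"}),
    "rt-private-b": RouteTable("rt-private-b", {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-b"}),
    "rt-db": RouteTable("rt-db", {"10.0.0.0/16": "local"}),
}
SUBNETS = [
    Subnet("public-a", "10.0.1.0/24", "us-east-1a", "rt-public"),
    Subnet("public-b", "10.0.2.0/24", "us-east-1b", "rt-public"),
    Subnet("private-a", "10.0.101.0/24", "us-east-1a", "rt-private-a"),
    Subnet("private-b", "10.0.102.0/24", "us-east-1b", "rt-private-b"),
    Subnet("db-a", "10.0.201.0/24", "us-east-1a", "rt-db"),
]
NATS = [
    NatGateway("nat-a", "public-a"),
    NatGateway("nat-b", "private-b"),  # deliberate misplacement: a NAT in a private subnet has no way out
]

if __name__ == "__main__":
    result = audit_vpc(VPC_CIDR, SUBNETS, TABLES, NATS)
    for sid, cls in result["classes"].items():
        print(f"{sid:10} {cls}")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

The audit reports `db-a` as isolated (a subnet with no default route, the usual choice for a database tier) and flags `nat-b`: instances in `private-b` would route to it, but the NAT Gateway itself has no Internet Gateway route, so that subnet has no working egress.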

7. NACL:

A Network Access Control List (NACL) is a stateless firewall that controls traffic to and from subnets in a VPC. NACLs are associated with a VPC and are used to filter traffic based on rules that you define. You can use NACLs to allow or deny traffic based on protocol, port, and source/destination IP addresses.

8. Security Groups:

A Security Group is a virtual firewall that controls inbound and outbound traffic for instances in a VPC. Security Groups are associated with a VPC and are used to allow or deny traffic based on rules that you define. You can use Security Groups to specify which ports are open for incoming traffic, which IPs are allowed to access your instances, and more.
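The difference between a stateless NACL and a stateful Security Group is easiest to see on a single HTTPS round trip, so here is an added example (not from the article) that evaluates both against the same request and reply. The addresses, ports and rule sets are constructed; `nacl_decision`, `SecurityGroup` and `https_round_trip` are this example's own. The security group's outbound rule list is left empty on purpose to isolate the stateful behaviour (a real default security group allows all outbound traffic).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: str  # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str  # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str = "allow"  # NACLs may also "deny"; security groups are allow-only
    number: int = 0  # NACL rule number; unused for security groups


def _matches(rule: Rule, packet: Packet, direction: str) -> bool:
    peer = packet.src if direction == "inbound" else packet.dst
    in_cidr = ipaddress.ip_address(peer) in ipaddress.ip_network(rule.cidr)
    proto_ok = rule.proto == "all" or rule.proto == packet.proto
    port_ok = rule.port_from <= packet.dport <= rule.port_to
    return in_cidr and proto_ok and port_ok


def nacl_decision(nacl: dict, direction: str, packet: Packet) -> str:
    """Stateless: each direction is judged on its own. Rules are tried in ascending
    number, the first match decides, and the implicit '*' rule denies the rest."""
    for rule in sorted(nacl[direction], key=lambda r: r.number):
        if _matches(rule, packet, direction):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful: the reply to an allowed flow is permitted regardless of the rules
    for the opposite direction, so no ephemeral-port rule is needed."""

    def __init__(self, inbound: list, outbound: list):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.flows = set()  # (src, sport, dst, dport) of flows already allowed

    def decision(self, direction: str, packet: Packet) -> str:
        reverse = (packet.dst, packet.dport, packet.src, packet.sport)
        if reverse in self.flows:
            return "allow"  # tracked reply
        if any(_matches(r, packet, direction) for r in self.rules[direction]):
            self.flows.add((packet.src, packet.sport, packet.dst, packet.dport))
            return "allow"
        return "deny"


def https_round_trip(nacl: dict, sg: SecurityGroup) -> dict:
    """Constructed flow: client 203.0.113.10:50123 -> instance 10.0.1.20:443, then the reply."""
    request = Packet("203.0.113.10", "10.0.1.20", "tcp", 50123, 443)
    reply = Packet("10.0.1.20", "203.0.113.10", "tcp", 443, 50123)
    return {
        "nacl_request": nacl_decision(nacl, "inbound", request),
        "nacl_reply": nacl_decision(nacl, "outbound", reply),
        "sg_request": sg.decision("inbound", request),
        "sg_reply": sg.decision("outbound", reply),
    }


# Constructed rule sets. The first NACL only allows port 443 in both directions and
# therefore drops the reply, whose destination port is the client's ephemeral port.
NACL_NO_EPHEMERAL = {
    "inbound": [Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)],
    "outbound": [Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)],
}
NACL_WITH_EPHEMERAL = {
    "inbound": [Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100)],
    "outbound": [
        Rule("tcp", 443, 443, "0.0.0.0/0", "allow", 100),
        Rule("tcp", 1024, 65535, "0.0.0.0/0", "allow", 110),  # ephemeral ports for replies
    ],
}

if __name__ == "__main__":
    sg = SecurityGroup([Rule("tcp", 443, 443, "0.0.0.0/0")], [])
    print(https_round_trip(NACL_NO_EPHEMERAL, sg))
    print(https_round_trip(NACL_WITH_EPHEMERAL, SecurityGroup([Rule("tcp", 443, 443, "0.0.0.0/0")], [])))
```

The first run shows the classic NACL mistake: the request is allowed in, but the reply is denied on the way out because nothing permits the ephemeral destination port, while the security group passes the same reply on connection state alone. NACL rule ordering also matters: because the lowest-numbered match wins, a deny rule placed at a lower number than a broad allow takes precedence for the addresses it covers.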

Above we have briefly described what a VPC is and its key components. In conclusion, AWS VPC is a critical component of the AWS cloud infrastructure that provides a secure and isolated environment for your applications to run in the cloud. It gives you complete control over your network infrastructure, including network topology, IP address ranges, and network gateways. With VPC, you can create a private network in the cloud that is highly secure and flexible, enabling you to launch resources like EC2 instances, RDS databases, ELBs, etc.

In our next article, Building a Secure AWS VPC with Terraform: Subnets, Internet Gateways, and More — Part-II, we will provision our own VPC with public and private subnets, create a route table for each subnet, and provision a NAT Gateway for our private subnets.

Final Note

If you enjoyed this article and found it useful, be sure to follow me on Medium and GitHub for more content like this. On Medium, you can find more articles on Cloud Computing, DevOps, Machine Learning and other related topics. On GitHub, you can find my open-source projects and code samples. By following me on these platforms, you can stay up-to-date with my latest work and learn more about best practices for managing infrastructure with Terraform and other cloud tools. Thanks for reading!

MLOps Engineer & Researcher with a Passion for DevOps, Machine Learning, Computer Vision, NLP, Cloud & Data-Intensive Applications https://bmc.link/irfandanish