A short chat about VPC

Pablo Alonso Landa
Published in Strategio
6 min read · Dec 23, 2022

Jr Dev: Sensei, what is this image?

Jr’s Mentor: Oh, that's a VPC representation.

Jr Dev: VPC?

Jr’s Mentor: Yes, Virtual Private Cloud. It’s an AWS service that allows you to launch AWS resources into a virtual network. When you use VPC, it’s like virtualizing your own data center.

Jr Dev: Why would I want to do that?

Jr’s Mentor: In the pre-cloud era, companies owned physical data centers. Imagine what happened when one of the computers in these centers needed more computing power or storage space. You had to add the required hardware. Doing so was not a pleasant task.

Jr Dev: And what are all those components in the image?

Jr’s Mentor: They are features that help you configure a VPC. Let me show you what some of those components are:

Subnet: A subnet is a range of IP addresses inside your VPC that share a common address prefix; it is where you launch resources such as Amazon EC2 instances.

Route table: A route table contains a set of rules (routes) that determine where network traffic is directed. Each route specifies a destination IP range and a target (Internet gateway, NAT gateway, virtual private gateway, etc.).

Network Access Control Lists: An NACL adds an additional layer of security to your VPC. It’s a kind of firewall for controlling traffic in and out of one or more subnets.

Internet Gateway: An Internet Gateway allows communication between the Internet and our VPC.

Security Groups: A security group is a set of rules that control the traffic for one or multiple instances.

Jr Dev: I have a question. Why would I want to add a security group to an instance if the subnet where it is located is already tied to an NACL?

Jr’s Mentor: Do you remember when we created the EC2 instance and added a security group that only allowed SSH connections from our IP?

Jr Dev: Yes but what about that?

Jr’s Mentor: Suppose the subnet where that EC2 instance lives has an NACL with an inbound rule that allows SSH from any source. Without the security group, anyone could open an SSH connection to our EC2 instance.
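Added illustration, not part of the original post: a small Python model of how the two layers decide, following the evaluation rules AWS documents for NACLs (numbered rules, lowest number first, first match wins, stateless, implicit final deny) and for security groups (allow-only, stateful). The rules and addresses are constructed; 203.0.113.10 stands in for "our IP". It also covers the stateless caveat: the NACL needs an outbound rule for the reply to the client's ephemeral port, something a security group handles by itself.

```python
"""Model of how a subnet NACL and an instance security group decide whether an
inbound SSH connection reaches an EC2 instance. Added illustration that follows
the evaluation rules AWS documents; it is not AWS code. All IPs are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int        # NACL rules are evaluated in ascending number order
    protocol: str      # "tcp", "udp", "icmp" or "-1" (all protocols)
    port_from: int
    port_to: int
    cidr: str
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    protocol: str      # security groups only carry allow rules
    port_from: int
    port_to: int
    cidr: str


def _matches(protocol, port_from, port_to, cidr, pkt_proto, pkt_port, pkt_ip):
    """True when a rule applies to the given packet."""
    if protocol != "-1":
        if protocol != pkt_proto or not (port_from <= pkt_port <= port_to):
            return False
    return ipaddress.ip_address(pkt_ip) in ipaddress.ip_network(cidr)


def nacl_decision(rules, proto, port, ip):
    """Stateless and ordered: the first matching rule decides; the implicit
    final rule (shown as '*' in the console) denies anything unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule.protocol, rule.port_from, rule.port_to, rule.cidr, proto, port, ip):
            return rule.action
    return "deny"


def sg_decision(rules, proto, port, ip):
    """Stateful and allow-only: any matching rule permits the connection."""
    for rule in rules:
        if _matches(rule.protocol, rule.port_from, rule.port_to, rule.cidr, proto, port, ip):
            return "allow"
    return "deny"


def ssh_session_allowed(nacl_in, nacl_out, sg_in, client_ip, client_port=51234):
    """An SSH session needs an inbound NACL allow on 22, an SG allow on 22 and,
    because NACLs are stateless, an outbound NACL allow for the reply to the
    client's ephemeral port. The security group allows the reply on its own."""
    inbound_ok = (nacl_decision(nacl_in, "tcp", 22, client_ip) == "allow"
                  and sg_decision(sg_in, "tcp", 22, client_ip) == "allow")
    reply_ok = nacl_decision(nacl_out, "tcp", client_port, client_ip) == "allow"
    return inbound_ok and reply_ok


# Constructed rules mirroring the chat: the subnet's NACL lets SSH in from
# anywhere, the instance's security group only from "our" IP.
NACL_INBOUND = [
    NaclRule(100, "tcp", 22, 22, "0.0.0.0/0", "allow"),
]
NACL_OUTBOUND = [
    NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),  # replies to ephemeral ports
]
SG_INBOUND = [
    SgRule("tcp", 22, 22, "203.0.113.10/32"),   # constructed "our IP"
]


def scenario():
    """Decisions for our IP and for a stranger, with and without the SG."""
    ours, stranger = "203.0.113.10", "198.51.100.5"
    return {
        "nacl_alone_stranger": nacl_decision(NACL_INBOUND, "tcp", 22, stranger),
        "with_sg_ours": ssh_session_allowed(NACL_INBOUND, NACL_OUTBOUND, SG_INBOUND, ours),
        "with_sg_stranger": ssh_session_allowed(NACL_INBOUND, NACL_OUTBOUND, SG_INBOUND, stranger),
        # forgetting the outbound ephemeral-port rule breaks SSH even for our IP
        "no_outbound_rule_ours": ssh_session_allowed(NACL_INBOUND, [], SG_INBOUND, ours),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The NACL alone answers "allow" for the stranger, which is exactly the gap the mentor describes; the security group closes it, and the model also shows why a deny rule only works when its number is lower than the allow it is meant to override.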

Jr Dev: I got it, but it’s a little intimidating, that VPC thing.

Jr’s Mentor: Don’t be afraid. It’s a matter of practice. Want to set up a VPC and get your hands dirty?

Jr Dev: Yes, of course. I’m sure we’re going to need an AWS Free Tier account, and we should run every command as an IAM user with administrator privileges rather than as the root user. — Jr’s Mentor listens proudly to the words of his pupil. —

Jr’s Mentor: Let’s log in to the AWS Management Console, choose a region and then go to the VPC service. On the VPC Dashboard, expand Virtual private cloud, click Your VPCs and then click the Create VPC button. Do you follow me?

Jr Dev: Yes, I can now see the interface to create our VPC. I am going to select the VPC only option. I will name our VPC foo-vpc. Wait, what is the IPv4 CIDR block?

Jr’s Mentor: I guessed you were going to ask me about it; if you want to know what it is and how it works, this link will be useful. For now let’s select the IPv4 CIDR manual input option, enter 10.0.0.0/16 as the IPv4 CIDR, leave the other fields at their defaults, and create our VPC.

Jr Dev: I can see our VPC is Available. That’s it, nothing else is needed?

Jr’s Mentor: We have not finished yet. The VPC is created, but it has no Internet access and no subnet in which we can launch instances.

Jr Dev: So the next step would be to create an Internet Gateway?

Jr’s Mentor: Exactly. A few options below Your VPCs you will find Internet gateways. Go there and click the Create internet gateway button.

Jr Dev: That was easy, I created an Internet Gateway and named it foo-ig.

Jr’s Mentor: Even though we created an Internet gateway, we still need to attach it to foo-vpc to get access to the Internet. To do so, select foo-ig and click Actions. Once the menu is displayed, choose the Attach to VPC option, select foo-vpc, and foo-ig will be attached to it. Now it is time to create a subnet.

Jr Dev: I think I can do it. It would be to click Virtual private cloud, then the Subnets option, and then the Create subnet button.

Jr Dev: Ok, I have already chosen our VPC, named the subnet as foo-subnet, and chosen us-east-1a as AZ; but I need to assign an IPv4 CIDR block again.

Jr’s Mentor: Just type 10.0.1.0/24, leave the tag at its default and click the Create subnet button.

Jr Dev: Now is when we should add security to our subnet, right?

Jr’s Mentor: That would be the case if we wanted our subnet to be private or to have some kind of restriction. Our foo-subnet is going to be public. For that, we need the subnet to auto-assign a public IP to the instances created in it. Select foo-subnet, click Actions, and then Edit subnet settings. Then enable the Auto-assign IP settings option.

Jr Dev: But it is not yet public, because it has no route to foo-ig.

Jr’s Mentor: You’re right, dude, you are understanding how it works. Let’s create a route table. Go to Virtual private cloud, select Route tables, and click Create route table.

Jr Dev: I already created it in foo-vpc and named it foo-rt. Now I have to associate it with a subnet. As we have done before, I select it and look for the corresponding option under Actions, right?

Jr’s Mentor: Exactly, on the Edit subnet associations page, select foo-subnet and then click on Save associations.

Jr Dev: Ok, we added the subnet, but how do we create the route to foo-ig?

Jr’s Mentor: It is more of the same. Select foo-rt, click Actions, and then Edit routes. Click Add route, enter 0.0.0.0/0 as the destination, so that it matches any address, and foo-ig as the target.

Jr Dev: Is foo-subnet public now? — asks the pupil hesitantly —

Jr’s Mentor: Yes, finally our subnet is public. Did you enjoy the process?

Jr Dev: Yes, of course. AWS fascinates me with all its services, it’s incredible.

Jr’s Mentor: Do you have any questions about what we have just done?

Jr Dev: I have a question, we created a public subnet but I still don’t understand why I would create a private one.

Jr’s Mentor: Simple. Would you want a database that only your services depend on to be reachable by others?

Jr Dev: Ok, I get it. But what if I migrated a database from a server to one in the private subnet? How would that server talk to anything outside the subnet?

Jr’s Mentor: That’s a very good question. In that case, a Network Address Translation (NAT) gateway would be very helpful. You can use a NAT gateway so that an instance in the private subnet can connect to services outside your VPC, while external services cannot initiate a connection to that instance.
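To tie together the build steps above (VPC, Internet gateway, subnet, route table) and the NAT gateway just described, here is an added Python model, not part of the original post and not AWS code, that classifies each subnet from its route table, the gateway attachment and the auto-assign public IP setting, and validates the CIDR plan. It reuses the chat's names foo-vpc, foo-ig, foo-subnet and foo-rt; the private subnet, its route table and the foo-nat gateway are constructed. It goes beyond the chat in two ways: it includes the main route table that a subnet falls back to when it has no explicit association, and it checks that a NAT gateway used for Internet access itself sits in a public subnet.

```python
"""Model of the VPC built in the chat, used to check what makes a subnet public
or private. Added illustration, not AWS code; the chat's names are reused and
the private side (foo-private, foo-private-rt, foo-nat) is constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    destination: str   # CIDR such as "0.0.0.0/0"
    target: str        # "local", an Internet gateway name or a NAT gateway name

@dataclass
class RouteTable:
    name: str
    routes: list
    subnets: list = field(default_factory=list)   # explicitly associated subnets

@dataclass
class Subnet:
    name: str
    cidr: str
    az: str
    auto_assign_public_ip: bool = False

@dataclass
class Vpc:
    name: str
    cidr: str
    subnets: list
    route_tables: list          # index 0 is the main route table
    attached_igws: list = field(default_factory=list)
    nat_gateways: dict = field(default_factory=dict)   # NAT name -> subnet hosting it


def validate_cidrs(vpc):
    """Every CIDR must parse, sit inside the VPC block and not overlap another."""
    try:
        vpc_net = ipaddress.ip_network(vpc.cidr)
        nets = [(s.name, ipaddress.ip_network(s.cidr)) for s in vpc.subnets]
    except ValueError as err:
        return f"invalid CIDR: {err}"
    for name, net in nets:
        if not net.subnet_of(vpc_net):
            return f"{name} ({net}) is outside {vpc_net}"
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                return f"{n1} and {n2} overlap"
    return "ok"


def route_table_for(vpc, subnet):
    """A subnet with no explicit association uses the VPC's main route table."""
    for rt in vpc.route_tables:
        if subnet.name in rt.subnets:
            return rt
    return vpc.route_tables[0]


def lookup(rt, dest_ip):
    """Longest-prefix match over the table's routes."""
    ip = ipaddress.ip_address(dest_ip)
    best, best_len = None, -1
    for r in rt.routes:
        net = ipaddress.ip_network(r.destination)
        if ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def classify(vpc, subnet):
    """public: Internet-bound route to an attached IGW and public IPs auto-assigned.
    public-route-only: IGW route but no public IP, so instances are still unreachable.
    private-nat: Internet-bound route via a NAT gateway (outbound only).
    isolated: no Internet-bound route (simplification: an unattached IGW target counts as none)."""
    hit = lookup(route_table_for(vpc, subnet), "192.0.2.1")  # any address outside the VPC
    if hit is None or hit.target == "local":
        return "isolated"
    if hit.target in vpc.attached_igws:
        return "public" if subnet.auto_assign_public_ip else "public-route-only"
    if hit.target in vpc.nat_gateways:
        return "private-nat"
    return "isolated"


def build_foo_vpc():
    """The chat's VPC plus a constructed private subnet behind a NAT gateway."""
    local = Route("10.0.0.0/16", "local")   # present in every route table of the VPC
    return Vpc(
        "foo-vpc", "10.0.0.0/16",
        subnets=[
            Subnet("foo-subnet", "10.0.1.0/24", "us-east-1a", auto_assign_public_ip=True),
            Subnet("foo-private", "10.0.2.0/24", "us-east-1a"),          # constructed
        ],
        route_tables=[
            RouteTable("main", [local]),
            RouteTable("foo-rt", [local, Route("0.0.0.0/0", "foo-ig")], ["foo-subnet"]),
            RouteTable("foo-private-rt", [local, Route("0.0.0.0/0", "foo-nat")], ["foo-private"]),
        ],
        attached_igws=["foo-ig"],
        nat_gateways={"foo-nat": "foo-subnet"},   # the NAT gateway lives in the public subnet
    )


def report(vpc):
    """Classification per subnet, plus a check that each NAT gateway sits in a public subnet."""
    out = {s.name: classify(vpc, s) for s in vpc.subnets}
    for nat, host in vpc.nat_gateways.items():
        if out.get(host) != "public":
            out[nat] = f"misplaced: {host} is not public"
    return out


if __name__ == "__main__":
    vpc = build_foo_vpc()
    print(validate_cidrs(vpc))
    print(report(vpc))
```

Running it classifies foo-subnet as public and foo-private as private-nat; detaching foo-ig, dropping the auto-assign flag, or leaving a subnet on the main route table each changes the answer, which is a quick way to see why every step in the chat was needed.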

Jr Dev: Interesting. I stand by my statement: the world of AWS is great.

Jr’s Mentor: Do you have any other questions?

Jr Dev: No sensei, I am satisfied with the lesson. Thank you!

Jr’s Mentor: Just keep studying so that one day you will be the one to help others understand these technologies; that’s the way you will pay me back.
