Introduction to Amazon’s Virtual Private Cloud

Jessica Lu
Published in Strategio
3 min read · Aug 26, 2022

Amazon Web Services (AWS) is one of the leading cloud platforms and offers many different services geared toward Enterprise customers. Here is a quick recap of what I’ve learned using Amazon’s Virtual Private Cloud (VPC)!

What is it?

Amazon VPC is a tool used by Enterprise customers to set up their virtual networks from which they can base their other AWS services, such as Amazon Relational Database Service (RDS) instances. It comprises subnets, internet gateways, network access control lists (ACLs), and security groups.

Why was VPC created?

When a service is deployed, it is exposed to the outside world, a.k.a. the rest of the internet. A VPC protects these services by regulating what kind of traffic can come in and out of the virtual network.

VPC Architecture

Subnets

Subnets are groups of IP addresses that host an application’s resources. There are two types: public and private.

Public subnets are directly connected to the internet and host the more public-facing services. Associating them with a route table that points to an internet gateway is what allows their traffic to reach the internet.

Private subnets can only be accessed through the public subnet and have no direct link to an internet gateway, as shown in the figure above. Resources, such as databases, would be stored here for extra security.

Note that the subnets are in different availability zones! It is good practice to have them in different availability zones so that the application does not completely fail in the rare case of an availability zone failure.

Internet Gateways

Internet gateways, as noted above, are links that allow traffic from public subnets to enter the internet. Route tables hold the rules on how information travels from IP addresses within the VPC and between the VPC and the internet.

Network Access Control Lists

Network access control lists (ACLs) operate on the subnet level and act like a firewall that controls what traffic can travel between the internet and the subnet. They can be attached to multiple subnets and cover all instances in each subnet. Note that separate allow and deny rules must be specified when creating network ACLs.

When deciding whether to let traffic through, network ACLs evaluate their rules one at a time in ascending rule-number order and act on the first rule that matches, whether it allows or denies. More care is therefore needed when writing network ACL rules, so that traffic is not accidentally allowed through by an earlier rule when a later rule would have blocked it.

Security Groups

Security groups are somewhat similar to network ACLs but operate at the instance level within a subnet, and are attached to individual instances when those instances are configured. Also, they only accept allow rules, not deny rules.

Another interesting difference is how security groups take rules into consideration. While network ACLs go through rules one at a time, security groups examine all rules together before allowing traffic through.
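The two evaluation models just described, first-match ordered rules for network ACLs versus any-match allow-only rules for security groups, as an added example that is not part of the original post. The rule sets and the RFC 5737 test addresses are constructed for illustration; the rule tuple layout and the `_matches`, `nacl_evaluate` and `sg_evaluate` helpers are this example's own, not an AWS API.

```python
from ipaddress import ip_address, ip_network

# Constructed inbound network ACL: (rule number, protocol, (low port, high port), source CIDR, action).
# Rule 200 is a broad SSH allow; rule 300 was meant to block one range but is shadowed by it.
NACL_RULES = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    (200, "tcp", (22, 22), "0.0.0.0/0", "allow"),
    (300, "tcp", (22, 22), "203.0.113.0/24", "deny"),
]

# Same intent, with the deny renumbered so it is evaluated before the broad allow.
FIXED_NACL_RULES = [(150 if n == 300 else n, p, pr, c, a) for n, p, pr, c, a in NACL_RULES]

# Constructed security group: allow rules only, (protocol, (low port, high port), source CIDR).
SG_RULES = [
    ("tcp", (443, 443), "0.0.0.0/0"),
    ("tcp", (22, 22), "198.51.100.0/24"),
]


def _matches(proto, port_range, cidr, pkt_proto, pkt_port, src_ip):
    """True when a rule's protocol, port range and source CIDR all cover the packet."""
    low, high = port_range
    return (proto in (pkt_proto, "all")
            and low <= pkt_port <= high
            and ip_address(src_ip) in ip_network(cidr))


def nacl_evaluate(rules, pkt_proto, pkt_port, src_ip):
    """Network ACL semantics: walk rules in ascending number order and act on the
    first match, allow or deny; the implicit '*' rule denies anything left over."""
    for number, proto, port_range, cidr, action in sorted(rules, key=lambda r: r[0]):
        if _matches(proto, port_range, cidr, pkt_proto, pkt_port, src_ip):
            return action, number
    return "deny", "*"


def sg_evaluate(rules, pkt_proto, pkt_port, src_ip):
    """Security group semantics: all rules are considered together and every rule is an
    allow, so the packet passes if any rule matches it; otherwise it is dropped."""
    allowed = any(_matches(proto, port_range, cidr, pkt_proto, pkt_port, src_ip)
                  for proto, port_range, cidr in rules)
    return "allow" if allowed else "deny"


if __name__ == "__main__":
    print(nacl_evaluate(NACL_RULES, "tcp", 22, "203.0.113.7"))        # ('allow', 200): deny shadowed
    print(nacl_evaluate(FIXED_NACL_RULES, "tcp", 22, "203.0.113.7"))  # ('deny', 150)
    print(sg_evaluate(SG_RULES, "tcp", 22, "203.0.113.7"))            # 'deny'
```

The first call shows the ordering pitfall from the network ACL section: rule 200 matches before rule 300 ever gets a chance, so the intended deny never fires until it is renumbered ahead of the allow.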

And there you have it! These are some of the basic concepts concerning Amazon’s VPC!
