Amazon Virtual Private Cloud
As I begin to cover some points of interest and considerations in Amazon Web Services, the first step is managing your network. Most of the time this topic is off your radar, since it is already configured by your infrastructure team, or your organization keeps living on the default VPC, but it is worth having a look at it, and it will help you diagnose your production bottlenecks more easily.
I'm not at all a fan of UI consoles, as they are usually sophisticated and sometimes offer less or more than you need, so I'll keep my hands on the CLI most of the time.
VPCs:
As the name stands for Virtual Private Cloud, it looks a lot like your on-premises data center (not exactly, but close enough).
A VPC is a virtual network in which virtual resources simulate a real physical network. If you have had hands-on experience with a Cisco environment, you will find these concepts familiar: in a VPC there are subnetworks, routers and so on. But do we always need all of them? No, we follow our needs; we don't eat without being hungry.
Let's start by creating our VPC:
aws ec2 create-vpc --cidr-block 172.30.0.0/22
With this command you get 1091 available IPs, excluding the 5 reserved ones. Now you need to add your subnets, a public one as well as a private one, but first you need the ec2:* or ec2:describe* privileges (I will talk about that in the IAM service post).
Given those permissions, you need your VPC identifier, which you can retrieve with the following command:
aws ec2 describe-vpcs
You will get a list of all your VPCs. The only thing you can remember about your VPC at this point is its CIDR block, so let's filter by it:
aws ec2 describe-vpcs --filters Name=cidr,Values=172.30.0.0/22
Looking at the result, you can pick out the VPC identifier:
{
    "Vpcs": [
        {
            "CidrBlock": "172.30.0.0/22",
            "DhcpOptionsId": "dopt-033de76a",
            "State": "available",
            "VpcId": "vpc-0eaa4f9224554c070",
            "OwnerId": "626540152810",
            "InstanceTenancy": "default",
            "CidrBlockAssociationSet": [
                {
                    "AssociationId": "vpc-cidr-assoc-0c87ae592b5760c8b",
                    "CidrBlock": "172.30.0.0/22",
                    "CidrBlockState": {
                        "State": "associated"
                    }
                }
            ],
            "IsDefault": false
        }
    ]
}
Now, using the VpcId, you can create your subnets. Private and public subnets are distinguished only by their route table: the public one routes inbound/outbound traffic through an internet gateway.
aws ec2 create-subnet --vpc-id vpc-0eaa4f9224554c070 --cidr-block 172.30.0.0/24
This statement creates the subnet in the first availability zone. Considering a VPC spanning three availability zones, each availability zone has its own subnets; for example, by re-running the above command you will get an error about a CIDR conflict (try it), because your network is interconnected by IP addresses, so these private IP ranges must be kept unique across the whole VPC.
By executing the following command you add the subnet in your desired availability zone:
aws ec2 create-subnet --vpc-id vpc-0eaa4f9224554c070 --cidr-block 172.30.2.0/24 --availability-zone eu-west-3b
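The CIDR conflict described above is cheap to catch before you call the API. The following added example (my own code, not part of the original post or of the AWS CLI) validates candidate subnet CIDRs against a VPC CIDR and the subnets already created: it rejects prefixes outside the /16 to /28 range AWS accepts for a subnet, anything outside the VPC block, and anything overlapping an existing subnet, and it builds the matching create-subnet command for each accepted block. The VPC id, CIDRs and availability zones are the ones from the post; the candidate list is constructed for the demonstration.

```python
import ipaddress

# AWS reserves the first four and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def usable_addresses(cidr: str) -> int:
    """Number of addresses you can actually assign inside one subnet."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, existing: list, candidates: list):
    """Check candidate subnet CIDRs against the VPC block and existing subnets.

    Returns (accepted, rejected): accepted is the list of CIDRs that are safe
    to create, in input order; rejected maps a CIDR to the reason it failed.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    taken = [ipaddress.ip_network(c) for c in existing]
    accepted, rejected = [], {}
    for cidr in candidates:
        net = ipaddress.ip_network(cidr)  # raises ValueError on host bits set
        if not 16 <= net.prefixlen <= 28:
            rejected[cidr] = f"/{net.prefixlen} is outside the allowed /16../28 range"
            continue
        if not net.subnet_of(vpc):
            rejected[cidr] = f"not inside VPC CIDR {vpc}"
            continue
        # Same failure create-subnet reports as a CIDR conflict: ranges must
        # be unique across the whole VPC, not just inside one AZ.
        clash = next((t for t in taken if net.overlaps(t)), None)
        if clash is not None:
            rejected[cidr] = f"overlaps existing subnet {clash}"
            continue
        taken.append(net)  # accepted blocks must not collide with each other either
        accepted.append(cidr)
    return accepted, rejected


def create_subnet_command(vpc_id: str, cidr: str, az: str = None) -> str:
    """Render the CLI call used in the post for one accepted block."""
    cmd = f"aws ec2 create-subnet --vpc-id {vpc_id} --cidr-block {cidr}"
    if az:
        cmd += f" --availability-zone {az}"
    return cmd


if __name__ == "__main__":
    # Constructed scenario: 172.30.0.0/24 already exists (first command in
    # the post); we now want the eu-west-3b subnet plus a few bad candidates.
    vpc_id = "vpc-0eaa4f9224554c070"
    accepted, rejected = plan_subnets(
        "172.30.0.0/22",
        ["172.30.0.0/24"],
        ["172.30.0.0/24", "172.30.2.0/24", "172.30.1.0/24", "172.30.8.0/24", "172.30.0.0/30"],
    )
    for cidr in accepted:
        print(create_subnet_command(vpc_id, cidr, "eu-west-3b"),
              f"# {usable_addresses(cidr)} usable addresses")
    for cidr, reason in rejected.items():
        print(f"skip {cidr}: {reason}")
```

Run it before each batch of create-subnet calls; every rejection it prints is one API error you do not have to interpret after the fact.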
Now you have one subnet per availability zone, and they are private inside the VPC; for example, an EC2 instance with 172.30.0.251 can now reach 172.30.2.93. These private subnets are the best choice for your DB servers, storage and internal services, but your website is meant to be accessed over the internet, or to reach an organizational server somewhere outside your network. So what happens if we keep everything in one private subnet? It is simply possible, but there is no advantage over having a separate public subnet, and there are some drawbacks: NAT always travels via the IGW, which is a good choice for managing outbound traffic, and separating these two concepts makes administration easier.
The public subnet is created by these three commands:
aws ec2 create-subnet --vpc-id vpc-0eaa4f9224554c070 --cidr-block 172.30.1.0/24 --availability-zone eu-west-3a
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --vpc-id vpc-0eaa4f9224554c070 --internet-gateway-id igw-0e44c31a9a68d468f
Note: the IGW is not part of your VPC itself, and it controls the VPC's inbound/outbound traffic. But if you now try to ping an instance in your VPC by its public address, you will get a timeout, as no subnet is configured to use the IGW yet, so let's do that by configuring the route table.
By default, every subnet you create is private and strictly closed. Now let's create our public route table by running these commands:
aws ec2 describe-subnets --filters Name=availability-zone,Values=*3a Name=vpc-id,Values=vpc-0eaa4f9224554c070
Once you have identified the subnet by its CIDR, run these commands to route your subnet through the IGW:
aws ec2 create-route-table --vpc-id vpc-0eaa4f9224554c070
aws ec2 create-route --route-table-id rtb-0fa21075899a15380 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-0e44c31a9a68d468f
aws ec2 associate-route-table --subnet-id subnet-03a9e58223c0b6997 --route-table-id rtb-0fa21075899a15380
Now your public subnet is connected to the internet. To reach your private subnets from it, you can use a bastion host, a NAT instance or a NAT gateway, depending on your needs. For example, if your database server will be used by an administrator via SSH or RDP, you can use a bastion host; in another scenario your SQL database server needs to be patched automatically, and to achieve that you can use a NAT gateway or a NAT instance. A NAT gateway is fully managed by Amazon and is guaranteed on most points such as availability and bandwidth; a NAT instance is like your own server and needs some monitoring and configuration.
Note: if you configure your VPC in the AWS console, you must configure a NAT or an Elastic IP, but as you see, depending on the need, the CLI is more flexible. You can do this via the API as well.
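Since "public" is purely a property of the route table, it is worth having a check that answers the question "which of my subnets are actually public?" from the describe output rather than from what you remember creating. The following added example (my own code, not from the original post or from AWS) classifies each subnet by the route table it resolves to, the explicitly associated one or, when there is none, the main route table, and reports a subnet as public when that table has an active 0.0.0.0/0 route to an igw-* gateway. The route table, IGW and subnet-03a9... ids are the ones from the post; the main table id, the other two subnet ids and the JSON shape are constructed to resemble `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` output.

```python
import copy

# Constructed sample data modelled on describe-subnets / describe-route-tables
# output (not captured from a real account). subnet-03a9... and the rtb/igw ids
# are from the post; the other ids are made up for the demonstration.
SUBNETS = [
    {"SubnetId": "subnet-0a0a0a0a0a0a0a0a1", "CidrBlock": "172.30.0.0/24", "AvailabilityZone": "eu-west-3a"},
    {"SubnetId": "subnet-03a9e58223c0b6997", "CidrBlock": "172.30.1.0/24", "AvailabilityZone": "eu-west-3a"},
    {"SubnetId": "subnet-0b0b0b0b0b0b0b0b2", "CidrBlock": "172.30.2.0/24", "AvailabilityZone": "eu-west-3b"},
]

ROUTE_TABLES = [
    {   # main route table: every subnet without an explicit association uses it
        "RouteTableId": "rtb-0main0000000000000",
        "Associations": [{"Main": True, "RouteTableId": "rtb-0main0000000000000"}],
        "Routes": [{"DestinationCidrBlock": "172.30.0.0/22", "GatewayId": "local", "State": "active"}],
    },
    {   # public route table created in the post, associated with the 3a subnet
        "RouteTableId": "rtb-0fa21075899a15380",
        "Associations": [{"Main": False, "SubnetId": "subnet-03a9e58223c0b6997",
                          "RouteTableId": "rtb-0fa21075899a15380"}],
        "Routes": [
            {"DestinationCidrBlock": "172.30.0.0/22", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0e44c31a9a68d468f", "State": "active"},
        ],
    },
]


def route_table_for(subnet_id: str, route_tables: list):
    """Explicitly associated table if any, otherwise the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt, False
            if assoc.get("Main"):
                main = rt
    return main, True  # True: the subnet inherits the main table


def has_igw_default_route(rt: dict) -> bool:
    """An active 0.0.0.0/0 route whose target is an internet gateway."""
    return any(
        r.get("DestinationCidrBlock") == "0.0.0.0/0"
        and r.get("GatewayId", "").startswith("igw-")
        and r.get("State") == "active"
        for r in rt.get("Routes", [])
    )


def classify_subnets(subnets: list, route_tables: list) -> dict:
    """Map SubnetId -> {cidr, public, route_table, inherits_main}."""
    report = {}
    for s in subnets:
        rt, inherited = route_table_for(s["SubnetId"], route_tables)
        report[s["SubnetId"]] = {
            "cidr": s["CidrBlock"],
            "public": rt is not None and has_igw_default_route(rt),
            "route_table": rt["RouteTableId"] if rt else None,
            "inherits_main": inherited,
        }
    return report


def public_subnet_ids(subnets: list, route_tables: list) -> list:
    return sorted(sid for sid, info in classify_subnets(subnets, route_tables).items() if info["public"])


def with_igw_on_main(route_tables: list, igw_id: str) -> list:
    """Copy of the tables with the IGW default route added to the main table.

    This is the misconfiguration to watch for: because unassociated subnets
    inherit the main table, one route there makes every such subnet public.
    """
    tables = copy.deepcopy(route_tables)
    for rt in tables:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            rt["Routes"].append({"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": igw_id, "State": "active"})
    return tables


if __name__ == "__main__":
    for sid, info in classify_subnets(SUBNETS, ROUTE_TABLES).items():
        print(sid, info)
    print("public (as built in the post):", public_subnet_ids(SUBNETS, ROUTE_TABLES))
    print("public if the IGW route lands on the main table:",
          public_subnet_ids(SUBNETS, with_igw_on_main(ROUTE_TABLES, "igw-0e44c31a9a68d468f")))
```

Feed it the real JSON from `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` (the `Subnets` and `RouteTables` arrays) and the report tells you which subnets face the IGW and which ones only do so because they inherit the main table. A public route is necessary but not sufficient for reachability: the instance still needs a public or Elastic IP and a security group that permits the traffic, which is why the ping in the note above times out until all of that is in place.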