AWS Virtual Private Cloud

Hi Everyone, in this article, we're going to understand what an AWS VPC is and the core elements that constitute an AWS VPC.

Introduction:

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.

In other words, a VPC is a master address range in the Amazon Cloud that you then split into smaller subnets.

VPC Elements:

A VPC is made up of the following elements:

1) Subnets: a range of IP addresses in your VPC.

2) Route tables: a set of rules, called routes, that determine where network traffic is directed.

3) Internet Gateways: a VPC component that allows communication between instances in your VPC and the internet.

4) Elastic IPs: a public IPv4 address that is reachable from the internet and can be assigned to your instance.

5) Endpoints: let you privately connect your VPC to supported AWS services.

6) NAT (Network Address Translation): enables instances in a private subnet to connect to the internet or other AWS services while preventing the internet from initiating a connection with those instances.

7) VPC Peering: a networking connection between two VPCs that enables you to route traffic between them using private IPv4 addresses or IPv6 addresses.

8) Network ACLs: an optional layer of security for your VPC that acts as a firewall controlling traffic in and out of one or more subnets. You can set up network ACLs with rules similar to your security groups to add a further layer of security to your VPC.

9) Security Groups: act as a virtual firewall for your instances to control inbound and outbound traffic.

10) VPN: AWS Virtual Private Network solutions establish secure connections between your on-premises networks, remote offices, client devices, and the AWS global network.

11) Elastic Network Interfaces (ENI): the equivalent of a network card attached to an instance.

12) DHCP (Dynamic Host Configuration Protocol): passes IP-related configuration parameters to the machines in the VPC.

13) ClassicLink: allows you to link EC2-Classic instances to a VPC in your account within the same Region. You only need to associate VPC security groups with the EC2-Classic instance; this enables communication between your EC2-Classic instance and instances in your VPC using private IPv4 addresses.

ClassicLink is available to all users with accounts that support the EC2-Classic platform, and can be used with any EC2-Classic instance.
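Items 8 and 9 above are the two filtering layers of a VPC, and they behave differently: a network ACL sits at the subnet boundary, is stateless and evaluates numbered rules in order with an implicit deny at the end, while a security group sits on the instance, is stateful and has allow rules only. The following model of one SSH connection is an added example, not code from the article; the rule sets and the addresses (198.51.100.7 as the admin workstation, 10.0.0.25 as the instance) are constructed. It shows the classic pitfall: an ACL that allows SSH in but has no outbound rule for the client's ephemeral port silently drops the reply, whereas the security group lets the reply through because it tracks the connection.

```python
"""Stateless network ACL vs stateful security group, modelled on one SSH flow.

Constructed illustration: rule sets and addresses are made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ADMIN = "198.51.100.7"   # constructed admin workstation
INSTANCE = "10.0.0.25"   # constructed instance private IP


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    cidr: IPv4Network
    port_from: int
    port_to: int
    action: str = "allow"     # network ACLs may also say "deny"
    number: int = 0           # evaluation order; unused by security groups
    proto: str = "tcp"

    def matches(self, remote_ip: str, port: int, proto: str) -> bool:
        return (self.proto == proto and ip_address(remote_ip) in self.cidr
                and self.port_from <= port <= self.port_to)


class NetworkAcl:
    """Subnet-level, stateless: inbound and outbound are judged independently,
    rules are tried in ascending number order, the first match decides, and an
    unmatched packet hits the implicit deny (AWS shows it as rule '*')."""

    def __init__(self, inbound: list[Rule], outbound: list[Rule]):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _first_match(rules, remote_ip, port, proto) -> bool:
        for r in rules:
            if r.matches(remote_ip, port, proto):
                return r.action == "allow"
        return False  # implicit deny

    def allows_inbound(self, p: Packet) -> bool:
        return self._first_match(self.inbound, p.src_ip, p.dst_port, p.proto)

    def allows_outbound(self, p: Packet) -> bool:
        return self._first_match(self.outbound, p.dst_ip, p.dst_port, p.proto)


class SecurityGroup:
    """Instance-level, stateful: allow rules only, all evaluated together, and a
    reply to an already-allowed flow is permitted without an explicit rule."""

    def __init__(self, inbound: list[Rule], outbound: list[Rule]):
        self.inbound, self.outbound = inbound, outbound
        self._tracked: set[tuple] = set()   # 5-tuples of allowed flows

    def allows_inbound(self, p: Packet) -> bool:
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto) in self._tracked:
            return True                      # reply to a tracked outbound flow
        ok = any(r.matches(p.src_ip, p.dst_port, p.proto) for r in self.inbound)
        if ok:
            self._tracked.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto))
        return ok

    def allows_outbound(self, p: Packet) -> bool:
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto) in self._tracked:
            return True                      # reply to a tracked inbound flow
        ok = any(r.matches(p.dst_ip, p.dst_port, p.proto) for r in self.outbound)
        if ok:
            self._tracked.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto))
        return ok


def build_security_group() -> SecurityGroup:
    # SSH in from the admin /32 only; deliberately no outbound rules, so the
    # reply can only pass thanks to connection tracking.
    return SecurityGroup(inbound=[Rule(ip_network(ADMIN + "/32"), 22, 22)], outbound=[])


def build_nacl(with_ephemeral_rule: bool) -> NetworkAcl:
    inbound = [Rule(ip_network(ADMIN + "/32"), 22, 22, number=100)]
    outbound = []
    if with_ephemeral_rule:
        # Replies leave on the client's ephemeral port, so a stateless ACL needs
        # an explicit outbound allow for that range.
        outbound.append(Rule(ip_network("0.0.0.0/0"), 1024, 65535, number=100))
    return NetworkAcl(inbound, outbound)


def ssh_session(nacl: NetworkAcl, sg: SecurityGroup, client_ip: str = ADMIN) -> tuple[bool, bool]:
    """(request admitted, reply admitted) for one SSH connection attempt.
    Inbound passes the subnet ACL before the instance's security group; the
    reply passes the security group and then the ACL on the way out."""
    request = Packet(client_ip, 50123, INSTANCE, 22)
    reply = Packet(INSTANCE, 22, client_ip, 50123)
    request_ok = nacl.allows_inbound(request) and sg.allows_inbound(request)
    reply_ok = request_ok and sg.allows_outbound(reply) and nacl.allows_outbound(reply)
    return request_ok, reply_ok


if __name__ == "__main__":
    print(ssh_session(build_nacl(True), build_security_group()))                   # (True, True)
    print(ssh_session(build_nacl(False), build_security_group()))                  # (True, False)
    print(ssh_session(build_nacl(True), build_security_group(), "203.0.113.9"))   # (False, False)
```

The third call shows the shared behaviour: a source not listed in either layer is refused at the ACL before the security group is even consulted. The second call is the one to remember when a connection "hangs" after the SYN gets in: the ACL's outbound side needs its own ephemeral-port allow, the security group does not.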

The diagram below shows how each of these elements fits into the AWS VPC structure and what it does.


Difference between NAT & Internet Gateway:

Attaching an internet gateway (IGW) to a VPC allows instances with public IPs to access the internet, while a NAT gateway allows instances without public IPs to reach the internet, without letting the internet initiate connections to them.


Important Terms:

Bastion Server: a bastion host acts as a jump host, or a reverse proxy. It is generally an instance running in a public subnet within your VPC, with ingress rules for the SSH or RDP protocols, and from it you jump to other instances within your VPC.

This means we connect to the bastion host using one of these secure protocols and, once we are authenticated and assuming the bastion host has the correct routes enabled, we can connect to other resources within the VPC from that bastion host. So a bastion host allows secure connections into your VPC.
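The route tables, the IGW/NAT distinction and the bastion pattern above all come down to one lookup: which next hop a subnet's route table returns for a destination. The following model is an added example, not code from the article; the VPC range 10.0.0.0/16, the igw-EXAMPLE and nat-EXAMPLE ids, and the host addresses are constructed placeholders. It carves the VPC into subnets, implements the longest-prefix-match lookup AWS route tables use, and then shows why the bastion in the public subnet is reachable from the internet, why the application host behind the NAT gateway is not, and why the bastion can still reach it over the VPC-local route.

```python
"""Routing model for a VPC split into a public and a private subnet.

Constructed illustration: CIDRs, gateway ids and host addresses are made up.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

VPC_CIDR = ip_network("10.0.0.0/16")          # constructed "master" range
INTERNET = ip_network("0.0.0.0/0")
IGW_ID, NAT_ID = "igw-EXAMPLE", "nat-EXAMPLE"  # placeholder gateway ids


def carve_subnets(vpc: IPv4Network, new_prefix: int = 24) -> list[IPv4Network]:
    """Split the VPC range into equal subnets (the 'smaller subnets')."""
    return list(vpc.subnets(new_prefix=new_prefix))


@dataclass
class Route:
    destination: IPv4Network
    target: str  # "local", an igw-... id or a nat-... id


@dataclass
class RouteTable:
    name: str
    routes: list[Route] = field(default_factory=list)

    def lookup(self, dst: IPv4Address) -> Optional[str]:
        """Most specific matching prefix wins, as in AWS route tables."""
        matches = [r for r in self.routes if dst in r.destination]
        if not matches:
            return None
        return max(matches, key=lambda r: r.destination.prefixlen).target


@dataclass
class Instance:
    name: str
    private_ip: IPv4Address
    route_table: RouteTable
    public_ip: Optional[IPv4Address] = None   # Elastic IP / auto-assigned public IPv4


def build_route_tables(vpc: IPv4Network) -> tuple[RouteTable, RouteTable]:
    """Public table: default route to the IGW. Private table: default route to the NAT."""
    public = RouteTable("public", [Route(vpc, "local"), Route(INTERNET, IGW_ID)])
    private = RouteTable("private", [Route(vpc, "local"), Route(INTERNET, NAT_ID)])
    return public, private


def egress_next_hop(inst: Instance, dst: str) -> Optional[str]:
    """Where an outbound packet from `inst` to `dst` is sent."""
    return inst.route_table.lookup(ip_address(dst))


def internet_can_initiate(inst: Instance) -> bool:
    """An unsolicited connection from the internet reaches an instance only if it
    has a public IP and its subnet's default route is an internet gateway (the
    IGW maps that public IP one-to-one onto the private IP). A NAT gateway only
    translates flows the instance itself started, so nothing behind it is reachable."""
    hop = inst.route_table.lookup(ip_address("203.0.113.10"))  # any internet host
    return inst.public_ip is not None and hop is not None and hop.startswith("igw-")


def can_reach(src: Instance, dst: Instance) -> bool:
    """Inside the VPC the 'local' route covers every subnet, so a bastion in the
    public subnet reaches a private-subnet instance directly."""
    return src.route_table.lookup(dst.private_ip) == "local"


def build_demo() -> tuple[Instance, Instance]:
    """Bastion in the public subnet, application host in the private subnet."""
    public_subnet, private_subnet = carve_subnets(VPC_CIDR)[:2]   # 10.0.0.0/24, 10.0.1.0/24
    public_rt, private_rt = build_route_tables(VPC_CIDR)
    bastion = Instance("bastion", public_subnet[10], public_rt,
                       public_ip=ip_address("198.51.100.25"))     # constructed Elastic IP
    app = Instance("app", private_subnet[10], private_rt)
    return bastion, app


if __name__ == "__main__":
    bastion, app = build_demo()
    print("bastion egress to 8.8.8.8 ->", egress_next_hop(bastion, "8.8.8.8"))  # igw-EXAMPLE
    print("app egress to 8.8.8.8     ->", egress_next_hop(app, "8.8.8.8"))      # nat-EXAMPLE
    print("internet -> bastion:", internet_can_initiate(bastion))               # True
    print("internet -> app:    ", internet_can_initiate(app))                   # False
    print("bastion -> app:     ", can_reach(bastion, app))                      # True
```

The `local` route is what makes the jump work: the bastion's table resolves the private instance's address to `local`, while the internet side only ever sees the bastion's public IP. Swapping the private subnet's default route to the IGW, or giving the application host a public IP, is exactly what turns `internet_can_initiate(app)` true, which is the misconfiguration this layout exists to avoid.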


ENI: a virtual network interface attached to an instance. Additional ENIs can be attached, which allows dual-homing: a single EC2 instance attached to two ENIs, each in a distinct subnet, for example one ENI in a public subnet and the second in a private subnet.

Each ENI lives within a particular subnet of the VPC (and hence within a particular Availability Zone) and has the following attributes:

• a primary private IPv4 address

• one or more secondary private IPv4 addresses

• one Elastic IP address per private IPv4 address

• one public IPv4 address, which can be auto-assigned to the network interface for eth0 when you launch an instance

• one or more IPv6 addresses

• one or more security groups

• a MAC address

• a source/destination check flag

• a description

DHCP: the Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. The options field of a DHCP message contains configuration parameters, including the domain name, the domain name server and the netbios-node-type.

VPC Peering: VPC peering uses the existing AWS infrastructure and does not have to traverse the internet for access between the two regions. This gives you the best throughput, security, and infrastructure redundancy, since it is using the AWS internal infrastructure. Using the AWS backbone is inherently more secure as it is not internet accessible.

Hope this article helped you understand the concept of AWS VPC and the different constituents of it. Thanks for reading!
