VPC

Virtual Private Cloud

Contents

• CIDR , Private IP and Public IP
• VPC Overview
• Subnet
• Internet Gateways and Route Table
• Process To create a VPC in AWS
• Bastion Hosts

CIDR

CIDR, which stands for Classless Inter-Domain Routing, is a system used to allocate and manage IP addresses on the Internet. It is a method of IP address assignment and routing that allows for more efficient utilization of available address space.

Traditionally, IP addresses were divided into classes (Class A, Class B, and Class C) based on their network size. However, this class-based system was inefficient because it allocated large blocks of addresses to organizations, resulting in a significant waste of IP addresses.

CIDR was introduced to address this issue. It is a flexible addressing scheme that allows for the allocation of IP addresses in variable-sized blocks. With CIDR, an IP address consists of two parts: the network prefix and the host identifier. The network prefix determines the network portion of the IP address, while the host identifier specifies the particular device within that network.

CIDR notation represents the network prefix by appending a slash (/) followed by a number to the IP address. The number represents the number of network bits in the prefix.

CIDR allows for more efficient allocation of IP addresses because it enables subnetting and supernetting. Subnetting involves dividing a larger network into smaller subnetworks, allowing organizations to allocate addresses based on their specific needs. Supernetting, on the other hand, combines multiple smaller networks into a larger network, reducing the routing table entries and simplifying routing protocols.

CIDR has become the prevalent method for IP address allocation and routing on the Internet. It has significantly contributed to the conservation of IP address space and the efficient routing of network traffic.

Example:

Consider an IP address 10.0.0.0/16, which indicates a network with a 16-bit network prefix. Subtracting the prefix length from the total number of bits (32 - 16 = 16) gives us the number of bits available for the host identifier. Since 2^16 equals 65,536, the subnet 10.0.0.0/16 will consist of 65,536 IP addresses.

Now, let's consider the subnet 10.0.0.0/30, where the network prefix is 30 bits. Subtracting 30 from 32 (32 - 30 = 2) gives us the number of bits available for the host identifier. Since 2^2 equals 4, the subnet 10.0.0.0/30 will consist of 4 IP addresses.

Note: It's important to mention that AWS VPC allows a maximum of 65,536 IP addresses to be assigned to a single subnet.

In AWS VPC, 5 IP addresses are reserved for addressing purposes and future use within a subnet. These reserved IP addresses are not available for assignment to individual instances or resources within the subnet. They are set aside for specific network requirements and potential expansion needs.

Here is the table for Reference.

Private IP and Public IP

Private IP and public IP are two types of IP addresses used in computer networks, including the Internet.

Private IP: A private IP address is an IP address that is assigned to devices within a private network, such as a local area network (LAN) or a home network. Private IP addresses are not routable on the public Internet, meaning they cannot be directly accessed or communicated with from outside the private network. They are used for internal communication within the network and are not unique globally. Private IP address ranges are defined in RFC 1918 and include the following commonly used ranges:

• 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)
• 10.16.0.0 to 10.31.255.255 (172.16.0.0/12)
• 10.0.0.0 to 10.0.255.255 (192.168.0.0/16)

Public IP: A public IP address is an IP address that is globally unique and routable on the Internet. It is assigned to devices or resources that require direct communication with external networks or the Internet. Public IP addresses allow these devices to send and receive data to and from the Internet. Public IP addresses can be obtained from Internet service providers (ISPs) or cloud service providers. They are essential for hosting websites, running servers, or accessing resources from outside the private network.

Note: private IP addresses are used for internal network communication, while public IP addresses are necessary for external communication with the Internet.

VPC Overview

Virtual Private Cloud (VPC) provides networking functionality to Compute Engine virtual machine (VM) instances, Kubernetes Engine clusters, and the App Engine flexible environment. VPC provides networking for your cloud-based resources and services that is global, scalable, and flexible.

You can think of a VPC network the same way you'd think of a physical network, except that it is virtualized within Cloud. A VPC network is a global resource that consists of a list of regional virtual subnetworks (subnets) in data centers, all connected by a global wide area network. VPC networks are logically isolated from each other in Cloud.

The following diagram shows an example VPC. The VPC has one subnet in each of the Availability Zones in the Region, EC2 instances in each subnet, and an internet gateway to allow communication between the resources in your VPC and the internet.

Subnets

A subnet is a range of IP addresses in your VPC. A subnet must reside in a single Availability Zone. After you add subnets, you can deploy AWS resources in your VPC.

IP addressing

You can assign IP addresses, both IPv4 and IPv6, to your VPCs and subnets. You can also bring your public IPv4 and IPv6 GUA addresses to AWS and allocate them to resources in your VPC, such as EC2 instances, NAT gateways, and Network Load Balancers.

Routing

Use route tables to determine where network traffic from your subnet or gateway is directed.

Internet Gateway

It is used to connect VM’s or Database to Internet so it can talk to each other.

Availability Zone

Each region consist of three AZ’s in AWS which is typically a Datacenter placed far to one another in a same region.

Internet Gateways and Route Table

Internet Gateways and Route Table

In AWS VPC, an internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. It therefore imposes no availability risks or bandwidth constraints on your network traffic.

An internet gateway serves two purposes: to provide a target in your VPC route tables for internet-routable traffic, and to perform network address translation (NAT) for instances that have been assigned public IP addresses. This enables instances in your VPC to communicate with the internet, and vice versa.

To use an internet gateway, you must attach it to your VPC. This will create a default route from your VPC to the internet gateway. Once the internet gateway is attached, you can create additional routes to specify which traffic should be routed through the internet gateway.

A route table is a set of rules that are used to determine where network traffic from your subnet or gateway is directed. Each subnet in your VPC must be associated with a route table, which controls the traffic routing for that subnet. By default, all subnets in a VPC use the main route table, but you can create additional route tables if necessary.

In order for traffic to flow between subnets in your VPC or between your VPC and the internet, you must configure the appropriate routes in your route tables. If you want instances in your VPC to communicate with the internet, you must create a default route in the route table that directs traffic to the internet gateway.

The following diagram shows the routing for a VPC with an internet gateway, a virtual private gateway, a public subnet, and a VPN-only subnet.

In summary, internet gateways and route tables are essential components of a VPC that allow instances to communicate with the internet and with other instances in the VPC.

Process To create a VPC in AWS

• Select a region here I chose my VPC to be in Mumbai.
• Go to VPC Section in that region
• Create a VPC

• Define a IP CIDR range ex 10.0.0.0/16
• Create a subnet in the VPC.

• Create public and private subnet make sure IP address CIDR does’t overlap.

• For Ex: 1)10.0.0.0/24 2)10.0.1.0/24 → for public IP
• For Ex: 1)10.0.0.0/20 2)10.1.0.0/20 → for private IP

Total Range is 65536

Public Subnet A - 256 Range

10.0.0.0 - 10.0.0.255

Public Subnet B - 256 Range

10.0.1.0 - 10.0.1.255

Private Subnet A - 4096 Range

10.0.16.0 - 10.0.31.255

Private Subnet B - 4096 Range

10.0.32.0 - 10.0.47.255

• Create a bastion server(VM) in public subnet
• Create a private instance(VM) in private subnet

• Configure Route Table and Internet Gateway.

• Create a Internet gateway and attach it to VPC.
• In Route table create public route and private route, Because to give explicit access to internet to public subnet.

• Now subnet association needs to done to respective route table.

• Edit routes in public route and give allow 0.0.0.0/0 using InternetGateway. With this anyone can access the bastion server or any server placed in public subnet.

• SSH to your Bastion server and again SSH to your private instance using private IP.
• Now you can access Your Private Instance (VM) from Bastion server from the help of SSH

Reference of the architecture being created.

Above I have used the word Bastion server so what is it?

Bastion Host

With the help of Bastion server we can access VM or Database which is in Private Subnet.

Reserved IPs

For AWS to configure your VPC appropriately, AWS reserves five IP addresses in each subnet. These IP addresses are used for routing, Domain Name System (DNS), and network management.

For example, consider a VPC with the IP range 10.0.0.0/22. The VPC includes 1,024 total IP addresses. This is then divided into four equal-sized subnets, each with a /24 IP range with 256 IP addresses. Out of each of those IP ranges, there are only 251 IP addresses that can be used because AWS reserves five.

The five reserved IP addresses can impact how you design your network. A common starting place for those who are new to the cloud is to create a VPC with an IP range of /16 and create subnets with an IP range of /24. This provides a large amount of IP addresses to work with at both the VPC and subnet levels.

Conclusion

VPC offer businesses secure, scalable, and cost-effective network environments in the cloud, enabling customization, flexibility, and enhanced security for optimized operations and digital transformation.