Amazon VPC Essentials: Everything You Need to Know About Virtual Private Clouds
Introduction
Amazon Virtual Private Cloud (VPC) is a service that lets you create a secure and customizable network in the AWS cloud. With a VPC, you have full control over your virtual network: you define the IP address range, carve it into smaller networks called subnets, and control the network environment by defining access rules, setting up firewalls, and configuring security groups to manage who can access your resources and how they can communicate.
To connect your VPC to the internet or to other networks, you set up gateways or routers. These act as the entry and exit points for traffic.
VPC Components: Building Blocks of Your Virtual Network
Subnet
A subnet is a smaller network within your VPC that has a specific range of IP addresses. Each subnet is located in one Availability Zone. After you create subnets, you can put AWS resources like servers and databases in your VPC, organizing and managing them more efficiently.
IP Address
An IP address is a unique address for a device connected to a network.
You can assign both IPv4 and IPv6 addresses to a VPC and to the subnets within it. Resources that use these addresses include:
EC2 Instances: VMs that run applications can use these IP addresses to communicate over the internet.
NAT Gateways: Devices that enable instances in private subnets to connect to the internet can use these IP addresses for routing traffic.
Network Load Balancers: Tools that distribute incoming traffic across multiple targets (like EC2 instances) can use these IP addresses to ensure efficient traffic.
Route Tables
A route table contains a set of rules (routes) that determine where network traffic is directed. Each subnet must be associated with a route table, and these rules define how traffic should flow within your VPC and outside of it.
Public Subnets: Create a route table that sends traffic from your public subnet to the internet through an Internet Gateway.
Private Subnets: The route table directs traffic to a NAT Gateway, which allows instances in the private subnet to access the internet without exposing them to inbound internet traffic.
Internet Gateway
A gateway connects your VPC to another network. For example, an internet gateway connects your VPC to the internet.
The Internet Gateway (IGW) is a VPC component that allows resources in a public subnet (such as load balancers and NAT gateways) to reach the internet.
Whenever a user tries to access resources in the VPC from the internet, the request enters the VPC through the IGW.
NAT Gateway
A NAT (Network Address Translation) Gateway allows instances in a private subnet to connect to the internet. The NAT gateway masks the IP addresses of the resources in the private subnet when they access the internet. This is useful for instances that need to download updates or access services on the internet while remaining protected from inbound traffic.
NACL
A Network Access Control List (NACL) is a set of rules that acts as a stateless firewall to control incoming and outgoing traffic at the subnet level in your Virtual Private Cloud (VPC). If you want to apply the same rules to all the instances in a particular subnet, use a NACL.
Features of NACLs
Inbound and Outbound Rules: NACLs have separate rules for inbound and outbound traffic. Each rule either allows or denies traffic based on IP addresses, protocols, and port numbers.
Numbered Rules: Rules in a NACL are numbered, and they are evaluated in ascending order. The first rule that matches the traffic is applied, so the order of rules is crucial.
Default NACL: By default, a NACL denies all inbound and outbound traffic.
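To make the numbered, first-match, stateless semantics concrete, here is an added Python example (not from the original page or any AWS library) that evaluates a constructed NACL for a public web subnet; `NaclRule`, `evaluate` and `https_session` are hypothetical names chosen for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class NaclRule:
    number: int       # evaluation order: the lowest number is checked first
    protocol: str     # "tcp", "udp" or "all"
    cidr: str         # source CIDR (inbound rule) or destination CIDR (outbound rule)
    port_from: int
    port_to: int
    action: str       # "allow" or "deny"

def evaluate(rules, proto, addr, port):
    """Decide one packet the way a NACL does: rules are tried in ascending
    number and the first match wins; if nothing matches, the implicit
    final '*' rule denies the packet."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", proto):
            continue
        if ip_address(addr) not in ip_network(rule.cidr):
            continue
        if rule.protocol != "all" and not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action
    return "deny"

# Constructed NACL for a public web subnet: HTTPS in, replies out.
INBOUND = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
OUTBOUND = [
    # NACLs are stateless, so the server's reply to the client's ephemeral
    # port must be allowed explicitly; without this rule the session stalls.
    NaclRule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),
]

def https_session(inbound, outbound, client_ip, client_port):
    """Return (request decision, reply decision) for one HTTPS session."""
    request = evaluate(inbound, "tcp", client_ip, 443)
    reply = evaluate(outbound, "tcp", client_ip, client_port)
    return request, reply

if __name__ == "__main__":
    print(https_session(INBOUND, OUTBOUND, "203.0.113.10", 50000))  # ('allow', 'allow')
    print(https_session(INBOUND, [], "203.0.113.10", 50000))        # ('allow', 'deny')
    # Rule order: a deny numbered below the allow wins; one numbered above it never runs.
    early = NaclRule(90, "tcp", "203.0.113.0/24", 443, 443, "deny")
    late = NaclRule(200, "tcp", "203.0.113.0/24", 443, 443, "deny")
    print(evaluate(INBOUND + [early], "tcp", "203.0.113.10", 443))  # deny
    print(evaluate(INBOUND + [late], "tcp", "203.0.113.10", 443))   # allow
```

The second `https_session` call shows the classic stateless mistake: the request is allowed but the reply is dropped because no outbound rule covers the client's ephemeral port.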
Security Groups
A security group acts as a stateful virtual firewall for instances (EC2 instances or other resources) within a VPC. It controls inbound and outbound traffic at the instance level. Security groups allow you to define rules that permit or restrict traffic based on protocols, ports, and IP addresses.
By default, a security group allows all outbound traffic and denies all inbound traffic.
Endpoints
VPC Endpoints enable private connections between your VPC and supported AWS services without requiring internet access, NAT Gateways, or VPN connections.
VPC Flow Logs
VPC Flow Logs capture information about all incoming traffic to your VPC and all outbound traffic from it.
This data can be used for monitoring, troubleshooting, and security analysis.
VPC peering
A VPC peering connection is a link that enables communication between two VPCs.
Transit Gateways
A transit gateway acts as a central hub that routes traffic between your VPCs and VPN connections.
VPN Connections
To connect your VPC to an on-premises network, use a VPN connection.