Hi folks! Welcome to Day 7 of 100 Days of AWS🎯, where we cover the complete AWS cloud from beginner to professional. Today we expand our horizons in the AWS cloud by understanding the purpose of a VPC, how the CIDR value should be declared for a VPC and its subnets, what subnets are and their types, how a gateway device or service enables communication between networks and the gateway types, route tables, and finally how to connect on-prem resources to an AWS VPC. Let’s get started🚀!
Day 6 Overview;
On Day 6 we discussed AWS’ Global Infrastructure extensively: selecting a region that matches the application workload, ensuring your application is highly available and fault tolerant by deploying in multiple Availability Zones, enhancing user experience and reducing latency by leveraging Edge Locations and Local Zones, and the difference between an Edge Location and a Local Zone. If you'd like to read more about this topic, click the link here.
Why VPC?
AWS operates a shared infrastructure model where multiple customers’ workloads can run on the same physical servers, network devices, and storage devices. An obvious question follows: is the application workload deployed on my EC2 instance accessible to another customer’s EC2 instance, since they run on the same devices? If that happened, my application’s privacy would be lost, and there would also be a chance of the resource being mishandled.
AWS uses virtualization technologies such as Xen and the AWS Nitro system to provide logical separation between customer instances running on the same physical hardware. In addition, when EC2 instances are launched they are placed in the customer’s own VPC (Virtual Private Cloud), which logically isolates the network environment for your resources and provides private networking, subnets, and security groups to secure your resources and prevent other customers from accessing your infrastructure.
Virtual Private Cloud (VPC);
A VPC is a secure, isolated network segment hosted within AWS.
It isolates your computing resources from the other computing resources available in the cloud.
It gives the customer full control over networking in the cloud, such as:
Subnetting (IP address)
Routing (Route Table)
Firewalls (NACL’s and Security Group)
Gateways
By default, every AWS account has a default VPC in every region, with an Internet connection, for faster and easier creation of certain AWS resources.
A VPC is specific to a single Region, meaning that a VPC created in one region is not spanned across multiple regions.
Multiple VPCs;
Customers can also create new VPCs in addition to the default one for their own use cases. Generally, most people and organizations create a VPC for each stage and also for individual projects.
By default, one VPC cannot communicate with another VPC.
CIDR;
A VPC also assigns IP addresses to the resources created within it using the CIDR (Classless Inter-Domain Routing) block assigned to the VPC, so that IP addresses are assigned only within this range.
The VPC CIDR block size can be between /16 and /28.
Once the CIDR block is assigned to the VPC, the subnets created within the VPC must reside within the VPC’s CIDR block range.
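To make the CIDR rules above concrete, here is an added example (not from the original post) that checks a constructed VPC layout: the VPC block must be /16 to /28, every subnet must sit inside the VPC block, and no two subnets may overlap. It also goes one step beyond the text by counting usable addresses, since AWS reserves the first four and the last address of every subnet; the VPC and subnet values are assumptions made up for the demo.

```python
import ipaddress

# Constructed VPC layout for this example (not from the page).
VPC_CIDR = "10.0.0.0/16"
SUBNET_CIDRS = ["10.0.0.0/24", "10.0.1.0/24", "10.0.1.128/25", "10.1.0.0/24"]

# AWS allows VPC and subnet blocks from /16 (65,536 addresses) down to /28 (16 addresses).
MIN_PREFIX, MAX_PREFIX = 16, 28


def check_vpc_cidr(cidr):
    """True if the block is a valid VPC size; strict=True rejects host bits set, e.g. 10.0.0.1/16."""
    net = ipaddress.ip_network(cidr, strict=True)
    return MIN_PREFIX <= net.prefixlen <= MAX_PREFIX


def usable_hosts(cidr):
    """Addresses left for resources: AWS reserves the first four and the last address of a subnet."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 5


def check_subnets(vpc_cidr, subnet_cidrs):
    """Map each subnet to a list of problems; an empty list means it can be created in the VPC."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = [ipaddress.ip_network(s, strict=True) for s in subnet_cidrs]
    report = {}
    for i, net in enumerate(nets):
        problems = []
        if not net.subnet_of(vpc):
            problems.append("outside VPC CIDR")          # breaks the rule stated in the text
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            problems.append("prefix must be /16 to /28")
        for j, other in enumerate(nets):
            if j != i and net.overlaps(other):           # two subnets cannot share addresses
                problems.append(f"overlaps {other}")
        report[str(net)] = problems
    return report


if __name__ == "__main__":
    print("VPC block OK:", check_vpc_cidr(VPC_CIDR))
    for subnet, problems in check_subnets(VPC_CIDR, SUBNET_CIDRS).items():
        print(subnet, usable_hosts(subnet), "usable hosts,", problems or "OK")
```

Running it flags 10.1.0.0/24 as outside the VPC and the two 10.0.1.x subnets as overlapping, while 10.0.0.0/24 passes with 251 usable addresses.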
Subnet;
A subnet is a range of IP addresses in your VPC. You create AWS resources, such as EC2 instances, in specific subnets.
Each subnet must reside entirely within one Availability Zone and cannot span zones. By launching AWS resources in separate subnets that are in different Availability Zones, you protect your resources from the failure of a single Availability Zone, making your infrastructure highly available.
When creating a resource you select, either manually or automatically, the subnet it is deployed into, and the subnet determines the Availability Zone.
When you create a subnet you specify its IP addressing type, depending on the VPC’s configuration. The options are:
IPv4 only
Dual stack
IPv6 only
Types of subnets;
Depending on the external access available to the resources within them and on how you configure routing, subnets are divided into two types:
Public Subnet
Private Subnet
Public Subnet,
Resources in a public subnet can access the Internet and also receive inbound traffic from the Internet. The subnet has a direct route to an Internet Gateway.
An example of a resource created in a public subnet is an EC2 web server.
Private Subnet,
Resources in a private subnet have no direct connection to the Internet. This is the most secure option: the resources are accessible only within the VPC.
Resources in a private subnet require a NAT device to access the public Internet, and the subnet does not have a direct route to an Internet Gateway.
Gateways;
A gateway is a networking device or service that enables communication between different networks. AWS provides several types of gateway to facilitate different kinds of network connectivity.
Types of Gateway,
Internet Gateway,
Allows instances with a public IP to access the Internet.
A route in the subnet’s route table whose target is an Internet Gateway attached to the VPC makes the subnet public.
NAT Gateway,
Allows instances with no public IP to access the Internet.
It serves as a Network Address Translation device, enabling outbound access for resources in a private subnet while ensuring that inbound traffic from the Internet cannot initiate a connection to those resources.
Transit Gateway,
An AWS Transit Gateway is a network service that acts as a central hub to manage and route traffic between multiple VPCs, on-premises networks, and VPN connections.
It simplifies the networking architecture by consolidating multiple VPC connections into a single point of management, reducing the complexity of peering many VPCs.
It follows a hub-and-spoke model where the Transit Gateway acts as the hub and each VPC (or other network attachment, such as a VPN or Direct Connect) acts as a spoke.
Customer Gateway,
A Customer Gateway is a physical or software appliance located on the customer’s side of a VPN connection between their on-premises network and AWS.
It is the gateway device required for connecting a customer’s on-premises network or data center to a Virtual Private Cloud (VPC) in AWS using a VPN or AWS Direct Connect.
Virtual Private Gateway,
A Virtual Private Gateway is the AWS-side component of a VPN or AWS Direct Connect connection.
It is a managed device in AWS that enables secure communication between an AWS VPC and an on-premises network through the Customer Gateway.
Route Table;
A route table is a set of rules, known as routes, that determine where network traffic from your VPC is directed.
Each route specifies a destination CIDR block and the next hop (target) for traffic that matches that destination.
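The following added example (not from the original post) shows how a route table resolves a destination with longest-prefix matching, and how the target of the 0.0.0.0/0 route decides whether a subnet is public (Internet Gateway), private (NAT Gateway) or isolated, as described in the Internet Gateway section above. The route tables and the igw-/nat- target ids are constructed placeholders.

```python
import ipaddress

# Constructed route tables (example data, not from the page). Target ids are placeholders;
# real AWS targets look like igw-0abc... and nat-0abc....
LOCAL = "10.0.0.0/16"                       # the VPC's own CIDR, always routed "local"
PUBLIC_RT = [(LOCAL, "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")]
PRIVATE_RT = [(LOCAL, "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")]
ISOLATED_RT = [(LOCAL, "local")]            # no default route at all
TEST_INTERNET_IP = "203.0.113.10"           # documentation range, stands in for any Internet host


def next_hop(route_table, dst_ip):
    """Return the target of the most specific (longest-prefix) route containing dst_ip.

    This mirrors VPC route resolution: the /16 'local' route beats the 0.0.0.0/0 default
    route for in-VPC addresses; None means no matching route, so the packet is dropped.
    """
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(route_table):
    """'public' if Internet-bound traffic hits an Internet Gateway, 'private' via NAT, else 'isolated'."""
    target = next_hop(route_table, TEST_INTERNET_IP)
    if target is None or target == "local":
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"   # e.g. a virtual private gateway or transit gateway target


if __name__ == "__main__":
    for name, rt in [("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)]:
        print(name, "in-VPC ->", next_hop(rt, "10.0.5.7"),
              "| Internet ->", next_hop(rt, TEST_INTERNET_IP), "| class:", classify_subnet(rt))
```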
How to connect on-prem to the cloud;
Connecting your on-premises resources to an AWS Virtual Private Cloud is a common strategy in hybrid cloud architecture.
This connection allows seamless communication between your local infrastructure and cloud resources, facilitating a variety of use cases.
Through a Virtual Private Gateway,
- AWS VGW (Site-to-Site VPN) is a great option for low-cost, flexible, and quick connections to AWS, especially if you don’t need high bandwidth or low latency.
Merits,
A VGW connection uses the public Internet, so it is more affordable to set up.
A VPN over a VGW can be set up relatively quickly, often in a few hours, making it easy to establish a connection with minimal configuration.
VPN connections via a VGW allow you to use static routing or BGP (Border Gateway Protocol) for dynamic routing, offering flexibility depending on your needs.
Since the connection runs over the Internet, no physical setup is needed.
Demerits,
Since the connection is over the public Internet, latency and bandwidth can be inconsistent, which may be problematic for latency-sensitive applications or large-scale data transfer.
Despite encryption, using the public Internet introduces inherent risks such as potential DDoS attacks or connection drops.
Because it depends on the public Internet, there is a greater chance of downtime or disruption compared to a private connection like Direct Connect.
Through Direct Connect,
- AWS Direct Connect is better suited to enterprise-level workloads that demand higher reliability, scalability, low latency, and higher throughput.
Merits,
Direct Connect offers consistently low latency and higher throughput than a VPN over a VGW, making it ideal for latency-sensitive applications.
As a private, dedicated connection, it is generally more reliable and less susceptible to interruptions and instability.
Since the traffic does not traverse the public Internet, it offers an inherently more secure connection.
Demerits,
Direct Connect involves setting up dedicated physical infrastructure, which means higher upfront costs for installation and setup.
Limited availability: AWS Direct Connect requires you to be near one of the Direct Connect locations, which may not be available in all Regions or areas.
It can be more cost-effective for high-volume data transfer, but it still has ongoing costs for maintaining the physical connection, such as port fees and dedicated bandwidth costs.
Day 7 Wrap Up;
In conclusion, understanding the fundamentals of AWS networking is crucial for effectively managing and securing your cloud infrastructure. By mastering concepts such as VPCs, CIDR blocks, subnets, and gateways, you can ensure that your resources are isolated, secure, and efficiently connected. Additionally, knowing how to connect on-premises resources to AWS through options like VPN and Direct Connect can enhance your hybrid cloud strategy. As you continue your journey through AWS, these networking basics will serve as a solid foundation for more advanced topics and configurations.
Summary & Key points;
A VPC isolates your computing resources from other computing resources available in the cloud.
A VPC is specific to a region, and it uses a CIDR block to define its IP address range.
Subnets are ranges of IP addresses within a VPC; each resides within a single Availability Zone.
Subnets are made public or private by routing through an Internet Gateway or a NAT Gateway.
A gateway is a networking device or service that enables communication between different networks.
An Internet Gateway allows the subnet to communicate with the Internet and vice versa; with a NAT Gateway, the connection must be initiated from within the VPC.
AWS VGW (Site-to-Site VPN) is used for quick and flexible connections between AWS and on-premises resources, where lower bandwidth and less consistent latency are acceptable.
Direct Connect (DX) is used for enterprise-level workloads and latency-sensitive applications.
Up next on Day 8;
Types of firewalls used to protect resources deployed in the AWS cloud.
What inbound and outbound traffic are, and how to set rules for stateful and stateless firewalls.
A walkthrough of an AWS architecture with all the AWS networking services included.