In this chapter, we are going to have a look at another important service of AWS that is: Virtual Private Cloud(VPC). It helps us to connect all the resources in the network by providing security features as well.
In this chapter, we are going through below topics:
- CIDR notation and calculations
- Introduction to VPC
- Introduction to Subnet
- Types of subnet
- Private subnet
- Public subnet
- Types of IP addressing
- Hands on – Create a VPC with the public subnet
- Security group vs. NACL
- VPC networking components
- Hands on – Create a VPC with the private and public subnet
- NAT instance and NAT gateway
- VPC Peering
- VPC Endpoint
- Create VPC, subnets, SG, route table manually
CIDR Notation and calculations:
Networking basics:
IP address = Fundamental block of network
IPV4 = 12 digit decimal = 32 bits binary
IPV5 = Not for public use, it is used for research and high computing
IPV6 = People are not using this for general purpose
Example – 10.0.1.0 /16
- 10 – 0 0 0 0 1 0 1 0 (Range = 0 to 255 – 256 total)
- 0 – 0 0 0 0 0 0 0 0 (Range = 0 to 255 – 256 total)
- 1 – 0 0 0 0 0 0 0 1 (Range = 0 to 255 – 256 total)
- 0 – 0 0 0 0 0 0 0 0 (Range = 0 to 255 – 256 total)
The value after / is called subnet mask. It is also called freezing block which means how many blocks someone wants to block or not want to use in-network. The range is between – /16 to /24.
CIDR stands for –
Classless Inter-Domain Routing or Supper netting
It is a way to allow more flexible allocation of Internet Protocol(IP) addresses than was possible with the original systems of IP address class.
Originally IP addresses were assigned into 4 major classes from Class A to Class D
Each of these classes allocates one portion of the 32 bit IP address (8 x 4 = 32). These classes went obsolete earlier in 1992.
So now, there are no types of classes as such. However, the networking guys can learn these classes for better understanding of networking concepts.
Introduction to VPC:
- When two or more computers are interconnected for communication between each other, it is called a network
- Resources in a network need to communicate with each other based on the requirement
- Resources in a network are subdivided into logical segments called subnets
- Resources in a private subnet are accessible within the network or organization
- Resources in a public subnet are accessible from outside the organization as well
- VPC stands for Virtual Private Cloud
- It is as similar to the computer network
- VPC used to set up a network within your AWS services and infrastructure
- You can create your VPC in any region and can span to multiple AZs
- While creating VPC, you need to specify the IP address range – CIDR
- We used EC2 earlier – For computing capabilities
- Now we are going to use VPC – To provide the network for EC2
- Every account has default VPC created in each region with default subnet created in each AZ.
Introduction to Subnet:
- Network divided into multiple logical parts for controlling access to individual logical subparts of a network.
- In one AZ, you can create one or more subnets according to your needs.
- While creating a subnet, you need to specify the CIDR block range and it should be a subset of that VPC CIDR block.
There are two types of subnets:
1. Private subnet
2. Public subnet
Types of Subnet:
1. Private subnet
- Resources are restricted and isolated for public access
- It lies within VPC which means, VPC can access it using private IP
- Incoming traffic do not have direct access to a private subnet
- Outgoing traffic does not have direct access to the internet, you can achieve this using NAT.
2. Public subnet
- It is accessible within VPC and also from the internet
- It can accessible by using public IP address
- Traffic going outside to internet, it will be routed to IGW(Internet Gateway)
Types of IP addressing:
When EC2 instance launch, it creates two things:
- IP address
- DNS hostname
Private and public IP addresses are being created for internal and external access
DNS hostname is being created to access the EC2 machine by using the DNS name which internally points out to an IP address.
By default, Amazon uses IPV4 addressing for instance and VPC CIDR.
AWS reserve 5 IP addresses in every subnet:
.0 – Network address
.1 – VPC router
.2 – DNS server
.3 – Future use
.255 – Broadcast
There are two types of IP addresses:
- 1. Private IP
- 2. Public IP
- 3. Elastic IP
Private IP:
It is used for internal communication
Format : ip-10-5-200-21.ec2.internal
When instance launch, it uses DHCP(Dynamic Host Configuration Protocol) to assign a private IP address from subnet range and assign it to default ethernet interface (eth0)
You can not change the primary private address once instance launched but you can assign secondary IP address which can be changed
Private IP will be released once an instance terminates.
Public IP:
It can be reached over the internet
Format: ip-xxx-xxx-xxx-xxx.compute1.amazonaws.com (where xxx – public IP of instance)
Public IPs for instance assigned from EC2-VPC public ipv4 address pool
Automatically public IP assigned to an instance if it is within default VPC. This behavior can be controlled by subnet settings.
Once instance launches, it is not allowed to assign or release the public IP address
AWS automatically releases public IP if instance stopped or terminated, but if you want permanent public IP for your instance, you can go and assign the elastic IP address.
Elastic IP:
It is a public IPV4 address which can be assigned or released
Once elastic IP address assigned, it remains in the account until explicitly release
Instance with the primary network interface, can not have the public IP address and elastic IP address both at the same time
If an elastic IP address remains unassociated with any instance, then AWS will charge for it on an hourly basis. Also, the charge is applicable if elastic IP is associated with stopped instance Elastic IP is associated with instances based on region wise.
Hands-on – Create a VPC with the public subnet:
[ec2-user@ip-10-0-0-250 ~]$ sudo su
[root@ip-10-0-0-250 ec2-user]# sudo yum update -y
[root@ip-10-0-0-250 ec2-user]# yum install httpd -y
[root@ip-10-0-0-250 ec2-user]# service httpd status
httpd is stopped
[root@ip-10-0-0-250 ec2-user]# service httpd start
Starting httpd: [ OK ]
[root@ip-10-0-0-250 ec2-user]# cd /var/www/html
[root@ip-10-0-0-250 html]# lsblk
[root@ip-10-0-0-250 html]# sudo mkfs -t ext4 /dev/xvdf
[root@ip-10-0-0-250 html]# sudo file -s /dev/xvdf
[root@ip-10-0-0-250 html]# cd /var/www/html
[root@ip-10-0-0-250 html]# mount /dev/xvdf /var/www/html
[root@ip-10-0-0-250 html]# lsblk
[root@ip-10-0-0-250 html]# aws configure
[root@ip-10-0-0-250 html]# aws s3 cp s3://websitetemplatenvregion . –recursive
[root@ip-10-0-0-250 www]# cd /var/www/html
[root@ip-10-0-0-250 html]# ls -lrt
AWS VPC Security:
- As AWS states in many of its official communication, the security of the customer network is one of its highest priorities
- Keeping the security on top of the AWS charter, Amazon provides two features for taking care of network security and one feature for monitoring the network.
- Security group and NACL are for network security
- Flow logs are for network monitoring
- Security groups act as an EC2 instance level firewall, whereas NACL acts as a subnet level firewall Flow logs provide insight on network traffic
Security group:
- It is a virtual firewall that controls in and out traffic at VPC level
- One EC2 instance can have multiple security groups
- Inbound traffic is also called – Ingress traffic
- Outbound traffic is also called – Egress traffic
- While launching a new instance, if no security group attached explicitly, then the default security group will be attached to that instance
- One can add 50 inbounds and 50 outbound rules max.
- By default,
- it allows all outgoing communication
- it blocks all incoming communication
- Rules are to be defined to allow the communication
- One can add 500 SG / VPC max
- It is stateful which means any traffic allowed for inbound, automatically allowed for outbound
Network Access Control List (NACL):
- It is a virtual firewall at the subnet level
- Every VPC has default NACL
- Every private or public subnet must associate with 1 NACL
- NACL rules are evaluated based on rules numbers that are from 1 to 32766
- By default,
- Inbound rules – denied
- Outbound rules – denied
- It is stateless which means if the port is open for inbound rule then it does not eligible for outbound until you specify the rule for the same.
Flow logs:
- It is used for incoming and outgoing traffic or fault diagnostics
- It can be enabled on the network interface, subnet or VPC
- It contains information of the source and destination IP address and port
- It also creates an alarm to notify on the occurrence of certain network traffic
Security group vs. NACL:
Security Groups are:
- Stateful — easier to manage, by just setting rules for one direction.
- VPC Scoped — work in any AZ or Subnet
- Allow rules only — everything is implicitly denied
- Rules processed together as a group
- Rules processed at the ENI layer
NACLS are:
- Stateless — Inbound and Outbound rules must always be configured.
- Subnet Scoped –Must be explicitly associated to one or more subnets
- Allow and Deny rules both
- Rules processed in order — when a rule is matched, no rules further down the list are evaluated
- Rules processed at the subnet boundary
VPC networking components:
ENI:
- ENI stands for Elastic Network Interface
- It is a communication hub for EC2 instance that enable network communication on the instance
- Any EC2 instance launched inside any subnet of VPC, default network interface created and attached to it
- The primary network interface will get one IP address from a subnet IP range
- Default network interface – eth0
Route table:
- Route table decides how network traffic to route using a set of rules which is called routes
- For every VPC, there should be the main table and each subnet from VPC must be associated with it
- One route table can be associated with one or more subnets
- Every VPC has an implicit router
- Maximum 200 route tables / VPC and maximum of 50 routes per table is allowed
- You can give target value in route table – IGW / VGW / NAT device / Peering connection and VPC endpoint
Internet Gateway (IGW):
- Internet gateway makes possible EC2 instance to internet
- Private subnet to communicate with the internet, we put NAT instance in public subnet
- It is horizontally scaled in nature
- It ensures no bandwidth constraint and no availability risk
- When traffic flow from EC2 -> Internet = Private IP -> Public IP
- When traffic flow from Internet -> EC2 = Public IP -> Private IP
Egress only IGW:
- It only works with IPV6.
- For IPV4 network traffic, use NAT gateway
Hands-on – Creating VPC with the private and public subnet:
Network Address Translator – NAT:
- EC2 instance in private subnet,
- does not have public or elastic IP
- subnet route table does not have route entry to set traffic directly to IGW
- In that case, there should be something which acts as a mediator and allow EC2 machine inside private subnet to communicate with the internet
- Above thing is possible by using NAT
- It acts as a mediator between instance and IGW
- When traffic receives in public subnet of EC2 then, it replaces reply-to IPV4 address with own’s public IP
- When traffic receives from internet, it replaces reply-to IPV4 address to EC2’s private IP NAT does not support IPV6
- You can either use NAT instance or NAT gateway to be deployed in public subnet of same AZ
- NAT instance can have public IP or Elastic IP
- NAT gateway requires elastic IP
- To communicate with internet from the private subnet, there should be route entry in route table pointing internet traffic to NAT
- Multiple subnets from same AZ can use same NAT
- You need to disable source and destination check to facilitate internet request on NAT instance. If not, it will not be able to serve requests from other EC2 instances
- Creating a NAT gateway automatically creates network interface, allocate private IP and one elastic IP
- Once NAT gateway deleted, attached elastic IP also get released from NAT gateway but remains reserved in AWS account
VPC Peering:
- It is used to connect two different VPC within the same region for routing traffic between them using IPV4 or IPV6, irrespective of the same account or not
- By default, network traffic:
- Either flow within the same VPC or to and from internet
- But it does not flow to other VPC
- It is the requirement, need to establish peering In VPC peering, communication is taken place through routing
VPC Endpoint:
- Generally, no direct communication between AWS services are allowed without IGW, NAT instance or gateway, VPC connection
- VPC endpoint allows direct connection without anything from above, which means not via internet
- Before VPC endpoint, it was done using NAT instance but it was using the internet for the same
- VPC endpoint allows to route traffic within AWS infrastructure
- There is no additional charge to use it, only standard data charges for data transfer and data usage
- In route entry, destination specifies as pl-xxxxx – which define public IP range used by service
Create VPC, subnets, SG, route table manually:
That’s the end of this chapter of VPC. We had seen, how AWS provides very useful service regarding networking and its security which is very crucial for your infrastructure. Join me in the next chapter of the AWS Complete tutorial series.