In our DevOps journey, understanding AWS Networking is crucial. Today, we’ll dive into Amazon VPC (Virtual Private Cloud) and its core components: subnets, route tables, security groups, and more. These tools form the backbone of AWS infrastructure, ensuring secure and efficient communication across your environment.
1. What is a Virtual Private Cloud (VPC)?
An AWS VPC is a logically isolated network where you can launch AWS resources such as EC2, RDS, and Lambda. Think of it as your own private data center inside AWS, with complete control over IP addressing, routing, and access.
Example:
Imagine a company hosting a multi-tier web app. They deploy:
- Web servers in a public subnet (accessible from the internet).
- Application servers in a private subnet (accessible only internally).
- Database server in another private subnet (isolated for security).
2. Subnets: Public vs. Private
Subnets divide your VPC into smaller networks, each with its own IP range.
- Public Subnet: Has a route to the internet via an Internet Gateway (IGW). Used for web servers and load balancers.
- Private Subnet: No direct route to the internet; usually used for app servers and databases.
Example:
An e-commerce website deploys:
- Web Tier: EC2 instances in a public subnet for customer access.
- App Tier: Backend servers in a private subnet for order processing.
- DB Tier: RDS in a private subnet for secure storage.
- Security Tip: A NAT Gateway lives in a public subnet and needs an Elastic IP; it gives private subnets outbound-only internet access (for example, for package updates) without exposing them to inbound connections.
3. Route Tables: Directing Traffic
Route tables determine how traffic moves between subnets and the internet. Each subnet is linked to one route table.
Example:
- Public Subnet: Route to the Internet Gateway (0.0.0.0/0) for internet access.
- Private Subnet: Route 0.0.0.0/0 through a NAT Gateway for outgoing traffic.
A WordPress site hosted on an EC2 instance in a public subnet needs internet access for plugin updates.
The route table includes:
- 0.0.0.0/0 -> Internet Gateway for outgoing traffic.
- Inbound traffic is allowed only on ports 80 and 443 (this restriction is enforced by the instance's security group, not by the route table).
4. VPC Peering: Cross-VPC Communication
VPC Peering connects two VPCs for private communication without internet exposure.
Example:
A company has:
- Production VPC: Hosting their website.
- Analytics VPC: Running data processing.
They use VPC Peering to securely transfer logs from production to analytics.
Limitation: Peering is one-to-one and non-transitive. For multiple VPCs, consider AWS Transit Gateway.
5. Security Groups vs. NACLs: Protecting your network
- Security Groups: Work at the instance level and are stateful. Allow traffic only when explicitly permitted; there are no deny rules.
- NACLs: Work at the subnet level and are stateless. Can allow or deny traffic, evaluated in rule-number order.
Example:
For a public-facing EC2 instance, you might set:
- Security Group: Allow HTTP (80) and HTTPS (443) inbound.
- NACL: Block traffic from known malicious IPs.
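Sections 2, 3 and 5 above describe two properties you can check directly: a subnet is public when its route table sends 0.0.0.0/0 to an Internet Gateway, and a web tier's security group should only open 80 and 443 to the world. The following Python is an added example, not code from the original post or from AWS; it audits both properties over dicts shaped like EC2 describe-* output, and the IDs igw-0example, nat-0example, subnet-web, subnet-app and sg-web are constructed.

```python
# Added audit helper, not code from AWS or this post: classify subnets as public
# or private from their route tables, and list security-group ports open to the
# whole internet beyond 80/443. Dicts mirror EC2 DescribeRouteTables /
# DescribeSecurityGroups output; all sample data below is constructed.
INTERNET = {"0.0.0.0/0", "::/0"}
WEB_PORTS = {80, 443}

def classify_subnets(route_tables):
    """Return {subnet_id: 'public'|'private'}: public means the subnet's
    route table sends 0.0.0.0/0 to an Internet Gateway (igw-*)."""
    result = {}
    for rt in route_tables:
        public = any(r.get("DestinationCidrBlock") in INTERNET
                     and r.get("GatewayId", "").startswith("igw-")
                     for r in rt["Routes"])
        for assoc in rt["Associations"]:
            if "SubnetId" in assoc:  # skip the VPC main-table association
                result[assoc["SubnetId"]] = "public" if public else "private"
    return result

def exposed_ports(security_group):
    """Ports open to the whole internet other than 80/443; -1 marks an
    'all traffic' rule (IpProtocol -1 carries no port range)."""
    ports = set()
    for perm in security_group["IpPermissions"]:
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])] + \
                  [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if not INTERNET.intersection(sources):
            continue  # rule is scoped to specific CIDRs, not world-open
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
        if lo == -1:
            ports.add(-1)
        else:
            ports.update(p for p in range(lo, hi + 1) if p not in WEB_PORTS)
    return sorted(ports)

# Constructed sample: web subnet routes to an IGW, app subnet to a NAT Gateway.
ROUTE_TABLES = [
    {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}],
     "Associations": [{"SubnetId": "subnet-web"}]},
    {"Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}],
     "Associations": [{"SubnetId": "subnet-app"}]},
]
WEB_SG = {"GroupId": "sg-web", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
```

Running `classify_subnets(ROUTE_TABLES)` reports subnet-web as public and subnet-app as private, and `exposed_ports(WEB_SG)` returns `[22]`, the one rule in the constructed web-tier group that goes beyond the 80/443 the post recommends.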
6. Site-to-Site VPN: Connecting On-Premises to AWS
An AWS Site-to-Site VPN securely connects your on-premises network to your AWS VPC.
Example:
A healthcare company runs an on-premises database but hosts its web app in AWS.
They use a Site-to-Site VPN to securely sync patient data between AWS and their local data center.
7. AWS Direct Connect: High-Speed Connectivity
For high-speed, low-latency connections, companies use AWS Direct Connect, a dedicated link that bypasses the public internet.
Example:
A financial firm running real-time trading platforms connects its on-premises systems directly to AWS.