AWS VPC Primer (AWS Series - Post 1)

Thu Apr 07 20229 min read

What is AWS Virtual Private Network

AWS is a public cloud, which means there are multiple entities that are using AWS resources. Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

VPC is the basic building block of AWS and the most misunderstood part of AWS. Wrong configuration of VPC can cause more harm and result in wastage of hours of debugging. Sadly there are no great resources around VPC. The official documentation expects the user to have a background in Networking which makes it difficult for normal engineers to wrap their head around it.

My goal is to demystify the basics around AWS VPC, so that any engineer can reason what is happening inside the VPC.

In this post, we will familiarize with the definitions related to VPC. In subsequent posts we will setup a fully functional VPC from scratch.

Definitions

Virtual Private Cloud (VPC)

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC.

Subnets

A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a specified subnet. Use a public subnet for resources that must be connected to the internet, and a private subnet for resources that won’t be connected to the internet.

Default VPC

When you create your account, it comes with a default VPC that has a default subnet in each Availability Zone. A default VPC has the benefits of the advanced features provided by EC2-VPC, and is ready for you to use. If you have a default VPC and don’t specify a subnet when you launch an instance, the instance is launched into your default VPC. You can launch instances into your default VPC without needing to know anything about Amazon VPC.

Non-Default VPC

You can also create your own VPC, and configure it as you need. This is known as a non-default VPC. Subnets that you create in your non-default VPC and additional subnets that you create in your default VPC are called non-default subnets.

CIDR Blocks

A little detour to understand CIDR Blocks. It is very important to have a good understanding CIDR to get your VPC configuration right.

Classless Inter-Domain Routing (CIDR) notation is a way of representing an IP address and its network mask. For more information, see Classless Inter-Domain Routing in Wikipedia.

A CIDR has two components:

  • The base IP (XX.XX.XX.XX)
  • The Subnet Mask (/26)

The base IP represents an IP contained in the range. The subnet masks defines how many bits can change in the IP.

The subnet mask can take two forms. Examples:

  • 255.255.255.0 (Less common)
  • /24 (More common)

Understanding Subnet Masks

The subnet masks basically allows part of the underlying IP to get additional next values from the base IP.

The number of bits are calculated by the formula

No. of bits = 2 ^ (32 - block)

So putting it in a simple table

  • /32 allows for 1 IP = 2^0
  • /31 allows for 2 IP = 2^1
  • /30 allows for 4 IP = 2^2
  • /29 allows for 8 IP = 2^3
  • /28 allows for 16 IP = 2^4
  • /27 allows for 32 IP = 2^5
  • /26 allows for 64 IP = 2^6
  • /25 allows for 128 IP = 2^7
  • /24 allows for 256 IP = 2^8
  • /16 allows for 65,536 IP = 2^16
  • /0 allows for all IPs = 2^32

For quick memory math

  • /32 – no IP number can change
  • /24 - last IP number can change
  • /16 – last IP two numbers can change
  • /8 – last IP three numbers can change
  • /0 – all IP numbers can change

For quick calculations, keep this website handy.

IP Addressing

IP addresses enable resources in your VPC to communicate with each other, and with resources over the internet. When you create a VPC, you assign it an IPv4 CIDR block (a range of private IPv4 addresses), an IPv6 CIDR block, or both (dual-stack).

Private IPv4 addresses are not reachable over the internet. IPv6 addresses are globally unique and can be configured to remain private or reachable over the internet.

Your VPC can operate in dual-stack mode. This means that your resources can communicate over IPv4, IPv6, or both IPv4 and IPv6. IPv4 and IPv6 addresses are independent of each other; you must add separate routes and security group rules for IPv4 and IPv6.

Private vs Public IP (IPv4) Allowed ranges

The Internet Assigned Numbers Authority (IANA) established certain blocks of IPV4 addresses for the use of private (LAN) and public (Internet) addresses.

Private IP can only allow certain values

  • 10.0.0.0 – 10.255.255.255 (10.0.0.0/8) (In Big Networks)
  • 172.16.0.0 – 172.31.255.255 (172.16.0.0/12) (Default AWS Subnets)
  • 192.168.0.0 – 192.168.255.255 (192.168.0.0/16) (Usually for home networks)

All the rest of the IP on the internet are public IP.

Private IPv4 addresses

  • Private IPv4 addresses are not reachable over the internet
  • Can be used for communication between the instances in your VPC

When a instance is launched in the VPC

  • a primary private IP address from the IPv4 address range of the subnet is assigned to the default network interface (eth0) of the instance.
  • Primary private IP address cannot be re-assigned once the instance is terminated.
  • Each instance is also given a private (internal) DNS hostname that resolves to the private IP address of the instance
  • Hostname can be of two types: resource-based or IP-based
  • Additional private IP addresses, known as secondary private IP addresses can be assigned to the instances
  • Unlike a primary private IP address, you can reassign a secondary private IP address from one network interface to another
  • Private IP address remains associated with the network interface when the instance is stopped and restarted
  • Private IP address is released when the instance is terminated
  • Private IP Range is preferred but you can use publicly routable CIDR blocks for your VPC
  • Regardless of the IP address range of your VPC, direct access to the internet from your VPC’s CIDR block is NOT allowed, including a publicly-routable CIDR block.
  • Internet access is allowed ONLY through a gateway; for example, an internet gateway, virtual private gateway, a AWS Site-to-Site VPN connection, or AWS Direct Connect.

Public IPv4 addresses

All subnets have an attribute that determines whether a network interface created in the subnet automatically receives a public IPv4 address. When you launch an instance into a subnet that has this attribute enabled, a public IP address is assigned to the primary network interface (eth0) that’s created for the instance.

  • A public IP address is mapped to the primary private IP address through network address translation (NAT).
  • A public IP address is assigned from Amazon’s pool of public IP addresses; it’s not associated with your account.
  • When a public IP address is disassociated from your instance, it’s released back into the pool, and is no longer available for you to use.
  • You cannot manually associate or disassociate a public IP address.
  • If you require a persistent public IP address allocated to your account that can be assigned to and removed from instances as you require, use an Elastic IP address instead.
  • If your VPC is enabled to support DNS hostnames, each instance that receives a public IP address or an Elastic IP address is also given a public DNS hostname.
  • Public DNS hostname is resolved to the public IP address of the instance outside the instance network, and to the private IP address of the instance from within the instance network.

Route Tables

  • A route table contains a set of rules, called routes, that are used to determine where network traffic from your VPC is directed.
  • You can explicitly associate a subnet with a particular route table.
  • By default, the subnet is implicitly associated with the main route table.
  • Each route in a route table specifies the range of IP addresses where you want the traffic to go (the destination) and the gateway, network interface, or connection through which to send the traffic (the target).

Accessing the Internet

You control how the instances that you launch into a VPC access resources outside the VPC.

Default VPC and Default Subnet

  • A default VPC includes an internet gateway, and each default subnet is a public subnet.
  • Each instance that you launch into a default subnet has a private IPv4 address and a public IPv4 address.
  • Instances can communicate with the internet through the internet gateway

Non-Default VPC and the Internet

  • By Default, each instance that you launch into a non-default subnet has a private IPv4 address, but no public IPv4 address.

  • Public IPv4 is assigned only when,

    • specifically assign one at launch
    • modify the subnet’s public IP address attribute
  • Instances can communicate with each other, but can’t access the internet.
  • You can enable internet access for an instance launched into a non-default subnet by attaching an internet gateway to its VPC (if its VPC is not a default VPC) AND associating an Elastic IP address with the instance.

Outbound Internet only

To allow an instance in your VPC to initiate outbound connections to the internet but prevent unsolicited inbound connections from the internet, you can use a network address translation (NAT) device.

NAT maps multiple private IPv4 addresses to a single public IPv4 address.

You can configure the NAT device with an Elastic IP address and connect it to the internet through an internet gateway. This makes it possible for an instance in a private subnet to connect to the internet through the NAT device, routing traffic from the instance to the internet gateway and any responses to the instance.

Accessing Corporate or Home Network

You can optionally connect your VPC to your own corporate data center using an IPsec AWS Site-to-Site VPN connection, making the AWSCloud an extension of your data center.

A Site-to-Site VPN connection consists of two VPN tunnels between a virtual private gateway or transit gateway on the AWS side, and a customer gateway device located in your data center. A customer gateway device is a physical device or software appliance that you configure on your side of the Site-to-Site VPN connection.

VPC Peering

You can create a VPC peering connection between two VPCs that enables you to route traffic between them privately.

Instances in either VPC can communicate with each other as if they are within the same network.

Transit Gateways

You can create a transit gateway and use it to interconnect your VPCs and on-premises networks.

The transit gateway acts as a Regional virtual router for traffic flowing between its attachments, which can include VPCs, VPN connections, AWS Direct Connect gateways, and transit gateway peering connections.

This bit of theory is a necessary foundation for delving deep into AWS VPC Networking. We will revisit each of these in much details in later posts when we start building our VPC from scratch.

Till then, Happy Coding !!!

aws

vpc

aws-series

cloud

networking

© Copyright Debojit Roy
Built using Gatsby