Introduction
Welcome to the world of AWS. In this article I will take you on a journey to explore the fundamentals of networking within AWS. Whether you're preparing for the AWS Certified Solutions Architect exam or simply curious about how AWS manages networking, this article will provide you with valuable insights. Throughout our journey we will touch upon essential topics such as Virtual Private Clouds (VPCs), subnets, security groups, internet gateways and many more.
Let's Get Started!
Virtual Private Cloud (VPC)
Ever wondered how millions of cloud users worldwide can utilize the same hardware for their applications without encountering resource conflicts?
Well, the answer is the VPC. Essentially it's a private network within the cloud that isolates your cloud resources from those of other AWS customers.
It is a regional service (tied to a single region).
By default, each region has a default VPC initially created by AWS, but we can create up to 4 additional VPCs per region, for a total of 5.
Subnets
Subnets, as their name suggests, are logical partitions within a VPC created at the availability zone level, which means a subnet can only exist within a single AZ.
We can create up to 200 subnets per VPC.
There are two types of subnets:
- Public subnet: resources that live here have access to the internet.
- Private subnet: resources that live here can't access the internet directly.
IP Addressing
Each VPC requires a range/pool of private IP addresses called a CIDR block; an example would look like this: 10.0.0.0/24
The /24 part, called the suffix, identifies the network part of the IP address. Without going into the details of how the IPv4 addressing scheme works, the only thing we need to know is that the choice of suffix depends on the size of the infrastructure we want to build. For example, a /24 CIDR block provides us with 256 IP addresses, of which the first 5 are reserved, which leaves us with 251 IPs; in other words, we can only have 251 running machines inside the VPC.
If you want me to write an article explaining how IPv4 and CIDR blocks work, tell me in the comments below.
In the meantime, check this user guide provided by Amazon on how to choose a CIDR block for a VPC.
Each subnet in the VPC also needs a CIDR block that is a subset of the VPC's CIDR block. We can achieve this by taking the VPC CIDR block and subnetting it even further, using techniques that are out of scope for this article.
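To make the CIDR arithmetic above concrete, here is an added Python example (not part of the original article) that uses the standard library's ipaddress module to count the addresses AWS lets you use in a subnet, carve a VPC block into per-AZ subnets and check that each subnet really is a subset of the VPC block. It encodes two AWS rules: five addresses are reserved in every subnet (the first four and the last one), and VPC and subnet blocks must be between /16 and /28. The AZ names and CIDR blocks are constructed sample values.

```python
import ipaddress

# AWS reserves five addresses in every subnet: the network address, the VPC
# router (.1), the Amazon-provided DNS resolver (.2), one address kept for
# future use (.3) and the broadcast address (the last one).
AWS_RESERVED_PER_SUBNET = 5

# AWS accepts IPv4 VPC and subnet CIDR blocks between /16 and /28 inclusive.
MIN_PREFIX, MAX_PREFIX = 16, 28


def is_valid_aws_block(cidr: str) -> bool:
    """True if cidr is a well-formed IPv4 network with an AWS-allowed size."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    except ValueError:
        return False
    return net.version == 4 and MIN_PREFIX <= net.prefixlen <= MAX_PREFIX


def usable_hosts(cidr: str) -> int:
    """Addresses you can actually assign to instances in a subnet of this size."""
    if not is_valid_aws_block(cidr):
        raise ValueError(f"{cidr} is not a valid AWS subnet CIDR block")
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def carve_subnets(vpc_cidr: str, new_prefix: int, count: int) -> list:
    """Split vpc_cidr into `count` subnets of size /new_prefix, in address order."""
    if not is_valid_aws_block(vpc_cidr):
        raise ValueError(f"{vpc_cidr} is not a valid AWS VPC CIDR block")
    if not MIN_PREFIX <= new_prefix <= MAX_PREFIX:
        raise ValueError(f"/{new_prefix} is outside the allowed /16 to /28 range")
    vpc = ipaddress.ip_network(vpc_cidr)
    # subnets() raises ValueError itself if /new_prefix is larger than the VPC block
    candidates = list(vpc.subnets(new_prefix=new_prefix))
    if count > len(candidates):
        raise ValueError(f"{vpc_cidr} only holds {len(candidates)} subnets of /{new_prefix}")
    return [str(s) for s in candidates[:count]]


def subnet_fits_vpc(vpc_cidr: str, subnet_cidr: str) -> bool:
    """A subnet's block must lie entirely inside its VPC's block."""
    return ipaddress.ip_network(subnet_cidr).subnet_of(ipaddress.ip_network(vpc_cidr))


def plan(vpc_cidr: str, new_prefix: int, az_names: list) -> dict:
    """Assign one subnet per availability zone and sanity-check the result."""
    layout = dict(zip(az_names, carve_subnets(vpc_cidr, new_prefix, len(az_names))))
    assert all(subnet_fits_vpc(vpc_cidr, block) for block in layout.values())
    return layout


if __name__ == "__main__":
    # Constructed input: a /16 VPC split into one /24 subnet per AZ.
    for az, block in plan("10.0.0.0/16", 24, ["us-east-1a", "us-east-1b", "us-east-1c"]).items():
        print(f"{az}: {block} -> {usable_hosts(block)} usable addresses")
```

Running it prints three /24 blocks with 251 usable addresses each, and asking for more subnets than the VPC block can hold, or a block outside /16 to /28, fails before anything is created.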
There are 3 types of IP addresses in AWS:
- Public: identifies resources on the internet. Temporary (changes every time we stop/start the instance).
- Private: identifies resources in the VPC; it's permanent unless the instance is terminated.
- Elastic: a static public IP address (permanent). Created separately and can be attached to an EC2 instance. AWS only charges money when it's not in use.
Internet Gateway
It is a VPC component that allows communication between your VPC and the internet, as simple as that.
Route Table
A table that contains the different routes into/out of a subnet.
By default, AWS creates a route table called the main route table in every default VPC (one per region) and associates it with all the default subnets in the VPC (AWS creates a default subnet in every AZ).
So to enable access to or from the internet for instances in a subnet in a VPC using an internet gateway, you must do the following:
- Create an internet gateway and attach it to your VPC.
- Add a route to your subnet's route table that directs internet-bound traffic to the internet gateway.
- Ensure that your network access control lists and security group rules allow the desired internet traffic (we will get to this later in the article when discussing security groups and NACLs).
Overall, we will have something like this at the end:
NAT Gateways
What if you want to apply some updates to an EC2 instance that lives in a private subnet? How can it access the internet to pull the updates?
Well, NAT gateways are there to the rescue. A NAT gateway is a managed solution provided by AWS that allows instances in a private subnet to connect to services outside your VPC, such as the internet or other isolated VPCs.
There are two types:
- Public (default): instances in private subnets can connect to the internet, but cannot receive connections from it. It must be created in a public subnet, and you must associate an elastic IP address with the NAT gateway at creation.
- Private: instances in private subnets can connect to other VPCs or your on-premises network through it.
In most cases we use public NAT gateways.
The only thing left to do is to update the route table associated with the private subnet so that it directs internet-bound traffic to the NAT gateway.
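The internet gateway steps above and the NAT gateway route come down to the same question: which target a route table picks for a given destination. The following added Python example (not from the original article) models that lookup. AWS route tables use longest-prefix matching, so the most specific route wins; the example goes slightly beyond this section by also adding a peering route to show that effect. All IDs (igw-EXAMPLE, nat-EXAMPLE, pcx-EXAMPLE) and CIDR blocks are constructed placeholders.

```python
import ipaddress

# Constructed example identifiers (real IDs look like igw-0123456789abcdef0).
VPC_CIDR = "10.0.0.0/16"
IGW_ID = "igw-EXAMPLE"
NAT_ID = "nat-EXAMPLE"
PCX_ID = "pcx-EXAMPLE"
PEER_CIDR = "10.1.0.0/16"  # constructed CIDR of a peered VPC


def local_route(vpc_cidr: str) -> tuple:
    """AWS adds this route to every route table; it cannot be removed."""
    return (vpc_cidr, "local")


def public_route_table(vpc_cidr: str, igw_id: str) -> list:
    """Public subnet: the default route sends internet-bound traffic to the IGW."""
    return [local_route(vpc_cidr), ("0.0.0.0/0", igw_id)]


def private_route_table(vpc_cidr: str, nat_id: str) -> list:
    """Private subnet: the default route points at the NAT gateway, which itself
    lives in a public subnet and relies on that subnet's IGW route."""
    return [local_route(vpc_cidr), ("0.0.0.0/0", nat_id)]


def next_hop(route_table: list, destination: str):
    """Longest-prefix match: the most specific route containing the destination
    wins. Returns None when nothing matches (the packet is dropped)."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public_subnet(route_table: list) -> bool:
    """A subnet is 'public' precisely because its route table has a route to an IGW."""
    return any(target.startswith("igw-") for _, target in route_table)


if __name__ == "__main__":
    public = public_route_table(VPC_CIDR, IGW_ID)
    private = private_route_table(VPC_CIDR, NAT_ID)
    # A more specific route for a peered VPC wins over the 0.0.0.0/0 default.
    public.append((PEER_CIDR, PCX_ID))
    for table_name, table in (("public", public), ("private", private)):
        for dst in ("10.0.3.7", "10.1.2.3", "93.184.216.34"):
            print(f"{table_name:8} {dst:15} -> {next_hop(table, dst)}")
```

The private table never mentions the IGW: its instances reach the internet only because the NAT gateway's own subnet has the IGW route, which is why removing the default route (a table with only the local route) leaves internet-bound packets with no next hop at all.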
Security Groups and NACLs
They are both firewalls.
Security groups are stateful and control inbound/outbound traffic at the instance level.
By default all outbound traffic is allowed and all inbound traffic is denied.
Stateful means that if a connection to/from the instance is made in one direction (and passes the firewall rules), then the reply in the other direction is automatically allowed, which means requests have to pass the firewall rules only once.
Example of an inbound rule
Example of an outbound rule
Some notes about security groups:
- Specific to a region and a VPC.
- Source and destination can be a CIDR or another security group.
NACLs are stateless and control inbound/outbound traffic at the subnet level.
By default they allow all traffic from anywhere.
Example: let's say we want to deny HTTP traffic on port 80:
Rules are evaluated by number (lowest number evaluated first).
The default rule, designated by (*), can't be deleted; it's always evaluated last and catches anything that didn't match a prior rule.
An advantage of NACLs over security groups is that they give us the ability to define deny rules, which allows us to block specific IP addresses from reaching resources in a specific subnet.
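To show the stateful vs. stateless difference in code, here is an added Python example (not from the original article) that simulates both firewalls on a few constructed packets: a NACL that evaluates numbered rules lowest-first with the non-deletable * deny rule last, and a security group with a connection-tracking table so that the reply to an allowed request passes without an outbound rule. It also shows the classic stateless pitfall: a reply goes back to the client's ephemeral port, so a NACL needs an explicit rule for ports 1024-65535 or the reply is dropped. The IP addresses, ports and rule numbers are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    protocol: str        # "all", "tcp", "udp" or "icmp"
    port_from: int       # destination port range the rule covers
    port_to: int
    cidr: str            # source CIDR for inbound rules, destination CIDR for outbound
    action: str = "allow"
    number: int = 0      # NACL only: lower numbers are evaluated first


# The non-deletable "*" rule at the bottom of every NACL: always evaluated last.
NACL_DEFAULT = Rule("all", 0, 65535, "0.0.0.0/0", "deny", number=32767)


def _matches(rule: Rule, packet: Packet, remote_ip: str) -> bool:
    if rule.protocol not in ("all", packet.protocol):
        return False
    if not rule.port_from <= packet.dst_port <= rule.port_to:
        return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)


def nacl_decide(inbound: list, outbound: list, packet: Packet, direction: str) -> str:
    """Stateless: every packet, in each direction, is matched against the
    numbered rules from the lowest number up; the first match decides."""
    rules = inbound if direction == "inbound" else outbound
    remote = packet.src_ip if direction == "inbound" else packet.dst_ip
    for rule in sorted(rules, key=lambda r: r.number) + [NACL_DEFAULT]:
        if _matches(rule, packet, remote):
            return rule.action
    return "deny"  # not reached: NACL_DEFAULT matches everything


@dataclass
class SecurityGroup:
    inbound: list
    outbound: list
    tracked: set = field(default_factory=set)  # connection-tracking table

    def decide(self, packet: Packet, direction: str) -> str:
        """Stateful: a flow is checked against the rules once; later packets of
        a tracked flow, including the reply in the other direction, are allowed."""
        key = (packet.protocol, frozenset({(packet.src_ip, packet.src_port),
                                           (packet.dst_ip, packet.dst_port)}))
        if key in self.tracked:
            return "allow"
        rules = self.inbound if direction == "inbound" else self.outbound
        remote = packet.src_ip if direction == "inbound" else packet.dst_ip
        if any(_matches(r, packet, remote) for r in rules):  # SGs have allow rules only
            self.tracked.add(key)
            return "allow"
        return "deny"


def demo() -> dict:
    """Constructed traffic between a client (203.0.113.10) and a web server (10.0.1.5)."""
    # The NACL from the text: rule 100 denies HTTP on port 80, rule 200 allows the rest.
    nacl_in = [Rule("tcp", 80, 80, "0.0.0.0/0", "deny", number=100),
               Rule("all", 0, 65535, "0.0.0.0/0", "allow", number=200)]
    nacl_out = [Rule("all", 0, 65535, "0.0.0.0/0", "allow", number=100)]
    http = Packet("203.0.113.10", 51000, "10.0.1.5", 80)
    https = Packet("203.0.113.10", 51001, "10.0.1.5", 443)
    reply = Packet("10.0.1.5", 443, "203.0.113.10", 51001)  # server's answer to https
    results = {"nacl_http": nacl_decide(nacl_in, nacl_out, http, "inbound"),
               "nacl_https": nacl_decide(nacl_in, nacl_out, https, "inbound")}
    # Stateless pitfall: the reply is addressed to the client's ephemeral port,
    # so an outbound NACL that allows only 443 drops it...
    strict_out = [Rule("tcp", 443, 443, "0.0.0.0/0", number=100)]
    results["nacl_reply_strict"] = nacl_decide(nacl_in, strict_out, reply, "outbound")
    # ...until an explicit ephemeral-port rule (1024-65535) is added.
    fixed_out = strict_out + [Rule("tcp", 1024, 65535, "0.0.0.0/0", number=110)]
    results["nacl_reply_fixed"] = nacl_decide(nacl_in, fixed_out, reply, "outbound")
    # Security group: inbound 443 allowed, outbound left empty on purpose. The
    # request is evaluated once and its reply passes because the flow is tracked.
    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")], outbound=[])
    results["sg_request"] = sg.decide(https, "inbound")
    results["sg_reply"] = sg.decide(reply, "outbound")
    # A brand-new outbound flow is not tracked, so it needs an outbound rule.
    results["sg_new_outbound"] = sg.decide(Packet("10.0.1.5", 40000, "198.51.100.7", 22), "outbound")
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The two models differ in exactly one place: the security group consults its tracking table before the rules, the NACL never does. That is why the same reply packet is allowed by the security group with no outbound rule at all, yet denied by a NACL until the ephemeral port range is allowed explicitly in the opposite direction.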
Bastion Hosts
Now imagine that we want to SSH into an EC2 instance that lives in a private subnet to perform some configuration.
Answer: bastion hosts, also called jump hosts.
They are regular EC2 instances that live in a public subnet, and we use them as an intermediary for SSH'ing into an instance within a private subnet.
VPC Endpoints
In simple words, they allow instances in a VPC to reach 'PaaS' services like S3 and DynamoDB through AWS's private network instead of going through the internet.
They can be used as an additional layer of security.
There are two types of endpoints:
- Gateway: allows connections to S3 and DynamoDB only.
- Interface: allows connections to all other AWS services.
Services that are managed by AWS, like S3, DynamoDB, etc., do not belong to a VPC.
The only way for resources within our VPC to reach these services is through the internet or through VPC endpoints.
VPC Peering and Transit Gateways
So far we have talked about how VPCs are isolated from each other, which means there is no network reachability between them.
How can we make two or more VPCs communicate with each other through AWS's private network?
We have two ways to do it:
- VPC peering: we create a peering connection that allows two VPCs to behave as a single network, under the condition that the two VPCs do not have overlapping CIDR ranges. We can peer two VPCs within the same account or across multiple AWS accounts. Peering is not transitive. We also have to update the route tables in each VPC to allow traffic back and forth.
- Transit gateway: allows us to connect two or more VPCs together and, unlike VPC peering, it is transitive. Transit gateways can also peer with other transit gateways. At the moment this is the only service that supports multicast routing. Multicast means delivering a single stream of data to multiple receiving instances simultaneously.
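Here is an added Python example (not from the original article) that models the two options side by side: a peering mesh that refuses overlapping CIDR blocks, needs a route on each side and offers no transitive reachability, and a transit gateway where any attached VPC can reach any other. The VPC names and CIDR blocks are constructed; the transit gateway model assumes the default route table, where every attachment is associated and propagated. full_mesh_peerings shows why peering alone does not scale: n VPCs need n(n-1)/2 connections.

```python
import ipaddress


def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """AWS rejects a peering connection between VPCs whose CIDR blocks overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


class PeeringMesh:
    """VPC peering: traffic flows only over a direct, routed peering connection."""

    def __init__(self, vpcs: dict):
        self.vpcs = dict(vpcs)                              # name -> CIDR block
        self.connections = set()                            # accepted peering connections
        self.routes = {name: set() for name in self.vpcs}   # name -> peers it has a route to

    def peer(self, a: str, b: str) -> None:
        if not can_peer(self.vpcs[a], self.vpcs[b]):
            raise ValueError(f"{a} ({self.vpcs[a]}) overlaps {b} ({self.vpcs[b]})")
        self.connections.add(frozenset((a, b)))

    def add_route(self, vpc: str, peer: str) -> None:
        """Route in vpc's route table sending peer's CIDR to the peering connection."""
        if frozenset((vpc, peer)) not in self.connections:
            raise ValueError(f"no peering connection between {vpc} and {peer}")
        self.routes[vpc].add(peer)

    def reachable(self, src: str, dst: str) -> bool:
        # Needs the direct connection plus a route on each side; there is no
        # hopping through a third VPC, which is what "not transitive" means.
        return (frozenset((src, dst)) in self.connections
                and dst in self.routes[src] and src in self.routes[dst])


class TransitGateway:
    """Transit gateway as a hub: every attached VPC can reach every other one
    (assumes the default route table with all attachments associated and propagated)."""

    def __init__(self):
        self.attachments = set()

    def attach(self, vpc: str) -> None:
        self.attachments.add(vpc)

    def reachable(self, src: str, dst: str) -> bool:
        return src != dst and {src, dst} <= self.attachments


def full_mesh_peerings(n: int) -> int:
    """Peering connections needed so that n VPCs can all talk directly."""
    return n * (n - 1) // 2


if __name__ == "__main__":
    # Constructed VPCs; D deliberately overlaps A to show the rejected peering.
    mesh = PeeringMesh({"A": "10.0.0.0/16", "B": "10.1.0.0/16",
                        "C": "10.2.0.0/16", "D": "10.0.128.0/17"})
    mesh.peer("A", "B"); mesh.peer("B", "C")
    for vpc, peer in (("A", "B"), ("B", "A"), ("B", "C"), ("C", "B")):
        mesh.add_route(vpc, peer)
    print("peering A->B:", mesh.reachable("A", "B"), " A->C:", mesh.reachable("A", "C"))
    try:
        mesh.peer("A", "D")
    except ValueError as err:
        print("rejected:", err)
    tgw = TransitGateway()
    for vpc in "ABC":
        tgw.attach(vpc)
    print("transit gateway A->C:", tgw.reachable("A", "C"))
    print("10 VPCs fully meshed by peering need", full_mesh_peerings(10), "connections")
```

A forgotten route on either side is the most common reason a freshly accepted peering "does not work", so reachable checks both route tables rather than just the connection.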
Site-to-Site VPN
Suppose we want to connect an on-premises network to AWS.
One option for doing this is through a VPN.
On the customer side you'll need a customer gateway managed on-premises, and on the AWS side you'll need a virtual private gateway.
In the subnet route tables we need to enable route propagation, and in the security groups of the EC2 instances we need to allow inbound ICMP messages in order for this to work.
Even though the traffic is encrypted, it's still going through the public internet.
So if we want maximum security, we can use Direct Connect.
Direct Connect
This offers a dedicated physical connection (over optical fiber) from on-premises to AWS.
It is more expensive and takes longer to set up.
Conclusion
In this article I tried to provide an overview of networking fundamentals in AWS. It is important to recognize that a comprehensive understanding of AWS networking requires a deeper exploration beyond the scope of a single article.
As with any technical subject, hands-on experience and continuous learning are crucial.
Alright, that concludes our journey today. Thank you for your time!
If you have any questions don't hesitate to ask in the comment section.
Have a nice day!