AWS Networking Key Terms Explained
Traditional networking is very difficult. It involves equipment, cabling, complex configurations, and specialist skills.
Amazon VPC hides the complexity and simplifies the deployment of secure private networks.
VPC
A VPC (Virtual Private Cloud) is a virtual network that you create in the cloud; it gives you control over the resources you deploy into that network. Resources that can be provisioned here include EC2 instances, databases and storage.
The default VPC is configured so that you can launch resources as soon as you start using AWS. It uses the CIDR range 172.31.0.0/16, which includes all addresses from 172.31.0.0 through 172.31.255.255, a total of 65,536 addresses.
A VPC is a regional resource.
Note: You can also provision your own VPC.
Real-life analogy of how a VPC operates
Imagine you have a big estate with a couple of houses or villas. One of the houses has multiple rooms. Each room represents a different area where you can place things like furniture or appliances. In this analogy, your estate is the AWS cloud, each house is a separate network space called a VPC, and each room is a subnet.
Think of it this way: you can set up different rooms (subnets) in your house (VPC) for specific purposes. For example, you might have a living room (public subnet) where everyone can gather, watch TV, and socialize. This room is connected to the outside world, just like a public subnet in a VPC that can directly communicate with the internet. On the other hand, you may have a bedroom (private subnet) where you keep personal items and have private conversations. This room is not directly accessible from the outside, just like a private subnet in a VPC that is not directly connected to the internet.
In addition, you can control who can access your house and its rooms. With AWS VPC, you can define security rules (security groups) that act like locks on each door of your rooms, allowing only specific people (IP addresses or sources) to enter.
In summary, AWS VPC provides you with your private area within the AWS cloud, allowing you to create isolated network spaces (subnets) and control access to your resources. It's like having different rooms in your house, each with its purpose and level of privacy.
Subnets
Subnets, short for subnetworks, are smaller partitions of a larger network. An AWS VPC is divided into public and private subnets, each with its own IP address range and specific characteristics.
Public subnets are used for resources that must be reachable from the internet.
Private subnets are used for resources that must remain isolated from the internet.
Note the following:
Subnets are zonal resources.
Subnets must be attached to a VPC.
Each subnet in a VPC has a distinct CIDR range drawn from the addresses available in the VPC.
You must ensure that a subnet's CIDR range does not overlap with the ranges used by the other subnets.
The subnet mask determines the range of IP addresses that belong to a particular subnet; it identifies the network portion and the host portion of an IP address.
AWS always reserves 5 addresses in each subnet for networking purposes.
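The subnet rules above (distinct, non-overlapping CIDR ranges inside the VPC range, and five reserved addresses per subnet) can be checked with Python's standard ipaddress module. This is an added example, not code from the original page; it carves the default VPC range 172.31.0.0/16 into /20 subnets, and the candidate subnets it validates are constructed for illustration.

```python
import ipaddress

# Default VPC CIDR, as stated above; the other values here are constructed.
VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")
RESERVED_PER_SUBNET = 5  # AWS reserves the first four and the last address of every subnet


def carve_subnets(vpc_cidr, new_prefix, count):
    """Split the VPC range into `count` equal, non-overlapping subnets of the given prefix."""
    return list(vpc_cidr.subnets(new_prefix=new_prefix))[:count]


def has_overlap(subnets):
    """True if any two subnet CIDRs share addresses (AWS rejects such a subnet)."""
    return any(a.overlaps(b) for i, a in enumerate(subnets) for b in subnets[i + 1:])


def validate_subnet(vpc_cidr, candidate_cidr, existing):
    """Check a proposed subnet the way the VPC would: inside the VPC range, no overlap."""
    candidate = ipaddress.ip_network(candidate_cidr)
    if not candidate.subnet_of(vpc_cidr):
        return "not inside VPC CIDR"
    if any(candidate.overlaps(s) for s in existing):
        return "overlaps an existing subnet"
    return "ok"


def reserved_addresses(subnet):
    """The five addresses AWS keeps back in each subnet."""
    base = int(subnet.network_address)
    return {
        "network": ipaddress.ip_address(base),
        "vpc_router": ipaddress.ip_address(base + 1),
        "dns": ipaddress.ip_address(base + 2),
        "future_use": ipaddress.ip_address(base + 3),
        "broadcast": subnet.broadcast_address,
    }


def usable_hosts(subnet):
    """Addresses instances can actually be given: the block size minus the five reserved."""
    return subnet.num_addresses - RESERVED_PER_SUBNET


if __name__ == "__main__":
    plan = carve_subnets(VPC_CIDR, 20, 3)  # e.g. one /20 per Availability Zone
    for s in plan:
        print(s, "usable hosts:", usable_hosts(s), "reserved:", reserved_addresses(s))
    print("overlap:", has_overlap(plan))
    print(validate_subnet(VPC_CIDR, "172.31.8.0/22", plan))
```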
Internet Gateway
An IGW (Internet Gateway) facilitates communication between the resources in a VPC and the internet. The Internet Gateway is attached to the VPC, and public subnets are associated with the IGW through their route tables.
An IGW is a regional resource.
An IGW serves two primary purposes:
It provides internet connectivity to resources within your VPC, acting as the entry and exit point for network traffic between your VPC and the internet.
It performs Network Address Translation (NAT) for outbound traffic from private subnets in your VPC. Private subnets do not have direct internet connectivity, so their outbound traffic is routed to the IGW for translation before reaching the internet.
Routes
A route table contains a set of rules, called routes, that are used to determine where network traffic is directed. Each subnet in a VPC must be associated with a route table because the table controls the routing for the subnet. A subnet can be associated with only one route table at a time, but you can associate multiple subnets with the same route table.
To make a subnet public, create a route in its route table that directs internet-bound traffic to the IGW.
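The route-table behaviour described above (one table per subnet, a table shared by several subnets, and the most specific route winning) is shown in this added example, which is not code from the original page. The VPC range 10.0.0.0/16, the subnets and the igw-/nat- target ids are constructed placeholders; the public subnet sends 0.0.0.0/0 to the IGW, the private subnet to a NAT gateway, and the isolated subnet has no default route.

```python
import ipaddress

# Constructed example: a VPC with CIDR 10.0.0.0/16 (not from the page) and three route tables.
# Every route table carries the implicit "local" route for the VPC's own range.
VPC_CIDR = "10.0.0.0/16"
PUBLIC_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")]   # default route -> IGW
PRIVATE_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")]  # default route -> NAT gateway
ISOLATED_RT = [(VPC_CIDR, "local")]                                  # no default route at all

# Each subnet is associated with exactly one route table; a table may serve several subnets.
SUBNET_ROUTE_TABLES = {
    "10.0.1.0/24": PUBLIC_RT,
    "10.0.2.0/24": PRIVATE_RT,
    "10.0.3.0/24": PRIVATE_RT,
    "10.0.9.0/24": ISOLATED_RT,
}


def lookup_route(route_table, dst_ip):
    """Longest-prefix match: the most specific matching route wins, as in a VPC route table."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def subnet_of_ip(ip):
    """Find which subnet an instance's private IP belongs to."""
    for cidr in SUBNET_ROUTE_TABLES:
        if ipaddress.ip_address(ip) in ipaddress.ip_network(cidr):
            return cidr
    return None


def next_hop(src_ip, dst_ip):
    """Where traffic from src_ip to dst_ip is sent, per the source subnet's route table."""
    subnet = subnet_of_ip(src_ip)
    return lookup_route(SUBNET_ROUTE_TABLES[subnet], dst_ip) if subnet else None


def is_public_subnet(subnet_cidr):
    """A subnet is public when its route table sends internet-bound (0.0.0.0/0) traffic to an IGW."""
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-")
               for cidr, target in SUBNET_ROUTE_TABLES[subnet_cidr])


if __name__ == "__main__":
    for src in ("10.0.1.10", "10.0.2.10", "10.0.9.10"):
        print(src, "-> internet via", next_hop(src, "198.51.100.7"),
              "| to 10.0.1.10 via", next_hop(src, "10.0.1.10"))
```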
Security Group
A security group acts as a virtual firewall for instances to control inbound and outbound traffic.
Security groups operate at the level of the elastic network interface (ENI) of an instance, not at the subnet level. Thus, each instance can have its own firewall that controls its traffic. If you do not specify a security group at launch time, the instance is automatically assigned the default security group for the VPC.
Two types of rules are deployed here:
Inbound rules
Outbound rules
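The per-instance, allow-only evaluation of inbound and outbound rules described above is modelled in this added example, which is not code from the original page. The group ids (sg-web, sg-db, sg-default), ports and addresses are constructed; the sg-default group mirrors the VPC's default security group, which admits inbound traffic only from its own members and allows all outbound traffic.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    protocol: str   # "tcp", "udp", "icmp", or "-1" meaning all protocols
    from_port: int
    to_port: int
    source: str     # a CIDR block, or the id of another security group


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


def _matches(rule, protocol, port, peer_ip, peer_groups):
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source.startswith("sg-"):   # rule references another group, not an address
        return rule.source in peer_groups
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.source)


def allowed(sg, direction, protocol, port, peer_ip, peer_groups=()):
    """Security groups hold allow rules only: traffic with no matching rule is dropped.
    Return traffic for an allowed connection is permitted automatically (stateful),
    so only the direction in which a connection is initiated is evaluated here."""
    rules = sg.inbound if direction == "inbound" else sg.outbound
    return any(_matches(r, protocol, port, peer_ip, peer_groups) for r in rules)


ALL_OUT = Rule("-1", 0, 65535, "0.0.0.0/0")
# Constructed example groups (ids are placeholders):
WEB_SG = SecurityGroup("sg-web", inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")], outbound=[ALL_OUT])
DB_SG = SecurityGroup("sg-db", inbound=[Rule("tcp", 5432, 5432, "sg-web")], outbound=[ALL_OUT])
# The VPC's default security group: inbound only from members of itself, all outbound allowed.
DEFAULT_SG = SecurityGroup("sg-default", inbound=[Rule("-1", 0, 65535, "sg-default")], outbound=[ALL_OUT])

if __name__ == "__main__":
    print("HTTPS from internet to web:", allowed(WEB_SG, "inbound", "tcp", 443, "203.0.113.5"))
    print("SSH from internet to web:", allowed(WEB_SG, "inbound", "tcp", 22, "203.0.113.5"))
    print("Postgres from web tier to db:", allowed(DB_SG, "inbound", "tcp", 5432, "10.0.1.10", {"sg-web"}))
```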
Network Address Translation (NAT) Gateway
A NAT gateway is a managed service that enables instances within a private subnet to communicate with the internet while maintaining a level of security.
A NAT gateway allows instances within private subnets to initiate outbound connections to the internet. It acts as a gateway or intermediary between the private subnet and the public internet.
A NAT gateway helps preserve the privacy and security of resources within the private subnet by hiding their private IP addresses from the internet. Outgoing traffic appears to come from the NAT gateway's public IP address, rather than the individual instances' private IP addresses.
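The two properties described above (outbound traffic appears to come from the gateway's public IP, and only connections initiated from inside are allowed back in) come from source NAT with a translation table. This added example models that behaviour; it is not AWS's implementation or code from the original page, and the public IP 203.0.113.10, the private addresses and the remote hosts are constructed documentation-range values.

```python
# Constructed model of the source NAT a NAT gateway performs. All addresses are made up
# (documentation ranges); a real NAT gateway is an AWS-managed service, not this code.
NAT_PUBLIC_IP = "203.0.113.10"   # the Elastic IP attached to the NAT gateway (constructed)


class NatGateway:
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.by_port = {}   # translated source port -> (priv_ip, priv_port, dst_ip, dst_port)
        self.by_flow = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> translated source port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet leaving the private subnet; returns what the internet sees.
        The instance's private address is replaced by the gateway's public IP."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        port = self.by_flow.get(flow)
        if port is None:                      # first packet of a new outbound connection
            port = self.next_port
            self.next_port += 1
            self.by_flow[flow] = port
            self.by_port[port] = flow
        return (self.public_ip, port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite a packet arriving from the internet, or return None to drop it.
        Only replies to connections the instance initiated have a mapping, so an
        unsolicited connection attempt never reaches a private instance."""
        if dst_ip != self.public_ip:
            return None
        flow = self.by_port.get(dst_port)
        if flow is None or (flow[2], flow[3]) != (src_ip, src_port):
            return None
        priv_ip, priv_port, _, _ = flow
        return (src_ip, src_port, priv_ip, priv_port)


if __name__ == "__main__":
    nat = NatGateway(NAT_PUBLIC_IP)
    print("out:", nat.outbound("10.0.2.15", 40000, "198.51.100.7", 443))
    print("reply:", nat.inbound("198.51.100.7", 443, NAT_PUBLIC_IP, 1024))
    print("unsolicited:", nat.inbound("198.51.100.9", 50000, NAT_PUBLIC_IP, 22))
```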