AWS VPC for beginners

Tram Ho

This week I am writing up what I have learned about Amazon's Virtual Private Cloud (VPC). If you'd like to see what else I've learned about AWS, check out the DynamoDB Overview and S3 Overview.

This article is more useful if you are preparing for the AWS Developer Associate exam.

What is VPC?

A VPC is a virtual network dedicated to you within AWS, in which you keep all of your AWS resources. It is a logical data center in AWS and contains gateways, route tables, network access control lists (ACLs), subnets, and security groups.

Things to note:

  • Each subnet exists in one availability zone.
  • Security groups are stateful; network ACLs are stateless.
  • VPCs can be peered within the same account and across AWS accounts.
  • Transitive peering is not allowed, which means you cannot reach one VPC from another through a third VPC. You must have a direct peering connection.

Why use VPC?

When you launch a service in a public cloud, it is reachable from anywhere and exposed to attacks from the Internet. To lock down your instances and protect them from outside attacks, you place them in a VPC. A VPC restricts the types of traffic, the IP addresses and the users that can reach your instances.

This prevents unwanted visitors from accessing your resources and protects you from things like DDoS attacks. Not all services need Internet access, so they can be locked securely in a private network, and you expose only certain machines to the Internet.

Of course, if you want to install software or reach the Internet from private instances that are blocked from the Internet, that is a problem. There are a couple of solutions to this, which I will cover next.

NAT Instances

A NAT instance can be used to solve the "how do I install things from the Internet on my secure private instances" problem.

A NAT instance is created in a public subnet that has access to the Internet. Once you allow access from your private instance to the NAT instance, your private instance is able to make Internet requests. This access is one-way, i.e. someone on the Internet cannot reach your instance.

Things to note:

  • A NAT instance must be in a public subnet.
  • It must have an Elastic IP.
  • There must be a route from your private subnet to the NAT instance.
  • You can build high availability manually using Auto Scaling groups and multiple subnets.
  • It is different from a bastion: a NAT instance provides Internet access to private instances, whereas a bastion is used to manage instances, for example over SSH.
  • NAT instances are now deprecated and have been replaced by NAT Gateways.


NAT Gateways

NAT Gateways have essentially replaced NAT instances because they provide the same access to the Internet from a private subnet with the same security. However, they are much easier to set up and scale, as they are fully managed by Amazon.

Things to note:

  • Scales automatically up to 10 Gbps
  • No manual patching required; Amazon takes care of this
  • Not associated with security groups
  • Automatically assigned a public IP

Network Access Control Lists (ACL)

By default, a VPC comes with a Network ACL that allows all inbound and outbound traffic. However, if you create a new Network ACL yourself, it blocks all incoming and outgoing traffic by default and you have to allow access manually.

Each subnet in the VPC must be associated with a Network ACL, but a subnet can only be associated with one Network ACL at a time. A single Network ACL, however, can be associated with many different subnets.

Things to remember:

  • A Network ACL contains a numbered list of rules that is evaluated in order.
  • The convention is to start rule numbers at 100 and increment by 100.
  • Rules are evaluated in order, so if you want to block SSH from a particular IP address while allowing SSH from everywhere else, add your deny rule before the broader allow rule.
  • There are separate rules for inbound and outbound traffic, so you have to set rules for each direction.
  • They are stateless, meaning that replies to inbound traffic are subject to the outbound rules, and replies to outbound traffic are subject to the inbound rules.
  • Block IP addresses with Network ACLs, not security groups.
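
As an added example (not from the original article), here is a small Python simulator of how a Network ACL evaluates its ordered, stateless rules, so the rule-ordering and return-traffic points above can be checked concretely. Rule numbers, addresses and port ranges are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # rules are evaluated in ascending number order
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", or "all"
    cidr: str        # source (inbound) or destination (outbound) block
    ports: tuple     # inclusive (low, high) port range

def nacl_decision(rules, protocol, address, port):
    """First matching rule wins; the implicit final '*' rule denies."""
    ip = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if not (rule.ports[0] <= port <= rule.ports[1]):
            continue
        return rule.action
    return "deny"

# Inbound: the deny for one address is numbered BEFORE the broad SSH allow,
# as the article recommends, so it takes effect. (Constructed sample values.)
INBOUND_GOOD = [
    Rule(100, "deny", "tcp", "203.0.113.7/32", (22, 22)),
    Rule(200, "allow", "tcp", "0.0.0.0/0", (22, 22)),
]
# Same rules with the deny numbered AFTER the allow: the allow matches first
# and the deny is never reached.
INBOUND_BAD = [
    Rule(100, "allow", "tcp", "0.0.0.0/0", (22, 22)),
    Rule(200, "deny", "tcp", "203.0.113.7/32", (22, 22)),
]
# Outbound: because NACLs are stateless, the SSH server's replies (sent to
# the client's ephemeral port) pass only if an outbound rule covers them.
OUTBOUND_NO_EPHEMERAL = [Rule(100, "allow", "tcp", "0.0.0.0/0", (443, 443))]
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_NO_EPHEMERAL + [
    Rule(200, "allow", "tcp", "0.0.0.0/0", (1024, 65535)),
]

def ssh_session_allowed(inbound, outbound, client_ip, client_port=51515):
    """A TCP session needs both the request and the reply direction allowed."""
    request = nacl_decision(inbound, "tcp", client_ip, 22)
    reply = nacl_decision(outbound, "tcp", client_ip, client_port)
    return request == "allow" and reply == "allow"
```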

Resiliency

For resilience you should always have 2 public subnets and 2 private subnets, and make sure they are in different availability zones. The same applies to Elastic Load Balancers.

NAT instances are harder to make highly available, so NAT Gateways are recommended instead, as Amazon handles this for you and nothing needs to be done manually.

You can always monitor the traffic in your VPC by enabling VPC Flow Logs.


Source: Viblo