AWS Virtual Private Clouds (VPCs)

In the spirit of my last blog on cloud computing, we will discuss VPCs in this blog.

What are VPCs?

Before I answer this question I need to explain this picture and the terms used. In AWS (and other cloud providers) we have several things that make up the global cloud infrastructure. Those things are Regions, Availability Zones, and Edge Locations (not pictured). A region is a geographical area around the world that consists of multiple availability zones. An availability zone can be thought of as one or more discrete data centers that have separate power, cooling, and networking, and are housed in separate buildings. Edge locations are places where CloudFront caches your content to provide ultra-low latency delivery of that content. According to AWS they currently have 32 regions, 102 availability zones, and more than 550 PoPs (points of presence). These things together make it possible to create global resources in minutes that serve millions of customers.

A VPC, or Virtual Private Cloud, is a logically isolated portion of the cloud where you can deploy resources such as compute and storage. A VPC is a virtual network that is dedicated to your AWS account and is logically separate from other AWS virtual networks. A VPC can have both public and private subnets (networks), each of which is defined within a single Availability Zone, even though the VPC itself spans all AZs in a region. You can create up to 5 VPCs in a region. Because a subnet is confined to a single AZ, if you want to deploy in multiple AZs you will need multiple subnets. By default, a public subnet is created in every availability zone in a region. Public subnets are routable on the internet and private subnets are not. These subnets are where you launch your AWS resources, such as EC2 instances. For private subnets to have access to the internet you have to use a NAT gateway or NAT instance. When you create public subnets you need to associate them with an internet gateway so that they can reach the internet. When creating private subnets you need to associate them with a different route table that has a default route pointing to the NAT gateway, so that your private subnets can reach the internet. When you have multiple VPCs, whether they are in the same region or not, you can interconnect them with VPC peering. A peering connection is private and does not traverse the internet to reach the other VPC.

Besides subnets, there are a few other things that can make up a VPC.

  • Internet Gateway: The AWS VPC's connection to the internet
  • Router: A router allows the interconnection between subnets and internet gateways
  • NAT Instance: Allows internet access for EC2 instances in your private subnet and is managed by you
  • NAT Gateway: Allows internet access for EC2 instances in your private subnet and is managed by AWS
  • Virtual Private Gateway: The AWS VPC's side of a VPN
  • VPC Endpoints: A private connection to public AWS resources
  • NACLs: A way of securing your VPC at the subnet level
  • Security Groups: A way of securing your VPC at the instance level
  • AWS Direct Connect: A private connection from a customer DC to AWS
  • Customer Gateway: The customer side of a VPN

There are two ways of securing a VPC: one is using a network ACL (NACL) and the other is using a security group. A NACL provides security at the subnet level, meaning that it controls traffic going to and coming from a subnet. NACLs are stateless and are processed top down: rules are evaluated in order of their rule number, lowest first, and the first rule that matches the traffic (whether allow or deny) is the one applied. One thing to note is that because a NACL is stateless you must define an entry for both directions of traffic, including the return traffic of a connection. There is a default deny at the end of the list, so if there is no specific match in a NACL the traffic is automatically denied. A security group provides security at the instance level, meaning it controls communication to and from an EC2 instance, for example. Security groups are stateful in nature, meaning that they keep "state" of the communications, and as long as there is session or state information for a flow they will automatically allow the return traffic. Both serve a specific function, so depending on what you are trying to accomplish you may need one or both of these.
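To make the difference concrete, here is an added example (not from the original post or from AWS) that models the two evaluation semantics just described. The NACL and security-group rule sets, the client addresses and the port numbers are constructed for illustration; note how the same HTTPS reply is dropped by the NACL until an outbound rule for the ephemeral port range is added, while the stateful security group passes it with no extra rule.

```python
from ipaddress import ip_address, ip_network

# Constructed NACL: "num" is the rule number, "ports" an inclusive range.
# Rule 110 never blocks port 443 from 198.51.100.0/24 because rule 100 matches first.
NACL = [
    {"num": 100, "dir": "in",  "action": "allow", "ports": (443, 443),  "cidr": "0.0.0.0/0"},
    {"num": 110, "dir": "in",  "action": "deny",  "ports": (0, 65535),  "cidr": "198.51.100.0/24"},
    {"num": 100, "dir": "out", "action": "allow", "ports": (443, 443),  "cidr": "0.0.0.0/0"},
]
# Same NACL plus the outbound ephemeral-port rule that return traffic needs.
NACL_FIXED = NACL + [
    {"num": 120, "dir": "out", "action": "allow", "ports": (1024, 65535), "cidr": "0.0.0.0/0"},
]
# Constructed security group: allow rules only, no explicit deny exists.
SG = [{"dir": "in", "ports": (443, 443), "cidr": "0.0.0.0/0"}]

def _matches(rule, pkt):
    """Does a rule match this packet's direction, destination port and remote address?"""
    port = pkt["local_port"] if pkt["dir"] == "in" else pkt["remote_port"]
    lo, hi = rule["ports"]
    return (rule["dir"] == pkt["dir"] and lo <= port <= hi
            and ip_address(pkt["remote"]) in ip_network(rule["cidr"]))

def nacl_allows(rules, pkt):
    """Stateless: lowest rule number first, first match wins, implicit deny at the end."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if _matches(rule, pkt):
            return rule["action"] == "allow"
    return False  # the trailing '*' rule

def sg_allows(rules, pkt, tracked):
    """Stateful: `tracked` stands in for connection tracking, so any packet of an
    already-admitted flow is allowed without consulting the rules again."""
    flow = (pkt["remote"], pkt["remote_port"], pkt["local_port"])
    if flow in tracked:
        return True
    if any(_matches(rule, pkt) for rule in rules):
        tracked.add(flow)
        return True
    return False  # no allow rule matched: implicit deny

def https_exchange(client, nacl=NACL):
    """Client at `client` opens a connection to port 443 and the instance replies.
    Returns (nacl_request, nacl_reply, sg_request, sg_reply) decisions."""
    req = {"dir": "in",  "remote": client, "remote_port": 51000, "local_port": 443}
    rep = {"dir": "out", "remote": client, "remote_port": 51000, "local_port": 443}
    tracked = set()
    return (nacl_allows(nacl, req), nacl_allows(nacl, rep),
            sg_allows(SG, req, tracked), sg_allows(SG, rep, tracked))
```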

Thank you for taking the time to read this blog. Let me know what you thought about it, and if you enjoyed it, consider subscribing to keep up with my latest blogs.
