VPC

VPC (Virtual Private Cloud)

This is your private section of AWS, where you can place AWS resources, and allow/restrict access to them.

  • exists within a single AWS region

  • user defined IP address range

Internet gateway (IGW)

Provides your private network with a route to the world outside of VPC.

  • IGW <one-to-one> VPC

  • if (VPC contains active resources) {
    IGW can not be detached from VPC
}

Route tables RTs

RTs contains rules (routes) that are used to determine where network traffic is directed.

  • 172.31.0.0/16 local

    • if destination IP address falls in this range => communication is kept local inside VPC

  • 0.0.0.0/0 igw-<some-id>

    • if destination IP is not in the range above (172.31...) => communication is directed through the IGW out to the internet 

    • if (IGW is detached) {
    RTs still directs traffic to IGW
    But IGW has no connection to outside world
}
    • if (detach IGW_1 & attach IGW_2 for VPC) {
    update_RTs_routes()
}

func update_RTs_routes() {
    delete route for IGW_1
    add "0.0.0.0/0" route to IGW_2
}

Network Access Control List (NACL)

It is a optional layer of security for VPC that acts like a firewall for controlling traffic in and out of one or more subnets.

Rules:

  • numbered (processed from lowest to highest)

    • The first rule evaluated that applies to the traffic type get immediately applied and executed regardless of the rules that come after (have a higher rule #)

  • "*" is a default (i.e. if you do not explicitly allow traffic => default rule will DENY it)

💡 Subnet <-1-1-> Network ACL (subnet can be in only one NACL)

⚠️ Whenever you have a problem with connectivity of services => check NACL

Subnet

💡 One subnet can not span more than one availability zone.

Subnet <=> Route table. So if Route table does not have a route to internet => Subnet is private.

Availability zone

When you create a VPC => it spans all of the Availability zones in the region. After creating a VPC, you can add one/more subnets in each Availability zone.

  • High availability

    • I can always access my data in the cloud

    • My website never crashes and it always available to customers

  • Fault tolerance

    • If web server failed => backup server immediately takes over

    • If something in the system fails => it can repair itself

PreviousAWSNextEC2

Last updated

Was this helpful?