AWS Networking

Here it is about VPC standing for Virtual Private Cloud. It is the service that allows you to isolate a section of the whole AWS network and make it your own virtual private network. In this network, you are the administrator and you can configure it as you desire, choose your IP address range, choose your segmentation into subnets, choose the kind of traffic filters you want to use… The resources you are going to launch or the databases are going to run in this VPC, and are going to use the pre-defined IP address ranges and the routing rules defined within this VPC.

This VPC network can even be connected to an on-premise network in a datacenter for instance, either through a VPN gateway or through a more advanced service called Direct connect.

1. Introduction

When an account is created on AWS, the base unit is the VPC. VPC is a private network which is available on a specific region on AWS while a subnet of a VPC is located in an availability zone.

To connect our VPC to Internet or another VPC, Internet Gateway (IGW) and Virtual private Gateway (VPG) respectively are two essential elements needing to be used.

Routers allow to route packets either internally between private networks or to the outside world by IGW or VPG, and all this is managed with routing tables.

To manage the traffic, security is needed to authorize or not the different transfers. To do this, there is a first layer of security specific to the network called Network Access Control List (Network ACL), which is a firewall that will, for instance, accept incoming traffic on a particular port to a subnet and not another one. To complete this security at the network level, there is another level of security which are the security groups (SG) at the AWS instances level.

2. Create a VPC

When connecting to the AWS console, it is simple to create a VPC using the VPC service of AWS. You just need to click on Your VPCs and then Create VPC. As shown in the following figure, you have to fill in the name (here mydefault) of your VPC and an IP address range (here 10.0.0.0/16).

By default, a VPC is created with DHCP options, a route table, a network ACL; and it is possible to properly customise each of them.

3. Create an Internet gateway and attach to the VPC

It is simple to create an Internet gateway: using the VPC service, click on Internet Gateways and then on Create internet gateway. As shown in the following figure, you have to give a name (here my-igw).

Once created the Internet gateway, to attach it to the VPC, you have to choose it among all the Internet gateways and, in the Actions menu, select Attach to VPC and then, select the chosen VPC (here mydefault), as shown in the following figure. It is also possible to do it using AWS CLI.

4. Create a subnet

To create a subnet, always in the VPC service, click on Subnets and then on Create subnet. As shown in the following figure, you have to specify the VPC ID, its name, an availability zone among all the possible choices, and an IP address range (here 10.0.0.0/20)

I created 3 subnets in 3 availability zones and, for each one, using the Actions menu, I enabled auto-assign public IPV4 address to give a by default public IP address to any instance in the subnets.

5. Route tables

When creating a VPC, by default there is only a local route. As a public network is wanted, routes have to be added to enable public access using for instance an Internet gateway. By clicking on Route Tables in the VPC service of AWS, there are all the available route tables. I selected the route attached to the subnets, and as shown in the following figure, I edited the route tables to enable a public route to all IP address using the Internet gateway.

6. Network ACL

When creating a VPC, there is already a network access control list (Network ACL). And by default, as shown in the following figures, as Inbound Rules or Outbound Rules, it is ALLOW ALL (ALL Traffic Type, ALL Protocol, ALL Port Range, ALL Source, ALL Destination)

It is also possible to create another network ACL and associate it with a VPC, add new inbound and outbound rules as by default all is denied.