ruk·si

☁️ AWS
VPC

Updated at 2016-02-23 00:41

Virtual Private Cloud (VPC) allows creating private networks on AWS.

  • VPC exists in a region.
  • VPC has multiple subnets.
  • Internet gateway can be attached to a VPC.
  • Subnet exists in a availability zone.
  • Subnet has a route table.
  • Public subnet: subnet with a route table route to an Internet gateway.
  • Private subnet: subnet without connection to an Internet gateway.
  • Subnets have an ACL (Access Control List).

If you don't know anything about ACLs, use security groups. ACL are not stateful like security groups, if you open inbound port 22, you also need to open outbound port 22.

CIDR notation defines a range of IPs. Always use 0, 8, 16, 24 or 32 mask as they are the easiest to understand.

In CIDR notation, the /NUMBER defines how many bits are used for address ranges
and how many bits are used for the network.
     0.0.0.0/0          (0.0.0.0       - 255.255.255.255, all addresses)
     10.0.0.0/8         (10.0.0.0      - 10.255.255.255)
     192.168.0.0/16     (192.168.0.0   - 192.168.255.255)
     222.222.222.0/24   (222.222.222.0 - 222.222.222.255)
     123.123.123.123/32 (only matches 123.123.123.123)

Traffic between subnets of a VPC are routed by default. The only way to limit traffic between subnets in a single VPC is by ACLs. You can limit traffic with security groups though, you can define rules that match security groups instead of IP address ranges.

If you keep your databases in a private subnet, they cannot be accessed outside of AWS.

VPC address space:  10.0.0.0/16 (10.0.0.0 - 10.0.255.255)
Subnet #0:          10.0.0.0/24 (10.0.0.0 - 10.0.0.255)
Subnet #1:          10.0.1.0/24 (10.0.1.0 - 10.0.1.255)
Subnet #2:          10.0.2.0/24 (10.0.2.0 - 10.0.2.255)
Subnet #3:          10.0.3.0/24 (10.0.3.0 - 10.0.3.255)

You can provide Internet connection for a subnet by:

  • attaching an Internet gateway to the VPC and adding a subnet route table route to the IGW making it a public subnet
  • starting a NAT server instance that is connected to the IGW; and add a route from the private subnet to the NAT instance

NAT can become a bottleneck for AWS API calls ran on your instances. If your instances need to communicate heavily with the Internet, using NAT is usually not a good idea. Favor using an Internet gateway.

Bastion host is a server that has SSH rights to instances inside a private subnet.

Open port 22 for source 0.0.0.0/0 in bastion host's security group.
Open port 22 for source bastion host in private subnet instances.

Sources

  • AWS in Action, Michael Wittig and Andreas Wittig