Subham Nandi
Posted on August 21, 2024
A Virtual Private Cloud (VPC) is a logically isolated network in the cloud that you define within a public cloud environment like AWS (Amazon Web Services), GCP (Google Cloud Platform), or Azure. It allows you to launch resources, such as EC2 instances, RDS databases, and more, within a virtual network that you control. You can define your IP address ranges, create subnets, and configure route tables, network gateways, and security settings.
Key Components of a VPC
-
Subnets:
- Definition: A subnet is a range of IP addresses in your VPC. You can create multiple subnets within a VPC, and each subnet must reside entirely within one Availability Zone (AZ).
-
Types:
- Public Subnet: A subnet that is associated with a route table containing a route to an internet gateway.
- Private Subnet: A subnet that does not have a route to the internet, often used for databases and application servers that do not require direct internet access.
- VPN-only Subnet: Used for instances that require direct access to a corporate network, but not the internet.
-
Route Tables:
- Definition: A route table contains a set of rules (routes) that are used to determine where network traffic is directed. Each subnet in your VPC must be associated with a route table, which controls the routing for the subnet.
- Main Route Table: The default route table that comes with your VPC.
- Custom Route Tables: Additional route tables that you can create and associate with specific subnets.
-
Internet Gateway (IGW):
- Definition: An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. It serves two purposes: providing a target in your VPC route tables for internet-routable traffic and performing network address translation (NAT) for instances that have been assigned public IP addresses.
-
NAT Gateway / NAT Instance:
- Definition: A NAT (Network Address Translation) gateway or instance enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances.
- NAT Gateway: Managed by AWS, scales automatically.
- NAT Instance: User-managed EC2 instance, requires more configuration.
-
VPC Peering:
- Definition: VPC peering is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. Instances in either VPC can communicate with each other as if they are within the same network.
-
Security Groups:
- Definition: Security groups act as a virtual firewall for your EC2 instances to control inbound and outbound traffic. You can create and assign one or more security groups to each instance in your VPC.
- Inbound/Outbound Rules: You can define rules that allow or deny specific traffic based on IP address, port, and protocol.
-
Network Access Control Lists (NACLs):
- Definition: NACLs are an optional layer of security for your VPC that acts as a stateless firewall for controlling traffic in and out of one or more subnets. Unlike security groups, NACLs operate at the subnet level.
- Rules: NACLs allow you to define both inbound and outbound rules, similar to security groups, but these rules are evaluated in a numbered list and applied in ascending order.
-
VPC Endpoints:
- Definition: VPC endpoints allow you to privately connect your VPC to supported AWS services and VPC endpoint services powered by AWS PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.
-
Types:
- Gateway Endpoints: Used for services like S3 and DynamoDB.
- Interface Endpoints: Uses an Elastic Network Interface (ENI) with a private IP address to connect to services like EC2 or Lambda.
-
Elastic IP Address:
- Definition: An Elastic IP is a static IPv4 address designed for dynamic cloud computing. An Elastic IP address is allocated to your AWS account, and you can associate it with an EC2 instance or a NAT gateway.
-
VPN Connection:
- Definition: A VPN (Virtual Private Network) connection enables you to securely connect your on-premises network or another VPC to your AWS VPC using an encrypted connection over the internet or AWS Direct Connect.
-
Direct Connect:
- Definition: AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. With Direct Connect, you can establish private connectivity between AWS and your data center, office, or colocation environment.
How a Virtual Private Cloud (VPC) Works
A Virtual Private Cloud (VPC) is a fundamental component of cloud networking, providing users with a virtual network in the cloud where they can isolate, configure, and manage their resources securely and efficiently. Understanding how a VPC works involves knowing the flow of network traffic, how components interact, and how security is enforced.
1. Creating a VPC
-
Defining the IP Range: When you create a VPC, you specify an IP address range in the form of a CIDR block (e.g.,
10.0.0.0/16
). This IP range will be divided into subnets, which are smaller CIDR blocks within the VPC. - Region and Availability Zones (AZs): A VPC is created within a specific AWS region and spans multiple AZs within that region. Each AZ represents a physically isolated data center.
2. Setting Up Subnets
- Public and Private Subnets: After defining the VPC, you create subnets within it. Each subnet is associated with one AZ. You can create public subnets (which are accessible from the internet) and private subnets (which are isolated from direct internet access).
- Subnet Association: Public subnets are associated with a route table that directs traffic to an Internet Gateway, making them accessible from the internet. Private subnets are associated with a route table that does not have a route to the Internet Gateway, keeping them isolated.
3. Routing Traffic
-
Route Tables: Route tables direct traffic within the VPC. Each subnet is associated with a route table, which contains rules (routes) that specify where network traffic should be directed.
- Internet Gateway Route: A public subnet will have a route in its table that sends traffic destined for the internet (0.0.0.0/0) to the Internet Gateway.
- Private Subnet Routing: Private subnets may have routes that direct traffic to a NAT Gateway for accessing the internet or direct traffic to other subnets within the VPC.
- NAT Gateway/Instance: In private subnets, a NAT Gateway or Instance allows instances to initiate outbound connections to the internet without exposing them to inbound traffic from the internet.
4. Managing Network Access
-
Security Groups: Each instance within the VPC is associated with a security group, which acts as a stateful firewall. Security groups control both inbound and outbound traffic at the instance level.
- Inbound Rules: Control the incoming traffic to instances.
- Outbound Rules: Control the outgoing traffic from instances.
-
Network Access Control Lists (NACLs): NACLs operate at the subnet level, providing an additional layer of security. They control traffic flow into and out of subnets using stateless rules, meaning each request and response is evaluated independently.
- Inbound and Outbound Rules: NACLs have numbered rules that are processed in order, allowing or denying traffic based on IP address, port, and protocol.
5. Connecting to Other Networks
- VPC Peering: VPC peering connections allow you to route traffic between VPCs as if they were part of the same network. Traffic between peered VPCs uses private IP addresses, ensuring security and efficiency.
-
VPN Connections: Virtual Private Network (VPN) connections enable secure communication between your on-premises network and your VPC over the internet.
- Customer Gateway (CGW): A device on your on-premises network that connects to the VPC.
- Virtual Private Gateway (VGW): The AWS-side endpoint for the VPN connection.
- Direct Connect: AWS Direct Connect provides a dedicated, private connection from your data center to AWS, bypassing the internet, which can improve bandwidth and reliability.
6. Using VPC Endpoints
- VPC Gateway Endpoints: Allow private connectivity between your VPC and AWS services like S3 and DynamoDB without using the internet.
- VPC Interface Endpoints: Use Elastic Network Interfaces (ENIs) within your VPC to connect to services using private IPs.
7. Handling Traffic Between Subnets
- Inter-Subnet Traffic: Traffic between instances in the same VPC, whether in the same subnet or different subnets, is routed internally. This traffic never leaves the AWS network and is therefore faster and more secure.
- Security Considerations: Both NACLs and security groups manage traffic between subnets. For example, traffic between two private subnets in different AZs might be controlled by a combination of NACL rules and security group settings.
8. Scaling and High Availability
- Auto Scaling: You can configure auto-scaling groups within a VPC to automatically increase or decrease the number of EC2 instances based on demand.
- Load Balancing: AWS Elastic Load Balancers (ELBs) distribute incoming application traffic across multiple instances in multiple AZs, ensuring availability and reliability.
1. Accessing the AWS Management Console
- Log in to the AWS Management Console: Open your web browser and go to the AWS Management Console. Enter your credentials to log in.
- Navigate to the VPC Service: Once logged in, use the search bar at the top to search for "VPC" and select the VPC service from the results.
2. Creating a VPC
- Choose the VPC Option: In the VPC dashboard, click on "Create VPC". You will see two options: "VPC only" and "VPC and more".
- Select 'VPC and more': This option allows AWS to automatically create associated resources like subnets, route tables, and an internet gateway.
-
Configure VPC Settings:
-
Name your VPC: Enter a name for your VPC (e.g.,
demo-VPC
). -
IPv4 CIDR Block: By default, AWS provides a CIDR block like
10.0.0.0/16
, which gives you 65,536 IP addresses. Adjust the block if needed (e.g.,10.0.0.0/24
for 256 IP addresses). - Number of Availability Zones: You can choose the number of Availability Zones. For simplicity, select one Availability Zone.
- Subnets: AWS will create both public and private subnets for you.
- Internet Gateway: AWS will automatically create and attach an Internet Gateway to the VPC.
- VPC Endpoints: You can leave this as default (e.g., S3 Gateway).
-
Name your VPC: Enter a name for your VPC (e.g.,
Create the VPC: Click on "Create VPC". AWS will now create the VPC along with the associated resources.
3. Reviewing the VPC Configuration
- View Resources: After creation, you can view the created resources such as the VPC, subnets, route tables, and internet gateway.
- Resource Map: AWS provides a visual representation of your VPC resources, which you can view to understand the configuration.
4. Launching an EC2 Instance in the VPC
- Navigate to EC2 Service: Go to the EC2 service from the AWS Management Console.
- Launch Instance: Click on "Launch Instance" to start the process of creating an EC2 instance.
-
Configure Instance Details:
-
Instance Name: Provide a name (e.g.,
demo-instance
). - AMI Selection: Choose an Amazon Machine Image (AMI) like Ubuntu.
-
Instance Type: Select the instance type (e.g.,
t2.micro
for free tier eligible). - Key Pair: Choose an existing key pair or create a new one for SSH access.
-
Network Configuration:
-
VPC Selection: Choose the custom VPC you created (
demo-VPC
). - Subnet: Select the public subnet within your VPC.
- Auto-assign Public IP: Ensure this is enabled for SSH access.
-
VPC Selection: Choose the custom VPC you created (
- Security Group: Create a new security group or use an existing one. This will control inbound and outbound traffic to your EC2 instance.
-
Instance Name: Provide a name (e.g.,
- Launch the Instance: After configuring all settings, click "Launch Instance".
5. Configuring Security Settings
-
Security Group Configuration:
- Edit Inbound Rules: Add rules to allow traffic. For example, allow SSH (port 22) and HTTP (port 8000) by specifying the port number and selecting "Anywhere" for the source.
-
Network ACL Configuration:
- Navigate to Network ACLs: Go back to the VPC dashboard and select Network ACLs.
- Edit Inbound Rules: You can specify rules to allow or deny traffic based on port numbers and IP addresses. For instance, you can deny traffic on port 8000.
6. Testing the EC2 Instance
-
SSH into the Instance:
- Obtain Public IP: Get the public IP address of the EC2 instance from the EC2 dashboard.
-
Connect via SSH: Open a terminal and use the SSH command to connect to the instance (e.g.,
ssh -i your-key.pem ubuntu@<public-ip>
).
-
Install and Run a Python HTTP Server:
-
Update Packages: Run
sudo apt update
to update the package list. -
Start HTTP Server: Run a simple Python HTTP server on port 8000 using
python3 -m http.server 8000
.
-
Update Packages: Run
7. Testing Network Access
-
Access the HTTP Server: In your web browser, enter the public IP of the EC2 instance followed by
:8000
(e.g.,http://<public-ip>:8000
). - Check Access: If security group rules allow traffic on port 8000, you will see the directory listing served by the Python HTTP server.
8. Advanced Security Testing with NACLs
-
Block Traffic with NACL:
- Edit the Inbound Rules of the NACL associated with the subnet to deny traffic on port 8000.
- Test Access: After applying the rule, refresh the browser. You should no longer be able to access the HTTP server.
-
Order of Rules in NACL:
- Rule Priority: NACLs evaluate rules in order, starting from the lowest numbered rule. If a rule denies traffic on port 8000, it takes precedence over a later rule that allows all traffic.
9. Final Verification
- Re-enable Traffic: Modify the NACL to allow traffic again by adjusting the rule order or editing the rules.
- Confirm Access: Once the NACL permits traffic, you should be able to access the HTTP server on port 8000 again.
Posted on August 21, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.