Understanding VPC: The Backbone of Cloud Networking


Virtual Private Cloud (VPC) -

VPC is a virtual network (a virtual data center) inside AWS that belongs to one account.

  • It is logically isolated from every other virtual network in the AWS cloud.

  • By default an account can create 5 VPCs per region and 200 subnets per VPC. These are adjustable service quotas, not hard limits.

  • By default an account can allocate 5 Elastic IP addresses per region (also an adjustable quota).

  • When a VPC is created, AWS automatically gives it a DHCP option set, a default NACL, a default security group and a main route table.

  • A VPC is confined to one AWS region and does not extend between regions.

  • Once the VPC is created you cannot change its primary CIDR (Classless Inter-Domain Routing) block; you can only add secondary CIDR blocks.

  • If you need a different primary CIDR size, create a new VPC.

  • The subnets within a VPC cannot overlap each other, and each must fit inside the VPC CIDR.

Components of VPC-

  1. Implied router and route table

  2. Internet Gateway

  3. Security group

  4. Network ACL

  5. Virtual private gateway

  6. Peering connection

  7. Elastic IP

Types of VPC -

  1. Default VPC

  2. Custom VPC

Default VPC -

  1. Created in each AWS region when an AWS account is created.

  2. Has the default CIDR 172.31.0.0/16 and default security group, NACL and route table settings.

  3. Has an internet gateway attached by default, and its subnets auto-assign public IPs.

Custom VPC-

  1. Is a VPC created by the AWS account owner.

  2. The user creating the custom VPC chooses its CIDR block.

  3. Has its own default security group, Network ACL and main route table.

  4. Does not have an internet gateway by default; one needs to be created and attached if needed.

Subnet

A subnet is a range of IP addresses carved out of the VPC CIDR. Each subnet lives in exactly one availability zone and holds resources such as EC2 instances and database servers.

There are two types of subnet:

Public Subnet -

  1. If a subnet's route table has a route to an internet gateway, the subnet is known as a public subnet.

  2. A public subnet has internet connectivity through the IGW.

  3. The internet gateway is bidirectional: instances in the subnet can reach the internet, and the internet can reach instances that have a public or Elastic IP (subject to the NACL and security group rules). That is why the subnet is called public.

  4. In the default VPC all subnets are public.

  5. Router -> the implied VPC router forwards traffic between subnets; it is created automatically when the VPC is created.

Private Subnet -

  1. If a subnet's route table has no route to the internet gateway, the subnet is known as a private subnet.

  2. You can provide outbound-only internet connectivity by adding a route to a NAT gateway (or NAT instance).

  3. Instances in this subnet are not reachable from the internet, so it is more secure than a public subnet.

Internet gateway (IGW)-

  1. An internet gateway is a VPC component that connects a VPC to the internet and performs one-to-one NAT between an instance's private IP and its public/Elastic IP.

  2. The default VPC already has an IGW attached.

  3. If you create a new VPC you must create and attach an internet gateway in order to access the internet.

  4. Ensure that your subnet's route table has a 0.0.0.0/0 route pointing to the internet gateway, and that the instance has a public or Elastic IP.

NAT Gateway -

  1. You can use a Network Address Translation (NAT) gateway to give instances in a private subnet outbound internet access.

  2. It is placed in a public subnet but serves private subnets.

  3. It is unidirectional: connections can only be initiated from the private subnet outward.

  4. It gives the private subnet internet access via the public subnet; replies to those outbound connections come back, but no outside party can initiate a connection into the private subnet through it.

  5. You are charged per hour and per GB of data processed for a NAT gateway.

  6. To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside.

  7. You must also specify an Elastic IP address to associate with the NAT gateway when you create it.

  8. There is no need to assign a public IP address to your private instances.

  9. Deleting a NAT gateway disassociates its Elastic IP address but does not release the address from your account (an unattached EIP keeps being billed until you release it).

Internet flow from a private instance -> VPC router -> NAT gateway (public subnet) -> internet gateway -> internet

Route table-

A route table controls where traffic leaving a subnet is sent. Every route table gets a "local" entry covering the VPC CIDR when the VPC is created; it lets subnets inside the VPC reach each other and cannot be removed. The VPC router uses the most specific matching route, so the local route always wins over 0.0.0.0/0.

For a public subnet add 0.0.0.0/0 -> internet gateway

For a private subnet add 0.0.0.0/0 -> NAT gateway

CIDR 0.0.0.0/0 -> all IPv4 traffic not matched by a more specific route
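The following is an added example (not from these notes) that simulates how the VPC router resolves a destination against a route table with longest-prefix match, and classifies a subnet as public or private from its routes. The VPC CIDR, the gateway IDs (igw-0aaa, nat-0bbb, pcx-0ccc) and the three route tables are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR, e.g. "10.0.0.0/16" or "0.0.0.0/0"
    target: str       # "local", "igw-...", "nat-...", "pcx-..."


@dataclass(frozen=True)
class RouteTable:
    name: str
    routes: tuple


def lookup(table: RouteTable, dst_ip: str):
    """Return the target for dst_ip using longest-prefix match, the way the
    VPC implied router does. Returns None when no route matches (packet dropped)."""
    dst = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for r in table.routes:
        net = ipaddress.ip_network(r.destination)
        if dst in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best.target if best else None


def subnet_kind(table: RouteTable) -> str:
    """A subnet is public if its route table sends anything to an internet gateway."""
    return "public" if any(r.target.startswith("igw-") for r in table.routes) else "private"


# Constructed sample: a 10.0.0.0/16 VPC; the gateway IDs are placeholders, not real resources.
VPC_CIDR = "10.0.0.0/16"
LOCAL = Route(VPC_CIDR, "local")

PUBLIC_RT = RouteTable("public", (LOCAL, Route("0.0.0.0/0", "igw-0aaa")))
PRIVATE_RT = RouteTable("private", (LOCAL, Route("0.0.0.0/0", "nat-0bbb"),
                                    Route("10.1.0.0/16", "pcx-0ccc")))  # peered VPC
ISOLATED_RT = RouteTable("isolated", (LOCAL,))  # only the local route: no internet at all


def trace(table: RouteTable, dst_ip: str) -> str:
    target = lookup(table, dst_ip)
    return f"{table.name} ({subnet_kind(table)}): {dst_ip} -> {target or 'no route, dropped'}"


if __name__ == "__main__":
    for rt in (PUBLIC_RT, PRIVATE_RT, ISOLATED_RT):
        for ip in ("10.0.5.7", "10.1.2.3", "93.184.216.34"):
            print(trace(rt, ip))
```

Note that 10.0.5.7 matches both the local route and 0.0.0.0/0; the /16 is more specific, so intra-VPC traffic never leaves through the IGW or NAT gateway even though a default route exists.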

• CIDR -

Classless Inter-Domain Routing

192.168.10.0/26 -> the address falls in the old class C range; /26 is the prefix length (26 network bits)

255.255.255.0 -> the default class C mask (/24); for /26 the mask is 255.255.255.192

To find the number of networks and hosts, write the mask in binary:

255 is 11111111 & 0 is 00000000

Now 26 = 8 + 8 + 8 + 2, so 2 bits of the last octet are borrowed from the host part, like below

n is the number of borrowed bits

N = 8 - n = 8 - 2 = 6 (host bits left)

11111111 11111111 11111111 11000000

8 8 8 n=2, N=6

Q 1. How to find the number of networks (subnets) carved out of the /24?

2^n - where n is the total number of bits borrowed from the host part

2^2 = 4

Q.2 How to find the number of IP addresses on each network?
2^N - where N is the total number of host bits
2^6 = 64

Q.3 How to find the number of usable hosts on each network?
2^N - 2 (where N is the total number of host bits)
= 64 - 2
= 62

In classic subnetting we could address 62 hosts with 62 IP addresses; in an AWS subnet it is 64 - 5 = 59 EC2 instances, because AWS reserves five addresses per subnet (listed below).

Note- In every network, the first IP address is reserved for the network ID and the last IP address is reserved for the broadcast address.

Network-1

192.168.10.0/26

192.168.10.0 - Network ID

192.168.10.1 - First usable

-

-

-

192.168.10.62 - Last usable IP

192.168.10.63 - Broadcast ID

Network-2

192.168.10.64 - Network ID

192.168.10.65 - First usable IP

-

-

-

192.168.10.126 - Last usable IP

192.168.10.127- Broadcast ID

Network-3

192.168.10.128 - Network ID

192.168.10.129 - First usable IP

-

-

-

192.168.10.190 - Last usable IP

192.168.10.191- Broadcast ID

Network-4

192.168.10.192 - Network ID

192.168.10.193 - First usable IP

-

-

-

192.168.10.254 - Last usable IP

192.168.10.255- Broadcast ID

  • In addition, AWS reserves five addresses in every subnet; they cannot be assigned to instances. For the subnet 10.0.0.0/24:

10.0.0.0 - Network address

10.0.0.1 - Reserved by AWS for the VPC router

10.0.0.2 - Reserved by AWS (the Amazon-provided DNS server is at the VPC base address + 2)

10.0.0.3 - Reserved by AWS for future use

10.0.0.255 - Network broadcast address (broadcast is not supported in a VPC, but the last address is still reserved)
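The subnet arithmetic above, carried through in code, as an added example that is not part of the original notes. It uses Python's standard ipaddress module to split 192.168.10.0/24 into four /26 networks, reports the classic and the AWS-usable host counts, lists the five addresses AWS reserves, and checks a VPC plan for subnets that fall outside the VPC CIDR or overlap each other. All CIDRs are constructed sample input.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC router",
    2: "reserved by AWS (Amazon DNS is at the VPC base + 2)",
    3: "reserved for future use",
}


def split_network(cidr: str, new_prefix: int):
    """Carve cidr into equal subnets of length new_prefix (borrowing host bits)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if new_prefix < net.prefixlen:
        raise ValueError("new prefix must be longer than the parent prefix")
    return list(net.subnets(new_prefix=new_prefix))


def classic_usable(net) -> int:
    """Textbook count: 2^N minus the network and broadcast addresses."""
    return net.num_addresses - 2


def aws_usable(net) -> int:
    """What you can actually assign to instances in a VPC subnet: 2^N minus five."""
    return net.num_addresses - 5


def aws_reserved(cidr: str) -> dict:
    """Map each reserved address in the subnet to the reason it is reserved."""
    net = ipaddress.ip_network(cidr, strict=True)
    base = int(net.network_address)
    reserved = {str(ipaddress.ip_address(base + off)): why
                for off, why in AWS_RESERVED_OFFSETS.items()}
    reserved[str(net.broadcast_address)] = "broadcast (not supported in a VPC, still reserved)"
    return reserved


def describe(cidr: str, new_prefix: int) -> list:
    """One row per subnet: the numbers the notes derive by hand, plus the AWS count."""
    rows = []
    for n in split_network(cidr, new_prefix):
        hosts = list(n.hosts())  # excludes network and broadcast addresses
        rows.append({
            "network": str(n),
            "first_usable": str(hosts[0]),
            "last_usable": str(hosts[-1]),
            "broadcast": str(n.broadcast_address),
            "classic_hosts": classic_usable(n),
            "aws_hosts": aws_usable(n),
        })
    return rows


def check_vpc_plan(vpc_cidr: str, subnet_cidrs) -> list:
    """Subnets must lie inside the VPC CIDR and must not overlap one another.
    Returns a list of problems; an empty list means the plan is valid."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = [f"{n} is outside {vpc}" for n in nets if not n.subnet_of(vpc)]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    for row in describe("192.168.10.0/24", 26):
        print(row)
    print(aws_reserved("10.0.0.0/24"))
    # constructed plan with a deliberate overlap (10.0.0.128/25 sits inside 10.0.0.0/24)
    print(check_vpc_plan("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24", "10.0.0.128/25"]))
```

Run check_vpc_plan before creating anything: the console rejects an overlapping or out-of-range subnet anyway, but catching it in a plan review is cheaper than discovering it halfway through a build.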

Flow to create VPC-

  1. VPC

  2. IGW

  3. Subnet

  4. Route table

Steps to create VPC-

  1. Create a VPC with the given CIDR.

  2. Create an IGW and attach it to the VPC.

  3. Create public & private subnets.

  4. Create public & private route tables.

  5. Add a 0.0.0.0/0 route to the IGW in the public route table.

  6. Associate the public route table with the public subnet and the private route table with the private subnet.

  7. Launch EC2 instances in the public and private subnets.

  8. Log in and verify internet connectivity.

Naming convention used in the demo: service-based company (Infosys) -> client bank (USBANK) -> WLTH (business unit) -> PCT (Platform Cloud Team)

Business demo for Product Base:

  1. Create a VPC with a CIDR value - USBANK-WLTH-PCT-VPC (10.0.0.0/16)

  2. Create an IGW and attach it to the VPC - USBANK-WLTH-PCT-IGW

  3. Create subnets with CIDR values - USBANK-WLTH-PCT-SUBNET-PRIVATE-1 (10.0.1.0/24),
    USBANK-WLTH-PCT-SUBNET-PUBLIC-1 (10.0.0.0/24)

  4. Create route tables - USBANK-WLTH-PCT-PRIVATE-ROUTE, USBANK-WLTH-PCT-PUBLIC-ROUTE

  5. Configure the route tables (0.0.0.0/0 -> IGW in the public one) and associate each with its subnet

  6. Launch an EC2 machine in each subnet - USBANK-WLTH-PCT-PRIVATE-LINUX-1,
    USBANK-WLTH-PCT-PUBLIC-LINUX-1

  7. Log in to the public EC2 instance and verify internet connectivity - Verified

  8. Log in to the private EC2 instance and verify internet connectivity - Verified - No
    internet connectivity

The public instance is reachable on its public IP, but the private instance has no public IP and no route to the IGW, so it can neither be reached from the internet nor reach it. For outbound access it needs a NAT gateway route in the private route table; to log in to it, go through the public instance (used as a bastion/jump host).

To reach the private instance from the public instance

  1. SSH to the public EC2 instance.

  2. From there, SSH to the private EC2 instance on its private IP.

  3. Use the .pem key pair the private instance was launched with (or create a new key pair when launching it).

  4. Copy the key from the downloads folder where you kept it.

  5. Paste it into a new file on the public instance.

  6. Restrict its permissions: chmod 400 filename

  7. Try to ssh: ssh -i filename <user>@<private IP> (the user is ec2-user on Amazon Linux)

Caveat: copying a private key onto the bastion is acceptable for a lab, but in practice use SSH agent forwarding (ssh -A) or ProxyJump (ssh -J) so the key never leaves your workstation. The private instance's security group must also allow port 22 from the public instance's security group or subnet.

Now you can reach the private instance through the public one.

  9. Create a NAT gateway and add it to the private route table - USBANK-WLTH-PCT-NAT - Verified - Yes, internet connectivity from the private instance

  • Follow the steps below to create a VPC and get internet access from the private subnet using a NAT gateway

  1. VPC - Create VPC - VPC only - name - CIDR (10.0.0.0/16) - Create

  2. Internet gateway - Create internet gateway - name - Create internet gateway

  3. Attach to VPC - select the VPC - Attach internet gateway

  4. Create the private subnet: Subnets - Create subnet - select VPC - name - CIDR (10.0.1.0/24) - Create

  5. Create the public subnet: Subnets - Create subnet - select VPC - name - CIDR (10.0.0.0/24) - Create

  6. Create the private route table: Route tables - Create route table - name - select VPC - Create route table

  7. Associate it: select the private route table - Edit subnet associations - select the private subnet - Save

  8. Create the public route table: name - select VPC - Create route table

  9. Edit routes - add 0.0.0.0/0 -> internet gateway - Save

  10. Associate the public route table with the public subnet

  11. Two route tables now exist: public (local + 0.0.0.0/0 -> IGW) and private (local only)

  12. Launch two EC2 instances: Private EC2 -> Edit network settings - select the private subnet, no public IP; Public EC2 -> Edit network settings - select the public subnet, auto-assign public IP

  13. Create a NAT gateway so the private subnet can reach the internet: NAT gateways - Create NAT gateway - name - public subnet ID - Connectivity type Public

  14. Allocate Elastic IP - one is allocated automatically

  15. Add the NAT gateway to the private route table: Edit routes - 0.0.0.0/0 -> NAT gateway - Save

Now connect to the private EC2 instance (via the public one) and verify that it has internet access

  • Deletion flow
  1. Terminate the EC2 instances

  2. Private route table - delete the NAT gateway entry

  3. Delete the NAT gateway (wait until it reaches the deleted state)

  4. Delete the VPC (deleting it from the console also removes its subnets and route tables and detaches and deletes the IGW)

  5. Release the Elastic IP (an unattached EIP keeps being billed until released)

Q. Can you connect two different EC2 on different VPCs?

Ans: Yes. If both have a public IP in a public subnet they can talk over the internet (through the IGWs, subject to their security groups).

If you want them to communicate on private IPs you need VPC peering (the two VPC CIDRs must not overlap).

  • VPC Tenancy

1. Default Tenancy

  • Shared hardware resources

  • No additional cost

  • Limited control over hardware resources.

  • Suitable for most workloads

  • It is mostly used

2. Dedicated Tenancy-

  • Instances run on hardware dedicated to your account (not shared with other customers)

  • Additional cost applies

  • Useful where licensing or compliance rules forbid shared hosts

  • Suitable for workloads with strict security, compliance or performance requirements

Q. Difference between Security group and NACL?

  1. Inbound traffic from the internet is checked first by the NACL (at the subnet boundary) and then by the security group (at the instance's network interface)

  2. A NACL is attached to subnets

  3. A security group is attached to the network interface of an EC2 instance

  4. One security group can be attached to one instance or to many instances, and one instance can have several security groups

  5. Both decide which ports and sources/destinations are allowed; only a NACL can explicitly deny

Inbound & Outbound in security group

Inbound → traffic entering the EC2 machine from the internet (or from other hosts)

Only the traffic you explicitly allow is admitted; there is no deny rule, everything not listed is dropped

VPC - Security groups - select any group to see its rules

Outbound → traffic leaving the EC2 machine to the internet

By default the outbound rule is "all traffic" to 0.0.0.0/0; it can be restricted

Inbound & Outbound in Network ACL

In a NACL you can write both allow and deny rules, which is not available in a security group (allow only)

A newly created custom NACL denies all inbound and outbound traffic (only the final * deny rule exists) until you add allow rules; the default NACL of a VPC allows everything. A security group by default denies all inbound and allows all outbound

Q. What if same port is allowed and denied at same time?

Ans: AWS evaluates NACL rules in ascending rule number and applies the first rule that matches; a later rule for the same traffic is never reached.

So if the allow rule has the lower number (e.g. 100 allow, 200 deny) the traffic is allowed; if the deny rule has the lower number it is denied

Q. You have allowed port 80 in NACL but not in security group, traffic will come at EC2?

Ans: No, the traffic passes the NACL at the subnet level but is dropped by the security group before it reaches the EC2 instance

Q. You have allowed port 80 in security group but not in NACL, traffic will come at EC2?

Ans: No, the NACL drops it at the subnet level, so it never reaches the security group

Q. You have open port 80 in both security group and NACL, traffic will go to internet?

Ans: The security group lets it out, but a custom NACL blocks it because its outbound rules deny everything until you add some

First you need to allow outbound traffic in the NACL (for an instance-initiated connection: the destination port outbound, and the replies on ephemeral ports 1024-65535 inbound)

Q. What is stateful and stateless? Which group is stateful and stateless?

Ans: Stateful simply means it remembers connections: when a request is allowed in, the reply is allowed out automatically (and vice versa), regardless of the rules in the other direction

Stateless means it does not remember connections: every packet is checked against the rules for its own direction

A security group is stateful: if inbound port 80 is allowed, the HTTP response leaves even if no outbound rule matches it

A NACL is stateless: the reply to an allowed inbound request is still dropped unless an outbound rule allows it (typically 1024-65535 to 0.0.0.0/0 for the ephemeral ports), and the same applies to replies to outbound connections

Hence the security group is stateful and the NACL is stateless
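The questions above (lowest rule number wins, NACL then security group on the way in, stateful security group versus stateless NACL) as a small simulation. This is an added example, not code from the notes; the rule sets, the client address 203.0.113.10 and the ephemeral port 50000 are constructed sample input, and the model ignores protocol and ICMP to keep the focus on rule ordering and state.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number (evaluation order); unused for security groups
    action: str      # "allow" or "deny" (security groups only ever have "allow")
    port_from: int
    port_to: int
    cidr: str


def matches(rule: Rule, port: int, ip: str) -> bool:
    return (rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))


def nacl_decision(rules, port: int, ip: str) -> str:
    """NACL: rules are evaluated in ascending number and the first match is applied;
    later rules for the same traffic are never reached. No match -> the final '*' deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if matches(r, port, ip):
            return r.action
    return "deny"


def sg_decision(rules, port: int, ip: str) -> str:
    """Security group: allow rules only; anything not allowed is dropped."""
    return "allow" if any(matches(r, port, ip) for r in rules) else "deny"


def http_round_trip(nacl_in, nacl_out, sg_in, client_ip: str, client_port: int) -> dict:
    """Trace a client -> instance:80 request and its reply. Inbound order is NACL then SG.
    SG is stateful: the reply is allowed because the request was. NACL is stateless:
    the reply must independently match an outbound rule on the client's ephemeral port."""
    steps = {"request_nacl": nacl_decision(nacl_in, 80, client_ip)}
    steps["request_sg"] = (sg_decision(sg_in, 80, client_ip)
                           if steps["request_nacl"] == "allow" else "not reached")
    request_ok = steps["request_sg"] == "allow"
    steps["reply_sg"] = "allow (stateful)" if request_ok else "not reached"
    steps["reply_nacl"] = (nacl_decision(nacl_out, client_port, client_ip)
                           if request_ok else "not reached")
    steps["delivered"] = request_ok and steps["reply_nacl"] == "allow"
    return steps


# Constructed sample rule sets (not from the notes): a custom NACL and a security group.
ANY = "0.0.0.0/0"
SG_HTTP = [Rule(0, "allow", 80, 80, ANY)]
NACL_IN_HTTP = [Rule(100, "allow", 80, 80, ANY)]
NACL_OUT_EMPTY = []                                    # custom NACL before any rule is added
NACL_OUT_EPHEMERAL = [Rule(100, "allow", 1024, 65535, ANY)]

if __name__ == "__main__":
    print(http_round_trip(NACL_IN_HTTP, NACL_OUT_EMPTY, SG_HTTP, "203.0.113.10", 50000))
    print(http_round_trip(NACL_IN_HTTP, NACL_OUT_EPHEMERAL, SG_HTTP, "203.0.113.10", 50000))
    # same port allowed and denied at once: the lower rule number wins
    print(nacl_decision([Rule(100, "allow", 80, 80, ANY), Rule(200, "deny", 80, 80, ANY)],
                        80, "203.0.113.10"))
```

The first trace is the classic mistake: port 80 is open in both the NACL and the security group, the request arrives, yet the client never sees a response because the custom NACL has no outbound rule for the ephemeral port range. The second trace adds that rule and the round trip completes.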

  • VPC Peering -

    To get connectivity over private IPs between two VPCs (same or different region, same or different account). The two VPC CIDRs must not overlap, and peering is not transitive (A-B plus B-C does not give A-C).

Follow the steps below to create VPC peering

  1. Create 2 VPCs with non-overlapping CIDRs: VPC A and VPC B.

  2. Create two IGWs, A and B, and attach them to the VPCs.

  3. Create subnets in both VPCs.

  4. Configure the route tables with IGW connectivity and associate the subnets.

  5. Launch EC2 machines in both VPCs with public IPs.

  6. Create the VPC peering connection (requester VPC A, accepter VPC B), accept it, and add a route in each VPC's route table that points the other VPC's CIDR at the peering connection (pcx-...). Also allow the peer VPC's CIDR in the security groups.

Test the connection over private IP.

Now connect to EC2 instance A and from there ping or ssh to B's private IP.

  • Deletion flow
  1. Terminate both EC2 instances

  2. Remove the peering entries from both route tables

  3. Delete the VPC peering connection

  4. Delete both VPCs