Amazon Virtual Private Cloud (VPC)
What is VPC
Amazon Virtual Private Cloud (VPC) is a service that allows you to create a dedicated, private section within the AWS Cloud where you can launch AWS resources within a virtual network defined by you. Amazon VPC provides control over your virtual networking environment, including the selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. This virtual network resembles a traditional network you'd operate in your own data center, with the benefits of using AWS's scalable infrastructure.
Components of VPC
The main components of an Amazon VPC are:
Subnets: A subnet is a range of IP addresses within your VPC. You can launch AWS resources into a subnet that you select.
Route Tables: These control the traffic flow between subnets and AWS services.
Internet Gateways: This is a gateway you attach to your VPC to enable communication between resources in your VPC and the internet.
NAT Gateways: NAT gateways enable instances in a private subnet to connect to the Internet or other AWS services but prevent the Internet from initiating a connection with those instances.
Security Groups and Network ACLs: Virtual firewalls that control inbound and outbound traffic; security groups apply at the instance level and network ACLs at the subnet level.
VPC Peering: This networking connection between two VPCs enables you to route traffic between them using private IPv4 or IPv6 addresses.
Subnets and Difference Between Public and Private Subnets
In a VPC, a subnet is a range of IP addresses. You can launch AWS resources such as EC2 or RDS instances into a subnet of your choosing. Subnets can be public or private, depending on whether they have direct access to the internet.
Public Subnets are associated with a route table that directs traffic to the VPC's internet gateway. If a subnet's traffic is routed to the internet gateway, the subnet is known as a public subnet.
Private Subnets are associated with a route table that does not direct traffic to the internet gateway. Instances in a private subnet cannot directly access the internet. They can access the internet via a Network Address Translation (NAT) gateway that resides in the public subnet.
CIDR Blocks
CIDR stands for Classless Inter-Domain Routing. A CIDR block is a notation used to identify a network's range of IP addresses. In AWS, when you create a VPC, you specify a range of IPv4 addresses for the VPC in the form of a CIDR block (e.g., 10.0.0.0/16). This is the primary CIDR block for your VPC.
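As an added example (not from the original page), the following Python script uses the standard ipaddress module to carve a VPC CIDR block such as 10.0.0.0/16 into subnets and to check a subnet plan before it is created: every subnet must sit inside the VPC block, subnets must not overlap, and sizes must respect the /16 to /28 range AWS accepts. The five-address reservation per subnet is AWS's documented rule; the CIDR values are constructed for the demonstration.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet
# (network address, VPC router, DNS, reserved for future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5
# AWS accepts IPv4 VPC and subnet CIDR blocks between /16 and /28 inclusive.
AWS_MIN_PREFIX = 16
AWS_MAX_PREFIX = 28


def carve_subnets(vpc_cidr, new_prefix, count):
    """Return the first `count` subnets of length /new_prefix carved from the VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if new_prefix < vpc.prefixlen or new_prefix > AWS_MAX_PREFIX:
        raise ValueError(f"/{new_prefix} is not a valid subnet size inside {vpc}")
    subnets = []
    for net in vpc.subnets(new_prefix=new_prefix):
        if len(subnets) == count:
            break
        subnets.append(net)
    if len(subnets) < count:
        raise ValueError(f"{vpc} cannot hold {count} /{new_prefix} subnets")
    return subnets


def usable_hosts(subnet_cidr):
    """Addresses an instance can actually be assigned in this subnet."""
    net = ipaddress.ip_network(subnet_cidr)
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def validate_plan(vpc_cidr, subnet_cidrs):
    """Return human-readable problems with a subnet plan; an empty list means it is sound."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    if not AWS_MIN_PREFIX <= vpc.prefixlen <= AWS_MAX_PREFIX:
        problems.append(f"VPC block {vpc} must be between /{AWS_MIN_PREFIX} and /{AWS_MAX_PREFIX}")
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    for net in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{net} is not inside {vpc}")
        elif net.prefixlen > AWS_MAX_PREFIX:
            problems.append(f"{net} is smaller than the /{AWS_MAX_PREFIX} minimum subnet size")
    # Overlapping subnets cannot coexist in one VPC; check every pair.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # Constructed plan: a /16 VPC with two /24 subnets, one per tier.
    for net in carve_subnets("10.0.0.0/16", 24, 2):
        print(f"{net}: {usable_hosts(str(net))} usable addresses")
    for problem in validate_plan("10.0.0.0/16", ["10.0.0.0/24", "10.0.0.128/25", "192.168.0.0/24"]):
        print("problem:", problem)
```

Run it once when designing a VPC: overlapping or out-of-range blocks are rejected by the API anyway, but catching them here avoids half-built networks, and the usable-host count prevents the common surprise of a /28 holding only 11 instances.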
Security Groups
A security group acts as a virtual firewall to control inbound and outbound traffic for your instance. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
To configure a security group, you add rules that control the inbound traffic to instances and outbound rules that control the outbound traffic.
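To make the allow-list and stateful behaviour concrete, here is an added Python model of security group evaluation (example code, not the page's or AWS's own implementation). Rules carry a protocol, port range and a source that is either a CIDR block or another group's id; the "tracked" set stands in for the connection tracking AWS performs so that replies to outbound requests pass without an inbound rule. The group ids and addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One security group rule. AWS rules are allow-only; there is no deny rule."""
    protocol: str       # "tcp", "udp", "icmp", or "-1" meaning all traffic
    from_port: int      # start of the port range (ignored when protocol is "-1")
    to_port: int        # end of the port range, inclusive
    source: str         # CIDR block, or the id of another security group


@dataclass(frozen=True)
class Flow:
    """A new inbound connection attempt as the security group sees it."""
    protocol: str
    src_ip: str
    src_sg: Optional[str]   # group of the sender if it is an instance in the VPC
    dst_port: int


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True if a single rule permits the flow."""
    if rule.protocol != "-1":
        if rule.protocol != flow.protocol:
            return False
        if not rule.from_port <= flow.dst_port <= rule.to_port:
            return False
    if rule.source.startswith("sg-"):
        # A group-referenced rule matches on the sender's group, not on its address.
        return flow.src_sg == rule.source
    return ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(rule.source)


@dataclass
class SecurityGroup:
    group_id: str
    inbound: List[Rule] = field(default_factory=list)
    # Outbound flows the instance initiated, as (protocol, peer ip, peer port).
    # Real security groups keep this connection-tracking state for you.
    tracked: Set[Tuple[str, str, int]] = field(default_factory=set)

    def allows_inbound(self, flow: Flow) -> bool:
        """Any matching inbound rule allows the flow; no match means it is dropped."""
        return any(rule_matches(r, flow) for r in self.inbound)

    def record_outbound(self, protocol: str, peer_ip: str, peer_port: int) -> None:
        """Remember a connection the instance opened so its replies can come back."""
        self.tracked.add((protocol, peer_ip, peer_port))

    def allows_return_traffic(self, protocol: str, peer_ip: str, peer_port: int) -> bool:
        """Stateful behaviour: replies to a tracked outbound flow pass with no inbound rule."""
        return (protocol, peer_ip, peer_port) in self.tracked


def wide_open_rules(sg: SecurityGroup) -> List[Rule]:
    """Inbound rules reachable from any address: the first thing to review in an audit."""
    return [r for r in sg.inbound if r.source in ("0.0.0.0/0", "::/0")]


def example_groups():
    """Constructed web and database groups matching the two-tier layout on this page."""
    web = SecurityGroup("sg-web", [Rule("tcp", 443, 443, "0.0.0.0/0")])
    db = SecurityGroup("sg-db", [Rule("tcp", 3306, 3306, "sg-web")])
    return web, db
```

The database group above never names an IP range: referencing the web tier's group id means only instances carrying that group can reach port 3306, and the rule keeps working when web instances are replaced and change address. wide_open_rules is the check to run across all groups, since a 0.0.0.0/0 source on anything other than the intended public port is the usual misconfiguration.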
Default VPC
Every AWS account has a default VPC with a /16 CIDR block (172.31.0.0/16). This allows you to deploy instances into this VPC immediately and have them connected to the internet right out of the box. The default VPC includes a main route table, a security group, a network access control list (ACL), and a DHCP options set.
A default VPC is suitable for starting quickly and running public, unprotected, non-production workloads. For more complex architectures or secure applications, creating a new VPC from scratch is usually best, allowing you to control every aspect of the environment's setup.
For example, suppose we have an application with a web server that needs to be accessible from the internet and a database server that should not be exposed to the internet. We can use a public subnet for the web server and a private subnet for the database server. In this scenario, the web server talks to the internet to serve web pages and talks to the database server over the private subnet.
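The public/private distinction described earlier is entirely a property of the route table a subnet is associated with, so it can be checked mechanically. The following added Python example (not part of the original page) classifies each subnet of the web/database layout above by walking route tables shaped like the JSON that `aws ec2 describe-route-tables` returns: a default route to an internet gateway makes a subnet public, a default route to a NAT gateway makes it private with outbound access, and no default route leaves it isolated. The route tables, subnet ids and gateway ids are constructed placeholders, and the fallback to the main route table for unassociated subnets follows AWS's documented behaviour.

```python
from typing import Dict, List

# Constructed sample data, shaped like `aws ec2 describe-route-tables` output,
# for the two-tier layout in the text. All ids are placeholders.
ROUTE_TABLES = [
    {   # main route table: subnets with no explicit association fall back to it
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
    {   # public route table: default route to the internet gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-web"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder", "State": "active"},
        ],
    },
    {   # private route table: default route to a NAT gateway in the public subnet
        "RouteTableId": "rtb-private",
        "Associations": [{"Main": False, "SubnetId": "subnet-db"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder", "State": "active"},
        ],
    },
]
SUBNET_IDS = ["subnet-web", "subnet-db", "subnet-isolated"]


def route_table_for(subnet_id: str, route_tables: List[dict]) -> dict:
    """Explicitly associated table if there is one, otherwise the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError("VPC has no main route table")
    return main


def classify_subnet(subnet_id: str, route_tables: List[dict]) -> str:
    """'public', 'private-nat' or 'isolated', decided by the active default route."""
    rt = route_table_for(subnet_id, route_tables)
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId"):
            return "private-nat"
    return "isolated"


def classify_all(subnet_ids: List[str], route_tables: List[dict]) -> Dict[str, str]:
    return {s: classify_subnet(s, route_tables) for s in subnet_ids}


def exposure_violations(must_be_private: List[str], classification: Dict[str, str]) -> List[str]:
    """Subnets that were meant to stay private but carry a route to the internet gateway."""
    return [s for s in must_be_private if classification.get(s) == "public"]


if __name__ == "__main__":
    result = classify_all(SUBNET_IDS, ROUTE_TABLES)
    for subnet, kind in result.items():
        print(f"{subnet}: {kind}")
    print("violations:", exposure_violations(["subnet-db"], result))
```

A public route table is necessary but not sufficient for an instance to be reachable from the internet: it also needs a public or Elastic IP, and a security group rule must permit the traffic. The check above covers the routing half, which is the one most easily broken by a later change to the main route table, since every subnet without an explicit association inherits it.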