Concepts
A subnet is a range of IP addresses in your VPC. When creating a VPC, you can partition it into multiple subnets, which can be either public or private.
- Public Subnets have routes to the Internet through an Internet Gateway, allowing resources like Amazon EC2 instances to directly access the Internet.
- Private Subnets do not have a route to the Internet and are used for resources that shouldn’t be directly accessible from the outside.
For example, you might have the following subnet configuration:
| Subnet Type | CIDR Block | Description |
|---|---|---|
| Public | 10.0.1.0/24 | For web servers that need Internet access |
| Private | 10.0.2.0/24 | For back-end servers like databases |
Internet Gateways (IGW)
An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the Internet. It serves two purposes:
- To provide a target in your VPC route tables for Internet-routable traffic.
- To perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.
An IGW is essential for any subnet that requires direct access to the Internet.
Route Tables
Route tables contain a set of rules, known as routes, that determine where network traffic from your subnet or gateway is directed. Every subnet in a VPC must be associated with a route table, which controls the routing for the subnet. A VPC automatically comes with a main route table, and you can create additional custom route tables.
A route table might have the following routes:
| Destination | Target | Explanation |
|---|---|---|
| 10.0.0.0/16 | local | All traffic within the VPC |
| 0.0.0.0/0 | igw-id | Default route via an Internet Gateway for public subnets |
Network Access Control Lists (NACLs)
NACLs are an optional layer of security for your VPC that act as a firewall controlling traffic in and out of one or more subnets. They provide a rule-based tool for controlling network traffic at the subnet level. NACLs are stateless: they do not track the state of network connections, and inbound and outbound rules are evaluated independently of each other.
Security Groups
Security Groups act as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Unlike NACLs, security groups are stateful: if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Similarly, outbound responses to allowed inbound traffic are also allowed, no matter the outbound rules.
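The following script is an added illustration of the NACL and security-group sections, not AWS code: it models a stateless NACL (numbered rules, first match wins, implicit deny) next to a stateful security group with a connection-tracking table, and walks one HTTPS request and its reply through both. The instance and API addresses, rule sets and packets are constructed sample values.

```python
"""Stateless NACL evaluation versus stateful security-group evaluation.

Added illustration for the NACL and security-group sections; it is not AWS
code.  The rule sets, addresses and packets below are constructed sample
values chosen to show why a stateless filter needs an explicit rule for
return traffic while a stateful one does not.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the instance / subnet
    proto: str      # "tcp", "udp", ...
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _matches(proto, cidr, ports, packet):
    """Shared rule test: protocol, peer address and destination port."""
    peer_ip = packet.src_ip if packet.direction == "in" else packet.dst_ip
    lo, hi = ports
    return (
        proto in ("all", packet.proto)
        and ip_address(peer_ip) in ip_network(cidr)
        and lo <= packet.dst_port <= hi
    )


def nacl_evaluate(rules, packet):
    """Stateless: rules are tried in ascending rule-number order, the first
    match decides, and the implicit '*' rule denies anything unmatched.
    No connection state is kept, so the reply to an allowed outbound request
    is judged purely on the inbound rules."""
    for _number, direction, proto, cidr, ports, action in sorted(rules, key=lambda r: r[0]):
        if direction == packet.direction and _matches(proto, cidr, ports, packet):
            return action == "allow"
    return False


class SecurityGroup:
    """Stateful: an allowed flow is recorded, and packets travelling in its
    reverse direction are allowed regardless of the rules for that direction."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound    # list of (proto, cidr, (lo, hi)) allow rules
        self.outbound = outbound
        self.flows = set()        # connection-tracking table

    def allows(self, packet):
        reply_of = (packet.proto, packet.dst_ip, packet.dst_port, packet.src_ip, packet.src_port)
        if reply_of in self.flows:
            return True  # response to a tracked flow
        rules = self.inbound if packet.direction == "in" else self.outbound
        if any(_matches(p, c, ports, packet) for p, c, ports in rules):
            self.flows.add((packet.proto, packet.src_ip, packet.src_port, packet.dst_ip, packet.dst_port))
            return True
        return False


# Constructed scenario: a private instance calls an external HTTPS API.
INSTANCE = "10.0.2.10"
API_HOST = "203.0.113.7"
REQUEST = Packet("out", "tcp", INSTANCE, 50123, API_HOST, 443)
REPLY = Packet("in", "tcp", API_HOST, 443, INSTANCE, 50123)

# (rule number, direction, proto, cidr, (low port, high port), action)
NACL_NO_EPHEMERAL = [
    (100, "out", "tcp", "0.0.0.0/0", (443, 443), "allow"),
    (100, "in", "tcp", "0.0.0.0/0", (443, 443), "allow"),
]
# Same NACL plus an inbound allow for the ephemeral port range the reply lands on.
NACL_WITH_EPHEMERAL = NACL_NO_EPHEMERAL + [
    (110, "in", "tcp", "0.0.0.0/0", (1024, 65535), "allow"),
]


def nacl_round_trip(rules):
    """Does the HTTPS request *and* its reply pass the given NACL?"""
    return nacl_evaluate(rules, REQUEST) and nacl_evaluate(rules, REPLY)


def sg_round_trip():
    """A security group with only an outbound 443 rule still passes the reply."""
    sg = SecurityGroup(inbound=[], outbound=[("tcp", "0.0.0.0/0", (443, 443))])
    return sg.allows(REQUEST) and sg.allows(REPLY)


def sg_unsolicited_inbound():
    """An inbound connection that is not a reply is denied when there are no inbound rules."""
    sg = SecurityGroup(inbound=[], outbound=[("tcp", "0.0.0.0/0", (443, 443))])
    probe = Packet("in", "tcp", "198.51.100.9", 40000, INSTANCE, 22)
    return sg.allows(probe)


if __name__ == "__main__":
    print("NACL without ephemeral inbound rule:", nacl_round_trip(NACL_NO_EPHEMERAL))   # False
    print("NACL with ephemeral inbound rule:   ", nacl_round_trip(NACL_WITH_EPHEMERAL))  # True
    print("Security group, outbound rule only: ", sg_round_trip())                        # True
    print("Security group, unsolicited inbound:", sg_unsolicited_inbound())               # False
```

The first NACL passes the outbound request but drops the reply, because the reply arrives on an ephemeral destination port that no inbound rule covers; adding rule 110 fixes that. The security group needs no inbound rule at all for the reply, because the outbound flow was recorded, yet it still rejects an unrelated inbound connection attempt.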
NAT Gateways and Instances
NAT Gateways provide a method for instances in a private subnet to connect to services outside your VPC (e.g., the Internet) without allowing incoming connections. A NAT instance is an EC2 instance configured to perform NAT. A NAT Gateway is a managed service provided by AWS, which provides greater availability, higher bandwidth, and requires less maintenance than a NAT instance.
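The script below is an added illustration of the subnet, route-table and NAT gateway sections above, not AWS code or the AWS API: it models the sample subnets and route tables from the tables earlier on the page, adds a third private subnet whose default route goes to a NAT gateway, resolves destinations with longest-prefix match the way the VPC router does, and derives whether each subnet is public. The VPC, subnet, gateway and address values are constructed samples.

```python
"""Model a VPC's subnets and route tables with longest-prefix-match lookup.

Added illustration for the subnet, route-table and NAT gateway sections;
it is not AWS code or the AWS API.  All VPC, subnet and gateway identifiers
below are constructed sample values, not real resources.
"""
from ipaddress import ip_address, ip_network

# Constructed sample layout: the two subnets from the table above plus a
# third private subnet whose default route goes to a NAT gateway.
VPC_CIDR = ip_network("10.0.0.0/16")

SUBNETS = {
    "public-web": ip_network("10.0.1.0/24"),
    "private-db": ip_network("10.0.2.0/24"),
    "private-app": ip_network("10.0.3.0/24"),
}

# Route tables: destination prefix -> target. "local" is the VPC's implicit route.
ROUTE_TABLES = {
    "rtb-public": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-EXAMPLE"},
    "rtb-private": {"10.0.0.0/16": "local"},
    "rtb-nat": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-EXAMPLE"},
}

# Every subnet is associated with exactly one route table.
SUBNET_ROUTE_TABLE = {
    "public-web": "rtb-public",
    "private-db": "rtb-private",
    "private-app": "rtb-nat",
}

INTERNET_HOST = "203.0.113.1"  # constructed external address (TEST-NET-3)


def lookup_route(route_table, dst):
    """Return the target for dst using longest-prefix match, as the VPC router does.

    The most specific matching prefix wins, so the 10.0.0.0/16 local route
    beats 0.0.0.0/0 for in-VPC destinations. Returns None when nothing matches,
    which means the packet is dropped.
    """
    dst = ip_address(dst)
    best_net, best_target = None, None
    for prefix, target in route_table.items():
        net = ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def route_table_for(subnet_name):
    return ROUTE_TABLES[SUBNET_ROUTE_TABLE[subnet_name]]


def is_public(subnet_name):
    """Public means the subnet's default route points at an Internet Gateway.

    A NAT gateway target gives outbound-only Internet access (no inbound path),
    so a subnet routed through NAT is still private.
    """
    target = lookup_route(route_table_for(subnet_name), INTERNET_HOST)
    return target is not None and target.startswith("igw-")


def has_outbound_internet(subnet_name):
    """True if Internet-bound traffic has any forwarding target (IGW or NAT)."""
    return lookup_route(route_table_for(subnet_name), INTERNET_HOST) is not None


def validate_layout():
    """Check that each subnet lies inside the VPC CIDR and that none overlap."""
    problems = []
    names = list(SUBNETS)
    for name in names:
        if not SUBNETS[name].subnet_of(VPC_CIDR):
            problems.append(f"{name} is outside {VPC_CIDR}")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if SUBNETS[a].overlaps(SUBNETS[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    for name in SUBNETS:
        kind = "public" if is_public(name) else "private"
        egress = "outbound Internet" if has_outbound_internet(name) else "no Internet"
        print(f"{name:12} {SUBNETS[name]}  {kind}, {egress}")
    print("layout problems:", validate_layout() or "none")
```

Running it shows the distinction the sections above draw: only the subnet whose default route targets an IGW is public, the NAT-routed subnet gets outbound Internet access but stays private, and the subnet with just the local route has no Internet path at all.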
VPC Endpoints
VPC Endpoints allow private connections between your VPC and supported AWS services without the need for an IGW, NAT device, VPN connection, or AWS Direct Connect connection. Endpoints are virtual devices that are horizontally scaled, redundant, and highly available. They allow communication between instances in your VPC and services without requiring the traffic to traverse the public internet.
VPC Peering
VPC Peering is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses. Instances in either VPC can communicate with each other as if they are within the same network. However, VPC peering connections do not support transitive routing.
Understanding these components and how they interact is critical for designing and operating a secure and efficient AWS environment. As a cloud practitioner, you’ll be expected to have familiarity with these concepts to make informed decisions about cloud architecture, networking, and security best practices on AWS.
Answer the Questions in the Comment Section
True or False: A Virtual Private Cloud (VPC) in AWS is a region-level resource.
- (A) True
- (B) False
B False
A VPC in AWS is actually considered a regional resource, as it can span multiple Availability Zones within that particular region.
What is the primary component of a VPC that defines IP address ranges?
- (A) Internet Gateway
- (B) Route Table
- (C) Subnet
- (D) Network Access Control List (NACL)
C Subnet
A subnet is a range of IP addresses in your VPC which can be used to group instances according to security and operational needs.
What does an Internet Gateway (IGW) in a VPC enable?
- (A) Intra-region communication
- (B) Inter-VPC communication
- (C) Internet connectivity
- (D) Private subnet connectivity
C Internet connectivity
An Internet Gateway allows resources within your VPC to communicate with the internet.
True or False: Route Tables in a VPC can be used to direct traffic from one subnet to another within the same VPC.
- (A) True
- (B) False
A True
Route Tables contain a set of rules, called routes, which determine where network traffic from your subnet or gateway is directed.
Which AWS resource allows a VPC to connect to on-premises networks?
- (A) Internet Gateway
- (B) Virtual Private Network (VPN) Connection
- (C) AWS Direct Connect
- (D) Both B and C
D Both B and C
AWS offers both VPN Connection and AWS Direct Connect to establish a secure, private connection between an AWS VPC and on-premises networks.
True or False: Each subnet in a VPC must be associated with a Network Access Control List (NACL).
- (A) True
- (B) False
A True
By default, each subnet in a VPC must be associated with a NACL, which acts as a firewall for controlling traffic in and out of the subnet.
What can you use to provide a private, static IP address for your instances within a VPC?
- (A) Route Table
- (B) Internet Gateway
- (C) Elastic IP Address
- (D) Subnet
C Elastic IP Address
An Elastic IP address is a static IPv4 address designed for dynamic cloud computing. You can use an Elastic IP address to provide a fixed IP address to your instance within a VPC.
True or False: A VPC Peering connection allows for instances in different VPCs to communicate with each other.
- (A) True
- (B) False
A True
VPC Peering allows two VPCs to communicate with each other as if they are within the same network.
Which component acts as a virtual router for traffic coming in and out of a VPC?
- (A) Route Table
- (B) Internet Gateway
- (C) AWS Direct Connect
- (D) Subnet
A Route Table
The route table acts as a virtual router within a VPC. It contains a set of rules that determine where the traffic coming from different sources is directed.
True or False: Security Groups in a VPC operate at the instance level and not the subnet level.
- (A) True
- (B) False
A True
Security Groups are associated with instances and provide stateful filtering of ingress/egress traffic at the instance level, not the subnet level.
What kind of Gateway is used to connect a VPC with another cloud service provider?
- (A) NAT Gateway
- (B) Transit Gateway
- (C) Internet Gateway
- (D) VPC Peering Connection
B Transit Gateway
A Transit Gateway is a service that enables you to connect your virtual private clouds (VPCs) and on-premises networks through a central hub. It simplifies the connectivity and can be used across cloud providers.
True or False: You can associate a Virtual Private Gateway to a VPC for S3 endpoint connectivity.
- (A) True
- (B) False
B False
A Virtual Private Gateway is used for VPN and AWS Direct Connect connections, not for S3 endpoint connectivity. For Amazon S3 and other AWS services, you can create a VPC endpoint that allows private connections between your VPC and the service.
Great post! Can someone explain the purpose of an Internet Gateway in a VPC?
Appreciate the blog post, very informative!
Can someone clarify the difference between a public and private subnet?
Thanks for the detailed explanation!
Very helpful article, thanks!
Geeky question: why do we need a NAT Gateway?
Appreciate the clear explanations, they’re really useful!
I’m a bit confused about route tables. Can someone elaborate on their role within a VPC?