Virtual Private Cloud (VPC) is one of the (essential) services from AWS that offers cloud users the ability to create isolated instances of virtual data centers. VPC offers complete control over the cloud networking for the instances created in the AWS cloud. It allows us to create multiple subnets for micro segmenting the virtual instances in different subnets and leverage the network ACL and Security Groups to control inter-subnet communication. It also offers internet connectivity to the instances created in the AWS cloud.
Any EC2 or other instances created in the AWS must be associated with a VPC to get network connectivity.
Each AWS region will be assigned with a unique VPC. In other words, VPC is local to the region. AWS assigns a default VPC for each region for each cloud user. The default VPC created by AWS is assigned with a CIDR of 172.31.0.0/16. This default VPC can be deleted on a per-region basis and the users are free to create their own instance of VPC for better control.
Below is a snapshot from the AWS console that highlights different options to create the default VPC and the custom VPC.
Using the "Create default VPC" option will create the default VPC for the respective region with a CIDR of 172.31.0.0/16 and auto-creates subnets for each availability zones (AZ) in the region by assigning a block of subnets from the CIDR. For example, Ohio is one of the regions with 3 AZ. When a default VPC is created in this region, there will be 3 subnets created with /20 block assigned from the CIDR as shown below:
Using the "Create VPC" option will create a custom VPC and the user must assign a CIDR value and create the subnets for relevant AZ manually.
Below is an example figure that shows a total of 3 VPCs in N. Virginia (US-East), Ohio (US-Central), and Mumbai (Asia-Pacific) regions. For clarity, we illustrated different CIDR while in reality, the default VPC will always have 172.31.0.0/16.
Each region will have more than one AZ and a subnet is assigned for each AZ. In the N. Virginia region, there are 6 AZs. Each AZ will have a unique subnet that is assigned from the region CIDR block. For example:
All AZs in N. Virginia region is assigned with subnets from 172.31.0.0/16
All AZs in Ohio region is assigned with subnets from 172.32.0.0/16
All AZs in Mumbai region is assigned with subnets from 172.33.0.0/16
Each default VPC will also come with its own dedicated Internet Gateway that connects all the subnets to the internet.
Each Subnet will have its own Route table with a minimum of 2 entries as below:
Local destination address.
The default route (0.0.0.0/0) pointing to the VPC's Internet Gateway
Below is a snapshot of one of the subnets from the Ohio region where it could be noted that the Route table is populated with 2 entries as explained earlier.
The Network ACL for the default VPC will have rules for both inbound and outbound traffic. By default, it allows all traffic both inbound and outbound direction which as the readers could imagine is a serious security threat and not a recommended design. Below is a snapshot of the Network ACL from the Ohio region.
When an EC2 instance is created in one of the AZ, the IP address from the respective subnet is assigned to the instance and the Route table with a default route pointing to Internet GW will offer full connectivity to the EC2 instance.
Reference
Great writing.. to the point
ReplyDelete