Virtual Private Cloud (VPC) is one of the (essential) services from AWS that offers cloud users the ability to create isolated instances of virtual data centers. Any EC2 instances created in the AWS will require to be part of a VPC for internal and external connectivity. AWS VPC can be customized by segmenting the VPC into multiple subnets based on the business requirement and leverage the route-table and different gateways to control the communications from/to each subnet.
VPC with Internet and NAT Gateway
Let us discuss the concept further with an example shown below:
In the above example, we created two different types of VPC for different customers catering different business requirements. For example, NyaCorp requires the below:
- REQ1 --> Any workloads in public-subnet can communicate with all other workloads in the VPC and also can be reached from the Internet.
- REQ2 Any workloads in private1 subnet can communicate only with other workloads in the VPC but not with Internet.
- REQ3 Any workload in provate2 subnet can communicate with other workloads in the VPC and can trigger outbound session to the Internet but not inbound.
Accordingly, A new VPC named Nyacorp-vpc is created with a CIDR block of 172.16.0.0/16 assigned and an Internet gateway named Nyacorp-igw. As part of this new VPC, 3 subnets were created in 1 availability zones (us-east-1a) from us-east region.
- The subnet to cater REQ1 named as Nyacorp-subnet-public1-us-east-1a is created in us-east-1a availability zone.
- The subnet to cater REQ2 named as Nyacorp-subnet-private1-us-east-1a is created in us-east-1a availability zone
- The subnet to cater REQ3 named as Nyacorp-subnet-private2-us-east-1a is created in us-east-1a availability zone.
Each such created subnet will have its own dedicated route table with a list of routes to steer the traffic accordingly.
- Nyacorp-subnet-public1-us-east-1a is created as a public subnet and so the route-table will have the CIDR entry 172.16.0.0/16 with target as local and a default route with a target as the internet gateway.
- Nyacorp-subnet-private1-us-east-1a is created as a private subnet and so the route table will only have a CIDR entry 172.16.0.0/16 with target as local.
- Nyacorp-subnet-private2-us-east-1a is also created as a private subnet and so the route table will only have a CIDR entry 172.16.0.0/16 with target as local.
It could be noted that both Nyacorp-subnet-private1-us-east-1a and Nyacorp-subnet-private2-us-east-1a don’t have any connectivity to the Internet gateway. While this is expected for Nyacorp-subnet-private1-us-east-1a, we need an outbound triggered internet connection from Nyacorp-subnet-private2-us-east-1a.
To address the need of Nyacorp-subnet-private2-us-east-1a, we create a NAT gateway named Nyacorp-nat-gw with a connection to the internet gateway and associate the NAT gateway to Nyacorp-subnet-private2-us-east-1a. Now, the route table of Nyacorp-subnet-private2-us-east-1a is populated with a default entry towards the NAT gateway.
The resource map of the above scenarios is represented below:
It could be noted that each subnet have its own route table where the one associated to public subnet is connected to Internet gateway, the other route table associated to private2 is connected to the NAT gateway and the 3rd route table associated to private1 doesn’t have connectivity to both Internet gateway or the NAT gateway.
VPC with VPN Gateway
Let’s now take another customer RaasaCorp who would like to have all the VPC traffic (including internet) to be steered towards the corporate Datacenter.
In this case, a VPC is created with no Internet gateway or NAT gateway. Instead, a VPN gateway is created and associated to the VPC. This VPN gateway is used to establish secure VPN tunnel to the corporate datacenter.
A default route is created in the route table towards the VPN gateway to steer all the traffic towards the datacenter over the secure VPN tunnel.
No comments:
Post a Comment