Developing on AWS: Network Part 1

SekFook
3 min read · May 2, 2022

A common practice when deploying applications into AWS is to first set up a VPC in your AWS console. A VPC, or Amazon Virtual Private Cloud, is similar to the network you operate on-premise but comes with the scalability of the AWS infrastructure.

VPC is a region-specific service, so you have to specify your VPC region in the AWS console and configure it by defining its IP address range (CIDR), either IPv4 or IPv6.

To build your own Amazon VPC infrastructure, you should at least be familiar with the following concepts.

  1. Subnet
  2. Route table
  3. Internet Gateway/ NAT Gateway

Subnet

A subnet is a range of IP addresses in your VPC; the CIDR block of the subnet must be a subset of the VPC CIDR block. You can launch AWS resources into a specific subnet, e.g. EC2, EMR and so on.

Usually, you would like to configure your subnet into either a public or private subnet.

  1. A public subnet has a route towards an Internet Gateway and can be reached from the public internet.
  2. A private subnet has no route towards an Internet Gateway and cannot be reached from the public internet. It has connectivity through a NAT Gateway for outgoing requests and their responses.

A common strategy is to put your application in the public subnet so that the public can reach it, but host your database in the private subnet so that nothing can reach it except your own application.

In addition, each subnet has a Network Access Control List (NACL), a virtual firewall at the subnet level. A NACL is stateless and allows all inbound and outbound traffic by default; we can use a NACL to block traffic from an IP address or a range of IPs.

Route table

A route table comes with the VPC by default, and you may also define your own route table for any subnet. A route table contains the rules that define how traffic flows from the subnet to its destinations and gateways.

A route consists of a destination and a target.

  • Destination — The range of IP addresses where you want traffic to go.
  • Target — The gateway, network interface, or connection through which to send the destination traffic.

E.g.

| Destination | Target      |
|:------------|------------:|
| 0.0.0.0/0 | igw-id |

To create a public subnet, we define a route table with destination 0.0.0.0/0 (all IPv4 addresses) and your internet gateway as the target. By doing so, traffic to any IPv4 address outside the VPC is directed to the internet gateway.

Internet Gateway

An Internet Gateway is a component that allows traffic to flow between the VPC and the internet. One IG can only be associated with one VPC.

An IG also acts as a NAT. Thus, instances in the VPC that receive traffic through it should also have a public address. When traffic comes into the instance, it uses the public address as the destination, and the internet gateway translates that address into the instance's private IP address.

NAT Gateway

You can use a NAT gateway so that instances in a private subnet can connect to services outside your VPC, while external services cannot initiate a connection with those instances. The NAT gateway uses its own IP address when forwarding requests; when the response traffic comes back to the instances, the NAT device translates the address back to the original source IP address.
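As an added example (not code from the original post), here is a small Python model of the three concepts above: subnet CIDRs are checked against the VPC CIDR, a destination IP is resolved against a route table by longest-prefix match, and each subnet is classified as public or private according to whether its default route targets an internet gateway. The subnet names, the `igw-example` and `nat-example` identifiers and the 10.0.0.0/16 layout are constructed sample values.

```python
import ipaddress

# Added example, not from the original post: the 'igw-example' / 'nat-example'
# identifiers and the 10.0.0.0/16 layout below are constructed sample values.
VPC_CIDR = "10.0.0.0/16"

SUBNETS = {
    "subnet-public-a": "10.0.1.0/24",
    "subnet-private-a": "10.0.101.0/24",
}

# Route tables as (destination, target) pairs; every table also carries the
# implicit 'local' route for the VPC CIDR, as AWS does.
ROUTE_TABLES = {
    "subnet-public-a": [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-example")],
    "subnet-private-a": [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-example")],
}


def subnet_in_vpc(subnet_cidr, vpc_cidr=VPC_CIDR):
    """A subnet's CIDR block must be a subset of the VPC CIDR block."""
    return ipaddress.ip_network(subnet_cidr).subnet_of(ipaddress.ip_network(vpc_cidr))


def resolve_route(routes, dest_ip):
    """Pick the target for dest_ip by longest-prefix match, as AWS route tables do."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public_subnet(routes):
    """Public subnet: its default route (0.0.0.0/0) points at an internet gateway."""
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-") for cidr, target in routes)


def audit(subnets=SUBNETS, route_tables=ROUTE_TABLES, vpc_cidr=VPC_CIDR):
    """Classify each subnet as public/private and flag CIDRs outside the VPC."""
    return {
        name: {"in_vpc": subnet_in_vpc(cidr, vpc_cidr),
               "public": is_public_subnet(route_tables.get(name, []))}
        for name, cidr in subnets.items()
    }
```

On the sample layout, `audit()` reports `subnet-public-a` as public and `subnet-private-a` as private, and `resolve_route` sends 10.0.1.10 to `local` but an external address to the NAT or internet gateway.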

SekFook

Software engineer at Xendit. Love data, machine learning, distributed systems and writing clean code. I got too many articles in my reading list.