What is Amazon VPC and its components — Part -1 !!

Sanjeeb Mohapatra
Sep 28, 2022

Amazon VPC (Virtual Private Cloud) is the service that creates a virtual network in which users can define AWS resources. It is the same idea as a traditional on-premises network. The big advantage of a VPC is that it can be created quickly and resources can be deployed into it in minutes.

The main components of a VPC are:

CIDR (Classless Inter-Domain Routing): When you define a VPC, you need to define an IP range (a private IP range) so that you can isolate your network within AWS. Users can define the CIDR block in AWS from one of the ranges below.

10.0.0.0 - 10.255.255.255 (10/8 prefix)

172.16.0.0 - 172.31.255.255 (172.16/12 prefix)

192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

Subnets: Within a VPC, users can divide the address space into multiple subnets so that resources can be placed in either public or private subnets. A subnet must reside in a single Availability Zone. Each subnet has its own IP range (a CIDR block carved out of the VPC's block), and subnet ranges must NOT overlap each other. If a subnet is meant to be public, the user needs to assign a public IP address to the resources in it or enable auto-assignment at the subnet level. Do not worry, we will create the VPC and see these options.

Route tables: A route table contains a set of rules, called routes, that determine how network traffic flows out of your subnet.

1. When a VPC is created, a route table is attached at the VPC level by default; this is called the main route table. By default, a local route is present in the main route table so that traffic can flow within the VPC without any additional effort.

2. Users can define a custom route table at the subnet level. As a best practice, if resources are public facing, define a custom route table and put your public (internet-bound) route in that subnet-level route table. The local route is also present by default in a custom route table.

Security Groups: Security groups are virtual firewalls at the instance or service level (for example, an EC2 instance) that control incoming and outgoing traffic.

1. Security groups are stateful, which means that when an inbound rule is defined, there is no need to define an outbound rule for the return traffic.

2. By default, all outbound traffic is allowed in a security group.

3. There is NO deny rule in a security group; users can only attach allow rules.

4. A maximum of 5 security groups can be attached to a single EC2 instance, and in each security group a user can define a maximum of 100 (inbound/outbound) rules.

5. Security group changes take effect immediately.

Network ACL (NACL): A Network ACL (NACL) is attached at the subnet level and is considered the second layer of network security.

1. A NACL is stateless, which means both inbound and outbound rules need to be explicitly defined.

2. The rules in a NACL are evaluated in order of rule number, which means the lowest-numbered rule is evaluated first.

3. The default NACL allows both inbound and outbound traffic.
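The stateful versus stateless difference from the security group and NACL sections above, as an added Python example that is not part of the original post: a small evaluator that applies security group rules (allow-only, any match permits) and NACL rules (numbered, lowest first, first match decides, implicit deny afterwards) to one inbound connection and its reply. The rule sets and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int   # NACL evaluation order, lowest first; not used by security groups
    action: str   # "allow" or "deny"; a security group only ever carries "allow"
    proto: str    # "tcp", "udp" or "-1" for all protocols
    port_lo: int
    port_hi: int
    cidr: str


def _matches(rule, proto, port, ip):
    if rule.proto not in ("-1", proto):
        return False
    if not rule.port_lo <= port <= rule.port_hi:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)


def nacl_allows(rules, proto, port, ip):
    """NACL: rules are tried in ascending rule number and the first match decides;
    if nothing matches, the implicit '*' rule denies. Stateless, so the caller
    must check each direction of a connection separately."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, port, ip):
            return rule.action == "allow"
    return False


def sg_allows(rules, proto, port, ip):
    """Security group: only allow rules exist, order is irrelevant, any match permits."""
    return any(_matches(r, proto, port, ip) for r in rules)


def connection_permitted(sg_in, nacl_in, nacl_out, proto, port, client_ip, client_port):
    """Client at client_ip:client_port connects to our instance on `port`.
    Security group: stateful, so allowing the request implicitly allows the reply.
    NACL: stateless, so the reply leaving the subnet to client_ip:client_port must
    also be matched by an outbound rule covering the ephemeral port range."""
    request_ok = nacl_allows(nacl_in, proto, port, client_ip) and sg_allows(sg_in, proto, port, client_ip)
    reply_ok = nacl_allows(nacl_out, proto, client_port, client_ip)
    return request_ok and reply_ok


# Constructed rule sets: SG allows HTTPS from anywhere; NACL allows 443 in, but the
# lower-numbered rule 90 denies one documentation-range /24 before rule 100 is reached;
# outbound only allows the ephemeral ports that replies are sent to.
SG_IN = [Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_IN = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
           Rule(90, "deny", "tcp", 0, 65535, "198.51.100.0/24")]
NACL_OUT = [Rule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]
```

Passing an empty outbound NACL list shows the stateless trap: the request is allowed in, but the reply is dropped because no outbound rule matches the client's ephemeral port.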

Internet Gateway (IGW): An Internet Gateway is a VPC component that allows communication between your VPC and the internet.

1. An internet gateway enables resources in your public subnets (such as EC2 instances) to connect to the internet if the resource has a public IPv4 address or an IPv6 address.

2. To enable internet access, add a route to your subnet's route table that directs internet-bound traffic to the internet gateway, and ensure that your network access control lists and security group rules allow the desired internet traffic to flow to and from your instance.

That is enough theory; now let's jump into practice and create our VPC. The adventure starts now.

Step -1: Search for the VPC service, click on VPC and click on Create VPC.

Step -2: The user can give any name in the auto-generate field so that this name is added to the VPC's components. Here we selected the CIDR block 10.0.0.0/16 (65536 IP addresses in total, but AWS keeps 5 IP addresses per subnet for internal use). From the VPC wizard, the user can define the number of public subnets, private subnets and NAT gateways. Here we set these to 0, as we will create them manually and attach them to the VPC at a later stage.

Note-

Both DNS hostnames and DNS resolution are marked as enabled.

1. The DNS hostnames attribute determines whether instances launched in the VPC receive public DNS hostnames that correspond to their public IP addresses.

2. The DNS resolution attribute determines whether DNS resolution through the Amazon DNS server is supported for the VPC.

Step -3: Click on Create VPC and it will create a VPC for you. Congratulations, you have created a custom VPC in your AWS account 😊. Click View VPC to get the VPC details.

The user can see details such as the CIDR block and other VPC configuration settings.

Step -4: To enable internet access, let's create an Internet Gateway.

Click on Internet gateways (VPC console, left-hand panel). Click Create internet gateway, give the internet gateway a name and click Create internet gateway.

Step -5: Attach the internet gateway to your VPC. Click on Internet gateways; you can see that the newly created internet gateway is in the Detached state. Select the internet gateway, click Actions and then Attach to VPC. Select your VPC and click Attach internet gateway.

Note — You can also perform this operation from the AWS CLI; to get the command details, select the AWS Command Line Interface command option in the console.

Step -6: Let's create subnets within the VPC so that we can deploy applications in them. To create a subnet, click Subnets (left-hand side of the VPC console), click Create subnet and select the VPC ID for your subnet. Under Subnet settings, give the subnet a name and select the IPv4 CIDR block (ensure that the CIDR block you select lies within the range of the VPC CIDR block).

We can add another subnet as well by clicking Add new subnet, and use it to create a private subnet.

Note –

Ensure that the CIDR block for the private subnet does NOT overlap with another subnet. Each subnet must have a mutually exclusive CIDR block.

Step -7: For the public subnet, enable auto-assign public IPv4 address so that when we deploy resources in the subnet, a public IP is assigned automatically. To do this, select the public subnet, click Actions, click Edit subnet settings, tick Enable auto-assign public IPv4 address and click Save.

Step -8: Now it's time to create a custom route table. Before doing that, let's verify the default route table that is attached to the VPC. Click on the route table and, at the bottom of the selected route table, click on the Routes tab to see the destination and target as local. This route makes internal traffic possible (however, we still need to configure how an EC2 instance in the private subnet will connect with an EC2 instance in the public subnet).

Step -9: Let's create 2 route tables, one for public and one for private. For the public route table, attach the internet gateway so that resources created in the public subnet can route to the internet. To create a new route table:

1. Click Route tables (left panel of the VPC console), then click Create route table.

2. Give the route table a name, select the VPC and click Create route table.

3. Once the route table is created, since it is a public route table, we need to add a route to the internet gateway. To do this, select the route table, click on Routes (bottom) and click Edit routes. Click Add route and add a new route with 0.0.0.0/0 as the destination and the internet gateway as the target. Click Save.

Step -10: We need to do the subnet association to ensure that the custom route table is attached to the right subnet. Click Edit subnet associations, select the right subnet (in this case the public subnet) and click Save associations.

Step -11: We can create another route table (same process as steps 9 and 10) for the private subnet; the only difference is that we do not add the internet gateway route, as the subnet is private.

Step -12: There are scenarios where instances in the private subnet need to connect to the internet, for example to download security patches. To allow this, we need to create a NAT gateway (or a NAT instance).

1. It provides internet access to instances in the private subnet without an internet gateway route in that subnet.

2. A NAT gateway is managed by AWS and is highly available within its AZ.

We will create the NAT gateway in this section and use it at a later point. To create the NAT gateway, click NAT gateways (left panel of the VPC console) and click Create NAT gateway.

1. Give the NAT gateway a name.

2. Select the subnet. The NAT gateway needs to be placed in a public subnet so that traffic from the private subnet can reach it and then be routed to the internet.

3. Allocate an EIP (Elastic IP) so that traffic through the NAT gateway leaves via this IP.

4. Click Create NAT gateway.

5. Once the NAT gateway is created, we need to update the route table associated with the private subnet and add a route to the NAT gateway.
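The subnet and route-table rules from steps 6 to 12 (each subnet CIDR inside the VPC block, no overlap between subnets, 5 reserved addresses per subnet, a local route plus a 0.0.0.0/0 route to the IGW or the NAT gateway), as an added Python example that is not part of the original post. The gateway IDs are constructed placeholders, and the resolver picks the most specific matching route, as a VPC route table does.

```python
import ipaddress

AWS_RESERVED_PER_SUBNET = 5  # AWS reserves the first four and the last address of every subnet


def plan_subnets(vpc_cidr, subnet_cidrs):
    """Check that each subnet lies inside the VPC block and that no two overlap.
    Returns {subnet name: usable addresses}, or raises ValueError describing the clash."""
    vpc = ipaddress.ip_network(vpc_cidr)
    accepted = {}
    for name, cidr in subnet_cidrs.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            raise ValueError(f"{name} {cidr} is outside the VPC block {vpc_cidr}")
        for other, onet in accepted.items():
            if net.overlaps(onet):
                raise ValueError(f"{name} {cidr} overlaps {other} {onet}")
        accepted[name] = net
    return {n: net.num_addresses - AWS_RESERVED_PER_SUBNET for n, net in accepted.items()}


def lookup_route(route_table, dst_ip):
    """Longest-prefix match over (destination CIDR, target) pairs, which is how a
    VPC route table chooses between the local route and the 0.0.0.0/0 default."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# Constructed values mirroring the walkthrough: a 10.0.0.0/16 VPC with one public
# and one private /24. Gateway IDs are placeholders, not real AWS resource IDs.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {"public": "10.0.1.0/24", "private": "10.0.2.0/24"}
PUBLIC_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")]   # step 9
PRIVATE_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")]  # step 12

if __name__ == "__main__":
    print(plan_subnets(VPC_CIDR, SUBNETS))           # {'public': 251, 'private': 251}
    print(lookup_route(PRIVATE_RT, "10.0.1.10"))      # local
    print(lookup_route(PRIVATE_RT, "93.184.216.34"))  # nat-PLACEHOLDER
```

A private route table without the 0.0.0.0/0 entry (step 11 before step 12) returns no target for an internet address, which is exactly why patch downloads fail until the NAT gateway route is added.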

Great, we were able to create a custom VPC with the necessary details. In the next blog, we will use this VPC and explore how to deploy resources in the private and public subnets.

Note –

We did not create any security group in this blog, as a security group is attached at the instance level; we will explore it in upcoming blogs.
