VIRTUAL PRIVATE CLOUD
A Virtual Private Cloud (VPC) is a logically isolated virtual network inside the AWS cloud. Because it is isolated from other networks and from other VPCs, traffic and data in one VPC are not visible to another. It also means that IP address ranges do not have to be unique across VPCs: the same private address range can be reused in different VPCs without conflict.
The key components of a VPC are:
- Route table
- Internet gateway
- NAT gateway
- Elastic IP addresses
- VPC endpoint
- Security groups and network access control lists
The VPC contains its own highly available virtual router. You can think of it as an intelligent switch with an interface in every subnet; it decides how to forward traffic from one endpoint to another. Whenever an instance communicates with another subnet, the router makes the forwarding decision, whether the destination is on the internet, in your data center, or in another part of the AWS network. Those decisions are driven by the route table associated with the subnet.
If an instance running in a VPC subnet needs to reach the public internet, the VPC needs an internet gateway: the instance's request leaves the VPC through the internet gateway. The instance also needs a public IP address, because the internet gateway performs one-to-one NAT between that public address and the instance's private address.
To set this up, attach an internet gateway to the VPC, then add a default route (0.0.0.0/0) to the subnet's route table that points to the internet gateway, and assign a public IP address (or an Elastic IP address) to the instance's network interface. A subnet whose route table contains such a route is called a public subnet.
In many cases you have systems that need to reach the internet but must not be reachable from it. That is the job of the next component of a VPC, the NAT gateway. NAT (network address translation) rewrites one network address into another. Another classic use of NAT is during a migration, for example when an organization merges with another that uses the same IP address ranges: systems with identical addresses cannot talk to each other, so something has to be translated.
With a NAT gateway, all your internal systems can keep private IP addresses, so they are not reachable from the internet, yet they can still reach out to the internet to pull back patches, software updates and so on. The NAT gateway itself sits in a public subnet (one with a route to the internet gateway) and has an Elastic IP address; the private subnet's route table sends 0.0.0.0/0 to the NAT gateway rather than to the internet gateway. Because the translation is only created for connections initiated from inside, your systems can reach out and bring data back, but the outside internet cannot initiate connections to them.
Elastic IP Addresses
Any system that needs to be reachable from the internet needs a public IP address. It does not have to be on the web server itself; it could be on an ELB in front of it. But if a system is going to be reachable from the internet, something on the path to it must have a public IP address.
Public IPv4 addresses are scarce, so Amazon maintains a pool of them, called Elastic IP addresses. When an organization needs a public address it allocates one from the pool and keeps it for as long as it needs; the address stays with the account, and can be moved between instances, until it is released. Once released, it returns to the pool and Amazon can hand it to another customer. This lets customers keep private IP addresses inside their network and take public IP addresses only where they are needed.
A VPC endpoint lets you reach another AWS service, or a service in another AWS customer's VPC, over the AWS network instead of the internet. Without an endpoint, an instance that wants to talk to an AWS storage service such as S3 has to go out to the internet (through a NAT gateway or internet gateway) and come back into the AWS network. That adds latency, and you pay for the internet traffic.
The AWS backbone performs better than the public internet because Amazon manages it end to end, with its own quality control and quality of service guarantees. A request that goes out to the internet instead traverses multiple service providers with no guarantee of throughput or latency. So an endpoint is a way to get predictable performance, and better security because the traffic never leaves the AWS network, when talking to other AWS services or to partners.
There are two types of endpoints:
Interface endpoint - an elastic network interface in your subnet with a private IP address taken from the subnet's address range. It is the entry point from your VPC to a supported service and is built on AWS PrivateLink. Supported services include many AWS services as well as services that other AWS customers or partners publish through PrivateLink.
Gateway endpoint - a target that you add to a route table rather than an interface. Creating one places a route in the VPC's route table for the service's address prefixes, so traffic destined to that service is sent to the endpoint instead of following the default route. Gateway endpoints exist only for Amazon S3 and DynamoDB; every other service uses an interface endpoint.
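The router, internet gateway, NAT gateway and gateway endpoint paragraphs above all come down to one mechanism: the VPC router picks the most specific matching route in the subnet's route table. As an added example that is not part of the original page, here is a small Python model of that lookup over three constructed route tables (public, private and isolated). The resource IDs are made up, and the "S3" prefix list uses a TEST-NET range as a stand-in for the real service CIDRs, which vary by region.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed stand-in for a managed service prefix list (real S3 prefix
# lists have IDs like pl-xxxxxxxx and many CIDRs); TEST-NET-2 used here.
PREFIX_LISTS = {
    "pl-example-s3": ["198.51.100.0/24"],
}

Route = Tuple[str, str]  # (destination, target) as the console shows them

PUBLIC_SUBNET_RT: List[Route] = [
    ("10.0.0.0/16", "local"),                      # VPC CIDR, always present
    ("0.0.0.0/0", "igw-0123456789abcdef0"),        # default route -> internet gateway
    ("pl-example-s3", "vpce-0aaaabbbbccccdddd0"),  # gateway endpoint route
]
PRIVATE_SUBNET_RT: List[Route] = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-0ffffeeeeddddcccc0"),       # default route -> NAT gateway
    ("pl-example-s3", "vpce-0aaaabbbbccccdddd0"),
]
ISOLATED_SUBNET_RT: List[Route] = [("10.0.0.0/16", "local")]


def expand(routes: List[Route]):
    """Turn prefix-list destinations into one (network, target) entry per CIDR."""
    out = []
    for dest, target in routes:
        cidrs = PREFIX_LISTS[dest] if dest.startswith("pl-") else [dest]
        out.extend((ipaddress.ip_network(c), target) for c in cidrs)
    return out


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match, as the VPC router does; None means no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, target in expand(routes):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def subnet_kind(routes: List[Route]) -> str:
    """Public = default route to an igw; private = to a NAT gateway; else isolated."""
    targets = [t for _, t in routes]
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("nat-") for t in targets):
        return "private"
    return "isolated"


def reachable_from_internet(routes: List[Route], has_public_ip: bool) -> bool:
    """Inbound reachability needs both a public address on the interface and a
    route back out through an internet gateway; a NAT gateway gives neither."""
    return has_public_ip and subnet_kind(routes) == "public"


if __name__ == "__main__":
    for name, rt in (("public", PUBLIC_SUBNET_RT), ("private", PRIVATE_SUBNET_RT)):
        for dst in ("10.0.2.10", "203.0.113.5", "198.51.100.7"):
            print(name, dst, "->", lookup(rt, dst))
```

Note that the endpoint route wins for 198.51.100.7 even though 0.0.0.0/0 also matches: the /24 is more specific than the default route, which is exactly how a gateway endpoint diverts storage traffic off the internet path without touching the default route.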
Security groups and Network access control lists
A network access control list (network ACL) is similar to an access list on a router: it is stateless. Because it is stateless, rules have to be written separately for inbound and outbound traffic, and return traffic is not recognized automatically, so replies to allowed connections must themselves be allowed (typically by an outbound rule for the ephemeral port range). Rules are numbered and evaluated in ascending order, the first match wins, and a network ACL can contain deny rules as well as allow rules. A network ACL is attached to a subnet, so it is used to keep traffic out of a subnet.
A security group works like a host-based firewall. Security groups are stateful and are attached to the network interface of a server or service: once an inbound connection is allowed, the reply traffic is allowed automatically, and the same applies in the other direction. Security groups contain allow rules only; anything not explicitly allowed is denied. So while the network ACL keeps traffic out of the subnet, the security group keeps traffic away from an individual system such as an EC2 instance or virtual machine.
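The practical difference between stateless and stateful shows up the moment a server answers a request. As an added example that is not part of the original page, the following Python simulation evaluates a constructed HTTPS request and its reply against a numbered, first-match network ACL and against a connection-tracking, allow-only security group. The packets, rules and addresses (TEST-NET-3 for the client) are constructed for illustration; the matching logic is a simplified model of the AWS behaviour described above, not AWS code.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = toward the instance, "out" = leaving the instance
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int             # network ACL rules are evaluated in ascending order
    direction: str
    proto: str
    cidr: str               # remote address range the rule applies to
    ports: Tuple[int, int]  # destination port range (lo, hi)
    action: str             # "allow" or "deny"


def _matches(proto: str, cidr: str, ports: Tuple[int, int], pkt: Packet) -> bool:
    """Match on protocol, the remote side's address, and the destination port."""
    remote = pkt.src if pkt.direction == "in" else pkt.dst
    return (proto in ("all", pkt.proto)
            and ipaddress.ip_address(remote) in ipaddress.ip_network(cidr)
            and ports[0] <= pkt.dport <= ports[1])


def nacl_allows(rules: List[Rule], pkt: Packet) -> bool:
    """Stateless: every packet, replies included, is checked against the rules
    for its own direction; first match wins; no match means deny (the '*' rule)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.direction == pkt.direction and _matches(rule.proto, rule.cidr, rule.ports, pkt):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Stateful, allow-only: a packet that is the reply to an already-allowed
    flow passes even if no rule in its own direction would permit it."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound            # list of (proto, cidr, (lo, hi))
        self.outbound = outbound
        self._flows: Set[Tuple] = set()   # connection-tracking table

    def allows(self, pkt: Packet) -> bool:
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows:
            return True  # reply to a tracked flow
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for proto, cidr, ports in rules:
            if _matches(proto, cidr, ports, pkt):
                self._flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
        return False


def simulate(nacl_rules: List[Rule], sg: SecurityGroup, packets: List[Packet]):
    """Evaluate each packet against both layers independently so the reader can
    see which layer would drop it. On AWS the subnet's network ACL is checked
    first and a packet it drops never reaches the security group."""
    return [(nacl_allows(nacl_rules, p), sg.allows(p)) for p in packets]


# Constructed traffic: a client on the internet (TEST-NET-3 address) opens an
# HTTPS connection to a web server at 10.0.1.10, and the server replies.
REQUEST = Packet("in", "tcp", "203.0.113.5", 50000, "10.0.1.10", 443)
REPLY = Packet("out", "tcp", "10.0.1.10", 443, "203.0.113.5", 50000)

# Common mistake: inbound 443 allowed, but no outbound rule for the ephemeral
# port range that the reply to the client goes back to.
NACL_MISSING_EPHEMERAL = [Rule(100, "in", "tcp", "0.0.0.0/0", (443, 443), "allow")]
NACL_CORRECT = NACL_MISSING_EPHEMERAL + [
    Rule(110, "out", "tcp", "0.0.0.0/0", (1024, 65535), "allow"),
]
# A deny rule with a lower number beats the allow at 100: a network ACL can
# block a known-bad range, which an allow-only security group cannot.
NACL_BLOCKLIST = [Rule(90, "in", "tcp", "203.0.113.0/24", (0, 65535), "deny")] + NACL_CORRECT


def web_server_sg() -> SecurityGroup:
    # Outbound left empty on purpose (a real default group allows all outbound)
    # to show that the reply still passes thanks to connection tracking.
    return SecurityGroup(inbound=[("tcp", "0.0.0.0/0", (443, 443))], outbound=[])


if __name__ == "__main__":
    for name, rules in (("missing ephemeral", NACL_MISSING_EPHEMERAL), ("correct", NACL_CORRECT)):
        print(name, simulate(rules, web_server_sg(), [REQUEST, REPLY]))
```

With the first ACL the request is admitted by both layers but the reply is dropped by the ACL while the security group would still pass it; adding the outbound ephemeral-port rule fixes it. Run the same packets through NACL_BLOCKLIST and the request is denied at rule 90 before rule 100 is ever reached.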