Network Concepts in AWS

AWS VPC

AWS's Virtual Private Cloud (VPC) is a fundamental feature offering a customizable, isolated virtual network environment within the Amazon Web Services cloud. Users define IP ranges, subnets, routing tables, and security settings. VPCs enable secure hosting of AWS resources like EC2 instances, databases, and more.

Subnets

In AWS's Virtual Private Cloud (VPC), a subnet refers to an IP address range and serves as a segmented section within the VPC. Subnets accommodate resources like Amazon EC2 instances and share a common address component. They are categorized into Public Subnets and Private Subnets.

Private Subnet

In Amazon AWS, instances residing in a private subnet are deliberately isolated from direct internet access, requiring only private IPs. Their internet-bound traffic is routed through a Network Address Translation (NAT) gateway located in the public subnet, ensuring a controlled gateway for internet connectivity. For instance, placing critical resources like a Database Server or Application Server in a private subnet ensures they are shielded from direct internet exposure, only accessible via connections from instances, machines, or services in the public subnet. By configuring the absence of a route to 0.0.0.0/0, a truly private subnet can be established, fortifying its isolation from external internet access.

Public Subnet

In Amazon AWS, instances in a public subnet are accessible from the internet since they have public IPs and are configured with a route for 0.0.0.0/0 via an Internet Gateway (IGW). Commonly, resources like Load Balancers and Web Servers are placed in the public subnet to directly communicate with the internet, enabling external traffic to reach these services. This intentional setup of public subnets to channel internet traffic through an IGW ensures easy access to these resources from the internet, creating an ideal environment for services intended for public interaction.

CIDR notation

Mask bits, commonly represented in CIDR (Classless Inter-Domain Routing) notation, indicate the number of bits used for the network portion of an IP address. CIDR notation uses a format where the IP address is followed by a forward slash and a number, which represents the number of bits used for the network portion of the address. For example, in the CIDR notation "192.168.1.0/24", the "/24" indicates that the first 24 bits are used for the network part, and the remaining 8 bits are for hosts.

Example 1: In the CIDR notation "10.0.0.0/24", the "/24" indicates that the first 24 bits are used for the network part, and the remaining 8 bits (32 - 24 = 8) are for hosts. Number of hosts consists of 28 = 256 hosts. Azure reserves five IP addresses in each subnet: the first four and the last address. Similarly, AWS generally reserves five IP addresses as well.

Example 2: In the CIDR notation "10.0.0.0/16", the "/16" indicates that the first 16 bits are used for the network part, and the remaining 16 bits (32 - 16 = 16) are for hosts.

Subnet Bits

Subnet bits are used in the process of subnetting, where a larger network is divided into smaller sub-networks. The subnet bits determine how many subnets can be created within the given network space.

The number of subnet bits designates the portion of the IP address that is used to identify the subnet. More subnet bits mean a larger number of subnets but fewer available host addresses within each subnet.

For example, if you have 3 subnet bits, you can create 2^3 (8) subnets.

Internet Gaway (IGW)

In Amazon Web Services (AWS), an internet Gateway (IGW) is like a doorway that connects your cloud-based Virtual Private Cloud (VPC) to the vast world of the internet. It allows your cloud resources, such as instances or servers within the VPC, to both send and receive data to and from the internet.

NAT Gateway

In Amazon Web Services (AWS), a NAT Gateway is a managed service designed to enable instances in private subnets within a Virtual Private Cloud (VPC) to access the internet while maintaining a level of security and control. Instances within private subnets lack public IP addresses and cannot directly access the internet. The NAT Gateway provides a means for these instances to send outbound traffic to the internet by translating their private IP addresses to a public IP address.

Routing Table

A routing table in a VPC acts as a set of guidelines that determine the pathways for network traffic within the cloud environment. It instructs how data moves between various subnets, local instances, and external networks, such as the internet.

For public subnets, the routing table includes a specific route directing internet-bound traffic through the Internet Gateway.

In contrast, private subnets use a different route in their routing tables, directing internet-bound traffic to a NAT Gateway. The Network Address Translation (NAT) Gateway acts as an intermediary that allows instances in private subnets, with only private IP addresses, to access the internet indirectly. Outgoing traffic from private instances is sent through the NAT Gateway, which then forwards it to the internet, and the responses are relayed back to the instances, ensuring controlled and secure access while maintaining the privacy of these resources.

Route Table Association

Public subnets are configured to associate with a routing table that has a route to the Internet Gateway, allowing instances within these subnets to send and receive data directly from the internet.

Private subnets on the other hand are configured with a route in their routing tables that directs traffic destined for the internet to the NAT Gateway. This arrangement enables instances within private subnets, which typically have private IP addresses, to access the internet indirectly. Outgoing traffic from these instances is routed through the NAT Gateway, which then translates their private IP addresses into a public IP address, allowing the traffic to reach the internet. The responses from the internet are relayed back through the NAT Gateway to the instances within the private subnets.

AWS VPC: Creating 8 Subnets within the VPC 10.0.0.0/16

To explain the VPC and subnet I used in this article series, I am using a VPC with 10.0.0.0/16 network range, dividing the network into 8 subnets. In a network with a /16 mask, there are 216 = 65,536 possible host addresses. Allocating 65,536 possible host addresses equally to 8 subnets will give 8,192 host addresses to each subnet.

Now, any subnets that we create within our VPC need to reside within this CIDR block range. So let's take a look at the case of 8 subnets in the above network.

When dealing with TCP/IP addresses in your subnet, the initial four addresses in any subnet are reserved and cannot be used for host addresses. Similarly, the last address is also reserved. This restriction implies that you have only 8,187 available IP addresses (out of 8192) for assigning to your host resources within that specific subnet.

Another look at each subnet:

In the image below, the network portion of the IP address will be the same for each host in the network. Likewise, the host portion of the IP address which is in blue color will be the same for each host in the subnet. Any host in each subnet can have any combination of 0 and 1 as represented in red.