Table of Contents
- VPC Diagram
- VPC Endpoint Diagram
- NAT Gateway vs. NAT Instances
We can think of a VPC as a logical data center in AWS, or a mini cloud inside AWS. It has the following components:
- Internet Gateway
- Network Access Control List (NACL)
- Route Table
- Security Group
- NAT (Network Address Translation) Gateway
- NAT Instance
- VPC Endpoint
When we create a VPC, AWS creates a default Route Table, a default Network Access Control List (NACL) and a default Security Group. However, AWS does not create any subnets or an Internet Gateway.
Some facts about AWS VPC:
- AWS Availability Zone names are randomized per account. The AZ named us-east-1a in one account might be a different physical AZ in another AWS account.
- Amazon always reserves 5 IP addresses within each subnet.
- We can only have one Internet Gateway per VPC.
- Security Groups cannot span VPCs.
We can launch instances in the subnets, assign custom IP addresses, and control the network traffic within a VPC. When we create an AWS account, AWS sets up a default VPC in each AWS Region. The default VPC is user friendly and can be used immediately without any further configuration. Note that all subnets in the default VPC have a route out to the internet, and each EC2 instance in those subnets has both a public and a private IP address.
Other VPC related topics that are not covered in this post:
- Custom VPCs and ELBs
- VPC Flow Logs
- VPC Private Link
- Transit Gateway
- VPN Hub
- Direct Connect
- Setting up a VPN over a direct connect connection
- Global Accelerator
- VPC Peering
The diagram below shows the structure of a VPC. The orange box represents the "border" of the VPC. The Internet Gateway is the entry point to our VPC: incoming traffic from the internet needs to be directed to the Internet Gateway in order to enter the VPC.
Subnets are, loosely speaking, clusters of EC2 instances. We can define multiple subnets in a VPC. There are two types of subnets:
- public subnets
- private subnets
EC2 instances launched in a public subnet have a public IP address and can be accessed from the internet.
Note that there are two types of traffic:
- incoming traffic
- outgoing traffic
The routing for incoming traffic is handled by AWS automatically. For example, if we launch an EC2 instance in a public subnet, AWS will assign a public IP to this instance, which can then be used to SSH into the host. When we SSH to the host, the request is sent to the Internet Gateway and AWS routes the traffic to the EC2 instance. This is all set up automatically and we don't need to configure anything.
Most of the custom configuration is related to (1) the route table and Network Access Control List attached to each subnet and (2) outgoing traffic routing. For a public subnet to communicate with the internet, we just need to attach the Internet Gateway to the public subnet. To enable outgoing traffic for private subnets, we have two options:
- Use NAT instance
- Use NAT Gateway
The NAT Gateway is preferred because it's more scalable and we don't need to manually install software patches. You may find a comparison table in the appendix.
In the diagram below, the dotted blue line represents incoming traffic and the dotted purple line represents outgoing traffic. The top subnet has a NAT Gateway, so it's a public subnet.
Note: A general pattern is to use a public subnet as a middleman between a private subnet and the internet. Examples are:
- NAT Gateway / NAT instances
Suppose we want to download a file from S3 from an EC2 instance in a private subnet. Without a VPC endpoint, the request is routed to the NAT Gateway, then goes out through the internet and eventually reaches S3. This is the blue path in the diagram below.
Because our VPC and S3 are both in AWS, we don't really need to go through the internet. What we can do is create an S3 endpoint and add it to the subnet (in this case, the private subnet). With the VPC endpoint, requests from the EC2 instance are routed to S3 directly inside AWS without going through the internet. This is the green path in the diagram.
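The two routing decisions described above (a private subnet sending general outbound traffic through the NAT Gateway, and S3-bound traffic taking the endpoint instead) both come down to how a route table picks a target: the most specific matching prefix wins. The following Python script is an added example, not code from the original post or from AWS; it models a route table as a list of (CIDR, target) pairs and applies longest-prefix match to show which path a packet takes from a public subnet, a private subnet with only a NAT Gateway, and a private subnet that also has an S3 gateway endpoint. The target IDs (igw-PLACEHOLDER, nat-PLACEHOLDER, vpce-PLACEHOLDER) and the 203.0.113.0/24 range standing in for Amazon's S3 prefix list are constructed placeholders.

```python
"""Route-table longest-prefix-match simulator (added example, not from the post).

Targets such as "igw-PLACEHOLDER" are illustrative placeholders; real AWS
resource IDs and the real S3 managed prefix list are not used here.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"
# Constructed stand-in for the S3 managed prefix list (pl-xxxx) of a region.
S3_PREFIX_LIST = ["203.0.113.0/24"]


def most_specific_route(route_table, destination):
    """Return the target whose CIDR matches `destination` with the longest prefix.

    route_table: list of (cidr, target) pairs. Returns None when nothing matches,
    which is what happens in a VPC with no default route (traffic is dropped).
    """
    dst = ipaddress.ip_address(destination)
    best_target, best_len = None, -1
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and net.prefixlen > best_len:
            best_target, best_len = target, net.prefixlen
    return best_target


def is_public_subnet(route_table):
    """A subnet is public when its default route points at an Internet Gateway."""
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-")
               for cidr, target in route_table)


def describe_path(route_table, destination):
    """Human-readable path for a packet leaving a subnet with this route table."""
    target = most_specific_route(route_table, destination)
    if target is None:
        return "dropped: no matching route"
    if target == "local":
        return "stays inside the VPC"
    if target.startswith("igw-"):
        return "Internet Gateway -> internet"
    if target.startswith("nat-"):
        return "NAT Gateway (in the public subnet) -> Internet Gateway -> internet"
    if target.startswith("vpce-"):
        return "VPC endpoint -> AWS service, never leaves the AWS network"
    return "unknown target " + target


def usable_addresses(cidr):
    """Host addresses left in a subnet after the 5 that AWS reserves."""
    return ipaddress.ip_network(cidr).num_addresses - 5


# Public subnet: default route to the Internet Gateway.
PUBLIC_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")]

# Private subnet with a NAT Gateway only: every non-local destination, S3
# included, leaves via the NAT Gateway (the blue path in the post's diagram).
PRIVATE_RT_NAT_ONLY = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")]

# Same subnet after adding an S3 gateway endpoint: the /24 endpoint route is more
# specific than 0.0.0.0/0, so S3 traffic bypasses the NAT (the green path).
PRIVATE_RT_WITH_ENDPOINT = PRIVATE_RT_NAT_ONLY + [
    (prefix, "vpce-PLACEHOLDER") for prefix in S3_PREFIX_LIST
]

if __name__ == "__main__":
    s3_ip, web_ip, peer_ip = "203.0.113.10", "93.184.216.34", "10.0.2.7"
    for name, rt in [("public", PUBLIC_RT),
                     ("private+NAT", PRIVATE_RT_NAT_ONLY),
                     ("private+NAT+endpoint", PRIVATE_RT_WITH_ENDPOINT)]:
        print(f"{name}: public={is_public_subnet(rt)}")
        for ip in (peer_ip, web_ip, s3_ip):
            print(f"  {ip:>16} -> {describe_path(rt, ip)}")
    print("usable hosts in 10.0.1.0/24:", usable_addresses("10.0.1.0/24"))
```

Run the script as-is to see the three subnets side by side; the useful check for a practitioner is that a destination inside the S3 placeholder range resolves to the endpoint only in the third table, while a generic internet address still resolves to the NAT Gateway there, exactly the split between the green and blue paths.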
NAT Gateway vs. NAT Instances
| NAT Gateway | NAT Instances |
| --- | --- |
©2019 - 2022 all rights reserved