Amazon VPC stands for Virtual Private Cloud which enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network is quite similar to the network that you operate within your organisation, with the benefits of using AWS infrastructure.
Why we need to define VPC :
VPC enables you to :-
- Assign static private IP addresses to your instances.
- Assign multiple IP addresses to your instances if required.
- Define multiple interfaces and assign one or more network interfaces to your instances.
- Change security group membership of your instances while they are running. You can create up to 100 security groups per VPC.
- Elastic IP address remains associated with your instances when you stop it.
- You can add rules for inbound and outbound traffic while EC2 instance enables you to add rules for inbound traffic only.
Consider the scenario :
Suppose you have to run a publicly accessible web application but you don’t want anyone to access your database servers. This might be the case of your multi-tier website where the web servers are placed in public subnet and database servers are placed in private subnet.In order to establish the communication between your database and web servers, you can set up security rules and routing.
Now, let’s try to understand this scenario in detail. There are two important points to remember :-
- All the instances in your public subnets can be accessed from the internet directly, whereas the instances of private subnet can’t be.
- All the instances in your public subnets can access the internet directly, whereas the instances of private subnet can’t. But there might be a situation when you need to access internet from database instances such as to update softwares etc. To fulfill such requirement, private subnet can access the internet by using a network address translation (NAT) gateway that resides in the public subnet.
Components of VPC with Public & Private Subnets :-
- A virtual private cloud (VPC) of size /16 (example CIDR: 10.0.0.0/16) which provides 65,536 private IP addresses. This VPC further needs to be divided into two networks in order to completely isolate web servers from database servers.
- A public subnet of size /24 (example CIDR: 10.0.0.0/24) which provides 256 private IP addresses.
- A private subnet of size /24 (example CIDR: 10.0.1.0/24) which provides 256 private IP addresses.
- An Internet gateway in order to connect the VPC to the Internet and to other AWS products.
- Instances in the private subnet (10.0.1.0/24) are having private IP addresses (Example: 10.0.1.10,10.0.1.11,10.0.1.12). Since these instances are not associated with Elastic IPs, they can’t be accessed from internet.
- Instances in the public subnet (10.0.0.0/24) are having private IP addresses (Example: 10.0.0.10,10.0.0.11,10.0.0.12) which are associated with Elastic IPs (Example: 192.51.100.1 ,192.51.100.2,192.168.100.3). Since these instances are associated with elastic public IPs,they can be accessed from internet directly.
- A NAT gateway with its own Elastic IP address, in order to enable instances in private subnets to send request to internet.
- A Custom route table associated with the public subnet which contains the entry (Destination: 10.0.0.0/16) that enables instances in the subnet to communicate with other instances in the VPC and an entry ( 0.0.0.0/0) that enables instances in the subnet to communicate directly with the Internet.
- A Main route table associated with the private subnet which contains the entry (Destination: 10.0.0.0/16) that enables instances in the subnet to communicate with other instances in the VPC and an entry ( 0.0.0.0/0) that enables instances in the subnet to communicate to Internet through NAT gateway.
To implement security in VPC :
The motive behind implementing such scenario, where our database servers are not publicly assessable, is centralized around security features. Therefore, to fulfill our purpose we must ensure that security rules are implemented properly.
AWS provides two features that you can use to increase security in your VPC : Security groups & Network ACLs. Both features enable you to control the inbound and outbound traffic for your instances, but security groups work at the instance level, while network ACLs work at the subnet level.
Security rules alone can fullfill the requirement to many VPC users. However, some VPC users wants to use both the security rules and network ACLs to take the advantage of additional layer of security that network layer provides.