Amazon VPC - Introduction to Amazon Virtual Private Cloud
Last Updated: 01 Aug, 2025
Amazon VPC (Virtual Private Cloud) is like your own private data center inside the AWS cloud. It lets you launch servers (EC2 instances) in an isolated, secure network that you fully control.
Within a VPC, you can:
- Create public or private subnets,
- Set access rules using security groups and network ACLs,
- Control IP addresses, route tables, and internet gateways,
- Decide whether your servers connect to the internet or stay private.
It is a customizable and secure environment to run your applications, databases, and services just like building your own network inside the cloud.
Example
Let's try to understand it by taking an example of the GeeksforGeeks office setup. Just like GeeksforGeeks carefully organizes its departments and controls access, a VPC organizes and secures resources in the AWS cloud.
- The entire GeeksforGeeks office building = VPC (a private space where everything is managed securely)
- Different departments like Editorial, Development, HR = Subnets (some open for external interaction, some private for internal work)
- Security guards at every gate = Security Groups and Firewalls (deciding who can enter or leave)
- The internet connection for employees and visitors = Internet Gateway (allowing public access where needed)
- Private tunnels connecting to partner companies = VPN or Direct Connect (secure, private connections to other trusted networks)
Amazon VPC Architecture Overview
The basic architecture of a working VPC consists of several distinct resources such as gateways, load balancers and subnets. Together, these resources are grouped under one VPC to create an isolated virtual environment, with security checks applied at multiple levels.
The VPC is first divided into subnets, which are connected to each other through route tables and, where needed, a load balancer.
Core Components of Amazon VPC
The following are the components of Amazon VPC:
1. VPC
Amazon Virtual Private Cloud (Amazon VPC) lets you launch AWS resources into a virtual network that you define. This virtual network closely resembles a conventional network that you would operate in your own data center, with the added benefit of AWS's scalable infrastructure. The user-defined address space can be as large as a /16 block (65,536 addresses).
2. Subnets
A subnet divides the large network into smaller, logically separated networks.
- You can create up to 200 subnets.
- Some subnets can be public (accessible from the internet), and some can be private (only internal communication).
This helps you control traffic and increase security within your VPC.
3. Route Tables
Route tables define how traffic is routed between subnets and beyond. They tell data where to go inside your VPC, for example whether to stay within the private network or head out to the internet.
- Each subnet must be associated with a route table.
- Routes define the direction of traffic based on IP addresses.
4. Network Access Control Lists
Network Access Control Lists (NACLs) act as a firewall for your VPC by managing both inbound and outbound rules at the subnet level. Each VPC has a default NACL that cannot be deleted.
5. Internet Gateway(IGW)
The Internet Gateway (IGW) links the resources in the VPC to the internet, allowing resources such as web servers to be accessed publicly. Without an IGW, your VPC cannot communicate with the internet.
6. Network Address Translation (NAT)
A NAT Gateway allows instances in private subnets to initiate outbound internet connections (for example, to download updates) without allowing inbound access from the internet, so the instances stay hidden from outside users.
Amazon VPC (Virtual Private Cloud) Fundamentals
- If a subnet has internet access, it is called a public subnet.
- If a subnet does not have internet access, it is called a private subnet.
- A subnet must reside entirely within one Availability Zone.
- Access between instances is managed by VPC Security Groups for both inbound and outbound traffic. Security Groups support both inbound and outbound rules, but they are stateful, unlike NACLs.
- Subnet IP routing is specified with the aid of a route table.
- If a server/instance in a private subnet needs to reach the internet, it must go through a NAT device located in a public subnet.
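The route table rules above decide whether a subnet is public, private with NAT egress, or fully isolated. The following is an added example (not code from the article) that resolves a destination the way a VPC router does, by longest-prefix match, and classifies each subnet from the target of its default route. All route tables, subnet names and the `igw-EXAMPLE`/`nat-EXAMPLE` IDs are constructed placeholders.

```python
"""Classify VPC subnets as public, private (NAT egress) or isolated from their
route tables, using longest-prefix match the way a VPC router resolves a
destination. Added example; all route tables and IDs below are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed route tables: each route is (destination CIDR, target).
# Every VPC route table carries an implicit "local" route for the VPC CIDR.
ROUTE_TABLES: Dict[str, List[Tuple[str, str]]] = {
    "rtb-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")],
    "rtb-private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE")],
    "rtb-isolated": [("10.0.0.0/16", "local")],
}

# Constructed subnet -> route table associations (every subnet must have one).
SUBNET_ASSOCIATIONS: Dict[str, str] = {
    "subnet-web": "rtb-public",
    "subnet-app": "rtb-private",
    "subnet-db": "rtb-isolated",
}


def resolve_route(routes: List[Tuple[str, str]], destination: str) -> Optional[str]:
    """Return the target for `destination` using longest-prefix match.

    The most specific matching prefix wins, so the 10.0.0.0/16 local route
    beats 0.0.0.0/0 for traffic that stays inside the VPC."""
    addr = ipaddress.ip_address(destination)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify_subnet(subnet_id: str) -> str:
    """Public if the default route points at an IGW, private if it points at a
    NAT device, isolated if there is no route out of the VPC at all."""
    routes = ROUTE_TABLES[SUBNET_ASSOCIATIONS[subnet_id]]
    # 198.51.100.10 is a documentation address (RFC 5737) standing in for any
    # destination outside the VPC; only the 0.0.0.0/0 route can match it.
    target = resolve_route(routes, "198.51.100.10")
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


def classify_all() -> Dict[str, str]:
    return {subnet: classify_subnet(subnet) for subnet in SUBNET_ASSOCIATIONS}


if __name__ == "__main__":
    for subnet, kind in classify_all().items():
        print(f"{subnet}: {kind}")
```

Note that a route to an IGW makes a subnet public only in the routing sense; an instance there still needs a public or Elastic IP address to be reachable from the internet, and the subnet's NACL and the instance's security group still apply.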
Subnet
- A subnet is a smaller portion of the network that typically includes all the machines in a certain area.
- We can add as many subnets as we need in one Availability Zone. Each subnet must reside entirely within one Availability Zone.
- Public subnets are routed to an Internet Gateway, which enables internet access.
- Private subnets do not have direct internet access.
- Every subnet in the VPC must be associated with a route table.
Internet Gateway
- With the help of an IGW (Internet Gateway), resources in the VPC (e.g. EC2 instances) can access the internet.
- A VPC can have only one attached Internet Gateway at a time, but you can create multiple IGWs in your account.
- If resources are running in a VPC, the IGW cannot be detached from that VPC.
Route Table
- A route table contains a set of rules, called routes, which determine where network traffic is directed.
- A single VPC can have as many route tables as it requires.
- A route table cannot be deleted while dependencies (such as subnet associations) are still attached to it.
Network Access Control Lists (NACL)
- The NACL security layer for a VPC acts as a firewall that controls traffic entering and leaving one or more subnets.
- The default VPC's NACL is active and associated with the default subnets.
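NACL rules are numbered and evaluated from the lowest number upwards; the first matching rule decides, and the implicit final `*` rule denies everything that matched nothing. Because a NACL is stateless, the reply half of a connection is a separate packet that needs its own rule, which is the classic misconfiguration the article's "stateful, unlike NACLs" remark points at. The following added example (not code from the article) simulates that evaluation over constructed rule sets and shows an outbound rule set that breaks HTTPS replies beside the corrected one.

```python
"""Simulate network ACL evaluation: rules are checked in ascending rule-number
order, the first match decides, and the implicit '*' rule at the end denies.
Added example with constructed rules; protocols are given by name for clarity
rather than by the IANA protocol numbers a real NACL stores."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class NaclRule:
    number: int      # evaluated lowest first
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int   # destination port range of the packet being checked
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    action: str      # "allow" or "deny"


def evaluate(rules: List[NaclRule], protocol: str, port: int, peer_ip: str) -> str:
    """Return 'allow' or 'deny' for one packet in one direction."""
    addr = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if not (rule.port_from <= port <= rule.port_to):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action  # first match wins; later rules are never reached
    return "deny"  # the implicit '*' rule at the end of every NACL


# Constructed rule sets for a subnet that serves HTTPS.
INBOUND = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    # Replies to connections the subnet itself opened arrive on ephemeral ports.
    NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]

# Broken: only permits traffic the subnet sends *to* port 443, so the server's
# own replies (destination = client's ephemeral port) hit the implicit deny.
OUTBOUND_BROKEN = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

# Fixed: allows the server's replies to reach the client's ephemeral port.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    NaclRule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]


def https_session(outbound_rules: List[NaclRule],
                  client_ip: str = "198.51.100.25",
                  client_port: int = 51234) -> Tuple[str, str]:
    """Check both halves of one inbound HTTPS connection from a constructed
    client (RFC 5737 documentation address). The request is inbound to port
    443; the reply is outbound to the client's ephemeral port."""
    request = evaluate(INBOUND, "tcp", 443, client_ip)
    reply = evaluate(outbound_rules, "tcp", client_port, client_ip)
    return request, reply


if __name__ == "__main__":
    print("broken outbound:", https_session(OUTBOUND_BROKEN))
    print("fixed outbound: ", https_session(OUTBOUND_FIXED))
```

A security group would have allowed the reply automatically because it tracks connection state; a NACL needs the ephemeral-port rule in both directions. The ordering also matters: a deny rule numbered below an allow rule for the same traffic blocks it, while the same deny numbered above the allow is never reached.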
Classless Inter-Domain Routing (CIDR)
- Classless Inter-Domain Routing (CIDR) is a technique for allocating IP addresses and routing IP traffic; the prefix length ranges from 0 to 32.
- When setting up a VPC, we must specify a set of IPv4 addresses as a CIDR block, for example 10.0.0.0/16. This serves as the main CIDR block for our VPC.
RFC1918 Address (Private Address)
- An enterprise organization assigns an internal host an IP address known as an RFC1918 address. These addresses are used in private networks and are not reachable from, or routable on, the public internet.
The following networks are included in the RFC1918 (private) address space:
- 10.0.0.0 - 10.255.255.255 (10/8 prefix)
- 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
- 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
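Putting the CIDR and RFC1918 points together, the following added example (not code from the article) checks a candidate VPC CIDR before it is created: that it is a valid network address, that its prefix lies within the /16 to /28 range AWS accepts for a VPC, and that it falls inside one of the three RFC1918 blocks above. It then carves non-overlapping subnets from the block and reports the usable addresses per subnet after the five that AWS reserves in each subnet (network address, VPC router, DNS resolver, one reserved for future use, and broadcast). The CIDRs used are constructed.

```python
"""Plan a VPC address space: validate the VPC CIDR, carve subnets from it and
report usable addresses. Added example; all CIDRs below are constructed."""
import ipaddress
from typing import List

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_PREFIX, MAX_PREFIX = 16, 28   # VPC CIDR sizes AWS accepts
AWS_RESERVED_PER_SUBNET = 5       # first four addresses and the last one in every subnet


def is_rfc1918(cidr: str) -> bool:
    """True if the block lies entirely inside one of the RFC1918 ranges."""
    net = ipaddress.ip_network(cidr, strict=True)
    return any(net.subnet_of(block) for block in RFC1918)


def validate_vpc_cidr(cidr: str) -> List[str]:
    """Return a list of findings; an empty list means the CIDR is acceptable."""
    findings: List[str] = []
    try:
        # strict=True rejects host bits set, e.g. 10.0.0.1/16
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"invalid CIDR: {exc}"]
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        findings.append(f"prefix /{net.prefixlen} outside AWS range /16-/28")
    if not is_rfc1918(cidr):
        # AWS permits publicly routable blocks but recommends RFC1918 space.
        findings.append("not an RFC1918 private range; AWS recommends private ranges")
    return findings


def carve_subnets(vpc_cidr: str, new_prefix: int) -> List[ipaddress.IPv4Network]:
    """Split the VPC block into equal subnets of the given prefix length."""
    return list(ipaddress.ip_network(vpc_cidr, strict=True).subnets(new_prefix=new_prefix))


def usable_addresses(subnet: ipaddress.IPv4Network) -> int:
    """Addresses left for instances after AWS's per-subnet reservations."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def check_no_overlap(subnets: List[ipaddress.IPv4Network]) -> bool:
    """Subnets within one VPC must not overlap."""
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                return False
    return True


if __name__ == "__main__":
    vpc = "10.0.0.0/16"   # constructed main CIDR block
    print(vpc, "findings:", validate_vpc_cidr(vpc) or "none")
    subnets = carve_subnets(vpc, 24)
    print(len(subnets), "subnets of /24, overlap-free:", check_no_overlap(subnets))
    print("usable per /24:", usable_addresses(subnets[0]))
```

The same helpers are useful when planning VPC peering or VPN connectivity, where the address spaces on both sides must not overlap.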
Amazon VPC Network Address Translation (NAT)
- Network Address Translation (NAT) makes RFC1918 addresses a workable answer to IPv4 address exhaustion.
- With the help of NAT, an internal host can communicate with a server on the internet.
- A NAT device sits between the private network and the internet.
Use cases of Amazon VPC
The following are use cases of Amazon VPC:
- Using a VPC, you can host a public-facing website, a single-tier basic web application, or just a plain old website.
- The connectivity between our web servers, application servers, and database can be limited within a VPC, and extended to other VPCs with the help of VPC peering.
- By managing the inbound and outbound connections, we can restrict the incoming and outgoing traffic of our application.
Amazon VPC (Virtual Private Cloud) Working
Follow the steps mentioned below to configure a Virtual Private Cloud (VPC).
Step 1: Login into AWS Console and navigate to the VPC as shown below.
Step 2: After navigating to the VPC dashboard, click on Create VPC.
Step 3: Configure the details required to create the VPC, as shown in the image below. The most important settings are:
- Name of the network.
- IPv4 CIDR block.
- Tags for the VPC.
After that, click on Create VPC.

Step 4: Virtual Private Cloud created successfully with the required settings.
Step 5: Check the VPC dashboard to confirm that the created VPC (GFG-VPC) is available to use, as shown in the image below.
AWS VPC Console
To create and manage a Virtual Private Cloud (VPC) in AWS, follow these steps:
- Log in to your AWS account.
- Once inside the AWS Management Console, click on the “Services” menu at the top.
- From the list of categories, navigate to “Networking & Content Delivery”.
- Select “VPC” from the options provided.
After selecting VPC, you will be redirected to the VPC dashboard. On the left-hand side, the navigation pane displays various options and services related to VPC management.
Refer to the image attached below for a better understanding.