AWS Notes

Networking: Virtual Private Cloud

Last updated
Reading time
7 min read

Overview

By default, most AWS resources spin up in a Virtual Private Cloud (VPC). This means that they aren't accessible over the open internet. Traffic going into this network must pass through a gateway and several other barriers before reaching any AWS resources.

A VPC is initialized with a single IPv4 CIDR block which is the range of available IP addresses. These must be unique across the VPC to avoid conflicts during internal communications like when a web server in a public subnet fetches something from a database in a private subnet. Optionally, an IPv6 CIDR block can also be created. Along with these two, AWS allows the creation of 4 secondary IPv4 blocks. That's 1 primary, 1 optional IPv6, and 4 secondaries for a total of 6 blocks of IP addresses.

These private IPs will be assigned to resources deployed into the VPC. First, a portion of this range is allocated to a subnet (with a CIDR block within one of the VPC's six blocks). Then, for example, an EC2 instance or an RDS DB instance is assigned an IP address from that subnet's available range.

Subnets

In a VPC, subnets are segments of a CIDR block that are tied to a single availability zone. They have their own CIDR block that is a subset of the VPC's range. In fact, when creating an EC2 instance in the management console, selecting an AZ deploys the instance into a subnet behind the scenes. Of course, when working more directly with a VPC, the subnet can be specified and configured directly.

Public IPs and Network Address Translation (NAT)

Private IPs are used for internal communications within the VPC only and cannot be accessed by the internet. Therefore, an EC2 instance web server will need a public IP to be accessible and able to receive requests. This is achieved by assigning it a public IP. Public subnets can be configured to assign a public IP automatically using the Auto-assign Public IP setting. Whenever the instance starts and stops, the dynamic, auto-assigned IP will change which could be problematic depending on the use case. If a static, public IP address is required, an Elastic IP can be created and explicitly associated with the EC2 instance.

Lastly, when a private instance needs to communicate outbound with the internet, Network Address Translation (NAT) Gateways or NAT Instances can be used. These work by translating the instance's private IP into a temporary, public IP. When the instance initiates a request to the internet, NAT will perform the translation outbound and then reverses the translation when receiving the inbound response. Since the instance doesn't have an actual public IP, all other inbound traffic from the internet cannot reach the instance.

Gateways

Gateways facilitate different types of communication by controlling ingress (entering) and egress (exiting) traffic. Because they exist on the edge of the network, it is referred to as edge routing. It is the first barrier packets must pass through in order to reach their destination inside of a VPC.

There are three main types of gateways: NAT Gateways (covered in a previous section), Internet Gateways, and Virtual Private Gateways. Additionally, there is a fourth way to connect to a VPC called AWS Direct Connect which provides a dedicated fiber connection that is physically private. The traffic uses this path to get to the VPC's gateway which is typically a Virtual Private Gateway.

Internet Gateway (IGW)

An IGW facilitates public internet access to instances in the VPC. A client can send a request through the IGW into the VPC to a publicly available resource like a web server. These resources must exist in a public subnet and have a public IP address.

Virtual Private Gateway (VGW)

A VGW allows a connection between an external private network and a VPC through a VPN tunnel. It is used when an external network needs to connect to private resources over a secure connection. Traffic is encrypted at the starting point, then decrypted upon reaching the VGW. Resources do not need public IP addresses to be accessed through a VGW.

Note that Virtual Private Gateways do not support IPv6.

Direct Connect

Direct Connect offers the most secure way to connect, as it is a physical connection from an external network directly to AWS and the VPC. An AWS partner will setup a private, fiber connection that physically bypasses the public internet. In doing so, external network congestion is avoided resulting in a more reliable connection. The fiber optic cable is often installed by the customer's network provider or telecom company, who are referred to by AWS as Direct Connect Partners.

Additional Filtering

Apart from gateways, there are other barriers that can be configured to protect a VPC and its resources.

Network Access Control List (NACL)

NACLs offer subnet-level rules to filter out traffic. By default, an AWS account's NACLs allow all inbound and outbound traffic. This filtering is stateless meaning that all traffic in or out will be evaluated against the configured rules. Packets passing through the NACL can be filtered by port numbers, traffic direction (in or out of the subnet), the protocol, or the IPs of the origin and destination of the request. An AWS account's default NACL setting is to allow all inbound and outbound traffic.

Security Groups

Security Groups act as a firewall around an EC2 instance. By default, all inbound traffic is denied while all outbound traffic is allowed. Additionally, the filtering is stateful. This means that once packets are allowed through, either outbound or inbound, they can pass back through in the opposite direction automatically because the Security Group remembers the previous decision. When creating something like a web server, rules must be customized to allow the appropriate traffic in to access the resource.

Summary by Examples

On the way to a web server, traffic can have 3 main layers of security before reaching its destination: the gateway, the subnet-level NACL, and the server's Security Groups. The gateway filters by ports, protocols, or IP, and may include security policies. NACLs filter for a similar set of controls on the subnet-level. While the previous layers deal with inbound and outbound traffic, Security Groups offer additional rules for internal communications. They operate at the instance-level and are stateful so that when inbound traffic is allowed in, it can remember and automatically allow it to exit.

Inbound Public Traffic Flow (IGW)

  1. Internet traffic enters VPC via IGW

  2. Traffic routed to a destination CIDR block as determined by the route table

  3. Arrives at subnet

  4. Evaluated by stateless Network Access Control List (NACL) that acts as a subnet-level firewall, filtering traffic (exists in the subnet)

  5. Evaluated by an instance's Security Groups for even further security (exists outside of instance, but is associated with the instance or multiple instances in multiple subnets as they exist VPC-wide)

  6. Arrives at instance

One thing to note is that if using ELB (ELastic Load Balancer), it will automatically attach its own security groups that are not configurable as they are managed by AWS.

Inbound Private Traffic Flow (VGW)

  1. Request initiates communication process with VGW

  2. VPN tunnel is established between the external network and the VGW

  3. Data is then encrypted and sent through this tunnel to be decrypted on the other end by the VGW

4. - 8. Same as IGW 3. - 6.