Pages

Friday, April 30, 2021

Life Before VPC

In this article we will understand what a VPC is, Components of VPC etc but before we will see what a life before VPC. it is advisable to read the basics of networking over here before going through this.

In the initial days of Cloud,  there is a single network associated with every resource that we create. If we create multiple instances, all of these are configured in the same, single network. In order to restrict access to the instances, we have to configure access controls. Managing , configuring them with controls is a nightmare for admins.

Here comes VPC ( Virtual Private Cloud ), So What VPC does is it allocates part of the Cloud as private network, ie a separate,dedicated network for people to create their resources. Since we have our own network, we have control over IP addressing, who has access to network and when we are connecting to instance, we can connect to network first and then connect to them using private ips assigned to our instances.

We will not get a part of the aws physical network rather we get a virtualized network on the physical network. The VPC can be shared or dedicated. We have an option called “dedicated tenancy,'' by which we can ask aws to provide dedicated hardware that manages our network. Instead of using routers, we can ask aws to give router access that handle network. This is not that we get a physical router instead this is virtual one.

VPC are created in a regions which means they stretch all the AZ’s and there Subnets are created. A VPC is always in a region and it cannot stretch a region. If you want 2 vpc from different regions to connect we have to use VPC peering.

Subnets in a VPC can be created either public or private.Public Subnet have internet access, web facing application web servers etc and private subnet have no internet access or not allowing access to instances from internet, we keep them in private subnet

When we create a subnet , there is no public or private. We make them public or private by defining rules to access.

IP CIDR : IP CIDR talks about the number of ips that can be allocated in that ip range. Let's say we have an IP address 192.168.100.124. Now we know that the IP address  is a 32 bit each part containing 8bits and represented in octal format.

Now if i define a CIDR range as : 10.0.0.0/16, this means the 8 bits starting from left up to 16 bits will not change which means, in the above ip adding first and second 8bits will be 16 hence these 2 will not change. The rest 2 part of 8 bits will change. The number of ip that can be configured is from 10.0.0.0 to 10.0.255.255. Since the 2 power 8 is 256. For example, 192.168.0.0/24 which mean we 192.168.0.0 to 192.168.0.255

We need to make sure we define the correct CIDR range for our network based on our requirements in VPC, else we may go out of the ip address to assign. More than that we need to create subnets in a VPC , so we need to have correct and more CIDR range assigned to VPC based on our requirements.

A CIDR notation does not mean to be a multiple of 8 like it can have
10.0.0.0/26. If we have 10.0.0.0/26, the first 3 8bits are not changing. But in the last 8 bit, the first 2 bits will not change and set to 11. The rest 6 bits will keep on changing giving 10.0.0.1 to 10.0.0.62 ip range

A VPC should be in range between /16 and /28. We can't have /29 or /30 vpc configured which means, 
/16 means it can have 256x256  = 65535 ips
/24 means it can have 256 ips
/31 means 1 ip

Recently aws provided an option of adding additional CIDR ranges added to existing VPC which is not possible earlier and also we cannot edit existing vpc once created and being used.

WHen specifying IP for VPC, we need to assign then based on the RFC1918 standards , ie 
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
If we have a Public IP already bought we can configure aws router configured with the public IP

Some ip are not allowed by aws are,
10.0.0.0 : network address
10.0.0.1: Reserved for VPC Counter
10.0.0.2: Reserved for DNS server
10.0.0.3: Reserved for Future Usage
10.0.0.255: Broadcast address but not available in Aws VPC. So reserved for future

Router & Route Table : Router works by looking at the route table. Route table holds information about how to transfer a request to a particular network. It defines routes as to where connections should go etc.
Route tables are associated to subnets

Elastic IP : elastic IP is a static public IP.  dynamically an ip is assigned when we start a new Ec2 instance. That dynamic ip is not permanent , it goes when we restart the instance. For this we can create an elastic ip and assign it to the instance which lasts until we release that elastic ip.

Elastic Network interface ( ENI ) : a Network card. Virtual network card. When ever we are assigning ips, they will be assigned to the network interface rather than instance. Then this interface assigned to instance. This interface can be moved to other instances when we need. One Ip address goes to 1 ENI. No Multiple Static IPs address can be assigned to the 1 ENI.

For example, let's say we are running an application inside a ec2 which has elastic ip set. Since this ip is set to interface and interface is assigned to ec2 instance, whenever there is a problem with the instance, we can just shift the interface from the  old one to the new one and using the same elastic ip assigned earlier.

Internet Gateway : Now lets say we have our VPC and subnets are created. We want to provide internet access to the instances in one of the subnets and no to the other subnet.This is where Internet Gateway ( IGW ) comes into the picture. 

An Internet gateway is a logical connection between an Aws VPC and the internet. It is not a physical device and only one igw is associated with each VPC. this will not limit the bandwidth of internet connectivity. An IGW rule needs to be added to route table for forwarding requests.

NAT gateways : Let's say we 2 subnets, public and private. The public subnet connects to an internet gateway ( IGW ) which provide internet access to the instances in the public subnet. Private subnet as the name says private and no internet access.

Now we have an Instance running a DB server in the private subnet. How can we allow this DB to update patches from the internet since we don't have the internet connection. This is where NAT gateway comes into.

A NAT gateway sits on the public subnet, the DB instance is allowed to talk to the NAT gateway that sits on the public network. The public network then using IGW will get the patches for the DB instance. The advantage here is the connection is outbound only which means from DB to NAT to IGW and Internet. No inbound connections will be allowed. This works only for the IPV4. For IPV6 use the egress-only internet gateway. A NAT gateway is used to simulate DMZ where inbound public access is restricted and outbound is allowed

Virtual Private Network & Direct connect : Most of the companies have well established network in their data centers and when they are coming to cloud network, how can they connect their Data center network with aws Vpc. this is where VPN and Direct connect comes into picture.

We can use these to connect our existing data center or network to the aws vpc. This lets our existing network router to connect to aws vpc. Then it becomes a virtual single network. We can easily communicate between existing DC to aws VPC using private IP address. 

VPN Connection & Customer gateway & Virtual Private Gateway
Since VPN is used to connect customer network with aws network, there should be an anchor holding these connection on both side. A customer gateway is the anchor on your side of that connection. It can be a physical or software appliance. The anchor on the AWS side of the VPN connection is called a virtual private gateway. Ie is
Customer gateway on customer side
VPG gateway on the aws side

In between these 2, we have the VPN connection created. An IPSEC connection is created in between customer gateway and VPG. The only limitation is that a VPG has 1.5g/per second bandwidth. This can lead to problems by bandwidth exceeding.

VPC endPoints : VPC End Points are basically connectivity that allows to talk to certain aws resources privately like Ec2 to s3. S3 is a service that have only public endpoints, so if we want to connect to s3 from ec2, the connection goes to internet and then connects to the public interface. The connection is not secured. Vpc endpoints allows ec2 instances to talk to end point and from there the request goes to the s3 instance. This way the connection is secured.

VPC peering : VPC peering is a way where we can use to connect 2 Vpc allowing instances inside them talk to each other.

A representation of the components that are available in VPC are,
Read More