We had a four-week break from AWS to talk extensively about GeeCON, as well as our guest author article about scaling Scrum. Let’s get back to the cloud again as we have another important group of services to tackle. I’ve mentioned networking services in the AWS introduction episode, as one of three most basic, along with storage and compute. This was supposed to be third article about group of services, but somehow it comes fourth, after an article on databases. Also, it will have two parts. Let’s start with VPC service.
Virtual Private Cloud is used to divide our cloud into logically separate sections and conquer various network elements, including: subnets, route tables, DHCP, access control lists, security groups, internet gateways, elastic IPs, elastic network interfaces, endpoints, NAT gateways and instances, peering connections and VPN configurations. Lots of stuff to play with indeed.
VPC is a networking layer for EC2 instances. It was launched three years later than EC2 and, because of that, there are actually two networking platforms in AWS. The older one is called EC2-classic, but it’s not supported by accounts created after 2013.
When creating VPC, we need to specify IPv4 address range by choosing a Classless Inter-Domain Routing (CIDR) block. CIDR block address format looks like: a.b.c.d/n where a, b, c and d are numbers between o and 255, just as in IPv4 address and n is a netmask – number of leading bits in network mask. The smaller n is, the more available addresses the block has. Single VPC can support between 16 (mask /28) and 65536 (mask /16) addresses. By default, we can create up to 5 VPCs per region. VPC can span multiple availability zones.
Subnet is a segment of VPC containing a subset of its addresses, where we can launch AWS resources like EC2 instances or databases. Subnet address range is defined again by CIDR block with netmask between 28 and 16. We need to remember, however, that five addresses are reserved: for network address, router, DNS server, broadcast and further use. By default, a VPC contains one public Subnet per Availability Zone with a netmask of /20.
We can have multiple Subnet in single Availability Zone, but the Subnet cannot span multiple Availability Zones. Public Subnets have route to internet, and are typically used for web servers. Private Subnets, on the other hand, are used for protected back-end resources like databases. There are also VPN Subnets, but that’s for later.
Route Table is a set of rules applied to Subnets to direct the traffic. It allows different Subnets to talk to each other, as well as to Internet Gateways, NAT Gateways and NAT Instances, Virtual Private Gateways and Peering Connections. Each Route Table rule has a destination CIDR block (where the traffic is expected to land finally) and a target (where we route such traffic internally). By default, new VPC comes with the Main Route Table that we can modify. We can also add other Route Tables. Each Subnet must be associated with Route Table and if it’s not done explicitly, it will be associated with the Main Route Table
Internet Gateway is a very important thing required to download cat pictures form the Internet. Or perhaps updates for operating systems, web server or other software on EC2 instance if we insist on being serious. It’s a transparently scalable and redundant component that translates private addresses of instances to public IPv4, or Elastic IP, depending on configuration, when there is an inbound or outbound connection. There is a single Internet Gateway per VPC.
DHCP Options Set is a configuration for Dynamic Host Configuration Protocol (DHCP) used for automatic passing of configuration to hosts within a network. There is a single DHCP Options Set per VPC that includes definition of domain name, NetBIOS node type and up to four of the following: custom Domain Name System (DNS) servers, custom Network Time Protocol (NTP) servers, custom NetBios name servers.
Security Groups vs Network ACLs
Security Group is a firewall controlling network access to an AWS resource. We can specify rules for traffic source in case of inbound traffic, destination in case of outbound traffic, protocols and port ranges. Default security group allows all traffic within itself as well as all outbound traffic and denies all inbound traffic. Security Group is stateful, meaning that if we define an inbound rule that accepts an inbound request, an outbound response for that request will be allowed. Only allow rules can be specified and all rules are evaluated when deciding whether allow given traffic.
Network Access Control List is somewhat similar to Security Group, but with few notable differences. It operates on Subnet level as opposed to instance level, acting as second layer of network defense in case something is screwed up on Security Group layer. It supports both allow and deny rules. It is stateless, meaning it is not aware of outbound responses for inbound requests, and we need to manually define both inbound and outbound rules to let responses out. Also, rules are processed in order, and the first one that applies to given traffic is applied ignoring the rest.
Elastic IP Address is a static IPv4 address that can be dynamically assigned to AWS resource. There is pool of such addresses per region and we can grab some of them and assign them to EC2 instances. The difference between Elastic IP address and EC2 instance public IP address is that we can control dynamic reassignment in case of our instance failure, thus we remain transparent to the outside world. Elastic IPs remain associated with our account, even if not assigned to anything, until we explicitly release them.
Elastic Network Interfaces
Elastic Network Interface, or ENI for short, is a virtual network interface that can be attached to an EC2 instance. They are associated with a Subnet and can have one public IP address and several private IP addresses with one of them being the primary. EC2 instance can have more than one ENI, which makes it dual-homed and have presence with multiple Subnets. ENI is independent from the EC2 instance, and can be reassigned to another one in case of failure.
Endpoint enables us to create private connection between VPC and another AWS service without access over internet, through NAT, VPN connection or Direct Connect. It currently supports S3, and experimentally DynamoDB in some regions but is planned to expand to other services. We can create multiple endpoints for single service, use different Route Tables and enforce different access policies for different Subnets.
NAT Instances vs NAT Gateways
Network Address Translation (NAT) enables instances in private Subnets to access internet in order to download software or updates, while being protected from external access. This can be accomplished via NAT Instance or NAT Gateway.
NAT Instance is a dedicated EC2 instance, usually created from specific Amazon Linux Machine Image (AMI) that receives traffic from private Subnet, uses its own public IP address, forwards it to Internet Gateway and handles the response if there is any.
NAT Gateway is a AWS managed resource that basically does the same as NAT Instance, but is transparently scalable and highly available. Of course, we can achieve similar results with multiple NAT Instances put in autoscaling group behind load balancer, but NAT Gateway does the trick for us.
It is generally recommended to use NAT Gateways instead of NAT Instances. You can find a detailed comparison here.
VPC Peering is a network connection that allows stuff in two different VPCs to talk to each other as if it was a single network. We can even create Peering Connection between VPC that belong to different AWS accounts. VPC can have multiple connections, but they are not transitive, meaning if VPC A is connected to VPC B and VPC B is connected to VPC C, it doesn’t mean that VPC A and VPC C tan talk through VPC B. If it is required, we need to setup a separate connection.
Virtual Private Network Connection is used to seamlessly connect AWS VPC network with external networks. It consists of Virtual Private Gateway (VPG) – a VPN concentrator on AWS side and Customer Gateway (CGW) – a hardware or software component on client side. A VPN connection can be the established between those two. The connection uses two IPSec tunnels for performance and redundancy. Single VPC can be connected to multiple CGWs.
My Eyes Hurt!
Uff, that was a long one. But again, VPC is a large topic when you really start to dig in (which is what I’m currently doing with AWS). Previously, I thought that I will contain all networking services in a single article, but then I’ve decided to split it into VPC and the rest and even after that I’ve arrived with this monstrous wall of text. But so be it. Next week we will talk about remaining services in the networking group: Route 53, CloudFront and DirectConnect. Stay tuned!
3 responses to “Amazon Networking Services, Part One: VPC”