
VPC: Your Private Network in the Cloud

Prerequisites

Before diving into VPC, it's helpful to understand the basics of IP Addresses, Subnets, and CIDR notation. You can learn more about these concepts in our Computer Networks section.

Key Terminologies

VPC

A Virtual Private Cloud (VPC) is essentially your own private network hosted within AWS. Think of it as a private space where you can place your resources (like EC2 instances) in an isolated environment. Nothing outside the VPC can reach those resources unless you explicitly allow it through routing and security rules, so only the users and services you authorize have access to your network.

Subnet

A subnet is a smaller network segment within a VPC. You can think of it as a separate room within your private office:

  • Public Subnet: Devices in this subnet can reach the internet and are reachable from the internet.

  • Private Subnet: Devices here have no route to the internet, so they cannot be reached from outside and communicate only within the VPC (outbound access can still be added separately through a NAT Gateway). This provides an extra layer of security.

Gateway

A gateway connects different networks, enabling communication between them. For example, it can connect the private network of a company to the internet or another private network.

Internet Gateway

An Internet Gateway is a special type of gateway that connects a VPC to the internet, allowing public access to resources (like web servers) in your VPC.

NAT Gateway

A NAT (Network Address Translation) Gateway enables devices in a private subnet to access the internet while preventing direct inbound connections from the internet. It acts as a one-way gate: connections initiated from inside are translated and allowed out, and only their replies are allowed back in.

Use Case Examples

1. Exposing Your Application to the World

Suppose you want to host a web application on an AWS EC2 instance and need it to be accessible over the internet. Here’s how you can set up your VPC:

  1. Create a VPC: Start by creating a VPC using a CIDR block (e.g., 10.0.0.0/16), which can support up to 65,534 devices.

  2. Create a Public Subnet: This subnet will be used to allow internet access.

  3. Add an Internet Gateway: Attach an Internet Gateway to your VPC to enable internet communication.

  4. Set Up Routing: Configure a route table to direct traffic through the Internet Gateway to the internet.

Public Route Table

  Destination      Target
  10.0.0.0/16      local
  0.0.0.0/0        igw

Routes are matched by longest prefix, so if the destination IP is within the VPC (10.0.0.0/16), the more specific local route wins and the traffic stays internal. Any other destination matches only the catch-all 0.0.0.0/0 route and is sent to the internet through the Internet Gateway.

To further secure your application, apply a security group to the EC2 instance that allows only the traffic types it needs, such as HTTP and HTTPS. Security groups are allow-lists: any inbound traffic not matched by a rule is dropped.

Note

For personal practice, you can use AWS's default VPC, its public route table, and its Internet Gateway to simplify the setup. If you launch an EC2 instance without choosing a private subnet, it is placed in a subnet of the default VPC, which is public.

2. Updating Packages on a Private Database Server

If you have a private database server that needs to access the internet (e.g., for software updates) but should not be directly accessible from the internet, you can use a NAT Gateway. This setup allows outbound internet access while blocking inbound traffic.

  1. Create a NAT Gateway: From the AWS VPC dashboard, create a NAT Gateway. Place it in the public subnet (it needs the Internet Gateway route to reach the internet itself) and assign it an Elastic IP.

  2. Create a Private Route Table: Configure a route table to direct traffic from the private subnet through the NAT Gateway.

    Private Route Table

      Destination      Target
      10.0.0.0/16      local
      0.0.0.0/0        nat-gtw-id
  3. Associate the Route Table with the Private Subnet: Make sure the private route table is associated with the private subnet to ensure proper traffic flow.
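The following Python model ties together the two route tables above and the security-group advice from the first use case. It is an added example, not AWS code or code from this page: it evaluates routes by longest-prefix match the way the explanation of the public route table describes, classifies a subnet as public when its route table sends 0.0.0.0/0 to an Internet Gateway (the definition AWS uses), treats a NAT Gateway route as outbound-only, and applies a default-deny security group. All subnet ranges, gateway ids and source addresses are constructed sample values.

```python
"""Model of how VPC route tables and security groups decide reachability.

Added example (not AWS code).  Routes are matched by longest prefix, so the
10.0.0.0/16 -> local route beats 0.0.0.0/0 for in-VPC destinations.  A subnet
whose table routes 0.0.0.0/0 to an Internet Gateway is public; a NAT Gateway
route allows outbound connections only.  Gateway ids and addresses below are
constructed placeholders.
"""
from ipaddress import ip_address, ip_network

# Route tables from the page: destination -> target (placeholder ids).
PUBLIC_RT = {
    ip_network("10.0.0.0/16"): "local",
    ip_network("0.0.0.0/0"): "igw-EXAMPLE",
}
PRIVATE_RT = {
    ip_network("10.0.0.0/16"): "local",
    ip_network("0.0.0.0/0"): "nat-EXAMPLE",
}

# Constructed subnets: name -> (CIDR, associated route table).
SUBNETS = {
    "public-a": (ip_network("10.0.1.0/24"), PUBLIC_RT),
    "private-a": (ip_network("10.0.2.0/24"), PRIVATE_RT),
}

# Security group from the page's advice: allow only HTTP and HTTPS inbound.
# Each rule is (protocol, from_port, to_port, source CIDR).
WEB_SG_INGRESS = [
    ("tcp", 80, 80, ip_network("0.0.0.0/0")),
    ("tcp", 443, 443, ip_network("0.0.0.0/0")),
]


def lookup(route_table, dst):
    """Return the target for dst by longest-prefix match, or None if unroutable."""
    addr = ip_address(dst)
    matches = [net for net in route_table if addr in net]
    if not matches:
        return None
    return route_table[max(matches, key=lambda n: n.prefixlen)]


def target_kind(target):
    """Collapse a route target into local / igw / nat / unroutable."""
    if target is None:
        return "unroutable"
    if target == "local":
        return "local"
    if target.startswith("igw-"):
        return "igw"
    if target.startswith("nat-"):
        return "nat"
    return "other"


def is_public(subnet_name):
    """A subnet is public when its route table has a route to an Internet Gateway."""
    _, rt = SUBNETS[subnet_name]
    return any(target_kind(t) == "igw" for t in rt.values())


def outbound_path(subnet_name, dst):
    """Where does traffic from this subnet to dst go: local, igw, nat, ..."""
    _, rt = SUBNETS[subnet_name]
    return target_kind(lookup(rt, dst))


def sg_allows(ingress, proto, port, src):
    """Security groups are allow-lists: unmatched traffic is dropped."""
    addr = ip_address(src)
    return any(p == proto and lo <= port <= hi and addr in net
               for p, lo, hi, net in ingress)


def reachable_from_internet(subnet_name, has_public_ip, ingress, proto, port, src):
    """Unsolicited inbound needs a public IP, an IGW route for the return path
    (a NAT Gateway never accepts new inbound connections) and a matching SG rule."""
    if not has_public_ip or not is_public(subnet_name):
        return False
    return sg_allows(ingress, proto, port, src)


if __name__ == "__main__":
    print("public-a -> 10.0.2.7:", outbound_path("public-a", "10.0.2.7"))
    print("private-a -> 198.51.100.20:", outbound_path("private-a", "198.51.100.20"))
    for name in SUBNETS:
        print(name, "public" if is_public(name) else "private")
    print("web 443 from internet:",
          reachable_from_internet("public-a", True, WEB_SG_INGRESS, "tcp", 443, "203.0.113.5"))
    print("db 3306 from internet:",
          reachable_from_internet("private-a", True, WEB_SG_INGRESS, "tcp", 3306, "203.0.113.5"))
```

Running the script shows the private subnet reaching the internet via the NAT Gateway for updates while remaining unreachable from outside, and the public web server accepting only ports 80 and 443 even though its subnet is internet-facing. The same classification logic (any route to an igw- target) is what you would use to audit an account for subnets that are unintentionally public.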