Confused by AWS VPCs and Security Groups and Subnets? Read this.
The diagram above is taken from the AWS official tutorial.
What is VPC?
Think of a VPC as the traditional network in your own data centre or server room in the old days. In AWS, the VPC is the entry point for reaching any AWS service in the account. A VPC is your private network within AWS, and it isolates your resources from everyone else’s.
Rule of thumb:
Use a VPC to connect to AWS services privately, without an internet gateway or NAT device.
Use an internet gateway to connect your VPC to the internet.
When creating a VPC, we have to associate an IP address range with it (this is called the CIDR block; read about it). IP addresses let resources in your VPC communicate with each other and with resources on the internet.
Internet Gateway (IGW)
An internet gateway is a component of the VPC that enables communication between the internet and the VPC.
Subnets
I will not bore you with terminology. As I said earlier, when creating a VPC we provided a range of IP addresses. To further secure our AWS resources, we create subnets whose ranges fall within the VPC's IP range.
Say the VPC has 65,536 IPv4 addresses. We create different subnets based on business use cases (for example, to protect financial data, we can create a subnet with a specific IP address range).
Read up on CIDR calculators to understand how the IP address range is calculated and assigned.
So, we can have three, four or more subnets, depending on our needs. We should create and use subnets.
This brings us to the types of subnets.
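To make the CIDR arithmetic concrete, here is an added Python example (not from the original article and not AWS code) that checks a subnet plan against a VPC's /16 range: every subnet must sit inside the VPC block, subnet masks must be between /16 and /28, subnets must not overlap, and AWS reserves five addresses in every subnet, so a /24 yields 251 usable hosts. The VPC range and the subnet plan are constructed sample values.

```python
import ipaddress

# Constructed sample values: a VPC /16 (65,536 addresses) and a subnet plan.
VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]

# AWS reserves five addresses in every subnet: the network address, the VPC
# router, the DNS server, one address for future use and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def plan_errors(vpc_cidr, subnet_cidrs):
    """Return a list of problems with the plan (an empty list means it is valid)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    errors = []
    for n in nets:
        if not n.subnet_of(vpc):
            errors.append(f"{n} is not inside VPC {vpc}")
        elif not 16 <= n.prefixlen <= 28:
            errors.append(f"{n}: AWS subnet masks must be between /16 and /28")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                errors.append(f"{a} overlaps {b}")
    return errors


def usable_hosts(subnet_cidr):
    """Addresses an instance can actually be assigned in this subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def remaining_space(vpc_cidr, subnet_cidrs):
    """CIDR blocks of the VPC that are still free after the plan, in address order."""
    errors = plan_errors(vpc_cidr, subnet_cidrs)
    if errors:
        raise ValueError("; ".join(errors))
    free = [ipaddress.ip_network(vpc_cidr)]
    for n in (ipaddress.ip_network(c) for c in subnet_cidrs):
        updated = []
        for block in free:
            # address_exclude yields the pieces of `block` that are not in `n`
            updated.extend(block.address_exclude(n) if n.subnet_of(block) else [block])
        free = updated
    return [str(b) for b in sorted(free)]


if __name__ == "__main__":
    print("plan errors:", plan_errors(VPC_CIDR, SUBNET_PLAN))
    for cidr in SUBNET_PLAN:
        print(f"{cidr}: {usable_hosts(cidr)} usable addresses")
    print("free blocks:", remaining_space(VPC_CIDR, SUBNET_PLAN))
```

Running it shows the three /24 subnets are valid, each offers 251 usable addresses, and the rest of the /16 is still available as seven larger blocks starting at 10.0.3.0/24, which is the kind of check worth doing before a plan is applied, since a subnet's CIDR cannot be changed afterwards.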
Public Subnet:
Via an entry in its route table, a public subnet can communicate with the internet gateway.
For example, if an application's load balancer needs to be reachable from the internet, we can use a public subnet to host the ALB.
Private Subnet:
A private subnet doesn’t allow access to or from the internet. That lack of internet access provides an additional layer of security.
For example, we can place RDS databases in a private subnet, since they belong to the company's internal network and don’t need public internet access.
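What actually makes a subnet public or private is its route table, so the following added Python example (not the article's code and not AWS code; every resource ID is a made-up placeholder) models three route tables and classifies each subnet by whether its default route points at an internet gateway. Route lookup uses longest-prefix match, as AWS route tables do. It goes slightly beyond the text by also recognising a NAT gateway route, which gives a private subnet outbound-only access.

```python
import ipaddress

# Constructed example: three route tables and the subnets attached to them.
# All resource IDs are made-up placeholders, not from any real account.
ROUTE_TABLES = {
    "rtb-public": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "igw-0123456789abcdef0"},
    ],
    "rtb-private": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "nat-0123456789abcdef0"},
    ],
    "rtb-isolated": [
        {"destination": "10.0.0.0/16", "target": "local"},
    ],
}
SUBNET_ROUTE_TABLE = {
    "subnet-alb": "rtb-public",    # hosts the load balancer
    "subnet-app": "rtb-private",   # application servers
    "subnet-db": "rtb-isolated",   # databases
}


def next_hop(route_table, dst_ip):
    """Pick the route with the longest matching prefix, as an AWS route table does."""
    ip = ipaddress.ip_address(dst_ip)
    best_len, best_target = -1, None
    for route in route_table:
        net = ipaddress.ip_network(route["destination"])
        if ip in net and net.prefixlen > best_len:
            best_len, best_target = net.prefixlen, route["target"]
    return best_target


def is_public(subnet_id):
    """Public means: the subnet's route table sends 0.0.0.0/0 to an internet gateway."""
    routes = ROUTE_TABLES[SUBNET_ROUTE_TABLE[subnet_id]]
    return any(r["destination"] == "0.0.0.0/0" and r["target"].startswith("igw-")
               for r in routes)


def internet_exposure(subnet_id):
    """Classify how traffic to an internet address (198.51.100.7, a documentation
    address) leaves the subnet: via the IGW, via NAT, or not at all."""
    hop = next_hop(ROUTE_TABLES[SUBNET_ROUTE_TABLE[subnet_id]], "198.51.100.7")
    if hop is None:
        return "no internet route"
    if hop.startswith("igw-"):
        return "public: reachable from and to the internet"
    if hop.startswith("nat-"):
        return "private with NAT: outbound only"
    return "private"


def audit():
    """One line per subnet, the view a reviewer wants when checking exposure."""
    return {s: internet_exposure(s) for s in SUBNET_ROUTE_TABLE}


if __name__ == "__main__":
    for subnet, exposure in audit().items():
        print(f"{subnet}: {exposure}")
```

The useful habit this encodes: never trust a subnet's name or tag to tell you whether it is public; look at the route table it is associated with. A database subnet whose route table quietly gained an igw- default route is public, whatever it is called.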
Security Groups:
Within a VPC, security groups act as a virtual firewall, meaning you control who (by source IP address and port) is allowed to access your AWS resources.
You will hear the terms inbound rules and outbound rules.
Inbound: traffic from outside the AWS network to your AWS resources.
Outbound: traffic from your AWS resource to resources on the internet (outside the AWS network).
Rule of thumb: security groups work at the instance level.
e.g. your EC2 instance, your Lambda function, etc.
What if you want to block a specific IP address at the subnet level rather than at the instance level? That is where a NACL comes in handy.
NACL: a network access control list applies to an entire subnet, which contains multiple instances. This means the rules you define in a NACL affect all resources within that subnet.
A NACL comes in handy when an attack happens and you want a quick way to mitigate the risk.
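The difference between a security group and a NACL is easiest to see by evaluating the same connection against both, so here is an added Python example covering both the security group and the NACL sections above (not from the article and not AWS code; the rules and addresses are constructed, using RFC 5737 documentation ranges). It implements the two evaluation models: a security group is allow-only and stateful, so it can never block one specific source while leaving a port open to everyone else; a NACL is an ordered list of numbered allow/deny rules where the first match wins, and it is stateless, so reply traffic on ephemeral ports must be allowed explicitly. The low-numbered deny rule is the "quick block at the subnet level" the text describes.

```python
import ipaddress

# Constructed example rules. IP ranges come from the RFC 5737 documentation
# blocks (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), not real hosts.

# Security group attached to a web server: allow-only and stateful.
SG_WEB = {
    "inbound": [
        {"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"},       # HTTPS from anywhere
        {"proto": "tcp", "port": 22, "cidr": "203.0.113.0/24"},   # SSH from the office range
    ],
    "outbound": [
        {"proto": "-1", "port": None, "cidr": "0.0.0.0/0"},        # AWS default: allow all
    ],
}


def sg_allows(sg, direction, proto, port, remote_ip):
    """Security groups have no deny rules: traffic passes if any rule matches.
    Return traffic for an allowed connection is permitted automatically (stateful),
    so only the direction that opens the connection needs checking."""
    ip = ipaddress.ip_address(remote_ip)
    for rule in sg[direction]:
        if (rule["proto"] in ("-1", proto)
                and rule["port"] in (None, port)
                and ip in ipaddress.ip_network(rule["cidr"])):
            return True
    return False


# NACL on the public subnet: numbered rules evaluated lowest number first,
# first match wins, explicit allow or deny, and an implicit '*' deny at the end.
# Stateless: replies must be allowed explicitly, hence the ephemeral-port rules.
NACL_PUBLIC = {
    "inbound": [
        # (rule number, action, protocol, (port from, port to), remote CIDR)
        (50, "deny", "-1", (0, 65535), "198.51.100.23/32"),   # emergency block of one source
        (100, "allow", "tcp", (443, 443), "0.0.0.0/0"),       # HTTPS from anywhere
        (110, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),    # replies to our outbound connections
    ],
    "outbound": [
        (100, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),    # replies to inbound clients
        (110, "allow", "tcp", (443, 443), "0.0.0.0/0"),       # outbound HTTPS
    ],
}


def nacl_allows(nacl, direction, proto, port, remote_ip):
    """Walk the rules in numeric order; the first matching rule decides."""
    ip = ipaddress.ip_address(remote_ip)
    for _number, action, rproto, (lo, hi), cidr in sorted(nacl[direction]):
        if (rproto in ("-1", proto)
                and lo <= port <= hi
                and ip in ipaddress.ip_network(cidr)):
            return action == "allow"
    return False  # the implicit '*' rule denies anything unmatched


def inbound_connection_allowed(nacl, sg, proto, port, client_ip, client_port):
    """A new connection from the internet must pass the subnet NACL inbound,
    then the instance security group; its reply must pass the NACL outbound
    (the security group lets the reply through statefully)."""
    return (nacl_allows(nacl, "inbound", proto, port, client_ip)
            and sg_allows(sg, "inbound", proto, port, client_ip)
            and nacl_allows(nacl, "outbound", proto, client_port, client_ip))


def who_can_block(client_ip):
    """Show which layer can reject HTTPS from one specific client."""
    return {
        "security_group_allows": sg_allows(SG_WEB, "inbound", "tcp", 443, client_ip),
        "nacl_allows": nacl_allows(NACL_PUBLIC, "inbound", "tcp", 443, client_ip),
    }


if __name__ == "__main__":
    print("ordinary client:", inbound_connection_allowed(NACL_PUBLIC, SG_WEB, "tcp", 443, "192.0.2.10", 51515))
    print("blocked source:", who_can_block("198.51.100.23"))
```

The second print shows the point of the NACL: the security group still says "allow" for the blocked source, because the HTTPS rule is open to 0.0.0.0/0 and security groups cannot express a deny; only the subnet-level rule 50 rejects it. The example also shows the usual NACL pitfall: forgetting the ephemeral-port outbound rule breaks every inbound connection even though both inbound layers allow it.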
Now you know the basic jargon used in AWS development. As a developer, it’s good to know how data flows from the internet to your AWS resources.
That’s all for now. Understanding small details can set us apart from our colleagues. If you have come this far, I hope you liked this article; you can encourage me with a clap.