Playing with VPC AWS (Part 1): VPC, Subnet, Internet Gateway, Route Table, NAT, and Security Group

VPC Amazon

Nowadays, most applications run in the cloud. Mid-sized and enterprise organizations keep developing cloud-based software to run their business. Using a VPC brings many benefits, including easier collaboration, improved productivity, and cost savings.

In this post, we are going to discuss VPC. Since the article is long, I have divided it into two parts. In Part 1, we discuss the definition of VPC, its usage, the differences between shared hosting, VPS and VPC, and how to configure a VPC. In Part 2, we will discuss how to create an instance with the VPC configuration we have set up.

What is VPC?

A Virtual Private Cloud is a virtual network, like one you would operate in your own data center or private cloud, that runs inside a public cloud. With a VPC, we control its resources according to our needs, for example choosing private IP ranges, creating subnets, configuring route tables, defining security groups, and so on.

Many providers offer VPCs, such as AWS, Alibaba, Google, and DigitalOcean. In this post, however, I use AWS, since it is widely used, well known, and well documented.

Shared Hosting vs VPS vs VPC

Let’s start with terms you may have heard before: shared hosting and VPS. What is the difference between them?

Shared hosting is the most popular service for a user who wants to build a first, small website. It is cheap and easy to use. Many users share the same IP address but have different virtual home directories, which means they share the resources and capacity of the server. If one website consumes a lot of resources, it can affect the other users too. The service provider takes care of the security, upgrades, and maintenance of the server.

A Virtual Private Server (VPS) is a kind of hosting in which the resources of one physical server are divided into smaller virtual servers. Each virtual server runs as a dedicated server. The difference from shared hosting lies in resource distribution: in a VPS, each server is independent and is not affected by other users. In addition, it gives us the flexibility to configure the server to our needs.

Now let’s take a look at the Virtual Private Cloud (VPC). A VPC is better for applications with fluctuating demand, while a VPS is more suitable for applications with steady usage. A VPC virtualizes compute, storage, and network resources so that they are available to multiple VPSs. It offers more granular control than a VPS, which is why its users are typically mid-sized or enterprise organizations.


Use Case

Let’s say we want to build an application in a public subnet (connected to a NAT device) that can be reached from the internet through an internet gateway. We also want a database isolated from the internet (in a private subnet), located in a different availability zone, that can only be called by the application. To achieve this, we need to configure a security group for each entity.

Let’s play with VPC

Create VPC

  • First, log in to the AWS dashboard (register if you do not have an AWS account yet).
  • In the AWS Management Console, choose VPC (under Networking & Content Delivery); it redirects you to the VPC management console.
  • Go to Your VPCs and click the Create VPC button on the top right.
  • Fill in the VPC name and IPv4 CIDR block. The IPv4 CIDR block is the IP range of your VPC, for example 11.0.0.0/16. The CIDR block size must be between a /16 and a /28 netmask. Then submit it.
  • Once the VPC is created, AWS generates a default route table for it.

Create Subnet

  • Choose the Subnets menu on the left and click the Create subnet button on the top right.
  • Choose the VPC that you created before.
  • Create your first public subnet; we will run our application on this subnet and connect it to the internet. Fill in the subnet name, availability zone, and IPv4 CIDR block for this subnet (in this case, 11.0.1.0/24). Note that the block must lie within the VPC IPv4 CIDR.
  • Create a private subnet, which will not be connected to the internet, in a different availability zone; we will run our database on this subnet. Fill in the subnet name, availability zone, and IPv4 CIDR block for this subnet (in this case, 11.0.2.0/24). Click Create subnet.
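The two CIDR rules in the steps above (a VPC block between /16 and /28, and subnets that fit inside it) are easy to check before touching the console. The following Python is an added example, not part of the original post; it uses the post's addresses and the standard library's ipaddress module, and goes one step further by also rejecting subnets that overlap each other.

```python
import ipaddress

# Constructed addressing plan: the values used in this post.
VPC_CIDR = "11.0.0.0/16"
SUBNETS = {"public": "11.0.1.0/24", "private": "11.0.2.0/24"}

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def validate_block(cidr, label):
    """Parse a CIDR and enforce the /16 to /28 netmask rule from the post."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{label} {cidr}: netmask must be between /16 and /28")
    return net


def validate_subnets(vpc_cidr, subnets):
    """Check every subnet sits inside the VPC block and that none overlap.

    Returns {subnet name: usable host addresses} for a valid plan.
    """
    vpc = validate_block(vpc_cidr, "VPC")
    accepted = {}
    for name, cidr in subnets.items():
        net = validate_block(cidr, f"subnet {name}")
        if not net.subnet_of(vpc):
            raise ValueError(f"subnet {name} {cidr} is outside VPC block {vpc}")
        for other_name, other in accepted.items():
            if net.overlaps(other):
                raise ValueError(f"subnet {name} {cidr} overlaps {other_name} {other}")
        accepted[name] = net
    return {n: net.num_addresses - AWS_RESERVED_PER_SUBNET
            for n, net in accepted.items()}


if __name__ == "__main__":
    print(validate_subnets(VPC_CIDR, SUBNETS))  # {'public': 251, 'private': 251}
    try:  # a subnet from another range never fits inside 11.0.0.0/16
        validate_subnets(VPC_CIDR, {"stray": "12.0.1.0/24"})
    except ValueError as err:
        print("rejected:", err)
```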

Create Internet Gateway

The next step is to create an internet gateway. An internet gateway allows communication between the instances in your VPC and the internet. Follow the steps below:

  • Choose the Internet Gateways menu and click the Create internet gateway button on the top right.
  • Fill in your internet gateway name and click the Create internet gateway button.
  • Once the internet gateway is created, you need to attach it to your VPC. Click the Attach to VPC button on the top.
  • Choose the VPC that you created before and click the Attach internet gateway button.

Create Route Table

A route table contains a set of rules (routes) that determine where network traffic is directed. In our case, it controls the subnets that we created. A subnet can be associated with only one route table, but one route table can be associated with multiple subnets. Follow the steps below:

  • Choose the Route Tables menu; it shows your Main route table. Create another one by clicking the Create route table button.
  • Set your route table name and select your VPC. After that, click the Create route table button.
  • Once it is created, on the Routes tab, click the Edit routes button on the top right.
  • Since we want to connect our VPC to the internet, add the destination 0.0.0.0/0 and choose the internet gateway that we created as its target. Then click Save changes.
  • On the Subnet associations tab, click the Edit subnet associations button on the top right.
  • Choose your public subnet and click Save associations. At this point, your public subnet is connected to the internet.

Create Elastic IP Address and NAT Gateway

Now, users need to know your application’s address, so we need to create an Elastic IP and translate it with a NAT gateway. An Elastic IP is different from a public IP. When an instance is terminated, its public IP is released and a different IP is used once the instance is restarted. An Elastic IP address, on the other hand, remains the same even if the instance is terminated or restarted, until we release it.

Follow the steps below:

  • Choose the Elastic IPs menu and click the Allocate Elastic IP address button on the top right.
  • Choose the pool that you want to use. In this case, I use Amazon’s default pool.
  • Once you click Allocate, it gives you the IP, for example 3.21.203.94.
  • Then, choose the NAT Gateways menu and click the Create NAT gateway button on the top right.
  • Fill in your NAT gateway name, select your public subnet, and attach your EIP. Then click the Create NAT gateway button.

Point Main Route Table to NAT

At this point, incoming traffic to your EIP is mapped to a private IP in the public subnet. Now we need to connect the public subnet to the private subnet by updating the Main route table.

  • Choose the Route tables menu and tick the Main route table.
  • On the Routes tab, click the Edit routes button on the top right.
  • Choose your NAT device as the target and click Save changes.
  • By default, subnets that have not been explicitly associated with any route table are associated with the main route table. So the private subnet that we created is automatically associated with the main route table.
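The routing behaviour described in the last two sections (a local route for the VPC block in every table, the 0.0.0.0/0 routes we added by hand, and the fallback of unassociated subnets to the main table) as an added Python model; this is not code from the original post, and the igw-/nat- ids are placeholders, not real resources.

```python
import ipaddress

# Constructed model of this post's route tables. AWS puts the "local" route for
# the VPC block in every route table; the 0.0.0.0/0 rows are the ones we added.
# Gateway ids are placeholders, not real resources.
ROUTE_TABLES = {
    "rtb-public": [("11.0.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
    "rtb-main":   [("11.0.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")],
}
MAIN_ROUTE_TABLE = "rtb-main"
# Explicit subnet associations; anything missing here uses the main table.
ASSOCIATIONS = {"11.0.1.0/24": "rtb-public"}


def route_table_for(subnet_cidr):
    """Implicit association: unlisted subnets (our private one) use the main table."""
    return ASSOCIATIONS.get(subnet_cidr, MAIN_ROUTE_TABLE)


def next_hop(route_table_id, dst_ip):
    """Longest-prefix match over one route table; None when nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in ROUTE_TABLES[route_table_id]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def egress_target(src_subnet_cidr, dst_ip):
    """Where traffic leaving src_subnet_cidr for dst_ip is sent."""
    return next_hop(route_table_for(src_subnet_cidr), dst_ip)


if __name__ == "__main__":
    for subnet, dst in (("11.0.1.0/24", "8.8.8.8"), ("11.0.2.0/24", "8.8.8.8"),
                        ("11.0.2.0/24", "11.0.1.10")):
        print(subnet, "->", dst, "via", egress_target(subnet, dst))
```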

Create Security Group

These route configurations are not enough. We need another layer to secure our traffic, called a security group. A security group is a virtual firewall that controls the traffic of one or more instances. We can define rules that allow or disallow traffic between instances. Follow these steps:

  • Under the Security menu, choose Security Groups. There is already one default security group; let’s create another one for the web server application by clicking the Create security group button.
  • Fill in the security group name (for example WBT_11_WEBSERVER) and description, and choose the VPC that we created.
  • In this case I allow traffic from anywhere (0.0.0.0/0) for the types HTTP, HTTPS, and SSH. You can customize your rules here. Then click the Create security group button.
  • Let’s create another security group for the DB server. Click the Create security group button once again.
  • Fill in the security group name (for example WBT_11_DBSERVER) and description, and choose the VPC that we created.
  • As mentioned before, we will run the DB in our private subnet, and it can be called only from our web server application. In this example I choose PostgreSQL as the type, and as the source I put the security group id of the web server that we created before. I added an SSH rule as well, to make it more fun 🙂
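The two groups above as an added Python model (not code from the original post; the sg- ids are placeholders) that evaluates whether an inbound flow is accepted and lists which ports a group opens to the whole internet. It assumes the DB group's SSH rule uses the web-server group as its source, since the post does not say.

```python
import ipaddress
from typing import Optional

# Constructed rule set mirroring the two groups in this post (ids are
# placeholders). A source is either a CIDR or the id of another group.
# The DB group's SSH rule is assumed to use the web-server group as source.
SECURITY_GROUPS = {
    "sg-web": [("tcp", 80, "0.0.0.0/0"),    # WBT_11_WEBSERVER
               ("tcp", 443, "0.0.0.0/0"),
               ("tcp", 22, "0.0.0.0/0")],
    "sg-db": [("tcp", 5432, "sg-web"),      # WBT_11_DBSERVER
              ("tcp", 22, "sg-web")],
}


def inbound_allowed(sg_id: str, src_ip: str, src_sg: Optional[str],
                    proto: str, port: int) -> bool:
    """Return True if any inbound rule of the group matches the flow.

    A rule whose source is a group id matches every instance in that group,
    whatever its private IP; src_sg is None for traffic from the internet.
    """
    src = ipaddress.ip_address(src_ip)
    for rule_proto, rule_port, source in SECURITY_GROUPS[sg_id]:
        if rule_proto != proto or rule_port != port:
            continue
        if source.startswith("sg-"):
            if src_sg == source:
                return True
        elif src in ipaddress.ip_network(source):
            return True
    return False


def exposed_to_internet(sg_id: str) -> list:
    """Ports a group accepts from 0.0.0.0/0; the list to review before go-live."""
    return sorted(port for _, port, source in SECURITY_GROUPS[sg_id]
                  if not source.startswith("sg-")
                  and ipaddress.ip_network(source).prefixlen == 0)


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for an internet client.
    print(inbound_allowed("sg-web", "203.0.113.10", None, "tcp", 443))   # True
    print(inbound_allowed("sg-db", "203.0.113.10", None, "tcp", 5432))   # False
    print(inbound_allowed("sg-db", "11.0.1.10", "sg-web", "tcp", 5432))  # True
    print(exposed_to_internet("sg-web"), exposed_to_internet("sg-db"))   # [22, 80, 443] []
```

The last line is the check worth keeping around: it shows at a glance that the web group exposes port 22 to the internet alongside 80 and 443, while the DB group exposes nothing.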

Conclusion

In this article, we discussed how to create a VPC, subnets, an internet gateway, route tables, a NAT device, and security groups. At this point, we have built the network skeleton for the instances we want to deploy (web server and DB). Creating those instances and connecting them to everything set up here will be presented in the next article, Playing with VPC AWS (Part 2).
