Virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC. When you create a VPC, you must specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block; for example, 10.0.0.0/16. This is the primary CIDR block for your VPC.
You can easily customize the network configuration for your Amazon VPC. For example, you can create a public-facing subnet for your web servers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.
Additionally, you can create a Hardware Virtual Private Network (VPN) connection between your corporate data center and your VPC and leverage the AWS Cloud as an extension of your corporate data center.
For example, in this graphic the two subnet networks are isolated: one of them has access to the internet (for example, apps for users); the other subnet doesn't have that access (company servers and data).
If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet. In diagram A, subnet 1 is a public subnet. If you want your instance in a public subnet to communicate with the internet over IPv4, it must have a public IPv4 address or an Elastic IP address.
If a subnet doesn't have a route to the internet gateway, the subnet is known as a private subnet. In this diagram, subnet 2 is a private subnet.
A VPC can have multiple Availability Zones, but a subnet is mapped to only a single Availability Zone.
You can use the default VPC, but we don't suggest that, for several reasons. With your own VPC:
- You will have a more secure network
- You can customize your virtual network
- You can define your own IP address range
By default, instances that you launch into your VPC cannot communicate with your own network, but you can connect to your data center using what is called Hardware VPN access.
To do this you will need a Virtual Private Gateway (VGW); this is the VPN concentrator on the Amazon side.
On your side, in the data center, you will need a Customer Gateway (CGW); this is a physical device or software application that sits on your side of the VPN connection.
- To create a VPN connection, a VPN tunnel comes up when traffic is generated on your side of the connection
- The VGW is not the initiator; the CGW must initiate the tunnel
- If the VPN experiences a period of idle time, usually 10 seconds depending on the configuration, the tunnel may go down. To prevent this, use a network monitoring tool to generate keep-alive pings, for example by using IP SLA
- If you delete a virtual VPC you will need to contact Amazon to get it back again
We need to understand the VPC peering connection.
Diagram B
In this graphic, VPC A can communicate with B and C, but VPC B and C can NOT communicate with each other unless they are directly peered. Besides that, VPCs with overlapping subnets (the same IP ranges) can NOT be peered.
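The two peering rules above (no transitive peering, and no peering between overlapping address ranges) are easy to check mechanically before opening a peering request. The following Python script is an added example, not code from the original post or from AWS; the VPC names, CIDR blocks and peering list are constructed for the example, and it models VPCs as plain CIDR strings instead of calling the AWS API.

```python
import ipaddress
from itertools import combinations

# Constructed topology for this example (not from the original post). VPC A is
# peered with B and with C; B and C have no peering between them. VPC D's block
# lies inside A's block, so a peering between A and D would be rejected.
VPCS = {
    "vpc-a": "10.0.0.0/16",
    "vpc-b": "10.1.0.0/16",
    "vpc-c": "10.2.0.0/16",
    "vpc-d": "10.0.128.0/17",
}
PEERINGS = {("vpc-a", "vpc-b"), ("vpc-a", "vpc-c")}


def cidrs_overlap(cidr_1, cidr_2):
    """True when the two IPv4 ranges share at least one address."""
    return ipaddress.ip_network(cidr_1).overlaps(ipaddress.ip_network(cidr_2))


def can_peer(vpcs, left, right):
    """A peering connection can only be created between two distinct VPCs
    whose CIDR blocks do not overlap."""
    if left == right:
        return False
    return not cidrs_overlap(vpcs[left], vpcs[right])


def directly_peered(peerings, left, right):
    """Peering is not transitive: traffic only flows over a direct connection."""
    return (left, right) in peerings or (right, left) in peerings


def can_talk(vpcs, peerings, src, dst):
    """Two VPCs exchange traffic only when they are directly (and validly) peered.
    Sharing a peer, as B and C share A in the diagram, gives them no path."""
    return directly_peered(peerings, src, dst) and can_peer(vpcs, src, dst)


def invalid_peerings(vpcs, peerings):
    """Peerings whose VPCs have overlapping CIDR blocks; AWS would refuse these."""
    return sorted(p for p in peerings if not can_peer(vpcs, *p))


def reachability_matrix(vpcs, peerings):
    """Map every unordered pair of VPCs to whether traffic can flow between them."""
    return {frozenset(pair): can_talk(vpcs, peerings, *pair)
            for pair in combinations(sorted(vpcs), 2)}


if __name__ == "__main__":
    matrix = reachability_matrix(VPCS, PEERINGS)
    for pair in sorted(matrix, key=sorted):
        left, right = sorted(pair)
        print(f"{left} <-> {right}: {'reachable' if matrix[pair] else 'no path'}")
    proposed = PEERINGS | {("vpc-a", "vpc-d")}
    print("rejected peerings:", invalid_peerings(VPCS, proposed))
```

Running it prints, for every pair of VPCs, whether traffic can flow: vpc-b and vpc-c show no path even though both are peered with vpc-a, and the proposed vpc-a/vpc-d peering is listed as rejected because 10.0.128.0/17 lies inside 10.0.0.0/16.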
Elastic IP Addresses
Choose your region:
Go to Console, then Network, then VPC.
Check VPC; you will find the default one.
We will create a new VPC
We will choose the name My-VPC and the CIDR block we mentioned before, and we will not choose dedicated tenancy (better performance, but a more expensive option).
We check on our recently created VPC and verify the information
There is no subnet associated with the VPC we just created. A subnet is required to launch our instances.
We will try to launch new instances using EC2.
We will choose an instance
We will need to create a subnet...
Remember this:
When you terminate an instance, its public IP address is released; you get a new associated IP address when the new instance starts.
To retain an IP address you will need an Elastic IP address. It remains in your account until you decide to release it. AWS will charge you if you have an Elastic IP address that is not associated with an instance.
We will now show how to create an Elastic IP address, to be associated later with the NAT gateway.
So we are back in the AWS Console.
We will choose Elastic IP
We will choose to allocate a new address
We will verify what kind of new instance we will create, and then allocate it
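Because an allocated Elastic IP address that is not associated with anything is still billed, it is worth checking for idle addresses regularly. The script below is an added example, not from the original post or from AWS; it runs over a constructed list shaped like the output of `aws ec2 describe-addresses` (made-up ids, addresses from the 203.0.113.0/24 documentation range) rather than calling the API, and it shows why the check should look at the association and not just the instance id: the address we allocate for the NAT gateway gets attached to a network interface, with no instance.

```python
# Constructed sample in the shape returned by `aws ec2 describe-addresses`,
# trimmed to the fields used here. Ids and addresses are made up.
ADDRESSES = [
    {   # associated with a running instance: in use
        "PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0a1", "Domain": "vpc",
        "AssociationId": "eipassoc-0a1", "InstanceId": "i-0aaaaaaaaaaaaaaaa",
        "NetworkInterfaceId": "eni-0a1",
    },
    {   # allocated but associated with nothing: billed while idle
        "PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0b2", "Domain": "vpc",
    },
    {   # associated with a NAT gateway's network interface: no InstanceId, but in use
        "PublicIp": "203.0.113.12", "AllocationId": "eipalloc-0c3", "Domain": "vpc",
        "AssociationId": "eipassoc-0c3", "NetworkInterfaceId": "eni-0c3",
    },
]


def is_idle(address):
    """An Elastic IP is idle when it has no association at all. Testing only for
    InstanceId would wrongly flag addresses held by NAT gateways and other ENIs."""
    return "AssociationId" not in address


def idle_addresses(addresses):
    """Addresses that are allocated to the account but attached to nothing."""
    return [a for a in addresses if is_idle(a)]


def in_use_without_instance(addresses):
    """Addresses attached to a network interface rather than directly to an
    instance (the NAT gateway case from this post)."""
    return [a for a in addresses if not is_idle(a) and "InstanceId" not in a]


def report(addresses):
    """One line per address, marking the idle ones that cost money for nothing."""
    lines = []
    for a in addresses:
        if is_idle(a):
            state = "IDLE (billed, not attached)"
        else:
            state = f"in use ({a.get('InstanceId') or a.get('NetworkInterfaceId')})"
        lines.append(f"{a['PublicIp']} {a['AllocationId']}: {state}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(ADDRESSES)))
```

To run the same check against a real account, replace the constructed list with the `Addresses` array from `aws ec2 describe-addresses`; the field names are the ones the CLI returns.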
The netmask of the subnets in the default VPC will always be /20, for example 172.31.0.0/20 and 172.31.16.0/20.
Remember this:
- A private IP address is not reachable through the internet
- A public IP address is reachable on the internet
- An Elastic IP address is a persistent static IP address
Creating a Subnet in Your VPC
To add a new subnet to your VPC, you must specify an IPv4 CIDR block for the subnet from the range of your VPC.
A VPC can have multiple availability zones, but a subnet can have only a single availability zone.
Inside every availability zone, we have a subnet.
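Planning the subnet CIDR blocks described above (each taken from the VPC's range, and none overlapping another) can be checked with the Python standard library before anything is created in the console. This is an added example, not code from the original post; the VPC block 10.0.0.0/16 and the candidate subnets are constructed inputs, and the two AWS constraints it applies beyond the text (subnet sizes between /16 and /28, and five addresses per subnet reserved by AWS) are AWS's documented behaviour.

```python
import ipaddress
from itertools import combinations

# AWS reserves the first four addresses and the last address of every subnet
# (network address, VPC router, DNS, future use, broadcast), so they can never
# be assigned to an instance.
AWS_RESERVED_PER_SUBNET = 5
# AWS accepts subnet blocks between /16 (65536 addresses) and /28 (16 addresses).
LARGEST_PREFIX, SMALLEST_PREFIX = 16, 28

# Constructed inputs for this example: the VPC block used in the post and a
# few candidate subnets, two of which are deliberately wrong.
VPC_CIDR = "10.0.0.0/16"
PLAN = ["10.0.1.0/24", "10.0.2.0/24", "10.0.1.128/25", "10.1.0.0/24"]


def validate_subnet_plan(vpc_cidr, subnet_cidrs):
    """Return a list of problems (empty when the plan is valid): every subnet must
    lie inside the VPC block, have an allowed size, and not overlap another subnet."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = []
    for net in subnets:
        if not net.subnet_of(vpc):
            problems.append(f"{net} is not inside the VPC block {vpc}")
        if not LARGEST_PREFIX <= net.prefixlen <= SMALLEST_PREFIX:
            problems.append(f"{net} is outside the allowed /16../28 size range")
    for left, right in combinations(subnets, 2):
        if left.overlaps(right):
            problems.append(f"{left} overlaps {right}")
    return problems


def usable_hosts(subnet_cidr):
    """Addresses an instance can actually be given in the subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def carve_subnets(vpc_cidr, new_prefix, count):
    """Take the first `count` equal-sized, non-overlapping subnets of the VPC
    block, for example one per availability zone."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [str(net) for net, _ in zip(vpc.subnets(new_prefix=new_prefix), range(count))]
    if len(nets) < count:
        raise ValueError(f"{vpc} only holds {len(nets)} /{new_prefix} subnets")
    return nets


if __name__ == "__main__":
    for problem in validate_subnet_plan(VPC_CIDR, PLAN):
        print("problem:", problem)
    for net in carve_subnets(VPC_CIDR, 24, 2):
        print(f"{net}: {usable_hosts(net)} usable addresses")
```

With the constructed plan the checker reports that 10.1.0.0/24 is outside the VPC block and that 10.0.1.128/25 overlaps 10.0.1.0/24; the carved /24 subnets each leave 251 usable addresses after AWS's five reserved ones.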
We will create subnets and put them in our public VPC.
Instances in a public subnet are reachable from the internet, which means traffic from the internet can hit a machine in the public subnet. You normally keep things like web servers in the public subnet.
Instances in a private subnet are not reachable from the internet. For example, you can put a database server in the private subnet and no one can access it from the internet; it is accessible only via instances in a public subnet (the web server).
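The route-table rule stated at the start of this post (a subnet is public when its traffic is routed to an internet gateway, private otherwise) and the reachability description above can be turned into a small audit of an existing VPC. The script below is an added example, not from the original post or from AWS; it works on a constructed list shaped like the output of `aws ec2 describe-route-tables` (made-up subnet, route-table and gateway ids) instead of querying an account, and it honours the fact that a subnet with no explicit association uses the VPC's main route table.

```python
# Constructed sample in the shape returned by `aws ec2 describe-route-tables`,
# trimmed to the fields used here. All ids are made up for this example.
ROUTE_TABLES = [
    {   # the VPC's main route table: subnets with no explicit association use it
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True, "RouteTableId": "rtb-main"}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # subnet-1: default route to an internet gateway, so a public subnet
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-1"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0"},
        ],
    },
    {   # subnet-3: default route through a NAT gateway, private but with egress
        "RouteTableId": "rtb-private-nat",
        "Associations": [{"Main": False, "SubnetId": "subnet-3"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0123456789abcdef0"},
        ],
    },
]
SUBNET_IDS = ["subnet-1", "subnet-2", "subnet-3"]   # subnet-2 has no explicit association


def route_table_for(subnet_id, route_tables):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for table in route_tables:
        for assoc in table["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    if main is None:
        raise ValueError("no main route table in input")
    return main


def internet_egress(route_table):
    """'igw' if any route targets an internet gateway, 'nat' if the only way out
    is a NAT gateway, None if nothing leaves the VPC."""
    kinds = set()
    for route in route_table["Routes"]:
        if route.get("GatewayId", "").startswith("igw-"):
            kinds.add("igw")
        if "NatGatewayId" in route:
            kinds.add("nat")
    if "igw" in kinds:
        return "igw"
    if "nat" in kinds:
        return "nat"
    return None


def is_public(subnet_id, route_tables):
    """A subnet is public when its route table sends traffic to an internet gateway."""
    return internet_egress(route_table_for(subnet_id, route_tables)) == "igw"


def classify_subnets(subnet_ids, route_tables):
    """Return {subnet_id: 'public' | 'private (nat egress)' | 'private'}."""
    result = {}
    for sid in subnet_ids:
        egress = internet_egress(route_table_for(sid, route_tables))
        result[sid] = {"igw": "public", "nat": "private (nat egress)"}.get(egress, "private")
    return result


if __name__ == "__main__":
    for subnet_id, kind in classify_subnets(SUBNET_IDS, ROUTE_TABLES).items():
        print(f"{subnet_id}: {kind}")
```

A route through a NAT gateway is reported separately: such a subnet stays private (nothing on the internet can reach its instances), but the instances can still initiate outbound connections, which is what the NAT gateway mentioned earlier is for. A database subnet that the script reports as public is the finding to act on.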
We will create them. Let's go to the AWS Console.
We will give a VERY specific name to our subnet; we will show you the reason for that shortly.
Now we will create the private one
We will verify the private and public subnets
In the next chapter we will find out about the internet gateway and how to give them internet access.
VPC-Part 1
Reviewed by ohhhvictor on July 02, 2018