AWS VPC: A Beginner's Complete Guide
Understanding VPC (Virtual Private Cloud)
Virtual Private Cloud (VPC)
A VPC provides a secure, isolated, and controlled network environment in the cloud. It allows you to define your network’s topology, including IP address ranges, subnets, route tables, and gateways, similar to traditional on-premise networks but with cloud scalability and flexibility.
Key Features
CIDR Block
When you create a VPC, you specify a CIDR (Classless Inter-Domain Routing) block to define the IP address range for the entire VPC.
CIDR Range Example: 10.0.0.0/16
Provides 65,536 total IP addresses.
Out of these, 65,531 addresses are usable (5 addresses are reserved by AWS for network purposes).
CIDR (Classless Inter-Domain Routing): A method used to allocate IP addresses and efficiently route IP packets across networks.
Subnets
A subnet is a smaller, segmented part of a VPC that helps organize and isolate resources. Each subnet is associated with a specific CIDR block within the VPC’s CIDR range.
Public Subnet:
Contains resources (e.g., web servers) accessible from the internet.
Its route table must contain a route to an Internet Gateway attached to the VPC; that route is what makes the subnet public.
Private Subnet:
Contains resources (e.g., databases) that are isolated from public internet access.
Requires a NAT Gateway to access the internet indirectly for updates or outbound traffic.
Example:
VPC CIDR Block: 10.0.0.0/16
Public Subnet CIDR: 10.0.1.0/24 (256 IP addresses)
Private Subnet CIDR: 10.0.2.0/24 (256 IP addresses)
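As an added example (not part of the original guide), the following Python script uses the standard `ipaddress` module to check a plan like the one above: it computes usable addresses with the five that AWS reserves in each subnet, lists which addresses those are, and flags subnets that fall outside the VPC block or overlap each other. The /16 to /28 VPC size and the /28 subnet minimum are AWS limits; the subnet names are the guide's.

```python
import ipaddress

# AWS reserves 5 addresses in every subnet: the network address, the VPC
# router (+1), the DNS resolver (+2), one held for future use (+3), and the
# broadcast address (the last one). Offsets into the block, as AWS documents them.
AWS_RESERVED_OFFSETS = (0, 1, 2, 3, -1)

def usable_addresses(cidr):
    """Total addresses in the block minus the 5 that AWS reserves."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - len(AWS_RESERVED_OFFSETS)

def reserved_addresses(cidr):
    """The five addresses an instance can never be assigned in this subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(net[i]) for i in AWS_RESERVED_OFFSETS]

def validate_plan(vpc_cidr, subnets):
    """Return the problems found in a VPC/subnet plan; an empty list means it is sound.
    Checks AWS's size limits (VPC /16 to /28, subnet no smaller than /28), that each
    subnet lies inside the VPC block, and that no two subnets overlap."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC {vpc} must be between /16 and /28")
    seen = {}
    for name, cidr in subnets.items():
        try:  # strict=True rejects a CIDR whose host bits are set, e.g. 10.0.1.5/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
        if net.prefixlen > 28:
            problems.append(f"{name} {net} is smaller than the /28 minimum")
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                problems.append(f"{name} {net} overlaps {other} {other_net}")
        seen[name] = net
    return problems

if __name__ == "__main__":
    plan = {"vpc01-public-subnet": "10.0.1.0/24", "vpc01-private-subnet": "10.0.2.0/24"}
    print("10.0.0.0/16:", usable_addresses("10.0.0.0/16"), "usable addresses")
    for name, cidr in plan.items():
        print(name, cidr, usable_addresses(cidr), "usable; reserved:", reserved_addresses(cidr))
    print(validate_plan("10.0.0.0/16", plan) or "plan is valid")
```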
Route Table
A set of rules (routes) that determine how network traffic is directed within the VPC or to external destinations. Each subnet must be associated with a route table.
Public Subnet Route Table:
- Contains a route to the Internet Gateway to allow public internet access.
Private Subnet Route Table:
- Contains a route to a NAT Gateway for outbound internet access.
Example Routes:
Destination: 0.0.0.0/0 (all traffic)
Target: Internet Gateway (for public subnets) or NAT Gateway (for private subnets).
Internet Gateway and NAT Gateway
Internet Gateway:
A horizontally scaled, redundant, and highly available VPC component that allows resources in public subnets to access the internet.
Must be explicitly attached to the VPC.
NAT Gateway:
Enables resources in private subnets to initiate outbound traffic to the internet while preventing inbound connections.
Requires an Elastic IP address (a static, public IP).
Bastion Host (Jump Host)
- A bastion host is a special-purpose instance used to securely access private instances. It acts as a bridge to the private network.
Implementation Guide
Step 1: Create a VPC
Steps in AWS Console
Go to the VPC Dashboard.
Click on "Create VPC".
Assign a CIDR block (e.g., 10.0.0.0/16).
Select the region (e.g., us-east-1).
Step 2: Create Subnets
Steps in AWS Console
Go to the Subnets section in the VPC Dashboard.
Create a public subnet:
Name: vpc01-public-subnet
CIDR range: 10.0.1.0/24
Enable auto-assign public IP.
Create a private subnet:
Name: vpc01-private-subnet
CIDR range: 10.0.2.0/24
Disable auto-assign public IP.
Step 3: Set Up Internet Connectivity
**For Public Subnet**
Steps in AWS Console
Create an Internet Gateway (e.g., vpc01-internet-gateway).
Attach the Internet Gateway to your VPC.
Create a public route table:
Name: rt-vpc01-public-subnet
Add a route to the Internet Gateway (destination: 0.0.0.0/0).
Associate the public route table with the public subnet.
**For Private Subnet**
Steps in AWS Console
Create a NAT Gateway (e.g., vpc01-nat-gateway):
Place it in the public subnet.
Allocate an Elastic IP for the NAT Gateway.
Create a private route table:
Name: rt-vpc01-private-subnet
Add a route to the NAT Gateway (destination: 0.0.0.0/0).
Associate the private route table with the private subnet.
Step 4: Launch EC2 Instances
Public Instance (Bastion Host)
Steps in AWS Console
Launch an instance in the public subnet.
Name the instance (e.g., vpc01-public-instance).
Enable public IP.
Configure a security group that allows inbound SSH (port 22), restricted to your own IP address rather than open to everyone.
Private Instance
Steps in AWS Console
Launch an instance in the private subnet.
Name the instance (e.g., vpc01-private-instance).
Do not assign a public IP.
Configure a security group to allow SSH access from the bastion host.
Step 5: Configure Bastion Host Access
Steps in AWS Console
Transfer the private instance key to the bastion host.
Set appropriate key permissions on the bastion host.
Use the bastion host to securely access the private instance.
- Transfer the Key:
```bash
# From local machine to bastion host
scp -i bastion-key.pem private-instance-key.pem ubuntu@bastion-public-ip:~/.ssh/
```
- Set Key Permissions:
```bash
# Run on the bastion host: the key must be readable by its owner only
chmod 400 ~/.ssh/private-instance-key.pem
```
- Access Private Instance:
```bash
# Run on the bastion host, which reaches the private subnet over the VPC's local route.
# (ssh -J, ProxyJump, reaches the private instance through the bastion without
# copying the private key onto it.)
ssh -i ~/.ssh/private-instance-key.pem ubuntu@private-instance-ip
```
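The route tables and gateways of Step 3 and the security groups of Step 4 can be checked against each other before anything is launched. This added Python model (not the guide's own code) resolves routes by longest-prefix match, as the VPC router does, and evaluates security-group rules to answer which gateway carries each instance's outbound traffic and whether SSH from the internet or from the bastion reaches each instance. The admin IP 203.0.113.10, the bastion's public IP 198.51.100.7, the instance private IPs and the security-group names are constructed.

```python
import ipaddress

# Constructed model of the guide's two route tables and two security groups;
# names, addresses and targets are illustrative, not real AWS identifiers.
ROUTE_TABLES = {
    "rt-vpc01-public-subnet": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw"},
    "rt-vpc01-private-subnet": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat"},
}
# Inbound rules as (port, source); a source is a CIDR or a security-group name.
SECURITY_GROUPS = {
    "sg-bastion": [(22, "203.0.113.10/32")],  # the admin workstation only
    "sg-private": [(22, "sg-bastion")],       # only instances in sg-bastion
}
# name -> (route table, private IP, public IP or None, security group)
INSTANCES = {
    "vpc01-public-instance": ("rt-vpc01-public-subnet", "10.0.1.10", "198.51.100.7", "sg-bastion"),
    "vpc01-private-instance": ("rt-vpc01-private-subnet", "10.0.2.10", None, "sg-private"),
}

def resolve_route(table, destination):
    """Longest-prefix match, as the VPC router does; None means no route."""
    dst = ipaddress.ip_address(destination)
    matches = [(ipaddress.ip_network(cidr), target)
               for cidr, target in ROUTE_TABLES[table].items()
               if dst in ipaddress.ip_network(cidr)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def sg_allows(sg, port, src_ip, src_sg=None):
    """True if an inbound rule admits the source, by CIDR or by SG reference."""
    src = ipaddress.ip_address(src_ip)
    for rule_port, rule_src in SECURITY_GROUPS[sg]:
        by_sg = rule_src.startswith("sg-")
        if rule_port == port and ((by_sg and rule_src == src_sg)
                                  or (not by_sg and src in ipaddress.ip_network(rule_src))):
            return True
    return False

def ssh_reachable(src_ip, dst_instance, src_sg=None):
    """Can src_ip open TCP/22 to dst_instance? A source outside the VPC needs the
    target to hold a public IP and have an igw route back (a nat route only carries
    connections started inside); a source inside the VPC uses the local route."""
    table, _private_ip, public_ip, sg = INSTANCES[dst_instance]
    if ipaddress.ip_address(src_ip) in ipaddress.ip_network("10.0.0.0/16"):
        path_ok = resolve_route(table, src_ip) == "local"
    else:
        path_ok = public_ip is not None and resolve_route(table, src_ip) == "igw"
    return path_ok and sg_allows(sg, 22, src_ip, src_sg)

def internet_egress(instance):
    """Which gateway carries this instance's outbound traffic to the internet."""
    return resolve_route(INSTANCES[instance][0], "8.8.8.8")
```

Swapping the private route table's `nat` target for `igw` in the model makes `ssh_reachable` report the private instance as exposed as soon as it is given a public IP, which is exactly the misconfiguration the public/private split is meant to prevent.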
Summary
This guide walks through creating a VPC in AWS, defining subnets, route tables and gateways, and launching EC2 instances in both the public and the private network. Happy learning!