Hi Reader,
today's service of the week is Amazon Virtual Private Cloud, better known as VPC.
What's Amazon VPC and why does it matter?
In a nutshell: it lets you define private, isolated virtual networks for your AWS resources. A VPC is where you decide which resources are reachable from the internet, which are reachable only from other parts of your network, and which are not reachable at all. Everything else in this issue (subnets, route tables, NACLs, Security Groups, gateways) is a building block inside the VPC you control.
In this issue, we'll explore: the building blocks of a VPC (CIDR blocks, subnets, route tables, NACLs and Security Groups), how a VPC maps onto regions and availability zones, the difference between Security Groups and NACLs, how to connect a VPC to the internet, and a few real-world architectures.
Let's dive in!
VPC offers the following components to effectively isolate and secure your instances and resources:
1. CIDR Blocks: Your Network Address Space
Your VPC requires a range of IPv4 addresses that attached network interfaces can use. These ranges are defined as Classless Inter-Domain Routing (CIDR) blocks, for example 10.0.0.0/16.
A CIDR block consists of two parts: the prefix (the base address, such as 10.0.0.0) and the prefix length after the slash (/16), which is the number of leading bits that identify the network. The remaining bits identify hosts, so 10.0.0.0/16 covers 65,536 addresses (10.0.0.0 to 10.0.255.255). AWS accepts VPC and subnet blocks between /16 and /28 and reserves the first four and the last address of every subnet. Overlapping blocks cannot be peered or routed to each other later, so pick non-overlapping ranges from the private (RFC 1918) space with room to grow.
2. Subnets: Slicing Your Network
A subnet is a slice of the VPC's CIDR block that lives in one availability zone. Public subnets are used for resources that require Internet access, while private subnets are used for resources that should not be directly accessible from the Internet. Technically the only difference is the route table: a subnet is public when its route table sends 0.0.0.0/0 to an Internet Gateway, and private otherwise.
3. Route Tables: Directing Traffic
VPCs use route tables that contain a set of rules, called routes, which determine where network traffic is directed. Each route has a destination IP range and a target, such as local (traffic that stays inside the VPC), an Internet Gateway, a NAT Gateway, or a Virtual Private Gateway; the most specific matching route wins. Every subnet is associated with exactly one route table. Subnets without an explicit association fall back to the VPC's main route table, which is why the main table should never contain an Internet Gateway route.
4. NACLs: Network-Level Security
Network Access Control Lists (NACLs) act as a firewall at the subnet boundary, controlling inbound and outbound traffic. They allow or deny traffic based on numbered rules.
5. Security Groups: Instance-Level Security
Security Groups control inbound and outbound traffic at the level of the network interface, in practice per instance. They provide granular control over access to resources and can reference other Security Groups as sources, which lets you express "the database accepts connections only from the application tier" without hard-coding IP addresses.
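To make the CIDR arithmetic concrete, here is an added example written for this edit (it is not code from the newsletter or from AWS) that validates a VPC layout with Python's standard ipaddress module. It enforces the /16 to /28 limits, subtracts the five addresses AWS reserves per subnet, checks that the VPC block is RFC 1918 space, that every subnet lies inside the VPC block and that no two subnets overlap, and carves equally sized subnets out of a VPC block. The limits and the reserved-address count are AWS facts; the function names and the sample layout are assumptions of this example.

```python
from __future__ import annotations

import ipaddress
from itertools import islice

# AWS accepts VPC and subnet IPv4 blocks between /16 (65,536 addresses) and /28 (16 addresses).
MIN_PREFIX_LEN = 16
MAX_PREFIX_LEN = 28
# AWS reserves the first four addresses of every subnet (network address, VPC router,
# DNS resolver, future use) plus the last one (broadcast); they cannot be assigned.
AWS_RESERVED_PER_SUBNET = 5
# RFC 1918 private ranges (Python's is_private also counts documentation ranges, so be explicit).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable_hosts(cidr: str) -> int:
    """Addresses you can actually assign to network interfaces in one subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


def validate_vpc_layout(vpc_cidr: str, subnet_cidrs: list[str]) -> list[str]:
    """Return a list of problems with the layout; an empty list means it is valid."""
    problems: list[str] = []
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        return [f"VPC CIDR {vpc_cidr!r} is not a valid network: {exc}"]
    if not MIN_PREFIX_LEN <= vpc.prefixlen <= MAX_PREFIX_LEN:
        problems.append(f"VPC prefix /{vpc.prefixlen} is outside /{MIN_PREFIX_LEN}-/{MAX_PREFIX_LEN}")
    if not any(vpc.subnet_of(block) for block in RFC1918):
        problems.append(f"VPC block {vpc} is not in the RFC 1918 private ranges")

    subnets: list[ipaddress.IPv4Network] = []
    for cidr in subnet_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"subnet CIDR {cidr!r} is not a valid network: {exc}")
            continue
        if not MIN_PREFIX_LEN <= net.prefixlen <= MAX_PREFIX_LEN:
            problems.append(f"subnet {net} prefix /{net.prefixlen} is outside /{MIN_PREFIX_LEN}-/{MAX_PREFIX_LEN}")
        if not net.subnet_of(vpc):
            problems.append(f"subnet {net} is not inside VPC block {vpc}")
        subnets.append(net)

    # Subnets inside one VPC must not overlap, otherwise the 'local' route would be ambiguous.
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")
    return problems


def carve_subnets(vpc_cidr: str, prefix_len: int, count: int) -> list[str]:
    """Carve `count` consecutive /prefix_len subnets out of the VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    carved = list(islice(vpc.subnets(new_prefix=prefix_len), count))
    if len(carved) < count:
        raise ValueError(f"{vpc} has room for only {len(carved)} /{prefix_len} subnets")
    return [str(net) for net in carved]


if __name__ == "__main__":
    # Constructed layout: two availability zones, one public and one private subnet each.
    layout = carve_subnets("10.0.0.0/16", 24, 4)
    print(layout, validate_vpc_layout("10.0.0.0/16", layout), usable_hosts(layout[0]))
```

Run it before creating anything in the console: a /24 subnet yields 251 usable addresses, not 256, and a subnet like 10.0.0.1/24 is rejected because its host bits are set.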
Each VPC is created for a region and always spans across all availability zones. Each availability zone can contain subnets, which are another breakdown of your VPC.
Subnets cannot span multiple availability zones; each subnet lives in exactly one. For redundancy and availability reasons, it is therefore recommended to have at least two subnets per region so that you can place resources in at least two availability zones.
Every AWS account created after the end of 2013 comes with a default VPC per region. Each default VPC has a public subnet in each availability zone, an internet gateway, and DNS resolution enabled. That is convenient for experiments, but these default subnets also auto-assign a public IPv4 address to every instance launched into them, so anything you start there is internet-facing unless its Security Group says otherwise.
Subnets allow you to further divide your network into smaller parts. The most important segregation is between public subnets (a route to an Internet Gateway, instances may carry public IPs) and private subnets (no Internet Gateway route; reachable only from inside the VPC, with outbound internet access, if any, via a NAT Gateway).
Resources in each subnet can be protected with multiple layers of security, such as their own Security Groups or Network Access Control Lists.
Some AWS services are designed to live in private subnets, such as ElastiCache: a cache cluster never gets a public IP and is reachable only from inside the VPC.
Depending on the type of resource and your requirements, it is necessary to further restrict access to and between your resources.
Common requirements include: exposing only HTTPS from the internet to a load balancer, letting application servers be reached only from that load balancer, and letting databases be reached only from the application tier on the database port.
You can achieve this using Security Groups (SGs) and Network Access Control Lists (NACLs).
Security Groups hold allow rules only, for inbound and outbound traffic; there are no deny rules, and anything not explicitly allowed is dropped. Rules filter on protocol, port range and the remote side, which can be a CIDR block or another Security Group.
Security Groups operate on the instance level and are stateful: return traffic for an allowed connection does not need to be allowed explicitly. This is why an instance with no outbound rules can still answer the requests its inbound rules admitted.
Network Access Control Lists act as a firewall on the subnet level. They hold one or more allow and/or deny rules, ordered by rule number.
Evaluation starts with the lowest rule number, and the first matching rule is applied; if no rule matches, the final catch-all rule (*) denies the traffic. A deny rule therefore only works if its number is lower than the allow rule it is supposed to beat.
Each subnet must be associated with exactly one NACL (the VPC's default NACL allows everything), and because NACLs are stateless, return traffic must be allowed explicitly, typically by allowing the ephemeral port range 1024-65535 in the opposite direction. Forgetting this is the classic NACL mistake: requests get in, responses never get out.
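The stateful-versus-stateless distinction is easiest to see in code. The following is an added example written for this edit (not code from the newsletter or from AWS) that models a Security Group and a NACL as described above and pushes a request and its reply through both. The Packet and Rule types, the class names, the sample addresses and the rule sets are constructed; the behaviour they encode (allow-only, stateful Security Groups; lowest-number-first NACL evaluation with an implicit deny; NACL checked before the Security Group on the way in and after it on the way out) is how AWS documents the two mechanisms.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self) -> "Packet":
        """The reply packet of this packet's flow (addresses and ports swapped)."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    proto: str             # "tcp", "udp" or "all"
    from_port: int         # destination-port range the rule covers
    to_port: int
    cidr: str              # remote side: source for inbound rules, destination for outbound
    action: str = "allow"  # NACLs may also "deny"; Security Groups can only allow
    number: int = 0        # NACL rule number (evaluation order); ignored by Security Groups

    def matches(self, pkt: Packet, direction: str) -> bool:
        remote = pkt.src_ip if direction == "in" else pkt.dst_ip
        return (self.proto in ("all", pkt.proto)
                and self.from_port <= pkt.dst_port <= self.to_port
                and ipaddress.ip_address(remote) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Allow-only and stateful: replies to a tracked flow pass without any rule."""

    def __init__(self, inbound: list[Rule], outbound: list[Rule]):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("Security Groups cannot contain deny rules")
        self.inbound, self.outbound = inbound, outbound
        self._tracked: set[Packet] = set()  # connection-tracking table

    def permits(self, pkt: Packet, direction: str) -> bool:
        if pkt.reverse() in self._tracked:
            return True  # return traffic of a flow we already allowed
        rules = self.inbound if direction == "in" else self.outbound
        if any(r.matches(pkt, direction) for r in rules):
            self._tracked.add(pkt)
            return True
        return False  # no allow rule matched: implicit deny


class NetworkAcl:
    """Numbered allow/deny rules, lowest number first, first match wins, stateless."""

    def __init__(self, inbound: list[Rule], outbound: list[Rule]):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def permits(self, pkt: Packet, direction: str) -> bool:
        for rule in (self.inbound if direction == "in" else self.outbound):
            if rule.matches(pkt, direction):
                return rule.action == "allow"
        return False  # the final '*' rule of every NACL denies


def round_trip(nacl: NetworkAcl, sg: SecurityGroup, request: Packet) -> tuple[bool, bool]:
    """(request_delivered, reply_delivered) for a request entering a subnet and its reply.
    Inbound, the NACL (subnet edge) is checked before the Security Group (instance);
    outbound it is the other way round."""
    if not (nacl.permits(request, "in") and sg.permits(request, "in")):
        return (False, False)
    reply = request.reverse()
    return (True, sg.permits(reply, "out") and nacl.permits(reply, "out"))


ANY = "0.0.0.0/0"
HTTPS_IN = Rule("tcp", 443, 443, ANY, number=100)
EPHEMERAL_OUT = Rule("tcp", 1024, 65535, ANY, number=100)


def web_server_sg() -> SecurityGroup:
    # Deliberately no outbound rules: replies still leave thanks to connection tracking.
    return SecurityGroup(inbound=[Rule("tcp", 443, 443, ANY)], outbound=[])


def broken_nacl() -> NetworkAcl:
    # Classic mistake: outbound only allows port 443, but replies go to the client's
    # ephemeral port, so the stateless NACL drops every response.
    return NetworkAcl(inbound=[HTTPS_IN], outbound=[Rule("tcp", 443, 443, ANY, number=100)])


def fixed_nacl() -> NetworkAcl:
    return NetworkAcl(inbound=[HTTPS_IN], outbound=[EPHEMERAL_OUT])


def blocklist_nacl(deny_number: int) -> NetworkAcl:
    # A deny rule beats the allow rule only if its number is lower (evaluated first).
    deny = Rule("tcp", 443, 443, "203.0.113.0/24", action="deny", number=deny_number)
    return NetworkAcl(inbound=[HTTPS_IN, deny], outbound=[EPHEMERAL_OUT])


if __name__ == "__main__":
    req = Packet("198.51.100.7", 51515, "10.0.1.10", 443)  # constructed client request
    print("broken NACL:", round_trip(broken_nacl(), web_server_sg(), req))
    print("fixed NACL: ", round_trip(fixed_nacl(), web_server_sg(), req))
```

With the broken NACL the request is delivered but the reply is dropped at the subnet edge, which is exactly the "it connects but hangs" symptom you see in practice; the Security Group side needs no outbound rule at all because of its connection tracking.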
To connect your VPC to the internet and enable internet access for your resources, you can utilize the following components:
1. Internet Gateway: Enabling Internet Access
An Internet Gateway is attached to the VPC and allows resources in public subnets (those whose route table points 0.0.0.0/0 at the gateway) to reach and be reached from the Internet. It performs one-to-one NAT between an instance's private address and its public or Elastic IP, so an instance without a public address cannot use it.
2. NAT Gateway: Private Subnet Internet Access
A NAT Gateway enables outbound internet traffic from private subnets while keeping resources hidden from the public internet. It lives in a public subnet (it needs the Internet Gateway itself), and the private subnet's route table sends 0.0.0.0/0 to the NAT Gateway. Connections can only be initiated from the inside; nothing on the internet can open a connection to an instance behind a NAT Gateway.
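Whether a subnet is public, private or cut off entirely is decided by its effective route table, so that is what an audit should look at. The following is an added example written for this edit (not code from the newsletter or from AWS): it classifies subnets from data shaped like the EC2 DescribeRouteTables and DescribeSubnets responses (the snapshot below is constructed, with made-up IDs) and flags the three things a reviewer cares about: a main route table with an Internet Gateway route, public subnets that auto-assign public IPs, and blackhole routes left behind by a deleted NAT Gateway. The function names are mine; the response field names are the real API ones.

```python
from __future__ import annotations

import copy

# Constructed snapshot in the shape of EC2 DescribeRouteTables / DescribeSubnets
# responses (IDs are made up). Only the fields the audit needs are included.
ROUTE_TABLES = [
    {   # main table: local route only, so implicitly associated subnets stay isolated
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
    },
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-web"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-app"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def", "State": "active"},
        ],
    },
    {   # the NAT Gateway was deleted; AWS leaves the route behind as a blackhole
        "RouteTableId": "rtb-stale",
        "Associations": [{"SubnetId": "subnet-batch"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-gone", "State": "blackhole"},
        ],
    },
]
SUBNETS = [
    {"SubnetId": "subnet-web", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-app", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-db", "MapPublicIpOnLaunch": False},   # no explicit association
    {"SubnetId": "subnet-batch", "MapPublicIpOnLaunch": False},
]

# A route names its target with one of several keys depending on the target type.
TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
               "VpcPeeringConnectionId", "NetworkInterfaceId")


def route_target(route: dict) -> str:
    return next((route[k] for k in TARGET_KEYS if k in route), "")


def effective_table(route_tables: list[dict], subnet_id: str) -> dict:
    """The table explicitly associated with the subnet, else the VPC's main table."""
    for table in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in table["Associations"]):
            return table
    return next(t for t in route_tables if any(a.get("Main") for a in t["Associations"]))


def classify(table: dict) -> str:
    """'public' (default route to an IGW), 'private' (to a NAT Gateway) or 'isolated'."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            target = route_target(route)
            if target.startswith("igw-"):
                return "public"
            if target.startswith("nat-"):
                return "private"
    return "isolated"


def audit(route_tables: list[dict], subnets: list[dict]) -> tuple[dict[str, str], list[str]]:
    """Return ({subnet_id: class}, findings) for one VPC snapshot."""
    verdicts: dict[str, str] = {}
    findings: list[str] = []
    main = effective_table(route_tables, "subnet-that-does-not-exist")
    if classify(main) == "public":
        findings.append(f"main route table {main['RouteTableId']} routes to an Internet Gateway: "
                        "every subnet without an explicit association is public")
    for subnet in subnets:
        sid = subnet["SubnetId"]
        table = effective_table(route_tables, sid)
        verdicts[sid] = classify(table)
        if verdicts[sid] == "public" and subnet.get("MapPublicIpOnLaunch"):
            findings.append(f"{sid} is public and auto-assigns public IPs: "
                            "instances launched here are internet-facing")
        for route in table["Routes"]:
            if route.get("State") == "blackhole":
                findings.append(f"{sid} has a blackhole route to {route_target(route)} (target deleted)")
    return verdicts, findings


def with_public_main(route_tables: list[dict]) -> list[dict]:
    """Same snapshot after someone added an Internet Gateway route to the main table."""
    tables = copy.deepcopy(route_tables)
    main = effective_table(tables, "subnet-that-does-not-exist")
    main["Routes"].append({"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"})
    return tables
```

Feeding the live output of describe_route_tables and describe_subnets into audit() instead of the constructed snapshot turns this into a quick per-VPC check; note how subnet-db, which nobody associated with a table, silently becomes public as soon as the main table gains an Internet Gateway route.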
We've covered the theory. But how do we put VPC into practice, and where does it show up in the real world?
Let's explore a few prominent examples.
With VPC, you can build multi-tier architectures that combine public-facing resources, such as load balancers and DNS servers, with private components like application servers and databases.
In this architecture, the application servers sit in a private subnet: they can reach the internet for updates through a NAT Gateway in the public subnet, but nothing on the internet can reach them directly.
They can only be reached through the load balancer in the public subnets, enforced by a Security Group that accepts traffic only from the load balancer's Security Group. The databases live in a separate private subnet without any outgoing internet access. Access to the databases is granted exclusively to the application tier's Security Group on the database port, giving you a controlled path for data storage and retrieval.
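The three-tier design above is a small graph of Security Group references, and the useful check is whether the account still matches it. Here is an added example written for this edit (not code from the newsletter or from AWS) that reads Security Groups in the shape of the EC2 DescribeSecurityGroups response, turns every inbound permission into an edge (destination group, protocol, port range, source), diffs that against the intended policy, and lists everything reachable from the whole internet. The group IDs, ports and the "drifted" variant are constructed; the response field names are the real API ones.

```python
from __future__ import annotations

# One inbound edge: (destination group, protocol, from_port, to_port, source).
# The source is either a CIDR or another Security Group's ID.
Edge = tuple[str, str, int, int, str]


def three_tier_groups() -> list[dict]:
    """Constructed groups, shaped like DescribeSecurityGroups: ALB -> app -> database."""
    return [
        {"GroupId": "sg-alb", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
        {"GroupId": "sg-app", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},
        {"GroupId": "sg-db", "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
             "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    ]


def drifted_groups() -> list[dict]:
    """The same groups after two 'temporary' changes that never got reverted."""
    groups = three_tier_groups()
    # Database opened to the world on its port (the classic mistake).
    groups[2]["IpPermissions"].append(
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []})
    # App tier opened to all traffic from the whole VPC ("-1" = all protocols, no port fields).
    groups[1]["IpPermissions"].append(
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []})
    return groups


# Intended policy for the architecture described in the text.
INTENDED: set[Edge] = {
    ("sg-alb", "tcp", 443, 443, "0.0.0.0/0"),
    ("sg-app", "tcp", 8080, 8080, "sg-alb"),
    ("sg-db", "tcp", 5432, 5432, "sg-app"),
}


def inbound_edges(groups: list[dict]) -> set[Edge]:
    """Flatten every inbound permission of every group into edges."""
    edges: set[Edge] = set()
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm["IpProtocol"]
            if proto == "-1":  # "all traffic": the API omits FromPort/ToPort
                proto, lo, hi = "all", 0, 65535
            else:
                lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
            for src in sources:
                edges.add((group["GroupId"], proto, lo, hi, src))
    return edges


def diff_policy(groups: list[dict], intended: set[Edge]) -> dict[str, list[Edge]]:
    """Edges present but not intended, and intended but absent."""
    actual = inbound_edges(groups)
    return {"unexpected": sorted(actual - intended), "missing": sorted(intended - actual)}


def internet_exposed(groups: list[dict]) -> list[Edge]:
    """Everything reachable from any address on the internet."""
    return sorted(e for e in inbound_edges(groups) if e[4] in ("0.0.0.0/0", "::/0"))


if __name__ == "__main__":
    print(diff_policy(drifted_groups(), INTENDED))
    print(internet_exposed(drifted_groups()))
```

Keeping INTENDED in version control next to the infrastructure code and running the diff in CI catches the "temporary" 0.0.0.0/0 rule on the database before it is forgotten; the only internet-exposed edge in a healthy three-tier setup is the load balancer on 443.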
VPC helps companies meet regulatory compliance requirements by implementing strict, auditable network access controls.
Private subnets can be dedicated to storing and processing sensitive data, so that it is never directly reachable from the internet.
Public subnets host only the resources that must be exposed and that don't handle sensitive information, which keeps the attack surface small and the environment easier to audit.
VPC supports connecting on-premises infrastructure to the cloud.
With a Site-to-Site VPN or a Direct Connect connection, you can establish private communication between your VPC and on-premises resources; the on-premises prefixes then appear in your route tables as routes whose target is the Virtual Private Gateway.
This enables organizations to leverage the scalability and flexibility of the cloud while maintaining connectivity to their existing infrastructure.
Amazon VPC provides a robust framework for isolating and securing your instances and resources in the AWS cloud.
By leveraging subnets, NACLs, security groups, and connectivity components, you can design a secure network architecture. Whether you're building web applications, microservices, ensuring compliance, or integrating with on-premises infrastructure, VPC offers the necessary tools and flexibility to meet your specific requirements.
At our core, we value high-quality content and appreciate the work of talented creators.
Starting with this issue, we are thrilled to introduce a new addition to our newsletter lineup: a curated selection of exceptional newsletters.
We want to emphasize that our recommendations are driven solely by our genuine appreciation for these newsletters and the value they provide. We do not receive any commission or incentives for featuring them. Our aim is to share these gems with you, confident that you will also find them engaging and enriching. Keep an eye out for our star-rated recommendations!
This week's star is Milan Jovanović. He runs a weekly newsletter where he talks about best practices for .NET, Azure, and software architecture in general.
With one practical tip every week, it's always less than a 5-minute read.
A small excerpt from his recent issues:
If you're interested, you can join more than 24,000 other engineers here!
That's all for this time!
See you in two weeks!
Tobi & Sandro
If you're interested in more, have a look at our AWS Fundamentals blog.
Join our community of over 8,800 readers delving into AWS. We highlight real-world best practices through easy-to-understand visualizations and one-pagers. Expect a fresh newsletter edition every two weeks.