The network is both the path by which cloud services are delivered and the skeleton that holds the cloud's internal systems together, which makes it indispensable infrastructure. This series therefore starts with the network environment on AWS.
VPC (Virtual Private Cloud)
VPC is one of the most important and most widely used services on AWS. It provides a logically isolated private network environment.
A VPC is isolated from the Internet and from other VPCs: traffic between the VPC and the Internet, or between two VPCs, is blocked unless you explicitly configure it (an internet gateway, VPC peering, and so on). This isolation is logical. It is implemented in software on AWS's network, not by physically separate devices or links.
A VPC can be used almost as if it were your own intranet, except that AWS hosts and maintains the network for you. On AWS almost every service instance (machine) you create must be placed in a VPC, so the VPC is the most basic layer of network isolation you get.
As a private network, a VPC has its own private address range. In AWS the range is written as a CIDR block, for example 172.31.0.0/16, which means the first 16 bits of the address are fixed and the remaining 16 bits (32 minus 16) are available. The range therefore runs from 172.31.0.0 to 172.31.255.255. AWS requires a VPC CIDR block between /16 and /28, and private addresses of instances in the VPC are assigned only from this range.
Subnets
A VPC is divided into subnets, which are the smallest building block of a network on AWS. Each subnet lives entirely within one Availability Zone.
As a subdivision of a VPC, a subnet has its own address range, which is a subset of the VPC's range. For example, within 172.31.0.0/16 a subnet might be 172.31.0.0/20 (the first 20 bits are fixed and the remaining 12 bits are available), that is, 172.31.0.0 to 172.31.15.255. Subnet ranges within a VPC must not overlap, and subnets, like VPCs, must be between /16 and /28. Note that AWS reserves five addresses in every subnet (the first four and the last), so a /20 subnet has 4091 usable addresses rather than 4096.
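The CIDR arithmetic above is easy to get wrong by hand (the original draft of this article itself wrote 173.31.0.0/20, which is not inside 172.31.0.0/16). The following is an added example, not code from the original article, that validates a VPC layout the way the rules above describe: every subnet must sit inside the VPC block, no two subnets may overlap, both must be /16 to /28, and five addresses per subnet are reserved by AWS. It uses only Python's standard `ipaddress` module; the function names and the sample CIDR blocks are the author's choices for illustration.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet
# (network address, VPC router, Amazon DNS, reserved for future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def parse_aws_block(cidr):
    """Parse a CIDR block and enforce the AWS size limit (/16 to /28 for VPCs and subnets)."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS only allows /16 through /28")
    return net


def check_subnets(vpc_cidr, subnet_cidrs):
    """Validate a VPC layout: every subnet must lie inside the VPC block and
    no two subnets may overlap. Returns, per subnet, its first and last
    address and the number of usable host addresses after AWS's reservations."""
    vpc = parse_aws_block(vpc_cidr)
    accepted = []
    for cidr in subnet_cidrs:
        net = parse_aws_block(cidr)
        if not net.subnet_of(vpc):
            raise ValueError(f"subnet {cidr} is not inside VPC {vpc}")
        for other in accepted:
            if net.overlaps(other):
                raise ValueError(f"subnet {cidr} overlaps subnet {other}")
        accepted.append(net)
    return {
        str(net): {
            "first": str(net.network_address),
            "last": str(net.broadcast_address),
            "usable": net.num_addresses - AWS_RESERVED_PER_SUBNET,
        }
        for net in accepted
    }


if __name__ == "__main__":
    # Constructed layout: a /16 VPC carved into three /20 subnets.
    layout = check_subnets(
        "172.31.0.0/16", ["172.31.0.0/20", "172.31.16.0/20", "172.31.32.0/20"]
    )
    for cidr, info in layout.items():
        print(cidr, info)
    # The mistyped block from the text is rejected because it is outside the VPC.
    try:
        check_subnets("172.31.0.0/16", ["173.31.0.0/20"])
    except ValueError as err:
        print("rejected:", err)
```

Running the script prints the first and last address and the usable host count of each subnet, then shows the rejection of 173.31.0.0/20. The same check catches overlapping subnets, which the console refuses too but which are easy to miss when a layout is written down in a spreadsheet or a Terraform variable file first.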
Public subnet and private subnet
Subnets are classified as public or private according to whether they can reach the Internet directly. Concretely, a subnet is public if its route table contains a route to an internet gateway, and private if it does not. Instances in a public subnet (provided they have a public or Elastic IP address) can send requests to the Internet and receive requests from it. Instances in a private subnet cannot communicate with the Internet directly: at most they can make outbound connections through a NAT gateway, and nothing on the Internet can initiate a connection to them.
By default, all subnets in a VPC can communicate with each other, public or private, through the VPC's built-in local route.
Why distinguish between public and private subnets
What is the difference between a public subnet and a private subnet?
Let's start with a typical scenario. A moderately large web service is usually designed as a multi-tier architecture. Take a three-tier architecture of web tier, application tier and database tier as an example, where each tier consists of several virtual machine instances:
- The web tier accepts the user's requests from the web page;
- After simple processing, the web tier forwards the request to the application tier for business processing;
- When the application tier has finished processing, the data that needs to be persisted is written to the database tier.
In this scenario the web tier must handle traffic from the Internet, so it is placed in a public subnet where it can be reached from outside. The application tier never needs to talk to the Internet directly, so it goes in a private subnet; it cannot be reached from outside at all, which removes a whole class of external attacks such as port scans and brute-force attempts against management ports. The database tier, like the application tier, belongs in a private subnet. The default routing between subnets in the same VPC keeps the web tier and the application tier talking to each other. Note that subnet placement controls reachability only: you still need security groups and network ACLs to restrict which ports the web tier may open to the application tier, and the application tier to the database tier.
Combining public and private subnets improves network security while keeping the design flexible.
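The definition of a public subnet above (a route table with a route to an internet gateway) is something you can check mechanically, which matters in practice because a subnet intended for the application or database tier becomes public the moment someone associates it with the wrong route table. The following is an added example, not code from the original article, that classifies subnets from route-table data shaped like the output of `aws ec2 describe-route-tables`. The sample data, the subnet and gateway IDs (subnet-web, subnet-app, subnet-db, igw-0abc, nat-0abc) and the function names are constructed for illustration and mirror the three-tier layout discussed above.

```python
# Constructed sample shaped like the RouteTables list returned by
# `aws ec2 describe-route-tables`, trimmed to the fields used here.
# All resource IDs are made up for illustration.
ROUTE_TABLES = [
    {
        # The main route table carries only the VPC-local route. A subnet with no
        # explicit association falls back to it, so such subnets are private.
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"}],
    },
    {
        "RouteTableId": "rtb-web",
        "Associations": [{"Main": False, "SubnetId": "subnet-web"}],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},  # internet gateway
        ],
    },
    {
        "RouteTableId": "rtb-app",
        "Associations": [{"Main": False, "SubnetId": "subnet-app"}],
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc"},  # outbound only
        ],
    },
]
# subnet-db has no explicit association and therefore uses the main route table.
SUBNET_IDS = ["subnet-web", "subnet-app", "subnet-db"]


def effective_route_table(route_tables, subnet_id):
    """Return the route table a subnet actually uses: its explicit association
    if it has one, otherwise the VPC's main route table."""
    main = None
    for table in route_tables:
        for assoc in table["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    if main is None:
        raise ValueError("input contains no main route table")
    return main


def classify_subnet(route_tables, subnet_id):
    """'public' if any route targets an internet gateway (igw-*),
    'private (NAT egress)' if the only way out is a NAT gateway,
    'private (isolated)' if there is no route off the VPC at all."""
    routes = effective_route_table(route_tables, subnet_id)["Routes"]
    if any(r.get("GatewayId", "").startswith("igw-") for r in routes):
        return "public"
    if any("NatGatewayId" in r for r in routes):
        return "private (NAT egress)"
    return "private (isolated)"


def classify_subnets(route_tables, subnet_ids):
    return {sid: classify_subnet(route_tables, sid) for sid in subnet_ids}


if __name__ == "__main__":
    for sid, kind in classify_subnets(ROUTE_TABLES, SUBNET_IDS).items():
        print(f"{sid}: {kind}")
```

Against real data you would feed in the `RouteTables` list from `describe-route-tables` and the subnet IDs from `describe-subnets`. Two caveats: the check treats any internet-gateway route as making the subnet public, even one for a narrower prefix than 0.0.0.0/0, because that is how AWS defines it; and a public subnet only exposes an instance that actually holds a public or Elastic IP address, so a routing check like this one tells you what could be reachable, not what is.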
Create a VPC
When an AWS account is created, every region already has a default VPC with one default subnet in each Availability Zone of that region. These default subnets are public: they route to an internet gateway and assign public IP addresses to instances automatically, which is worth remembering before launching anything into them.
You can also use the creation wizard in the VPC console to create VPCs and subnets that meet different requirements:
The wizard offers four preset network configurations to choose from:
The first option, VPC with a single public subnet, is used as the example here.
Fill in the parameters. The CIDR block was introduced above; enter the range you need or keep the default value. The VPC name and subnet name are simply labels that help you identify the resources later.
Some of the other parameters may be less familiar, so here is a brief explanation:
- IPv6 CIDR block: select "Amazon-provided IPv6 CIDR block" if your network needs to use IPv6.
- Availability Zone: a subdivision of a region. A region contains several Availability Zones, each consisting of one or more data centers. Availability Zones are physically separate from each other, so spreading resources across several of them is the basis for disaster recovery.
- Enable DNS hostnames: if Yes is selected, instances launched in the VPC are assigned DNS hostnames.
- Hardware tenancy: two options are available, Default and Dedicated. Dedicated means every instance launched in the VPC runs on physical hardware used only by your account. With Default, your instances share physical machines with other customers' instances.
After setting the parameters, click Create VPC.
Note that this section only covers creating a VPC with a single public subnet using the VPC wizard. The wizard offers three other configurations, all of which involve private subnets and require a NAT gateway or a VPN connection to be configured. You can also create a VPC and its subnets separately without using the wizard. These topics are covered in AWS Network Environment - VPC (Advanced).
VPC advanced
For daily use, this is all you need to know about VPC. To use it flexibly you will need some more advanced knowledge, which is covered in the next article: AWS Network Environment - VPC (Advanced).
The series can be viewed by clicking on my avatar