Concepts
VPC, or Virtual Private Cloud, is a cornerstone of AWS infrastructure that provides a logically isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. Understanding VPC configurations is key to managing AWS environments effectively and is essential knowledge for the AWS Certified SysOps Administrator – Associate exam.
Subnets
A subnet is a range of IP addresses in your VPC. Subnets allow you to partition your VPC’s IP address range into separate segments that can be used to optimize resource allocation, improve security, and ensure that network traffic flows efficiently.
A VPC is subdivided into subnets, and each subnet resides entirely within a single Availability Zone. For instance, if your VPC has an IP address range of 10.0.0.0/16, you could create a subnet with a range of 10.0.1.0/24.
Public vs Private Subnets
- Public Subnet: It uses a route table that directs traffic to the VPC’s internet gateway. Instances in a public subnet can be directly accessed from the internet if they have a public IP or Elastic IP address.
- Private Subnet: It uses a route table that doesn’t have a route to the internet gateway. Instances here cannot directly access the internet; they might access the internet via a NAT gateway or NAT instance located in a public subnet.
Route Tables
Route tables contain rules, called routes, that determine where network traffic from your subnet or gateway is directed. Each VPC has a main route table by default, and you can create additional custom route tables. Each subnet must be associated with a route table, which controls the routing for the subnet.
Example of Route Table Entries:
| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | igw-abc123 |
In the table above, the first route sends all traffic destined for the local VPC to the “local” target, ensuring that instances within the same VPC can communicate with each other. The second route directs all other traffic (0.0.0.0/0) to the internet gateway (igw-abc123), allowing instances with public IPs to access the internet.
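To make the route-table logic above concrete, here is an added example (not code from the page) that resolves a destination with longest-prefix matching against the page's public route table and classifies a subnet as public or private from its routes; the private and isolated tables and the NAT gateway id are constructed assumptions:

```python
import ipaddress

# Constructed route tables. PUBLIC_RT mirrors the page's example (igw-abc123 is the page's
# id); PRIVATE_RT and ISOLATED_RT, and the NAT gateway id, are assumptions for illustration.
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-abc123")]
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0123456789abcdef0")]
ISOLATED_RT = [("10.0.0.0/16", "local")]


def lookup(route_table, dst_ip):
    """Return the target for dst_ip using longest-prefix match, or None if no route matches.

    The /16 local route wins over 0.0.0.0/0 for in-VPC addresses because it is more specific.
    """
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def subnet_kind(route_table):
    """Public if any route points at an internet gateway (igw-*), otherwise private."""
    return "public" if any(t.startswith("igw-") for _, t in route_table) else "private"


if __name__ == "__main__":
    for table_name, table in (("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)):
        print(table_name, subnet_kind(table), lookup(table, "10.0.5.4"), lookup(table, "198.51.100.7"))
```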
Network ACLs
A Network Access Control List (ACL) acts as a firewall for controlling traffic at the subnet level. By default, each VPC comes with a default network ACL that allows all inbound and outbound traffic. You can create custom Network ACLs with specific inbound and outbound rules.
Example Network ACL Rules:
| Rule # | Type | Protocol | Port Range | Source | Allow / Deny |
|---|---|---|---|---|---|
| 100 | HTTP | TCP | 80 | 0.0.0.0/0 | ALLOW |
| 120 | SSH | TCP | 22 | 203.0.113.0/24 | ALLOW |
| 130 | ALL | ALL | ALL | 0.0.0.0/0 | DENY |
Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
Security Groups
Security groups act as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance, you associate it with one or more security groups. You can add rules to each security group that allow traffic to or from its associated instances.
Unlike Network ACLs, security groups are stateful – if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules.
Example Security Group Rules:
| Type | Protocol | Port Range | Source | Description |
|---|---|---|---|---|
| HTTP | TCP | 80 | 0.0.0.0/0 | Allow all web traffic |
| SSH | TCP | 22 | 203.0.113.0/24 | SSH access from corp |
Comparing Network ACLs and Security Groups
Here’s a comparative look at some key differences:
| Feature | Network ACLs | Security Groups |
|---|---|---|
| Scope | Subnet level | Instance level |
| Rules | Stateless; return traffic must be explicitly allowed by rules | Stateful; return traffic is automatically allowed |
| Default Setting | Allows all inbound and outbound | Denies all inbound; allows all outbound |
| Rule Evaluation | Processes rules in order (lowest numbered rule first); the first match wins | Evaluates all rules before allowing traffic |
| Supports Allow and Deny | Yes | Allow rules only |
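The Network ACL, Security Group and comparison sections above describe two different evaluation models; the added example below (not code from the page) models both using the page's own rule tables: ordered first-match stateless evaluation for the NACL, and any-match stateful default-deny for the security group. The outbound NACL rules and the client addresses are constructed assumptions, added to show why a stateless ACL also needs an outbound rule for ephemeral-port replies:

```python
import ipaddress

# Inbound NACL rules copied from the page's table: (rule number, protocol, port range, source, action).
NACL_INBOUND = [
    (100, "tcp", (80, 80), "0.0.0.0/0", "allow"),
    (120, "tcp", (22, 22), "203.0.113.0/24", "allow"),
    (130, "*", (0, 65535), "0.0.0.0/0", "deny"),
]
# Assumed outbound rules (the page shows inbound only): allow replies to ephemeral ports, then deny.
NACL_OUTBOUND = [
    (100, "tcp", (1024, 65535), "0.0.0.0/0", "allow"),
    (32767, "*", (0, 65535), "0.0.0.0/0", "deny"),
]
# Security group inbound rules from the page's table: (protocol, port range, source).
SG_INBOUND = [("tcp", (80, 80), "0.0.0.0/0"), ("tcp", (22, 22), "203.0.113.0/24")]


def _matches(proto, port, addr, rule_proto, port_range, cidr):
    return ((rule_proto == "*" or rule_proto == proto)
            and port_range[0] <= port <= port_range[1]
            and ipaddress.ip_address(addr) in ipaddress.ip_network(cidr))


def nacl_allows(rules, proto, port, addr):
    """Stateless: rules are tried in ascending rule number; the first match decides; no match means deny."""
    for _num, rproto, prange, cidr, action in sorted(rules, key=lambda r: r[0]):
        if _matches(proto, port, addr, rproto, prange, cidr):
            return action == "allow"
    return False


def sg_allows_inbound(rules, proto, port, addr):
    """Stateful, default-deny inbound: any matching allow rule permits the packet."""
    return any(_matches(proto, port, addr, rp, pr, cidr) for rp, pr, cidr in rules)


def http_session_allowed(client_ip, client_port):
    """Inbound HTTP request plus its reply, checked through both layers.

    The security group tracks the reply automatically, so only the request is checked there;
    the NACL is stateless, so the reply to the client's port must pass the outbound rules too.
    """
    request_ok = (nacl_allows(NACL_INBOUND, "tcp", 80, client_ip)
                  and sg_allows_inbound(SG_INBOUND, "tcp", 80, client_ip))
    reply_ok = nacl_allows(NACL_OUTBOUND, "tcp", client_port, client_ip)
    return request_ok and reply_ok
```

Inserting a deny rule numbered 110 for SSH from 203.0.113.0/24 would block that traffic despite the allow at 120, because the NACL stops at the first matching rule.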
To effectively interpret VPC configurations, it is critical to understand the use-cases and implications of subnets, route tables, network ACLs, and security groups, and how they interact to facilitate secure and efficient network architecture within AWS. Practitioners should ensure they apply the principle of least privilege, meaning every resource should only have the access that it absolutely needs to function.
Answer the Questions in Comment Section
True or False: VPC stands for Virtual Private Cloud, which is a virtual network dedicated to your AWS account.
- 1) True
True, a VPC is a Virtual Private Cloud that provides a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
In a VPC, can you create a subnet that spans multiple Availability Zones?
- 2) False
False, a subnet must reside entirely within one Availability Zone and cannot span zones.
Which AWS resource acts as a virtual firewall for your EC2 instances to control inbound and outbound traffic?
- A) Route Tables
- B) Network ACLs
- C) Security Groups
- D) Internet Gateway
C) Security Groups. Security Groups act as a virtual firewall for instances to control inbound and outbound traffic at the instance level.
True or False: Network ACLs are stateful, meaning that they automatically return traffic for sessions that are initiated from within the subnet.
- 4) False
False, Network ACLs are stateless; they do not keep track of the state of network connections. Each inbound and outbound packet is evaluated independently.
If a subnet doesn’t have a route to the internet gateway, what type of subnet is it classified as?
- A) Private subnet
- B) Public subnet
- C) Isolated subnet
- D) Both A and C are correct
D) Both A and C are correct. A subnet without a route to an internet gateway is considered a private subnet or an isolated subnet.
What is the purpose of an Internet Gateway within a VPC?
- 6) True
False, you can have multiple routes in a single route table, one for each destination CIDR block that you want to define routing for.
Is it possible to associate a security group with a network interface at the instance and subnet level?
- A) True, but only at the instance level.
- B) True, but only at the subnet level.
- C) True, at both the instance and subnet level.
- D) False, you cannot associate a security group at any level.
C) True, at both the instance and subnet level. Security groups can be associated with network interfaces, allowing you to specify rules at both the instance level and subnet level.
True or False: By default, all outbound traffic is allowed in a VPC’s security group.
- 10) True
True, by default, security groups allow all outbound traffic unless you add rules that specifically deny outbound traffic.
What happens if you create a VPC with the same CIDR block as another VPC in your account?
- A) They will merge into a single VPC.
- B) AWS will not allow the creation of overlapping CIDR blocks within the same account.
- C) They will co-exist without any issues.
- D) You will need to connect them with VPC peering for them to operate correctly.
B) AWS will not allow the creation of overlapping CIDR blocks within the same account. AWS does not allow the creation of VPCs with overlapping CIDR blocks within the same account to avoid IP addressing conflicts.
True or False: You can add or remove rules within a security group at any time, and the changes are applied immediately to all instances associated with the security group.
- 12) True
True, any changes made to the security groups are applied immediately, affecting all instances associated with the security group.
Great post! Can someone explain the difference between a subnet and a route table?
The explanation of Network ACLs was very helpful. Thanks!
Could someone clarify if Security Groups are stateful or stateless?
Fantastic overview of VPC configurations!
Why would one use a Network ACL if Security Groups are already in place?
Appreciate the insights on route tables.
Does anyone have a good strategy for managing Security Groups?
What are some best practices for subnet design?