Computer Networks
Cloud Networking: VPC
In the past, running your own data center meant renting space, buying servers, and running cables. Today a VPC in AWS can be created in 30 seconds - a fully isolated network with public and private subnets.
- **Netflix** - thousands of VPCs across different regions for streaming infrastructure
- **Stripe** - multi-VPC architecture for isolating PCI DSS data
- **Airbnb** - VPC Peering between production and analytics
Prerequisites
VPC (Virtual Private Cloud)
**VPC (Virtual Private Cloud)** is a logically isolated virtual network in the cloud. It's your own data center, only virtual: you define IP ranges, subnets, routes, and security rules.
Imagine: AWS has one enormous data center with millions of servers. VPC creates the illusion that your 10 servers are in a separate isolated network, invisible to other AWS customers.
**VPC Isolation:** Traffic between different VPCs does not flow by default. Even if IP addresses overlap (10.0.0.0/16 in both VPCs), there is no conflict - they are separate virtual networks.
**Key VPC components:**
- **CIDR block** - IP address range (e.g. 10.0.0.0/16 = 65,536 addresses)
- **Internet Gateway** - the VPC's gateway to the internet, for both inbound and outbound traffic
- **NAT Gateway** - internet access for private subnets (outbound only)
- **Route Tables** - rules for routing traffic
- **Subnets** - network segments in different Availability Zones
What provides isolation between VPCs of different AWS customers?
Public and Private Subnets
**Subnet** is a segment of a VPC tied to a specific Availability Zone. Subnets are divided into **public** (with internet access) and **private** (without direct access).
A **Public Subnet** has a route to the Internet Gateway. Instances get public IPs and are reachable from the internet. A **Private Subnet** has no direct egress - only through a NAT Gateway for outbound traffic.
**Why NAT Gateway?** Private instances (databases, backends) need to download updates and call external APIs. NAT allows outbound traffic but blocks incoming - the instance is invisible from the internet.
**Multi-AZ architecture:** For high availability, subnets are created in different Availability Zones. If AZ-a fails, traffic switches to AZ-b. A Load Balancer distributes requests across zones.
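The public/private distinction above is decided by where a subnet's route table sends 0.0.0.0/0. As an added example (not the course's own code), this script classifies subnets from route-table data in the shape of the AWS DescribeRouteTables response; all IDs are constructed, and the "isolated" label for subnets with no default route at all is this example's own term.

```python
# Added example (not from the course page): classify a VPC's subnets as public,
# private or isolated from route-table data shaped like the AWS DescribeRouteTables
# response. All IDs below are constructed sample values.
from typing import Dict, List

ROUTE_TABLES = [
    # main route table: local route only; used by subnets with no explicit association
    {"RouteTableId": "rtb-main", "VpcId": "vpc-0example",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
     "Associations": [{"Main": True}]},
    # public: default route to the Internet Gateway
    {"RouteTableId": "rtb-public", "VpcId": "vpc-0example",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}],
     "Associations": [{"Main": False, "SubnetId": "subnet-web-a"},
                      {"Main": False, "SubnetId": "subnet-web-b"}]},
    # private: default route to the NAT Gateway (outbound only)
    {"RouteTableId": "rtb-private", "VpcId": "vpc-0example",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}],
     "Associations": [{"Main": False, "SubnetId": "subnet-db-a"}]},
]
# subnet-db-b is deliberately left without an association to exercise the main-table fallback
SUBNETS = ["subnet-web-a", "subnet-web-b", "subnet-db-a", "subnet-db-b"]


def default_route_target(table: dict) -> str:
    """Return 'igw', 'nat' or 'none' depending on where 0.0.0.0/0 points."""
    for route in table["Routes"]:
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "igw"
        if "NatGatewayId" in route:
            return "nat"
    return "none"


def classify_subnets(route_tables: List[dict], subnet_ids: List[str]) -> Dict[str, str]:
    """'public' = route to an Internet Gateway, 'private' = outbound via NAT only,
    'isolated' = no default route at all (no internet path in either direction)."""
    main = next(t for t in route_tables if any(a.get("Main") for a in t["Associations"]))
    by_subnet = {a["SubnetId"]: t for t in route_tables
                 for a in t["Associations"] if a.get("SubnetId")}
    names = {"igw": "public", "nat": "private", "none": "isolated"}
    return {s: names[default_route_target(by_subnet.get(s, main))] for s in subnet_ids}


if __name__ == "__main__":
    for subnet, kind in classify_subnets(ROUTE_TABLES, SUBNETS).items():
        print(f"{subnet}: {kind}")
```

A subnet that silently falls back to the main route table is a common audit finding: it is private only because nothing was configured, not by design.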
What is the difference between a public subnet and a private subnet?
Security Groups
**Security Group** is a virtual stateful firewall at the instance level (EC2, RDS, Lambda). It defines which inbound and outbound traffic is allowed.
**Stateful** means: if inbound traffic on port 80 is allowed, the response is automatically permitted back. You don't need to separately allow outbound traffic for replies.
**Security Group References:** Instead of IP addresses, you can reference other Security Groups. For example: app-sg allows traffic from web-sg. When new web servers are added, the rules apply automatically.
**Security Group best practices:**
- **Principle of least privilege** - open only the necessary ports
- **Use references** instead of IP addresses where possible
- **Separate by function** - separate SGs for web, app, db
- **Don't use 0.0.0.0/0 for SSH** - use a VPN or bastion only
What does 'stateful' mean in the context of Security Groups?
Network ACL
**Network ACL (NACL)** is a stateless firewall at the subnet level. Unlike Security Groups, NACL has numbered rules and applies to ALL traffic in the subnet.
**Stateless** means: you must explicitly allow both inbound and outbound traffic. If HTTP on port 80 is allowed inbound, you also need to allow ephemeral ports (1024-65535) for responses outbound.
**When to use NACL?** For blocking known malicious IPs at the subnet level, as an additional layer of defense (defense in depth), and for compliance requirements. In most cases Security Groups are sufficient.
**Defense in Depth:**
```
Internet → NACL → Security Group → Instance
             │          │             │
          Subnet     Instance     Application
           level       level         level
```
NACL is the first line of defense at the subnet level. Security Group is the second, at the instance level. Application firewall (WAF) is the third.
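The port-80 scenario from the Security Group and NACL sections above, as an added example (not the course's own code): a toy packet filter that shows why the stateless NACL needs an outbound rule for ephemeral ports while the stateful Security Group does not, and how a lower-numbered NACL deny rule wins. It assumes a client on ephemeral port 50123 and the constructed addresses 203.0.113.10 and 198.51.100.0/24; NACL port ranges match the destination port, as in AWS.

```python
# Added example (not from the course page): a toy packet filter showing why a
# stateless NACL needs an outbound ephemeral-port rule that a stateful Security
# Group does not, and how NACL rule numbers let a deny rule win. Sample data only.
import ipaddress
from typing import List, NamedTuple, Set, Tuple

class Packet(NamedTuple):
    direction: str   # "in" = towards the instance, "out" = away from it
    peer_ip: str     # remote host: source for inbound, destination for outbound
    src_port: int
    dst_port: int

class NaclRule(NamedTuple):
    number: int      # evaluated in ascending order; first match wins
    direction: str
    cidr: str        # remote-host CIDR the rule applies to
    ports: Tuple[int, int]   # destination port range
    action: str      # "allow" or "deny"

def nacl_permits(rules: List[NaclRule], pkt: Packet) -> bool:
    """Stateless: no memory of earlier packets; unmatched traffic hits the implicit deny."""
    for r in sorted(rules, key=lambda rule: rule.number):
        if (r.direction == pkt.direction and r.ports[0] <= pkt.dst_port <= r.ports[1]
                and ipaddress.ip_address(pkt.peer_ip) in ipaddress.ip_network(r.cidr)):
            return r.action == "allow"
    return False

class SecurityGroup:
    """Stateful: only inbound allows are configured; replies to accepted requests pass."""
    def __init__(self, inbound_ports: Set[int]):
        self.inbound_ports = inbound_ports
        self.tracked: Set[Tuple[str, int, int]] = set()   # (peer_ip, peer_port, my_port)

    def permits(self, pkt: Packet) -> bool:
        if pkt.direction == "in" and pkt.dst_port in self.inbound_ports:
            self.tracked.add((pkt.peer_ip, pkt.src_port, pkt.dst_port))   # connection tracking
            return True
        return pkt.direction == "out" and (pkt.peer_ip, pkt.dst_port, pkt.src_port) in self.tracked

def http_exchange(permits, client_ip: str = "203.0.113.10") -> Tuple[bool, bool]:
    """Client on ephemeral port 50123 calls port 80; returns (request_ok, reply_ok)."""
    request = Packet("in", client_ip, 50123, 80)
    reply = Packet("out", client_ip, 80, 50123)
    return permits(request), permits(reply)

ALLOW_HTTP = NaclRule(100, "in", "0.0.0.0/0", (80, 80), "allow")
ALLOW_EPHEMERAL = NaclRule(110, "out", "0.0.0.0/0", (1024, 65535), "allow")   # what the page requires
DENY_BAD_NET = NaclRule(50, "in", "198.51.100.0/24", (0, 65535), "deny")     # lower number wins
NACL_HTTP_ONLY = [ALLOW_HTTP]                      # reply to the ephemeral port is dropped
NACL_OK = [ALLOW_HTTP, ALLOW_EPHEMERAL]
NACL_WITH_DENY = [DENY_BAD_NET, ALLOW_HTTP, ALLOW_EPHEMERAL]
WEB_SG = SecurityGroup({80})                      # no outbound rule needed
```

Note that the deny rule blocks only the inbound packet; because the NACL is stateless, the outbound ephemeral rule still matches the reply direction on its own.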
**Common misconception:** Security Groups are sufficient; NACLs are not needed.
**Reality:** NACLs complement Security Groups for defense in depth and allow blocking traffic at the subnet level.
**Why:** Security Groups only protect instances that have the group assigned. NACLs protect the entire subnet, including new instances. Also, NACLs support explicit deny rules (blocking specific IPs), which Security Groups cannot.
Why does NACL require an explicit allow rule for ephemeral ports for return traffic?
Key Takeaways
- **VPC** - logically isolated virtual network in the cloud with your own CIDR block
- **Public Subnet** → Internet Gateway, **Private Subnet** → NAT Gateway
- **Security Groups** - stateful firewall at the instance level, Allow rules only
- **NACL** - stateless firewall at the subnet level, Allow + Deny, evaluated by rule number
- **Defense in Depth:** NACL → Security Group → Application firewall
Related Topics
Cloud networks are built on classic concepts of subnets and firewalls:
- Subnets and CIDR — VPC and Cloud Subnets use standard addressing
- Firewalls — Security Groups and NACLs are cloud implementations of firewalls
Questions for Reflection
- Which services in your application should be in a public subnet, and which in a private subnet?
- How would you organize VPCs for prod/staging/dev environments - one VPC or separate ones?
- In what cases is NACL more useful than Security Groups?