Fundamental Network Services
It is pretty amazing when you think about just how much “networking” AWS is responsible for. If we take a recent estimate of the number of AWS customers, we are looking at about 1.5 million entities (at this writing). That number is amazing enough, but when we remember that each of these customers is apportioned at least one Virtual Private Cloud, the scale of AWS becomes mind-boggling. In this section of the chapter, you’ll become very comfortable with the important concept of VPCs in AWS.
Virtual Private Cloud (VPC)
When you think about virtual networking in the public cloud of AWS, think VPCs. A VPC allows you to create private virtual networks and use the same concepts that you are already familiar with from traditional networking. With a VPC, you have complete control of your network configuration. You have the ability to isolate resources from or expose resources to the public Internet or to your private host systems inside your corporation.
With AWS VPCs, there are several layers of security controls (as you would expect). For example, security groups and network access control lists (NACLs) act as firewalls. Security groups control traffic into and out of your Elastic Compute Cloud (EC2) instances, whereas NACLs control traffic into and out of your subnets in a VPC.
When you are architecting solutions in AWS, you deploy various services and resources into a VPC in order to make up the full solution. You can be very specific with service and resource placement so you know exactly where in your virtual network the resources reside. These services also conveniently inherit the security you have built into your network. Examples of services you would deploy into a VPC include EC2, Elastic File System (EFS), Relational Database Service (RDS), and Elastic Load Balancing (ELB).
These are the main features of a VPC you should be aware of:
High availability: VPCs build on the high availability built into AWS Regions and Availability Zones (AZs). Your VPCs live within a Region, and you can have multiple VPCs per account.
Subnets: Just like your private network infrastructures, VPCs are made up of subnets that you can use to provide segmentation at Layer 3 (the network layer).
Route tables: You can use route tables to route traffic entering and exiting your subnets. You get this familiar model without needing to worry about physical routers.
Internet gateways (IGWs): An IGW gives you easy-to-configure access to the Internet for your VPC. Figure 15-1 shows an IGW in AWS.
Figure 15-1 An Internet Gateway
NAT gateway: A NAT gateway translates your privately addressed VPC resources to access the Internet using public IP addresses.
NACLs: NACLs allow you to control access to your VPC subnets. They are stateless constructs, which means you must configure inbound and outbound rules, as there is no automatic recognition of state with traffic flows, and there are no automated access entries.