Understanding the basics of AWS VPC and subnets
Virtual Private Cloud (VPC) is a logically isolated network on AWS where you can launch AWS services. When you create an AWS account, it provides a default VPC in each region with the essential network components to help new users start creating resources easily. A default VPC includes a public subnet in each Availability Zone, an internet gateway, and settings to enable DNS resolution.
When you create your own VPC, you need to specify its set of IP addresses using CIDR notation. Classless Inter-Domain Routing (CIDR) notation is a simple way to represent a specific range of IP addresses.
For example, 10.0.0.0/16 covers all IPs from 10.0.0.0 to 10.0.255.255.
Each of the four dot-separated numbers (octets) in an IPv4 address represents 8 bits. The /16 in the CIDR notation above indicates how many of those bits, counted from the left, are fixed and cannot change.
Amazon VPCs can use CIDR ranges between /16 and /28.
Subnets:
Subnets are segments or partitions of a VPC divided by CIDR range. For example, a VPC with CIDR /22 includes a total of 1024 IP addresses and can be evenly divided into 4 subnets of 256 each. Subnets define which parts of the network are accessible to the internet.
In every subnet, the first four and the last IP address are reserved by AWS and cannot be assigned to instances. For a 10.0.0.0/24 subnet:
10.0.0.0 - Network address
10.0.0.1 - Reserved by AWS for the VPC router
10.0.0.2 - Reserved by AWS for mapping to the Amazon-provided DNS
10.0.0.3 - Reserved by AWS for future use
10.0.0.255 - Network broadcast address
Before we dive deeper into VPCs, it is necessary to understand two basic networking components: internet gateways and route tables.
Internet Gateway:
Internet gateways allow communication between the internet and your VPC. They are horizontally scaled, redundant, and highly available by default. They provide a target in your subnet route tables for internet-routable traffic.
To enable internet access for instances in a VPC subnet, follow these steps:
Attach an internet gateway to your VPC.
Ensure your subnet's route table points to the internet gateway.
Make sure instances in your subnet have public IP addresses or elastic IP addresses.
Confirm that your network ACLs (NACLs) and security groups allow the necessary traffic to and from your instances.
Route tables:
Route tables determine where network traffic is directed. There are main (default) and custom route tables. All route tables include a local route entry, which cannot be deleted. Each subnet can have only one route table. It is best practice to use custom route tables for each subnet.
Now let's look at the types of subnets.
Public subnets:
If a subnet's traffic is routed to an internet gateway, it is a public subnet. Resources that must be directly reachable from the internet belong in public subnets. These subnets have a route table entry pointing to an internet gateway.
Private Subnets:
If a subnet's traffic does not have a route to an internet gateway, it is a private subnet. These subnets have no route table entry pointing to an internet gateway and are not directly accessible from the public internet. For restricted, outbound-only internet access (for example, to fetch updates), route the subnet through a NAT gateway or proxy; a bastion host ("jump box") provides controlled administrative access into the private subnet.
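The CIDR arithmetic and the public/private distinction described above, as an added example that is not part of the original article. It uses only the standard library; the route tables and gateway IDs are constructed sample values, not real AWS resources.

```python
import ipaddress

# Every AWS subnet loses 5 addresses: network, router, DNS, future use, broadcast.
AWS_RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Amazon VPC CIDR blocks must be between /16 and /28."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC prefix must be between /16 and /28")
    return net


def carve_subnets(vpc_cidr: str, new_prefix: int) -> list:
    """Split a VPC evenly into /new_prefix subnets and list each one's
    AWS-reserved addresses and usable host count."""
    vpc = validate_vpc_cidr(vpc_cidr)
    if not vpc.prefixlen <= new_prefix <= 28:
        raise ValueError("subnet prefix must be between the VPC prefix and /28")
    subnets = []
    for sn in vpc.subnets(new_prefix=new_prefix):
        base = sn.network_address
        subnets.append({
            "cidr": str(sn),
            "total": sn.num_addresses,
            "usable": sn.num_addresses - AWS_RESERVED_PER_SUBNET,
            "network": str(base),
            "vpc_router": str(base + 1),
            "dns": str(base + 2),
            "future_use": str(base + 3),
            "broadcast": str(sn.broadcast_address),
        })
    return subnets


def classify_subnet(routes: list) -> str:
    """Public if any route targets an internet gateway, otherwise private."""
    return "public" if any(r["target"].startswith("igw-") for r in routes) else "private"


# Constructed sample route tables with hypothetical gateway IDs.
ROUTE_TABLES = {
    "10.0.0.0/24": [{"destination": "10.0.0.0/22", "target": "local"},
                    {"destination": "0.0.0.0/0", "target": "igw-EXAMPLE"}],
    "10.0.1.0/24": [{"destination": "10.0.0.0/22", "target": "local"},
                    {"destination": "0.0.0.0/0", "target": "nat-EXAMPLE"}],
    "10.0.2.0/24": [{"destination": "10.0.0.0/22", "target": "local"}],
}
```

Calling carve_subnets("10.0.0.0/22", 24) yields the four /24 subnets from the text, each with 251 usable addresses, and classify_subnet marks only the subnet routed to the igw- target as public.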
Prefer larger subnets over smaller ones. This simplifies workload placement: choosing where to place a workload among 10 small subnets is more complicated than with one large subnet, and a larger subnet is less likely to waste or run out of IP addresses.
Typical workload placement by subnet type:
Data store instances - Private subnet
Batch processing instances - Private subnet
Backend instances - Private subnet
Web application instances - Public or private subnets