Virtual Private Cloud (VPC) Explained: Key Components and Security Measures
Imagine you need to reach, over the internet, a server whose address inside the cloud network is something like 172.16.73.1. To make that possible without exposing the server directly, DevOps engineers create a Virtual Private Cloud (VPC), which is built from components such as gateways, subnets, route tables, and security groups.
What is a VPC?
A Virtual Private Cloud (VPC) is a logically isolated section of the cloud where you can launch resources in a virtual network that you define. It allows you to control your networking environment, including IP address ranges, subnets, route tables, and network gateways.
Key Components of a VPC
Internet Gateway: This component allows communication between instances in your VPC and the internet. It serves as a bridge between your VPC and the public internet.
Subnets: The IP address range of the VPC is divided into smaller segments called subnets, which can be either public or private. A public subnet's route table has a route to the Internet Gateway, so resources in it can be reached from the internet; a private subnet has no such route and is not directly reachable from the internet.
Route Tables: These contain a set of rules, called routes, that determine where network traffic is directed. Each subnet in your VPC must be associated with a route table.
Elastic Load Balancer (ELB): Distributes incoming traffic across multiple targets, such as EC2 instances, in multiple availability zones. It ensures that your application can handle high traffic and improves fault tolerance.
Security Groups (SG): Act as virtual firewalls for your instances to control inbound and outbound traffic. Security groups are stateful, meaning that if you allow an incoming request, the response is automatically allowed.
Network Access Control Lists (NACLs): An optional layer of security that acts as a firewall for controlling traffic in and out of one or more subnets. NACLs are stateless, so rules for both inbound and outbound traffic must be explicitly defined.
How VPC Components Work Together
Accessing an Application
Internet Gateway: When you access a resource in a VPC from the internet, your traffic first passes through an Internet Gateway, which connects the VPC to the outside world.
Public Subnet: After passing through the gateway, the traffic enters a public subnet, which is reachable from the internet. This is where you typically place an ELB.
ELB to Private Subnet: The ELB forwards traffic to its targets in the private subnet; the route table defines the path between the ELB's subnet and the private subnet containing your application.
Security Groups and NACLs: As traffic reaches the private subnet, the NACL on the subnet and the security group on the instance filter it before it reaches the application.
Let’s break down the process of reaching an application inside a private subnet:
Internet Gateway and Public Subnet: To reach an application in a private subnet, a request first goes through an Internet Gateway and into a public subnet.
Elastic Load Balancer (ELB): In the public subnet, the request is received by the ELB, which balances the load and forwards the request to the correct target.
Route Table: The route table defines the path from the ELB to the private subnet where your application resides.
Security Group: Once in the private subnet, the security group associated with the instance controls the traffic. It ensures only allowed traffic can reach the application.
Application Server: Finally, the request reaches the application server located at the IP address 172.16.3.1.
Network Address Translation (NAT)
When an application within a private subnet needs to access the internet (e.g., to download updates), it uses a NAT Gateway. The NAT Gateway replaces the application's private IP address with its own public IP address, so the instance's private address is never exposed and connections from the internet cannot be initiated toward it.
NAT Gateway: Allows instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances.
NAT Instance: An alternative to a NAT Gateway that performs the same function, but runs as an EC2 instance that you must patch, size, and make highly available yourself.
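The routing decisions described in the two sections above, as an added example that is not part of the original article: a small Python model of AWS route-table lookup (most specific route wins) that classifies a subnet as public, private with NAT egress, or isolated based on its default route. The route table names and the igw-/nat- IDs are constructed placeholders, not real AWS resources.

```python
from ipaddress import ip_address, ip_network

VPC_CIDR = "172.16.0.0/16"

# Route tables modelled as lists of (destination CIDR, target). Every VPC route
# table carries the "local" route for the VPC CIDR; the IDs below are
# constructed placeholders, not real AWS resources.
ROUTE_TABLES = {
    "rtb-public":   [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-EXAMPLE")],
    "rtb-private":  [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-EXAMPLE")],
    "rtb-isolated": [(VPC_CIDR, "local")],
}

def lookup_route(routes, dst_ip):
    """Longest-prefix match, as AWS does: the most specific route wins.
    Returns the target, or None when no route matches (traffic is dropped)."""
    dst = ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target

def classify_subnet(routes):
    """A subnet is public only if its route table sends 0.0.0.0/0 to an
    Internet Gateway. A default route to a NAT Gateway gives outbound-only
    internet access; no default route at all means the subnet is isolated."""
    for cidr, target in routes:
        if cidr == "0.0.0.0/0":
            if target.startswith("igw-"):
                return "public"
            if target.startswith("nat-"):
                return "private-nat"
    return "isolated"

def reachable_from_internet(routes):
    """Inbound connections from the internet need a path through an IGW;
    a NAT Gateway never accepts connections initiated from outside."""
    return classify_subnet(routes) == "public"

if __name__ == "__main__":
    for name, routes in ROUTE_TABLES.items():
        print(name, classify_subnet(routes),
              "| to 172.16.3.1 ->", lookup_route(routes, "172.16.3.1"),
              "| to 198.51.100.7 ->", lookup_route(routes, "198.51.100.7"))
```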
Securing VPC Components
Security Groups (SG): Applied at the instance level. By default, a security group denies all inbound traffic and allows all outbound traffic, except for certain ports like port 25 (to prevent email spamming).
NACLs: Applied at the subnet level. NACLs can allow or deny specific inbound and outbound traffic. NACL rules are evaluated in ascending order, from the lowest to the highest rule number, and the first matching rule is applied.
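The NACL evaluation order and the stateless behaviour described above, as an added example (not code from the article): a Python model that applies NACL rules in ascending rule number with the implicit "*" deny at the end, shows a deny rule shadowed by a lower-numbered allow, and contrasts an outbound rule set that silently blocks reply traffic with one that permits the ephemeral-port range. Rule numbers, CIDRs and ports are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# NACL rule: (rule_number, protocol, port_from, port_to, cidr, action).
# All rule numbers, addresses and ports here are constructed sample values.
def evaluate_nacl(rules, proto, port, peer_ip):
    """AWS evaluates NACL rules in ascending rule number and applies the first
    match; if nothing matches, the implicit '*' rule denies the packet."""
    for num, rproto, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if rproto in (proto, "all") and lo <= port <= hi \
                and ip_address(peer_ip) in ip_network(cidr):
            return num, action
    return "*", "deny"

def https_session_allowed(inbound, outbound, client_ip, ephemeral_port):
    """A NACL is stateless: the client's request (to port 443) is checked by
    the inbound rules, and the server's reply (to the client's ephemeral port)
    is checked separately by the outbound rules. Both must allow."""
    _, req = evaluate_nacl(inbound, "tcp", 443, client_ip)
    _, reply = evaluate_nacl(outbound, "tcp", ephemeral_port, client_ip)
    return req == "allow" and reply == "allow"

INBOUND = [
    (100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    # Shadowed: rule 100 already matched this traffic, so 110 never applies.
    (110, "tcp", 443, 443, "203.0.113.0/24", "deny"),
    # Effective: a lower number than the broad allow is evaluated first.
    (90, "tcp", 443, 443, "198.51.100.0/24", "deny"),
]
# Weak outbound set: only outbound HTTPS is allowed, so replies to inbound
# HTTPS clients (sent to ports 1024-65535) hit the implicit deny.
OUTBOUND_WEAK = [(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
# Corrected set: add the ephemeral-port range so reply traffic can leave.
OUTBOUND_FIXED = OUTBOUND_WEAK + [(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print(evaluate_nacl(INBOUND, "tcp", 443, "203.0.113.9"))   # (100, 'allow')
    print(evaluate_nacl(INBOUND, "tcp", 443, "198.51.100.9"))  # (90, 'deny')
    print(https_session_allowed(INBOUND, OUTBOUND_WEAK, "192.0.2.5", 51000))   # False
    print(https_session_allowed(INBOUND, OUTBOUND_FIXED, "192.0.2.5", 51000))  # True
```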
Shared Responsibility Model
Security in AWS is a shared responsibility between AWS and the customer:
AWS: Provides the underlying infrastructure, the APIs, and the VPC components themselves, such as SGs and NACLs.
Customer (DevOps Engineer): Responsible for configuring these components correctly to secure their applications and data.
Conclusion
Understanding and configuring VPC components like Internet Gateways, Subnets, Route Tables, Security Groups, and NACLs is crucial for building a secure and efficient cloud infrastructure. By properly managing these components, you can ensure that your applications are both accessible and protected.