Lab 1 - Building a VPC with Public/Private Subnets, NAT Gateway & Security Groups


A Virtual Private Cloud
A public subnet is a subnet whose route table sends Internet-bound traffic (0.0.0.0/0) to an Internet gateway; an instance in it that has a public IP address can be reached from the Internet. This is where you put your web server. A private subnet has no such route, so it cannot be reached directly from the Internet. As a security measure, your database and application servers belong in the private subnet.
A NAT gateway lets instances in a private subnet initiate outbound connections to the Internet (for patching, package downloads and the like) while the Internet still cannot initiate connections back to them; it does not make the private subnet reachable from outside. The NAT gateway itself resides in a public subnet.
A security group is a virtual firewall that controls traffic into and out of an instance's network interface. It has allow rules only; anything not explicitly allowed is dropped. A new security group allows no inbound traffic, so you must add an inbound rule before anything can reach the instance, while its default outbound rule lets all traffic leave. Security groups are stateful: responses to allowed inbound traffic are allowed to leave the instance regardless of the outbound rules, and responses to allowed outbound traffic are allowed back in.
Every AWS account has a default VPC in each region, with a default subnet in each availability zone, a default Internet gateway and a main route table that sends 0.0.0.0/0 to that gateway. This gives instances launched in the default VPC Internet connectivity automatically. It is good practice to create your own VPC when launching resources for development or production, so that you control exactly what is exposed.
I will demonstrate how easy it is to create a VPC with private and public subnets and then launch two instances into those subnets. I will also show how to create an Internet gateway and attach it to the VPC. Route tables will then be created and associated with the subnets. Finally, a NAT gateway will be launched, showing how instances in a private subnet can reach the Internet through it. This article offers some useful hints on how to go about all of this.
Here are the steps to guide us:
From your AWS Management Console, search for VPC and click "Create VPC". Enter your private IP range, for example 10.0.0.0/16, which gives 65,536 addresses (2 to the power of 32 minus 16). This is the pool from which the subnets will be carved. CIDR, which stands for Classless Inter-Domain Routing, writes an address block as a base address plus a prefix length; it replaced the older classful system and allows blocks to be allocated at any power-of-two size. AWS accepts a VPC block anywhere from /16 (65,536 addresses) down to /28 (16 addresses). We will name our VPC "MyVPC".
Create the subnets. As mentioned above, subnets are an integral part of the VPC: they let the architect or engineer divide the VPC address space into logical units. Each subnet is a contiguous range of IP addresses that lives in exactly one availability zone. An availability zone is a part of a larger geographical region in which AWS data centres are located. For instance, most of my labs are carried out in the eu-west-1 region, which is Europe West 1 in Dublin, Ireland. There is also eu-west-2, which is London, UK. Other AWS regions are in the United States, Canada, South America, Asia and Africa (South Africa).
So from the sidebar of the VPC console, select "Subnets" and then "Create subnet".
We will create four (4) subnets: two private and two public, with two subnets in each availability zone. By the way, an availability zone (fondly known as an AZ) consists of one or more discrete data centres, each with redundant power, networking and connectivity, housed in separate facilities. So we will use two availability zones for starters. This provides resilience for our resources should one availability zone fail. In our case we use eu-west-1a and eu-west-1b. For our subnets we will create PrivateSubnetA, PrivateSubnetB, PublicSubnetA and PublicSubnetB: one public and one private subnet in each availability zone.
In summary we have the following (the counts are raw block sizes; AWS reserves the first four and the last address of every subnet, so a /24 leaves 251 usable hosts and a /20 leaves 4,091):
PublicSubnetA with CIDR 10.0.0.0/24 --> 256 addresses, in the first availability zone (eu-west-1a), and
PublicSubnetB with CIDR 10.0.1.0/24 --> 256 addresses, in the second availability zone (eu-west-1b).
PrivateSubnetA with CIDR 10.0.16.0/20 --> 4,096 addresses, in the first availability zone, and
PrivateSubnetB with CIDR 10.0.32.0/20 --> 4,096 addresses, in the second availability zone.
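Before clicking through the console it is worth checking the plan on paper. The following is an added example, not code from the original lab: it uses Python's standard ipaddress module to confirm that each subnet sits inside the VPC block, that no two subnets overlap (AWS rejects overlapping subnets), that the prefix lengths are within the /16 to /28 range AWS allows, and to compute the usable host count after the five addresses AWS reserves per subnet. The VPC block, subnet names, CIDRs and zones are the lab's own MyVPC plan.

```python
# Added example (not part of the original lab): check a subnet plan with
# Python's standard ipaddress module before creating anything in the console.
# The VPC block and subnet names/CIDRs below are the lab's MyVPC plan.
import ipaddress

# AWS keeps the first four and the last address of every subnet (network,
# VPC router, Amazon DNS, reserved, broadcast), so usable hosts = size - 5.
AWS_RESERVED_PER_SUBNET = 5

VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = {
    "PublicSubnetA":  ("10.0.0.0/24", "eu-west-1a"),
    "PublicSubnetB":  ("10.0.1.0/24", "eu-west-1b"),
    "PrivateSubnetA": ("10.0.16.0/20", "eu-west-1a"),
    "PrivateSubnetB": ("10.0.32.0/20", "eu-west-1b"),
}


def usable_hosts(cidr: str) -> int:
    """Addresses in the block minus the five AWS reserves."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_plan(vpc_cidr: str, plan: dict) -> list:
    """Return a list of problems; an empty list means the plan is sound.

    Checks that each CIDR is on its own block boundary, lies inside the VPC
    block, respects AWS subnet sizes (/16 largest, /28 smallest) and that
    no two subnets overlap, since AWS rejects overlapping subnets.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, nets = [], {}
    for name, (cidr, _az) in plan.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if str(net) != cidr:
            problems.append(f"{name}: {cidr} is not on a /{net.prefixlen} boundary (did you mean {net}?)")
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} lies outside the VPC block {vpc_cidr}")
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{name}: /{net.prefixlen} is outside the AWS range /16 to /28")
        nets[name] = net
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


if __name__ == "__main__":
    for name, (cidr, az) in SUBNET_PLAN.items():
        print(f"{name:15} {cidr:15} {az}  usable hosts: {usable_hosts(cidr)}")
    print("problems:", validate_plan(VPC_CIDR, SUBNET_PLAN) or "none")
```

Run it as a script and it prints one line per subnet plus any problems found; an empty problem list is what you want to see before creating the subnets. The same function catches the two mistakes that most often break a lab: a base address that is not on the block boundary (10.0.5.7/24 instead of 10.0.5.0/24) and two subnets carved from the same range.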
Security of the subnets
A well-architected VPC ensures that subnets are not a thoroughfare. Traffic must be controlled so that resources inside cannot be accidentally tampered with or, worse, criminally compromised. For this there are network access control lists, or NACLs, which secure the subnets. A NACL is a firewall at the subnet boundary that controls traffic into and out of the subnet. Each subnet is associated with exactly one NACL (one NACL can cover several subnets), and a new subnet gets the VPC's default NACL, which allows all traffic. A NACL is governed by numbered allow and deny rules that the engineer defines; rules are evaluated from the lowest number upwards, the first match wins, and an implicit final rule denies everything else. NACLs are stateless, meaning each packet is evaluated independently against the rules. If you allow inbound traffic, you must explicitly allow the corresponding outbound return traffic, and vice versa; in practice that means allowing the ephemeral port range (1024-65535) in the return direction, a step that is easy to forget and that leaves connections half-open.
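The difference between the stateful security group described earlier and the stateless NACL is easiest to see on a single request and its reply. The following is an added example, not code from the original lab or from AWS: a small Python model of both evaluation styles. The rules, the client address 203.0.113.7 and the port numbers are constructed for the illustration. It shows the common lab mistake of mirroring port 443 on the NACL's outbound side (the reply is addressed to the client's ephemeral port and is dropped), the fix (an outbound rule for 1024-65535), and that a security group admits the same reply with no outbound rule at all because it tracks the flow.

```python
# Added example (not part of the original lab): a small model of the two
# firewalls described above. Rules, packets and addresses are constructed
# here to show why a stateless NACL needs a return rule and a stateful
# security group does not. It is not AWS's own evaluation code.
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = towards the instance/subnet, "out" = leaving it
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_port: int
    peer: str        # address of the remote host


@dataclass(frozen=True)
class Rule:
    number: int      # NACL evaluation order (lowest first); unused by SGs
    direction: str
    proto: str       # "tcp", "udp" or "all"
    port_lo: int
    port_hi: int
    cidr: str
    action: str = "allow"   # NACL rules may also "deny"; SG rules only allow


def _matches(rule: Rule, pkt: Packet) -> bool:
    peer_ok = ipaddress.ip_network(pkt.peer).subnet_of(ipaddress.ip_network(rule.cidr))
    return (rule.direction == pkt.direction
            and rule.proto in (pkt.proto, "all")
            and rule.port_lo <= pkt.dst_port <= rule.port_hi
            and peer_ok)


def nacl_decision(rules, pkt: Packet) -> str:
    """Stateless: each packet is judged alone. First matching rule wins;
    the implicit trailing '*' rule denies anything that matched nothing."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful: a packet allowed by a rule opens a flow, and the reply
    travelling the opposite way is admitted with no rule of its own."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()

    def decision(self, pkt: Packet) -> str:
        flipped = "out" if pkt.direction == "in" else "in"
        # A reply swaps the two ports and the direction; the peer stays the same.
        if (flipped, pkt.proto, pkt.dst_port, pkt.src_port, pkt.peer) in self.flows:
            return "allow"
        if any(_matches(r, pkt) for r in self.rules):
            self.flows.add((pkt.direction, pkt.proto, pkt.src_port, pkt.dst_port, pkt.peer))
            return "allow"
        return "deny"


def demo() -> dict:
    """An HTTPS request from a constructed client and the server's reply."""
    request = Packet("in", "tcp", src_port=51234, dst_port=443, peer="203.0.113.7")
    reply = Packet("out", "tcp", src_port=443, dst_port=51234, peer="203.0.113.7")

    # Common lab mistake: mirroring port 443 outbound. The reply is addressed
    # to the client's ephemeral port, so it matches nothing and is dropped.
    naive_nacl = [Rule(100, "in", "tcp", 443, 443, ANY),
                  Rule(100, "out", "tcp", 443, 443, ANY)]
    fixed_nacl = naive_nacl + [Rule(110, "out", "tcp", 1024, 65535, ANY)]

    # Security group with an inbound HTTPS rule and, for contrast, every
    # outbound rule removed (AWS's default would be allow-all outbound).
    sg = SecurityGroup([Rule(0, "in", "tcp", 443, 443, ANY)])
    return {
        "nacl_naive_reply": nacl_decision(naive_nacl, reply),   # deny
        "nacl_fixed_reply": nacl_decision(fixed_nacl, reply),   # allow
        "sg_request": sg.decision(request),                     # allow, opens flow
        "sg_reply": sg.decision(reply),                         # allow via flow state
        "sg_unsolicited_out": sg.decision(Packet("out", "tcp", 40000, 80, "198.51.100.9")),  # deny
    }
```

Because NACL rules are ordered, an explicit deny with a lower number than a broad allow (for example, deny 22/tcp at rule 90, allow all TCP at rule 100) blocks SSH even though the later rule would have permitted it; security groups have no deny rules, so that kind of block-list belongs on the NACL.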
Launch EC2 instances in the 4 subnets
An EC2 instance is a virtual server in Amazon's Elastic Compute Cloud (EC2) service. It lets you rent computing capacity in the cloud, much like using a machine in a data centre. EC2 offers many instance types, each with a different combination of CPU, memory, storage and networking, to match different workloads. For this lab we choose an Amazon Linux AMI on a free-tier eligible instance type, which will not incur costs for the duration of the exercise. Launching an EC2 instance is usually a breeze, but be careful to choose the right VPC, subnet and security group. You would normally also select an SSH key pair if you intend to log in to the instance remotely; that is not needed for this lab.
In this lab, we will launch instances into the public and private subnets of our created VPC, "MyVPC".
The two instances were launched with a security group, My-saa-sg, which provides both the inbound and outbound rules for the instances.
Create an Internet Gateway and attach to the VPC
An Internet gateway is a highly available VPC component that acts as the bridge between a VPC and the Internet. It enables resources in the VPC to send traffic to (egress) and receive traffic from (ingress) the Internet, performing the one-to-one translation between an instance's private address and its public IPv4 address. Without an Internet gateway, instances in our subnets can still talk to each other within the VPC but cannot reach, or be reached from, the Internet. So as part of this exercise we create an Internet gateway and attach it to "MyVPC".
Create Route Tables. Attaching an Internet gateway by itself is not enough to connect a VPC to the public Internet; the path has to be defined explicitly in a route table. A route table contains rules (routes) that determine where traffic leaving a subnet is sent. Every route table carries a local route for the VPC's own CIDR, and anything beyond that must be added. The public and private subnets are both in "MyVPC", but since we want only the public subnets to be reachable from the Internet, we use two route tables: a public route table and a private route table.
As the diagrams above show, the public route table has a route for 0.0.0.0/0 that targets the Internet gateway, while the private route table has only the local route.
The next logical step is to associate the public subnets with the public route table and the private subnets with the private route table. A subnet that is not explicitly associated with a route table falls back to the VPC's main route table, so check that the main table does not carry the Internet gateway route.
Create a NAT Gateway. As things stand, the instance in the private subnet cannot communicate with the outside world because its route table has no route to the Internet gateway. This is perfect for resources such as databases, where traffic is closely guarded. There comes a time, however, when such a resource needs to reach the Internet for maintenance tasks like patching or updates, and we need a secure way to do that. A Network Address Translation (NAT) gateway is a managed service provided by Amazon Web Services (AWS) that lets instances in a private subnet initiate connections to services outside the VPC, while unsolicited inbound connections from the Internet are still dropped. Some useful facts about the NAT gateway:
> AWS-managed NAT, higher bandwidth, high availability, no administration
> Pay per hour for usage and bandwidth
> NATGW is created in a specific Availability Zone, uses an Elastic IP
> Can't be used by an instance in the same subnet (only from other subnets)
> Requires an IGW(Private Subnet => NATGW => IGW)
Creating a NAT gateway is pretty straightforward. The following steps suffice:
(i) From the Amazon VPC console, select NAT gateways in the navigation pane.
(ii) Choose Create NAT gateway.
(iii) Specify a name for the NAT gateway.
(iv) Select the subnet in which to create the NAT gateway. For a public NAT gateway this must be one of the public subnets, here PublicSubnetA.
(v) For Connectivity type, leave the default Public to create a public NAT gateway, or choose Private to create a private NAT gateway. A public NAT gateway has an Elastic IP and sends traffic to the Internet through the VPC's Internet gateway; a private NAT gateway has no Elastic IP and is used to reach other VPCs or on-premises networks through a transit gateway or virtual private gateway. This lab needs a public one.
(vi) For a public NAT gateway, choose an Elastic IP allocation ID to assign an existing EIP, or choose Allocate Elastic IP to allocate a new one. By default you can associate up to two Elastic IP addresses with a public NAT gateway.
(vii) Choose Create NAT gateway.
The gateway does nothing on its own: finish by adding a route for 0.0.0.0/0 to the private route table with the new NAT gateway as its target, so that Internet-bound traffic from the private subnets flows Private Subnet => NAT gateway => Internet gateway.
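Everything clicked through the console from "Create VPC" to the NAT gateway can also be written down as data, which makes the public/private distinction explicit and reviewable. The following is an added example, not the lab's own code or an AWS artifact: a Python script that emits a CloudFormation template for the same MyVPC build (VPC, four subnets, Internet gateway, two route tables, NAT gateway in PublicSubnetA, and a web security group). The resource names in the template, the HTTPS-only security group, and the helper that lists which route tables lead straight to the Internet gateway are all choices made for this example.

```python
# Added example (not part of the original lab): the MyVPC build as a
# CloudFormation template generated with plain Python. Only the public route
# table gets 0.0.0.0/0 via the Internet gateway; the private route table gets
# 0.0.0.0/0 via the NAT gateway that lives in PublicSubnetA. Resource names
# and the HTTPS-only security group are this example's own choices.
import json

AZS = {"A": "eu-west-1a", "B": "eu-west-1b"}
PUBLIC = {"A": "10.0.0.0/24", "B": "10.0.1.0/24"}
PRIVATE = {"A": "10.0.16.0/20", "B": "10.0.32.0/20"}


def ref(name):
    return {"Ref": name}


def subnet(vpc, cidr, az, public):
    return {"Type": "AWS::EC2::Subnet", "Properties": {
        "VpcId": ref(vpc), "CidrBlock": cidr, "AvailabilityZone": az,
        # Only public subnets hand out public IPv4 addresses at launch.
        "MapPublicIpOnLaunch": public}}


def build_template():
    r = {
        "MyVPC": {"Type": "AWS::EC2::VPC", "Properties": {
            "CidrBlock": "10.0.0.0/16", "EnableDnsSupport": True, "EnableDnsHostnames": True}},
        "InternetGateway": {"Type": "AWS::EC2::InternetGateway"},
        "IgwAttachment": {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {
            "VpcId": ref("MyVPC"), "InternetGatewayId": ref("InternetGateway")}},
        "PublicRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": ref("MyVPC")}},
        "PrivateRouteTable": {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": ref("MyVPC")}},
        # The IGW route must wait for the attachment or stack creation can fail.
        "PublicDefaultRoute": {"Type": "AWS::EC2::Route", "DependsOn": "IgwAttachment", "Properties": {
            "RouteTableId": ref("PublicRouteTable"), "DestinationCidrBlock": "0.0.0.0/0",
            "GatewayId": ref("InternetGateway")}},
        "NatEip": {"Type": "AWS::EC2::EIP", "Properties": {"Domain": "vpc"}},
        "NatGateway": {"Type": "AWS::EC2::NatGateway", "Properties": {
            "AllocationId": {"Fn::GetAtt": ["NatEip", "AllocationId"]},
            "SubnetId": ref("PublicSubnetA"), "ConnectivityType": "public"}},
        "PrivateDefaultRoute": {"Type": "AWS::EC2::Route", "Properties": {
            "RouteTableId": ref("PrivateRouteTable"), "DestinationCidrBlock": "0.0.0.0/0",
            "NatGatewayId": ref("NatGateway")}},
        "WebSecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "GroupDescription": "HTTPS from anywhere; egress left at the default allow-all",
            "VpcId": ref("MyVPC"),
            "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                                      "CidrIp": "0.0.0.0/0"}]}},
    }
    # One public and one private subnet per AZ, each tied to its tier's route table.
    for tier, cidrs, public, rt in (("Public", PUBLIC, True, "PublicRouteTable"),
                                     ("Private", PRIVATE, False, "PrivateRouteTable")):
        for suffix, cidr in cidrs.items():
            name = f"{tier}Subnet{suffix}"
            r[name] = subnet("MyVPC", cidr, AZS[suffix], public)
            r[f"{name}Assoc"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
                "SubnetId": ref(name), "RouteTableId": ref(rt)}}
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": r}


def internet_reachable_route_tables(template):
    """Route tables that send 0.0.0.0/0 straight to an Internet gateway, which
    is the textbook definition of 'public'. The private table must not appear."""
    out = set()
    for res in template["Resources"].values():
        p = res.get("Properties", {})
        if (res["Type"] == "AWS::EC2::Route" and p.get("DestinationCidrBlock") == "0.0.0.0/0"
                and "GatewayId" in p):
            out.add(p["RouteTableId"]["Ref"])
    return out


if __name__ == "__main__":
    print(json.dumps(build_template(), indent=2))
```

Redirect the output to a file and deploy it with `aws cloudformation deploy --stack-name myvpc --template-file myvpc.json`; deleting the stack afterwards tears down every resource, including the NAT gateway and its Elastic IP, which is the cleanup step most often forgotten when the lab is built by hand.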
At the end of the lab, it is always good practice to clean up. Terminate the EC2 instances, delete the NAT gateway and release its Elastic IP (the NAT gateway is billed per hour even when idle and is not part of the free tier, and an Elastic IP that is never released keeps accruing charges), then detach and delete the Internet gateway and finally delete the VPC.
In another lab, I will focus on the functionality of the NAT gateway and show how an instance in a private subnet reaches the Internet through a NAT gateway sitting in a public subnet.
So in rounding off, this lab demonstrates some of the basic functions of a Virtual Private Cloud. I have defined what a subnet is, what an availability zone is, and the importance of security groups and NACLs.
I also showed how to launch an EC2 instance in public and private subnets. Finally, the importance of an Internet gateway and a NAT gateway was highlighted.
I look forward to further labs to illuminate the daily realities of a Solutions Architect.
Written by

Obioma Osuagwu
I am an IT professional currently based in Lagos, Nigeria. I am an AWS Solutions Architect and hold a Google IT expert certification.