AWS VPC is basically a Nightclub

You must have heard about nightclubs, and some of you might have visited one too. I will be using a nightclub as an analogy to demystify one of the more confusing concepts of AWS from the cloud domain, i.e. the VPC.

Virtual Private Cloud (The perimeter of the club)

As the name suggests, it is something private: your own territory. Think of it as the premises of a club. The club owner has a plot of land on which the club has been built, and it is in the owner's hands what goes out, what stays in, who is allowed where, how many rooms there are, where the entry and exit gates are, and so on. The owner here is the AWS user (the root user, or an IAM identity with the right permissions) who has built the VPC. It is the user's decision how the VPC is laid out and what to do with it.

Subnets (Rooms)

Rooms come in two types: private and public. A private room can be thought of as the VIP lounge or the manager's cabin, where entry for the general public is restricted. This is how a private subnet of a VPC works: the owner (user) decides whom to allow in and whom not to. Public subnets, on the other hand, are like the bar area or the dance floor, which are open to everyone, with no restriction on where you can dance.

When we create an AWS VPC, we specify a range of IP addresses (the VPC's CIDR block), and each subnet takes a slice of that range. Whether a subnet behaves as public or private depends entirely on the route table it uses and whether that route table has a route to an internet gateway.

Internet Gateway (The main entrance)

Without this, people (traffic) cannot enter our club (VPC). After creating the VPC and its subnets (say we decide to make one public and another private), to make any subnet public we need to attach an internet gateway to the VPC, i.e. to give traffic a way in. While building our club, we decide to keep one gate as the main entrance (the internet gateway) through which the crowd (traffic) enters. In technical language, the internet gateway connects our subnet to the internet.

So far we have understood what a VPC, subnets and an internet gateway actually are and what they are used for. To understand a few more important concepts, we will add two instances to our VPC. For now, instances can be thought of as servers; I will break them down in a later blog.

Route table (Instructions for the staff)

Now that we have our network established, we want packets to flow in and out of it. Where packets may come from and where they may go is listed in the route table. It is like giving the club staff instructions on whom to allow, whom to deny, and where to send them. Since we attach these tables to subnets, they also come in two flavours: public and private.

The public subnet's route table has a route for 0.0.0.0/0 (any destination outside the VPC) that points at the internet gateway, so traffic headed for the internet is directed through the main entrance. The private subnet's route table has no such route, so there is no path to the internet from it.
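The public-versus-private rule above can be checked mechanically. The following is an added example (not code from the original post) that classifies subnets from a constructed VPC description; the ids and the dictionary shape are assumptions, not live AWS API calls. It also covers a case the post does not spell out: a subnet with no explicit route table association falls back to the VPC's main route table, so an IGW route in the main table silently makes every new subnet public.

```python
# Constructed VPC description (assumed ids), shaped loosely like the AWS API output.
SAMPLE_VPC = {
    "Subnets": ["subnet-web", "subnet-db", "subnet-new"],
    "AttachedInternetGateways": {"igw-0aaa"},
    "RouteTables": [
        {"Id": "rtb-main", "Main": True, "Associated": [],
         "Routes": [{"Dest": "10.0.0.0/16", "Target": "local"},
                    {"Dest": "0.0.0.0/0", "Target": "igw-0aaa"}]},
        {"Id": "rtb-private", "Main": False, "Associated": ["subnet-db"],
         "Routes": [{"Dest": "10.0.0.0/16", "Target": "local"}]},
        {"Id": "rtb-public", "Main": False, "Associated": ["subnet-web"],
         "Routes": [{"Dest": "10.0.0.0/16", "Target": "local"},
                    {"Dest": "0.0.0.0/0", "Target": "igw-0aaa"}]},
    ],
}

def route_table_for(vpc, subnet):
    """An explicit association wins; a subnet with none uses the VPC's main route table."""
    for rtb in vpc["RouteTables"]:
        if subnet in rtb["Associated"]:
            return rtb
    return next(rtb for rtb in vpc["RouteTables"] if rtb["Main"])

def is_public(vpc, rtb):
    """Public means a 0.0.0.0/0 route whose target is an IGW attached to this VPC."""
    return any(r["Dest"] == "0.0.0.0/0" and r["Target"] in vpc["AttachedInternetGateways"]
               for r in rtb["Routes"])

def classify_subnets(vpc):
    """Return {subnet: 'public' | 'private'} for every subnet in the VPC."""
    return {s: "public" if is_public(vpc, route_table_for(vpc, s)) else "private"
            for s in vpc["Subnets"]}

def public_via_main_table(vpc):
    """Subnets that are public only because the main route table carries the IGW
    route: a common surprise, since every subnet created without an explicit
    association inherits that table."""
    return [s for s in vpc["Subnets"]
            if route_table_for(vpc, s)["Main"] and is_public(vpc, route_table_for(vpc, s))]
```

Keeping the main route table free of an internet gateway route is what makes "private by default" hold for subnets you have not yet associated.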

Security Group (Bouncer)

Just as a bouncer controls who can enter the club or any particular area inside it, security groups are the components of a VPC that check whether a packet is permitted to reach an instance. A security group can be thought of as a virtual firewall that controls the traffic coming into (inbound) and going out of (outbound) the instance.

Security groups have only allow rules, no deny rules: anything not explicitly allowed is dropped. By default they allow all outbound traffic, so there is no restriction on packets leaving the resource unless you remove that default. They are stateful, meaning they remember the decision made for an incoming packet, so the reply to an allowed inbound packet is let out automatically without needing an outbound rule.

Image source :- AWS Documentation

Network Access Control Lists (CCTV cameras)

They work at the entrance level of the club, i.e. at the subnet level of the VPC. They are stateless, so every packet that crosses the subnet border is checked on its own, and the return traffic of a connection must be explicitly allowed as well. They have both inbound and outbound rules, and unlike security groups they support deny rules alongside allow rules.
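The stateful-versus-stateless difference is where most beginners get bitten, so here is an added example (not from the original post) that models both filters in a few lines and runs constructed traffic through them: a client on an ephemeral port opens HTTPS to an instance and the instance replies. The rule shapes and sample addresses are assumptions, kept close to how the AWS console presents them.

```python
import ipaddress

def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

# A packet as the instance sees it: (direction, remote_ip, local_port, remote_port).
class SecurityGroup:
    """Allow rules only, stateful: the reply to an accepted inbound packet is
    let out even when no outbound rule covers it."""
    def __init__(self, inbound, outbound):  # rules: (cidr, port_from, port_to)
        self.inbound, self.outbound, self.flows = inbound, outbound, set()
    def allows(self, pkt):
        direction, remote, lport, rport = pkt
        if direction == "out" and (remote, lport, rport) in self.flows:
            return True  # tracked reply to an allowed inbound flow: no rule needed
        rules, port = (self.inbound, lport) if direction == "in" else (self.outbound, rport)
        ok = any(in_cidr(remote, c) and lo <= port <= hi for c, lo, hi in rules)
        if ok:
            self.flows.add((remote, lport, rport))
        return ok

class NetworkAcl:
    """Numbered allow/deny rules, lowest number first, stateless: every packet,
    replies included, must match a rule or hits the implicit final deny."""
    def __init__(self, inbound, outbound):  # rules: (number, action, cidr, from, to)
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}
    def allows(self, pkt):
        direction, remote, lport, rport = pkt
        port = lport if direction == "in" else rport
        for _, action, cidr, lo, hi in self.rules[direction]:
            if in_cidr(remote, cidr) and lo <= port <= hi:
                return action == "allow"
        return False

# Constructed traffic: a client on an ephemeral port opens HTTPS, the instance replies.
HTTPS_REQUEST = ("in", "203.0.113.5", 443, 51000)
HTTPS_REPLY = ("out", "203.0.113.5", 443, 51000)
ALLOW_443_IN = [(100, "allow", "0.0.0.0/0", 443, 443)]
# Outbound allows only port 443, so the reply to client port 51000 is dropped.
NACL_MISSING_EPHEMERAL = NetworkAcl(ALLOW_443_IN, [(100, "allow", "0.0.0.0/0", 443, 443)])
# The usual fix for a stateless ACL: allow the ephemeral port range outbound.
NACL_WITH_EPHEMERAL = NetworkAcl(ALLOW_443_IN, [(100, "allow", "0.0.0.0/0", 1024, 65535)])
# A deny numbered below the allow blocks one network before the allow is reached.
NACL_BLOCKLIST = NetworkAcl([(50, "deny", "203.0.113.0/24", 0, 65535)] + ALLOW_443_IN,
                            [(100, "allow", "0.0.0.0/0", 1024, 65535)])

def run_scenario(nacl):
    """Independent (sg, nacl) verdicts for the request, then the reply; fresh SG each run."""
    sg = SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[])
    return [(sg.allows(p), nacl.allows(p)) for p in (HTTPS_REQUEST, HTTPS_REPLY)]
```

The security group passes the reply in every scenario because it tracked the request, while the first NACL silently drops it; that asymmetry is the whole reason NACL outbound rules normally include the ephemeral port range.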

Site-to-Site VPN (Regular customer from another city)

Imagine a regular customer from anywhere in the world wants to visit our club, but with a condition: their visit must be completely secret and also secure, yes, the same situation as when some underground or mafia figure visits a club. The same goes for networking: when we want to reach a resource over the internet that is not available in our region or is blocked, we can use a VPN to access it.

AWS Site-to-Site VPN

Features:

  • Creates a private tunnel through which remote users reach their resources. The public internet carries the traffic, but the data inside the tunnel is encrypted and protected.

  • AWS manages the underlying infrastructure, and the service scales automatically as demand requires.

To get a deeper understanding, let us walk through a technical example. Say we want to visit a website but do not want anyone on the path to see what we are doing. With a VPN in place, here is how it works.

  1. Our browser sends a search request, for example "best budget phones 2025".

  2. The VPN client (the app installed on our phone) encrypts this request, wrapping the original request inside a protected packet. The destination of that packet is the VPN server (say, one in Spain).

  3. The encrypted data is sent over the internet via our ISP (Internet Service Provider), say Airtel.

  4. The ISP can see that we are sending data to some server, but it cannot see what is inside, because the packet is encrypted.

  5. The VPN server receives the packet, decrypts it, reads the original request and forwards it to the actual website (e.g. Google).

  6. Google processes the request and sends its response to the VPN server. The VPN server encrypts the response and sends it back through our ISP; this time the packet's destination address is our device, which the ISP can see.

  7. The ISP still cannot read the content; it only forwards the packet. When the VPN client on our device receives it, it decrypts it and the final content is displayed in our browser.

    NOTE: Make sure the VPN you use is a trusted and secure one, because the VPN provider is in a position to see your search history and other activity.

AWS Route 53

This is the DNS (Domain Name System) service provided by AWS. Think of it as Google Maps or a GPS whose job is to tell the browser where to go. It translates a domain name (say armouriq.com) into the IP address of the website, since browsers connect using IP addresses; domain names exist for the convenience of humans. We can buy, register and manage domains through Route 53. It is globally distributed, meaning it has servers around the world, which lets it resolve names quickly and with low latency.

If you are new to the cloud, try learning with analogies; they stick better in the mind. I will be back soon with another blog on another confusing or important topic. Till then, if this analogy helped you understand the concept, share it with your peers or drop your thoughts in the comments. Let's keep learning AWS in a fun way 🚀.

Feel free to connect with me on LinkedIn.

#AWS #CloudComputing #VPC #Networking #CloudBeginners #100DaysOfCloud #TechBlog #DevCommunity #AWSCommunity #Hashnode


Written by

Sanket S Ganorkar