🚀 Day 46: Networking in the Cloud – VPCs, Subnets, Gateways, and Peering

This guide explores essential AWS networking concepts—Virtual Private Clouds (VPCs), Subnets, Gateways, and VPC Peering—critical for building secure and scalable cloud architectures. The hands-on focus is on creating an AWS network diagram using Lucidchart, a popular diagramming tool, to visualize a VPC setup with public and private subnets, gateways, and peering. This tutorial provides step-by-step instructions, explanations, and best practices for Cloud/DevOps engineers.

---

🔎 Why Cloud Networking Matters

Networking in the cloud enables secure, isolated, and scalable environments for deploying applications. AWS’s networking framework, centered around VPCs, allows you to design custom virtual networks with fine-grained control over IP ranges, routing, and security. Mastering these components is a core skill for managing cloud infrastructure, ensuring resources are secure, accessible, and optimized for performance.

---

1. AWS Networking Concepts

1.1 Virtual Private Cloud (VPC)

• What: A logically isolated virtual network in AWS where you launch resources (e.g., EC2 instances, RDS databases).

• Key Features:

  • Customizable IP ranges (CIDR blocks, e.g., 10.0.0.0/16).

  • Isolation from other VPCs unless explicitly connected (e.g., via peering or VPN).

  • Control over subnets, routing, and security settings.

• Use Case: Host applications in a private, secure environment with controlled access.

1.2 Subnets

• What: Subdivisions of a VPC’s IP range, used to organize resources within specific Availability Zones (AZs).

• Types:

  • Public Subnet: Has a route to the internet via an Internet Gateway, used for internet-facing resources (e.g., web servers).

  • Private Subnet: No direct internet access, used for secure resources (e.g., databases).

• Example: A VPC with CIDR 10.0.0.0/16 might have a public subnet (10.0.1.0/24) and a private subnet (10.0.2.0/24).

1.3 Gateways

• Internet Gateway (IGW):

  • Connects a VPC to the internet, enabling public subnets to send/receive traffic.

  • Attached to a VPC and referenced in route tables.

• NAT Gateway:

  • Allows private subnets to access the internet for outbound traffic (e.g., software updates) without exposing them to inbound connections.

  • Resides in a public subnet.

• Virtual Private Gateway (VGW):

  • Used for VPN or AWS Direct Connect to link on-premises networks to a VPC.

• Use Case: Control internet access and connectivity between cloud and on-premises environments.

1.4 VPC Peering

• What: A private connection between two VPCs to route traffic using private IP addresses.

• Key Features:

  • Enables resource sharing across VPCs (e.g., between dev and prod environments).

  • Not transitive (VPC A ↔ VPC B and VPC B ↔ VPC C does not imply VPC A ↔ VPC C).

• Use Case: Share data between applications in different VPCs without public internet exposure.

---

2. Hands-On: Creating an AWS Network Diagram in Lucidchart

This hands-on exercise guides you through creating an AWS network diagram in Lucidchart to visualize:

• A VPC with public and private subnets.

• An Internet Gateway and NAT Gateway.

• A second VPC with a peering connection.

• EC2 instances and security groups to represent resources and traffic flow.

Prerequisites

• A Lucidchart account (free tier is sufficient; sign up at Lucidchart).

• Basic knowledge of AWS networking concepts.

• A web browser for Lucidchart’s web-based editor.

Step 1: Set Up Lucidchart

1. Log In or Sign Up:

   • Visit Lucidchart and create or log into your account.

   • The free tier allows up to 60 shapes per diagram, sufficient for this exercise.

2. Create a New Diagram:

   • Click New > Blank Document in the dashboard.

   • Name the diagram (e.g., “AWS VPC Network Diagram”).

   • Optionally, select the AWS Architecture template for pre-configured AWS shapes.

3. Enable AWS Shape Library:

   • In the left sidebar, click the Shapes icon (or press M).

   • Search for AWS Architecture and enable the AWS shape libraries (e.g., AWS 2019 or AWS 2023).

   • Select categories: Compute, Networking & Content Delivery, Security, and General.

Step 2: Build the Diagram

2.1 Add VPC A

• Drag a VPC shape (a rectangular boundary) from the AWS shape library onto the canvas.

• Label it VPC A (10.0.0.0/16) using a text box (click Text tool or press T).

2.2 Add Subnets

• Drag two Subnet shapes into VPC A.

• Label them:

  • Public Subnet (10.0.1.0/24) in Availability Zone us-east-1a.

  • Private Subnet (10.0.2.0/24) in us-east-1a.

• Add a text box for the Availability Zone: us-east-1a.

2.3 Add EC2 Instances

• From the Compute category, drag an EC2 Instance shape into each subnet.

• Label them:

  • Web Server in the Public Subnet.

  • Database Server in the Private Subnet.

2.4 Add Internet Gateway

• Drag an Internet Gateway shape (from Networking & Content Delivery) outside VPC A.

• Label it Internet Gateway.

• Draw an arrow from the Public Subnet to the Internet Gateway:

  • Use the Line tool and select an arrow style.

  • Label the arrow Internet Access.

2.5 Add NAT Gateway

• Drag a NAT Gateway shape into the Public Subnet (NAT Gateways reside in public subnets).

• Label it NAT Gateway.

• Draw an arrow from the Private Subnet to the NAT Gateway, labeled Outbound Internet.

2.6 Add Route Tables

• Drag two Route Table shapes into VPC A.

• Label them:

  • Public Route Table: 0.0.0.0/0 → igw-xxxx (routes to Internet Gateway).

  • Private Route Table: 0.0.0.0/0 → nat-xxxx (routes to NAT Gateway).

• Draw connectors from each subnet to its respective route table.

2.7 Add VPC B with Peering

• Drag another VPC shape and label it VPC B (10.1.0.0/16).

• Add a Subnet labeled Private Subnet (10.1.1.0/24) in us-east-1a.

• Add an EC2 Instance labeled App Server.

• Drag a VPC Peering Connection shape (double-headed arrow) between VPC A and VPC B, labeled VPC Peering (pcx-xxxx).

• Add route table entries:

  • For VPC A Route Tables: 10.1.0.0/16 → pcx-xxxx.

  • For VPC B Route Table: 10.0.0.0/16 → pcx-xxxx.

2.8 Add Security Groups

• Drag Security Group shapes around each EC2 instance.

• Label them:

  • Web SG (Public Subnet, VPC A): Allow HTTP (80), HTTPS (443), SSH (22).

  • DB SG (Private Subnet, VPC A): Allow MySQL (3306) from Web SG.

  • App SG (Private Subnet, VPC B): Allow port 8080 from Web SG.

• Draw arrows to show traffic flow (e.g., Web SG → DB SG for MySQL).

2.9 Add the Internet

• Drag a Cloud shape (from General or AWS General) to represent the internet.

• Connect the Internet Gateway to the Cloud with an arrow labeled Public Internet.

Step 3: Enhance the Diagram

• Organize Layout:

  • Use Arrange > Align to align shapes neatly.

  • Group related components (e.g., VPC A and its subnets) for clarity.

• Add Colors:

  • Use green for public subnets, blue for private subnets, and red for the peering connection.

• Add Notes:

  • Use text boxes to explain components (e.g., “NAT Gateway enables outbound traffic for private subnet”).

• Use Layers (Optional):

  • Create separate layers for VPC A, VPC B, and the internet (click Layers in the right panel).

Step 4: Save and Export

• Save: Click File > Save or use auto-save.

• Export: Click File > Download As and select PNG, PDF, or JPEG.

• Share: Use Share > Generate Link or invite collaborators.

Step 5: Diagram Overview

The final diagram includes:

• VPC A (10.0.0.0/16):

  • Public Subnet (10.0.1.0/24) with Web Server and NAT Gateway.

  • Private Subnet (10.0.2.0/24) with Database Server.

  • Internet Gateway and Route Tables.

• VPC B (10.1.0.0/16):

  • Private Subnet (10.1.1.0/24) with App Server.

• VPC Peering: Connecting VPC A and VPC B.

• Security Groups: Controlling traffic (e.g., HTTP, MySQL, custom ports).

• Internet: Connected via the Internet Gateway.

Best Practices

• Use Official AWS Icons: Ensure consistency with AWS architecture icons.

• Label Clearly: Include CIDR blocks, resource names, and port numbers.

• Show Traffic Flow: Use arrows to depict data paths (e.g., public subnet to internet, private subnet to NAT Gateway).

• Keep It Simple: Focus on key components to avoid clutter.

• Document Assumptions: Add notes (e.g., “Private subnets are not internet-accessible”).

• Follow AWS Best Practices:

  • Use public subnets for internet-facing resources (e.g., web servers).

  • Use private subnets for secure resources (e.g., databases).

  • Implement Security Groups and Network ACLs for access control.

Troubleshooting

• Shape Library Missing: Ensure AWS libraries are enabled in the Shapes panel.

• Free Tier Limits: Simplify the diagram if you hit the 60-shape limit (free tier).

• Alignment Issues: Use Lucidchart’s grid or alignment tools.

• Export Quality: Choose high-resolution formats (e.g., PNG at 300 DPI).

Cloud-Specific Notes

• Security Groups: Use granular rules (e.g., allow SSH only from trusted IPs or bastion hosts).

• Network ACLs: Add stateless filtering at the subnet level for additional security.

• High Availability: Deploy subnets across multiple Availability Zones (e.g., us-east-1a, us-east-1b).

• Alternatives: Consider AWS Transit Gateway for complex multi-VPC setups or AWS Direct Connect for on-premises connectivity.

Additional Resources

• AWS VPC Documentation

• Lucidchart AWS Architecture Guide

• AWS Well-Architected Framework

• AWS Networking Fundamentals

For further assistance, consult AWS documentation or your cloud architect.

---

👨‍💻 Author

Ritesh Singh
🌐 LinkedIn | 📝 Hashnode | GitHub

#100DaysOfDevOps #CICD #GitHubActions #DevOps #Beginner #100DaysOfDevOps #Networking #Security #Linux #CloudComputing #Firewalls #DNS #DHCP #NAT