Networking on the Cloud (AWS)


Networking on AWS was a pain in the behind for me when I got started on the cloud, so I can relate to whoever's reading this. In my effort to simplify it, I was able to break it down into four key components that work together: VPC, Subnets, Route Tables, and Gateways (Internet & NAT).
It’s easier to understand by imagining your AWS environment as a house.
The House (VPC)
Every AWS account comes with a default Virtual Private Cloud (VPC) in each region, and you can create your own. A VPC is a logically isolated network with its own private IP address range (for example 10.0.0.0/16). This private "house" is where you host all your cloud resources like servers, databases, and storage buckets; think of these as your furniture, electronics, and decor.
The Rooms (Subnets)
Subnets are the rooms inside the house. Some rooms, like the living room, are more open to guests (public subnets). Others, like bedrooms, are more private and require special permission to enter (private subnets). Each subnet is a slice of the VPC's address range (for example 10.0.1.0/24) that lives in a single Availability Zone. What makes a subnet "public" or "private" is not a setting on the subnet itself but whether the route table attached to it has a route to an Internet Gateway.
Front Door (Internet Gateway)
The Internet Gateway is the front door of your house (VPC). You attach it to your VPC (house) to allow communication between your resources and the public internet. It's the main entrance for traffic coming in and out. Two things have to be true for a resource to be reachable through it: its subnet's route table must send internet-bound traffic to the gateway, and the resource must have a public IPv4 address (or an Elastic IP). The gateway translates between that public address and the instance's private address inside the VPC.
Signs (Route Table)
Your house (VPC) is really big, and a new guest would need directions to navigate it; that's where the route table comes in. Each subnet is associated with a route table that tells traffic leaving that room where to go. Every route table in the VPC starts with a local route for the house's own address range (for example 10.0.0.0/16 -> local), so rooms can always reach each other; what differs is the route for everything outside the house (0.0.0.0/0). The route table for the living room (public subnet) sends that traffic to the front door. The route table for the bedroom (private subnet) has no route to the front door, so nothing in it can talk to the internet directly and nothing on the internet can reach it. Note that this isolation is about reachability from outside; deciding who inside the house may enter the bedroom is the job of security groups and network ACLs, not the route table.
Back Door (NAT Gateway)
This isn't for visitors. It's for the residents (resources in your private subnets) to slip out to the internet to get updates or information. The NAT Gateway itself stands in a public subnet with an Elastic IP, so it can use the front door on the residents' behalf; the private subnet's route table sends 0.0.0.0/0 to the NAT Gateway instead of to the Internet Gateway. The key rule is that it is stateful and outbound-only: replies to a conversation a resident started are let back in, but nobody outside can start a connection through it. This lets your servers in private subnets stay hidden (they never need a public IP at all) while still being able to reach the public internet.
So, to tie it all together: the route tables are the master blueprint that controls traffic flow within the house (VPC), using the Internet Gateway (front door) for public access and the NAT Gateway (back door) for outbound-only access from the private rooms.
This outbound-only path keeps your private components hidden from the internet while still letting them function effectively.
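Here is the whole house expressed as Terraform, as an added example that is not part of the original article. It builds one VPC, one public and one private subnet, the Internet Gateway, a NAT Gateway, and the two route tables whose 0.0.0.0/0 route is the only thing that differs between "public" and "private". The region, Availability Zone, CIDR ranges and resource names are assumptions chosen for illustration.

```hcl
# Added example (not from the original article). All names, CIDRs, the
# region and the AZ are assumptions for illustration.

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1" # assumption
}

# The house: a VPC with its own private address range.
resource "aws_vpc" "house" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "house" }
}

# The living room: a subnet whose route table will point at the IGW.
resource "aws_subnet" "living_room" {
  vpc_id                  = aws_vpc.house.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-east-1a" # assumption
  map_public_ip_on_launch = true         # residents get a public IPv4 address
  tags                    = { Name = "public-living-room" }
}

# The bedroom: same VPC, but its route table will never point at the IGW.
resource "aws_subnet" "bedroom" {
  vpc_id                  = aws_vpc.house.id
  cidr_block              = "10.0.2.0/24"
  availability_zone       = "us-east-1a" # assumption
  map_public_ip_on_launch = false        # no public addresses upstairs
  tags                    = { Name = "private-bedroom" }
}

# The front door: attached to the VPC as a whole, not to a subnet.
resource "aws_internet_gateway" "front_door" {
  vpc_id = aws_vpc.house.id
}

# The back door: a NAT Gateway needs an Elastic IP and must itself sit in
# the PUBLIC subnet, because it reaches the internet through the IGW.
resource "aws_eip" "back_door" {
  domain = "vpc"
}

resource "aws_nat_gateway" "back_door" {
  allocation_id = aws_eip.back_door.id
  subnet_id     = aws_subnet.living_room.id
  depends_on    = [aws_internet_gateway.front_door]
}

# Signs for the living room. AWS adds "10.0.0.0/16 -> local" to every
# route table automatically; we only add the route for the outside world.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.house.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.front_door.id
  }
}

# Signs for the bedroom: everything outside the house leaves via the back door.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.house.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.back_door.id
  }
}

resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.living_room.id
  route_table_id = aws_route_table.public.id
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.bedroom.id
  route_table_id = aws_route_table.private.id
}
```

Run `terraform init` and `terraform plan` to see the resources before creating anything; the NAT Gateway is billed hourly plus per GB, so destroy the stack when you are done experimenting. In a production layout you would repeat the subnet pair (and usually the NAT Gateway) in at least two Availability Zones so that losing one zone does not take the house offline.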
Now that we have established an understanding, let's walk through a real request using the analogy. Imagine a customer, let's call her Idara, who wants to view the product catalog on your company's website, which is hosted on AWS.
1. The Approach (DNS Request)
Idara types your website's address (www.mycompany.com) into her browser. DNS resolves that name to the public IP address attached to your web server, which is like her looking up your house's address on a map.
2. Entering the Property (The VPC)
Her request arrives at the front door of your house (the Internet Gateway). The gateway maps that public address to the private address of the instance behind it and forwards her request onto your property (into your VPC).
3. Following the Signs (The Route Table)
Now inside, Idara needs directions. She looks at the set of signs (the route table). The living room's route table has a route for 0.0.0.0/0 pointing at the front door; that is what makes it the public subnet, and it is also what lets the web server's reply find its way back out to her.
4. Interacting with the Resource (The EC2 Instance)
Idara follows the sign and enters the living room (public subnet). There, she finds a server (an EC2 instance) that holds the public-facing website. She interacts with it, and it shows her the product catalog. This interaction is allowed because the living room is designed for public guests: the subnet routes to the Internet Gateway, the instance has a public IP, and its security group allows inbound HTTPS (port 443) from anywhere.
5. The Attempt to Go Upstairs (Accessing the Private Subnet)
Curious, Idara wonders, "Where do you keep all the customer order data and credit card information?" She tries to open the door to the staircase leading to the private subnets (the bedrooms upstairs).
- This door is locked. Not by the route table: every route table in the house carries the local route, so the living room can reach the bedrooms' addresses. It is locked because the database has no public IP and its subnet has no route to the front door, so nothing arriving from the internet can even be delivered to it, and because its security group only accepts connections from the web server's security group. Idara can only ever talk to the web server.
6. The Secure Alternative (The Backend Process)
Unknown to Idara, a backend process living upstairs (in a private subnet) needs to fetch the latest product list from a third-party supplier so the web server can show it to her. It has no public address of its own, so it uses the back door (NAT Gateway). (The web server itself, having a public IP, goes out through the front door; the back door is only for residents of the private rooms.)
The backend process goes out through the back door to the internet, and the door stays locked behind it: the supplier's reply is let back in because the process started the conversation, but nothing unsolicited can follow it in.
It brings the product list back inside and hands it to the web server, which shows it to Idara.
The database server (an RDS instance) holding all the sensitive customer data remains safely upstairs in a private subnet (the bedroom), completely isolated from Idara's visit. Its security group only accepts connections from the web server, which acts as a trusted intermediary and queries it over the VPC's local route.
In summary, the visitor (internet traffic) successfully accessed the public resource she was allowed to use (the web server in the public subnet) but was logically prevented from ever reaching, or even addressing, the private resources (the database in the private subnet). The house's design (VPC architecture plus the security groups on each resource) enforced this automatically, without any per-request decisions by the application.
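The door policy in this walkthrough is enforced by security groups, not by the route table, so here it is as Terraform, as an added example that is not part of the original post. It assumes an existing VPC and its private subnet IDs are passed in as variables; the ports, engine, database name and resource names are assumptions. The web tier's group admits HTTPS from anywhere, while the database group admits the database port only from members of the web group and the RDS instance is pinned to the private subnets with no public address.

```hcl
# Added example (not from the original article). vpc_id and
# private_subnet_ids are assumed inputs naming an existing VPC and its
# private subnets; ports, engine and names are assumptions.

variable "vpc_id" {
  type = string
}

variable "private_subnet_ids" {
  type = list(string)
}

variable "db_password" {
  type      = string
  sensitive = true
}

# Living-room door policy: anyone on the internet may knock on 443.
resource "aws_security_group" "web" {
  name   = "web-sg"
  vpc_id = var.vpc_id

  ingress {
    description = "HTTPS from the internet"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # The web tier needs to reach the database and the internet.
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Bedroom door policy: only members of the web security group may reach
# the database port. Referencing a security group instead of an IP range
# means the rule survives instance replacement and autoscaling.
resource "aws_security_group" "db" {
  name   = "db-sg"
  vpc_id = var.vpc_id

  ingress {
    description     = "PostgreSQL from the web tier only"
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.web.id]
  }

  # No egress block on purpose: security groups are stateful, so replies
  # to the web tier are allowed anyway, and Terraform removes the default
  # allow-all egress rule when none is declared.
}

# Tell RDS which rooms it may be placed in: the private subnets only.
resource "aws_db_subnet_group" "bedrooms" {
  name       = "bedrooms"
  subnet_ids = var.private_subnet_ids
}

resource "aws_db_instance" "orders" {
  identifier             = "orders-db"
  engine                 = "postgres"
  instance_class         = "db.t3.micro"
  allocated_storage      = 20
  username               = "app"
  password               = var.db_password
  db_subnet_group_name   = aws_db_subnet_group.bedrooms.name
  vpc_security_group_ids = [aws_security_group.db.id]
  publicly_accessible    = false # never hand the bedroom a public address
  storage_encrypted      = true
  skip_final_snapshot    = true  # acceptable for a demo, not for production
}
```

A quick way to check the result after `terraform apply` is to run `aws ec2 describe-security-groups --group-ids <db-sg-id>` and confirm the only ingress rule references the web group rather than a CIDR block; if you ever see 0.0.0.0/0 on the database group, the bedroom door has been left open regardless of how the subnets are routed.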
Written by

Isreal Hogan
A drive for problem solving and new technologies. Here to write about anything and everything about software development.