AWS SERIES :- 4. Virtual Private Cloud (VPC)

Analogy :- an overview of what a VPC is and what problem it solves

Let us assume there is a large village where some people want to live.

The problem is that some of them do not want to build a house, because they don't want the maintenance overhead and they don't want to go through the entire construction process.
Then a builder comes along, acquires the entire village, builds houses there and starts selling or renting them to the people who wanted houses.

This is analogous to the public cloud and EC2.

There is again a catch: anyone can get a house there, so there are security and other issues, and some people hesitate to take a house in that place.

The builder again came up with a solution: a gated, secure building and society. You have to show your identity and get authenticated to enter the society, and you have to be authorized to enter the house.

This secure society is the virtual private cloud.

Working with VPC

Before going into VPC, let us first understand why it was created. Before VPC there was the plain public cloud, where the instances of many customers were deployed into the same data centers on one shared, flat network. Think of it as multiple companies deployed in the same room: if one of them has a weakness that an attacker can exploit, then once the attacker has cracked that company he is already on the same network as the others and has a direct path to probe the companies that are secure in themselves.

Because of this problem, large companies and companies with sensitive data were not comfortable using the public cloud.
To solve it, the virtual private cloud came into the picture: the single large public cloud is divided into many small, logically isolated virtual networks, one per customer, each with its own private IP address range.

Proper Definition :- "A VPC is a virtual network that you create in the cloud. It gives you your own logically isolated section of the AWS cloud, just like having your own network within a larger network. Within this VPC you create and manage resources such as servers, databases and storage, and you decide which of them can be reached from the internet."

How traffic flows inside VPC

One IP address range (the VPC's CIDR block) is divided into multiple subnets, each assigned to a different group of servers, and each subnet carries its own security controls.

If a company has multiple services like data management, payments etc., each is deployed in a different subnet.

There is one public subnet that accepts the requests coming from users through the internet gateway, and a load balancer is created in this public subnet. Routing is not done by the load balancer itself: each subnet has a route table that says where traffic for each destination range goes (traffic for the VPC range stays local, everything else from the public subnet goes to the internet gateway). The load balancer forwards each request to the server, in whichever subnet, that is registered as its target.

One more layer of security is present at the destination: the destination instance checks whether the request comes from an allowed source, based on the source IP address or CIDR range (or the source security group), the protocol and the port. It does not know anything about the user as such; it only sees the network source.

This layer of security in AWS terms is called a security group.
The load balancer we discussed here is called an Elastic Load Balancer (ELB) in AWS terms.

The load balancer is placed in the public subnets, and the servers in the private subnets are registered with it through a target group.

A target group lists the registered targets (instance IDs or private IP addresses in the destination subnet), the port on which they listen and the health check used to decide whether they receive traffic.
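The flow described above, as an added example that is not part of the original article: a small Python model of the VPC range being carved into subnets and of the per-subnet route tables that decide where each hop goes. The VPC range 10.0.0.0/16, the subnet names, the gateway ID igw-0abc and the client, ELB and target addresses are all made up for this illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example VPC for this article, not a real deployment:
# 10.0.0.0/16 carved into /24 subnets, one public and one private per AZ.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def carve_subnets(vpc_cidr, new_prefix, names):
    """Split the VPC range into equal-sized subnets and label them in order."""
    pieces = vpc_cidr.subnets(new_prefix=new_prefix)
    return {name: next(pieces) for name in names}


def usable_hosts(subnet):
    """Addresses you can actually assign; AWS keeps five in every subnet."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    target: str  # "local", "igw-...", "nat-...", "pcx-..." (IDs here are invented)


class RouteTable:
    """A subnet's route table: longest-prefix match, as the VPC router does it."""

    def __init__(self, routes):
        self.routes = routes

    def next_hop(self, dst_ip):
        dst = ipaddress.ip_address(dst_ip)
        matches = [r for r in self.routes if dst in r.destination]
        if not matches:
            return None  # no route at all: the packet is dropped
        return max(matches, key=lambda r: r.destination.prefixlen).target

    def is_public(self):
        """A subnet is public only if its default route points at an internet gateway."""
        return any(r.destination.prefixlen == 0 and r.target.startswith("igw-")
                   for r in self.routes)


SUBNETS = carve_subnets(VPC_CIDR, 24, ["public-a", "public-b", "private-a", "private-b"])

LOCAL = Route(VPC_CIDR, "local")  # every route table gets this route automatically
PUBLIC_RT = RouteTable([LOCAL, Route(ipaddress.ip_network("0.0.0.0/0"), "igw-0abc")])
PRIVATE_RT = RouteTable([LOCAL])  # deliberately no default route


def trace_request(client_ip, elb_ip, target_ip):
    """Follow the article's flow: internet client -> ELB (public) -> target (private) -> back."""
    return {
        "elb_to_target": PUBLIC_RT.next_hop(target_ip),       # "local": inside the VPC range
        "target_reply_to_elb": PRIVATE_RT.next_hop(elb_ip),   # "local": reply goes back to the ELB
        "target_to_client": PRIVATE_RT.next_hop(client_ip),   # None: private subnet has no internet path
        "elb_to_client": PUBLIC_RT.next_hop(client_ip),       # "igw-0abc": public subnet reaches the internet
    }


if __name__ == "__main__":
    for name, cidr in SUBNETS.items():
        print(f"{name:10} {cidr}  usable hosts: {usable_hosts(cidr)}")
    print(trace_request("203.0.113.7", "10.0.0.10", "10.0.2.10"))
```

The useful check is `is_public()`: whether a subnet is "public" is decided entirely by its route table, not by its name, so a private subnet that accidentally gets a 0.0.0.0/0 route to the internet gateway is public no matter what it is called. The `None` for the target's path to the client is the point of the design: the application server can answer the ELB but has no route of its own to the internet.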

NAT Gateways

Until now we have discussed the flow where the request comes from outside to the application.
Now consider the case where the application itself wants to reach the internet, for example to download some packages from Google or a package mirror.
The application could use the internet directly if it had a public IP, but it is bad practice to expose the application's IP address to the external world. Instead, the private subnet's route table sends internet-bound traffic (0.0.0.0/0) to a NAT gateway that sits in the public subnet. The NAT gateway rewrites (masks) the source IP of the request to its own public Elastic IP, so the application's private address is never seen outside, and because the gateway only translates replies to connections it has seen, nothing on the internet can initiate a connection to the application.

This masking is source NAT (SNAT), and in AWS the managed component that performs it is the NAT gateway. The load balancer is not an egress path: it only forwards inbound connections to its targets and does not NAT the application's own outbound traffic.
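An added example (not the article's own code, and not AWS's implementation) modelling what the NAT gateway does to the packets: source NAT with connection tracking. The Elastic IP 198.51.100.4, the VPC range and the remote addresses are constructed values from the IETF documentation ranges, and the port allocator is a toy that never reuses ports.

```python
import ipaddress
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Source NAT with connection tracking, as a NAT gateway in a public subnet behaves.

    Outbound flows from the VPC range get their source rewritten to the gateway's
    Elastic IP and a fresh source port; only replies to a tracked flow are
    translated back. Anything else arriving at the Elastic IP is dropped.
    """

    def __init__(self, elastic_ip, vpc_cidr):
        self.elastic_ip = elastic_ip
        self.vpc_cidr = ipaddress.ip_network(vpc_cidr)
        self._ports = count(1024)  # toy allocator; a real gateway expires and reuses ports
        self._out = {}             # (src, sport, dst, dport) -> translated source port
        self._in = {}              # (remote, rport, translated port) -> (src, sport)

    def egress(self, pkt):
        """Private instance -> internet: rewrite the source address and port."""
        if ipaddress.ip_address(pkt.src) not in self.vpc_cidr:
            return None  # the gateway only translates traffic coming from its own VPC
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self._out:
            self._out[key] = next(self._ports)
        tport = self._out[key]
        self._in[(pkt.dst, pkt.dport, tport)] = (pkt.src, pkt.sport)
        return Packet(self.elastic_ip, tport, pkt.dst, pkt.dport)

    def ingress(self, pkt):
        """Internet -> Elastic IP: forward only if it is a reply to a tracked flow."""
        if pkt.dst != self.elastic_ip:
            return None
        original = self._in.get((pkt.src, pkt.sport, pkt.dport))
        if original is None:
            return None  # unsolicited connection attempt: dropped, the instance stays unreachable
        src, sport = original
        return Packet(pkt.src, pkt.sport, src, sport)


def demo():
    """Constructed exchange: app in a private subnet fetches from a mirror, then a scanner probes the EIP."""
    nat = NatGateway("198.51.100.4", "10.0.0.0/16")
    request = Packet("10.0.2.10", 51000, "203.0.113.80", 443)   # private app -> package mirror
    on_wire = nat.egress(request)                                 # source is now 198.51.100.4:1024
    reply = Packet("203.0.113.80", 443, on_wire.src, on_wire.sport)
    delivered = nat.ingress(reply)                                # back to 10.0.2.10:51000
    probe = Packet("192.0.2.66", 40000, "198.51.100.4", 22)      # scanner hitting the Elastic IP
    return on_wire, delivered, nat.ingress(probe)


if __name__ == "__main__":
    print(demo())
```

The mirror only ever sees 198.51.100.4, and the probe on port 22 returns `None` even though the Elastic IP is reachable: the gateway has no tracked flow for it, which is why a NAT gateway gives egress-only connectivity and is not a way to expose a service.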

Important terms VPC concept

  1. VPC :- VPC stands for Virtual Private Cloud. It is similar to a traditional data center network, but it is hosted in AWS and you do not need to think about the maintenance overhead.

  2. Subnets :- A subnet is a range of IP addresses in your VPC. We can distribute our large range of IP addresses into smaller chunks which are more manageable. A subnet must reside in a single Availability Zone. After you add subnets, you can deploy AWS resources in your VPC.

  3. Internet Gateway :- The gateway through which traffic enters and leaves the VPC from the internet. A subnet whose route table sends internet-bound traffic to the internet gateway is a public subnet; this is where the load balancer is created.

  4. IP addressing :- For IP addresses both IPv4 or IPv6 can be used. You can also bring your public IPv4 and IPv6 GUA addresses to AWS and allocate them to resources in your VPC, such as EC2 instances, NAT gateways, and Network Load Balancers.

  5. Network Access Control List :- A Network Access Control List is a firewall that controls inbound and outbound traffic at the subnet level. It operates at the IP address level and can allow or deny traffic based on rules that you define. We can easily specify range of IP addresses which are allowed to access the VPC resources and based on that NACL either allow someone to use resources or deny permission to use. NACLs provide an additional layer of network security for your VPC.

  6. Security Groups:- A security group acts as a virtual firewall for instances (EC2 instances or other resources) within a VPC. It controls inbound and outbound traffic at the instance level. Security groups allow you to define rules that permit or restrict traffic based on protocols, ports, and IP addresses.

  7. Routing :- Routing is done through route tables. Each subnet is associated with one route table (the VPC's main route table unless you associate a custom one), which lists destination CIDR blocks and the target for each (local, internet gateway, NAT gateway, peering connection and so on). The route table belongs to the subnet, not to the load balancer: the public subnet at the entry point of the VPC has a route to the internet gateway, and private subnets do not.

  8. Gateways and Endpoints :- A gateway connects your VPC to another network. For example, use an internet gateway to connect your VPC to the internet. Use a VPC endpoint to connect to AWS services privately, without the use of an internet gateway or NAT device.

  9. Peering Connection :- Use a VPC peering connection to route traffic between the resources in two VPCs.

  10. Traffic Mirroring :- Copy network traffic from network interfaces and send it to security and monitoring appliances for deep packet inspection.

  11. Transit Gateway :- Use a transit gateway, which acts as a central hub, to route traffic between your VPCs, VPN connections, and AWS Direct Connect connections.

  12. VPC flow logs :- A flow log captures information about the IP traffic going to and from network interfaces in your VPC.

  13. VPC connections:- Connect your VPCs to your on-premises networks using AWS Virtual Private Network (AWS VPN).

Security Groups and NACL

Security groups work at the instance level.

Inbound Traffic :- Traffic flowing into your application (from the user to the application), whether it is hosted on AWS or anywhere else, is called inbound traffic. For a user to reach the application, the inbound rules must allow that traffic (the user's IP address or range must be allowed by an inbound rule for that protocol and port).

Outbound Traffic :- Traffic flowing out of your application (from the application to the outside world or the internet), whether it is hosted on AWS or any other platform, is called outbound traffic.

In AWS we edit the inbound and outbound rules inside the security group.

NACL :- Network Access control list :-

A NACL is applied at the subnet level. It acts as the first layer of defence for traffic entering or leaving the subnet.

There are cases where, for some reason, the developer building the application on the instances allows traffic to the application from all IP addresses (0.0.0.0/0), which is a security lapse.
We have one more option to cover this lapse: the NACL. Because the NACL sits at the subnet layer under which the instances are created, we can specify in it which IP addresses are denied access, and that deny applies regardless of what the instance's security group allows.

NACLs are used in organizations to define organization-wide policy for the subnet's network traffic.

Anything applied at the subnet level applies by default to all instances in that subnet.

The major difference between security groups and NACLs is that a NACL has the extra capability of explicit denial: we can deny access to the requests we don't want. A security group has no deny rules; it can only allow, and anything not matched by an allow rule is dropped implicitly.

Important :- An important point about NACLs is that rules are evaluated in order of rule number, lowest first, and the first matching rule wins. For example, if you add an inbound rule number 200 that denies port 8000 to everyone, and also an inbound rule number 100 that allows all traffic from all IP addresses, then port 8000 will still be reachable, because the NACL checks rule 100 first and it allows the traffic.

If we swap the rule numbers, making the deny rule 100 and the allow-all rule 200, then access to port 8000 is blocked.

Security Groups: Security groups act as virtual firewalls for Amazon EC2 instances (virtual servers) and other resources with network interfaces, at the instance level. They control inbound and outbound traffic with allow rules for specific protocols, ports and sources or destinations. Each instance can be associated with one or more security groups, and each security group consists of inbound and outbound rules. Inbound rules determine the traffic that is allowed to reach the instance, whereas outbound rules control the traffic leaving it. The source or destination of a rule can be an IP address, a CIDR block, a managed prefix list or another security group's ID (DNS names cannot be used in rules). All rules are evaluated before traffic is allowed to reach the instance; a packet is allowed if any rule matches, and there is no explicit deny. Security groups are stateful: if an inbound rule allows a connection, the return traffic for that connection is automatically allowed out regardless of the outbound rules, and vice versa. Changes made to security group rules take effect immediately.

Network Access Control Lists (NACLs): NACLs are an additional layer of security that operates at the subnet level. They act as stateless traffic filters for inbound and outbound traffic at the subnet boundary. Unlike security groups, NACLs are associated with subnets, and each subnet can have only one NACL. However, multiple subnets can share the same NACL. A NACL consists of a numbered list of rules that are evaluated in order from the lowest number to the highest, and every NACL ends with a default rule (shown as *) that denies anything no earlier rule matched. Each rule includes a rule number, protocol, rule action (allow or deny), source or destination IP address range, port range and, for ICMP (Internet Control Message Protocol), the type and code. NACL rules can be configured to allow or deny specific types of traffic based on the defined criteria. They are stateless, which means that if an inbound rule allows a request, the reply traffic must be explicitly allowed by a separate outbound rule; because clients send from ephemeral ports, the outbound rules usually have to allow the ephemeral port range (1024-65535) as well, otherwise the request gets in but the reply never gets out. Changes made to NACL rules apply to every subnet associated with that NACL.
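To make the rule-ordering point and the stateful-versus-stateless difference concrete, here is an added Python model (not AWS code, and not from the article) of how a NACL and a security group decide on a packet. The rule sets reproduce the port 8000 example from the "Important" paragraph; the client address 203.0.113.7 and the ports are made up.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number; security groups have no ordering, so it is ignored there
    action: str      # "allow" or "deny" (security groups only ever carry "allow")
    proto: str       # "tcp", "udp", "icmp" or "all"
    cidr: str        # source range for inbound rules, destination range for outbound rules
    port_from: int
    port_to: int

    def matches(self, ip, proto, port):
        return (self.proto in ("all", proto)
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


def nacl_decide(rules, ip, proto, port):
    """First match in ascending rule-number order wins; the trailing '*' rule denies the rest."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(ip, proto, port):
            return rule.action == "allow", rule.number
    return False, "*"


class SecurityGroup:
    """Allow-only rules plus connection tracking: replies to an allowed connection
    pass without consulting the rules for the other direction."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._conns = set()

    def inbound_packet(self, remote_ip, remote_port, proto, local_port):
        conn = (remote_ip, remote_port, proto, local_port)
        if conn in self._conns:
            return True  # reply to a connection this instance opened
        if any(r.matches(remote_ip, proto, local_port) for r in self.inbound):
            self._conns.add(conn)
            return True
        return False  # no allow rule matched: implicit deny

    def outbound_packet(self, remote_ip, remote_port, proto, local_port):
        conn = (remote_ip, remote_port, proto, local_port)
        if conn in self._conns:
            return True  # reply to a tracked inbound connection
        if any(r.matches(remote_ip, proto, remote_port) for r in self.outbound):
            self._conns.add(conn)
            return True
        return False


ANY = "0.0.0.0/0"


def article_examples():
    client = "203.0.113.7"  # constructed client address
    # 1. Rule order: allow-all at 100 shadows the deny at 200 ...
    as_written = nacl_decide([Rule(100, "allow", "all", ANY, 0, 65535),
                              Rule(200, "deny", "tcp", ANY, 8000, 8000)], client, "tcp", 8000)
    # ... and swapping the numbers puts the deny first.
    swapped = nacl_decide([Rule(200, "allow", "all", ANY, 0, 65535),
                           Rule(100, "deny", "tcp", ANY, 8000, 8000)], client, "tcp", 8000)
    # 2. Stateless NACL: the inbound 443 request is allowed, but the reply leaves towards the
    #    client's ephemeral port, so the outbound side needs an ephemeral-port allow as well.
    request = nacl_decide([Rule(100, "allow", "tcp", ANY, 443, 443)], client, "tcp", 443)
    out_strict = [Rule(100, "allow", "tcp", ANY, 443, 443)]
    out_fixed = out_strict + [Rule(110, "allow", "tcp", ANY, 1024, 65535)]
    reply_strict = nacl_decide(out_strict, client, "tcp", 51515)
    reply_fixed = nacl_decide(out_fixed, client, "tcp", 51515)
    # 3. Stateful security group: same inbound allow, no outbound rules at all, reply still passes.
    sg = SecurityGroup(inbound=[Rule(0, "allow", "tcp", ANY, 443, 443)], outbound=[])
    sg_request = sg.inbound_packet(client, 51515, "tcp", 443)
    sg_reply = sg.outbound_packet(client, 51515, "tcp", 443)
    sg_new_egress = sg.outbound_packet("203.0.113.99", 80, "tcp", 40000)
    return {
        "order_as_written": as_written,   # (True, 100): port 8000 reachable
        "order_swapped": swapped,         # (False, 100): port 8000 blocked
        "nacl_request": request,          # (True, 100)
        "nacl_reply_strict": reply_strict,  # (False, '*'): reply dropped by the default deny
        "nacl_reply_fixed": reply_fixed,  # (True, 110)
        "sg_request": sg_request,         # True
        "sg_reply": sg_reply,             # True, despite empty outbound rules
        "sg_new_egress": sg_new_egress,   # False: a brand-new outbound connection needs a rule
    }


if __name__ == "__main__":
    for name, result in article_examples().items():
        print(f"{name:20} {result}")
```

The `nacl_reply_strict` result is the one that bites in practice: a NACL that mirrors the security group's "allow 443" on both sides lets the request in and silently drops the response, and the fix is the ephemeral-port outbound rule, not a wider inbound rule.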