Understand what a VPC is and its components.
- [Trainer] You've decided to adopt AWS as your infrastructure as a service partner. You've already spent time laying out how your people will securely access AWS. Now, let's explore what a virtual private cloud, or VPC, is, and how you can use VPCs to build your data center in AWS. We know that AWS provides infrastructure services on a global scale and that AWS subdivides the world into regions. Each region contains at least two availability zones, or AZs.
Each AZ is made up of multiple, completely independent data centers. So, what is a virtual private cloud? Simply put, a VPC is a logically isolated portion of the AWS cloud contained within a single AWS region. When you create a VPC, you specify its IP range. You also get to decide whether or not the servers you deploy within a VPC are accessible to the public. You also can choose whether or not those servers communicate with each other. It is also important to note that you can connect a VPC to local, private data centers.
Let's see where a VPC fits in the grand scheme of things. Let's say you want to operate services within three different availability zones in a given region. You may manage some web servers, application servers, and database servers. In addition, you may make use of some AWS managed relational database services. Just as you would with an on-premises data center, you want to be able to control network access to these servers. For instance, you would want to allow your web servers to be accessible by anyone in the world.
Simultaneously, you want to ensure that your application and database servers remain private. A VPC is a network container in which you can place all of these components complete with all the tools you need to granularly define network access. Let's take a closer look at the VPC components you need to let your web servers be publicly accessible while keeping your app and database servers private. To set this up, you need a VPC with two subnets. The first subnet would contain private application and database servers.
And the second would contain your public facing web servers. In order to let servers within these subnets communicate with each other, you'll need to configure a router. Just like a physical router you may have worked with, a router in AWS directs traffic between subnets. To get to the internet, you will need to configure an internet gateway. An internet gateway is a highly available VPC component that connects a VPC to the internet. In order to be able to patch the servers in your private subnet, they will need to initiate a connection to the internet.
On premises, you are probably accustomed to configuring network address translation, or NAT. AWS makes this a little easier by offering a NAT Gateway. A NAT Gateway is a highly available service for allowing private subnets to access the internet. Of course, to make this all work, you will need to configure the route tables for each of your subnets appropriately. The route table in your public subnet needs to point to the internet gateway. Similarly, the route table in your private subnet needs to point to the NAT Gateway in your public subnet.
Finally, you can set up a VPC endpoint for S3. This is useful if you want communication between the services within your VPC to access S3 privately without traversing the public internet. That was kind of dense, so how about a quick recap? At this point, you should be aware that a VPC represents a logically private data center in AWS. You should also identify that an internet gateway is what you attach to a VPC so the systems within the VPC can access the internet.
You should also recognize the need to update the route tables inside your VPC to point to an internet gateway for internet access. Finally, you should understand that in order for servers in a private subnet to access the internet, you need to configure a NAT Gateway.
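The layout the trainer walks through (one VPC, a public and a private subnet, an internet gateway, a NAT Gateway in the public subnet, one route table per subnet, and an S3 gateway endpoint) as a worked example. This is added here and is not code from the course or from AWS: it carves the subnets out of the VPC CIDR with the standard library, writes the resources out as a CloudFormation-style template, and then checks the one mistake that silently makes a "private" subnet public, which is pointing its 0.0.0.0/0 route at the internet gateway instead of the NAT Gateway. The VPC CIDR, the availability zone, the region in the S3 service name and all logical resource names are illustrative assumptions.

```python
"""Added example (not the course's code): build the two-subnet VPC layout from the
lesson as a CloudFormation-style dict and check its routing.  CIDR, AZ, region and
resource names are assumed placeholders."""
import copy
import ipaddress


def ref(name):
    return {"Ref": name}


def build_vpc(cidr="10.0.0.0/16", az="us-east-1a", region="us-east-1"):
    """Return a CloudFormation template (as a dict) for the public/private layout."""
    net = ipaddress.ip_network(cidr)
    public_cidr, private_cidr = list(net.subnets(new_prefix=24))[:2]  # first two /24s
    r = {}
    r["VPC"] = {"Type": "AWS::EC2::VPC", "Properties": {"CidrBlock": str(net)}}
    r["IGW"] = {"Type": "AWS::EC2::InternetGateway"}
    r["IGWAttachment"] = {"Type": "AWS::EC2::VPCGatewayAttachment", "Properties": {
        "VpcId": ref("VPC"), "InternetGatewayId": ref("IGW")}}
    r["PublicSubnet"] = {"Type": "AWS::EC2::Subnet", "Properties": {
        "VpcId": ref("VPC"), "CidrBlock": str(public_cidr),
        "AvailabilityZone": az, "MapPublicIpOnLaunch": True}}
    r["PrivateSubnet"] = {"Type": "AWS::EC2::Subnet", "Properties": {
        "VpcId": ref("VPC"), "CidrBlock": str(private_cidr),
        "AvailabilityZone": az, "MapPublicIpOnLaunch": False}}
    # The NAT Gateway sits in the public subnet and needs an Elastic IP.
    r["NatEIP"] = {"Type": "AWS::EC2::EIP", "Properties": {"Domain": "vpc"}}
    r["NatGateway"] = {"Type": "AWS::EC2::NatGateway", "Properties": {
        "SubnetId": ref("PublicSubnet"),
        "AllocationId": {"Fn::GetAtt": ["NatEIP", "AllocationId"]}}}
    for name in ("PublicRouteTable", "PrivateRouteTable"):
        r[name] = {"Type": "AWS::EC2::RouteTable", "Properties": {"VpcId": ref("VPC")}}
    # Public subnet: default route to the IGW.  Private subnet: default route to the NAT.
    r["PublicDefaultRoute"] = {"Type": "AWS::EC2::Route", "Properties": {
        "RouteTableId": ref("PublicRouteTable"),
        "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": ref("IGW")}}
    r["PrivateDefaultRoute"] = {"Type": "AWS::EC2::Route", "Properties": {
        "RouteTableId": ref("PrivateRouteTable"),
        "DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": ref("NatGateway")}}
    r["PublicAssoc"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
        "SubnetId": ref("PublicSubnet"), "RouteTableId": ref("PublicRouteTable")}}
    r["PrivateAssoc"] = {"Type": "AWS::EC2::SubnetRouteTableAssociation", "Properties": {
        "SubnetId": ref("PrivateSubnet"), "RouteTableId": ref("PrivateRouteTable")}}
    # S3 gateway endpoint attached to both route tables keeps S3 traffic off the internet.
    r["S3Endpoint"] = {"Type": "AWS::EC2::VPCEndpoint", "Properties": {
        "VpcId": ref("VPC"), "ServiceName": f"com.amazonaws.{region}.s3",
        "VpcEndpointType": "Gateway",
        "RouteTableIds": [ref("PublicRouteTable"), ref("PrivateRouteTable")]}}
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": r}


def _of_type(res, t):
    return {k: v for k, v in res.items() if v["Type"] == t}


def check_routing(template):
    """Return a list of findings; an empty list means the layout matches the lesson."""
    res = template["Resources"]
    findings = []
    rt_of = {a["Properties"]["SubnetId"]["Ref"]: a["Properties"]["RouteTableId"]["Ref"]
             for a in _of_type(res, "AWS::EC2::SubnetRouteTableAssociation").values()}
    default_of = {}  # route table name -> properties of its 0.0.0.0/0 route
    for route in _of_type(res, "AWS::EC2::Route").values():
        p = route["Properties"]
        if p.get("DestinationCidrBlock") == "0.0.0.0/0":
            default_of[p["RouteTableId"]["Ref"]] = p
    igws = set(_of_type(res, "AWS::EC2::InternetGateway"))
    nats = set(_of_type(res, "AWS::EC2::NatGateway"))

    def default_target(rt_name):
        p = default_of.get(rt_name, {})
        for key in ("GatewayId", "NatGatewayId"):
            if key in p:
                return p[key]["Ref"]
        return None

    for name, sub in _of_type(res, "AWS::EC2::Subnet").items():
        target = default_target(rt_of.get(name))
        if sub["Properties"].get("MapPublicIpOnLaunch"):
            if target not in igws:
                findings.append(f"{name}: public subnet has no default route to an internet gateway")
        elif target in igws:
            findings.append(f"{name}: private subnet routes 0.0.0.0/0 to an internet gateway, so it is public")
        elif target not in nats:
            findings.append(f"{name}: private subnet has no default route via a NAT gateway, so it cannot patch")
    # A NAT Gateway only reaches the internet if its own subnet routes to the IGW.
    for name, nat in _of_type(res, "AWS::EC2::NatGateway").items():
        if default_target(rt_of.get(nat["Properties"]["SubnetId"]["Ref"])) not in igws:
            findings.append(f"{name}: NAT gateway is in a subnet without an internet gateway route")
    covered = set()
    for ep in _of_type(res, "AWS::EC2::VPCEndpoint").values():
        p = ep["Properties"]
        if p.get("VpcEndpointType") == "Gateway" and p["ServiceName"].endswith(".s3"):
            covered |= {x["Ref"] for x in p["RouteTableIds"]}
    for rt in _of_type(res, "AWS::EC2::RouteTable"):
        if rt not in covered:
            findings.append(f"{rt}: S3 traffic from this route table traverses the internet (no gateway endpoint)")
    return findings


def misconfigured():
    """Same layout, but the private subnet's default route is mistakenly pointed at the IGW."""
    t = copy.deepcopy(build_vpc())
    t["Resources"]["PrivateDefaultRoute"]["Properties"] = {
        "RouteTableId": ref("PrivateRouteTable"),
        "DestinationCidrBlock": "0.0.0.0/0", "GatewayId": ref("IGW")}
    return t


if __name__ == "__main__":
    print("lesson layout:", check_routing(build_vpc()) or "ok")
    print("mistake:", check_routing(misconfigured()))
```

The check encodes the recap in machine-readable form: a subnet is only private if its default route leaves through the NAT Gateway rather than the internet gateway, the NAT Gateway itself must live in a subnet that routes to the internet gateway, and every route table should carry the S3 gateway endpoint if S3 traffic is meant to stay off the public internet. The same checks can be run against a real template exported from CloudFormation before it is deployed.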
This course is also part of a series designed to help you prepare for the AWS Certified SysOps Administrator – Associate certification exam.
This course includes trademarks owned by Amazon Web Services. This course has not been prepared, approved, or endorsed by Amazon Web Services.
- Exploring Virtual Private Cloud (VPC)
- Configuring subnets, route tables, and gateways
- Working with access control lists (ACLs)
- Maintaining network security
- Implementing VPC peering and peer routing
- Using Route 53
- Managing a private DNS