Now we come to the final part of this series: networking. Unlike a traditional network, a cloud network runs virtually. For example, AWS offers Amazon Virtual Private Cloud (VPC). Thanks to VPC, networking becomes much simpler than before: we no longer need to manage our own switches and routers, because AWS manages them for us.
Amazon Virtual Private Cloud (VPC)
Simply speaking, a VPC provisions a private, isolated virtual network in the AWS cloud and gives us complete control over that virtual network environment.
First of all, we should know that a subnet defines a range of IP addresses in our VPC. We launch AWS resources into a subnet that we select. A private subnet should be used for resources that won’t be reachable from the internet, while a public subnet should be used for resources that will be accessed over the internet.
Each subnet must reside entirely within one Availability Zone (AZ) and cannot span zones.
IPs and CIDR
From the above figure, we see 192.168.20.2/28. This IP address has 4 parts (octets), each ranging from 0 to 255, so each octet holds 8 bits and the total number of bits is 4*8 = 32. The last number, the prefix length (/28), means the first 28 bits are fixed and the remaining 4 bits are available for hosts. In other words, hosts can use IPs ranging from 192.168.20.1 to 192.168.20.14.
Take one more example. This time the last number is 32 (/32), which means all 32 bits are fixed. In other words, it points to 10.88.135.144 itself; there is no range at all.
Now the final example. This time the last number is 24 (/24), which means the first 24 bits, i.e. the first 3 octets, are fixed, and the remaining 8 bits are available for hosts. In other words, hosts can use IPs ranging from 10.88.135.1 to 10.88.135.254.
More generally, we can calculate the number of addresses in a block with the formula 2^(32-x), where x is the prefix length (/x).
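As an added worked example (not code from the original article), the script below reproduces the three CIDR calculations above with Python's standard ipaddress module and adds a small check for the subnet planning the article discusses: whether a set of subnets fits inside a VPC block without overlapping. The VPC layout values (10.0.0.0/16 and its subnets) are constructed for illustration; the AWS rule that a subnet is between /16 and /28 and loses five reserved addresses is an AWS fact not stated on the page.

```python
import ipaddress

def cidr_summary(cidr):
    """Break a CIDR such as 192.168.20.2/28 into the numbers the text walks through.

    The prefix /x fixes the first x bits; the remaining 32 - x bits are host
    bits, so the block holds 2**(32 - x) addresses.
    """
    # strict=False accepts a host address (192.168.20.2) and normalises it
    # to its block (192.168.20.0/28).
    net = ipaddress.ip_network(cidr, strict=False)
    prefix = net.prefixlen
    total = 2 ** (32 - prefix)
    first, last = net.network_address, net.broadcast_address
    if prefix >= 31:
        # /32 is a single host, /31 a two-address link: every address is usable.
        host_range, usable = (str(first), str(last)), total
    else:
        # Classic subnetting: the network (.0) and broadcast addresses are not
        # handed to hosts, which is why /28 gives .1 to .14 and /24 .1 to .254.
        host_range = (str(first + 1), str(last - 1))
        usable = total - 2
    # AWS fact, not from the article: a subnet must be between /16 and /28, and
    # AWS reserves its first four addresses and its last one, so instances get
    # 2**(32 - x) - 5 addresses.
    aws_assignable = total - 5 if 16 <= prefix <= 28 else 0
    return {"network": str(net), "total_addresses": total,
            "host_range": host_range, "usable_hosts": usable,
            "aws_assignable": aws_assignable}

def plan_subnets(vpc_cidr, subnet_cidrs):
    """Return planning problems for a VPC layout: subnets that fall outside
    the VPC block or overlap each other. An empty list means the plan fits."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = [f"{n} is not inside {vpc}" for n in nets if not n.subnet_of(vpc)]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems

if __name__ == "__main__":
    for example in ("192.168.20.2/28", "10.88.135.144/32", "10.88.135.0/24"):
        print(cidr_summary(example))
    # Constructed 3-tier layout: a public web subnet plus private app/db subnets.
    print(plan_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]))
```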
The above figure shows the whole concept of a VPC. Imagine that we are planning a city. We have to divide it into different areas: this one for industry, that one for housing, and so on. We also need a route table, the roads, to let people travel to other places. In addition, we have network ACLs and security groups for traffic control.
The above figure shows a real example of a VPC. As mentioned before, we usually have a public subnet and a private subnet. In the 3-tier model, we put the web server in the public subnet while the app server and database go in the private subnet. Of course, some people may allow only VPN access to the database; it depends.
Before traffic reaches the server, the network ACL filters out ranges of IPs at the subnet boundary. After that, the security group does detailed checking to ensure the source IP, destination IP and port are correct.
The figure above shows some methods for establishing a VPN connection to AWS.
In fact, we can spread our subnets across AZs as the above figure shows. If we put everything in a single AZ, we run the risk of that AZ going completely down. Thus, when we think of high availability, we always think of multiple zones and even multiple regions. But not all services can communicate across regions, so we may need some extra work when designing for multiple regions.
In this article, we talked about what a VPC is. By using a VPC, we no longer spend much effort on switches and routers. What we do need is to plan our server placement: we need to decide whether each server should sit in a public or a private subnet.