Getting Started with AWS: Networking - VPC

Learning how to create a VPC on AWS

Networking is an important building block in AWS that nearly every AWS Cloud user will use. Learn about Virtual Private Clouds (VPCs) and get step-by-step instructions on how to deploy a VPC in AWS Cloud.

Topics covered in this post:

  • Virtual Private Cloud
  • VPC Order of Operations
  • Public vs Private Subnets
  • How Internet Gateways and Route tables work within a VPC

In the previous post in this series, we looked at foundations of AWS infrastructure. In this post, we start to focus on the AWS services you use as a customer. I highly recommend you have foundational knowledge of IPv4 networks and OSI model before proceeding with this section.

AWS Foundational Services Overview

There are four foundational services offered by AWS:

  • Network
  • Compute
  • Storage
  • Database

These services follow the general building block services which we discussed in this post. These foundational services tend be the first services that AWS customers adopt when beginning to use AWS. In fact, most certification exams focus on the four foundational areas of Network, Compute, Storage and Database.

This post will cover networking, and we'll cover other higher order services like integration in the future.

AWS uses all custom network hardware that it designed and manufactures for its own use. For the more network-savvy readers, in a typical AWS environment, there are tens of thousands of customers deploying servers that use overlapping network ranges with each other. Traditional network hardware simply cannot scale up the number of Virtual Local Area Networks (VLAN) to meet this kind of demand.

Free AWS VPC Training

Go deeper on this topic with an hour of training for no-cost.

Get started

VPC Order of Operations:

  • Step 1: Create the VPC
    • This includes the primary steps of a defining a network name and primary CIDR range.
  • Step 2: Create subnets, using AZs as required
    • All subnets are identical at this stage.
    • The subnets are going to be carved out of the initial IP address range that are created from the primary CIDR range in step 1.
    • A subnet is an AZ-scoped resource.
    • Each subnet can be in one AZ.
    • At this point all subnets are equal, as we don’t differentiate public subnets from private subnets yet, but it's very important to do this in later steps.
  • Step 3: Add an Internet Gateway (IGW) and attach it to the VPC (2 different actions):
    • The IGW is the essentially the traffic boundary from the outside world (aka the internet) into the VPC network.
  • Step 4: Attach the Internet Gateway (IGW) to a Route table.
    • The final bit of magic that is needed to create a route table that forwards traffic towards that IGW as the target.
    • Now we can attach this route table to our respective public subnets. This action is what makes them Public subnets.
    • Now they have the ability to communicate to and from the outside world. We have a minimally functional network which we can use to the deploy resources.
    • But these are not secure and resources can be accessed from public IP addresses. We need to take this design a step further and add private subnets.
  • Step 5: Deploy Private subnets
    • The Private subnets will allow outbound-only access to the outside internet.
    • If we brought our on-premises naming convention, we could say the public networks are more like the DMZ in our on-premises DC. Whereas the private subnets are the private on-premises DC subnets themselves.
  • Step 6: Create a NAT Gateway, with an associated Elastic IP Address (EIP)
    • An Elastic IP address is a reserved public IP address that you can assign to any AWS compute instance (e.g. EC2) in a particular region, until you choose to release it.
    • Here is where we have to spend some money. Basically, we create the NAT gateway which gives our private subnets the ability to send out that outbound traffic. But the NAT gateway has deployment costs (like a dollar for a few hours). There is no free tier for the NAT gateway.
  • Step 7: Connect the NAT gateway with a Route table
    • Once we have the NAT gateway, we create a Route table, that forwards traffic to the NAT gateway as the target (destination) to reach the outside world. We then attach this to the private subnets. 

To summarize, we explained what VPCs are and provided high-level instructions on how to deploy VPCs and create Public and Private networks within the AWS Cloud environment for our Virtual Servers, Load Balancers and Databases. There are a lot of steps to remember and it can be slow-going the first time you deploy a VPC. If you want to practice this and other tasks in a risk-free, real world environment, check out some of Cloud Institute's hands-on Challenge Lab options. 

Get new blogs in your inbox