As a fundamental building block of AWS, the VPC contains several key components, including subnets, gateways, route tables, network ACLs, security groups, and VPC Endpoints.
- Subnets: A subnet is a range of IP addresses (a CIDR block) carved out of the VPC's address range, into which you launch your resources. Each subnet resides in exactly one Availability Zone (AZ); a VPC can have several subnets in the same AZ and subnets in several AZs of its region, but a subnet never spans AZs. Subnets are commonly described as public or private, and the distinction is decided by the route table, not by a setting on the subnet itself: a public subnet has a route to an internet gateway, so resources in it that have public IP addresses are reachable from the internet; a private subnet has no such route. Resources in a private subnet can still make outbound connections to the internet through a NAT gateway placed in a public subnet, but the internet cannot initiate connections to them.
- Gateways: These are entry and exit points for the network traffic. There are primarily two types:
  - Internet Gateway (IGW): It provides a path for network traffic between your VPC and the internet.
  - Virtual Private Gateway (VGW): It provides a path for network traffic between your VPC and your on-premises network over an IPsec VPN connection.
- Route Tables: These contain a set of rules, called routes, that determine where network traffic from a subnet is directed. Each subnet in your VPC must be associated with exactly one route table (the VPC's main route table unless you associate a custom one), and every route table carries a local route for the VPC's own CIDR block that cannot be removed. When several routes match a destination, the most specific one (longest prefix) wins.
- Network Access Control Lists (NACL): A NACL acts as a stateless firewall at the subnet level, controlling inbound and outbound traffic for every resource in the subnets it is associated with. Rules are numbered and evaluated in ascending order, the first match wins, and because the NACL keeps no connection state, return traffic (typically on ephemeral ports) must be allowed explicitly.
- Security Groups: A security group is a stateful virtual firewall attached to an elastic network interface, which is how it protects EC2 instances and other resources such as load balancers and RDS instances. It controls inbound and outbound traffic for that resource, contains allow rules only, and automatically permits the replies to any traffic it has allowed.
- VPC Endpoints: A VPC endpoint gives resources in your VPC private connectivity to supported AWS services, or to services hosted in other VPCs through AWS PrivateLink, without the traffic traversing an internet gateway or NAT gateway. Gateway endpoints (for Amazon S3 and DynamoDB) are route-table targets; interface endpoints are elastic network interfaces with private IP addresses in your subnets.
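To make the "public versus private is decided by the route table" point concrete, here is an added example (not code from the original article) that models three route tables for one VPC and classifies the subnets they serve, then resolves a destination with the same longest-prefix-match rule the VPC router applies. All resource identifiers (igw-0example..., nat-0example..., pcx-0example..., vpce-0example..., pl-0example...) are invented placeholders, and the prefix list resolves to the TEST-NET-3 block 203.0.113.0/24 standing in for a service's real ranges.

```python
import ipaddress

# Constructed sample data (not real AWS identifiers): one VPC, three route tables.
VPC_CIDR = "10.0.0.0/16"

# A managed prefix list maps an ID to CIDR blocks; a gateway endpoint route uses
# such a list as its destination. The CIDR here is a placeholder, not a real range.
PREFIX_LISTS = {
    "pl-0example000000001": ["203.0.113.0/24"],
}

ROUTE_TABLES = {
    "rtb-public": [
        (VPC_CIDR, "local"),
        ("0.0.0.0/0", "igw-0example000000001"),      # default route to an internet gateway
    ],
    "rtb-private": [
        (VPC_CIDR, "local"),
        ("0.0.0.0/0", "nat-0example000000001"),      # outbound-only internet via NAT gateway
        ("192.168.0.0/16", "pcx-0example000000001"),  # peered VPC, reached over the peering connection
    ],
    "rtb-isolated": [
        (VPC_CIDR, "local"),
        ("pl-0example000000001", "vpce-0example000000001"),  # gateway endpoint, no internet path at all
    ],
}


def expand_routes(rtb_id):
    """Yield (network, target) pairs, resolving prefix-list destinations to CIDRs."""
    for dest, target in ROUTE_TABLES[rtb_id]:
        cidrs = PREFIX_LISTS[dest] if dest.startswith("pl-") else [dest]
        for cidr in cidrs:
            yield ipaddress.ip_network(cidr), target


def classify_subnet(rtb_id):
    """A subnet is public only if its route table has a route to an internet gateway;
    a NAT route makes it private (egress only); anything else is isolated."""
    targets = [target for _, target in expand_routes(rtb_id)]
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("nat-") for t in targets):
        return "private"
    return "isolated"


def lookup(rtb_id, dst_ip):
    """Longest-prefix match over the table; None means no route, so the packet is dropped."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(net, target) for net, target in expand_routes(rtb_id) if ip in net]
    if not matches:
        return None
    _, target = max(matches, key=lambda m: m[0].prefixlen)
    return target


if __name__ == "__main__":
    for rtb in ROUTE_TABLES:
        print(rtb, classify_subnet(rtb),
              "8.8.8.8 ->", lookup(rtb, "8.8.8.8"),
              "10.0.5.7 ->", lookup(rtb, "10.0.5.7"))
```

Note that the local route always wins for in-VPC destinations even in the public table, because /16 is more specific than /0, and that the isolated table reaches the endpoint's prefix list but drops everything else bound for the internet.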
VPC Peering
Another fundamental concept to understand is VPC Peering. It is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses, as if they were in the same network. AWS uses its existing infrastructure to create a VPC peering connection; it is neither a gateway nor a VPN connection, and it doesn't rely on a separate piece of physical hardware. Two caveats matter in practice: the CIDR blocks of the two VPCs must not overlap, and peering is not transitive, so if VPC A is peered with B and B with C, A cannot reach C through B.
Conclusion
The components discussed not only help you understand the structure of an AWS VPC but are also related to domains tested in the AWS Certified Cloud Practitioner (CLF-C02) exam. In the following series of articles, we’ll take a deep dive into each of these components, understanding their role in the AWS networking environment to facilitate practical knowledge and help you pass the exam.
Stay tuned as we explore each of these components and relate them to exam objectives, so you have every detail covered for your certification journey. With a clear understanding of AWS VPC, you will have a strong foundation for other AWS services with network-related capabilities and functions.
Remember, practicing these components in the AWS management console is also crucial to gain hands-on understanding, which will be invaluable not just for the exam but for your career in the cloud field as well. So, let’s start exploring AWS VPC and its wonderful components together!
Practice Test
A VPC spans across multiple regions in AWS.
- True
- False
Answer: False
Explanation: A VPC exists within a region and cannot span multiple regions. Each VPC is region-specific.
A network gateway connects an AWS VPC with an on-premises network.
- True
- False
Answer: True
Explanation: A gateway such as a virtual private gateway (used with Site-to-Site VPN or Direct Connect) or a transit gateway is the attachment point between an AWS VPC and an on-premises network, and routes in the VPC's route tables direct traffic to it.
VPCs are isolated from each other on the AWS network.
- True
- False
Answer: True
Explanation: Each VPC in AWS is isolated from all other VPCs by default, providing an extra layer of security and privacy for AWS resources.
Which of the following components are part of a VPC? Select all that apply.
- Subnets
- EC2 instances
- Load balancers
- Security Groups
Answer: Subnets, EC2 instances, Load balancers, Security Groups
Explanation: Subnets and security groups are VPC constructs, while EC2 instances and load balancers are resources launched into the VPC's subnets. All four are part of a typical network setup in an AWS VPC.
Private subnets in a VPC can communicate directly with the internet.
- True
- False
Answer: False
Explanation: Private subnets in a VPC cannot communicate directly with the internet as they do not have a route to the internet gateway.
An internet gateway is used to connect your VPC to a VPN connection.
- True
- False
Answer: False
Explanation: An internet gateway is used to connect your VPC to the internet, not a VPN connection.
Network Access Control Lists (NACLs) act as a firewall at the subnet level in a VPC.
- True
- False
Answer: True
Explanation: NACLs in a VPC are stateless firewalls that operate at the subnet level and provide another layer of security in front of security groups; unlike security groups they support explicit deny rules.
In AWS VPC, Security Groups are stateful, i.e., if you send a request from your instance, the response is automatically allowed to flow in.
- True
- False
Answer: True
Explanation: Security Groups in AWS are stateful. If you allow an inbound request, the outbound response is automatically allowed regardless of outbound rules, and the same applies in the other direction.
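The difference between the two preceding questions (stateless NACLs, stateful security groups) is easiest to see by tracing one connection through both. The following is an added example, not part of the original article: a small model of NACL and security group evaluation applied to an HTTPS request from a client at 198.51.100.10 (TEST-NET-2) to an instance at 10.0.1.5. The rule sets are constructed for the example; the behaviour modelled (first-match ordered NACL rules with an implicit deny, allow-only security group rules, connection tracking for replies) follows the AWS documentation.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reply(self):
        """The response packet travels in the opposite direction."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    """One firewall rule. 'number' only matters for NACLs (lowest evaluated first)."""
    cidr: str
    proto: str
    port_from: int
    port_to: int
    action: str = "allow"
    number: int = 100


def _matches(rule, pkt, direction):
    # Inbound rules test the packet's source address, outbound rules its destination;
    # both test the destination port of the packet in flight.
    peer = pkt.src if direction == "inbound" else pkt.dst
    return (rule.proto in ("all", pkt.proto)
            and rule.port_from <= pkt.dport <= rule.port_to
            and ipaddress.ip_address(peer) in ipaddress.ip_network(rule.cidr))


def nacl_allows(rules, pkt, direction):
    """Stateless: every packet, replies included, is checked against the ordered rules.
    The first matching rule decides; the implicit '*' rule at the end denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt, direction):
            return rule.action == "allow"
    return False


class SecurityGroup:
    """Stateful and allow-only: a packet belonging to a tracked connection is
    permitted without consulting the rules for its own direction."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.tracked = set()

    def allows(self, pkt, direction):
        if pkt.reply() in self.tracked:
            return True
        rules = self.inbound if direction == "inbound" else self.outbound
        if any(_matches(r, pkt, direction) for r in rules):
            self.tracked.add(pkt)
            return True
        return False


def trace_flow(nacl_in, nacl_out, sg, request):
    """Return (request_allowed, reply_allowed) for an inbound request to an instance.
    Inbound traffic meets the NACL first, then the security group; the reply meets
    the security group first, then the NACL on its way out of the subnet."""
    req_ok = nacl_allows(nacl_in, request, "inbound") and sg.allows(request, "inbound")
    if not req_ok:
        return False, False
    reply = request.reply()
    rep_ok = sg.allows(reply, "outbound") and nacl_allows(nacl_out, reply, "outbound")
    return True, rep_ok


# Constructed scenario: HTTPS from a client's ephemeral port 51000 to the instance.
REQUEST = Packet("198.51.100.10", 51000, "10.0.1.5", 443)
HTTPS_IN = [Rule("0.0.0.0/0", "tcp", 443, 443)]
NACL_IN = [Rule("0.0.0.0/0", "tcp", 443, 443, number=100)]
NACL_OUT_BROKEN = [Rule("0.0.0.0/0", "tcp", 443, 443, number=100)]          # ephemeral ports forgotten
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule("0.0.0.0/0", "tcp", 1024, 65535, number=110)]

if __name__ == "__main__":
    # The security group has no outbound rule at all, yet the reply still passes it.
    print("broken NACL:", trace_flow(NACL_IN, NACL_OUT_BROKEN, SecurityGroup(HTTPS_IN, []), REQUEST))
    print("fixed NACL: ", trace_flow(NACL_IN, NACL_OUT_FIXED, SecurityGroup(HTTPS_IN, []), REQUEST))
```

With the broken NACL the request reaches the instance but the reply is dropped at the subnet boundary because port 51000 is not allowed outbound, which is the classic symptom of a NACL missing its ephemeral-port rule. The security group needs no outbound rule for the reply at all, but it would still block a new connection the instance initiates itself.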
Peering connection in VPC allows instances in different VPCs to communicate.
- True
- False
Answer: True
Explanation: VPC peering is a networking connection between two VPCs that enables you to route traffic between them through private IPv4 addresses or IPv6 addresses.
VPCs can have more than one route table.
- True
- False
Answer: True
Explanation: Each VPC comes with a main route table, but you can create additional custom route tables for more complex routing scenarios.
NAT Gateway in a VPC enables instances in a private subnet to access the internet.
- True
- False
Answer: True
Explanation: NAT Gateway enables instances in a private subnet to access the internet but prevents the internet from initiating a connection with those instances.
You can’t attach a Security Group to an Elastic IP.
- True
- False
Answer: True
Explanation: An Elastic IP is not an entity that you can attach a Security Group to. The Security Group is associated with resources such as instances or load balancers, not IPs.
The default VPC in AWS has one default subnet in each Availability Zone.
- True
- False
Answer: True
Explanation: The default VPC includes a default subnet in each Availability Zone to allow you to start deploying instances right away if you don’t need to customize your network setup.
VPC Flow Logs enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
- True
- False
Answer: True
Explanation: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.
CloudWatch cannot be utilized to monitor VPC Flow Logs data.
- True
- False
Answer: False
Explanation: VPC Flow Logs can be published to Amazon CloudWatch Logs (as well as to Amazon S3 or Kinesis Data Firehose), where CloudWatch can store, search and alert on the data for analysis and troubleshooting.
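Flow log records are where the VPC constructs above become observable, so here is an added example (not code from the original article) that parses records in the default version 2 format, skips NODATA records, and runs two simple detections over them: a source that gets REJECTed on many different destination ports (a port-scan heuristic) and ACCEPTed administrative traffic (SSH or RDP) from outside the VPC's CIDR. The log lines are constructed for this example; the account ID, ENI ID and addresses are placeholders.

```python
import ipaddress
from collections import defaultdict

# Default VPC Flow Logs (version 2) field order, space separated.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: six rejected probes from one host, one accepted SSH session from
# the internet (and its return record), one internal SSH session, one NODATA record.
SAMPLE_LOG = """\
2 111122223333 eni-0example000000001 198.51.100.77 10.0.1.5 40001 22 6 1 44 1700000000 1700000030 REJECT OK
2 111122223333 eni-0example000000001 198.51.100.77 10.0.1.5 40002 23 6 1 44 1700000000 1700000030 REJECT OK
2 111122223333 eni-0example000000001 198.51.100.77 10.0.1.5 40003 80 6 1 44 1700000000 1700000030 REJECT OK
2 111122223333 eni-0example000000001 198.51.100.77 10.0.1.5 40004 443 6 1 44 1700000000 1700000030 REJECT OK
2 111122223333 eni-0example000000001 198.51.100.77 10.0.1.5 40005 3306 6 1 44 1700000000 1700000030 REJECT OK
2 111122223333 eni-0example000000001 198.51.100.77 10.0.1.5 40006 3389 6 1 44 1700000000 1700000030 REJECT OK
2 111122223333 eni-0example000000001 203.0.113.9 10.0.1.5 51515 22 6 12 1800 1700000100 1700000160 ACCEPT OK
2 111122223333 eni-0example000000001 10.0.1.5 203.0.113.9 22 51515 6 10 2400 1700000100 1700000160 ACCEPT OK
2 111122223333 eni-0example000000001 10.0.2.40 10.0.1.5 51516 22 6 12 1800 1700000100 1700000160 ACCEPT OK
2 111122223333 eni-0example000000001 - - - - - - - 1700000200 1700000260 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records into dicts, dropping records without traffic data."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line or a custom format this parser does not handle
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry '-' in the traffic fields
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records


def find_port_scans(records, min_ports=5):
    """Sources whose REJECTed flows touched at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports_by_src[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}


def find_public_admin_access(records, vpc_cidr, admin_ports=(22, 3389)):
    """ACCEPTed TCP flows to SSH/RDP whose source lies outside the VPC's own address range."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = []
    for rec in records:
        if (rec["action"] == "ACCEPT" and rec["protocol"] == 6
                and rec["dstport"] in admin_ports
                and ipaddress.ip_address(rec["srcaddr"]) not in vpc):
            hits.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(len(recs), "records with traffic data")
    print("possible port scans:", find_port_scans(recs))
    print("admin access from outside the VPC:", find_public_admin_access(recs, "10.0.0.0/16"))
```

The REJECT records show the security group or NACL doing its job, but the spread of destination ports from one address is the signal worth alerting on; the accepted SSH session from 203.0.113.9 is the finding that should prompt a look at which security group rule allowed it. The return record (source port 22) is not double-counted because the check keys on the destination port.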
Interview Questions
1. What is a Subnet in the AWS VPC environment?
In the AWS VPC environment, a subnet is a range of IP addresses in your VPC. You can launch AWS resources into a selected subnet.
2. What is a Gateway in the context of an AWS VPC?
A gateway in an AWS VPC is the entry and exit point for traffic leaving the VPC's own address space: an internet gateway connects the VPC to the internet, a virtual private gateway connects it to an on-premises network over VPN or Direct Connect, and a NAT gateway gives private subnets outbound-only internet access.
3. What purpose does the Route Table serve in a VPC?
A route table contains a set of rules, called routes, used to determine where network traffic is directed. Each subnet in your VPC must be associated with a route table.
4. What is an Internet Gateway in a VPC?
An internet gateway is a horizontally scalable, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.
5. What is a NAT Gateway in a VPC?
A NAT gateway is an AWS-managed Network Address Translation device that lets instances in a private subnet initiate connections to the internet or to other AWS services, while preventing the internet from initiating connections to those instances. It is placed in a public subnet, and the private subnet's route table sends 0.0.0.0/0 to it.
6. What function does the Network Access Control List (NACL) perform in a VPC?
A network access control list (NACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
7. What is VPC Peering in AWS?
VPC Peering in AWS is a networking connection between two VPCs that enables you to route traffic between them privately.
8. Can a VPC span across multiple Regions in AWS?
No, a VPC cannot span multiple regions. It is confined to a single region but can span multiple Availability Zones within that region.
9. What is the primary security control mechanism at the subnet level in AWS VPC?
Network Access Control Lists (NACLs) are the security control at the subnet level in an AWS VPC; they are stateless and apply to all traffic entering or leaving the subnets they are associated with. Security groups, by contrast, operate at the instance (elastic network interface) level and are stateful.
10. What is the function of Elastic IP in AWS VPC?
An Elastic IP address is a static, public IPv4 address, which is reachable from the internet. If your instance does not have a public IPv4 address, you can associate an Elastic IP address with your instance to enable communication with the internet.
11. What is an Endpoint in AWS VPC?
In AWS VPC, an endpoint is a VPC component that lets instances reach supported AWS services or PrivateLink services over the AWS network without an internet gateway, NAT device, VPN or Direct Connect connection. A gateway endpoint is a target in the route table (used for Amazon S3 and DynamoDB); an interface endpoint is an elastic network interface with a private IP address in your subnet.
12. What is achieved by subnetting in a VPC?
Subnetting in a VPC allows the segmentation of a VPC’s IP address range into smaller network sections, which provides improved network security and efficiency.
13. What is the purpose of a Virtual Private Gateway in a VPC?
A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection to your own network. It allows communication between your VPC and your on-premises network.
14. Can a VPC connect directly to the internet?
Yes, but only through an Internet Gateway. An Internet Gateway enables your VPC to connect to the internet.
15. Can a VPC have more than one Internet Gateway?
No, a VPC can be associated with only one Internet Gateway at a time.