VPC Design Principles
Virtual Private Cloud (VPC) creation is the first step in building your infrastructure in the AWS Cloud. AWS gives you the flexibility to create a VPC with any CIDR block based on RFC 4632. The major components of a VPC are: the VPC CIDR, Subnets, Route Tables, ACLs and Security Groups. Creating the VPC itself is straightforward: just pick a CIDR block based on RFC 4632. Subnetting the VPC, however, should follow the principles below.
Creation of Subnets:
Primary reasons to create Subnets
- You need hosts to be routed successfully (private facing or public facing).
- You want to distribute workload across multiple AZs (Availability Zones) for fault tolerance.
- You want to create subnets for hosts that require an additional layer of security using an ACL (Access Control List).
First subnet the VPC CIDR into a few larger networks that can be treated as Public, Private or VPN-only ranges. These ranges are supernets, not the actual subnets you create in AWS. Then subnet each supernet into smaller networks that you fit your hosts into.
Note: AWS reserves 5 IPs in every subnet you create, so the more subnets you create, the more IPs you lose. For example, in the subnet 10.0.0.0/27 the following IPs are reserved:
- 10.0.0.0: network address
- 10.0.0.1: Virtual Router address
- 10.0.0.2: DNS address
- 10.0.0.3: reserved by AWS for future use
- 10.0.0.31: broadcast address
Route Tables
All the hosts within a VPC can be routed to other hosts in the VPC through an implicit virtual router. A default Virtual Router is created when you create a subnet. For example, a subnet with CIDR 10.0.0.0/27 will have a Virtual Router with IP 10.0.0.1 (subnet CIDR + 1). This router uses the route table entries of the route table the subnet is associated with.
Each subnet must be associated with a Route Table for traffic to flow. If a subnet is not explicitly associated with any route table, it uses the default Main Route Table. A Route Table can be associated with multiple subnets.
- Create separate Route Tables for subnets that have different routing requirements (public facing or private facing).
- Create a Route Table for subnets that require more specific routing. For example, a subnet may need to allow traffic only from a pool of IP addresses.
Access Control List(ACL)
ACLs provide security at the subnet level. You can control what traffic flows in and out of a subnet. ACLs are stateless, i.e. you have to define both ingress and egress traffic in the rule list; return traffic is not allowed automatically.
You can find more at ACL Overview.
Create an ACL if you want to restrict any traffic flowing to the hosts in a subnet.
Network Address Translator (NAT)
A NAT is used to provide outbound internet access to the hosts inside Private Subnets. The Route Tables of the Private Subnets have to be updated with a default route pointing at the logical ID of the NAT to give hosts inside the private subnets outbound internet connectivity.
Based on the above principles, a concrete example of creating a VPC in practice is below:
- Subnet the VPC CIDR into public facing and private facing subnets.
- All private facing subnets are associated with a single Route Table and ACL. The same applies to the VPN subnets and the Public subnets, each with their own Route Table and ACL.
- Create a separate subnet if more security is needed at the subnet level using an ACL, and associate that subnet with its own Route Table.
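As an added worked example (not part of the original article), the following Python script carries out the plan above with the standard ipaddress module: it splits a VPC CIDR into one supernet per tier, one subnet per AZ inside each, records whether the subnet's default route points at the internet gateway or the NAT, and lists the five addresses AWS reserves in each subnet. The VPC CIDR, AZ names and tier names are constructed for illustration.

```python
"""Carve an AWS VPC CIDR into per-AZ public/private subnets and report
the addresses AWS reserves (network, +1 router, +2 DNS, +3 future use,
last address = broadcast). CIDRs and AZ names here are constructed."""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5  # AWS reserves five addresses in every subnet


def reserved_addresses(subnet_cidr):
    """Return the five AWS-reserved addresses of a subnet, keyed by role."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "router": str(ipaddress.ip_address(base + 1)),      # implicit VPC router
        "dns": str(ipaddress.ip_address(base + 2)),         # Amazon-provided DNS
        "future_use": str(ipaddress.ip_address(base + 3)),  # reserved by AWS
        "broadcast": str(net.broadcast_address),            # not usable in a VPC
    }


def usable_hosts(subnet_cidr):
    """Addresses left for instances/ENIs after AWS's reservations."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_vpc(vpc_cidr, azs, tiers=("public", "private")):
    """Split the VPC into one supernet per tier, then one subnet per AZ.

    Public subnets get a 0.0.0.0/0 route to the internet gateway (igw);
    private subnets get their default route via the NAT gateway (nat)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    tier_bits = (len(tiers) - 1).bit_length()  # bits needed to number the tiers
    az_bits = (len(azs) - 1).bit_length()      # bits needed to number the AZs
    plan = []
    for tier, supernet in zip(tiers, vpc.subnets(prefixlen_diff=tier_bits)):
        default_route = "igw" if tier == "public" else "nat"
        for az, subnet in zip(azs, supernet.subnets(prefixlen_diff=az_bits)):
            plan.append({
                "tier": tier, "az": az, "cidr": str(subnet),
                "default_route": default_route,
                "usable": usable_hosts(str(subnet)),
            })
    return plan


if __name__ == "__main__":
    for entry in plan_vpc("10.0.0.0/16", ["us-east-1a", "us-east-1b"]):
        print(entry, reserved_addresses(entry["cidr"]))
```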
The following figure shows the summary of VPC Design in AWS