VPC.md

File metadata and controls

78 lines (75 loc) · 5.66 KB

How to Organize Resources?

  • Office:
  • Cloud:

Amazon Virtual Private Cloud (Amazon VPC) is a network service that lets you create a logically isolated virtual network in the AWS cloud. Inside it you define subnets, route tables, internet gateways, and other network components, which gives you full control over your cloud network infrastructure.

Resources

  • Private Subnet:

    Imagine there's an EC2 instance that accesses a database and returns some information to another EC2 instance. It doesn't make sense to expose it to the internet, so it's placed in a private subnet.

  • Public Subnet:

    An instance in a public subnet is reachable from the internet and can both receive and send traffic. It is typically a web server that accepts requests or makes them, with the traffic passing through an Internet Gateway.

  • Connectivity and Security:
    • VPC allows you to establish Virtual Private Network (VPN) connections to connect to a private subnet within your cloud infrastructure:

    • If you need additional security and faster resource interaction without going through the internet, you can use AWS Direct Connect, which provides dedicated, isolated connections:

  • Access Control Lists:

    At the subnet level, traffic within a VPC is filtered with Network ACLs (Access Control Lists). A Network ACL is a subnet-level access control list that acts as a firewall inside the VPC (Virtual Private Cloud):

    Network ACLs are stateless: they keep no connection state. They have separate rules for inbound and outbound traffic. For example, if a packet arriving at a database instance is allowed by the inbound rules, that does not mean the response traffic is allowed as well; the response is checked independently against the outbound rules, which must be configured to permit it.

  • Security Groups:

    At the EC2 instance level, security groups behave statefully: if traffic is allowed in, the corresponding reply traffic is allowed back out. Traffic is blocked only when no rule allows it. This is the default behaviour, and the rules themselves can be adjusted:
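    The difference between the two controls is easiest to see by evaluating the same database request and its reply against each of them. The Python model below is an added example, not AWS code: the Packet, Rule, NetworkAcl and SecurityGroup classes, the addresses (a web tier at 10.0.1.0/24 and a database at 10.0.2.10) and the rule sets are all constructed here. It mirrors the documented semantics: a Network ACL checks every packet in each direction against numbered rules (lowest number first, first match wins, implicit deny at the end), whereas a security group is allow-only and admits reply traffic on the strength of the connection it already allowed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """A packet seen at the boundary of the subnet/instance being protected."""
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int        # NACL rule number; lower numbers are evaluated first
    action: str        # "allow" or "deny" (security groups only use "allow")
    proto: str         # "tcp", "udp" or "all"
    port_range: tuple  # inclusive (low, high) of the packet's destination port
    cidr: str          # remote address range the rule applies to


def _matches(rule, remote_ip, port, proto):
    if rule.proto not in ("all", proto):
        return False
    low, high = rule.port_range
    if not low <= port <= high:
        return False
    return ip_address(remote_ip) in ip_network(rule.cidr)


class NetworkAcl:
    """Stateless, subnet-level: each packet is checked against the rules for
    its own direction, in ascending rule number; the first match decides and
    an implicit final rule denies everything that matched nothing."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def allows(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        remote = pkt.src if direction == "in" else pkt.dst
        for rule in rules:
            if _matches(rule, remote, pkt.dst_port, pkt.proto):
                return rule.action == "allow"
        return False  # implicit deny


class SecurityGroup:
    """Stateful, instance-level: allow-only rules, and a packet that is the
    reverse of a flow already admitted is allowed without consulting the
    other direction's rules. Flows are remembered as (src, sport, dst, dport, proto)."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound
        self.outbound = outbound
        self._flows = set()

    def allows(self, pkt, direction):
        if (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port, pkt.proto) in self._flows:
            return True  # reply to an allowed connection
        rules = self.inbound if direction == "in" else self.outbound
        remote = pkt.src if direction == "in" else pkt.dst
        for rule in rules:
            if _matches(rule, remote, pkt.dst_port, pkt.proto):
                self._flows.add((pkt.src, pkt.src_port, pkt.dst, pkt.dst_port, pkt.proto))
                return True
        return False  # no allow rule matched; there are no deny rules


# Constructed scenario: a web instance queries PostgreSQL on a database instance
# in the private subnet, and the database answers back to the client's ephemeral port.
WEB_TIER = "10.0.1.0/24"
REQUEST = Packet(src="10.0.1.5", dst="10.0.2.10", src_port=49152, dst_port=5432)
REPLY = Packet(src="10.0.2.10", dst="10.0.1.5", src_port=5432, dst_port=49152)


def evaluate_db_subnet():
    """Return (request allowed, reply allowed) for each control on the DB subnet."""
    # Common mistake: the outbound rule mirrors the service port instead of the
    # ephemeral port range the reply actually goes to.
    nacl_wrong = NetworkAcl(
        inbound=[Rule(100, "allow", "tcp", (5432, 5432), WEB_TIER)],
        outbound=[Rule(100, "allow", "tcp", (5432, 5432), WEB_TIER)],
    )
    # Corrected: allow replies to the client's ephemeral ports out of the subnet.
    nacl_right = NetworkAcl(
        inbound=[Rule(100, "allow", "tcp", (5432, 5432), WEB_TIER)],
        outbound=[Rule(100, "allow", "tcp", (1024, 65535), WEB_TIER)],
    )
    # Security group on the database instance: inbound 5432 only, no outbound rules.
    sg = SecurityGroup(inbound=[Rule(0, "allow", "tcp", (5432, 5432), WEB_TIER)], outbound=[])
    return {
        "nacl_wrong": (nacl_wrong.allows(REQUEST, "in"), nacl_wrong.allows(REPLY, "out")),
        "nacl_right": (nacl_right.allows(REQUEST, "in"), nacl_right.allows(REPLY, "out")),
        "security_group": (sg.allows(REQUEST, "in"), sg.allows(REPLY, "out")),
    }


if __name__ == "__main__":
    for name, (req_ok, reply_ok) in evaluate_db_subnet().items():
        print(f"{name}: request allowed={req_ok}, reply allowed={reply_ok}")
```

    The "nacl_wrong" case is the failure mode the text describes: the request reaches the database, but the reply is dropped by the subnet's outbound rules, so the connection hangs. The security group admits the same reply with no outbound rule at all, because it remembers the connection it allowed in.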

  • Customization: You can customize your VPC by defining subnets, route tables, internet gateways, and other network resources according to your needs.
  • Elasticity: Amazon VPC is highly scalable, allowing you to add network resources as your infrastructure grows.

Terms and Concepts

  • Subnets: Subnets in Amazon VPC are logical divisions of your virtual network where you can run resources and apply security settings.
  • Route Tables: VPC route tables determine how network traffic is routed between subnets, gateways, and other network resources.
  • Internet Gateway: An Internet Gateway allows resources in your subnets to access the internet in a controlled manner.
  • Security Groups: Security groups are sets of firewall rules that control inbound and outbound network traffic for resources in the VPC.
  • Network ACLs: Network Access Control Lists are subnet-level security rules that control network traffic between subnets.
  • VPN (Virtual Private Network): A VPN allows you to establish a secure connection between your local network and your cloud VPC, extending your network infrastructure.
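  The terms above fit together as follows: a subnet is associated with a route table, the route table picks the most specific matching route for each destination, and a subnet counts as public when its route table sends traffic to an Internet Gateway. The Python below is an added example, not AWS code or API calls: the VPC layout (10.0.0.0/16 with a web subnet and a database subnet), the route table, subnet and instance identifiers ending in "-example", and the posture check are all constructed here.

```python
from ipaddress import ip_address, ip_network

# Constructed VPC layout (example values, not from any real account): the web
# subnet's route table has a default route to an Internet Gateway, while the
# database subnet's route table only carries the VPC-local route.
VPC_CIDR = "10.0.0.0/16"
ROUTE_TABLES = {
    "rtb-web-example": [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-example")],
    "rtb-db-example": [(VPC_CIDR, "local")],
}
SUBNETS = {  # subnet id -> (CIDR, associated route table)
    "subnet-web-example": ("10.0.1.0/24", "rtb-web-example"),
    "subnet-db-example": ("10.0.2.0/24", "rtb-db-example"),
}
INSTANCES = {  # instance id -> (subnet, role)
    "i-web-example": ("subnet-web-example", "web"),
    "i-db-example": ("subnet-db-example", "database"),
}


def lookup_route(table_id, dst_ip):
    """Choose the target for dst_ip the way a route table does: the most
    specific (longest-prefix) matching route wins. None means no route."""
    best_net, best_target = None, None
    for cidr, target in ROUTE_TABLES[table_id]:
        net = ip_network(cidr)
        if ip_address(dst_ip) in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public_subnet(subnet_id):
    """A subnet is public when its route table has a route targeting an Internet Gateway."""
    _, table_id = SUBNETS[subnet_id]
    return any(target.startswith("igw-") for _, target in ROUTE_TABLES[table_id])


def exposed_databases(instances=INSTANCES):
    """Posture check: database instances placed in a public subnet."""
    return sorted(
        instance_id
        for instance_id, (subnet_id, role) in instances.items()
        if role == "database" and is_public_subnet(subnet_id)
    )


if __name__ == "__main__":
    for subnet_id in SUBNETS:
        kind = "public" if is_public_subnet(subnet_id) else "private"
        print(f"{subnet_id}: {kind}")
    print("internet-bound from web subnet ->", lookup_route("rtb-web-example", "203.0.113.7"))
    print("internet-bound from db subnet  ->", lookup_route("rtb-db-example", "203.0.113.7"))
    print("databases in public subnets:", exposed_databases())
```

  With this layout the database subnet has no route to the internet at all, which is exactly what the private-subnet example earlier on this page calls for; the posture check flags any database instance that drifts into a subnet whose route table reaches an Internet Gateway.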

Best Practices

  • Carefully plan the structure of your VPC, including defining subnets and route tables to meet your application's needs.
  • Use security groups to control inbound and outbound network traffic for resources in your VPC.
  • Implement Network Access Control Lists (Network ACLs) to add additional layers of subnet-level security.
  • Use Internet Gateways only when necessary and apply access control policies to ensure security.
  • Set up secure VPN connections to connect your local network to your VPC, extending your network infrastructure securely.
  • Monitor network traffic and configure alerts to detect suspicious activities or performance issues.
  • Maintain clear documentation of your VPC configuration and network resources to facilitate management and issue resolution.
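  For the monitoring point, the traffic record a VPC gives you is the VPC Flow Log. The Python below is an added example, not AWS tooling: it parses records in the default flow log format (version, account id, interface id, source and destination address and port, protocol, packets, bytes, start, end, action, log status), skips NODATA/SKIPDATA records, and groups REJECT entries by source to surface a host that was refused on many different ports. The log lines, the account id 111122223333 and the interface id eni-web-example are constructed sample data.

```python
from collections import defaultdict

# Field order of the default VPC Flow Log record format (version 2).
FIELDS = (
    "version account_id interface_id srcaddr dstaddr srcport dstport "
    "protocol packets bytes start end action log_status"
).split()

# Constructed sample records for a web server at 10.0.1.5: one normal HTTPS
# session, one source refused on six different ports, one source refused once,
# and a NODATA record of the kind emitted when an interface carried no traffic.
SAMPLE_LOG = """\
2 111122223333 eni-web-example 198.51.100.4 10.0.1.5 51000 443 6 12 6200 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-web-example 203.0.113.9 10.0.1.5 40001 22 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-web-example 203.0.113.9 10.0.1.5 40002 23 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-web-example 203.0.113.9 10.0.1.5 40003 3389 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-web-example 203.0.113.9 10.0.1.5 40004 3306 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-web-example 203.0.113.9 10.0.1.5 40005 5432 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-web-example 203.0.113.9 10.0.1.5 40006 8080 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-web-example 198.51.100.77 10.0.1.5 52010 22 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-web-example - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_logs(text):
    """Turn raw flow log lines into dicts keyed by FIELDS, dropping malformed
    lines and records whose log status is not OK (their fields are '-')."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        record = dict(zip(FIELDS, parts))
        if record["log_status"] != "OK":
            continue
        records.append(record)
    return records


def rejected_ports_by_source(records):
    """Map each source address to the set of destination ports it was refused on."""
    ports = defaultdict(set)
    for record in records:
        if record["action"] == "REJECT":
            ports[record["srcaddr"]].add(int(record["dstport"]))
    return ports


def suspected_port_scans(records, min_ports=5):
    """Sources refused on at least min_ports distinct ports; a simple alert condition."""
    return sorted(
        src for src, ports in rejected_ports_by_source(records).items()
        if len(ports) >= min_ports
    )


if __name__ == "__main__":
    parsed = parse_flow_logs(SAMPLE_LOG)
    print(f"{len(parsed)} usable records")
    for src, ports in rejected_ports_by_source(parsed).items():
        print(f"{src}: rejected on ports {sorted(ports)}")
    print("alert on:", suspected_port_scans(parsed))
```

  The threshold of five distinct refused ports is a constructed starting point; in practice it is tuned against the baseline of the interface being watched, and the same grouping works on records delivered to S3 or CloudWatch Logs once they are read line by line.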