AWS VPC
A VPC (Virtual Private Cloud) is an isolated virtual network in which we build our own environment: we decide which AWS resources and services run there and how they are configured. We can think of a VPC as a dedicated private area within AWS for our project or organization, where we set up the resources we want and control access to them. It resembles the traditional network infrastructure we set up within our organizations, but with the benefit of AWS scalability; many describe a VPC as a private cloud inside a cloud. To configure a working VPC we first have to understand its main features, listed below. These features interconnect to form our VPC.
1. How to establish IP addressing within our VPC
2. How to build subnets in our VPC
3. How to connect the VPC to other networks within our organization and to the internet
4. How to monitor what’s happening in our VPC
5. What security features we can add to our VPC
The diagram below shows the relation between Region, VPC, Availability Zones, Subnets and Instances (taken from https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html).
Let’s take a look at how IP addressing is set up for a VPC.
IP Addressing
IP addresses are necessary for resources within a VPC to connect to each other, and they also let these resources connect to the internet. In AWS we use CIDR (Classless Inter-Domain Routing) notation to allocate IP address ranges for our resources in a VPC.
An IP address can be IPv4 or IPv6, which are 32 bits and 128 bits long respectively.
IPv4
An IPv4 address is a group of 4 blocks, each a number of at most three digits, for example 172.31.0.0. Each block is represented by 8 bits, so an IPv4 address is 32 bits in total.
A CIDR range adds a number after a slash, for example 172.31.0.0/16. This says that the first 16 bits (each block is 8 bits) are fixed and only the last 16 bits can vary. So for our example range the lowest IP address is 172.31.0.0 and the highest is 172.31.255.255, because the ‘/16’ locks the first 16 bits.
To visualize such a range easily you can use the https://cidr.xyz/ site; I did the same for the IPv4 range above.
IPv4 addresses are either private or public. Private IPv4 addresses are not reachable over the internet; they are used only for communication among the resources within our VPC.
A public IPv4 address, in contrast, lets a resource communicate with the internet. However, the recommended way is not to expose the public IPv4 address to the internet directly, but to route that traffic through an internet gateway. When we launch an instance in a subnet inside our VPC, we can “Enable” public IP assignment for the instance, as shown below.
Once the instance is created we can see the public IPv4 address assigned to it.
IPv6
Since the ranges of IPv4 addresses are running out, IPv6 is the next step in IP addressing. As mentioned, an IPv6 address is 128 bits long, written as 8 blocks of 4 hexadecimal digits each, for example 2001:0db8:85a3:0000:0000:8a2e:0370:7334. We can optionally associate an IPv6 CIDR block with the VPC when creating it.
VPC CIDR Block
When creating a VPC we must associate an IPv4 CIDR block with it. We can additionally add more IPv4 CIDR blocks or an IPv6 CIDR block to the VPC. The allowed IPv4 block size for the VPC is between “/16” (65,536 IP addresses) and “/28” (16 IP addresses). However, there are certain restrictions on the ranges these CIDR blocks may use; the AWS documentation at the link below explains them very clearly.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html
Subnet CIDR Block
Subnets created within the VPC also need a CIDR allocation. The subnet CIDR can be the same as the VPC CIDR if we plan to create a single subnet within the VPC, or a subset of the VPC CIDR block if we plan to have multiple subnets. Note that with multiple subnets in a VPC, the CIDR allocations of the subnets cannot overlap.
So, suppose our VPC has the CIDR allocation 172.31.0.0/16 and we create two subnets within it: subnet A with CIDR 172.31.1.0/24 and subnet B with CIDR 172.31.2.0/24. Each of these subnets has a range of 256 IP addresses.
IMPORTANT NOTE: Although the CIDR allocation gives each subnet 256 IP addresses, 5 of them cannot be allocated to resources created within the subnet. For our example subnet range
172.31.1.0/24, the following IP addresses are reserved by AWS:
172.31.1.0: Network address.
172.31.1.1: Reserved by AWS for the VPC router.
172.31.1.2: Reserved by AWS.
172.31.1.3: Reserved by AWS for future use.
172.31.1.255: Network broadcast address. AWS does not support broadcast in a VPC, so this address is reserved.
So in reality we have 251 usable IP addresses in each subnet.
To conclude VPC IP addressing, the diagram below should help you understand the CIDR allocation more easily.
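The CIDR arithmetic described above (first and last address of a block, the five addresses AWS reserves in each subnet, and the rule that subnets must sit inside the VPC block without overlapping) can be checked with a short script before any subnet is created. The following is an added example written for this page, not code from AWS or from the original post; the VPC and subnet values are the constructed ones used in the text, and the /16 to /28 size check for the VPC block follows the limit stated above. It uses only Python’s standard ipaddress module, so it also handles an IPv6 CIDR block for the range calculation.

```python
import ipaddress

# Constructed example values: the VPC and the two subnets discussed in the text.
VPC_CIDR = "172.31.0.0/16"
SUBNETS = {"A": "172.31.1.0/24", "B": "172.31.2.0/24"}

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28   # allowed IPv4 VPC block size: /16 to /28


def cidr_range(cidr):
    """Return (first_address, last_address, total_addresses) for a CIDR block.

    strict=True rejects a block whose host bits are set (e.g. 172.31.1.5/24),
    which is exactly the kind of typo that silently mis-sizes a subnet.
    Works for IPv4 and IPv6 blocks alike.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def aws_reserved(subnet_cidr):
    """The five addresses AWS reserves in every IPv4 subnet, keyed by their role.

    Offsets follow the table in the text: network (+0), VPC router (+1),
    reserved by AWS (+2), future use (+3) and the broadcast (last) address.
    """
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    if net.version != 4:
        raise ValueError("this helper covers the IPv4 reservation rule only")
    base = int(net.network_address)
    return {
        "network": str(ipaddress.ip_address(base)),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "aws_reserved": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_addresses(subnet_cidr):
    """Addresses actually available to resources: block size minus the 5 reserved ones."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - len(aws_reserved(subnet_cidr))


def validate_subnets(vpc_cidr, subnets):
    """Return a list of problems (empty list means the plan is consistent).

    Checks: the VPC block size is within /16 to /28, every subnet is a subset
    of the VPC block, and no two subnets overlap.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems = []
    if not VPC_MIN_PREFIX <= vpc.prefixlen <= VPC_MAX_PREFIX:
        problems.append(f"VPC {vpc_cidr} is outside the allowed /16 to /28 block size")

    nets = {name: ipaddress.ip_network(cidr, strict=True) for name, cidr in subnets.items()}
    for name, net in nets.items():
        if net.version != vpc.version or not net.subnet_of(vpc):
            problems.append(f"subnet {name} {net} is not inside VPC {vpc_cidr}")

    names = list(nets)
    for i in range(len(names)):
        for j in range(i + 1, len(names)):
            a, b = nets[names[i]], nets[names[j]]
            if a.version == b.version and a.overlaps(b):
                problems.append(f"subnets {names[i]} {a} and {names[j]} {b} overlap")
    return problems


if __name__ == "__main__":
    print("VPC range:", cidr_range(VPC_CIDR))
    for name, cidr in SUBNETS.items():
        print(f"subnet {name} {cidr}: reserved {aws_reserved(cidr)}, usable {usable_addresses(cidr)}")
    print("problems:", validate_subnets(VPC_CIDR, SUBNETS) or "none")
```

Running the script as-is reports the 172.31.0.0 to 172.31.255.255 range for the VPC, the five reserved addresses and 251 usable addresses per /24 subnet, and no problems for subnets A and B; swapping subnet B for 172.31.1.128/25 makes validate_subnets report the overlap with subnet A.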