Wednesday, 15 September 2021

AWS Networking - Part I: Virtual Private Cloud (VPC) Introduction

AWS Virtual Private Cloud (VPC) is a virtual network for Amazon Elastic Compute Cloud (EC2) instances within an AWS Region. AWS Regions, in turn, belong to the global AWS Cloud environment. Each AWS Region consists of three or more physical data centers called Availability Zones (AZ). At the time of writing, Seoul and Tokyo have four, and Northern Virginia has six AZs. All other regions have three AZs. A VPC spans the AZs of its region but does not span multiple AWS Regions. In other words, VPCs are region-specific virtual networks.

A VPC has to have a CIDR (Classless Inter-Domain Routing) IP block attached to it. The VPC CIDR defines the IP range that we can use when creating subnets in the VPC. The CIDR range is VPC-specific and may overlap with another VPC's CIDR range. If there is to be a VPC-to-VPC interconnection, however, the VPC CIDR IP ranges have to be unique per VPC.

We can allocate subnets for EC2 instances from the VPC's CIDR range. Subnets are AZ-specific, and they cannot span from one AZ to another. Subnets are classified either as Public Subnets or Private Subnets. A Public Subnet has a route to an Internet GW (Internet Gateway) in its Routing Table (RT). EC2 instances launched in a Public Subnet have to have a public IPv4 address in order to have an Internet connection. Note that IPv6 addresses are always assigned from the public address space. An EC2 instance launched in a Private Subnet doesn't need a public IPv4 address; it can have an Internet connection through a NAT GW. To allow Internet connections for EC2 instances in a Private Subnet, we need to add a route to the NAT GW to the Private Subnet's Routing Table. We can allow a stateful egress-only Internet connection for EC2 instances with IPv6 addresses in a Private Subnet by using an Egress-Only Internet GW. This way the EC2 instance has an Internet connection, but hosts on the Internet can't initiate a connection to the EC2 instance. IP connectivity between EC2 instances within a VPC is established between their private IP addresses, even if one of the EC2 instances is attached to a Public Subnet and has a Public IP address. The VPC has a main Routing Table that is used by subnets for which we don't define a subnet-specific RT.
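To make the Public/Private distinction and the main-Routing-Table fallback concrete, here is an added example (my own code, not from the original post) that classifies subnets from the structure of EC2 DescribeRouteTables output. The route-table ids, gateway ids, subnet ids and the 10.0.0.0/16 VPC CIDR are constructed placeholders.

```python
# Added example (not from the post): classify a VPC's subnets from the shape of
# EC2 DescribeRouteTables output. Rule from the text: a subnet without its own
# route table uses the VPC main table; a route to an Internet GW makes it public.
from typing import Dict, List

def _route_kind(route: Dict) -> str:
    if route.get("State", "active") != "active":   # skip blackhole routes
        return "other"
    if str(route.get("GatewayId", "")).startswith("igw-"):
        return "igw"
    if route.get("NatGatewayId"):
        return "nat"
    if route.get("EgressOnlyInternetGatewayId"):
        return "eigw"
    return "other"

def classify_subnets(route_tables: List[Dict], subnet_ids: List[str]) -> Dict[str, str]:
    """Map each subnet id to Public / Private (NAT GW) / Private (egress-only IGW) / Private (isolated)."""
    main_rt, explicit = None, {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_rt = rt                      # fallback for subnets with no own RT
            elif assoc.get("SubnetId"):
                explicit[assoc["SubnetId"]] = rt  # subnet-specific RT wins
    result = {}
    for sid in subnet_ids:
        rt = explicit.get(sid, main_rt) or {}
        kinds = {_route_kind(r) for r in rt.get("Routes", [])}
        if "igw" in kinds:
            result[sid] = "Public"
        elif "nat" in kinds:
            result[sid] = "Private (NAT GW)"
        elif "eigw" in kinds:
            result[sid] = "Private (egress-only IGW)"
        else:
            result[sid] = "Private (isolated)"
    return result

# Constructed sample modelled on Figure 1-1; every id and the 10.0.0.0/16 CIDR is a placeholder.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"RouteTableId": "rtb-public", "Associations": [{"Main": False, "SubnetId": "subnet-public-2c"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"Main": False, "SubnetId": "subnet-private-2a"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder"}]},
]
SAMPLE_SUBNETS = ["subnet-public-2c", "subnet-private-2a", "subnet-no-own-rt"]

if __name__ == "__main__": print(classify_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS))
```

The same function works on the real `RouteTables` list returned by `describe_route_tables` in boto3, which is a quick way to audit which subnets actually have a path to the Internet GW.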

Each VPC also has a default Network Access Control List (NACL). The default NACL is bound to all subnets in the VPC by default. A NACL is stateless by nature: traffic to and from the subnet has to be allowed in both the inbound and outbound directions. The default NACL allows all ingress/egress traffic.

Figure 1-1 illustrates our example VPC and its relationship to AWS Availability Zones, AWS Regions, and the AWS Account. When we create a VPC, we first have to log on to our AWS account. Next, we select an AWS Region, in our case Europe (London) eu-west-2. Then we choose Availability Zones for the subnets. In our case, one network is a Public Subnet in the AZ eu-west-2c, and the other network is a Private Subnet in the AZ eu-west-2a. As the last step, we create subnet-specific Routing Tables to which we can later add subnet-specific routes.

Figure 1-1: Virtual Private Cloud (VPC) Basic Building Blocks.

The Structure of Availability Zone 

Figure 1-2 gives an overview of an AWS Region. The physical design of the network devices within an Availability Zone is based on a routed 3-tier Clos topology. The primary task of the Underlay Network infrastructure is to provide fast and resilient IP connections between Hosts, Mapping Services, Gateways such as the Internet GW, and Endpoints such as the S3 Endpoint.

There is a software router within each host. The virtual router's vNIC uses the physical NIC of the host as an uplink to the switching fabric. Virtual routers are responsible for the encapsulation/decapsulation (adding/removing the VPC header) of data traffic. The underlying network infrastructure is unaware of VPCs, and switches make forwarding decisions for encapsulated data packets based on the destination IP address in the outer tunnel IP header. The Control-Plane solution for EC2 instance reachability information relies on Mapping Services. Each host registers its locally running EC2 instances with the Mapping Service. The mapping message includes the EC2 instance's IP/MAC addresses and its VPC (the identifier) in addition to the IP address of the physical host (the location). The Mapping Service publishes the information when requested by hosts. Hosts, in turn, cache the mapping information to minimize latency.

Figure 1-2: Overview of Availability Zones.

The next post explains how we can create a VPC using the AWS console.