Here is an interesting story that helps you to understand the AWS VPC and Subnets easily.
Think of AWS as a vibrant city filled with digital services and data. Amazon VPC is like your own gated community in this vibrant city. VPC is Amazon’s virtual network environment. A VPC has subnets, which are like districts within a private city. Do you want some services to be public, such as a cafe? Use a ‘public subnet.’ Need a secure, quiet corner for sensitive data? This is a ‘private subnet.‘ With AWS VPC and subnets, you can design your digital world to meet usability, security, and performance requirements.
- Understanding the AWS Virtual Private Cloud
- IP Address and CIDR Blocks
- Deep Dive into Subnets
- Conclusion
- Frequently Asked Questions
Understanding the AWS Virtual Private Cloud
With Amazon Virtual Private Cloud (Amazon VPC), you can launch AWS resources in a logically isolated virtual network that you’ve defined. It enables you to have complete control over your network settings, such as IP address ranges, subnets, route tables, and network gateways.
Check out our blog on VPC
IP Address and CIDR Blocks
IP Address Range
IP addresses in your VPC enable communication between resources, as well as with resources on the internet. CIDR notation represents an IP address and its network mask.
There are two parts to an IP address:
- Network addresses contain numerical digits indicating the network’s unique identifier
- Host addresses indicate the network identifier for a host or device
CIDR Blocks
An IP address CIDR block is a collection of IP addresses with the same network prefix and number of bits. It consists of more IP addresses and a small suffix.
Classful Addresses
IPv4 addresses are 32 bits long. The numerical value for every string of numbers separated by a period is 0 to 255, where 0 is the lowest value, and 255 is the highest value. An IPv4 address could be purchased in three classes by an organization.
Class A: IPv4 Class A addresses have eight network prefix bits. Consider 48.0.0.2, in which 48 is the network address and 0.0.2 is the host address.
Class B: IPv4 Class B addresses have 16 network prefix bits. Consider the example of 192.16.0.2, where 192.16 is the network address and 0.2 is the host address.
Class C: Class C IPv4 addresses have 24 network prefix bits. Consider the example of 192.168.2.1, where 192.168.2 is the network address and 1 is the host address.
Classless Addresses: CIDR addresses use variable length subnet masking (VLSM). Subnet masks return IP addresses by converting host addresses into zeroes. Subnets of different sizes can be created using a VLSM sequence. IP addresses and hosts can be flexible in each subnet.
As an example, 192.168.1.0/24 is an IPv4 CIDR address with 192.168.1 as the first 24 bits and 192.0.2 as the Network address.
Deep Dive into Subnets
Subnets allow for effective IP address distribution. These are segments of a larger network that often reside within a private network. You can manage IP address ranges more easily by dividing them up into smaller, easier-to-manage blocks. Subnets are restricted to one Availability Zone. You can protect your applications from single Availability Zone failure by launching AWS resources in different Availability Zones. When you create a subnet, you specify its IP addresses, depending on the configuration of the VPC:
- When configuring your VPC’s IP addresses, it’s important to note whether you are working with IPv4-only, dual-stack, or IPv6-only subnets.
- In an IPv4-only subnet, communication must be done over IPv4 as there is no IPv6 CIDR block available.
- Dual-stack subnets have both IPv4 and IPv6 CIDR blocks, allowing for communication over both protocols.
- Finally, in an IPv6-only subnet, communication must be done over IPv6 as there is no IPv4 CIDR block available. Make sure to properly configure your VPC to avoid any potential connectivity issues.
Subnet Masks
A subnet mask is a 32-bit address that divides an IP address into network and host bits. The network bits identify the network, while the host bits identify the device on that network. This allows for the creation of smaller networks within a larger network, known as subnets.
Subnet mask representation
When a new device connects to a network, it is assigned an IPv4 address which is a 32-bit numeric address separated into four numbers by periods. Each group of numbers within a block is called an octet, and its value ranges from 0 to 255. Without the subnet mask, the network and host portions of such IP addresses become indistinguishable
Let’s look at an example, Consider the IP address for my device: 192.168.112.121 –> 11000000.10101000. 01110000. 01111001
The subnet mask for the IP network above: 255.255.255.0 –> 11111111. 11111111. 11111111. 00000000
Using this example, a household home network has a subnet mask of 255.255.255.0. This means that within the defined network, there are 254 IP addresses that are usable. To put it simply, you can connect up to 254 internet-enabled devices such as phones, computers, IoT gadgets, and many others to the home network, and can access the internet using them.
Subnet Types
When configuring your subnet’s routing, the type of subnet you end up with will depend on your choices. For instance:
When creating subnets in your VPC, it’s crucial to consider their internet connectivity.
- A public subnet enables resources to access the internet directly via an internet gateway.
- A private subnet requires a NAT device for internet access.
- A VPN-only subnet has a route to a Site-to-Site VPN connection, but no access to the internet gateway.
- An isolated subnet has no external connectivity and can only be reached within the VPC.
Subnet Routing
Each subnet is associated with a route table that specifies allowed outbound traffic routes. All subnets are initially associated with the VPC’s main route table, but you can change this association and the contents of the main route table.
Subnet Settings
Every subnet possesses an alterable attribute that decides if a network interface created within it gets assigned a public IPv4 address and, if applicable, an IPv6 address. This includes the primary network interface (eth0) that is generated when you initiate an instance in that subnet. Nevertheless, it is imperative to note that this setting can be overridden for a specific instance during launch.
To configure the auto-assign IP settings for a new network interface in a subnet, there are two ways.
- You can enable the Auto-assign IP settings option. This will allow you to request a public IPv4 or IPv6 address automatically.
- You can configure the Resource-based Name (RBN) settings to specify the hostname type for EC2 instances in the subnet and configure how DNS queries are handled for A and AAAA records. For more information on hostname types for EC2 instances.
AWS VPC and Subnet Security
To protect your AWS VPC and Subnet resources, it is recommended that you use private subnets. We can use a bastion host or NAT device to provide internet access to resources, such as EC2 instances, in a private subnet.
- To increase security for the resources in your VPC, AWS offers security groups and network ACLs.
- Security groups permit inbound and outbound traffic for associated resources, while network ACLs allow or deny traffic at the subnet level.
- Keep in mind that using private subnets with a bastion host or NAT device is necessary to grant internet access to EC2 instances in private subnets.
Conclusion: AWS VPC and Subnets
AWS VPC and subnets provide a secure and efficient foundation for organizing cloud resources. Understanding VPC concepts enables designing networks aligned with specific needs while offering the cloud’s scalability and isolation advantages.
FAQs
How many subnets can I create per VPC?
Currently you can create 200 subnets per VPC. If you would like to create more you need to contact the AWS Support Centre
Can I use all the IP addresses that I assign to a subnet?
No. Amazon reserves the first four (4) IP addresses and the last one (1) IP address of every subnet for IP networking purposes
Can instances in a private subnet access the internet?
Instances in a private subnet cannot access the internet directly through an Internet Gateway. However, they can still access the internet by using a Network Address Translation (NAT) Gateway or a NAT instance located in a public subnet.
Related Links/References
- AWS Certified Solutions Architect Associate SAA-CO3
- Overview of Amazon Web Services & Concepts
- Amazon Virtual Private Cloud (AWS VPC) Benefits & Components
- AWS Networking Fundamentals – A Brief Introduction for Beginners
- AWS VPC
- AWS Subnets
Next Task For You
Begin your journey towards an AWS Cloud by joining our FREE Informative Class on Amazon Cloud Free Class by clicking on the below image.
Leave a Reply