28 April
What is AWS VPC Service?
1. VPN(Virtual Private Network)
- Creating a secure private network that connects computers distributed across multiple locations
- A service that uses the Internet to connect networks at remote locations and applies encryption technology to provide more reliable and secure communication
※ Moving every system served from an existing IDC (Internet Data Center) to the cloud is difficult, so the existing systems and the cloud systems must exchange data over a network connection between the IDC and the cloud.
※ AWS supports VPN connectivity between on-premises VPN equipment and AWS through the VPC and a VPN gateway; the result is called a hybrid cloud environment and is highly secure.
2. VPC(Virtual Private Cloud)
- Provides a logically isolated network space in which AWS resources are served on a virtual network
- Gives complete control over your own Amazon VPC virtual networking environment and provides secure, easy access to resources and applications in the VPC using both IPv4 and IPv6
- Example configuration of your own Amazon VPC virtual networking environment
– Amazon VPC Conceptual Diagram –
- Building a Private Network on AWS
- Connecting a VPN between your company and AWS or implementing virtual networking
- Connecting to existing data centers (hardware virtual private network connection) to create a hybrid environment, usable as an extension of the enterprise data center
- AWS can be used as part of your company's infrastructure and easily integrated with internal system software (mail, groupware, business systems, file servers, etc.).
- Fine-grained network configuration is possible.
- Available in all regions
- A VPC itself incurs no cost; when connecting via VPN, pay-as-you-go charges apply according to the network traffic sent and received.
3. Components of VPC
3-1) Private IP, Public IP, Elastic IP
Private IP
- IP addresses that can only be used inside the VPC (addresses that cannot be reached over the Internet)
- Automatically allocated from the IP range of the subnet in which the instance is launched
- Usable for communication between instances on the same network
- Additional private addresses, called secondary private IPs, can be assigned separately from the primary private address.
- For information on configuring a secondary private IP address for an Amazon EC2 instance, see this link.
Public IP
- Addresses available for communication between the instance and the Internet (addresses that can be reached over the Internet)
- Option to use a public IP address when creating an EC2 instance
- A public IP address cannot be manually associated with or disassociated from an instance.
- A new public IP address is assigned when the instance reboots.
Elastic IP
- Static public IP addresses designed for dynamic cloud computing
- An elastic IP can be associated with any instance or network interface in the VPC and can be quickly remapped to another instance for failover.
- Elastic IP addresses are billed hourly to encourage efficient use (caution!) in the following cases:
- The elastic IP address is not associated with a running instance.
- The elastic IP address is associated with a stopped instance or an unattached network interface.
- The number of available elastic IP addresses is limited to 10; NAT devices can be used to conserve them.
3-2) VPC and Subnets
- A virtual network dedicated to your AWS account
- Logically isolated from other virtual networks in the AWS cloud; AWS resources such as Amazon EC2 instances run inside the VPC
- The network inside the VPC can be further divided into IP blocks according to the purpose of the service (such a block of IP addresses is called a subnet)
- A VPC spans all Availability Zones in the region, and one or more subnets can be added in each Availability Zone.
- A subnet, however, resides in a single Availability Zone and cannot span multiple Availability Zones.
3-3) VPC and Subnet Size
- The range of IP addresses the VPC will use is specified when the VPC is created and must be given in CIDR block format.
- Classless Inter-Domain Routing (CIDR) notation
3-4) Public Subnet and Private Subnet
- Public Subnets: Subnets where network traffic is routed to the Internet gateway (IGW)
- Private Subnets: Subnets with no route to an Internet gateway
- An EC2 instance must have a public IP address or an elastic IP address to communicate with the Internet over IP.
- Web servers, which typically serve requests over the Internet, are created in the public subnet.
- DB servers, which need no direct Internet connectivity and require high security, are created in private subnets.
3-5) Routing Table
- Each subnet must be associated with a routing table that specifies the allowed routes for outbound traffic leaving the subnet.
- A newly created subnet is automatically associated with the VPC's default routing table; you can edit the table's contents and, if necessary, change which routing table the subnet is associated with.
- The routing table determines which path network packets originating in a subnet of the VPC take to reach their destination address.
- Routing tables are therefore required for smooth communication between subnets or between VPCs.
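As an added example tying 3-4) and 3-5) together (not code from the original post): a longest-prefix route lookup over constructed route tables in the shape AWS uses, plus a check that classifies a subnet as public, private or isolated by whether its table points at an Internet gateway (igw-*) or a NAT gateway (nat-*). The gateway identifiers are placeholders.

```python
import ipaddress
from typing import Optional

# Constructed sample route tables: destination CIDR -> target.
# Every VPC route table carries the implicit "local" route for the VPC CIDR.
ROUTE_TABLES = {
    "rtb-public": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0abc"},  # Internet gateway
    "rtb-private": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0def"},  # NAT gateway
    "rtb-isolated": {"10.0.0.0/16": "local", "172.16.0.0/16": "pcx-0123"},  # peering only
}


def lookup_route(route_table: dict, dst_ip: str) -> Optional[str]:
    """Longest-prefix match, as the VPC router does: the most specific destination
    CIDR containing dst_ip wins. None means no route exists and the packet is dropped."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify_subnet(route_table: dict) -> str:
    """A subnet is public only if its route table sends traffic to an Internet gateway.
    A NAT gateway route gives outbound-only access (private); no Internet route at all
    leaves the subnet isolated."""
    targets = list(route_table.values())
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("nat-") for t in targets):
        return "private"
    return "isolated"


if __name__ == "__main__":
    for name, rtb in ROUTE_TABLES.items():
        print(name, classify_subnet(rtb),
              lookup_route(rtb, "10.0.5.4"),        # intra-VPC -> local
              lookup_route(rtb, "93.184.216.34"))   # Internet destination
```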
4. Key Services for VPCs
4-1) Security Group and Network ACL
- For network communication and traffic, a VPC provides the ability to allow or block traffic based on IP address and port; these features are called security groups and network access control lists (network ACLs).
- These VPC features provide firewall-like functionality on AWS.
- The two differ in behaviour, so it is recommended to apply them selectively as needed.
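The differences are worth spelling out: a security group is stateful, contains only allow rules, and is evaluated as a whole at the instance level, so reply traffic is admitted automatically; a network ACL is stateless, holds numbered allow and deny rules evaluated in ascending order with first match winning and an implicit deny at the end, applies at the subnet level, and needs an explicit outbound rule for replies on ephemeral ports. The following added example (not the post's code) models both layers over a constructed web-subnet policy.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"; security groups only ever contain "allow"
    proto: str       # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound


def matches(rule: Rule, proto: str, port: int, ip: str) -> bool:
    return (rule.proto in ("all", proto)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))


def sg_allows(rules: list, proto: str, port: int, ip: str) -> bool:
    """Security group: stateful and allow-only; all rules are evaluated, any match permits."""
    return any(matches(r, proto, port, ip) for r in rules)


def nacl_allows(rules: list, proto: str, port: int, ip: str) -> bool:
    """Network ACL: stateless; (number, rule) pairs are evaluated in ascending order,
    the first match decides, and anything unmatched hits the implicit deny."""
    for _num, rule in sorted(rules, key=lambda pair: pair[0]):
        if matches(rule, proto, port, ip):
            return rule.action == "allow"
    return False


# Constructed sample policy for a web subnet: HTTPS in from anywhere, one noisy range blocked.
SG_INBOUND = [Rule("allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_INBOUND = [(100, Rule("deny", "all", 0, 65535, "198.51.100.0/24")),
                (200, Rule("allow", "tcp", 443, 443, "0.0.0.0/0"))]
NACL_OUTBOUND = [(100, Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0"))]  # ephemeral ports for replies


def web_session_allowed(client_ip: str, client_port: int) -> dict:
    """Check a client's TCP/443 request and the server's reply through both layers.
    The security group admits the reply by itself; the NACL must allow it explicitly."""
    request_ok_sg = sg_allows(SG_INBOUND, "tcp", 443, client_ip)
    request_ok_nacl = nacl_allows(NACL_INBOUND, "tcp", 443, client_ip)
    reply_ok_nacl = nacl_allows(NACL_OUTBOUND, "tcp", client_port, client_ip)
    return {"security_group": request_ok_sg, "nacl": request_ok_nacl and reply_ok_nacl}
```

Note that the security group alone cannot express the deny for 198.51.100.0/24; that is exactly the case where the network ACL adds something.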
4-2) VPC Peering Connection
- A peering connection provides network connectivity between two different VPCs so that traffic can be routed between them privately.
- VPC Peering enables communication between instances in different VPCs.
- Amazon VPC Peering Connection
– Number of Subnets and Hosts by Subnet Mask (255.255.255.0) Bitmask –
- Subnetting, and the resulting number of subnets and hosts, differ according to the subnet mask. → Example on this link
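As an added worked example (not part of the original post) for the CIDR sizing in 3-3) and the subnets-and-hosts table above: splitting a VPC CIDR into equal subnets with Python's ipaddress module, subtracting the five addresses AWS reserves in every subnet (network address, VPC router, DNS, one reserved for future use, broadcast), and checking that a set of subnet CIDRs fits inside the VPC without overlapping. The CIDR values are constructed.

```python
import ipaddress

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr: str, subnet_prefix: int) -> dict:
    """Split a VPC CIDR into equal subnets of the given prefix length and report
    how many subnets fit and how many addresses each can actually hand out."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError("a VPC CIDR must be between /16 and /28")
    if not vpc.prefixlen <= subnet_prefix <= 28:
        raise ValueError("a subnet prefix must lie between the VPC prefix and /28")
    subnets = list(vpc.subnets(new_prefix=subnet_prefix))
    return {
        "subnet_count": len(subnets),
        "addresses_per_subnet": subnets[0].num_addresses,
        "usable_per_subnet": subnets[0].num_addresses - AWS_RESERVED_PER_SUBNET,
        "subnets": [str(s) for s in subnets],
    }


def validate_subnets(vpc_cidr: str, subnet_cidrs: list) -> list:
    """Return the problems found: subnets outside the VPC CIDR or overlapping each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = []
    for n in nets:
        if not n.subnet_of(vpc):
            problems.append(f"{n} is not inside {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16", 24)
    print(plan["subnet_count"], "subnets,", plan["usable_per_subnet"], "usable hosts each")
    print(validate_subnets("10.0.0.0/16",
                           ["10.0.1.0/24", "10.0.1.128/25", "192.168.0.0/24"]))
```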
4-3) NAT(Network Address Translation) Gateways
- A service that translates the internal IP addresses of an internal network, which uses different addresses from those known to the external network, into external IP addresses
- NAT gateways let instances in private subnets connect to the Internet or other AWS services while preventing external networks or the Internet from initiating connections to those instances.