What is Amazon VPC?
These are the main components involved in any Amazon VPC.
AWS provides one default VPC, which cannot be deleted. By default you can have 5 VPCs per region. One point to remember: a VPC is Region-wide.
When you create a VPC, it creates a route table by default, and that route table is for internal communication among all instances in all subnets of that VPC.
One VPC can have more than one subnet, based on the Availability Zones.
1 Availability Zone = 1 subnet
You can attach only one Internet Gateway per VPC to communicate with the internet.
If a user has deployed an instance and it is not able to communicate with the internet,
the possible causes are:
1. The Security Group (SG) associated with that instance does not allow any outbound connection on HTTP or HTTPS.
2. The instance does not have a public IP or an Elastic IP associated with it.
3. Most important: the instance is part of a subnet that does not have an Internet Gateway associated.
4. The route table does not have a route with destination 0.0.0.0/0 pointing to the Internet Gateway.
The most important things to check are the instance’s “Subnet” and its “Route Table”.
Subnet = This tells you whether the instance is in a private subnet (no Internet Gateway attached to its route table) or a public subnet.
Route Table = This basically maintains two columns, Destination and Target. Destination means where the traffic should reach.
Target means where the traffic starts from.
How does Amazon VPC work?
Let’s take the example of a VPC created in a Region with two Availability Zones (AZ_1, AZ_2).
- Create a VPC
- Navigation: Under the Networking section > Select VPC > Select Your VPCs > Create VPC
- Give a CIDR (Classless Inter-Domain Routing) block. Generally give something with a /16 network so that you get a broad address range.
- Click on Yes, Create.
Once it is created, you can observe that it gets a route table by default.
But that route table will not have any subnet associated; it will show 0 subnets.
This default route table is for communication among all the instances in all subnets. Now we should create subnets; as we have only two Availability Zones, we can have two subnets.
How to Create Subnets :
- Click on “Subnets”
- Click on “Create Subnet”
There are 3 very important things to keep in mind while creating Subnets.
- You need to select the VPC that you created (from the drop-down)
- Make sure you are selecting the appropriate Availability Zone.
- CIDR: choose the subnet range in which your instances will be placed.
You can create as many subnets as there are Availability Zones in that region.
Once all the subnets are created, we have to decide which subnet should be public-facing, meaning its instances can connect to the internet.
Let’s say it is “Subnet_a”. You have to create a route table for it and then add a route with the Internet Gateway as Target and 0.0.0.0/0 as Destination.
And “Subnet_b” should not communicate with the internet.
Next is creating an “Internet Gateway”. One concept for the Internet Gateway: it is for the entire VPC, so when you create an Internet Gateway don’t forget to attach it to your VPC.
Once the route table is created, associate “Subnet_a” with that route table, which has the Internet Gateway as Target and 0.0.0.0/0 as Destination.
Now if you launch an instance in “Subnet_a”, it will definitely be able to connect to the internet.
But the instances in “Subnet_b” cannot communicate with the internet, though they can communicate with the instances in “Subnet_a”.
If you want your instances in “Subnet_b” to communicate with the internet as well, you can take advantage of “NAT”.
Points to remember for NAT:
1. Create an SG with an inbound rule whose source is a custom IP range: the CIDR of “Subnet_b”.
2. You need to launch a NAT instance (go to Community AMIs and select a NAT AMI only) in the public subnet only (Subnet_a).
3. Don’t give it a public IP; it needs to have an Elastic IP associated with it.
4. Most important: disable the Source/Destination check on the NAT instance (Action > Networking > Check Source/Destination).
5. Create a route table with the NAT instance as Target and 0.0.0.0/0 as Destination.
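The internet-access checklist above and the NAT points, as an added Python example that is not part of the original post: it runs the four checks (plus the NAT Source/Destination check and Elastic IP) over hand-constructed dicts shaped like boto3’s EC2 describe_instances / describe_security_groups / describe_route_tables output, so no AWS call is made and the sample resource IDs are made up.

```python
# Added example (not from the original post); input dicts mimic boto3 EC2 describe_* shapes.

def sg_allows_web_egress(group):
    """True if an egress rule allows TCP 80/443 (or all traffic) to an IPv4 range."""
    for perm in group.get("IpPermissionsEgress", []):
        proto = perm.get("IpProtocol")
        if proto not in ("-1", "tcp") or not perm.get("IpRanges"):
            continue
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto == "-1" or any(lo <= p <= hi for p in (80, 443)):
            return True
    return False

def default_route(route_table):
    """Return the active 0.0.0.0/0 route of a subnet's route table, or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            return route
    return None

def diagnose(instance, groups_by_id, route_table, instances_by_id):
    """Return findings explaining why the instance cannot reach the internet (empty = OK)."""
    findings = []
    sgs = [groups_by_id[g["GroupId"]] for g in instance.get("SecurityGroups", [])]
    if not any(sg_allows_web_egress(g) for g in sgs):
        findings.append("SG has no outbound rule for HTTP/HTTPS")
    route = default_route(route_table)
    if route is None:
        findings.append("route table has no 0.0.0.0/0 route")
    elif route.get("GatewayId", "").startswith("igw-"):  # public subnet
        if not instance.get("PublicIpAddress"):  # covers both auto-assigned and Elastic IPs
            findings.append("instance in public subnet has no public or Elastic IP")
    elif "InstanceId" in route:  # private subnet routed through a NAT instance
        nat = instances_by_id.get(route["InstanceId"], {})
        if nat.get("SourceDestCheck", True):
            findings.append("NAT instance still has Source/Destination check enabled")
        if not nat.get("PublicIpAddress"):
            findings.append("NAT instance has no Elastic IP")
    else:
        findings.append("0.0.0.0/0 route targets neither an Internet Gateway nor a NAT instance")
    return findings

# Constructed sample: a Subnet_b instance behind a NAT instance whose check was left enabled.
SG_WEB = {"GroupId": "sg-0a", "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443,
          "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}
NAT = {"InstanceId": "i-nat", "SourceDestCheck": True, "PublicIpAddress": "203.0.113.10"}
APP = {"InstanceId": "i-app", "SecurityGroups": [{"GroupId": "sg-0a"}]}
RT_B = {"Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat", "State": "active"}]}
```

Feeding real describe_* responses into diagnose() reproduces the manual walk through SG, subnet and route table described above.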
Then, if you want to check whether the instance has internet access:
1. ssh to an instance in “Subnet_a”, the public subnet (assuming a Linux instance).
2. From that instance, ssh to the instance in “Subnet_b” (make sure you have copied the .pem file to your first instance).
3. Once you log in, you can check the internet connection by running an update command:
4. yum -y update