Connectivity Within The VPC
3h 46m

Domain One of the AWS Certified Solutions Architect - Associate exam guide (SAA-C03) requires us to be able to design a multi-tier architecture solution, so that is our topic for this section.
We cover the need-to-know aspects of designing multi-tier solutions using AWS services.


Learning Objectives

  • Learn some of the essential services for creating multi-tier architectures on AWS, including the Simple Queue Service (SQS) and the Simple Notification Service (SNS)
  • Understand data streaming and how Amazon Kinesis can be used to stream data
  • Learn how to design a multi-tier solution on AWS, and the important aspects to take into consideration when doing so
  • Learn how to design cost-optimized AWS architectures
  • Understand how to leverage AWS services to migrate applications and databases to the AWS Cloud

- [Man] So how do instances in our VPC access the internet? 

Well, the first way is that we can assign a public IP address to that machine. So first we assign a public IP address or an Elastic IP address or EIP to the instances that we want to have internet access. 

That gives those instances the ability to send and receive traffic from the internet, i.e. for a web service, we want to have that ability. So how do instances without public IP addresses access the internet? Instances without a public IP address can route their traffic through what we call a NAT Gateway or a NAT Instance. Now, NAT stands for Network Address Translation. And essentially, NAT instances or services traverse IP ranges, internet protocol number ranges, and so allow instances in private or public subnets to access the internet via Network Address Translation.

So if a machine is in a subnet and it doesn't have an EIP address, then it's not going to be visible through the internet gateway. But if we use a NAT gateway, we can have that machine hop outbound to the internet via this Network Address Translation. So the NAT Gateway or NAT Instance allows outbound communication, but it doesn't allow machines on the internet outside of the VPC to initiate a connection to that privately addressed instance.

Okay, so let's look at another concept of connectivity, which is highly available NAT Gateways instead of NAT Instances. Remember, NAT stands for Network Address Translation, and NAT Gateways offer major advantages in terms of deployment, availability and maintenance.

So rather than running a NAT Instance, which is basically a machine that we have provisioned and manage, and for which we set up that routing rule which allows machines in a public or private subnet that do not have an Elastic IP address, that do not have an internet address, to connect outbound through the NAT instance and through the internet gateway to the internet. So they are basically a hopping host to get out through the internet. So remember that highly available NAT Gateways are way more available because they're a managed service. So they scale very well and are designed to deal with burst activity, et cetera.

Now, another form of connectivity we can have to our VPC is using a VPN. So if you have a hardware VPN connection or a Direct Connect connection, instances can route their internet traffic down the virtual private gateway to your own internet connection. Now, note the difference there. There's the internet gateway and there's the virtual private gateway. So a VPN connection uses a virtual private gateway. Your internet inbound and outbound traffic uses the Internet Gateway. You can also have services within your VPC access the internet via your existing egress points using a VPN connection.

Now, a couple of things to remember with VPC design: always make sure you leave spare capacity for additional subnets, and always make sure that your IP addressing contains additional capacity so that you can scale it.
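The transcript above makes three points that are easy to get wrong in a real account: an internet gateway route only helps an instance that actually owns a public or Elastic IP, a NAT gateway gives private instances outbound access without making them reachable from the internet (and only if the NAT gateway itself sits in a subnet that routes to the IGW), and a VPC needs address space left over for future subnets. The following is an added example, not material from the course: a small Python model that takes a constructed VPC (made-up subnets, route tables and resource IDs such as igw-0abc and nat-0def) and classifies each instance's internet exposure from its route table, then reports how much of the VPC CIDR is still unallocated. The address 203.0.113.10 is just an arbitrary destination outside the VPC, chosen from the range reserved for documentation.

```python
"""Classify each instance's internet exposure from its subnet's route table.
Added example, not course material; the VPC, route tables and every
resource ID (igw-..., nat-..., vgw-...) below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Route:
    destination: str  # CIDR block, e.g. "0.0.0.0/0"
    target: str       # "local", "igw-...", "nat-..." or "vgw-..."

@dataclass(frozen=True)
class Subnet:
    cidr: str
    routes: Tuple[Route, ...]  # the route table associated with the subnet

@dataclass(frozen=True)
class Instance:
    subnet: str
    has_public_ip: bool  # auto-assigned public IPv4 address or an Elastic IP

def route_for(subnet: Subnet, dest: str) -> Optional[Route]:
    """Longest-prefix match for dest, which is how the VPC router picks a route."""
    want, best = ip_network(dest), None
    for r in subnet.routes:
        net = ip_network(r.destination)
        if want.subnet_of(net) and (best is None or net.prefixlen > ip_network(best.destination).prefixlen):
            best = r
    return best

INTERNET_HOST = "203.0.113.10"  # any address outside the VPC; this range is reserved for documentation

def exposure(inst: Instance, subnets: Dict[str, Subnet], nat_gateways: Dict[str, str]) -> str:
    """nat_gateways maps a NAT gateway ID to the subnet it was created in."""
    r = route_for(subnets[inst.subnet], INTERNET_HOST)
    if r is None or r.target == "local":
        return "isolated"  # no route off the VPC at all
    kind = r.target.split("-", 1)[0]
    if kind == "igw":
        # The IGW only translates for instances that own a public address; without one
        # the route exists but the packets go nowhere.
        return "public" if inst.has_public_ip else "no-internet"
    if kind == "nat":
        # NAT only works if the gateway itself sits in a subnet that reaches the IGW.
        nat_route = route_for(subnets[nat_gateways[r.target]], INTERNET_HOST)
        if nat_route is None or not nat_route.target.startswith("igw-"):
            return "broken-nat"
        return "outbound-only"  # the internet cannot initiate connections inbound
    if kind == "vgw":
        return "via-vpn"  # egress through your own on-premises internet edge
    return "unknown"

def spare_capacity(vpc_cidr: str, subnet_cidrs) -> Tuple[int, Optional[str]]:
    """Return (unallocated addresses, largest free block) left in the VPC CIDR."""
    free = [ip_network(vpc_cidr)]
    for s in map(ip_network, subnet_cidrs):
        nxt = []
        for f in free:
            if s.subnet_of(f):
                nxt.extend(f.address_exclude(s))  # carve the subnet out of the block
            elif not f.subnet_of(s):
                nxt.append(f)                      # block untouched by this subnet
            # else: the block lies inside the subnet and is fully consumed
        free = nxt
    largest = max(free, key=lambda n: n.num_addresses, default=None)
    return sum(n.num_addresses for n in free), (str(largest) if largest else None)

# Constructed VPC: one public subnet, two private subnets, one isolated subnet and
# one subnet pointing at a NAT gateway that was created behind the VGW (misconfigured).
VPC_CIDR = "10.0.0.0/16"
LOCAL = Route(VPC_CIDR, "local")
SUBNETS = {
    "public-a":   Subnet("10.0.0.0/24", (LOCAL, Route("0.0.0.0/0", "igw-0abc"))),
    "private-a":  Subnet("10.0.1.0/24", (LOCAL, Route("0.0.0.0/0", "nat-0def"))),
    "private-b":  Subnet("10.0.2.0/24", (LOCAL, Route("0.0.0.0/0", "vgw-0123"))),
    "isolated-a": Subnet("10.0.3.0/24", (LOCAL,)),
    "private-c":  Subnet("10.0.4.0/24", (LOCAL, Route("0.0.0.0/0", "nat-0bad"))),
}
NAT_GATEWAYS = {"nat-0def": "public-a", "nat-0bad": "private-b"}
INSTANCES = {
    "web":        Instance("public-a", True),
    "web-no-pip": Instance("public-a", False),
    "app":        Instance("private-a", False),
    "app-eip":    Instance("private-a", True),  # an EIP alone does not expose it
    "db":         Instance("private-b", False),
    "batch":      Instance("isolated-a", False),
    "worker":     Instance("private-c", False),
}

def report() -> Dict[str, str]:
    return {name: exposure(i, SUBNETS, NAT_GATEWAYS) for name, i in INSTANCES.items()}

if __name__ == "__main__":
    print(report())
    print("spare:", spare_capacity(VPC_CIDR, [s.cidr for s in SUBNETS.values()]))
```

Two results are worth noticing. "app-eip" comes back as outbound-only even though it has an Elastic IP, because its subnet's default route points at the NAT gateway rather than the IGW; exposure is decided by the route table, not by the address. "worker" comes back as broken-nat because nat-0bad was created in a subnet that can only reach the VGW, which is a silent failure mode when a NAT gateway is dropped into the wrong subnet. The same model can be fed from the output of the EC2 describe-route-tables and describe-subnets calls if you want to run it against a live account.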

About the Author

Andrew is fanatical about helping business teams gain the maximum ROI possible from adopting, using, and optimizing Public Cloud Services. Having built 70+ Cloud Academy courses, Andrew has helped over 50,000 students master cloud computing by sharing the skills and experiences he gained during 20+ years leading digital teams in code and consulting. Before joining Cloud Academy, Andrew worked for AWS and for AWS technology partners Ooyala and Adobe.