In this section of the AWS Certified Advanced Networking - Specialty learning path, we introduce you to the various networking and VPC services currently available in AWS that are relevant to the ANS-C01 exam.
- Identify and describe the various networking services available in AWS
- Describe how to configure an Amazon Virtual Private Cloud (VPC)
- Understand how to control network traffic via Security Groups and Network Access Control Lists (NACLs)
- Describe options for VPC connectivity, subnets, and routing
- Understand how to share VPC resources using the AWS Resource Access Manager (RAM)
- Identify how to evaluate the configuration of VPC resources using the VPC Reachability Analyzer
The AWS Certified Advanced Networking - Specialty certification has been designed for anyone with experience designing, implementing, and operating complex AWS and hybrid networking architectures. Ideally, you’ll also have some exposure to the nuances of AWS networking, particularly regarding the integration of AWS services and AWS security best practices. Many exam questions will require advanced-level knowledge of many AWS services, including AWS networking services. The AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.
Hello and welcome to this demonstration lecture on the creation of a VPC and different subnets. Now that we understand the concepts of subnets, why we subnet, and the different types of subnets, public and private, I want to demonstrate how to create a VPC and a couple of the associated subnets.
In this demonstration, I will carry out the following steps:
- I'll create a new VPC with a /16 CIDR Block.
- I'll then create and attach an Internet Gateway to the VPC.
- I'll then create and configure two subnets, whilst allowing for the possibility of creating up to thirty-two in total by using a /21 mask.
- I'll then configure one subnet as a public subnet.
Let's take a look. Okay, so I've logged into the AWS management console and the first thing I want to do is go to the VPC service. So I have a shortcut here and once that is loaded, I then want to look at creating a new VPC. Over on the left-hand side here, we can see my existing virtual private clouds, and it gives me the opportunity here to create a new VPC.
So let's create this VPC. I'll give it a name, I'll call it "Networking Demo". Then here we can enter the IPv4 CIDR Block for the VPC, and I want to use 10.0.0.0/16. We're not going to use an IPv6 block, we'll keep it at default tenancy, and then click create. That has now created our new VPC, so now we have the new VPC and want to start creating some subnets.
So let's go down to subnets and click on create subnet. Give it a name, we'll call this "Public Subnet". I'm going to have this within our new VPC that we just created, so our networking demo VPC. As for the availability zone, I don't mind which AZ that's in, so I have no preference, but I can select one of the availability zones in there if I want to.
So now I can enter the CIDR Block for this subnet and as I explained before I started this demo, I'm going to use a different mask than the VPC mask with /16 so I want to allow for up to thirty two potential subnets so I'll use this /21. And so the first available subnet for me to use with the /21 is 10.0.0.0/21.
And then I shall create. And now we can see we have our public subnet within our networking demo VPC. With this subnet mask of a /21, we can see that we have 2043 host addresses available. I now have a public subnet, but at the moment there's nothing public about it, because we don't have an Internet Gateway attached to our VPC, and we don't have a route to the Internet Gateway either.
So let's create another subnet, and we'll call that "Private". Let's call that our private subnet. Again, we'll select the right VPC, networking demo, and again no preference for availability zone. For this subnet I'm going to use the last available subnet within that range, which is 10.0.248.0/21, create.
Now I could have used any one of the 32 subnets, but for this demonstration I just thought I'd use the first subnet and the last available subnet. So now we have our private subnet within our networking demo VPC, and again we have 2043 addresses available. So now we have our VPC set up, we have two subnets, one named "Public" and one named "Private", but now we need to make that public subnet actually act as a public subnet.
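The numbers in the walkthrough (32 possible /21 subnets in a /16, 2043 usable hosts in each, 10.0.248.0/21 as the last block) follow from the CIDR arithmetic. As an added example, not code from the course, the Python below reproduces that plan with the standard-library `ipaddress` module and validates a proposed subnet against the VPC and the subnets already allocated; the only AWS-specific inputs are the five addresses AWS reserves in every subnet and the /16 to /28 limits on VPC and subnet sizes. The same `usable_hosts` function also shows how little a /28 leaves for instances, the sizing caveat raised at the end of the lecture.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr: str, subnet_prefix: int):
    """Enumerate every subnet of the given prefix length that fits in the VPC.

    Returns ipaddress.IPv4Network objects in address order, e.g. 32 /21
    networks for a /16 VPC, first 10.0.0.0/21 and last 10.0.248.0/21.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError("AWS VPC CIDR blocks must be between /16 and /28")
    if not vpc.prefixlen <= subnet_prefix <= 28:
        raise ValueError("subnet prefix must lie between the VPC prefix and /28")
    return list(vpc.subnets(new_prefix=subnet_prefix))


def usable_hosts(subnet: ipaddress.IPv4Network) -> int:
    """Addresses an instance can actually take in this subnet (2043 for a /21, 11 for a /28)."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def validate_subnet(vpc_cidr: str, subnet_cidr: str, existing):
    """Check that a proposed subnet is aligned, fits inside the VPC and overlaps nothing already allocated.

    Returns (ok, reason). `existing` is an iterable of CIDR strings for subnets already created.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    try:
        # strict=True rejects a block whose host bits are set, e.g. 10.0.4.0/21
        subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    except ValueError as exc:
        return False, f"not a valid network address: {exc}"
    if not subnet.subnet_of(vpc):
        return False, f"{subnet} is outside VPC {vpc}"
    for other in existing:
        other_net = ipaddress.ip_network(other, strict=True)
        if subnet.overlaps(other_net):
            return False, f"{subnet} overlaps existing subnet {other_net}"
    return True, "ok"
```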
For that we'll need to create an Internet Gateway. Go down to Internet Gateways, click on create Internet Gateway. Give this a name, we'll say networking demo, yes, create. And we have our Internet Gateway here and at the moment it's detached, so we need to attach this Internet Gateway to our new VPC. So click on attach to VPC, select the appropriate VPC, which is networking demo and say yes, attach.
Now we have an Internet Gateway attached to our networking demo VPC. Now all I want to do is create a new route table for the VPC with a route pointing to the Internet Gateway. If I go across to Route Tables, create Route Table, call this "Public Route Networking" and associate that with the networking VPC, create.
Here we have our new route table, Public Route Networking. Go down to routes, and we have our route table. We can see that we have this local route, and what that does is allow all subnets within this VPC to communicate with each other. But I want to edit this route table to add another route pointing to anywhere, 0.0.0.0/0, using our new Internet Gateway that we just created here.
Save that, and I now want to associate this route table with our public subnet. If we click on subnet associations, come across to edit, select our public subnet, and click save. We now have a public subnet within our new VPC, because of what we've done: we've created our new VPC, we created two subnets, a public subnet and a private subnet, I then created and attached an Internet Gateway to our VPC, I then created a new route that pointed to the Internet Gateway for Internet traffic, and I then associated that route table with our public subnet. Now any instances that I might launch in that public subnet can communicate with the Internet.
However, the private subnet cannot, because if we look at our private subnet here and look at its route table we can see that it doesn't have any route to the Internet Gateway. It can only talk internally to the other subnets but not any further, whereas our public subnet, which we just associated with the new route table, now has a route out to the Internet via the Internet Gateway. And that's it.
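The public-versus-private distinction drawn above rests entirely on which route table a subnet actually uses and whether that table sends 0.0.0.0/0 to an Internet Gateway. As an added illustration, not code from the course, the Python below models that check over route-table data shaped like the EC2 DescribeRouteTables response (the `Routes` and `Associations` keys are real, the resource IDs are constructed placeholders). It also makes explicit what the demo leaves implicit: the private subnet has no explicit association, so it falls back to the VPC's main route table, and a default route added to the main table would silently make every such subnet public.

```python
# Shape mirrors the RouteTables list returned by EC2 DescribeRouteTables.
# All IDs below are constructed placeholders, not real resources.
ROUTE_TABLES = [
    {   # main route table: local route only; used by any subnet with no explicit association
        "RouteTableId": "rtb-main-placeholder",
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
        "Associations": [{"Main": True}],
    },
    {   # "Public Route Networking": local route plus a default route to the Internet Gateway
        "RouteTableId": "rtb-public-placeholder",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-placeholder", "State": "active"},
        ],
        "Associations": [{"Main": False, "SubnetId": "subnet-public-placeholder"}],
    },
]


def effective_route_table(subnet_id, route_tables):
    """Return the table a subnet really uses: its explicit association, else the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_igw_default_route(rt):
    """True if an active default route (IPv4 or IPv6) targets an Internet Gateway."""
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        target = route.get("GatewayId", "")
        if dest in ("0.0.0.0/0", "::/0") and target.startswith("igw-") and route.get("State") == "active":
            return True
    return False


def is_public_subnet(subnet_id, route_tables):
    """A subnet is public exactly when its effective route table has a default route to an IGW."""
    rt = effective_route_table(subnet_id, route_tables)
    return rt is not None and has_igw_default_route(rt)


def audit_subnets(subnet_ids, route_tables):
    """Map each subnet to 'public' or 'private' for a quick exposure review."""
    return {sid: ("public" if is_public_subnet(sid, route_tables) else "private") for sid in subnet_ids}
```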
Before I finish this lecture on VPC subnets, I just want to highlight a few more points around them.
When architecting and designing your VPC subnets across different availability zones, specifically for resiliency, I recommend you replicate the same configurations in both availability zones. This includes any public and private subnets. This ensures you maintain a mirror image of your network infrastructure should one AZ go down.
You should name your subnet something meaningful during creation, allowing you to quickly identify its use or other distinct information about that subnet, for example web tier or database tier. Think about the number of networks and hosts required across your VPC, ensuring you have allocated a large enough CIDR Block.
Allow for future capacity growth in the number of subnets that you may need. Do not make the number of host IP addresses available in your subnet too small unless you have a very specific reason. For example, with a /28 mask, if you run out of IP addresses for your instances within the subnet then you can't make the subnet bigger.
The only option would be to create a bigger subnet and then migrate your resources across to the new subnet. This now brings us to the end of this lecture. Coming up next, I will be discussing VPC routing using the information we have just covered from these past few lectures.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.