VPC Security and Control
VPC Sharing using the AWS Resource Access Manager
AWS Networking Basics
Using AWS Network Firewalls to Secure Your VPCs
Inter-Regional and Intra-Regional Communication Patterns
The course is part of this learning path
In this section of the AWS Certified Advanced Networking - Specialty learning path, we introduce you to the various networking and VPC services currently available in AWS that are relevant to the ANS-C01 exam.
- Identify and describe the various networking services available in AWS
- Describe how to configure an Amazon Virtual Private Cloud (VPC)
- Understand how to control network traffic via Security Groups and Network Access Control Lists (NACLs)
- Describe options for VPC connectivity, subnets, and routing
- Understand how to share VPC resources using the AWS Resource Access Manager (RAM)
- Identify how to evaluate the configuration of VPC resources using the VPC Reachability Analyzer
The AWS Certified Advanced Networking - Specialty certification has been designed for anyone with experience designing, implementing, and operating complex AWS and hybrid networking architectures. Ideally, you’ll also have some exposure to the nuances of AWS networking, particularly regarding the integration of AWS services and AWS security best practices. Many exam questions will require advanced level knowledge of many AWS services, including AWS networking services. The AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.
Hello and welcome to this lecture. We'll actually be talking about subnetting and VPC subnets in detail.
Let me start by quickly talking about what is meant by subnetting. Subnetting is the process of splitting a CIDR block into smaller CIDR blocks within the same range by using different subnet masks.
There are many reasons why you would want to do this and I'll come on to these later in this lecture. Subnetting enables you to create smaller networks using a smaller CIDR range from your larger network IP address space. For example let's say you had a CIDR block range of 10.0.0.0/16. Which as itself gives you the following network details.
This is a large IP range to have as a single network as it allows for up to 65,534 hosts. To make better use of this range and to create smaller networks allowing segmentation within your network you could subnet the CIDR block into smaller CIDR ranges using a different subnet mask, such as /17 for each subnet.
This would provide you with two different subnets with CIDR block ranges of 10.0.0.0/17 and black 10.0.128.0/17 providing the same range of host addresses minus the network and broadcast addresses for each subnet of course. You can see this by comparing the HostMin and HostMax entries between the three CIDR blocks.
Should you require more than just the two subnets which is likely than you can obviously split the original CIDR block further giving you more than just the two subnets I listed. For example, if I wanted 16 different subnets than I could subnet the CIDR block 10.0.0.0/16 by using a subnet mask of /20 for each subnet which would provide me with the following subnets.
Again this will provide the same range of host addresses minus the network and broadcast addresses for each subnet. Let's now look at how the subnetting relates to your AWS VPC. When you create a VPC you are required to enter your VPC CIDR block range. This CIDR block range will encompass the entire IP address space that you can use within that VPC.
So you need to be sure that you set the correct mask allowing you to subnet the RP space into different networks should it be required. Whilst at the same time ensuring there are enough host IP addresses for your instances available within each subnet. As a result consideration must be put to your VPC CIDR block.
At this point it's important to point out that the maximum and minimum masks for your VPC CIDR block are /16 to /28. A /16 can provide you with 65,531 usable host addresses as one single subnet. A /28 will provide you with just 11 host addresses as one single subnet. In addition to the network and broadcast address of the subnet which can't be used for host addresses AWS reserves the first three host IP addresses of each subnet for internal AWS usage.
The first host address used is for the VPC router. The second address is reserved for AWS DNS and the third address is reserved for future use. Let's look at this as an example. Sticking with the AWS VPC CIDR block of 10.0.0.0/16 let's imagine we want to create 16 subnets. We would use a /20 mask for each subnet as previously mentioned.
In this scenario one of the 16 subnets would be detailed as follows. For this subnet the AWS reservations would be reserved as 10.0.32.1. And this would be for the VPC router as this is the first host address available in the subnet. 10.0.32.2 would be for the AWS DNS being the second available address. And thirdly 10.0.32.3 which would be reserved for any future use service or feature that may be used by AWS.
Which means your available host addresses for any instances would be from 10.0.32.4 through to 10.0.47.254 giving you a total of 4,091 usable host addresses. When allocating your VPC CIDR block range for your VPC it is mandatory to specify an IPv4 range, but you also choose to associate an IPv6 range to your VPC as well.
However when selecting an IPv6 you are not able to specify the range yourself but AWS will provide a /56 IPv6 CIDR block for you from their pool of IPv6 addresses. Once you have allocated a CIDR block range for your VPC you are then ready to begin creating different subnets within your VPC. If you need help with your IP addressing and subnet calculations there are a number of free IP and subnet calculators available on the internet that will quickly help you define your requirements.
We have now come to the end of this lecture. Next I will focus on why we should consider adding subnets to a VPC.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.