VPC Security and Control
VPC Sharing using the AWS Resource Access Manager
AWS Networking Basics
Using AWS Network Firewalls to Secure Your VPCs
Inter-Regional and Intra-Regional Communication Patterns
The course is part of this learning path
In this section of the AWS Certified Advanced Networking - Specialty learning path, we introduce you to the various networking and VPC services currently available in AWS that are relevant to the ANS-C01 exam.
- Identify and describe the various networking services available in AWS
- Describe how to configure an Amazon Virtual Private Cloud (VPC)
- Understand how to control network traffic via Security Groups and Network Access Control Lists (NACLs)
- Describe options for VPC connectivity, subnets, and routing
- Understand how to share VPC resources using the AWS Resource Access Manager (RAM)
- Identify how to evaluate the configuration of VPC resources using the VPC Reachability Analyzer
The AWS Certified Advanced Networking - Specialty certification has been designed for anyone with experience designing, implementing, and operating complex AWS and hybrid networking architectures. Ideally, you’ll also have some exposure to the nuances of AWS networking, particularly regarding the integration of AWS services and AWS security best practices. Many exam questions will require advanced level knowledge of many AWS services, including AWS networking services. The AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.
Hello and welcome to this lecture, where I try to answer the question of why we may want to Subnet our VPCs and what the benefits are by doing so.
Starting with logical network division. Creating multiple Subnets allows you to create logical network divisions between your resources. By doing so, you could have a Subnet for database instances, another for application servers, and another for web infrastructure.
By splitting up your Subnets this way, helps to enforce a greater level of security. Logical grouping of similar resources also helps you to maintain an ease of management across your infrastructure.
On this point, I remember being in a meeting with a network engineer many years ago. And someone around the table asked, "Why do we need to Subnet?" He responded with a question. "Does your house have more than one room? " He then continued by saying, "It's a similar thought process, your house has more than one room, as each room serves a different purpose, A kitchen, a lounge, a dining room, etc. Think of these as Subnets. The space in your house, your CIDR block, has been divided into smaller more manageable purpose specific rooms rather than one large room in which you can cook, clean and sleep in, which would soon become very disjointed."
Security. By having multiple Subnets with similar resources grouped together, as per the previous point, it allows for greater security management. By implementing network level virtual firewalls, called network access control lists, or NACLs, it's possible to filter traffic on specific ports from both an ingress and egress point at the Subnet level.
For example, if you had a Subnet that only held my SQL RTS databases within it, you could allow communication between your application service Subnet to talk to your database Subnet on port 1443 for my SQL. And then block and drop all other packets that do not meet this criteria. If you had web servers and application servers within the same Subnet as your RTS instances, you would have to open up a lot of other ports, reducing the level of security within that Subnet.
Having multiple Subnets allows you to create both private and public Subnets. Public Subnets allows the resources within it to access and connect to the internet, and the outside world to connect to those resources, depending on certain security controls. Private Subnets are not directly accessible from the internet. And so private Subnets are protected from the outside world, providing a greater level of security by its very nature.
You may want some of your Subnets to route out to the internet, some to remain private, and some to communicate back to your corporate on premise network over a VPN link. Through the use of routing tables associated to each specific Subnet, you can route traffic as required to cater for these communication paths.
A Subnet can only belong to one route table at any time. Therefore, by creating multiple Subnets, you can restrict some resources in those Subnets to specific routes. If your solution requires a level of high availability, and it most likely will, then it's best practice to deploy services across multiple availability zones within a region.
Here becomes a restriction of VPC Subnets in that a single Subnet cannot span across two availability zones. As a result, this best practice forces you to create an additional Subnet in the second availability zone. So if you want high availability within your environment, you'll need Subnets in at least two availability zones in any region.
As we go through this course, you'll see the benefits that this provides. As you can see, there are many advantages over creating multiple Subnets within your VPC. And as you design, architect and secure your infrastructure, you will quickly see how multiple Subnets enables ease of network management, rooting and security.
In the next lecture, I want to look at what a VPC Subnet actually looks like and what its configurable components are.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.