Creating and configuring a Virtual Private Cloud (VPC) within AWS can be a simple or difficult process. It all very much depends on the complexity of your requirements. For example, how many subnets and hosts will you require? Will you be using one VPC or peering multiple VPCs together? Do you need to establish connectivity back to your on-premise network? Do you need internet connectivity for your Private instances? These and many more questions need to be asked and answered before you start to design your VPC infrastructure.
As a part of this process, you will need to understand VPC Subnet configurations and VPC routing to ensure you architect your solution correctly and efficiently.
This AWS Virtual Private Cloud: Subnets and Routing course looks and VPC Subnets and VPC Routing in detail, providing examples of both across different configurations and solutions and how to best implement your network design.
- VPC CIDR Blocks - This lecture focuses on the effect of subnetting your VPC CIDR Block
- Why Subnet your VPC - This lecture looks at some of the reasons why you may want to subnet your VPC, by looking at the advantages and benefits
- VPC Subnets - This lecture dives into at what a VPC Subnet looks like within the Management Console and its associated components such as Network Access Control Lists (NACLs)
- Public & Private Subnets - This lecture looks at the differences between both Public and Private subnets within a VPC
- VPC Peering: Subnet Considerations - This lecture focuses on some of the considerations when architecting your subnets in different VPC Peering configurations
- Flow Logs: VPC Subnets - This lecture dives into at what a VPC Subnet looks like within the Management Console and its associated components such as Network Access Control Lists (NACLs)
- Demonstration: Creating a VPC & Subnets - This lecture provides a demonstration on how to set up and configure a VPC with both Public and Private subnets
- Routing Fundamentals & Route Tables - This lecture introduces AWS routing and its Routing tables by breaking down all the components within it
- Routing Priorities - This lecture explains how the routing priorities are defined for overlapping routes within the same route table
- Routing: VPC Peering - This lecture looks are different routing configurations for multiple VPC peering scenarios
- Routing: VPN Connection via a Virtual Private Gateway - This lecture looks at routing configurations for virtual Private Gateways
- Routing: Internet Gateways & NAT Gateways - This lecture looks at the routing configurations for both IGWs and NAT Gateways and the dependencies involved
- Routing: VPC Endpoints - This lecture looks at the automatic routing configuration when creating a VPC Endpoint
Hello and welcome to this lecture, where I shall explain the fundamentals of AWS routing and take a look at the route tables themselves. Routing provides a mechanism to allow network packets to be forwarded to the correct destination. Within a VPC, this is all configured via routing tables associated to your subnets which use virtual routers that are fully managed by AWS.
This means you do not need to provision or configure any routers. When you create a new VPC an implicit router will be linked to your VPC as a part of your VPC creation process. If you remember from a previous lecture regarding VPC subnets, the first host IP address available within each subnet is always reserved to enable routing functionality for that subnet.
In addition to the implicit router linked to your VPC a default route table, known as the Main Route Table, is also created for your VPC. This Main Route Table cannot be deleted, however it can be customized by adding or removing routes to it. When you create a new subnet, this Main Route Table will be implicitly associated to it, unless you specify an alternate custom route table.
Remember, there has to be an associated route table for all subnets and a subnet can only have one route table association at any one time, although multiple subnets can all use the same root table. The Main Route Table will therefore act as the route table for any subnet that does not have a custom route table associated.
Let me now show you what a route table looks like and how to configure it. I'll start by looking at an example of a default Main Route Table from within the Management Console. When any new route table is created it will contain data around five components, these being a summary, routes, subnet associations, route propagation and tags.
The summary pane shows just a few details, unlike the summary pane for the subnets which contained a lot more information.
The route table ID is issued automatically which is prefixed with rtb, which stands for route table. In this example, it's been set to rtb-31bc7256. Similarly with the subnet ID, VPC ID and NACL ID, they're all referenced when using the CLI tools to perform specific programmatic commands.
The explicitly associated with section shows how many subnets are explicitly associated with this route table. Subnets can either be explicitly or implicitly associated to a route table, and we'll cover more on this when I come to subnet associations.
The main defines if this route table is the Main Route Table for the subnet and it will either be set to yes or no.
As we know, the Main Route Table will act as the route table for any subnet that does not have an explicit associated route table. The Main Route Table of a VPC can be updated and customized, but another route table can also take over as the Main Route Table. For example, you may have your Main Route Table set with a specific configuration which acts as an implicit association to many subnets within your VPC.
However, you want to change the routing of the Main Route Table without causing disruption and potential issues. So how would you achieve this? To start with, you would leave your Main Route Table serving implicit associations to those subnets using it. Next you would create a custom route table. You would then add the relevant routes that you need for the new Main Route Table to this newly created custom route table. Next you would explicitly associate that route table to a single subnet. And this subnet would then be using the new route table and not the Main Route Table. After this you would then test and confirm the routing would work as expected. And then from within the Management Console select route tables from the VPC Dashboard, select the newly created custom route table and then click on Set as Main Route Table and confirm the message.
This would then successfully act as the new Main Route Table for your VPC. You could then delete the old route table if it was no longer required.
Remember, you always have to have a Main Route Table within your VPC, but it doesn't always have to be the same one that was created when the VPC was.
Lastly within the summary the VPC section simply shows which VPC this route table resides in, which is defined by the VPC ID and tag name.
Let's now take a look at the routes tab. The routing pane shows the actual routing decisions that are made and this is where the routing of the network is defined. The table itself is comprised of four columns.
Destination, the destination field shows the CIDR block ranges for any network that you need to route to, outside of your current subnet.
Target, the target field provides the gateway to allow you to get to that destination. For example, if you wanted to route back to your own on-premise network, you could have a destination field of 192.168.0.0/16 with a target pointing to your virtual gateway, your VGW. This virtual private gateway is the gateway between your AWS VPC and a VPN connection back to your corporate network.
The status field will show you the status of your routes within the table, for example, Active. Propagated, the propagated field will define which routes within the route table are propagated. I will cover more on route propagation later in this lecture. So, to reiterate, the destination points to the network you need to route to and the target provides the gateway for doing so.
You may have noticed that from this example Main Route Table that it comes with a pre-configured route. This route will have a destination value the same as your VPC CIDR block, with a target set to local. This is an important route and one that exists for every route table that is created. What this route does is to allow all subnets within your VPC to route to each other.
It provides a path from every subnet to every other subnet. The route does not have to be created manually, it is automatically created when you create any route table and it cannot be deleted. As by default and by design, AWS allow routes to and from all of your subnets within your VPC.
Now just because you have this local route that enables a known route and pathway between all subnets does not mean that a subnet that does not have an Internet gateway attached can access the Internet by knowing the route to a subnet that does.
The subnet has to have its own route to a gateway to be able to use it. If you have a lot of rules within your route table you can perform some basic level filtering by using the drop down list above the routes in the table. Here you can filter on all rules within the table, just IPv4 rules or just IPv6 rules.
To modify the routes within the table you must edit the route table using the Edit button. Here you can then add another route by entering the destination and target fields. The status and propagation fields are automatically determined. You can also remove any routes that you no longer need by selecting the cross in the remove field, but notice that you cannot delete the local route.
Like I mentioned previously, when a subnet is created it has to have an associated route table, and by default the Main Route Table will be associated implicitly to that subnet. If then a custom route table is associated to that subnet, replacing the implicit association of the Main Route Table, then that route table will become an explicit association to that subnet.
From this example we can see that there are no explicit subnet associations to this route table, as it states: 'You do not have any subnet associations'. And you'll generally find that when looking at the Main Route Table, simply because of the implicit nature that the Main Route Table has. We can also see any subnets that do not have any explicit associations, which are listed at the bottom of the route table.
If we compare this example to another route table that is not the Main Route Table, we can see a difference. This route table does have explicit subnet associations and these are listed as subnet B and subnet S. This means that these two subnets are not using the Main Route Table, instead they are explicitly connected to this route table.
However, again, like the Main Route Table, we can see the subnets that are implicitly associated to the Main Route Table, and you will always see any subnets associated to the Main Route Table and all root table subnet associations. The IPv4 CIDR and IPv6 CIDR fields will simply show the corresponding CIDR blocks for each subnet listed.
The route propagation pane allows you to enable propagation against any virtual private gateways that you have attached to your VPC. Once you enable route propagation with a selected virtual private gateway then routes representing your VPN connection will be added to your route table automatically and will be identifiable by being listed as Yes in the propagated field of the routing table.
Lastly, the tags tab provides the same function as it did with subnets, it allows you to add any custom key value pairs to help with the tagging of your route table. In this example, I added a name of Main Route Table.
That brings us to the end of this lecture. Next I want to talk to you about routing priorities and how these are managed.
Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.
To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.
Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.
He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.
In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.
Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.