In this Tablet Talk, Will runs through the essential aspects of networking in AWS, including Amazon Virtual Private Cloud (VPC), regions, availability zones (AZs), and subnets, as well as how traffic can flow from the internet to your EC2 instances.
- Get a high-level overview of AWS's global infrastructure
- Learn how to keep your AWS environment secure with a VPC
- Understand how regions, availability zones, and subnets work, and how they relate to VPCs
- Understand how to connect your network to the outside with an internet gateway
This high-level course is intended for those who are new to networking on AWS and want a general overview before delving into more detailed courses.
This course is open to anyone who wants to learn about networking on AWS!
Hello and welcome to another Tablet Talk. My name is Will Meadows. And today I want to talk about some AWS networking basics. This will also include a little bit of the global infrastructure. I think it's gonna be a nice high-level overview of some important concepts that can really help you dive into the topics.
So the first thing I wanna talk about is, as we all know, AWS is a fantastic cloud company of some sort. And they allow you to do certain amounts of tech work in the cloud. And so, I guess a good question is, sort of, how does that happen? Well, inside the AWS cloud, we've got all this space, and all this space is AWS area. And in here, there are a bunch of different people. There's you, there's your friend, there's every other company and whatnot under the sun, and all of these people live within the AWS cloud.
Now, one thing you might be worried about when working with AWS is that maybe these other people could see into your little space that you're doing stuff. And that could be, you know, that could be scary, especially if you have regulatory compliance things that you need to be aware of. So, how does AWS, and how do we, deal with this sort of, this peering into other people's business? Well, one of the first things that you should learn, and to think about when dealing with networking and AWS, is the idea of the VPC. And the VPC helps us make our own private part of the AWS cloud, that is mostly there just for our uses.
So what does that look like? Well, the VPC allows us to, again, have our cloud with all of these individuals in it and section it off inside AWS for only their use. So this would be user one, and this would be user two, and this would be user three. And it's really nice that information from this guy can't pierce or break this wall unless you wanted it to, unless you explicitly allowed that person to get in. And this is all within your VPC. And so the first part of really understanding networking is first understanding that our VPCs are a logically isolated zone within the AWS cloud.
And that kind of leads us onto our next question of where does a VPC really live within the cloud? And that kind of takes us to sort of like the next thing. And like, this is the Earth, right? There's some continents or whatever, you're gonna have to deal with it. It's not the best Earth in the world. And within these continents, here's Earth, you got, always label your graphs. And within Earth we have the AWS cloud, and AWS splits up its cloud into things called regions in order to globally cover the Earth.
So there might be a region here, we'll call this region one. There might be a region here, call this region two, and there might even be a region here, and we'll call this region three. And when we think about AWS, when we think about the cloud and we think about that thing we just learned, the VPC, everything has to live somewhere. And so if we want to have our section of the cloud, which is a VPC, we have to put it in a region. And so that could either go here, that could go here, or that could go here. And so that's the first bit of networking, is understanding what a VPC is and understanding where a VPC lives. And so your VPC lives inside one of the available regions within the AWS cloud. And so from now on, when I talk about a VPC, I want you to keep in mind that that means a region.
That it is your specialized place in the cloud and that it lives within a specific region. And I'm gonna again start drawing out our VPC as boxes because it's easier to represent. And this VPC lives in region one. Okay? That might look like, in the real world, us-west-1. And there's a bunch of other different regions. There's like 20, 25 or 28 now. I don't know. There's a lot of 'em now.
All right, so now that we know we have our isolated section of the cloud, we know VPCs are isolated sections of the cloud, live in a region, and there's many regions out there. And so let's take a look at maybe like a bad drawing of the US. All right, and so the interesting thing about regions is they do break up into different pieces. So let's just pretend all of this was one region. It's really not in the actual AWS land, but let's pretend this was all region one.
And inside of a region, these also break down into something called availability zones. So here's, let's say, this is an AZ, an availability zone. And here's an availability zone, and here's another one. You'll notice they're all kind of grouped together in the same area but they're separated by some amount of distance and space. And this would be AZ one, AZ two, AZ three. And each region is made up of some number of availability zones, at least two, normally, and sometimes up to three.
Okay, so why do I bring that up? Well, in relationship to our cool box here, let's just get a little bit more space. So in relationship to our cool box, our VPC, we can split it up into multiple areas. And each of these areas is represented by an availability zone. So again, we have our region, and each one of these could be a different AZ, AZ one and AZ two. And what does that allow you to do? Well, not only can you sort of like isolate your stuff from other people, you can isolate your stuff from other stuff of your own.
So let's say in here you wanted to have an EC2 instance. You could have another EC2 instance in here. Why would that be good? Well, just in case maybe this availability zone goes down, you could have a second one that could take over the load. And the way we actually do that separation is by creating different subnets within your VPC. Right? And a subnet lives within an availability zone. Boop, boop, boop, boop. And this one goes here. And you'll see our EC2 instance here, is living within that subnet. Well, that's pretty cool.
How about we just do a quick review? And then we'll move on. So to start off with, we have AWS. It is a cloud-based service. Other people, like you, this is you, might be living and working inside AWS. In order to separate your accounts, so that way they can't talk to each other, we use something called a VPC. It's a virtual private cloud, that's what that acronym stands for. Probably should have mentioned that earlier. And everyone has their own VPC. Your VPCs like to live within a region. And that could be over here, that could be over here, or that could be over here, somewhere on the globe.
Each region, then again, separates into multiple availability zones. AZ one, AZ two, AZ three. And these availability zones make up that region. There will be at least two availability zones per region, generally, and sometimes there'll even be three. Your VPC can also be split up into multiple sections by doing something called subnetting and a subnet is placed inside of an AZ. Here's AZ one, and we can have another subnet over here, in AZ two.
I think it's also a good time to mention you can also split subnets within the same availability zone. So let's just say, this is all one availability zone here. You could have a subnet up here and a subnet down here, in two logically distinct groups. Alrighty, now that we have all that sort of background, I can start really digging into some of the interesting tidbits for networking.
So let's again draw us a VPC. We're going to put it here. It's our VPC. And we might separate this up into two subnets, here and here. This one is in AZ one. This one is in AZ two. Inside of here, we might have an EC2 instance on either side. Now, these EC2 instances, they're just servers doing something. Let's say these ones send out a random cat picture to you when you check into the website.
How do we get network traffic to go from inside one isolated thing, two isolated thing, three isolated thing, 'cause the EC2 instance is its own deal, out to the public internet? Woo. Out to the public internet. How do we get traffic from inside to outside, through all of these layers of networking and isolation? Well, our first step is to create an internet gateway. This thing right here, an IG, internet gateway.
The internet gateway allows us to pass traffic through our VPC, both inwards and outwards. It is basically the first step toward getting any kind of connectivity working at all. And now that we have the option, the internet can now push traffic into here and go find something within the AWS cloud and your VPC, and all that specific routing is handled by AWS. But how do we get it from, let's say, the barrier of the VPC, as it were, all the way to this EC2 instance? Someone's typing in www.iwantacatpicture.com and how do we get it all the way into our instance?
Well, one of the first things we have to do is we have to tell this EC2 instance how to get traffic out towards the internet gateway. And each subnet has something called a route table on it that is like a phone book or a lookup table of how to send network traffic around the VPC or specifically within the subnet. And so, for this subnet, we might have two routes on the route table. We might have a local route, which says, anything that is supposed to stay within the subnet stays within the subnet.
So if I had another EC2 instance here, that'd want to talk to this EC2 instance, and it knew its IP address, it would be part of that local part of the table. And in order to get the traffic to say, go out of the subnet and to maybe exit through the internet gateway, you could have a, let's say, an external route that points to the internet gateway. Your local traffic stays internal and your external traffic will hop out to the internet gateway. And so that's one of the very basics of, how do I get connectivity inwards and outwards? The first step to get it out is to make sure we have internet gateway. The second step is to make sure we have a route, on a route table, on a subnet, like this guy, pointing towards that internet gateway.
Now that gets us traffic going out of our VPC, out to the internet. How do we make sure the traffic can come back into it? Let's say, for that person who wanted to check out a cool cat picture. Well, you have to make sure that this puppy right here, this EC2 instance, has a public IP address. And as long as you have a public IP address and you have an external connection to the internet gateway, and somebody knows that public IP address or domain name associated with it, they can send traffic inwards and outwards.
There are two other gotchas that we need to pay attention to here, because maybe you do have all this set up already but traffic is not able to go through. The things that you'd want to look out for, at this point, is that you have a security group attached to this EC2 instance that allows traffic to go out, probably on port 80. And that's probably HTTP. You could also do HTTPS. And the final thing you'd want to check, if you still didn't have access to the instance you were looking for, is that maybe the subnet had a NACL, a network ACL, and you had to make sure that it wasn't blocking the traffic, no blocking, blocking bad. And that right there would get you basic-level connectivity into AWS, into your VPC, into your subnets that live within an availability zone, to talk to an EC2 instance.
Now this is just scratching the surface of all of the information that you need to know for networking. But I wanted to sort of bring you in here and show you how digestible it actually can be, if you take it bite by bite and a little bit at a time. If you're interested in learning more about that whole subnetting process, and subnets in general, I made a Tablet Talk already, speaking about that. And you can find it over here. And if you'd like to learn more about the extended process of how networking works, we have an entire learning path sort of set up to talk about this entire subject. I just wanted to create this video to help draw you in and show you things at a very high level.
Well, I hope you've enjoyed yourself learning about this topic, learning a little bit about an intro to networking. I'd like to encourage you to go explore those videos, those learning paths. And if you have any questions, go ahead and send me an email. My name's Will at firstname.lastname@example.org. And I'll answer any fun networking stuff you may have, or not fun stuff. I even do that too. All right, guys, thank you so much, bye.
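Editor's note: the checklist Will walks through at the end (internet gateway attached, a route to it in the subnet's route table, a public IP on the instance, a security group rule, a network ACL that is not blocking) is exactly the order a practitioner debugs "the internet can't reach my instance". The following is an added example, not code from the talk or from AWS: a small model of those pieces that walks an inbound HTTP request from a client on the internet to an instance and reports everything on the path that would stop it. It also shows the one behavioural difference worth remembering when you get to the NACL step: security groups are stateful, so the reply to an allowed request is permitted automatically, while network ACLs are stateless and numbered, so the reply to the client's ephemeral port needs its own outbound rule and the lowest-numbered matching rule wins. Every id, CIDR and address in it is constructed for illustration.

```python
# Added example (not from the talk): a model of the pieces Will describes,
# used to answer "why can't the internet reach my instance?" the way you
# would debug it by hand. All ids, CIDRs and addresses are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    destination: str   # CIDR the route matches, e.g. "0.0.0.0/0"
    target: str        # "local", or an igw-* / nat-* id


@dataclass
class NaclRule:
    number: int        # AWS evaluates NACL rules lowest number first; first match wins
    protocol: str      # "tcp" or "-1" (all protocols)
    port_from: int
    port_to: int
    cidr: str
    action: str        # "allow" or "deny"


@dataclass
class Subnet:
    cidr: str
    routes: List[Route]
    nacl_inbound: List[NaclRule]
    nacl_outbound: List[NaclRule]


@dataclass
class Instance:
    private_ip: str
    public_ip: Optional[str]
    sg_ingress: List[Tuple[str, int, int, str]]   # (protocol, from_port, to_port, source cidr)


def cidr_contains(cidr: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def route_for(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Most specific (longest prefix) route matching dst_ip, as a route table does."""
    matches = [r for r in routes if cidr_contains(r.destination, dst_ip)]
    return max(matches, key=lambda r: ipaddress.ip_network(r.destination).prefixlen, default=None)


def nacl_allows(rules: List[NaclRule], ip: str, port: int) -> bool:
    """Network ACL: ordered, first matching rule decides; implicit '*' deny at the end."""
    for rule in sorted(rules, key=lambda r: r.number):
        if (rule.protocol in ("tcp", "-1") and rule.port_from <= port <= rule.port_to
                and cidr_contains(rule.cidr, ip)):
            return rule.action == "allow"
    return False


def sg_allows_ingress(rules, src_ip: str, port: int) -> bool:
    """Security group: any matching rule allows; there are no deny rules."""
    return any(proto in ("tcp", "-1") and lo <= port <= hi and cidr_contains(cidr, src_ip)
               for proto, lo, hi, cidr in rules)


def check_inbound_http(igw_attached, subnet, instance, client_ip, client_port=50000, port=80):
    """Walk the path from an internet client to instance:port and collect what blocks it."""
    reasons = []
    if not igw_attached:
        reasons.append("no internet gateway attached to the VPC")
    if instance.public_ip is None:
        reasons.append("instance has no public IP, so the IGW cannot NAT traffic to it")
    route = route_for(subnet.routes, client_ip)
    if route is None or not route.target.startswith("igw-"):
        reasons.append("subnet route table has no route via the IGW for the client's address")
    if not nacl_allows(subnet.nacl_inbound, client_ip, port):
        reasons.append(f"NACL inbound denies tcp/{port} from {client_ip}")
    if not sg_allows_ingress(instance.sg_ingress, client_ip, port):
        reasons.append(f"security group has no inbound rule for tcp/{port} from {client_ip}")
    # Security groups are stateful: the reply is allowed automatically.
    # NACLs are stateless: the reply to the client's ephemeral port needs an outbound rule.
    if not nacl_allows(subnet.nacl_outbound, client_ip, client_port):
        reasons.append(f"NACL outbound denies the reply to tcp/{client_port}")
    return (not reasons, reasons)


# Constructed sample data: a public subnet whose NACL allows HTTP in and ephemeral ports out.
ALLOW_HTTP_IN = [NaclRule(100, "tcp", 80, 80, "0.0.0.0/0", "allow")]
ALLOW_EPHEMERAL_OUT = [NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
PUBLIC_ROUTES = [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "igw-0example")]

PUBLIC_SUBNET = Subnet("10.0.1.0/24", PUBLIC_ROUTES, ALLOW_HTTP_IN, ALLOW_EPHEMERAL_OUT)
# Same subnet, but someone "locked down" the NACL and forgot the stateless reply path.
LOCKED_SUBNET = Subnet("10.0.1.0/24", PUBLIC_ROUTES, ALLOW_HTTP_IN, [])
# No IGW route: even with a public IP, the reply has no way back out.
PRIVATE_SUBNET = Subnet("10.0.2.0/24", [Route("10.0.0.0/16", "local")], ALLOW_HTTP_IN, ALLOW_EPHEMERAL_OUT)

WEB = Instance("10.0.1.10", "198.51.100.10", [("tcp", 80, 80, "0.0.0.0/0")])
CLIENT = "203.0.113.9"   # documentation address standing in for "someone on the internet"

if __name__ == "__main__":
    for name, subnet in [("public", PUBLIC_SUBNET), ("locked", LOCKED_SUBNET), ("private", PRIVATE_SUBNET)]:
        ok, why = check_inbound_http(True, subnet, WEB, CLIENT)
        print(name, "reachable" if ok else "blocked: " + "; ".join(why))
```

Running it prints the public subnet as reachable, the locked subnet as blocked only by the missing NACL outbound rule for the ephemeral reply port, and the private subnet as blocked only by the missing IGW route. The checker reports every failing step rather than stopping at the first, which is what you want when more than one of Will's gotchas is wrong at once.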
William Meadows is a passionately curious human currently living in the Bay Area in California. His career has included working with lasers, teaching teenagers how to code, and creating classes about cloud technology that are taught all over the world. His dedication to completing goals and helping others is what brings meaning to his life. In his free time, he enjoys reading Reddit, playing video games, and writing books.