Notes on AWS networks vpcs security groups subnets etc
This is part of the Semicolon&Sons Code Diary, consisting of lessons learned on the job. You're in the AWS category.
Last Updated: 2024-11-23
Notes on networks on AWS
VPC
By default, a VPC (the default VPC) has a /16 IPv4 CIDR block (172.31.0.0/16).
This provides up to 65,536 private IPv4 addresses (the last two octets, 16 bits
in total, are free to take any value).
The main route table in the VPC maps the VPC's own address range (172.31.0.0/16)
locally; AWS also creates an internet gateway and adds a route to it so the VPC
can reach the internet.
Internet Gateway
- The internet gateway maps any Elastic IPs to the dynamic internal IPs of
your AWS resources. Any other IP addresses are routed to the internet gateway
(0.0.0.0/32) and on to external machines (subject to firewalls etc.).
Subnets
- Subnets can be either public (has a route to the internet gateway) or private (has no such route).
- Each subnet is limited to one Availability Zone. Think of it as a subset of the VPC.
- By default AWS creates a /20 default subnet (20-bit prefix) in each
Availability Zone. This provides up to 4,096 addresses per subnet, a few of
which are reserved for AWS use. The default subnets are public.
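The CIDR arithmetic and the public/private distinction above can be checked with a few lines of Python. The block below is an added example, not part of the diary: it uses the standard `ipaddress` module to size the default /16, carve it into the per-AZ /20 subnets, subtract the five addresses AWS reserves in every subnet, and resolve destinations against a route table by longest-prefix match. The route table, the `igw-EXAMPLE` gateway id and the default route written as `0.0.0.0/0` (the form a route table uses) are constructed for the example.

```python
import ipaddress
from typing import Optional

# Constructed values for this example: the default VPC range from the notes
# and a hypothetical internet gateway id (igw-EXAMPLE is a placeholder).
DEFAULT_VPC_CIDR = "172.31.0.0/16"
AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, one reserved, broadcast


def address_count(cidr: str) -> int:
    """Total IPv4 addresses covered by a CIDR block (2 ** host_bits).
    strict=True rejects a block whose host bits are not all zero."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses


def usable_addresses(cidr: str) -> int:
    """Addresses left for instances once AWS's five reserved ones are removed."""
    return address_count(cidr) - AWS_RESERVED_PER_SUBNET


def carve_subnets(vpc_cidr: str, new_prefix: int) -> list:
    """Split a VPC block into equal subnets, e.g. the /16 into sixteen /20s."""
    return [str(n) for n in ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)]


def lookup_route(routes: list, destination: str) -> Optional[str]:
    """Longest-prefix match, which is how a route table chooses a target.
    routes is a list of (cidr, target) pairs; returns the target or None."""
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def is_public_subnet(routes: list) -> bool:
    """A subnet is public when its route table has a route to an internet gateway."""
    return any(target.startswith("igw-") for _, target in routes)


# Main route table of a default VPC: the local route for the VPC's own range
# plus a default route to the internet gateway (written 0.0.0.0/0 in a route table).
MAIN_ROUTE_TABLE = [
    ("172.31.0.0/16", "local"),
    ("0.0.0.0/0", "igw-EXAMPLE"),
]
# A route table with no internet gateway route makes its subnets private.
PRIVATE_ROUTE_TABLE = [("172.31.0.0/16", "local")]


if __name__ == "__main__":
    print(DEFAULT_VPC_CIDR, "holds", address_count(DEFAULT_VPC_CIDR), "addresses")
    for subnet in carve_subnets(DEFAULT_VPC_CIDR, 20)[:3]:
        print(subnet, "usable:", usable_addresses(subnet))
    for dest in ("172.31.5.4", "8.8.8.8"):
        print(dest, "->", lookup_route(MAIN_ROUTE_TABLE, dest))
```

Running it shows the two facts the notes state (65,536 addresses in the /16, 4,096 per /20) and that a private-range destination stays `local` while anything else falls through to the internet gateway route; a subnet attached to `PRIVATE_ROUTE_TABLE` gets no route at all for `8.8.8.8`, which is exactly what makes it private.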
Security Group
- Essentially firewalls for traffic.
- Within the security group you must explicitly allow inbound communication.
For a typical HTTP server deploy, that means port 80 (HTTP), port 443 (HTTPS)
and port 22 for SSH.
Network Access Control List (ACL)
- A network access control list (ACL) is another (optional) layer of
security for your VPC that acts as a firewall for controlling traffic in and
out of one or more subnets. By default, it allows all inbound and outbound
IPv4 traffic and, if applicable, IPv6 traffic. But you could theoretically ban
certain types of traffic (e.g. TCP traffic in the port range 32768-65535).
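The two layers behave differently in a way the notes do not spell out, and the difference matters for the 32768-65535 example: a security group is a stateful allow-list (replies to connections it tracks are admitted without a rule), whereas a network ACL is a stateless, numbered rule list evaluated in order with an implicit final deny. The block below is an added example, not code from the diary or from AWS: it models both evaluations over constructed rules (a typical web server group with SSH restricted to a placeholder admin range in the 203.0.113.0/24 documentation block, and the notes' NACL that denies inbound TCP 32768-65535), and includes a small check for ports a group opens to the whole internet. The model covers TCP only.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class SGRule:
    """An inbound security-group rule: protocol, port range, allowed source CIDR."""
    protocol: str
    from_port: int
    to_port: int
    cidr: str


@dataclass(frozen=True)
class NaclRule:
    """A numbered network ACL rule; action is 'allow' or 'deny'."""
    number: int
    protocol: str
    from_port: int
    to_port: int
    cidr: str
    action: str


def _matches(rule, pkt: Packet) -> bool:
    return (rule.protocol == pkt.protocol
            and rule.from_port <= pkt.dst_port <= rule.to_port
            and ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(rule.cidr))


def sg_allows_inbound(rules, pkt: Packet) -> bool:
    """Security groups are allow-lists: traffic with no matching rule is dropped."""
    return any(_matches(r, pkt) for r in rules)


def nacl_decides(rules, pkt: Packet) -> str:
    """Network ACLs are evaluated in ascending rule number; the first match wins,
    and the implicit final '*' rule denies anything left over."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, pkt):
            return r.action
    return "deny"


def instance_receives(sg_rules, nacl_rules, pkt: Packet, is_reply: bool = False) -> str:
    """Traffic entering a subnet meets the NACL first, then the instance's security
    group. The NACL is stateless, so it inspects reply packets too; the security
    group is stateful and admits replies to connections it already tracks."""
    if nacl_decides(nacl_rules, pkt) == "deny":
        return "denied by NACL"
    if is_reply or sg_allows_inbound(sg_rules, pkt):
        return "allowed"
    return "denied by security group"


def world_exposed_ports(rules) -> list:
    """Ports a security group opens to 0.0.0.0/0; a quick check before a deploy."""
    ports = set()
    for r in rules:
        if ipaddress.ip_network(r.cidr).prefixlen == 0:
            ports.update(range(r.from_port, r.to_port + 1))
    return sorted(ports)


# Constructed rules for a typical HTTP server: 80 and 443 open to everyone,
# SSH limited to a placeholder admin range (203.0.113.0/24 is documentation space).
SG_WEB = [
    SGRule("tcp", 80, 80, "0.0.0.0/0"),
    SGRule("tcp", 443, 443, "0.0.0.0/0"),
    SGRule("tcp", 22, 22, "203.0.113.0/24"),
]

# The notes' example NACL: deny inbound TCP 32768-65535, allow the rest of TCP.
NACL_BAN_EPHEMERAL = [
    NaclRule(100, "tcp", 32768, 65535, "0.0.0.0/0", "deny"),
    NaclRule(200, "tcp", 0, 65535, "0.0.0.0/0", "allow"),
]
# A permissive TCP-only stand-in for the default NACL.
NACL_DEFAULT = [NaclRule(100, "tcp", 0, 65535, "0.0.0.0/0", "allow")]


if __name__ == "__main__":
    # A reply to a connection the instance opened itself comes back to an
    # ephemeral port, so the deny rule blocks it even though the SG would not.
    reply = Packet("93.184.216.34", 50000)
    print("reply with ban:", instance_receives(SG_WEB, NACL_BAN_EPHEMERAL, reply, is_reply=True))
    print("reply without ban:", instance_receives(SG_WEB, NACL_DEFAULT, reply, is_reply=True))
    print("world-exposed ports:", world_exposed_ports(SG_WEB))
```

The `reply` case is the caveat worth remembering: the instance's own outbound connections (package updates, calls to other services) receive their replies on ephemeral ports, so a blanket inbound deny on 32768-65535 in a stateless NACL silently breaks them while the stateful security group would have let them through. `world_exposed_ports` is the kind of check to run on a group before attaching it; a result containing 22 means SSH is reachable from anywhere rather than from the admin range alone.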
AWS resource network interface IP addresses in relation to VPC/Subnet
- Once an instance is created within a VPC/Subnet/Availability Zone, a primary
private IP address from the subnet's IPv4 address range is assigned to the
instance's default network interface (eth0).