AWS: VPC, Subnets, NACLs, Security Groups, IGWs, Route Tables, Etc


I've watched hours upon hours of tutorials and have read until my eyes were about to bleed, but I just cannot seem to grasp how Amazon VPCs are working. I've created and deleted entire VPC environments with EC2 instances various times following tutorials, but as soon as I go to create one w/out the tutorial, I'm lost.

I'm trying to come up with an analogy to help me to better understand. What I have so far is something like this:

A VPC is like a Club. At the front of the club, you have an Entrance, the IGW. Inside the Club, you have different areas; the General Area which would be the public subnet and the Management Area which is the private subnet.

Within the General Area you would have a Dance Floor/Bar which would equate to an EC2 Instance and a Receiving Bay where management can receive deliveries and whatnot from the outside world, the NAT.

Then in the Management Area you'd have an Office, another EC2 Instance, and your Inventory which is like your RDS.

I think that's a somewhat accurate analogy so far, but once I start to try and work in the SGs, NACLs, RTs, etc, I realize that I'm just not grasping it all.

Can anyone help me with finishing this analogy or supply a better analogy? I'm at my wits' end.


There is 1 answer

John Rotenstein

Rather than using analogies, let's use the network you already have at home.

Within your home, you probably have a Router and various devices connected to the router. They might be directly connected via ethernet cables (eg a PC), or they might be connected via wifi (eg tablets, phones, Alexa). Your home network is like a VPC. Your various devices connect to the network and all of the devices can talk to each other.

You also have some sort of box that connects your router to the Internet. This might be a cable modem, or a fibre router or (in the old days) a telephone connection. These boxes connect your network (VPC) to the Internet and are similar in function to an Internet Gateway. Without these boxes, your network would not be able to communicate with the Internet. Similarly, without an Internet Gateway, a VPC cannot communicate with the Internet.

Some home routers allow you to broadcast a Guest network in addition to your normal network. This is a network where you can give guests a password, but they can't access your whole network -- this is good for security, since they can't snoop around your network to try and steal your data. This is similar in concept to having a separate subnet -- there are two networks, but routing rules (NACLs) block the traffic between them to improve security.

A home router typically blocks incoming access to your devices. This means that people on the Internet cannot access your computer, printer, devices, etc. This is good, since there are many bots on the Internet always trying to hack into devices on your network. However, the home router allows outbound requests from your devices to the Internet (eg a website) and it is smart enough to allow the responses to come back into the network. This is equivalent to a Security Group, which has rules that determine what Inbound and Outbound requests are permitted. Security Groups are stateful, which means they automatically allow return traffic even if it is not specifically listed. The difference is that the router is acting as the Security Group, whereas in an Amazon VPC it is possible to assign a Security Group to each individual resource (like having a router on each resource).

That doesn't cover all the capabilities of an Amazon VPC, but it should give you an idea of how the network actually behaves.
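To make the "stateful" point in the answer concrete, here is an added toy model (not code from the answer or from AWS) that judges the same two packets with a Security Group and with a Network ACL. It assumes the AWS behaviour that a NACL is stateless and evaluates numbered allow/deny rules lowest number first with an implicit final deny, which is why a NACL needs an explicit outbound rule for ephemeral ports (1024-65535) before a web server's replies can leave; rule formats are simplified to single TCP ports.

```python
"""Toy model of a stateful Security Group versus a stateless Network ACL.
Constructed example, not AWS code; TCP only, single ports, "any" = all ports."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str    # "in" = Internet -> instance, "out" = instance -> Internet
    remote_port: int  # port on the far end of the conversation
    local_port: int   # port on the instance
    def dst_port(self) -> int:  # rules match the destination port
        return self.local_port if self.direction == "in" else self.remote_port

class SecurityGroup:
    """Allow-only rules plus connection tracking (replies on known flows pass)."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": set(inbound), "out": set(outbound)}
        self.flows = set()  # (local_port, remote_port) of accepted flows
    def allows(self, p: Packet) -> bool:
        flow = (p.local_port, p.remote_port)
        if flow in self.flows:
            return True  # stateful: return traffic of a known flow needs no rule
        rules = self.rules[p.direction]
        if "any" in rules or p.dst_port() in rules:
            self.flows.add(flow)
            return True
        return False

class NetworkAcl:
    """Numbered allow/deny rules, lowest first, implicit final deny, no state."""
    def __init__(self, inbound, outbound):
        # rule = (number, "allow" | "deny", (low_port, high_port) | "any")
        self.rules = {"in": sorted(inbound, key=lambda r: r[0]),
                      "out": sorted(outbound, key=lambda r: r[0])}
    def allows(self, p: Packet) -> bool:
        port = p.dst_port()
        for _num, action, ports in self.rules[p.direction]:
            if ports == "any" or ports[0] <= port <= ports[1]:
                return action == "allow"
        return False  # the implicit "*" deny rule

def demo() -> dict:
    # HTTPS request from an Internet client on ephemeral port 50000, then the reply
    request = Packet("in", remote_port=50000, local_port=443)
    reply = Packet("out", remote_port=50000, local_port=443)
    sg = SecurityGroup(inbound={443}, outbound=set())
    acl_bare = NetworkAcl(inbound=[(100, "allow", (443, 443))], outbound=[])
    acl_fixed = NetworkAcl(inbound=[(100, "allow", (443, 443))],
                           outbound=[(100, "allow", (1024, 65535))])  # ephemeral ports
    return {"sg_request": sg.allows(request), "sg_reply": sg.allows(reply),
            "acl_request": acl_bare.allows(request),
            "acl_reply_dropped": acl_bare.allows(reply),
            "acl_reply_allowed": acl_fixed.allows(reply)}
```

The Security Group lets the reply out with no outbound rule at all, while the bare NACL accepts the request and then silently drops the reply, which is the classic symptom of a stateless rule set missing its ephemeral-port entry.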