Networking is hard.<\/p>\n\n\n\n
If you have not come from a traditional IT background, the VPC part of the AWS Certification training is tricky. There is talk of CIDR blocks, subnets and spaghetti mess diagrams.<\/p>\n\n\n\n
Sort of like the London Underground. Which got me thinking. When I moved to London, the Underground system seemed really overwhelming. But it didn’t take too long to figure out. By the end of my four years, I could tell you which door to get on the train so you could avoid the crowds and get out quickly at the other end.<\/p>\n\n\n\n
Turns out there are a lot of similarities between the two. If I could figure out The Tube map with all its zones, stations, platforms and jargon, surely I could figure out VPCs.<\/p>\n\n\n\n
Introduction<\/a>
VPC<\/strong> – London Underground Network<\/a>
Availability Zone<\/strong> – Fare Zone<\/a>
Subnet<\/strong> – Station<\/a>
Route Table<\/strong> – Timetable<\/a>
Network Access Control Lists<\/strong> – Signals<\/a>
VPC Peering<\/strong> – Travelling on other services<\/a><\/p><\/blockquote>\n\n\n\n
\n\n\n\nIntroduction<\/h2>\n\n\n\n
Here is the example network diagram from the AWS documentation<\/a>. This post hopes to break down all the components in this diagram and draw some parallels from the London Underground network.<\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
\n\n\n\nVPC<\/strong> – London Underground network<\/h2>\n\n\n\n
To put it simply, a VPC<\/a> is a network within your AWS account that holds your AWS services.<\/p>\n\n\n\n
Think of it as your own data centre. You decide how big it needs to be by assigning a range of IP addresses. This is called a CIDR block<\/a>(Classless Inter-Domain Routing) and it allows us to track and restrict the sort of traffic and users<\/a> access our instances.<\/p>\n\n\n\n
Key things to know:<\/p>\n\n\n\n
By default a VPC is isolated from other VPCs unless we ‘peer’ them together.<\/p><\/li>
There is a limit of five VPCs per region but this can be increased.<\/p><\/li>
VPCs span all Availability Zones within a Region.<\/p><\/li><\/ul>\n\n\n\n
\n\n\n\nAvailability Zone<\/strong> – Fare Zone<\/h2>\n\n\n\n
Once you have created a VPC you can start adding Subnets<\/a> in each Availability Zone.<\/p>\n\n\n\n
Key things to know:<\/p>\n\n\n\n
\n\n\n\nSubnet<\/strong> – Station<\/h2>\n\n\n\n
A Subnet is like a Station. It can be public or private. Just like on the London Underground network where there are public stations with public access.<\/p>\n\n\n\n
There are abandoned stations, staff training stations and mail stations. The kind of private stations the public can\u2019t access on a normal day.<\/p>\n\n\n\n
Key things to know:<\/p>\n\n\n\n
There can be up to 200 Subnets per VPC. If you would like to increase this you will need to request this through AWS Support.<\/p><\/li>
There are currently 270 stations on the London Underground Network, although they probably didn\u2019t have to submit a ticket to get this increased.<\/p><\/li>
You define which Subnets you want to be exposed to the internet by attaching public IP addresses.<\/p><\/li><\/ul>\n\n\n\n
\n\n\n\nRoute Table<\/strong> – Timetable<\/h2>\n\n\n\n
Each Subnet has a Route Table attached. This creates a set of rules to allow traffic to flow within a set of guidelines.<\/p>\n\n\n\n
This means that traffic stays inside the Subnet until a route is created to allow it to travel to the next stop on the network.<\/p>\n\n\n\n
Key things to know:<\/p>\n\n\n\n
A Route Table tells the traffic which way it needs to go to get to the destination.<\/p><\/li>
The Internet Gateway allows devices on a Public Subnet to connect to the internet.<\/p><\/li>
In contrast a Network Address Translation Gateway (NAT Gateway) facilitates the connection between Private Subnets and the internet.<\/p><\/li>
Similar to how Engineering Stock<\/a> travel after hours from private stations through public stations.<\/p><\/li><\/ul>\n\n\n\n
\n\n\n\nNetwork Access Control Lists<\/strong> – Signals<\/h2>\n\n\n\n
Network Access Control Lists (NACL) allow us to limit traffic to safeguard against mistakes<\/a> and accidents. Using NACLs, like the signals on the London underground, means we can control traffic flow using a set of rules.<\/p>\n\n\n\n
Key things to know:<\/p>\n\n\n\n
\n\n\n\nVPC Peering<\/strong> – Travelling on different services<\/h2>\n\n\n\n
A VPC peering connection allows traffic to be routed between two VPCs as if they were within the same network.<\/p>\n\n\n\n
Key things to know:<\/p>\n\n\n\n
Transitive peering is not allowed, which means you must have direct access to allow traffic through.<\/p><\/li>
VPCs can be peered with other accounts. The same way you can access National Rail Services from within the London Underground Zones.<\/p><\/li><\/ul>\n\n\n\n
\n\n\n\n<\/figure><\/div>\n\n\n\n This isn’t a perfect analogy but by giving the concepts some context I’m one step closer to getting my head around how a VPC works.<\/p>\n\n\n\n
It’s also given me an excuse to revisit all the fun facts of the London Underground<\/a> which is always good.<\/p>\n\n\n\n
\n\n\n\nUseful Links<\/h2>\n\n\n\n