AWS With VPC

Let's start your journey with AWS, VPC, Network and IP address

  1. How to create an AWS account ?

  2. How to create a server?

  3. SSH = Linux to Linux (remote login to the server)

  4. HTTP = we can access a web server over the internet

Instance = server.

1) Create an AWS account and log in

2) Choose the EC2 service

3) Choose a name for the server

4) Choose the Ubuntu 18 AMI; the AMI is just like the OS image

5) Instance type t2.micro: 1 core CPU and 1 GB RAM

6) Create a new .pem key file and download it; the key pair takes the place of a username and password

7) Choose the default network

8) Choose a security group that allows SSH and HTTP

9) Choose an 8 GB EBS volume; it is just like a hard disk

10) Click "Launch instance" to create the instance

Apache2 = web server

Are we able to get into the server from a laptop?

1) Install Git on your laptop

2) Using Git Bash and the .pem key, SSH into the server

3) $ sudo -i

4) # apt-get update

5) # apt-get install apache2

6) Now we can access the web server over the internet

AWS_VPC:

Network Basics:

1) What is a network?

2) What is a static network?

3) What is a dynamic network?

4) IP address?

5) Subnet mask?

6) Classful network?

7) Classless Network?

8) Router

9) Modem

10) Private IP vs Public IP

11) NAT

12) Subnetting

Network?

IP address?

EX01: Class C : End Users

Total network bits = 8 + 8 + 8 + 8 = 32 bits

  Default Gateway . . . . . . . . . : 192.168.1.1
  IPv4 Address. . . . . . . . . . . : 192.168.1.4
  Subnet Mask . . . . . . . . . . . : 255.255.255.0

Network occupied = 8 + 8 + 8 + 0 = 24 bits

Each octet: max = 255, min = 0, so 0-255 = 256 values

Network ID: 192.168.1
Host ID: 4

How many IPs?

2^(total network bits - occupied bits) - 2 = total IPs
2^(32-24) - 2 = 254 IPs

EX02: Class B : ISP

Total network bits = 8 + 8 + 8 + 8 = 32 bits

  Default Gateway . . . . . . . . . : 192.168.1.1
  IPv4 Address. . . . . . . . . . . : 192.168.1.4
  Subnet Mask . . . . . . . . . . . : 255.255.0.0

Network occupied = 8 + 8 + 0 + 0 = 16 bits

Each octet: max = 255, min = 0, so 0-255 = 256 values

Network ID: 192.168
Host ID: 1.4

How many IPs?

2^(total network bits - occupied bits) - 2 = total IPs
2^(32-16) - 2 = 65534 IPs

EX03: Class A : BB (TCS)

Total network bits = 8 + 8 + 8 + 8 = 32 bits

  Default Gateway . . . . . . . . . : 192.168.1.1
  IPv4 Address. . . . . . . . . . . : 192.168.1.4
  Subnet Mask . . . . . . . . . . . : 255.0.0.0

Network occupied = 8 + 0 + 0 + 0 = 8 bits

Each octet: max = 255, min = 0, so 0-255 = 256 values

Network ID: 192
Host ID: 168.1.4

How many IPs?

2^(total network bits - occupied bits) - 2 = total IPs
2^(32-8) - 2 = 16,777,214 IPs

Classful network:

1) We can't change the network/host boundary

2) It uses whole octets: each octet contributes either 0 or 8 network bits

What if I want 510 IPs? A classful boundary gives 254 (Class C) or 65534 (Class B), so we need classless addressing.

Classless network:

CIDR: classless inter-domain routing.

1) We can change the network/host boundary

2) It uses binary format (0's and 1's), so the boundary can fall inside an octet

Total network bits = 11111111 + 11111111 + 11111111 + 11111111 = 32 bits

  Default Gateway . . . . . . . . . : 192.168.1.1
  IPv4 Address. . . . . . . . . . . : 192.168.1.4
  Subnet Mask . . . . . . . . . . . : 255.255.252.0

Network occupied = 11111111 + 11111111 + 11111100 + 00000000 = 22 bits, written /22 in CIDR notation

How many IPs?

2^(total network bits - occupied bits) - 2 = total IPs

2^(32-22) - 2 = 1022 IPs

Main Network : 192.168.0.0/22

How many sub networks?

2^2 = 4 subnets

Subnet 01: 192.168.0.0/24 = 256 ip

Subnet 02: 192.168.1.0/24 = 256 ip

Subnet 03: 192.168.2.0/24 = 256ip

Subnet 04: 192.168.3.0/24 = 256 ip

Router = network 

modem= internet 

Private IP to Private IP YES

Public IP to Public IP YES

Private IP to Public IP NO

Subnetting:

1) Create myVPC with CIDR range 192.168.0.0/22

2) Create a public subnet with CIDR range 192.168.1.0/24

3) Create a private subnet with CIDR range 192.168.2.0/24

4) Create a public route table on myVPC

5) Create a private route table on myVPC

6) Associate the public subnet with the public route table

7) Associate the private subnet with the private route table

8) Create myIGW and attach it to myVPC

9) Add a route to myIGW in the public route table

10) Create a public instance and try to log in from the laptop.

Addressing

Physical address = MAC address, 48 bits

Logical address:

1. IPv4 and 2. IPv6

IPV4

  1. Public IP

  2. Private IP

IPv4 - Internet Protocol

  1. 32-bit logical address

  2. 4 octets

  3. 0-255 [for every octet]

IP Address = Network ID + Host ID

An address is four octets, each in the 0-255 range:

  • 8 bit + 8 bit + 8 bit + 8 bit = 32 bit

  192 . 168 . 1 . 0

IP Address Classes:

  1. Class A - 1.0.0.0 to 126.0.0.0 - large networks

  2. Class B - 128.0.0.0 to 191.255.0.0

  3. Class C - 192.0.0.0 to 223.255.255.0 - small networks

  4. Class D - 224 to 239 - used for multicast

  5. Class E - 240 to 255 - used for research

Note: 127.0.0.0 is reserved for the loopback address, which is used to check whether the computer's NIC (network interface) is working: go to cmd and type 'ping 127.0.0.1'. If that succeeds, the local network stack works and the problem is on the internet side.

Q.A.

  1. How to check which class an IP is in?

  2. Check the first octet of the IP; the class is decided by that octet

    1. E.g. 137.20.20.0 - Class B (first octet 128-191)

    2. 201.100.10.0 - Class C (first octet 192-223)

How to find Network ID in IP address based on Classes

Represent Network bit = 1, Host bit = 0

N=Network, H=Host

Class A: 8 network bits  -> N.H.H.H

Class B: 16 network bits -> N.N.H.H

Class C: 24 network bits -> N.N.N.H

Q.A.

How to find network ID -> put network as same and put host as 0 (zero)

  1. Find the network ID of 115.2.1.15

    1. Class A: the first octet (115) is the network and the other octets are host, so

    Ans. Network ID = 115.0.0.0

  2. Find the network ID of 194.2.1.15

    1. Ans. Network ID = 194.2.1.0 (because in Class C the first three octets are network)

How to find SubnetMask

  1. 115.10.10.20: find the subnet mask of this IP

  2. 115.10.10.20 = Class A

  3. Class A = first octet is network and the others are host

  4. 115 = network

  5. First octet is 8 bits

  6. Network ID of the above IP = 115.0.0.0

  7. Mask in binary = 11111111 00000000 00000000 00000000 (network bits 1, host bits 0)

  8. Decimal of the above binary is 255.0.0.0

  9. Class A subnet mask = 255.0.0.0

E.x. 160.23.12.2: find the subnet mask

  1. 160.23.12.2 = Class B

  2. Class B = first 2 octets are network

  3. Network ID = 160.23.0.0

  4. The binary form of the mask = 11111111 11111111 00000000 00000000

  5. Decimal of the above binary = 255.255.0.0

Note: Class A = 8 bit (First Octet), Class B=16 bit (First Two Octet), Class C=24 bit (First three Octet) reserved for network.

Private IP ranges reserved for use inside an organization:

Class A: 10.0.0.0 to 10.255.255.255

Class B: 172.16.0.0 to 172.31.255.255

Class C: 192.168.0.0 to 192.168.255.255

Find the Network ID | Broadcast ID | Number of Host Usable (How many IPs)

E.x.

1. 150.10.20.30

  1. Class B = 150.10.20.30

  2. Network ID = 150.10.0.0

  3. Broadcast ID = 150.10.255.255 (host octets replaced with 255; network octets unchanged)

  4. Number of usable IP addresses?

  5. Host = 16 bits and network = 16 bits for Class B

  6. 2^16 (host bits) - 2 (the network and broadcast addresses are reserved) = 65,534 IPs

  7. In one network how many computers can be connected = 2^16 - 2 = 65,534

2. 12.201.201.201

  1. Class A = 12.201.201.201

  2. Network ID = 12.0.0.0

  3. Broadcast ID = 12.255.255.255 (the 24 host bits are set to 1)

  4. Number of host IP addresses = 2^24 - 2 = 16,777,214 IPs
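The class lookup, network ID, subnet mask, broadcast ID and usable-host calculations worked by hand above (the three ipconfig examples, the class question, and the network-ID, subnet-mask and broadcast exercises) can all be automated. The following is an added example, not code from the original notes; it uses only the Python standard library and encodes the class table exactly as the notes give it.

```python
"""Classful IPv4 calculator: class, default mask, network ID, host ID,
broadcast ID and usable host count from a dotted address.

Added example (not code from the notes); it automates the first-octet
lookup and the "network octets unchanged, host octets set to 0 or 255"
procedure described above, using only the standard library."""
import ipaddress

# Class table as given in the notes: (class, first-octet low, high, network bits)
CLASS_TABLE = [
    ("A", 1, 126, 8),
    ("B", 128, 191, 16),
    ("C", 192, 223, 24),
]


def ip_class(ip: str) -> str:
    """Decide the class from the first octet; D and E have no network/host split."""
    first = int(ip.split(".")[0])
    if first == 127:
        return "loopback"
    for name, lo, hi, _ in CLASS_TABLE:
        if lo <= first <= hi:
            return name
    if 224 <= first <= 239:
        return "D"
    if 240 <= first <= 255:
        return "E"
    raise ValueError(f"{ip}: first octet {first} is not a valid class address")


def classful_info(ip: str) -> dict:
    """Network ID, mask, host ID, broadcast ID and usable hosts for a class A/B/C address."""
    cls = ip_class(ip)
    bits = {name: nb for name, _, _, nb in CLASS_TABLE}.get(cls)
    if bits is None:
        raise ValueError(f"{ip} is class {cls}, which has no host portion")
    # strict=False tells ipaddress to keep the host bits and derive the network.
    net = ipaddress.IPv4Network(f"{ip}/{bits}", strict=False)
    octets = ip.split(".")
    host_octets = octets[bits // 8:]          # classful masks end on an octet boundary
    return {
        "class": cls,
        "network_bits": bits,
        "subnet_mask": str(net.netmask),
        "network_id": str(net.network_address),
        "host_id": ".".join(host_octets),
        "broadcast_id": str(net.broadcast_address),
        # 2^(host bits) - 2: the network and broadcast addresses are not assignable
        "usable_hosts": 2 ** (32 - bits) - 2,
    }


if __name__ == "__main__":
    for sample in ("192.168.1.4", "150.10.20.30", "12.201.201.201"):
        print(sample, classful_info(sample))
```

Running it on the addresses used in the exercises reproduces the answers given above (150.10.20.30 -> 150.10.0.0 / 150.10.255.255 / 65,534 hosts; 12.201.201.201 -> 12.0.0.0 / 12.255.255.255 / 16,777,214 hosts).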

Subnetting

Why do we need subnetting, what is the purpose of subnetting?

A subnetwork or subnet is a subdivision of an IP network. The practice of dividing a network into two or more networks is called subnetting. Computers that belong to a subnet are addressed with a common, identical, most-significant bit-group in their IP address

What is the subnet mask?

A subnet mask is a 32-bit pattern (e.g. 255.255.255.0) that marks which part of an address is the network and which is the host; it is used for routing traffic within a subnet. Once a packet has arrived at an organization's router, it can be routed to its destination subnet using the subnet number.

CIDR

By default CIDR values are below:

Class A- 8

Class B-16

Class C-24 : 198.10.10.0/24

Subnet:

Subnet size is chosen according to the hosts required

E.x. 197.10.10.0, 40 hosts needed per subnet

  1. Class C = 197.10.10.0

  2. Network = 197.10.10 and host = 0

  3. Convert the host octet into binary: 197 10 10 00000000

  4. Find n with 2^n - 2 >= 40 (40 = max number of IPs required), trying n = 1, 2, 3, 4, ...

  5. 2^6 - 2 = 64 - 2 = 62 >= 40 is satisfied, so n = 6 host bits

  6. 197 10 10 00000000: counting from the right, keep 6 bits for the host and give the remaining 2 bits to the network

  7. 197 10 10 11000000 (the 2 borrowed bits are set to 1 because network bits are represented by 1)

  8. 197 10 10 192 (11000000 in decimal = 128 + 64 = 192)

  9. Default subnet mask: 197.10.10.0/24, Class C = 255.255.255.0

  10. Final subnet mask = 255.255.255.192

  11. Subnet 1 = 197.10.10.0/26 (default 24 + 2 borrowed = 26)

  12. In 11000000 the lowest network bit (reading right to left, the first 1) has decimal value 64, so subnets start every 64 addresses

  13. Subnet 2 = 197.10.10.64/26 [0 + 64]

  14. Subnet 3 = 197.10.10.128/26 [64 + 64 = 128]

  15. Subnet 4 = 197.10.10.192/26 [64 + 64 + 64 = 192]

  16. Broadcast IP of subnet 1 = 197.10.10.63 [64 - 1, one below the start of subnet 2]

  17. Broadcast IP of subnet 2 = 197.10.10.127 [128 - 1, one below the start of subnet 3 (next subnet value - 1)]

Note: Between two routers use a /30 subnet (2 usable addresses)

E.x. Subnet mask 255.255.248.0 (/21) and subnet ID 157.110.248.0
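The borrow-host-bits procedure above, and the earlier split of 192.168.0.0/22 into four /24 subnets, are the same operation: choose a new prefix length and enumerate the equal-size blocks. The following is an added example, not code from the original notes; it uses only the Python standard library and reproduces both worked cases.

```python
"""Subnetting a block into equal-size subnets by CIDR.

Added example, not code from the notes. It reproduces two worked cases from
the notes: splitting 197.10.10.0/24 for 40 hosts per subnet (borrow 2 bits,
/26, mask 255.255.255.192) and splitting 192.168.0.0/22 into four /24s.
Uses only the standard library."""
import ipaddress
from typing import Dict, Optional


def host_bits_for(hosts_needed: int) -> int:
    """Smallest n with 2^n - 2 >= hosts_needed (network and broadcast excluded)."""
    n = 1
    while 2 ** n - 2 < hosts_needed:
        n += 1
    return n


def subnet_plan(base_cidr: str, hosts_needed: Optional[int] = None,
                new_prefix: Optional[int] = None) -> Dict:
    """Split base_cidr into equal subnets.

    Pass hosts_needed to size subnets by host requirement (the method in the
    notes: keep n host bits, give the rest to the network), or new_prefix to
    choose the subnet prefix length directly.
    """
    base = ipaddress.IPv4Network(base_cidr, strict=True)
    if new_prefix is None:
        if hosts_needed is None:
            raise ValueError("give hosts_needed or new_prefix")
        new_prefix = 32 - host_bits_for(hosts_needed)
    if new_prefix < base.prefixlen:
        raise ValueError(f"/{new_prefix} is larger than the base block /{base.prefixlen}")
    subnets = list(base.subnets(new_prefix=new_prefix))
    borrowed = new_prefix - base.prefixlen
    block = subnets[0].num_addresses
    return {
        "new_prefix": new_prefix,
        "subnet_mask": str(subnets[0].netmask),
        "borrowed_bits": borrowed,
        "subnet_count": len(subnets),           # 2^borrowed
        "block_size": block,                    # subnets start every `block` addresses
        "usable_per_subnet": block - 2,
        "subnets": [(str(s.network_address), str(s.broadcast_address)) for s in subnets],
    }


if __name__ == "__main__":
    plan = subnet_plan("197.10.10.0/24", hosts_needed=40)
    print(f"/{plan['new_prefix']} mask {plan['subnet_mask']} "
          f"{plan['subnet_count']} subnets of {plan['usable_per_subnet']} hosts")
    for i, (net, bcast) in enumerate(plan["subnets"], 1):
        print(f"  subnet {i}: {net}/{plan['new_prefix']}  broadcast {bcast}")
```

`strict=True` makes `ipaddress` reject a base such as 197.10.10.5/24 whose host bits are not zero, which catches the common mistake of subnetting from a host address instead of the network ID.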

VPC

  1. VPC: A VPC is a virtual network that closely resembles a traditional network that you'd operate in your own data center. After you create a VPC, you can add subnets.

  2. A VPC is a virtual network or data center inside AWS for one client

  3. In one region you can create a maximum of 5 VPCs and 200 subnets per VPC (default quota)

  4. We can allocate a maximum of 5 Elastic IPs

  5. Once we create a VPC, a DHCP option set, NACL and security group are created automatically

  6. A VPC is confined to an AWS region and does not extend between regions

Q.A.

  1. One VPC cannot extend to a different region -> VPC = one region

  2. The same subnet cannot span another availability zone -> subnet = one availability zone

VPC Component

  1. Once you create a VPC, you cannot change its primary CIDR block range

  2. If you need a different CIDR size, create a new VPC

  3. Different subnets within a VPC cannot overlap

  4. You can however expand your VPC CIDR by adding new/extra IP address ranges (except US GovCloud and China Beijing regions)

Types Of VPC

  1. Default VPC

  2. Cloud VPC

Default VPC:

Created in each AWS region when an AWS account is created

  • Has default CIDR, security group, NACL and route table settings

  • Has an internet gateway by default

Cloud VPC

A VPC that an AWS account owner creates (custom VPC)

  • The AWS user creating the custom VPC decides the CIDR

  • Has its own default security group, network ACL and route table

  • Does not have an internet gateway by default; one needs to be created if needed

Steps to create VPC:

  1. Create a VPC

  2. Create a subnet

  3. Create Internet gateway

  4. Create Route table

Public Subnet:

-> If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet.

-> If you want your instance in a public subnet to communicate with the internet over IPv4, it must have a public IPv4 address or an Elastic IP address.

Private Subnet:

-> If a subnet does not have a route to an internet gateway, the subnet is known as a private subnet.

-> When you create a VPC, you must specify an IPv4 CIDR block for the VPC.

Q.A.

  • The block size is between /16 and /28 netmask

  • The first four and the last IP address of a subnet cannot be assigned

E.x. Subnet 10.0.0.0/24

  1. 10.0.0.0 : Network address

  2. 10.0.0.1 : Reserved by AWS for the VPC router

  3. 10.0.0.2 : Reserved by AWS for the DNS server IP address

  4. 10.0.0.3 : Reserved by AWS for future use

  5. 10.0.0.255 : Broadcast address

Note: AWS does not support broadcast in a VPC but still reserves the address
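The rules collected above (VPC and subnet blocks between /16 and /28, subnets inside the VPC and non-overlapping, five reserved addresses per subnet, and "public" meaning the subnet's route table points at an internet gateway) can be checked before anything is created in the console. The following is an added example, not code from the original notes or from AWS; the sample plan is constructed to match the myVPC exercise, the `rtb-`/`igw-` ids are placeholders, and it assumes the usual AWS convention that the internet-bound route has destination 0.0.0.0/0.

```python
"""Checks for a VPC subnet plan, following the rules in these notes:
the VPC (and each subnet) block is between /16 and /28, subnets lie inside
the VPC block and do not overlap, AWS reserves the first four and the last
address of every subnet, and a subnet is public only when its route table
sends all remaining traffic (0.0.0.0/0) to an internet gateway.

Added example, not code from the notes or from AWS. The sample plan below is
constructed to match the myVPC exercise; the rtb-/igw- ids are placeholders."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample plan (placeholder ids, not real AWS resources)
VPC_CIDR = "192.168.0.0/22"
SUBNETS = {"public": "192.168.1.0/24", "private": "192.168.2.0/24"}
ROUTE_TABLES = {   # route table id -> list of (destination, target); 'local' = implied router
    "rtb-public-PLACEHOLDER": [("192.168.0.0/22", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
    "rtb-private-PLACEHOLDER": [("192.168.0.0/22", "local")],
}
ASSOCIATIONS = {"public": "rtb-public-PLACEHOLDER", "private": "rtb-private-PLACEHOLDER"}


def check_block_size(net: ipaddress.IPv4Network) -> bool:
    """AWS accepts VPC and subnet blocks only between /16 and /28."""
    return 16 <= net.prefixlen <= 28


def validate_plan(vpc_cidr: str, subnets: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    vpc = ipaddress.IPv4Network(vpc_cidr, strict=True)
    problems = []
    if not check_block_size(vpc):
        problems.append(f"VPC {vpc}: block must be between /16 and /28")
    nets = {name: ipaddress.IPv4Network(c, strict=True) for name, c in subnets.items()}
    for name, n in nets.items():
        if not check_block_size(n):
            problems.append(f"{name} {n}: block must be between /16 and /28")
        if not n.subnet_of(vpc):
            problems.append(f"{name} {n} is outside the VPC block {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def aws_reserved(subnet_cidr: str) -> Tuple[List[str], int]:
    """Addresses AWS reserves in a subnet (first four + last) and how many remain usable."""
    n = ipaddress.IPv4Network(subnet_cidr, strict=True)
    reserved = [str(n.network_address + i) for i in range(4)] + [str(n.broadcast_address)]
    return reserved, n.num_addresses - 5


def is_public(route_table: List[Tuple[str, str]]) -> bool:
    """Public subnet = its route table has a default route whose target is an internet gateway."""
    return any(dest == "0.0.0.0/0" and target.startswith("igw-") for dest, target in route_table)


def classify(subnets: Dict[str, str], associations: Dict[str, str],
             route_tables: Dict[str, List[Tuple[str, str]]]) -> Dict[str, str]:
    """Label each subnet public or private from the route table it is associated with."""
    return {name: ("public" if is_public(route_tables[associations[name]]) else "private")
            for name in subnets}


if __name__ == "__main__":
    print("problems:", validate_plan(VPC_CIDR, SUBNETS) or "none")
    print("reserved in public subnet:", aws_reserved(SUBNETS["public"]))
    print("classification:", classify(SUBNETS, ASSOCIATIONS, ROUTE_TABLES))
```

Note that a default route whose target is a NAT gateway does not make a subnet public; only an `igw-` target does, which is exactly the distinction between the public and private route tables in the exercise.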

Implied Router | Route Table | Internet Gateway

  • The implied router is the central routing function of the VPC

  • It connects the different AZs (Availability Zones) together and connects the VPC to the internet gateway

  • You can have 200 route tables per VPC

  • You can have up to 50 route entries per route table

  • Each subnet must be associated with exactly one route table at any given time

  • If you do not specify a subnet-to-route-table association, the subnet is associated with the main route table of the VPC

  • You can edit the main route table if you need to, but you cannot delete the main route table

  • However, you can manually make a custom route table the main route table and then delete the former main, as it is no longer the main route table

  • You can associate multiple subnets with the same route table

Internet Gateway

  • An internet gateway is a virtual router that connects a VPC to the internet

  • The default VPC already has an internet gateway attached; for a custom VPC you need to connect it to the internet manually

  • If you create a new VPC, you must attach an internet gateway in order to access the internet

  • Ensure that your subnet's route table points to the internet gateway

  • It performs NAT between the instance's private IPv4 address and its public IPv4 address

  • An internet gateway supports both IPv4 and IPv6

NAT Gateway (Network Address Translation):

-> Main use: translation between private and public addresses, so that private-subnet instances can reach the internet

-> A NAT gateway can use only an Elastic IP; a NAT instance can use either a public IP or an Elastic IP

-> A NAT gateway is always placed in a public subnet

You can use a NAT gateway to enable instances in a private subnet to connect to the internet or other AWS services, but prevent the internet from initiating a connection with those instances

  • You are charged for creating and using a NAT gateway in your account: NAT gateway hourly usage and data processing rates apply, and Amazon EC2 data transfer charges also apply

  • To create a NAT gateway, you must specify the public subnet in which the NAT gateway should reside

  • You must also specify an Elastic IP address to associate with the NAT gateway when you create it

  • No need to assign a public IP address to your private instance

  • A private-subnet instance sends its request to the NAT gateway, which rewrites the source IP and port and forwards it through the IGW to the internet; a host on the outside network can never initiate a request into the private subnet

  • After you have created a NAT gateway, you must update the route table associated with one or more of your private subnets to point internet-bound traffic to the NAT gateway; this enables instances in your private subnet to communicate with the internet

  • Deleting a NAT gateway disassociates its Elastic IP address but does not release the address from your account

  • You need to release the Elastic IP manually (Elastic IPs -> Actions -> Release); otherwise it keeps being billed

Security Groups

  • A security group is a virtual firewall that works at the ENI level (ENI = elastic network interface, the instance's virtual network interface card)

  • Up to 5 security groups can be applied per EC2 instance interface

  • Can only have permit (allow) rules; cannot have deny rules

  • Stateful: inbound rules control traffic going to the instance's ports and outbound rules control traffic leaving it, and return traffic for allowed inbound traffic is allowed out even if there is no outbound rule for it

Q.A.

  1. A security group is applied at the EC2 instance (ENI) level

  2. A NACL is applied at the subnet level, inside the VPC

  3. A security group only has allow rules; there is no deny rule option

  4. A NACL has both options: allow and deny rules

Network ACL (works at subnet level)

  • It is a function performed on the implied router

  • It functions at the subnet level (works at subnet level)

  • Security is applied at the router level

  • A NACL is an optional layer of your VPC that acts as a firewall for controlling traffic in and out of one or more subnets

  • Your VPC automatically comes with a modifiable default network ACL; by default it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic

  • You can create a custom network ACL and associate it with a subnet; by default each custom network ACL denies all inbound and outbound traffic until you add rules

  • Default NACL = allows all traffic by default

  • Custom NACL = denies all traffic by default

  • Rule 50, Rule 100, Rule 150 -> rules are evaluated in ascending order, so the lowest-numbered matching rule decides

  • A network ACL can be associated with multiple subnets

  • However, a subnet can be associated with only one network ACL at a time

  • Each subnet in your VPC must be associated with a network ACL

  • If you don't explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL

  • The highest rule number is 32766

  • It is recommended to make rule numbers multiples of 100, e.g. Rule 100, Rule 200, Rule 300, so that rules can be inserted between them later

  • A NACL is stateless (you need to allow both directions, inbound and outbound)

  • You can have both allow and deny rules in a NACL

Difference between Security group and NACL

   | Security Group                                    | NACL
 1 | Operates at instance level                        | Operates at subnet level
 2 | Supports allow rules only                         | Supports allow as well as deny rules
 3 | Stateful, return traffic is automatically allowed | Stateless, return traffic must be explicitly allowed by rules
 4 | Applies to an instance only                       | Applies to all instances in the subnet
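The behavioural differences in the security group and NACL sections above (lowest rule number wins, custom NACL denies by default, stateless reply traffic needs its own rule, security groups are allow-only and stateful) are easiest to see by modelling the evaluation. The following is an added example, not code from the original notes or from AWS; the rule sets are constructed, and it assumes the reply to a TCP request returns to an ephemeral client port in the 1024-65535 range.

```python
"""Security group (stateful, allow-only) vs network ACL (stateless, numbered
allow/deny rules) evaluation.

Added example, not code from the notes or AWS. It models the rules stated
above: NACL rules are tried in ascending rule number and the first match
wins, a custom NACL denies everything until rules are added, reply traffic
needs its own rule in the other direction, while a security group has only
allow rules and admits the reply to an allowed connection automatically.
The sample rule sets below are constructed."""
from dataclasses import dataclass, field
from typing import List, Tuple

EPHEMERAL = (1024, 65535)   # client-side reply ports a stateless NACL must allow explicitly


@dataclass
class NaclRule:
    number: int       # 1..32766; lower number = evaluated first
    action: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp", "icmp" or "all"
    port_lo: int
    port_hi: int

    def matches(self, protocol: str, port: int) -> bool:
        return self.protocol in ("all", protocol) and self.port_lo <= port <= self.port_hi


def nacl_decision(rules: List[NaclRule], protocol: str, port: int) -> str:
    """First matching rule by ascending number decides; the implicit final '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port):
            return rule.action
    return "deny"


def nacl_allows_connection(inbound: List[NaclRule], outbound: List[NaclRule],
                           protocol: str, dst_port: int, client_port: int) -> bool:
    """Stateless: the request (inbound) and the reply (outbound, to the client's port) both need an allow."""
    return (nacl_decision(inbound, protocol, dst_port) == "allow"
            and nacl_decision(outbound, protocol, client_port) == "allow")


@dataclass
class SecurityGroup:
    inbound: List[Tuple[str, int, int]] = field(default_factory=list)   # (protocol, lo, hi), allow only

    def allows_connection(self, protocol: str, dst_port: int) -> bool:
        """Stateful: an allowed inbound request implies the reply is allowed; no outbound rule needed."""
        return any(p in ("all", protocol) and lo <= dst_port <= hi for p, lo, hi in self.inbound)


# Constructed custom NACL: web and SSH in, ephemeral reply ports out
WEB_IN = [NaclRule(100, "allow", "tcp", 80, 80), NaclRule(200, "allow", "tcp", 22, 22)]
WEB_OUT = [NaclRule(100, "allow", "tcp", *EPHEMERAL)]


def demo() -> dict:
    """The decisions a practitioner checks when debugging 'why is my request dropped'."""
    return {
        # both directions allowed -> HTTP works
        "http_with_reply_rule": nacl_allows_connection(WEB_IN, WEB_OUT, "tcp", 80, 40000),
        # forgot the outbound ephemeral rule on a custom NACL -> the reply is dropped
        "http_without_reply_rule": nacl_allows_connection(WEB_IN, [], "tcp", 80, 40000),
        # a lower-numbered deny wins over the later allow
        "deny_50_beats_allow_100": nacl_decision(WEB_IN + [NaclRule(50, "deny", "tcp", 80, 80)], "tcp", 80),
        # security group: same HTTP allow, reply handled by state tracking
        "sg_http": SecurityGroup([("tcp", 80, 80)]).allows_connection("tcp", 80),
        "sg_https_not_opened": SecurityGroup([("tcp", 80, 80)]).allows_connection("tcp", 443),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `http_without_reply_rule` case is the classic custom-NACL mistake: the inbound port 80 rule exists, the request reaches the instance, and the response is silently dropped on the way out because nothing allows the ephemeral reply port.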

VPC Peering

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses

  • Instances in either VPC can communicate with each other as if they were within the same network

  • You can create a VPC peering connection between your own VPCs or with a VPC in another AWS account. The VPCs can be in different regions

  • Transitive peering

  • -> VPC-A peers with VPC-B and VPC-B peers with VPC-C, but VPC-A cannot automatically communicate with VPC-C; VPC peering does not support transitive peering