Networking within an AWS VPC is the foundational infrastructure that enables the secure and efficient operation of cloud resources. It provides a controlled environment where users can create isolated networks (known as VPCs) and define the rules governing communication between these resources.
Within a VPC, subnets are established. Subnets are like distinct neighborhoods within your VPC, allowing resources to be organized and segregated. You can control whether outside users are able to reach your resources by placing them in public or private subnets.
To enable communication between resources in the VPC and the internet, an internet gateway (IGW) is attached to the VPC. It serves as the entry and exit point for data, facilitating the secure flow of traffic.
Like resources in public subnets, the EC2 instances and other services that reside in your private subnets may still require limited connectivity to the internet. This topic is dealt with next.
In AWS, a NAT gateway is a managed network service that provides outbound internet connectivity for resources in a private subnet within a VPC.
When you have instances in a private subnet, they cannot communicate with the internet by default. Even if you have attached an IGW to the VPC, you still want to keep your private instances away from direct internet access. This is where a NAT instance or a NAT gateway comes into play.
The primary role of a NAT gateway is to enable instances within a private subnet to reach the internet and receive the response traffic that comes back, while blocking inbound connections that the instances did not request.
A NAT gateway is a stateful service. It keeps track of the connections initiated from the private subnet and ensures that the response traffic from the internet reaches the correct instance in the subnet. A NAT gateway also provides better scalability and performance than a standalone NAT instance because it is a managed service provided by AWS and scales automatically with network traffic demand.
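The following toy model, added here as an illustration and not code from AWS or from the original text, shows what "stateful" means in practice: an outbound packet from a private instance creates a translation entry, a reply that matches that entry is forwarded back to the right instance, and anything from the internet that matches no entry is dropped. The IP addresses and ports are constructed (documentation ranges), and the `NatGateway`/`Packet` names are the example's own.

```python
"""Toy model of a stateful NAT gateway (added example, not AWS code).

Outbound packets create a connection-table entry; only inbound packets that
answer a tracked flow are translated back to the originating private instance.
Unsolicited inbound packets are dropped. All addresses below are constructed.
"""
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    """Port-address translation with a connection table keyed on the private flow."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._next_port = count(first_port)
        # (private_ip, private_port, remote_ip, remote_port, proto) -> public port
        self.outbound: dict = {}
        # (public_port, remote_ip, remote_port, proto) -> (private_ip, private_port)
        self.inbound: dict = {}

    def send_outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private subnet and record the flow."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        port = self.outbound.get(key)
        if port is None:  # first packet of this flow: allocate a public port
            port = next(self._next_port)
            self.outbound[key] = port
            self.inbound[(port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def receive_inbound(self, pkt: Packet):
        """Forward an internet packet only if it answers a tracked flow; otherwise drop (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        target = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if target is None:
            return None  # unsolicited: no private instance asked for this
        priv_ip, priv_port = target
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)


def demo():
    """Two private instances reach the same remote service; one stranger knocks."""
    nat = NatGateway("203.0.113.10")  # constructed public address
    out_a = nat.send_outbound(Packet("10.0.2.15", 40000, "198.51.100.7", 443))
    out_b = nat.send_outbound(Packet("10.0.2.16", 40000, "198.51.100.7", 443))
    # replies arrive at the NAT's public IP on the translated ports
    reply_a = nat.receive_inbound(Packet("198.51.100.7", 443, "203.0.113.10", out_a.src_port))
    reply_b = nat.receive_inbound(Packet("198.51.100.7", 443, "203.0.113.10", out_b.src_port))
    # an internet host opening a new connection to the NAT is dropped
    unsolicited = nat.receive_inbound(Packet("192.0.2.99", 5555, "203.0.113.10", 22))
    return out_a, out_b, reply_a, reply_b, unsolicited


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Note that both private instances used the same source port (40000); the gateway disambiguates their replies by the public port it allocated, which is why the connection table, not the address alone, is what makes the service stateful.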
To use a NAT gateway, you must create the NAT gateway in a public subnet and configure the private subnet to route its traffic destined for the internet through the NAT gateway.
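The two requirements in the paragraph above (the NAT gateway lives in a public subnet, and the private subnet's internet-bound route points at it) are easy to get wrong in a growing account. The script below, an added example rather than AWS code or part of the original text, audits route tables for exactly those conditions. The input dictionaries are constructed to mirror the field names used by `aws ec2 describe-route-tables` and `describe-nat-gateways` output (`Routes`, `DestinationCidrBlock`, `GatewayId`, `NatGatewayId`, `Associations`, `SubnetId`); the resource IDs are placeholders, and the `audit`/`classify_subnets` functions are the example's own.

```python
"""Audit VPC route tables for the NAT-gateway pattern (added example, not AWS code).

Data below is constructed; IDs ending in -EXAMPLE are placeholders, not real resources.
"""

VPC_CIDR = "10.0.0.0/16"

ROUTE_TABLES = [
    {"RouteTableId": "rtb-public-EXAMPLE",
     "Associations": [{"SubnetId": "subnet-public-EXAMPLE"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
    {"RouteTableId": "rtb-app-EXAMPLE",  # correct: private subnet egresses via a NAT gateway
     "Associations": [{"SubnetId": "subnet-app-EXAMPLE"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-ok-EXAMPLE"}]},
    {"RouteTableId": "rtb-db-EXAMPLE",  # wrong: "private" subnet routed straight to the IGW
     "Associations": [{"SubnetId": "subnet-db-EXAMPLE"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
    {"RouteTableId": "rtb-batch-EXAMPLE",  # wrong: its NAT gateway sits in a non-public subnet
     "Associations": [{"SubnetId": "subnet-batch-EXAMPLE"}],
     "Routes": [{"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-misplaced-EXAMPLE"}]},
]

NAT_GATEWAYS = [
    {"NatGatewayId": "nat-ok-EXAMPLE", "SubnetId": "subnet-public-EXAMPLE"},
    {"NatGatewayId": "nat-misplaced-EXAMPLE", "SubnetId": "subnet-app-EXAMPLE"},
]

# Subnets the operator intends to be private (constructed for this example).
INTENDED_PRIVATE = ["subnet-app-EXAMPLE", "subnet-db-EXAMPLE", "subnet-batch-EXAMPLE"]


def default_route(rtb):
    """Return the 0.0.0.0/0 route of a route table, or None if it has none."""
    for route in rtb["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def classify_subnets(route_tables):
    """Map each explicitly associated subnet to ('public' | 'nat' | 'isolated' | 'other', route).

    A subnet is public when its default route targets an internet gateway. Subnets with
    no explicit association fall back to the VPC main route table, which is out of scope here.
    """
    kinds = {}
    for rtb in route_tables:
        route = default_route(rtb)
        if route is None:
            kind = "isolated"
        elif route.get("GatewayId", "").startswith("igw-"):
            kind = "public"
        elif route.get("NatGatewayId"):
            kind = "nat"
        else:
            kind = "other"
        for assoc in rtb["Associations"]:
            if "SubnetId" in assoc:
                kinds[assoc["SubnetId"]] = (kind, route)
    return kinds


def audit(route_tables, nat_gateways, intended_private):
    """Return human-readable findings for subnets that violate the private-subnet pattern."""
    findings = []
    kinds = classify_subnets(route_tables)
    nat_by_id = {n["NatGatewayId"]: n for n in nat_gateways}
    for subnet in intended_private:
        kind, route = kinds.get(subnet, ("isolated", None))
        if kind == "public":
            findings.append(f"{subnet}: meant to be private but its default route targets {route['GatewayId']}")
        elif kind == "nat":
            nat = nat_by_id.get(route["NatGatewayId"])
            if nat is None:
                findings.append(f"{subnet}: default route targets unknown NAT gateway {route['NatGatewayId']}")
            elif kinds.get(nat["SubnetId"], ("isolated", None))[0] != "public":
                findings.append(f"{nat['NatGatewayId']}: sits in {nat['SubnetId']}, which has no IGW "
                                f"default route, so instances behind it cannot reach the internet")
    return findings


if __name__ == "__main__":
    for line in audit(ROUTE_TABLES, NAT_GATEWAYS, INTENDED_PRIVATE):
        print(line)
```

Against the constructed data the audit flags the database subnet, whose default route bypasses the NAT gateway entirely, and the misplaced NAT gateway, which can never forward traffic because its own subnet has no path to the IGW. To run it on a real account, replace the constructed lists with the output of the two `describe-*` calls named above.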
As you just learned, placing resources in a private subnet does not mean they are cut off from internet access. In the next section, you will see how to use different techniques to tie multiple VPCs together to form a more extensive network.
As you and your team build your accounts, you will likely have more than one VPC for each account. If you operate in multiple Regions, there will need to be at least one VPC per account per Region. As you segment out your network for different purposes, different VPCs (both public and private) hold various resources, and the traffic routed to those VPCs follows a set of rules that can sometimes become complex. You need to have a way to connect these various VPCs, whether they be in the same account or across disparate accounts.