How AWS Cloud handles internet access for your servers

When you deploy applications on AWS, your servers—known as instances—are hosted in the cloud. These instances are virtual machines that run your applications, databases, or any other software you need. But how do you control who can reach them? How do you make sure some instances can connect to the internet while others remain hidden from it? That's where Internet Gateways come in.

In this article, I'll walk you through how your servers are deployed on AWS and how their access to the internet is managed. We will cover Virtual Private Clouds (VPCs), public and private subnets, and Internet Gateways.

What is a VPC? Your private network on AWS Cloud

An instance is simply a virtual server you create on AWS. Whenever you launch an instance, it is placed in a subnet inside a Virtual Private Cloud (VPC). But what do those terms mean?

A VPC (Virtual Private Cloud) is your private network in AWS Cloud, isolated from other networks. It is a virtual network that closely resembles a traditional network you would operate in your own data center. No one outside your VPC can reach it unless you explicitly allow them to, and you can create multiple VPCs in a given region.

Virtual Private Cloud and EC2 Instances

A Virtual Private Cloud lets you control the network settings for your resources in a secure, isolated environment. You decide which instances (servers) can reach the internet, which ones can only communicate within the VPC, and how each instance interacts with other resources.

Here are some characteristics of your VPC:

  1. Network Isolation: Your VPC is completely isolated from other AWS customers, ensuring your resources are private.
  2. Customizable Network: You control the IP address range, subnets, routing, and gateways in your VPC.
  3. Expandable: You can create multiple subnets, gateways, and security rules to organize and scale your network as needed.

Subnets: How your Virtual Private Cloud is organized

A Virtual Private Cloud (VPC) is divided into subnets. Each time you deploy an instance, it is placed inside a subdivision of the VPC called a subnet. A subnet is simply a way to split your VPC into smaller, manageable parts. This helps you organize your resources and control their access.

Each subnet is created inside a specific Availability Zone (AZ). Availability Zones are isolated data centers located within a region. A single Availability Zone can hold multiple subnets, but a subnet cannot span more than one Availability Zone. By spreading subnets across multiple AZs, you make your infrastructure more resilient—if one Availability Zone goes down, the others remain unaffected.

Subnets inside a Virtual Private Cloud

Security-wise, you can use network access control lists (NACLs) and security groups to allow or block traffic between subnets, or between a subnet and the internet.

Subnets are generally categorized as public or private:

  • Public subnets: Designed for instances that need direct access to the internet.
  • Private subnets: Used for instances that should remain isolated and inaccessible from the public internet.

Private and Public Subnets

In summary: an instance lives inside a subnet, which in turn exists inside a VPC. This structure gives you full control over how resources connect and communicate.

Inside your VPC, there is a VPC router that handles traffic between subnets and ensures data flows correctly within the VPC.

Enabling internet access for instances in a public subnet: the Internet Gateway

Instances located in public subnets send and receive internet traffic through an Internet Gateway. It serves as a bridge between your VPC's public subnets and the public internet. Without an Internet Gateway, your instances cannot send traffic to, or receive traffic from, the internet.

An Internet Gateway serves as a bridge between your VPC's public subnets, and the public internet

Why Use an Internet Gateway?

  • To manage outbound and inbound traffic: an Internet Gateway allows your instances in public subnets (or other resources) to communicate with the internet. For example, a web server that has to receive traffic from users located around the world.
  • To handle scalability: the Internet Gateway scales automatically with your VPC traffic, so you don't need to worry about it becoming a performance bottleneck.

You can assign a public IPv4 address to instances located in your public subnets. One important thing to remember is that an instance is never aware of its own "public" IPv4 address. It only knows the private (internal) IP address assigned to it from the VPC and subnet it belongs to.

The Internet Gateway logically provides one-to-one NAT on behalf of your instance:

  • The instance sends a packet with its private IP as the source address.
  • When the packet reaches the Internet Gateway, the gateway replaces the private source IP with the instance's public IP.
  • The packet is routed to the external destination.
  • When the response comes back, the Internet Gateway reverses the process, translating the public destination IP back to the private IP and delivering the packet to the instance.

Instances in a public subnet are not aware of their own public IP

This translation ensures that your instances can communicate with the internet while still being part of your private network.
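The following model, added here as an illustration rather than code from the article, puts the two ideas above together: a subnet is "public" only when its route table carries a default route to the Internet Gateway, and the gateway performs a one-to-one NAT between the instance's private IP and its assigned public IPv4. The VPC layout, instance addresses and the `igw-EXAMPLE` id are constructed sample values.

```python
import ipaddress

# Constructed sample VPC: one public subnet (default route to the IGW) and one
# private subnet (only the implicit local route, so no path to the internet).
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = {
    "public-a": {"cidr": ipaddress.ip_network("10.0.1.0/24"),
                 "routes": {"0.0.0.0/0": "igw-EXAMPLE"}},
    "private-a": {"cidr": ipaddress.ip_network("10.0.2.0/24"),
                  "routes": {}},
}
# Constructed instances: private IP -> public IPv4 (None if none was assigned).
# Public addresses come from the documentation range 203.0.113.0/24.
INSTANCES = {
    "10.0.1.10": "203.0.113.10",  # web server in the public subnet
    "10.0.2.20": None,            # database in the private subnet
}

def subnet_of(ip):
    """Return the name of the subnet containing ip, or None if outside the VPC."""
    addr = ipaddress.ip_address(ip)
    if addr not in VPC_CIDR:
        return None
    for name, subnet in SUBNETS.items():
        if addr in subnet["cidr"]:
            return name
    return None

def has_internet_route(subnet_name):
    """A subnet is public when its route table points a route at an IGW."""
    return any(t.startswith("igw-") for t in SUBNETS[subnet_name]["routes"].values())

def igw_outbound(src_private, dst):
    """Model the IGW's one-to-one NAT for a packet leaving an instance.
    Returns the (source, destination) pair seen on the internet, or None
    if the packet can never reach the gateway."""
    name = subnet_of(src_private)
    if name is None or not has_internet_route(name):
        return None  # no route to the IGW: the VPC router never forwards it
    public = INSTANCES.get(src_private)
    if public is None:
        return None  # no public IPv4 assigned: nothing to translate to
    return (public, dst)  # the instance itself only ever saw src_private

def igw_inbound(src_external, dst_public):
    """Reverse translation for the reply: public IP -> private IP of the instance."""
    for private, public in INSTANCES.items():
        if public == dst_public and has_internet_route(subnet_of(private)):
            return (src_external, private)
    return None  # unknown public address: dropped at the gateway
```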

Conclusion

VPCs, subnets, and Internet Gateways form the backbone of AWS networking. VPCs give you a private space to organize your resources. Subnets divide that space into public and private sections. Internet Gateways provide direct internet access for public resources.
