Unlocking the Power of Virtual Private Clouds (VPC): Understanding, Implementing and Optimizing
Myles Munroe once said, and I quote, "when purpose is not known, abuse is inevitable". That being said, I am embarking on this series to shed light on the concept of the virtual private cloud, widely known by its short form, VPC. This series achieves two things: on one hand it lets me solidify my own understanding of the concept, and on the other it aims to ease the struggles others might be going through trying to understand it concretely.
I will break the concepts down as if they were being explained to children. To achieve this, I have split the series into three parts, as hinted in the title, with this being the first.
Understanding
What exactly are virtual private clouds (VPCs)?
As the name suggests, a VPC is your own network environment inside a cloud provider: it is logically isolated from every other customer's network (private) while still running on the provider's shared infrastructure (virtual). Nothing inside a VPC is reachable from the internet until you deliberately attach a gateway and write a route to it, which is why the VPC is the foundation of cloud network security. Think of the cloud as a mansion with many rooms, and your VPC as a room in that mansion that starts out with no doors in or out; every door that later exists is one you chose to build.
VPCs are made up of components
Before we dive into the components that make up a VPC, I'd like to shed some light on an attribute that is crucial to the entire structure of VPCs and their components: CIDR (Classless Inter-Domain Routing). It is a way of identifying a group of IP addresses that all belong to the same network.
To dig a little deeper, think of an IP address like a phone number. Just as phone numbers are divided into area codes and prefixes, CIDR notation lets us specify how many bits of the IP address identify the network and how many identify the individual device.
Let's break down a sample block, "192.148.1.0/24", to understand how CIDR notation works. An IPv4 address is 32 bits long. The number after the slash says how many of those bits, counting from the left, name the network: here the first 24 bits (192.148.1) are fixed, and the remaining 8 bits identify the device. Eight host bits give 2^8 = 256 addresses, so the block runs from 192.148.1.0 to 192.148.1.255, and its netmask is 255.255.255.0.
So, what does that mean in practical terms?
In simple terms, CIDR notation is just a way of grouping together a bunch of IP addresses that are part of the same network, based on how they are structured. The smaller the number after the slash, the bigger the block: a /16 covers 65,536 addresses, a /24 covers 256 and a /28 covers 16. That grouping is what routing traffic between networks and writing access control rules for devices on the network are built on.
Now that we have established that basis, we can progress to the components that make up VPCs.
Subnet:
Following the analogy of a VPC as a doorless room within a mansion, subnets can be looked at as further rooms or demarcations within that doorless room. Alternatively, think of a subnet as a neighborhood within a city: just as a city is made up of many neighborhoods, a network can be divided into many subnets.
Let's look at things practically. Take the address block 182.168.0.0/24, which runs from 182.168.0.0 to 182.168.0.255 (an octet never goes above 255). You could divide this network into two subnets by creating one from 182.168.0.0 to 182.168.0.127 (182.168.0.0/25) and another from 182.168.0.128 to 182.168.0.255 (182.168.0.128/25). In a real VPC you would pick the block from the private ranges reserved by RFC 1918 (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16) rather than a public range such as 182.168.0.0. On AWS a VPC CIDR must be between /16 and /28, and every subnet loses five addresses (the first four and the last) that AWS reserves for itself, so a /25 subnet yields 123 usable addresses, not 128.
Devices within each subnet can communicate with each other directly, but traffic from one subnet to another has to pass through a router.
A router in this case is a device that connects different subnets together, allowing devices in one subnet to communicate with devices in another. Think of a router like a traffic cop at an intersection: just as the cop controls the flow of cars between different streets, a router controls the flow of data between different subnets. More on this in a bit.
Subnets are overall useful because they allow you to organize your network and control how devices can communicate with each other. They're especially important in large networks with many devices, where it's helpful to break things down into smaller, more manageable chunks.
Above is an illustration of a VPC with two subnets, depicted on AWS: one public, which users on the internet can reach, and one private, which the internet cannot reach directly but other subnets in the VPC can.
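As an added example that is not part of the original article, here is how the CIDR arithmetic above and the two-way subnet split can be checked with Python's standard ipaddress module. The VPC-level rules it enforces (a /16 to /28 prefix, five reserved addresses per subnet, RFC 1918 ranges) are the AWS ones; the CIDR blocks are the article's own sample values, and the function names are this example's, not any library's.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet
# (network, VPC router, DNS, reserved for future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5

# Private ranges from RFC 1918; a VPC CIDR should come from one of these.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def describe_cidr(cidr: str) -> dict:
    """Split a CIDR block into the pieces described in the text above."""
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network_bits": net.prefixlen,
        "host_bits": net.max_prefixlen - net.prefixlen,
        "first": str(net.network_address),
        "last": str(net.broadcast_address),
        "total_addresses": net.num_addresses,
        "netmask": str(net.netmask),
    }


def split_subnets(vpc_cidr: str, new_prefix: int) -> list:
    """Carve a VPC block into equal subnets with the given prefix length."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if new_prefix <= vpc.prefixlen:
        raise ValueError("a subnet prefix must be longer than the VPC prefix")
    return [str(s) for s in vpc.subnets(new_prefix=new_prefix)]


def usable_hosts_aws(subnet_cidr: str) -> int:
    """Addresses actually available to instances once AWS takes its five."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def validate_vpc_cidr(cidr: str) -> list:
    """Return the problems with a proposed VPC CIDR; an empty list means it is acceptable."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        # e.g. "182.168.0.1/24" is not a network address: host bits are set
        return [f"not a valid CIDR block: {exc}"]
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append("AWS requires a VPC CIDR between /16 and /28")
    if not any(net.subnet_of(block) for block in RFC1918):
        problems.append("not in an RFC 1918 private range")
    return problems


if __name__ == "__main__":
    print(describe_cidr("192.148.1.0/24"))
    print(split_subnets("182.168.0.0/24", 25))   # the two halves from the text
    print(usable_hosts_aws("182.168.0.0/25"))    # 128 - 5
    print(validate_vpc_cidr("182.168.0.0/24"))   # public range: flagged
    print(validate_vpc_cidr("10.0.0.0/16"))      # []
```

The strict=True flag is deliberate: a block written with host bits set (182.168.0.1/24) is a common typo in VPC templates, and rejecting it early is cheaper than debugging overlapping subnets later.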
Routing Table:
A routing table is like a map that helps a router find the path on which to send data packets between networks. In the doorless-room analogy, the routing table is how data finds its way between the room and its sub-rooms; just as you might use a map to find the route from your house to a friend's house, a router uses a routing table to work out where to send data from one network to another.
A routing table is basically a list of instructions that tells the router where to send packets depending on their destination address. Each entry names a destination range in CIDR notation and the target that reaches it. In a VPC every route table starts with a "local" entry covering the VPC's own CIDR, which is what lets the subnets reach one another without any configuration on your part.
When a router receives a packet, it compares the destination IP address to the entries in its routing table and forwards it along the most specific matching entry (the longest prefix wins, so a /24 route beats a /16 route that also covers the address). The "default gateway" of a traditional network shows up in a VPC route table as the catch-all entry 0.0.0.0/0. If a packet matches nothing, not even a default route, the router has nowhere to send it and drops it. This is exactly how a private subnet stays private: its route table simply has no 0.0.0.0/0 entry pointing at an internet gateway.
Let's not forget that a router is a physical or virtual device that connects two or more networks together and forwards packets between them. In a VPC it is an implicit, provider-managed component rather than something you install; it is the traffic cop at the intersection, directing traffic from one network to another.
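The longest-prefix-match lookup described above, as an added example that is not from the original article. The route tables are constructed for a hypothetical 10.0.0.0/16 VPC, the igw-/pcx- targets are invented AWS-style labels, and the public destination addresses come from the RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed route tables for two subnets of a 10.0.0.0/16 VPC. The targets are
# AWS-style labels invented for this example; "local" is the VPC's implicit router.
PUBLIC_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("192.168.0.0/16", "pcx-a"),    # peering to a whole remote VPC
    ("192.168.1.0/24", "pcx-b"),    # a more specific route to one remote subnet
    ("0.0.0.0/0", "igw-0example"),  # the default route: everything else to the internet gateway
]

ISOLATED_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),       # no default route at all
]


def lookup_route(route_table, destination: str):
    """Return the target of the most specific route covering destination, or None.

    Longest prefix wins: a /24 entry beats a /16 entry that also contains the
    address. With no match at all, not even 0.0.0.0/0, the packet is dropped.
    """
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def trace(route_table, destination: str) -> list:
    """Every route that covers destination, most specific first; handy when a
    table behaves unexpectedly and you want to see which entries competed."""
    dst = ipaddress.ip_address(destination)
    matches = [(cidr, target) for cidr, target in route_table
               if dst in ipaddress.ip_network(cidr)]
    return sorted(matches, key=lambda m: -ipaddress.ip_network(m[0]).prefixlen)


if __name__ == "__main__":
    for dst in ("10.0.1.4", "192.168.1.7", "192.168.2.7", "192.0.2.10"):
        print(dst, "->", lookup_route(PUBLIC_ROUTE_TABLE, dst), trace(PUBLIC_ROUTE_TABLE, dst))
    print("192.0.2.10 from isolated subnet ->", lookup_route(ISOLATED_ROUTE_TABLE, "192.0.2.10"))
```

The None result for the isolated table is the whole point of a private subnet: it is not a firewall rule that blocks the traffic, it is the absence of any route that could carry it.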
Network ACLs:
Now that we understand what VPCs are, how subnets can be seen as subsets of VPCs, how routing tables keep track of the IP address ranges of the different subnets, and how routers use them to deliver data to the right one, we can look at the first layer of traffic filtering.
A Network Access Control List (NACL) is like a bouncer at a party who decides who gets to come in and who doesn't. It is a security feature that controls which traffic is allowed to enter or leave a subnet.
An ACL is basically a set of rules that determines which traffic may cross a network boundary, such as the edge of a subnet. Each rule specifies a particular type of traffic (based on source and destination IP addresses, ports and protocol) and whether that traffic is allowed or denied. NACL rules are numbered and evaluated in ascending order; the first rule that matches decides, and anything that matches no rule is denied. NACLs are also stateless: they do not remember that a request went out, so the reply coming back has to be permitted by its own rule, which in practice means an allow rule for the ephemeral port range 1024-65535 on the return direction.
For example, suppose the ACL on your network boundary says "allow traffic from devices on the local network out to the internet, but deny traffic coming in from outside". Devices on your home or office network can reach the internet (they are on the "local" side), while someone trying to connect into your network from the internet is blocked. Because the list is stateless, "allow out" on its own is not enough: the replies to those outbound requests arrive as inbound traffic and need their own allow rule, or the web pages never come back.
Security Groups:
A security group is similar to a NACL in that it determines what traffic is allowed to reach an instance in the cloud environment. The major differences are that a NACL applies at the subnet level while a security group applies at the instance level (strictly, to the instance's network interface); a NACL supports both allow and deny rules while a security group supports only allow rules, with everything else implicitly denied; and a NACL is stateless while a security group is stateful, so once a security group allows a request it automatically allows the matching reply. A well-designed VPC uses both: security groups as the fine-grained, per-workload rule set, and NACLs as a coarse subnet-wide backstop, for instance to deny a known-bad address range outright.
Above is an example of an AWS implementation showing at what point routing tables, NACLs, security groups and routers come into play.
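To make the stateless-versus-stateful distinction concrete, here is an added simulation (not code from the article or from AWS) of how a NACL and a security group judge the same traffic. The Packet and Rule types, the rule semantics and the web-server scenario are all constructed for this example; the addresses outside the VPC come from the RFC 5737 documentation ranges, and the security group is deliberately given no outbound rule, unlike the AWS default group, so that the difference shows.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    number: int      # NACLs evaluate rules in ascending number order; first match wins
    direction: str   # "in" or "out", relative to the protected subnet or instance
    proto: str       # "tcp", "udp" or "all"
    cidr: str        # remote range: packet source for "in", packet destination for "out"
    ports: tuple     # inclusive (low, high) range matched against the packet's destination port
    action: str = "allow"


def rule_matches(rule: Rule, direction: str, pkt: Packet) -> bool:
    if rule.direction != direction or rule.proto not in ("all", pkt.proto):
        return False
    remote = pkt.src if direction == "in" else pkt.dst
    low, high = rule.ports
    return (ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)
            and low <= pkt.dport <= high)


class NetworkAcl:
    """Stateless subnet filter: every packet, replies included, is judged on its own."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def decide(self, direction: str, pkt: Packet) -> str:
        for rule in self.rules:
            if rule_matches(rule, direction, pkt):
                return rule.action
        return "deny"  # the implicit "*" rule at the end of every NACL


class SecurityGroup:
    """Stateful per-instance filter: allow rules only, and replies to allowed traffic pass."""

    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]  # deny rules do not exist here
        self._flows = set()

    def decide(self, direction: str, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self._flows:
            return "allow"  # reply to a connection that was already allowed
        for rule in self.rules:
            if rule_matches(rule, direction, pkt):
                self._flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
                return "allow"
        return "deny"


def web_server_scenario() -> dict:
    """Constructed traffic: a web server at 10.0.1.10 serving clients on the internet."""
    request = Packet("203.0.113.5", "10.0.1.10", "tcp", 51000, 80)
    reply = Packet("10.0.1.10", "203.0.113.5", "tcp", 80, 51000)
    bad_client = Packet("198.51.100.7", "10.0.1.10", "tcp", 40000, 80)
    outbound_new = Packet("10.0.1.10", "192.0.2.10", "tcp", 45000, 443)

    nacl = NetworkAcl([
        Rule(90, "in", "tcp", "198.51.100.0/24", (80, 80), "deny"),  # block a known-bad range first
        Rule(100, "in", "tcp", "0.0.0.0/0", (80, 80)),
        Rule(100, "out", "tcp", "0.0.0.0/0", (1024, 65535)),        # replies go to clients' ephemeral ports
    ])
    nacl_without_ephemeral = NetworkAcl([Rule(100, "in", "tcp", "0.0.0.0/0", (80, 80))])
    sg = SecurityGroup([Rule(1, "in", "tcp", "0.0.0.0/0", (80, 80))])  # inbound rule only

    return {
        "nacl_request": nacl.decide("in", request),
        "nacl_reply": nacl.decide("out", reply),
        "nacl_blocked_client": nacl.decide("in", bad_client),
        "nacl_reply_without_ephemeral_rule": nacl_without_ephemeral.decide("out", reply),
        "sg_request": sg.decide("in", request),
        "sg_reply": sg.decide("out", reply),
        "sg_unsolicited_outbound": sg.decide("out", outbound_new),
    }


if __name__ == "__main__":
    for name, verdict in web_server_scenario().items():
        print(f"{name:36} {verdict}")
```

The two results to dwell on are nacl_reply_without_ephemeral_rule, which is the classic "my instance accepts the connection but the page never loads" NACL mistake, and nacl_blocked_client, which shows why the deny rule must carry a lower number than the broad allow: swap 90 and 100 and the bad client gets in.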
Internet Gateway:
An internet gateway is like a doorway that connects our doorless room (the VPC) to the internet. It allows traffic to flow in both directions between the VPC and the internet.
For devices in a private network to access the internet, they need a way to communicate with the outside world, and that is where an internet gateway comes in. In a home or office it is typically a physical device, like a router; in a VPC it is a managed, horizontally scaled component that the provider runs for you, attached to the VPC as a whole rather than to any one subnet. Attaching one does not by itself expose anything: a subnet becomes "public" only when its route table sends 0.0.0.0/0 to the gateway, and an instance in it is reachable only if it also has a public IP address that the gateway maps onto its private one.
When a device on the private network wants to access the internet, it sends its request to the internet gateway. The internet gateway then sends the request out to the internet and receives the response back from the internet. The response is then sent back to the device on the private network.
NAT Gateway:
A NAT gateway is like a translator that lets devices in a private subnet reach the internet. It allows many devices with private addresses to share a single public IP address when they initiate connections out, and it accepts no connections from outside.
You might be wondering what the difference between a NAT gateway and an internet gateway is.
A NAT gateway allows devices on a private network to communicate with the internet by translating their private IP addresses to its one public address on the way out and back again on the way in. It is like a translator that helps private devices speak the language of the internet, but only for conversations they start. An internet gateway simply connects the VPC to the internet and maps each public IP to its instance in both directions. In AWS the NAT gateway itself sits in a public subnet, because it relies on the internet gateway to send its traffic out, and the private subnet's route table points 0.0.0.0/0 at the NAT gateway.
Above we can see the flow of data from the internet through the internet gateway to the VPC router, which consults the route table of each subnet to decide whether and where the traffic can be delivered. We can also see how resources in the private subnet reach the internet through the NAT gateway, and that this is one-way: the private instances can talk to the internet, but the internet cannot start a conversation with the private instances. In our analogy, that is like building a door out of the doorless room that is not visible from the outside.
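Two checks a practitioner would want from the internet gateway and NAT gateway discussion above, as an added example that is not from the article: classifying each subnet as public, private or isolated purely from its route table, and a small model of the NAT gateway's translation table showing why replies get back in while unsolicited connections do not. The route tables, the igw-/nat- labels and the public IP 198.51.100.9 are constructed for the example.

```python
# Constructed route tables for three subnets of a 10.0.0.0/16 VPC; the igw-/nat-
# identifiers are AWS-style labels invented for this example.
ROUTE_TABLES = {
    "public-a":   [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0example")],
    "private-a":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0example")],
    "isolated-a": [("10.0.0.0/16", "local")],
}


def classify_subnet(route_table) -> str:
    """public: default route to an internet gateway; private: default route to a NAT
    gateway (outbound only); isolated: no default route, so no internet at all."""
    for cidr, target in route_table:
        if cidr == "0.0.0.0/0":
            if target.startswith("igw-"):
                return "public"
            if target.startswith("nat-"):
                return "private"
            return "other"  # e.g. a transit gateway or a firewall appliance
    return "isolated"


def classify_all(route_tables: dict) -> dict:
    return {name: classify_subnet(rt) for name, rt in route_tables.items()}


class NatGateway:
    """Source NAT: many private addresses share one public address, and only
    connections that start on the inside get a translation entry."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self._next_port = first_port
        self._by_inside = {}   # (src_ip, src_port, dst_ip, dst_port) -> public port
        self._by_outside = {}  # public port -> (src_ip, src_port, dst_ip, dst_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the private subnet: rewrite the source, remember the mapping."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self._by_inside:
            port = self._next_port
            self._next_port += 1
            self._by_inside[key] = port
            self._by_outside[port] = key
        return (self.public_ip, self._by_inside[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Packet arriving from the internet: forward only if it answers a mapped
        connection from the same peer; anything unsolicited is dropped (None)."""
        entry = self._by_outside.get(dst_port)
        if entry is None or (entry[2], entry[3]) != (src_ip, src_port):
            return None
        return (src_ip, src_port, entry[0], entry[1])


if __name__ == "__main__":
    print(classify_all(ROUTE_TABLES))
    nat = NatGateway("198.51.100.9")  # constructed public IP from a documentation range
    print(nat.outbound("10.0.2.10", 40000, "192.0.2.44", 443))
    print(nat.outbound("10.0.2.11", 40000, "192.0.2.44", 443))
    print(nat.inbound("192.0.2.44", 443, 1024))   # reply: delivered to 10.0.2.10
    print(nat.inbound("203.0.113.77", 4444, 22))  # unsolicited: None
```

The classify_all check is the one worth running against a real account export: a subnet that someone believes is private but whose route table carries 0.0.0.0/0 to an igw- target is public, whatever its name says.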
VPC Endpoints:
A VPC endpoint is like a private tunnel that allows resources in a VPC to reach the cloud provider's own services (on AWS, for example S3 or CloudWatch) without going through an internet gateway or a NAT gateway. It is a way to connect to those services privately, over the provider's network.
When a resource in the VPC wants to reach such a service, as it often does, it sends its request through the VPC endpoint, which carries it to the service over the provider's internal network instead of the public internet. The traffic never leaves the provider's network, the instance needs neither a public IP nor a NAT gateway for that service, and an endpoint policy can restrict what may be reached through it (for example, which buckets), which makes this path both cheaper and easier to lock down.
VPC Peering:
VPC peering is like a direct connection between two private networks in the cloud. It's a way to connect two private networks so that they can communicate with each other, just as if they were connected by a physical cable.
When you create a VPC in the cloud, it's like creating your own private network. You can control the IP addresses, subnets, and routing rules for your VPC. However, sometimes you may need to connect your VPC to another VPC in the same cloud environment. That's where VPC peering comes in.
VPC peering allows you to connect two VPCs together so that they can communicate with each other as if they were on the same network. This means that devices in one VPC can communicate directly with devices in the other, without going through a public gateway or the internet. Two caveats matter in practice: the two VPCs' CIDR blocks must not overlap, or the peering cannot be created at all; and peering is not transitive, so if A peers with B and B peers with C, A still cannot reach C unless A and C are peered directly. Each side also needs a route table entry for the other side's CIDR, and security groups must still allow the traffic.
In our analogy, it'll be having two doorless rooms communicate with one another without ever creating a door between them.
Above you can see the peering between this VPC and two other VPCs, as well as VPC endpoints being used to reach CloudWatch and S3 over the provider's private network rather than the internet.
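The peering caveats above (no overlapping CIDRs, no transitivity, routes needed on both sides), as an added example that is not from the article. The VPC names, CIDRs, peering connections and the half-finished route tables are all constructed; the reachable_if_transitive function exists only to contrast what peering actually gives you with what people tend to assume.

```python
import ipaddress

# Constructed VPCs and peering connections; names and CIDRs are invented for the example.
VPCS = {
    "app": "10.0.0.0/16",
    "shared": "10.1.0.0/16",
    "partner": "172.16.0.0/16",
    "legacy": "10.0.0.0/16",  # same block as "app": these two can never be peered
}
PEERINGS = [("app", "shared"), ("shared", "partner")]

# Route tables after only one side added its route (a common half-finished peering).
ROUTE_TABLES = {
    "app": [("10.0.0.0/16", "local"), ("10.1.0.0/16", "pcx-app-shared")],
    "shared": [("10.1.0.0/16", "local")],
}


def can_peer(vpcs: dict, a: str, b: str):
    """Return why a and b cannot be peered, or None if they can."""
    na, nb = ipaddress.ip_network(vpcs[a]), ipaddress.ip_network(vpcs[b])
    if na.overlaps(nb):
        return f"{a} ({na}) overlaps {b} ({nb}); peering needs disjoint CIDRs"
    return None


def reachable(peerings, a: str, b: str) -> bool:
    """Peering is not transitive: only a direct connection carries traffic."""
    return a != b and ((a, b) in peerings or (b, a) in peerings)


def reachable_if_transitive(peerings, a: str, b: str) -> bool:
    """What people wrongly expect from peering, and what a transit gateway actually
    provides: reachability through intermediate VPCs."""
    if a == b:
        return False
    adj = {}
    for x, y in peerings:
        adj.setdefault(x, set()).add(y)
        adj.setdefault(y, set()).add(x)
    seen, stack = set(), [a]
    while stack:
        cur = stack.pop()
        if cur == b:
            return True
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(adj.get(cur, ()))
    return False


def missing_peering_routes(route_tables: dict, vpcs: dict, a: str, b: str) -> list:
    """Names of the VPCs whose route table has no entry for the other side's CIDR.
    A peering with a route on only one side passes requests but drops the replies."""
    missing = []
    for me, other in ((a, b), (b, a)):
        if not any(cidr == vpcs[other] for cidr, _ in route_tables.get(me, [])):
            missing.append(me)
    return missing


if __name__ == "__main__":
    print(can_peer(VPCS, "app", "legacy"))
    print("app -> shared direct:", reachable(PEERINGS, "app", "shared"))
    print("app -> partner direct:", reachable(PEERINGS, "app", "partner"))
    print("app -> partner if transitive:", reachable_if_transitive(PEERINGS, "app", "partner"))
    print("missing routes:", missing_peering_routes(ROUTE_TABLES, VPCS, "app", "shared"))
```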
Differences between a VPC and a traditional network architecture
A VPC is a virtual network that exists entirely in the cloud, whereas a traditional network architecture is physical and exists in the real world. In a traditional network, you would have physical switches, routers, and cables connecting all the devices together. In a VPC, everything is virtualized and managed through software.
With a traditional network, adding more devices or expanding the network can be a complex and time-consuming process. In a VPC, you can scale your network up or down quickly and easily using cloud-based tools and services.
Traditional network architecture can be expensive to set up and maintain, as it requires a lot of physical hardware and maintenance. In a VPC, you only pay for the resources you use, which can be more cost-effective in the long run.
VPCs are isolated from other tenants' networks by default, and every path in or out is something you explicitly create. That does not make them secure on their own: a security group open to 0.0.0.0/0 on port 22, or a default route to an internet gateway on a subnet that was meant to be private, undoes the isolation just as surely as a misconfigured physical firewall would. Traditional network architecture carries the extra burden of physical access to the equipment and slower, manual change control, whereas a VPC's definition lives in software, where it can be reviewed and tested before it is applied.
Overall, a VPC helps your business in a number of areas including security, flexibility, scalability, cost savings and simplified management, but not limited to these. This has been "Understanding VPCs"; I look forward to feedback, and to implementing VPCs in the next part.
Comment (2 years ago): This is very informative. Great job.