The Journey of Network Requests In and Out of an Amazon VPC

Guido Nebiolo
AWS in Plain English
5 min read · Aug 16, 2023


An image representing the journey of network requests in and out of an Amazon VPC with an internet gateway and a nat gateway, ipv4, ipv6 (by StableDiffusion)

TL;DR: In this article, we will discover the essential networking components of an Amazon VPC, how we can combine them to create a dual-stack (IPv4 + IPv6) network in AWS, and which flows the different requests follow.

The Building Blocks

VPC

Amazon Virtual Private Cloud (Amazon VPC) is the service for creating isolated virtual networks in an AWS account. AWS resources (EC2 instances, load balancers, databases, and so on) are launched into a VPC that has been defined beforehand. A VPC lives in a single AWS region and spans all of that region's availability zones.

During VPC creation, we must specify an IPv4 CIDR block for the VPC with a size between a /16 netmask (65,536 IP addresses) and a /28 netmask (16 IP addresses). Additional IPv4 CIDR blocks can be associated with the VPC after it is created.

It is HIGHLY recommended to take the CIDR block from the private IPv4 address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), avoiding 172.17.0.0/16, which conflicts with some specific services like Cloud9 and is also the default bridge network of Docker. Pick a block that does not overlap any on-premises or peered network you may later need to connect, because overlapping ranges cannot be peered or routed.

Subnet

A subnet is a range of IP addresses within the VPC that is bound to a single availability zone of the region. Like the VPC, a subnet can be anything from a /28 up to a /16. A VPC can hold many subnets, but each must fall inside one of the VPC's CIDR blocks and their CIDR blocks cannot overlap.

The first four IP addresses and the last IP address of every subnet CIDR block are reserved by AWS and cannot be assigned to our resources: the network address, the VPC router, the Amazon-provided DNS resolver, one address kept for future use, and the broadcast address (not supported in a VPC, but still reserved). A /24 subnet therefore yields 251 usable addresses rather than 254, and a /28 only 11.
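The sizing rules above are easy to get wrong by hand, so here is a small planner, added here as an example and not code from the original article. It validates a VPC block against the /16 to /28 rule and the private-range advice, carves non-overlapping IPv4 subnets (and, for a dual-stack VPC, one /64 per subnet out of the /56 that Amazon assigns to the VPC), and lists the five addresses AWS reserves. It uses only the standard library, so it runs offline. Every CIDR below is a constructed sample value; the IPv6 block comes from the 2001:db8::/32 documentation range.

```python
"""Plan the IPv4 and IPv6 subnets of a VPC and list what AWS reserves.

Added example, not code from the original article. Standard library only.
All CIDR blocks are constructed samples, not a real deployment.
"""
import ipaddress
import itertools

# Private ranges recommended for a VPC, and the block AWS advises against.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DISCOURAGED = ipaddress.ip_network("172.17.0.0/16")  # Cloud9 and Docker's default bridge
AWS_RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr):
    """Return the problems with a proposed IPv4 VPC block (empty list means OK)."""
    net = ipaddress.ip_network(cidr, strict=True)
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"{net}: VPC block must be between /16 and /28")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net}: not inside a private (RFC 1918) range")
    if net.overlaps(DISCOURAGED):
        problems.append(f"{net}: overlaps 172.17.0.0/16, used by Cloud9 and Docker")
    return problems


def reserved_addresses(subnet_cidr):
    """The five addresses AWS keeps back in every subnet, keyed by address."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return {
        str(net[0]): "network address",
        str(net[1]): "VPC router",
        str(net[2]): "Amazon-provided DNS resolver",
        str(net[3]): "reserved for future use",
        str(net[-1]): "broadcast address (not supported in a VPC, still reserved)",
    }


def usable_addresses(subnet_cidr):
    """Host addresses actually assignable to ENIs in the subnet."""
    return ipaddress.ip_network(subnet_cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_ipv4_subnets(vpc_cidr, names, new_prefix=24):
    """Carve one non-overlapping /new_prefix per name, in order, out of the VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= new_prefix <= 28:
        raise ValueError("subnets must be between /16 and /28")
    if new_prefix < vpc.prefixlen:
        raise ValueError("a subnet cannot be larger than its VPC block")
    chosen = list(itertools.islice(vpc.subnets(new_prefix=new_prefix), len(names)))
    if len(chosen) < len(names):
        raise ValueError(f"{vpc} cannot hold {len(names)} subnets of size /{new_prefix}")
    return {name: str(net) for name, net in zip(names, chosen)}


def plan_ipv6_subnets(vpc_ipv6_cidr, names):
    """Each dual-stack subnet takes a /64 out of the VPC's /56 (256 are available)."""
    vpc = ipaddress.ip_network(vpc_ipv6_cidr, strict=True)
    chosen = list(itertools.islice(vpc.subnets(new_prefix=64), len(names)))
    if len(chosen) < len(names):
        raise ValueError(f"{vpc} cannot hold {len(names)} /64 subnets")
    return {name: str(net) for name, net in zip(names, chosen)}


def overlapping_pairs(cidrs):
    """Pairs of CIDRs that overlap; the VPC API rejects a subnet that overlaps an existing one."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    tiers = ["public-a", "public-b", "private-a", "private-b"]
    print(validate_vpc_cidr("10.0.0.0/16"))                      # []
    print(plan_ipv4_subnets("10.0.0.0/16", tiers))               # four consecutive /24s
    print(plan_ipv6_subnets("2001:db8:0:100::/56", tiers))       # four consecutive /64s
    print(reserved_addresses("10.0.0.0/24"), usable_addresses("10.0.0.0/24"))  # ..., 251
```

The planner hands out subnets in address order; in a multi-AZ design you would call it once per tier with the subnet names of each availability zone so that later additions do not collide with the blocks already in use.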

We can categorize subnets into two significant types: public and private. A subnet has three requirements to be considered public:

  • Internet Gateway: one must be attached to the parent VPC. It allows communication between resources in the VPC and the Internet.
  • Route table: the route table associated with the subnet (explicitly, or the VPC main route table when no explicit association exists) must contain a route sending Internet-bound traffic (0.0.0.0/0 and, for IPv6, ::/0) to that Internet Gateway.
  • Public IPs: resources inside must get a public IPv4 address (through the subnet's auto-assign setting or an Elastic IP) or a globally routable IPv6 address; without one, the route to the Internet Gateway is useless to them.
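Checking those three conditions by hand across an account is error-prone, in particular because a subnet with no explicit route-table association silently inherits the VPC main route table. The following example, added here and not code from the original article, evaluates the conditions against the JSON shapes returned by `aws ec2 describe-subnets`, `describe-route-tables` and `describe-internet-gateways`, so the same functions can be fed real output. The data below is constructed sample input with fictitious resource IDs, not taken from a real account.

```python
"""Decide which subnets of a VPC are public, from `aws ec2 describe-*` output.

Added example, not code from the original article. The records below are
constructed sample data with fictitious IDs in the shapes the EC2 API returns.
"""

VPC_ID = "vpc-0demo"

SUBNETS = [
    {"SubnetId": "subnet-0pub", "VpcId": VPC_ID, "CidrBlock": "10.0.0.0/24", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-0priv", "VpcId": VPC_ID, "CidrBlock": "10.0.1.0/24", "MapPublicIpOnLaunch": False},
    # No explicit route-table association: it silently inherits the main route table.
    {"SubnetId": "subnet-0new", "VpcId": VPC_ID, "CidrBlock": "10.0.2.0/24", "MapPublicIpOnLaunch": False},
]

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0main", "VpcId": VPC_ID,
     "Associations": [{"Main": True, "RouteTableAssociationId": "rtbassoc-0main"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0demo", "State": "active"}]},
    {"RouteTableId": "rtb-0pub", "VpcId": VPC_ID,
     "Associations": [{"Main": False, "SubnetId": "subnet-0pub", "RouteTableAssociationId": "rtbassoc-0pub"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0demo", "State": "active"}]},
    {"RouteTableId": "rtb-0priv", "VpcId": VPC_ID,
     "Associations": [{"Main": False, "SubnetId": "subnet-0priv", "RouteTableAssociationId": "rtbassoc-0priv"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0demo", "State": "active"}]},
]

INTERNET_GATEWAYS = [
    {"InternetGatewayId": "igw-0demo", "Attachments": [{"VpcId": VPC_ID, "State": "available"}]},
]


def effective_route_table(subnet, route_tables):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != subnet["VpcId"]:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def default_route_target(route_table, cidr="0.0.0.0/0"):
    """ID of whatever an active default route points at (igw-, nat-, eigw-, ...), or None."""
    for r in route_table.get("Routes", []):
        if r.get("DestinationCidrBlock") != cidr and r.get("DestinationIpv6CidrBlock") != cidr:
            continue
        if r.get("State") != "active":
            continue  # "blackhole" routes drop traffic instead of forwarding it
        return r.get("GatewayId") or r.get("NatGatewayId") or r.get("EgressOnlyInternetGatewayId")
    return None


def igw_attached(igw_id, vpc_id, igws):
    """True when the gateway exists and is attached to this VPC in the 'available' state."""
    return any(g["InternetGatewayId"] == igw_id
               and any(a["VpcId"] == vpc_id and a["State"] == "available" for a in g["Attachments"])
               for g in igws)


def classify_subnet(subnet, route_tables, igws):
    """Evaluate the three public-subnet conditions and report which route table applied."""
    rt = effective_route_table(subnet, route_tables)
    target = default_route_target(rt) if rt else None
    routes_to_igw = bool(target) and target.startswith("igw-")
    result = {
        "route_table": rt["RouteTableId"] if rt else None,
        "default_route_target": target,
        "igw_attached": routes_to_igw and igw_attached(target, subnet["VpcId"], igws),
        "auto_assign_public_ip": bool(subnet.get("MapPublicIpOnLaunch")),
    }
    result["public"] = routes_to_igw and result["igw_attached"]
    return result


def public_subnets(subnets, route_tables, igws):
    """IDs of the public subnets, whether by design or by inheriting the main route table."""
    return [s["SubnetId"] for s in subnets if classify_subnet(s, route_tables, igws)["public"]]


if __name__ == "__main__":
    for s in SUBNETS:
        print(s["SubnetId"], classify_subnet(s, ROUTE_TABLES, INTERNET_GATEWAYS))
    print(public_subnets(SUBNETS, ROUTE_TABLES, INTERNET_GATEWAYS))  # subnet-0pub and subnet-0new
```

In the sample, `subnet-0new` comes out as public even though nobody associated it with a route table: the main route table carries a default route to the Internet Gateway, so every new subnet in that VPC is public until someone says otherwise. Keeping the main route table free of Internet routes (only the local route) and associating every subnet explicitly is the safer default. To run the check against an account, load the output of the three `describe-*` calls with `json.load` and pass the `Subnets`, `RouteTables` and `InternetGateways` lists to `public_subnets`.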

Internet Gateway

An internet gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between a VPC and the Internet. It supports IPv4 and IPv6 traffic.

There is also the egress-only internet gateway, an IPv6-only component that allows outbound communication over IPv6 from instances in the VPC to the Internet and prevents the Internet from initiating an IPv6 connection with those instances. It has no IPv4 counterpart because that role is played by NAT.

An internet gateway is attached to exactly one VPC at a time. It is a regional construct, so its redundancy spans all the availability zones of the region; there is nothing per-AZ to provision.

NAT Gateway

A NAT Gateway is a Network Address Translation (NAT) service. It enables instances in private subnets to reach services outside a VPC without allowing external services to initiate a connection with those instances.

A public NAT Gateway must reside in a public subnet and needs an Elastic IP (a static public IPv4 address) associated with it. Private subnets then need a route for 0.0.0.0/0 to the NAT Gateway in their route table. The NAT Gateway itself reaches the Internet through the Internet Gateway, like any other resource in its public subnet.

A NAT Gateway is deployed in one specific subnet and therefore lives in a single availability zone. If that zone fails, private subnets in other zones that route through it lose Internet access, so a production design deploys one NAT Gateway per availability zone and points each zone's private subnets at their local one. This also avoids paying cross-AZ data transfer for every outbound request.

The Architecture

Let's combine all these components into a simple two-tier VPC with public and private subnets. For simplicity, the diagrams show a single availability zone and leave out the filtering components (network ACLs and security groups).

A dual-stack VPC with public and private subnets.

The Elastic Network Interfaces (ENIs) stand in for whatever resources are deployed in the subnets (EC2 instances, load balancers, Lambda functions attached to the VPC, and so on) and show how those resources meet the network traffic.

The Journey of Network Requests

IPv4 Inbound Traffic

IPv4 requests originating on the Internet can reach only instances in a public subnet that have a public IPv4 address on their network interface. The traffic enters through the Internet Gateway, which translates the public address into the ENI's private address (a one-to-one NAT, since the instance itself only knows its private address), and is delivered directly to the instance's ENI. Instances in private subnets have no public address, and the NAT Gateway does not forward connections that the Internet initiates.

An IPv4 Inbound request.

IPv4 Outbound Traffic

IPv4 requests to the Internet from instances inside the VPC follow two different paths:

  • Requests from the public subnets go straight to the Internet through the Internet Gateway, with the instance's own public IPv4 address as the source.
  • Requests from the private instances are routed to the NAT Gateway, which rewrites the source address to its Elastic IP and only then forwards them through the Internet Gateway.

An IPv4 Outbound request.

IPv6 Inbound Traffic

Like the inbound IPv4 requests, the IPv6 ones flow through the Internet Gateway to instances in public subnets. Because an IPv6 address in a VPC is already globally routable, no address translation takes place: only the route table and the filtering components stand between the Internet and the instance's ENI. No Internet-initiated IPv6 connection can reach the instances in private subnets, whose route table sends ::/0 to an egress-only internet gateway that only lets through the return traffic of connections the instances opened themselves.

An IPv6 Inbound request.

IPv6 Outbound Traffic

The public instances send IPv6 requests to the Internet through the Internet Gateway.

IPv6 addresses are globally unique and publicly routable by default, so there is no private address space to hide behind and no NAT. The instances in private subnets therefore send their IPv6 requests through the Egress-only Internet Gateway, which forwards outbound connections and their responses while rejecting any connection initiated from the Internet.

An IPv6 Outbound request.
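The four flows described in this section are all decided by the route table of the source subnet. The example below, added here and not code from the original article, models the public and private route tables of the reference architecture as (destination, target) pairs, resolves a destination by longest-prefix match the way a VPC route table does, and traces which components a request crosses; it also answers the inbound question of the earlier sections. The gateway IDs, the 10.0.0.0/16 block and the 2001:db8:0:100::/56 block (documentation range) are constructed placeholders.

```python
"""Trace the path of IPv4 and IPv6 requests out of, and into, the reference VPC.

Added example, not code from the original article. Gateway IDs and address
blocks are constructed placeholders for the components in the diagrams.
"""
import ipaddress

PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("2001:db8:0:100::/56", "local"),
    ("0.0.0.0/0", "igw-0demo"),
    ("::/0", "igw-0demo"),
]
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("2001:db8:0:100::/56", "local"),
    ("0.0.0.0/0", "nat-0demo"),   # IPv4: hide behind the NAT gateway's Elastic IP
    ("::/0", "eigw-0demo"),       # IPv6: egress-only, no address translation
]

INTERNET_V4 = "198.51.100.10"      # constructed Internet host (documentation range)
INTERNET_V6 = "2001:db8:ffff::10"  # constructed Internet host, outside the VPC's /56


def lookup(route_table, dst):
    """Target of the most specific route covering dst, or None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, target)
    return best[1] if best else None


def outbound_path(route_table, dst):
    """Components a request from a subnet using this route table crosses to reach dst."""
    target = lookup(route_table, dst)
    if target is None:
        return []                 # no route at all: the packet is dropped
    if target == "local":
        return ["local"]          # stays inside the VPC, no gateway involved
    if target.startswith("nat-"):
        # The NAT gateway lives in a public subnet and leaves through that subnet's IGW.
        return [target] + outbound_path(PUBLIC_RT, dst)
    return [target]


def inbound_reachable(route_table, eni_addr, has_public_ipv4=False):
    """Whether an Internet-initiated connection can reach an ENI with this address."""
    addr = ipaddress.ip_address(eni_addr)
    default = "0.0.0.0/0" if addr.version == 4 else "::/0"
    target = dict(route_table).get(default, "")
    if not target.startswith("igw-"):
        return False  # nat- and eigw- only pass return traffic of connections the ENI opened
    # IPv4 needs a public address for the IGW to translate; a VPC IPv6 address is already routable.
    return has_public_ipv4 if addr.version == 4 else True


def flow_summary():
    """The four outbound flows drawn in the diagrams, keyed by (subnet tier, IP version)."""
    return {
        ("public", 4): outbound_path(PUBLIC_RT, INTERNET_V4),
        ("public", 6): outbound_path(PUBLIC_RT, INTERNET_V6),
        ("private", 4): outbound_path(PRIVATE_RT, INTERNET_V4),
        ("private", 6): outbound_path(PRIVATE_RT, INTERNET_V6),
    }


if __name__ == "__main__":
    for (tier, version), path in flow_summary().items():
        print(f"{tier:8} IPv{version}: {' -> '.join(path)}")
    print(inbound_reachable(PUBLIC_RT, "10.0.0.10", has_public_ipv4=True))  # True
    print(inbound_reachable(PRIVATE_RT, "2001:db8:0:101::10"))             # False
```

Longest-prefix match is what keeps intra-VPC traffic off the gateways: 10.0.0.7 matches both 10.0.0.0/16 and 0.0.0.0/0, and the /16 local route wins. The same rule is why a more specific route added later (to a peering connection or a transit gateway, for instance) silently takes precedence over the default route for the addresses it covers.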

Summary

The following image summarizes all the possible traffic flows in our reference architecture. For simplicity, the return flow of the response is not represented in any diagram: responses travel the same path in reverse. The NAT Gateway and the egress-only internet gateway track connection state, so return packets are matched to the request that caused them, and security groups are stateful as well. Network ACLs, however, are stateless: once you add them, each ACL must explicitly allow the return traffic (typically the ephemeral port range) in the opposite direction, or responses will be dropped even though the request got through.

All the network requests, in and out of an Amazon VPC.

Ready to explore more about AWS? Follow me for more insightful articles, and stay connected for future updates. Let’s continue our journey toward building innovative and efficient solutions on the Cloud!

Sr Cloud Architect & DevOps @ Storm Reply | AWS Ambassador @ Reply, AWS Champion Authorized Instructor and 11x AWS Certified | g.nebiolo@reply.it