Cloud Networks
Networking in AWS: VPC, Subnets, and Security Groups Explained
Introduction
Networking is the backbone of cloud infrastructure, and in AWS, it is primarily managed through Amazon Virtual Private Cloud (VPC). A well-designed VPC allows you to control network access, segment resources, and enhance security. In this blog, we will explore VPCs, subnets, and security groups, their significance, and best practices.
What is a VPC?
A Virtual Private Cloud (VPC) in AWS is an isolated network where you can launch and manage AWS resources securely. Think of it as your own private data center in the cloud.
Key Features of VPC:
Isolation: Each VPC is logically isolated from every other VPC, including others in the same account, unless you explicitly connect them (for example with VPC peering).
Customizable IP Addressing: You define the VPC's address range in CIDR notation (e.g., 10.0.0.0/16); subnets are carved out of that range.
Internet and Private Access: A VPC has no internet connectivity until you attach an Internet Gateway (IGW) and add a route to it, so you decide which parts of the network can reach the internet at all.
Security Controls: Security groups and network ACLs control which traffic is allowed to flow to and from your resources.
Understanding Subnets
A Subnet is a range of IP addresses within the VPC's CIDR block into which you launch resources. Each subnet lives in exactly one Availability Zone (AZ) and cannot span AZs, so spreading an application across AZs means creating a subnet in each of them.
Types of Subnets:
Public Subnet: Its route table sends 0.0.0.0/0 to an Internet Gateway (IGW). Instances additionally need a public or Elastic IP address to be reachable from the internet.
Private Subnet: No route to an IGW. Outbound traffic (package updates, API calls) goes through a NAT Gateway that sits in a public subnet; the NAT Gateway never accepts connections initiated from the internet.
Isolated Subnet: No route to an IGW or a NAT Gateway, so no internet access in either direction. Used for databases and other resources that should only talk to the rest of the VPC (and, through VPC endpoints, to AWS services).
How Subnets Work:
You define the subnet's CIDR block as a sub-range of the VPC's CIDR. It must not overlap any other subnet in the VPC, and AWS reserves the first four and the last address of every subnet, so a /24 gives you 251 usable addresses.
A subnet is "public" purely because its route table has a 0.0.0.0/0 route pointing to an Internet Gateway; there is no separate public/private setting on the subnet itself.
Private subnets route 0.0.0.0/0 to a NAT Gateway instead, and isolated subnets have no 0.0.0.0/0 route at all.
Example VPC with Subnets:
| Subnet Type | CIDR Range | Internet Access |
| --- | --- | --- |
| Public Subnet | 10.0.1.0/24 | Yes (via IGW) |
| Private Subnet | 10.0.2.0/24 | Outbound only (via NAT) |
| Isolated Subnet | 10.0.3.0/24 | None |
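To make the rules in this section concrete, here is an added Python example (not code from the original post) that checks a subnet plan against the VPC CIDR and classifies each subnet from its route table alone, which is how AWS itself decides whether a subnet is public. The layout mirrors the table above; the AZ names and the gateway IDs (igw-0example, nat-0example) are constructed placeholders.

```python
import ipaddress

# AWS reserves five addresses in every subnet: the network address, the
# VPC router (+1), DNS (+2), one for future use (+3) and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5

# Constructed layout mirroring the table above. Gateway IDs are placeholders.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "public-a": {
        "cidr": "10.0.1.0/24", "az": "us-east-1a",
        "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0example"},
    },
    "private-a": {
        "cidr": "10.0.2.0/24", "az": "us-east-1a",
        "routes": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0example"},
    },
    "isolated-a": {
        "cidr": "10.0.3.0/24", "az": "us-east-1a",
        "routes": {"10.0.0.0/16": "local"},
    },
}


def classify_subnet(routes):
    """Infer the subnet type from its route table: a subnet is public,
    private or isolated only because of where 0.0.0.0/0 points."""
    target = routes.get("0.0.0.0/0")
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "unknown"


def usable_hosts(cidr):
    """Addresses you can actually assign to instances in this subnet."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_layout(vpc_cidr, subnets):
    """Return a list of problems: subnets outside the VPC range, overlapping
    subnets, subnets smaller than AWS allows, or a missing local route."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    seen = {}
    for name, spec in subnets.items():
        net = ipaddress.ip_network(spec["cidr"])
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {net} is outside VPC {vpc}")
        if net.prefixlen > 28:
            problems.append(f"{name}: {net} is smaller than /28, the AWS minimum")
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                problems.append(f"{name}: {net} overlaps {other} ({other_net})")
        if spec["routes"].get(vpc_cidr) != "local":
            problems.append(f"{name}: route table lacks the local route for {vpc}")
        seen[name] = net
    return problems


def describe_layout(vpc_cidr, subnets):
    """Map each subnet name to (type, usable host count)."""
    return {
        name: (classify_subnet(spec["routes"]), usable_hosts(spec["cidr"]))
        for name, spec in subnets.items()
    }


if __name__ == "__main__":
    for problem in validate_layout(VPC_CIDR, SUBNETS):
        print("PROBLEM:", problem)
    for name, (kind, hosts) in describe_layout(VPC_CIDR, SUBNETS).items():
        print(f"{name}: {kind}, {hosts} usable addresses")
```

Run it against a proposed layout before creating anything; an overlapping or out-of-range CIDR is rejected by the API anyway, but catching it in a plan is cheaper, and the classification step is a quick audit of whether a subnet you believe is private really has no IGW route.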
Security Groups and Network ACLs
AWS provides multiple layers of security for your VPC:
Security Groups
Security Groups act as virtual firewalls attached to elastic network interfaces, which means to EC2 instances and also to load balancers, RDS instances, Lambda functions in a VPC, and any other resource with a network interface. They control inbound and outbound traffic for that interface.
Key Features:
Stateful: If an inbound rule allows a connection, the response traffic is allowed out automatically (and vice versa); you never write rules for replies.
Applied to network interfaces (instances), not subnets. A resource can have several security groups, and their rules are combined.
Allow rules only: there is no deny rule, rules are not ordered, and traffic is permitted if any rule matches. A new security group denies all inbound traffic and allows all outbound traffic until you change it.
Example Security Group Rules:
| Protocol | Port Range | Source | Description |
| --- | --- | --- | --- |
| TCP | 22 (SSH) | My IP (a single /32, never 0.0.0.0/0) | Allow SSH access |
| TCP | 80 (HTTP) | 0.0.0.0/0 | Allow public web access |
| TCP | 443 (HTTPS) | 0.0.0.0/0 | Allow secure web access |
The Source column can also name another security group instead of a CIDR; an application tier that only accepts traffic from the load balancer's security group is the usual example.
Network ACLs (NACLs)
NACLs operate at the subnet level and provide an additional, coarser layer in front of security groups: a packet entering a subnet is checked by the NACL first, then by the security group of the destination interface. Unlike security groups, NACLs are stateless, meaning inbound and outbound rules are evaluated independently and replies are not recognised as belonging to an allowed connection.
Key Features:
Stateless: Responses need their own explicit rules in the opposite direction, which in practice means allowing the ephemeral port range (1024-65535) for return traffic.
Applied at the subnet level; every subnet is associated with exactly one NACL.
Ordered rules with both ALLOW and DENY: rules are evaluated from the lowest rule number upward and the first match wins; whatever matches nothing hits the implicit deny-all rule (shown as *) at the end, which cannot be deleted.
Defaults differ: the VPC's default NACL allows all inbound and outbound traffic, while a custom NACL you create denies everything until you add rules.
Example NACL Rules (inbound):
| Rule # | Type | Protocol | Port Range | Source | Action |
| --- | --- | --- | --- | --- | --- |
| 100 | HTTP | TCP | 80 | 0.0.0.0/0 | ALLOW |
| 200 | SSH | TCP | 22 | 192.168.1.0/24 | ALLOW |
| 300 | All traffic | ALL | ALL | 0.0.0.0/0 | DENY |
Rule 300 makes the catch-all deny explicit; it behaves the same as the implicit * rule that follows every NACL. Because the NACL is stateless, the matching outbound table must allow TCP 1024-65535 to 0.0.0.0/0, otherwise the server's replies to those HTTP and SSH connections are dropped on their way out of the subnet.
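The difference between the stateful security group described earlier and the stateless NACL is easiest to see by pushing one request and its reply through both. The following Python is an added example, not part of the original post: it models a security group (unordered, allow-only, with connection tracking) and a NACL (ordered, first match wins, implicit deny), loads the inbound NACL rules from the table above, and traces an HTTP request plus its response. The addresses (203.0.113.10 as the client, 10.0.1.25 as the web server) and the client's ephemeral port are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order for NACLs; meaningless for security groups
    proto: str       # "tcp", "udp" or "all"
    port_from: int   # destination port range the rule covers
    port_to: int
    cidr: str        # source CIDR on inbound rules, destination CIDR on outbound rules
    action: str      # "allow" or "deny" (security groups can only "allow")


def _matches(rule, packet, peer):
    """Does this rule cover the packet? peer is the address compared to the rule's CIDR."""
    if rule.proto != "all":
        if rule.proto != packet.proto:
            return False
        if not rule.port_from <= packet.dst_port <= rule.port_to:
            return False
    return ipaddress.ip_address(peer) in ipaddress.ip_network(rule.cidr)


class SecurityGroup:
    """Stateful and allow-only: rules are unordered, any match allows, and the
    return traffic of an allowed connection is allowed without any rule."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._tracked = set()   # 5-tuples of connections already allowed

    def evaluate(self, packet, direction):
        flow = (packet.proto, packet.src, packet.src_port, packet.dst, packet.dst_port)
        reverse = (packet.proto, packet.dst, packet.dst_port, packet.src, packet.src_port)
        if reverse in self._tracked:
            return "allow"           # reply to a connection we already let through
        rules = self.inbound if direction == "in" else self.outbound
        peer = packet.src if direction == "in" else packet.dst
        if any(r.action == "allow" and _matches(r, packet, peer) for r in rules):
            self._tracked.add(flow)
            return "allow"
        return "deny"


class NetworkAcl:
    """Stateless: every packet, replies included, is checked against the rules
    for its direction, lowest rule number first, first match wins, and anything
    unmatched hits the implicit '*' deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, packet, direction):
        rules = self.inbound if direction == "in" else self.outbound
        peer = packet.src if direction == "in" else packet.dst
        for rule in rules:
            if _matches(rule, packet, peer):
                return rule.action
        return "deny"


def trace_http_exchange(filter_):
    """Run one request/response pair through a filter: a client on an ephemeral
    port connects to a web server on 80 and the server answers.
    Returns (request_verdict, response_verdict)."""
    request = Packet("203.0.113.10", "10.0.1.25", 43210, 80)
    response = Packet("10.0.1.25", "203.0.113.10", 80, 43210)
    return filter_.evaluate(request, "in"), filter_.evaluate(response, "out")


# Constructed rule sets. The inbound NACL mirrors the table above.
ANY = "0.0.0.0/0"
NACL_INBOUND = [
    Rule(100, "tcp", 80, 80, ANY, "allow"),
    Rule(200, "tcp", 22, 22, "192.168.1.0/24", "allow"),
    Rule(300, "all", 0, 65535, ANY, "deny"),
]
# A common mistake: copying the inbound rules to the outbound table. Replies
# leave from port 80 toward the client's ephemeral port, so nothing here matches.
NACL_OUTBOUND_MIRRORED = [Rule(100, "tcp", 80, 80, ANY, "allow")]
# What the outbound side actually needs: the ephemeral port range.
NACL_OUTBOUND_EPHEMERAL = [Rule(100, "tcp", 1024, 65535, ANY, "allow")]
SG_INBOUND_WEB = [Rule(0, "tcp", 80, 80, ANY, "allow")]


if __name__ == "__main__":
    print("security group, no outbound rules:", trace_http_exchange(SecurityGroup(SG_INBOUND_WEB, [])))
    print("NACL, mirrored outbound:", trace_http_exchange(NetworkAcl(NACL_INBOUND, NACL_OUTBOUND_MIRRORED)))
    print("NACL, ephemeral outbound:", trace_http_exchange(NetworkAcl(NACL_INBOUND, NACL_OUTBOUND_EPHEMERAL)))
```

The security group lets the reply out even with an empty outbound rule list, because the inbound match created a tracked connection. The NACL with the mirrored outbound table passes the request and then silently drops the reply, which is the classic "the instance is reachable but the page never loads" symptom; only the ephemeral-range rule fixes it. The ordering model also shows why rule numbers matter: a DENY with a lower number than an ALLOW shadows it.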
Best Practices for AWS Networking
Use Multiple Subnets for High Availability: Create each tier's subnets in at least two AZs and distribute instances across them, so the loss of one AZ does not take the application down.
Restrict Internet Access for Private Subnets: Give them no route to an Internet Gateway; use a NAT Gateway for outbound-only traffic and VPC endpoints for traffic to AWS services that never needs to leave the AWS network.
Follow the Least Privilege Principle in Security Groups: Allow only the ports and sources you need; for internal traffic, reference the calling tier's security group as the source instead of a CIDR, and never expose SSH or RDP to 0.0.0.0/0.
Enable VPC Flow Logs: Record the ACCEPT or REJECT decision for each flow (to CloudWatch Logs or S3) so you can detect scanning, confirm that rules do what you think they do, and troubleshoot connectivity.
Use Separate Security Groups for Different Resources: One group per role (load balancer, web, app, database) keeps each rule set small and reviewable and avoids one overly permissive group shared by everything.
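As an added example of what enabling Flow Logs buys you (this is not code from the original post), the following Python parses records in the default flow log format and runs two small detections over them: a source whose connections were rejected on many distinct ports, and an accepted SSH connection from outside the source range the security group was meant to permit. The log lines, the account ID and the ENI ID are constructed; 10.0.1.25 is a web server in the public subnet and 203.0.113.10 stands in for the administrator's "My IP" from the security group example.

```python
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = [
    "version", "account_id", "interface_id", "srcaddr", "dstaddr",
    "srcport", "dstport", "protocol", "packets", "bytes", "start", "end",
    "action", "log_status",
]
TCP = 6

# Constructed sample, not real log data. Account and ENI IDs are placeholders.
# 198.51.100.7 probes several ports, 203.0.113.50 is an unexpected SSH source.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 51514 443 6 12 3540 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.25 51600 22 6 30 5120 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.50 10.0.1.25 40112 22 6 18 2870 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 54321 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 54322 23 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 54323 3389 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 54324 8080 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 54325 3306 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.25 54326 80 6 3 132 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000059 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records into dicts with numeric fields converted.
    NODATA/SKIPDATA records carry no addresses and are dropped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def find_port_scanners(records, min_distinct_ports=5):
    """Sources whose rejected TCP flows touched many distinct destination ports.
    Returns {srcaddr: sorted list of probed ports}."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == TCP:
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_distinct_ports}


def find_unexpected_ssh(records, allowed_sources):
    """ACCEPTed SSH flows from outside the CIDRs the security group was meant to
    allow: either the group is wider than intended or someone changed it."""
    allowed = [ipaddress.ip_network(c) for c in allowed_sources]
    hits = []
    for r in records:
        if r["action"] == "ACCEPT" and r["protocol"] == TCP and r["dstport"] == 22:
            src = ipaddress.ip_address(r["srcaddr"])
            if not any(src in net for net in allowed):
                hits.append((r["srcaddr"], r["dstaddr"], r["interface_id"]))
    return hits


if __name__ == "__main__":
    records = parse_flow_log(SAMPLE_FLOW_LOG)
    print("port scanners:", find_port_scanners(records))
    print("unexpected SSH:", find_unexpected_ssh(records, ["203.0.113.10/32"]))
```

Two caveats when you run this on real logs: a flow log line summarises a flow over the capture window rather than recording every packet, so the scan heuristic counts distinct rejected destination ports per source rather than SYNs; and flow logs do not record traffic to the instance metadata service or to the Amazon DNS resolver, so absence from the log is not proof that nothing happened.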
Conclusion
Understanding AWS VPC, subnets, and security groups is essential for designing secure and scalable cloud applications. By implementing proper networking strategies, you can enhance security, optimize performance, and maintain high availability in your AWS environment.
Would you like a hands-on guide on setting up a VPC in AWS? Let me know in the comments!