AWS Virtual Private Cloud, Subnets, Network Access Controls

Virtual Private Clouds, subnets, and network access controls are another set of AWS services that the rest of the platform's engines and services depend on to work properly.

Virtual Private Cloud

Amazon VPC (Virtual Private Cloud) lets users create a private network in the cloud in which instances are isolated from outside networks and from other internal instances. A simple analogy: suppose you run a hotel where guests hand their food orders to a waiter. If someone walks in and gives an order straight to the chef without going through the waiter, problems follow. This is solved by putting gateways in place, and by designing the infrastructure so that the chefs' network is private and nobody other than a waiter or another listed person can enter it.

So in a VPC, the instances are isolated from the outside network. But what if data needs to be brought in from the outside world, or there is another private subnet with which we need to share information? This is where the Virtual Private Gateway comes in. Taking the hotel example again: suppose your hotel is only for VIPs, so ordinary people must not be let in, and gatekeepers at the door check the identity of everyone who arrives. The hotel here is the VPC, the VIPs are the authenticated users, and the gateway only passes packets that come from a verified user. There is also a service called AWS Direct Connect, which provides a dedicated connection between your data center and the VPC: even with a gateway in place the path itself is not secure, so Direct Connect gives a private, high-bandwidth data-exchange path between your network and the data center.

Network Access Controls and Subnets

As discussed above, the problem is people trying to contact the chefs directly without going through the waiters, and it needs to be resolved. Another way to do this is to give the chefs a private subnet of their own, so there are two subnets, one for the waiters and one for the chefs, and any inbound traffic is sent to the waiters' network. In other words, we isolate networks according to need. There are two types of subnet, private and public. A private subnet cannot be accessed by everyone; only authenticated users can reach it. The private and public subnets can sometimes also communicate with each other. So whenever some data needs to be delivered, it first enters the Virtual Private Gateway, and then the permissions of the data are verified: where it was sent from, who the sender is, and where it is trying to reach. This is done with the help of a Network Access Control List (ACL).

Network Access Control Lists (ACLs)

A Network Access Control List is a firewall that checks all traffic entering and leaving a subnet, so it provides subnet-level security. It is the gatekeeper of the hotel from the earlier analogy. When a packet wants to enter the subnet it first reaches the ACL, where the packet's information is checked against the ACL's rules; if it is eligible and has all the required rights, it enters the subnet. If a packet from an unauthorized user arrives at the ACL, the ACL does not let it into the subnet and denies it. When we create a VPC, we need to configure the ACL as well.

By default, an ACL allows all incoming and outgoing traffic. In a custom network ACL, all incoming and outgoing traffic is denied until we specifically add or remove rules.

An ACL is known as a stateless packet filter. Stateless means that when a packet arrives at the ACL, is verified, and is allowed into the subnet, and then the next packet arrives at the ACL, the ACL knows nothing about the previous packet it let through. Its only job is to check whether each packet's information is authenticated or not. But there may be another case, as discussed at the start: someone trying to communicate with the chef directly. For that there are further restrictions inside a subnet, known as Security Groups.

Security Groups

A security group is a set of rules, applied to a group of instances, that allows only specific traffic; it provides instance-level security. By default security groups deny all incoming and outgoing traffic. We can add our own configurations or rules to it. So whenever we create an instance we need to decide which subnet it is deployed in and which security group it is given. If the gatekeeper is the ACL, then for each seat in the hotel there is a guard, and you may only sit in a seat if that guard lets you. So even if the ACL allows you into the subnet, the security group must also allow you to reach the instance. Security groups are stateful: they remember the information about previous traffic they allowed or denied.
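The stateless-versus-stateful distinction drawn in the ACL and security group sections above, as an added example that is not part of the original post and is not AWS code: a small Python model of both filters run over the same HTTPS request and its reply. The rule semantics follow AWS documentation (network ACL rules evaluated in ascending rule-number order, first match wins, implicit deny; security groups with allow rules only, implicit deny, and connection tracking), while the addresses, rule numbers and packets are constructed for the scenario.

```python
import ipaddress
from collections import namedtuple
# direction is "inbound" or "outbound" as seen from the subnet or instance
Packet = namedtuple("Packet", "direction src_ip src_port dst_ip dst_port")
# number: NACL rule number (lowest evaluated first); cidr: remote address range
# ports: inclusive (low, high) destination-port range; action: "allow" or "deny"
Rule = namedtuple("Rule", "number direction cidr ports action")
def _matches(rule, pkt):
    remote = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
    return (rule.direction == pkt.direction
            and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)
            and rule.ports[0] <= pkt.dst_port <= rule.ports[1])
def nacl_evaluate(rules, pkt):
    # Stateless: ascending rule number, first match wins, nothing remembered
    # between packets, and an unmatched packet hits the implicit deny.
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action
    return "deny"
class SecurityGroup:
    # Stateful: allow rules only, implicit deny, and a connection table so the
    # reply to an allowed packet passes without needing its own rule.
    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]
        self.flows = set()  # (instance_ip, instance_port, remote_ip, remote_port)

    def evaluate(self, pkt):
        if pkt.direction == "inbound":
            flow = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        else:
            flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if flow in self.flows or any(_matches(r, pkt) for r in self.rules):
            self.flows.add(flow)
            return "allow"
        return "deny"

def demo():
    # Constructed scenario: web server 10.0.1.10 behind both filters, internet
    # client 203.0.113.5; only HTTPS (443) is meant to be reachable.
    nacl = [Rule(100, "inbound", "0.0.0.0/0", (443, 443), "allow"),
            Rule(200, "inbound", "0.0.0.0/0", (0, 65535), "deny")]
    nacl_fixed = nacl + [Rule(100, "outbound", "0.0.0.0/0", (1024, 65535), "allow")]
    sg = SecurityGroup([Rule(1, "inbound", "0.0.0.0/0", (443, 443), "allow")])
    request = Packet("inbound", "203.0.113.5", 50000, "10.0.1.10", 443)
    reply = Packet("outbound", "10.0.1.10", 443, "203.0.113.5", 50000)
    return {"nacl_request": nacl_evaluate(nacl, request),
            "nacl_reply": nacl_evaluate(nacl, reply),  # stateless: no outbound rule
            "nacl_reply_fixed": nacl_evaluate(nacl_fixed, reply),
            "sg_request": sg.evaluate(request),
            "sg_reply": sg.evaluate(reply)}  # stateful: reply to tracked flow
```

The point the model makes: the NACL drops the server's reply until an explicit outbound rule for the client's ephemeral port range is added, while the security group passes the same reply because it remembers the connection it already allowed.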


  1. An awesome blog for the freshers. Thanks for posting this information.

  2. Well stated, you have furnished the right information that will be useful to everybody. Thank you for sharing your thoughts. Security measures protect your company not only from data breaches, but also from excessive financial losses, a loss of people's trust, and potential risks to brand reputation and future benefits.

  3. Very Informative and creative contents. This concept is a good way to enhance knowledge. Thanks for sharing. Continue to share your knowledge through articles like these.
