When working with AWS, understanding networking is crucial. From allocating IP addresses to securing connections, concepts like CIDR, VPCs, Internet Gateways, and NAT Gateways play a significant role. Let’s break them down in an easy-to-follow manner.
Classless Inter-Domain Routing (CIDR)
CIDR is a method for allocating IP addresses and defining IP ranges. It consists of two components:
- Base IP — The starting point of the range
- Subnet Mask — Defines how many IPs are available
Subnet masks are commonly represented as:
- /8 → 255.0.0.0
- /16 → 255.255.0.0
- /24 → 255.255.255.0
- /32 → 255.255.255.255 (Single IP)
The subnet mask determines how many addresses can be derived from the base IP. For example:
- /32 → 1 IP
- /31 → 2 IPs
- /16 → 65,536 IPs
- /0 → Allows all IPs
Key Considerations:
- CIDR blocks should not overlap.
- The maximum CIDR size in AWS is /16.
VPC (Virtual Private Cloud) in AWS
Every new AWS account comes with a default VPC. If you don’t specify a subnet when launching an instance, it will be placed in the default VPC, which has internet connectivity and assigns public IPv4 addresses to instances.
Essential Notes on VPC:
- VPC CIDR ranges should not overlap with other VPCs.
- A VPC can have a maximum of 5 CIDR blocks.
- AWS reserves 5 IP addresses per subnet, which cannot be assigned to instances:
- Network Address (e.g., 10.0.0.0)
- VPC Router (e.g., 10.0.0.1)
- Amazon DNS (e.g., 10.0.0.2)
- Future use (e.g., 10.0.0.3)
- Broadcast Address (e.g., 10.0.0.255) (not supported in AWS)
Internet Gateway (IGW)
An Internet Gateway allows resources inside a VPC to connect to the Internet. It is:
- Highly available and redundant
- Horizontally scalable
- Created separately from a VPC
Each VPC can only have one IGW attached. To enable internet access, you must also modify route tables accordingly.
Bastion Hosts
A Bastion Host is an EC2 instance in a public subnet that allows SSH access to private instances inside a VPC. The security group for a bastion host should:
- Allow inbound traffic on port 22
- Be restricted to a limited CIDR range for security
NAT Instances (Deprecated) and NAT Gateways
NAT (Network Address Translation) allows private subnet instances to connect to the internet.
NAT Instance (Deprecated)
- Must be launched in a public subnet
- Requires disabling source/destination check
- Needs an Elastic IP
NAT Gateway (Preferred)
- Fully managed by AWS
- Highly available and requires no administration
- Pay-per-hour pricing model
- Must be created in a public subnet
- Does not allow EC2 instances in the same subnet to use it
- Multi-AZ deployment is needed for fault tolerance
Security Groups vs. NACLs
Security Groups and NACLs control network traffic in AWS but function differently:
Security Groups (SG)
- Stateful — If traffic is allowed in, it’s automatically allowed out.
- Applied at the instance level.
Network ACLs (NACLs)
- Stateless — Each request must be explicitly allowed for both inbound and outbound.
- Applied at the subnet level.
- Each subnet can have only one NACL.
- Rules are numbered (1–32766) — Lower numbers have higher priority.
- If no rule matches, the request is denied by default.
- Default NACLs allow all inbound and outbound traffic; new NACLs deny everything initially.
- Useful for blocking specific IP addresses at the subnet level.
Ephemeral Ports
For two endpoints to communicate, they use ports. When a client connects to a service, it expects a response on an ephemeral port.
- Different OSs use different ephemeral port ranges (e.g., 1024–65535).
- When configuring security groups, you must allow ephemeral ports for returning traffic.
- For example, if a database sends a connection to an EC2 instance, you must allow 1024–65535 in the security group to accommodate the random ephemeral port.
TL;DR
- CIDR defines IP ranges using a base IP and subnet mask.
- AWS reserves 5 IPs per subnet that cannot be used.
- Each VPC can have a maximum of 5 CIDR blocks and should not overlap with others.
- Internet Gateway (IGW) enables public internet access but requires proper route table configurations.
- Bastion Hosts allow SSH access to private instances via a public instance.
- NAT Gateway is a managed service for private subnets to access the internet, replacing NAT instances.
- Security Groups (stateful) vs. NACLs (stateless) control traffic at different levels.
- Ephemeral ports are random ports assigned for network connections and must be allowed in security rules.
Networking in AWS can seem complex, but once you understand these basics, managing VPCs, security, and internet access becomes much easier. 🚀