I would rather talk about the actual compute engine (EC2), but oddly enough you need a network before you can really create one. Rather than relying on the default VPC, I will discuss the networking a bit first.
Amazon Web Services VPC
A virtual private cloud (VPC) is essentially all of the networking infrastructure you would need, in a virtual environment. When creating a network at home you really don't need very much:
- Internet gateway
- CIDR block
In a home network this usually boils down to a router that is connected to the internet. The CIDR block is usually one of the non-routable (RFC 1918 private) ranges. My home network is 192.168.178.0/24.
The process for creating a VPC on Amazon is pretty much the same:
- Create a VPC with a CIDR block for the entire network
- Create one or more subnets within that network
- Create an internet gateway
- Attach the gateway to the VPC
- Add a route from the VPC to the rest of the internet
- Set up any special firewall rules (network ACL)
- Create a security group
Before I cover all of the steps that are necessary for completely setting up a VPC, it is important to note that Amazon makes it really easy to set all of this up with much less effort. It is possible to create a default VPC, which creates everything that is necessary in one go (subnets, an internet gateway, the default route, and a default security group and network ACL).
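The whole procedure above, scripted with boto3 (the AWS SDK for Python), as an added example that is not part of the original article. The names and address ranges (samplevpc, a 192.168.0.0/16 VPC, a 192.168.1.0/24 subnet, an administrator source range of 203.0.113.0/24) are assumptions chosen for illustration; the stub client at the bottom exists only so the call sequence can be exercised without an AWS account, and is swapped for a real boto3 client when the script is run directly.

```python
"""Scripted VPC build-out with boto3 (added example, not the article's own code).

Names, CIDR blocks and the admin source range are assumptions for illustration.
"""
import ipaddress


def subnet_in_vpc(vpc_cidr, subnet_cidr):
    """AWS rejects a subnet whose CIDR is not inside the VPC CIDR; check first."""
    return ipaddress.ip_network(subnet_cidr).subnet_of(ipaddress.ip_network(vpc_cidr))


def build_vpc(ec2, name="samplevpc", vpc_cidr="192.168.0.0/16",
              subnet_cidr="192.168.1.0/24", admin_cidr="203.0.113.0/24"):
    """Run the setup steps in order and return the ids of what was created.

    ec2 is a boto3 EC2 client (or any object with the same methods, which is
    what makes the sequence testable offline).
    """
    if not subnet_in_vpc(vpc_cidr, subnet_cidr):
        raise ValueError(f"{subnet_cidr} is not inside {vpc_cidr}")

    # 1. VPC for the whole network, tagged with a friendly name
    vpc_id = ec2.create_vpc(CidrBlock=vpc_cidr)["Vpc"]["VpcId"]
    ec2.create_tags(Resources=[vpc_id], Tags=[{"Key": "Name", "Value": name}])
    # DNS hostnames are off by default and must be switched on afterwards if
    # instances are to get public DNS names (DNS support is a prerequisite).
    ec2.modify_vpc_attribute(VpcId=vpc_id, EnableDnsSupport={"Value": True})
    ec2.modify_vpc_attribute(VpcId=vpc_id, EnableDnsHostnames={"Value": True})

    # 2. One subnet; auto-assign public IPv4 so instances are reachable at all
    subnet_id = ec2.create_subnet(VpcId=vpc_id, CidrBlock=subnet_cidr)["Subnet"]["SubnetId"]
    ec2.modify_subnet_attribute(SubnetId=subnet_id, MapPublicIpOnLaunch={"Value": True})

    # 3 + 4. Internet gateway, which does nothing until attached to the VPC
    igw_id = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)

    # 5. The main route table only has the "local" route for the VPC CIDR,
    #    so add 0.0.0.0/0 -> internet gateway to reach everything else
    rtb_id = ec2.describe_route_tables(Filters=[
        {"Name": "vpc-id", "Values": [vpc_id]},
        {"Name": "association.main", "Values": ["true"]},
    ])["RouteTables"][0]["RouteTableId"]
    ec2.create_route(RouteTableId=rtb_id, DestinationCidrBlock="0.0.0.0/0", GatewayId=igw_id)

    # 6. Security group: SSH only from the admin range, never from 0.0.0.0/0
    sg_id = ec2.create_security_group(GroupName=f"{name}-ssh",
                                      Description="SSH from admin range",
                                      VpcId=vpc_id)["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=[{
        "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": admin_cidr, "Description": "admin"}],
    }])

    return {"vpc": vpc_id, "subnet": subnet_id, "igw": igw_id,
            "route_table": rtb_id, "sg": sg_id}


class FakeEC2:
    """Stand-in client (assumption for offline testing): records every call and
    hands back made-up ids. Replace with boto3.client("ec2") for a real run."""

    def __init__(self):
        self.calls = []

    def __getattr__(self, op):
        def call(**kwargs):
            self.calls.append((op, kwargs))
            return {
                "create_vpc": {"Vpc": {"VpcId": "vpc-0fake"}},
                "create_subnet": {"Subnet": {"SubnetId": "subnet-0fake"}},
                "create_internet_gateway": {"InternetGateway": {"InternetGatewayId": "igw-0fake"}},
                "describe_route_tables": {"RouteTables": [{"RouteTableId": "rtb-0fake"}]},
                "create_security_group": {"GroupId": "sg-0fake"},
            }.get(op, {})
        return call


if __name__ == "__main__":
    import boto3  # real run: needs credentials allowed to create VPC resources
    print(build_vpc(boto3.client("ec2")))
```

Running it against the fake client shows the order the steps must happen in: the gateway has to exist and be attached before the 0.0.0.0/0 route can point at it, and the DNS hostname and public IP settings are separate calls after the VPC and subnet exist.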
Create a VPC with a CIDR block for the entire network
All of the setup will be associated with the name samplevpc and a CIDR block in the 192.168.0.0/16 private range. It is also possible to create an IPv6 network as well, but as IPv6 addresses are pretty horrible to look at I will leave that off. It is enough to know that Amazon does also provide support for that new(ish) standard.
I question why Amazon didn't add one more check box on the VPC creation dialog box that asked if the VPC should support DNS hostnames. You need this if you want your EC2 instance (set up later) to be given a public DNS name; without it you can still reach the instance by its public IP address, whether with ssh, http or any other protocol, but not by name. Once you create your VPC you need to edit it to set this option.
Create one or more subnets for the network
This step can actually be performed as many times as necessary, depending on how many different subnets you want. This might be useful if you split up your setup into different logical networks, for example because you put different applications into different subnets, or to place firewall rules (network ACLs, covered below) between tiers with different permissions.
My same criticism of the VPC creation dialog extends to the creation of subnets. It should have been possible to add a checkbox to the subnet dialog for the auto-assignment of public IPv4 addresses. Without that setting, instances launched in the subnet get only a private address, and the internet gateway and route set up below cannot make them reachable from the internet.
Create an internet gateway
Creating the internet gateway is really not much of a process. The only real control you have is the user-friendly name for the gateway.
However, once the gateway is created it is not automatically associated with anything.
Attach the gateway to the VPC
Just select the VPC that should be associated with this gateway from the list. The process isn't difficult and, as it turns out, you can only attach one internet gateway to a VPC.
Add a route from the VPC to the rest of the internet
When first looking at the route table of the new VPC everything looks just fine: it contains a single "local" route for the VPC's own CIDR block.
What might not be apparent is that this local route lets any virtual machine talk to any other virtual machine in the VPC, but there is no route for destinations outside the VPC, so packets for the rest of the internet have nowhere to go.
Adding one route, destination 0.0.0.0/0 with the internet gateway as its target, is the small change that lets the virtual machines reach the internet and, together with a public IP address, lets the internet reach them as well.
Set up any special firewall rules / ACL
It is possible to set up a network access control list (ACL), which is essentially your own firewall at the subnet level. You determine which protocols can come in (and go out) on which ports from which addresses. ACL rules are numbered and evaluated in order, lowest number first, the first match wins, and anything no rule matches is denied. They are also stateless: the replies to a connection you allowed in must be allowed out explicitly, usually by an outbound rule for the ephemeral port range 1024-65535.
Create a security group
At first glance the AWS security group is really not that much different from the access control list setup: again you list protocols, ports and source ranges. The differences are that a security group is attached to the instance (its network interface) rather than to the subnet, contains only allow rules with no ordering, and is stateful: when an inbound connection is allowed, its replies are allowed back out without a matching outbound rule.
It is possible to use either the ACL or the security group for dealing with internal traffic and the other as the firewall to the actual internet, but note that both are applied to every packet. The usual layering is a coarse network ACL on the subnet and a tight security group per instance, for example SSH allowed only from your own address range rather than from 0.0.0.0/0.
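To make the stateless/stateful distinction concrete, here is a small evaluator written for this page (not taken from the article or from AWS) that applies constructed network ACL and security group rule sets to a TCP connection the way AWS documents the two mechanisms. The rule sets and addresses (203.0.113.0/24 as the administrator's range, 51515 as the client's ephemeral port) are made up for the example; the ordered first-match evaluation with a final deny for ACLs, and the unordered allow-only, stateful behaviour for security groups, are documented AWS behaviour.

```python
"""Network ACL vs security group semantics (added example, not from the article).

Rule sets below are constructed for illustration.
"""
import ipaddress

ADMIN = "203.0.113.0/24"   # assumed: where the administrator connects from
ANY = "0.0.0.0/0"

# Network ACL rules: (rule number, protocol, port from, port to, cidr, action)
NACL_IN = [
    (100, "tcp", 22, 22, ADMIN, "allow"),
    (110, "tcp", 80, 80, ANY, "allow"),
]
# Outbound ACL that forgot the ephemeral ports (1024-65535) replies are sent to
NACL_OUT_NO_EPHEMERAL = [(100, "tcp", 443, 443, ANY, "allow")]
NACL_OUT = NACL_OUT_NO_EPHEMERAL + [(110, "tcp", 1024, 65535, ANY, "allow")]

# Security group rules: (protocol, port from, port to, cidr); allow-only
SG_IN = [("tcp", 22, 22, ADMIN), ("tcp", 80, 80, ANY)]
SG_OUT = [("all", 0, 65535, ANY)]   # the default "allow all" egress rule


def rule_matches(r_proto, lo, hi, cidr, proto, port, ip):
    """A rule matches when protocol, port range and CIDR all match the packet."""
    if r_proto != "all" and r_proto != proto:
        return False
    if r_proto != "all" and not lo <= port <= hi:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def nacl_decision(rules, proto, port, ip):
    """Network ACL: lowest rule number first, first match wins, and the
    implicit final '*' rule denies anything nothing matched."""
    for num, r_proto, lo, hi, cidr, action in sorted(rules, key=lambda r: r[0]):
        if rule_matches(r_proto, lo, hi, cidr, proto, port, ip):
            return action == "allow"
    return False


def sg_decision(rules, proto, port, ip):
    """Security group: unordered allow rules; any match allows, nothing denies."""
    return any(rule_matches(r_proto, lo, hi, cidr, proto, port, ip)
               for r_proto, lo, hi, cidr in rules)


def tcp_session_allowed(inbound, outbound, stateful, client_ip, client_port, server_port):
    """Does a TCP connection from client_ip:client_port to server_port succeed?

    The SYN is checked against the inbound rules. The server's reply goes back
    to client_port: a stateful filter (security group) lets it through because
    the inbound packet was allowed; a stateless one (network ACL) evaluates it
    against the outbound rules as if it were brand-new traffic.
    """
    decide = sg_decision if stateful else nacl_decision
    if not decide(inbound, "tcp", server_port, client_ip):
        return False
    if stateful:
        return True
    return decide(outbound, "tcp", client_port, client_ip)


def shadowed_deny_example(deny_rule_number):
    """Rule order decides: a deny for one host inside the admin range only
    takes effect if its number is lower than the allow for the whole range."""
    rules = NACL_IN + [(deny_rule_number, "tcp", 22, 22, "203.0.113.7/32", "deny")]
    return nacl_decision(rules, "tcp", 22, "203.0.113.7")


if __name__ == "__main__":
    print("SG, SSH from admin:", tcp_session_allowed(SG_IN, SG_OUT, True, "203.0.113.5", 51515, 22))
    print("ACL, no ephemeral egress:", tcp_session_allowed(NACL_IN, NACL_OUT_NO_EPHEMERAL, False, "203.0.113.5", 51515, 22))
    print("ACL, with ephemeral egress:", tcp_session_allowed(NACL_IN, NACL_OUT, False, "203.0.113.5", 51515, 22))
    print("deny numbered 90 (before allow):", shadowed_deny_example(90))
    print("deny numbered 200 (after allow):", shadowed_deny_example(200))
```

The second case is the classic ACL mistake: SSH is allowed in, yet the session never completes because the stateless ACL drops the server's reply on the ephemeral port. The last two cases show why ACL rule numbers matter, which has no equivalent in a security group.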
Summary
All of this setup is required to create your own little network and attach it to the internet. It does seem like a lot of setup, but it only takes a few minutes, and it gives you the same control as setting up a router at home.
I will be using this network setup with a virtual computer (EC2) in my next article.