In this blog, we’ll explore the core services that underpin AWS networking. We’ll cover VPCs, subnets, route tables, internet gateways, NAT gateways, and transit gateways, along with two key security options: security groups and network access control lists (NACLs).
Let’s dive in.
Understanding AWS Virtual Private Cloud (VPC)
Virtual Private Clouds (VPCs) are simply containers that provide isolation for your AWS resources, such as EC2 instances. These virtual datacentres in the cloud are regional; they do not stretch across the global AWS infrastructure. A new AWS account is delivered with a default VPC that has a number of subnets configured. This is great if you are testing in AWS, but for production the default VPC would be removed and you would create your own. Communication between VPCs can be achieved through VPC peering, which allows services in different VPCs to talk to each other. Peering is a good solution when you have a small number of VPCs, but as your environment grows this type of connectivity becomes hard to manage. It also has limitations, the main one being that VPC peering does not allow transitive routing through a VPC. For example, if you have three VPCs A, B and C, with A peered to B and B peered to C, a service in VPC A that needs to talk to a service in VPC C cannot route via VPC B; you would need to peer A and C directly for this to work.
Subnets, Route Tables, Internet Gateways and NAT Gateways
Subnets
Subnets are created inside a VPC and are aligned to an Availability Zone (AZ) in the region where the VPC is located. Subnets can only be created inside the range defined at VPC creation. For example, if the IP range defined at the VPC level is 10.0.0.0/22, then only subnets that fall within that range can be created, so 10.0.4.0/24 would not be an allowed subnet in this VPC. Any AWS service that utilises an Elastic Network Interface (ENI) needs a subnet available to operate; EC2 instances, for example, communicate through ENIs, so when creating an EC2 instance you will be asked to select the subnet (and therefore the AZ) it should be created in. Best practice in AWS is to create subnets in each Availability Zone you use, and to keep public and private subnets separate.
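The range check described above (a subnet must sit inside the VPC CIDR) is easy to automate before anything is built. The following is an added example, not code from the original post: a small Python planner that uses the standard `ipaddress` module to check a proposed subnet list against the VPC range, and goes a little beyond the text by also flagging overlapping subnets, prefix lengths outside the /16 to /28 limits AWS imposes on IPv4 subnets, the five addresses AWS reserves in every subnet, and AZs that lack a public or private tier. The VPC range is the 10.0.0.0/22 from the text; the subnet names and AZ names are constructed sample data.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet
# (network address, VPC router, DNS resolver, reserved for future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5
# IPv4 subnets in a VPC must be between /16 and /28.
MIN_PREFIX, MAX_PREFIX = 16, 28


def validate_subnet_plan(vpc_cidr, subnets):
    """Check a list of (name, az, cidr) tuples against the VPC's CIDR.

    Returns {"errors": [...], "usable": {name: usable host addresses},
             "azs": {az: {tiers seen}}}. Names starting with "public" are treated
    as the public tier, everything else as private (a naming convention assumed
    for this example).
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    errors, usable, azs, accepted = [], {}, {}, []
    for name, az, cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        if not (MIN_PREFIX <= net.prefixlen <= MAX_PREFIX):
            errors.append(f"{name}: /{net.prefixlen} is outside the allowed /16-/28 range")
            continue
        if not net.subnet_of(vpc):
            errors.append(f"{name}: {cidr} is not inside the VPC range {vpc_cidr}")
            continue
        for other_name, other in accepted:
            if net.overlaps(other):
                errors.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        accepted.append((name, net))
        usable[name] = net.num_addresses - AWS_RESERVED_PER_SUBNET
        tier = "public" if name.startswith("public") else "private"
        azs.setdefault(az, set()).add(tier)
    # Best practice from the text: a public and a private subnet in every AZ used.
    for az, tiers in azs.items():
        for tier in ("public", "private"):
            if tier not in tiers:
                errors.append(f"{az}: no {tier} subnet")
    return {"errors": errors, "usable": usable, "azs": azs}


# Constructed sample plan using the 10.0.0.0/22 VPC from the text.
SAMPLE_VPC = "10.0.0.0/22"
SAMPLE_SUBNETS = [
    ("public-a",  "eu-west-2a", "10.0.0.0/24"),
    ("public-b",  "eu-west-2b", "10.0.1.0/24"),
    ("private-a", "eu-west-2a", "10.0.2.0/24"),
    ("private-b", "eu-west-2b", "10.0.4.0/24"),   # outside the VPC, as in the text
    ("data-a",    "eu-west-2a", "10.0.2.128/25"), # overlaps private-a
]

if __name__ == "__main__":
    result = validate_subnet_plan(SAMPLE_VPC, SAMPLE_SUBNETS)
    for err in result["errors"]:
        print("ERROR:", err)
    for name, hosts in result["usable"].items():
        print(f"{name}: {hosts} usable addresses")
```

Running it reports that 10.0.4.0/24 is not inside the VPC range, that data-a overlaps private-a, and that eu-west-2b has no private subnet; each accepted /24 has 251 usable addresses once the reserved five are taken off.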
Route Tables
When a VPC is created, a default route table is created with it, and every subnet created in the VPC is automatically associated with that route table. You do not have to use the default table, however; good design practice is to create multiple route tables and associate subnets with them appropriately. Multiple route tables allow traffic within the VPC to be separated, whether by environment (Prod/Non-Prod/Test) or by tier (Public/Private). No single way is correct, and this is always a discussion during design to arrive at a strategy that suits the environment. Routes are added to route tables to direct traffic appropriately: a default route to the internet, a summarised route to on-premises resources, or a route to services in another AWS VPC via a peering connection.
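To make the public/private split concrete, here is an added example (not from the original post) that models the three kinds of route the paragraph lists in Python and resolves destinations the way AWS does: the `local` route for the VPC CIDR is always present, and the most specific (longest prefix) matching route wins. The VPC range is the 10.0.0.0/22 from the text; the `igw-`, `nat-`, `pcx-` and `vgw-` target IDs are placeholders standing in for real gateway, NAT gateway, peering and virtual private gateway IDs.

```python
import ipaddress


def build_route_table(vpc_cidr, routes):
    """Model an AWS route table: the 'local' route for the VPC CIDR is always
    present and cannot be removed; 'routes' is a list of (destination, target)."""
    table = [(ipaddress.ip_network(vpc_cidr), "local")]
    for dest, target in routes:
        table.append((ipaddress.ip_network(dest), target))
    return table


def lookup(table, dst_ip):
    """Return the target of the most specific (longest prefix) route matching
    dst_ip, or None when nothing matches and the packet is dropped."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# Constructed tables for a 10.0.0.0/22 VPC; the target IDs are placeholders.
PUBLIC_RT = build_route_table("10.0.0.0/22", [
    ("0.0.0.0/0", "igw-PLACEHOLDER"),       # default route to the internet
    ("10.1.0.0/16", "pcx-PLACEHOLDER"),     # peered VPC
    ("192.168.0.0/16", "vgw-PLACEHOLDER"),  # summarised on-premises route
])
PRIVATE_RT = build_route_table("10.0.0.0/22", [
    ("0.0.0.0/0", "nat-PLACEHOLDER"),       # outbound only, via the NAT gateway
    ("10.1.0.0/16", "pcx-PLACEHOLDER"),
])
ISOLATED_RT = build_route_table("10.0.0.0/22", [])  # local route only


if __name__ == "__main__":
    for ip in ("10.0.1.20", "10.1.5.5", "192.168.20.1", "93.184.216.34"):
        print(ip, "public:", lookup(PUBLIC_RT, ip),
              "private:", lookup(PRIVATE_RT, ip),
              "isolated:", lookup(ISOLATED_RT, ip))
```

The same public and private subnet addresses resolve to `local` in every table, while an internet address goes to the Internet Gateway from the public table, to the NAT Gateway from the private table, and nowhere at all from the isolated table. Transit Gateway route tables, covered later in the post, resolve routes with the same longest-prefix rule.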
Internet Gateways
Getting access to the internet from a VPC requires an Internet Gateway. Internet Gateways are attached to VPCs and, together with an associated route, give that VPC internet access. There are two types. The first is the standard Internet Gateway, which is redundant, scalable and highly available, with all of those elements managed by AWS for us. The second is the Egress-Only Internet Gateway, which is specifically for IPv6 traffic: it allows IPv6 subnets access out to the internet but blocks inbound traffic, which makes it ideal for private subnets. This service is likewise redundant, scalable, highly available and managed by AWS.
NAT Gateways
NAT Gateways are a managed AWS service that scales with your traffic needs. Private subnets have no access to the internet, but there are times when servers need to reach out for updates, contact third-party services and so on. To enable this, NAT Gateways can be deployed into the public subnets, giving the private subnets access to services on the internet. The service allows outbound-only connections: external services cannot initiate contact with instances on the private subnets via the NAT Gateway. To ensure resiliency, multiple NAT Gateways should be deployed across a number of Availability Zones to protect against AZ failures.
Transit Gateways
AWS Transit Gateway is a highly scalable and centralised network hub that simplifies connectivity between Amazon Virtual Private Clouds (VPCs), on-premises networks, and even other AWS accounts. Instead of creating complex peering relationships between each VPC, the Transit Gateway acts as a central router, allowing all connected networks to communicate through a single gateway. It supports both IP routing and multicast, and it integrates with AWS Direct Connect and VPNs for hybrid cloud architectures. By using route tables within the Transit Gateway, you can control how traffic flows between connected networks, improving manageability, scalability and security in large-scale environments. Just like a traditional network router, you can create Transit Gateway Route Tables (like Virtual Routing and Forwarding instances, or VRFs, on traditional routers) that help to separate traffic and routing paths for different environments, customers or applications, however you decide to separate your traffic.
Security Groups and NACLs
Security Groups
Security Groups are a set of access rules that you attach to an Elastic Network Interface (ENI). They protect services and govern what traffic can reach those services according to the rule base defined in the group; in essence, security groups provide access control at the network interface. ENIs are created for services such as EC2 instances, Lambda functions, Amazon RDS and so on, and are hosted in your VPC subnets. Security Groups only permit traffic; they do not deny. They are also stateful: when traffic is permitted through because it matches an allow rule in the group, the return traffic is automatically allowed and does not require a reverse rule. Security Groups form part of a multi-layered security approach within AWS.
NACLs
Network Access Control Lists are a little different to security groups. Firstly, they are not stateful, which means you need rules defined for the return traffic you expect; normally this will be the ephemeral ports (1025-65535). Secondly, NACLs allow you to define ‘deny’ statements in the rule base, which provides another level of control. By default, when a VPC is created a default NACL is created and all subnets are associated with it, so when designing and building an AWS environment it is important to create new NACLs, decide where they are needed and which subnets will be associated with them. NACLs operate at the subnet level and permit or block traffic as it enters or leaves the subnet. This gives a further level of control, ensuring unwanted traffic never reaches the ENI of your services, and again adds to the multi-layered security approach in AWS.
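The stateful/stateless distinction in the Security Groups and NACLs sections above is the one that catches people out in practice, so here is an added example (not code from the original post) that models both layers in Python and traces one HTTPS round trip through them. The security group tracks admitted flows and lets replies out without a reverse rule; the NACL checks every packet against its numbered rules in ascending order, first match wins, with an implicit deny at the end. Three constructed NACLs are compared: one with the ephemeral outbound rule the text calls for (using the 1025-65535 range as quoted there), one that mirrors the inbound 443 rule instead and so drops the replies, and one that uses a low-numbered deny rule to drop a source range before the security group is ever consulted. The instance address 10.0.1.20 and the client addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


@dataclass
class Rule:
    protocol: str          # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str              # remote address range the rule applies to
    action: str = "allow"  # NACL rules may be "deny"; security groups only allow

    def matches(self, protocol, port, remote_ip):
        return (self.protocol in ("all", protocol)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))


class Nacl:
    """Stateless subnet filter: every packet, return traffic included, is checked
    against numbered rules in ascending order; first match wins, no match = deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r[0])    # [(number, Rule)]
        self.outbound = sorted(outbound, key=lambda r: r[0])

    def allows(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        remote_ip = pkt.src_ip if direction == "in" else pkt.dst_ip
        for _, rule in rules:
            if rule.matches(pkt.protocol, pkt.dst_port, remote_ip):
                return rule.action == "allow"
        return False


class SecurityGroup:
    """Stateful allow-only filter on the ENI: once a packet is admitted by a rule
    the flow is tracked, and replies are allowed without a reverse rule."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound, self.flows = inbound, outbound, set()

    def allows(self, pkt, direction):
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return True  # reply to a connection we already admitted
        rules = self.inbound if direction == "in" else self.outbound
        remote_ip = pkt.src_ip if direction == "in" else pkt.dst_ip
        if any(r.matches(pkt.protocol, pkt.dst_port, remote_ip) for r in rules):
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False


def trace(pkt, direction, nacl, sg):
    """Inbound packets meet the subnet NACL first and then the ENI's security
    group; outbound packets the reverse. Returns (accepted, [(layer, verdict)])."""
    layers = [("nacl", nacl), ("sg", sg)] if direction == "in" else [("sg", sg), ("nacl", nacl)]
    steps = []
    for name, layer in layers:
        ok = layer.allows(pkt, direction)
        steps.append((name, "allow" if ok else "deny"))
        if not ok:
            return False, steps
    return True, steps


ANY_TCP_443 = Rule("tcp", 443, 443, "0.0.0.0/0")
EPHEMERAL_OUT = Rule("tcp", 1025, 65535, "0.0.0.0/0")  # ephemeral range as quoted in the text


def web_sg():
    """Constructed security group for a web instance: 443 in, anything out."""
    return SecurityGroup(inbound=[ANY_TCP_443], outbound=[Rule("all", 0, 65535, "0.0.0.0/0")])


# Correct NACL: 443 in, ephemeral ports out so that replies can leave the subnet.
GOOD_NACL = Nacl(inbound=[(100, ANY_TCP_443)], outbound=[(100, EPHEMERAL_OUT)])
# Common mistake: mirroring the inbound rule instead of opening the ephemeral range.
MIRRORED_NACL = Nacl(inbound=[(100, ANY_TCP_443)], outbound=[(100, ANY_TCP_443)])
# Explicit deny for one source range, evaluated first because of its lower rule number.
BLOCKLIST_NACL = Nacl(inbound=[(50, Rule("all", 0, 65535, "198.51.100.0/24", "deny")),
                               (100, ANY_TCP_443)],
                      outbound=[(100, EPHEMERAL_OUT)])


def https_round_trip(nacl, client_ip="203.0.113.10"):
    """One HTTPS request from client_ip to the instance at 10.0.1.20 and, if it
    got through, the instance's reply. Returns (request_ok, reply_ok, reply_steps)."""
    sg = web_sg()
    request = Packet(client_ip, 50000, "10.0.1.20", 443)
    req_ok, _ = trace(request, "in", nacl, sg)
    if not req_ok:
        return False, False, []
    reply = Packet("10.0.1.20", 443, client_ip, 50000)
    rep_ok, rep_steps = trace(reply, "out", nacl, sg)
    return req_ok, rep_ok, rep_steps


if __name__ == "__main__":
    for name, nacl in (("good", GOOD_NACL), ("mirrored", MIRRORED_NACL)):
        print(name, https_round_trip(nacl))
    print("blocklisted client:", https_round_trip(BLOCKLIST_NACL, "198.51.100.7"))
```

With the mirrored NACL the request is accepted by both layers and the reply is passed by the security group's flow tracking, yet it is still dropped at the subnet boundary because port 50000 matches no outbound NACL rule; that is exactly the symptom (connections that half-open and then hang) that a missing ephemeral rule produces. The blocklist case shows the NACL's deny being applied before the security group is consulted, which no security group on its own can express.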
Combined Overview
Below is a diagram that illustrates how all of the above combine to provide a usable environment.