For organizations moving infrastructure or other sensitive services to the cloud, a VPC is a requirement. Here's how to get your VPC set up in seven steps with AWS.
Virtual Private Clouds (VPCs) give you an isolated private network inside AWS, which makes firewall management (security groups and network ACLs) much easier. Because traffic between your resources stays inside the VPC instead of crossing the public internet, they also save bandwidth and take load off your edge routers, switches and firewalls, all of which makes them a must-have for organizations handling sensitive data or cloud-based assets. Amazon Web Services (AWS) makes setting up a VPC fairly straightforward, provided you've done your homework and know which of the four primary design arrangements (the scenarios offered by the VPC wizard: public subnet only, public and private subnets, public and private subnets with a hardware VPN, and private subnet only with a hardware VPN) you need. Of those four, this post steps you through what's needed to set up a VPC with both public and private subnets.
Step 1: Design considerations for your VPC
It is very important to plan the design of your VPC up front. Here are a few points to consider before embarking on your VPC creation journey.
• Before actually creating a VPC, give careful consideration to your IP address range. All networks need IP addresses, and AWS lets you choose your own IPv4 CIDR block (and optionally an IPv6 block). Pick the IPv4 range from the private address space defined in RFC 1918 (10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16), and make sure it does not overlap your on-premises networks or any other VPC you may later need to peer with. Also keep in mind that sizing the block correctly at the beginning is very important: the primary CIDR block cannot be changed after the VPC is created (you can only add secondary blocks later). AWS accepts blocks between /16 and /28; a /16, the largest, gives you 65,536 IP addresses.
• You need to understand your High Availability (HA) requirements when designing your AWS VPC. Your VPC resides in one AWS Region, and each Region is divided into Availability Zones (AZs), each made up of one or more data centers. The AZs in a Region are physically separated and have independent power, cooling and networking. It is intentionally designed this way so that a failure in one AZ does not take down the others.
In the example below, the VPC lives in the Dublin Region (eu-west-1), which has the Availability Zones eu-west-1a, eu-west-1b and eu-west-1c, and the VPC block is 172.31.0.0/16. A subnet belongs to exactly one AZ, so to take advantage of HA you create a subnet in each AZ and spread your instances across them (for example behind a load balancer or in an Auto Scaling group); if one AZ fails, the instances in the other AZs keep serving traffic. Nothing is moved between subnets automatically. In the example, the three subnets are 172.31.0.0/24, 172.31.1.0/24 and 172.31.2.0/24 (0.x, 1.x and 2.x), so anything sent to a 172.31.0.x address is routed to that particular asset in the eu-west-1a AZ, and so on.
• A /24 per subnet is the usual choice and the one used here. Normally a /24 gives you 256 IP addresses, but in a VPC a /24 yields only 251 usable addresses, because AWS reserves five addresses in every subnet: the first four (the network address, the VPC router, the Amazon DNS server and one reserved for future use) and the last one (the network broadcast address).
About IPv4 and IPv6 CIDR blocks: networks do not work without IP addresses. They specify where the information is coming from and where it is going.
CIDR, short for Classless Inter-Domain Routing, adds another layer to IP addressing. CIDR replaced the older classful (Class A/B/C) scheme: a single CIDR block designates a contiguous range of addresses. It looks like a normal IP address except that it ends with a slash followed by a number, the prefix length, which says how many leading bits identify the network. CIDR reduces the size of routing tables and lets organizations carve up address space in sizes that fit their needs instead of fixed classes.
A CIDR network address looks like this under IPv4: 192.30.192.0/18
The "192.30.192.0" is the network address itself and the "18" says that the first 18 bits are the network part of the address, leaving the last 14 bits for specific host addresses (16,384 addresses). The host bits of a network address must all be zero, so a notation such as 192.30.250.0/18 does not name a network: 192.30.250.0 is an address inside the block 192.30.192.0/18, and AWS expects the block to be written in its aligned form.
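The sizing rules from Step 1 (RFC 1918 range, /16 to /28 VPC block, one /24 per tier and AZ, five reserved addresses per subnet) and the CIDR alignment point above can be checked mechanically before you touch the console. The following planner is an added example written for this post, not AWS code; the AZ names, the tier names ("public", "private", "db") and the VPC block are taken from the article's example, and it uses only the Python standard library.

```python
"""Plan and validate the VPC address layout described in Step 1 (added example)."""
import ipaddress

# Private address space defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# AWS reserves five addresses in every subnet: the first four and the last one.
AWS_RESERVED_PER_SUBNET = 5


def normalize_cidr(cidr):
    """Clear the host bits so the notation names a network: 192.30.250.0/18 -> 192.30.192.0/18."""
    return str(ipaddress.ip_network(cidr, strict=False))


def is_rfc1918(cidr):
    """True if the whole block lies inside one of the RFC 1918 private ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)


def reserved_addresses(subnet_cidr):
    """The five addresses AWS reserves: network, VPC router, DNS, future use, broadcast."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


def usable_hosts(subnet_cidr):
    """Addresses you can actually assign in a subnet of this size (251 for a /24)."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, azs, tiers, prefix=24):
    """Carve one /prefix subnet per (tier, AZ) pair out of the VPC block, in order.

    Returns {(tier, az): subnet_cidr}. Raises ValueError for a block AWS would reject,
    for non-private address space, or when the block is too small for the plan.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)  # strict: host bits must be zero
    if vpc.version != 4 or not 16 <= vpc.prefixlen <= 28:
        raise ValueError("AWS VPC IPv4 block must be between /16 and /28")
    if not is_rfc1918(str(vpc)):
        raise ValueError(f"{vpc} is not RFC 1918 private address space")
    if prefix < vpc.prefixlen or prefix > 28:
        raise ValueError("subnet prefix must be between the VPC prefix and /28")
    needed = len(tiers) * len(azs)
    available = 2 ** (prefix - vpc.prefixlen)
    if needed > available:
        raise ValueError(f"{vpc} holds only {available} /{prefix} subnets, {needed} needed")
    blocks = vpc.subnets(new_prefix=prefix)
    return {(tier, az): str(next(blocks)) for tier in tiers for az in azs}


if __name__ == "__main__":
    # The article's example: three AZs in eu-west-1, three tiers, one /24 each.
    plan = plan_subnets("172.31.0.0/16", ["eu-west-1a", "eu-west-1b", "eu-west-1c"],
                        ["public", "private", "db"])
    for (tier, az), cidr in plan.items():
        print(f"{tier:8} {az:12} {cidr:18} usable hosts: {usable_hosts(cidr)}")
```

Running it gives the public tier 172.31.0.0/24, 172.31.1.0/24 and 172.31.2.0/24 across the three AZs (the 0.x, 1.x and 2.x subnets above), with the private and DB tiers following in the next six /24s; each subnet reports 251 usable hosts.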
The new VPC, named "first vpc", has been created. (This is a VPC you create yourself, distinct from the default VPC AWS provisions in every Region.)
You can create multiple subnets by specifying the details of each one: a Name tag, the VPC it belongs to, an optional Availability Zone (if you leave it blank AWS picks one), and its CIDR block, which must lie within the VPC's CIDR block and must not overlap any existing subnet.
Step 5: Create Private subnet for your database server
After creating your public and private subnets, you'll also need to create an additional private subnet for your database server (the DB private subnet), following your design architecture. Keeping the database in its own subnet lets you give it its own route table and network ACL, separate from the application servers that talk to it.
Step 6: Create Route Tables
Route tables consist of a set of rules, called routes, that determine where network traffic is directed. When several routes match a destination, the most specific one (the longest prefix) wins.
Each subnet in your VPC must be associated with a route table; the table controls the routing for the subnet. A subnet can be associated with only one route table at a time, but you can associate multiple subnets with the same route table.
Viewing and creating route tables is done from the Route Tables option in the left-hand menu of the VPC Dashboard. Select it, then click "Create Route Table" in the panel that opens.
Main Route Tables- A main route table is created automatically for each VPC. The main route table controls the routing for all subnets that are not explicitly associated with any other route table. You can add, remove, and modify routes in the main route table.
You can explicitly associate a subnet with the main route table, even if it's already implicitly associated. You might do that if you change which table is the main route table, since that changes the default for new subnets and for any subnets that are not explicitly associated with another route table.
Custom Route Tables- Your VPC can have route tables other than the default table. One way to protect your VPC is to leave the main route table in its original default state (with only the local route) and explicitly associate each new subnet you create with one of the custom route tables you've created. This ensures that you explicitly control how each subnet routes outbound traffic: a subnet someone forgets to associate falls back to the main table and therefore has no path to the internet. In the public-and-private design used here that means three custom tables: the public subnets' table has a default route (0.0.0.0/0) to the internet gateway, the private subnets' table sends its default route to a NAT gateway for outbound-only access, and the DB subnet's table keeps only the local route.
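To make the routing behaviour above concrete (one association per subnet, implicit fallback to the main table, longest-prefix matching, and why leaving the main table with only the local route is a safeguard), here is a small model of route-table resolution. It is an added example written for this post, not AWS code: the subnet blocks, table names and the target labels "igw" and "nat" are this example's assumptions standing in for real gateway IDs, and the whole thing runs offline.

```python
"""Toy model of VPC route-table resolution (added example, not AWS code)."""
import ipaddress

LOCAL = "local"


class RouteTable:
    def __init__(self, name, vpc_cidr):
        self.name = name
        # Every table starts with the local route for the VPC block; AWS does not let you remove it.
        self.routes = [(ipaddress.ip_network(vpc_cidr), LOCAL)]

    def add_route(self, dest_cidr, target):
        self.routes.append((ipaddress.ip_network(dest_cidr), target))

    def has_default_route(self):
        """True if the table carries a 0.0.0.0/0 route, i.e. a path out of the VPC."""
        return any(net.prefixlen == 0 for net, _ in self.routes)

    def lookup(self, dst_ip):
        """Target for dst_ip by longest-prefix match; None means no route (packet dropped)."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net, target) for net, target in self.routes if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)[1]


class Vpc:
    def __init__(self, cidr):
        self.cidr = cidr
        self.main = RouteTable("main", cidr)   # AWS creates this automatically, local route only
        self.subnets = []
        self.associations = {}                 # subnet_cidr -> RouteTable (explicit associations)

    def add_subnet(self, cidr):
        self.subnets.append(cidr)

    def create_route_table(self, name):
        return RouteTable(name, self.cidr)

    def associate(self, subnet_cidr, table):
        """A subnet has one association at a time; associating again replaces the old one."""
        self.associations[subnet_cidr] = table

    def route_table_for(self, subnet_cidr):
        """An explicit association wins; otherwise the subnet implicitly uses the main table."""
        return self.associations.get(subnet_cidr, self.main)

    def next_hop(self, subnet_cidr, dst_ip):
        return self.route_table_for(subnet_cidr).lookup(dst_ip)

    def subnets_with_internet_egress(self):
        """Audit helper: every subnet whose effective table has a default route."""
        return [s for s in self.subnets if self.route_table_for(s).has_default_route()]


def build_example_vpc():
    """The public / private / DB layout from this post, plus one subnet nobody associated."""
    vpc = Vpc("172.31.0.0/16")
    public = vpc.create_route_table("public")
    public.add_route("0.0.0.0/0", "igw")       # public tier: default route to the internet gateway
    private = vpc.create_route_table("private")
    private.add_route("0.0.0.0/0", "nat")      # private tier: outbound only, via a NAT gateway
    db = vpc.create_route_table("db")          # DB tier: local route only, no path to the internet
    for cidr, table in (("172.31.0.0/24", public), ("172.31.10.0/24", private), ("172.31.20.0/24", db)):
        vpc.add_subnet(cidr)
        vpc.associate(cidr, table)
    vpc.add_subnet("172.31.30.0/24")            # created later and never explicitly associated
    return vpc


if __name__ == "__main__":
    vpc = build_example_vpc()
    for subnet in vpc.subnets:
        table = vpc.route_table_for(subnet)
        print(f"{subnet:16} table={table.name:8} to 203.0.113.9 -> {vpc.next_hop(subnet, '203.0.113.9')}")
    print("subnets with internet egress:", vpc.subnets_with_internet_egress())
```

With the main table left in its default state, the forgotten 172.31.30.0/24 subnet has no route to the internet and does not show up in the egress audit. Add a 0.0.0.0/0 route to the main table instead, and that same subnet silently gains internet egress, which is exactly the failure mode the custom-table practice is meant to prevent.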
Step 7: Associate the route tables with your subnets
Associate each subnet with the custom route table you created for its tier in Step 6 (public, private and DB), leaving the main route table untouched. Your basic VPC setup is now complete!