@jialin.huang

© 2024 jialin00.com

Original content since 2022


AWS VPC — How Network Traffic Travels Through Components

TL;DR

In a VPC, the Internet Gateway is the connection to the internet. Route Tables direct traffic within the VPC and to the IGW. Subnets organize resources and are protected by NACLs at the subnet level and by Security Groups at the instance level. A public subnet is one whose Route Table has a route to an IGW, which is what allows it to communicate with the internet.

VPC Main Components

  1. Internet Gateway (IGW): The VPC's connection to the internet
  2. Route Table (RT): Determines where traffic should be directed

    Example entries:

    • 0.0.0.0/0 igw-xxxxx: Route all non-local traffic through the Internet Gateway to reach the internet
    • 10.0.0.0/24 local: Direct traffic to addresses inside the VPC's own CIDR (the local route is present by default and cannot be removed)
  3. Subnets: Associated with route tables and NACLs
  4. Network Access Control List (NACL): Controls inbound and outbound traffic at the subnet level
  5. Security Group (SG): Acts as a firewall for EC2 instances

The VPC router often seen in architecture diagrams is actually an abstraction representing the route tables.

Abbreviations

  • IGW: Internet Gateway
  • RT: Route Table
  • SG: Security Group
  • NACL: Network Access Control List

SG vs. NACL

| Aspect | SG | NACL |
| --- | --- | --- |
| State | Stateful: if you allow port 80 inbound, the reply traffic is automatically allowed outbound. | Stateless: inbound and outbound rules must be set separately. |
| Sources / destinations | Can specify a CIDR, an IP, or another security group. | Can only specify a CIDR. Each subnet can be associated with only one NACL. |
| Rule types | Allow rules only (inbound/outbound). | Allow and deny rules (inbound/outbound). |
| How rules are evaluated | All rules are evaluated; any matching allow rule permits the traffic. | Rules are numbered from 1 to 32766 and evaluated in order, starting with the lowest number; the first match wins. |

"SG is stateful" may sound a bit strange, right? If my inbound rules allow port 80 but my outbound rules don't mention port 80, isn't that contradictory?

If you had a security group that allowed port 80 inbound but not outbound, the server using that security group would be able to act as a web server for web clients, but you would not be able to access the internet on port 80 from inside it.

https://www.reddit.com/r/AWSCertifications/comments/nmifcn/security_groups_purpose_of_inbound_and_outbound/

Typical VPC Setup Scenario

When a VPC is created, it comes with default NACL, Route Table, and Internet Gateway.

Subnets can be

  1. associated with these default components
  2. or with a custom RT and NACL.

Subnets cannot directly associate with an IGW; the association is through the RT. (Subnet → RT → IGW)

Multiple RTs can be associated with the same IGW within a VPC.

Public Subnet Definition

A public subnet is defined by its Route Table configuration. It MUST have an entry that routes traffic to an Internet Gateway. This is crucial for allowing resources in the subnet to communicate with the internet, regardless of other components.
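The route-table behaviour described in the component list and in the public-subnet definition above, modelled as an added example (this is not the post's own code and not an AWS API): a route table always carries the local route for the VPC CIDR, the most specific matching prefix wins, a subnet counts as public when its table has a route targeting an IGW, and several tables can point at the same IGW. The VPC CIDR, addresses and the `igw-…` id are constructed placeholders; `RouteTable`, `next_hop` and `route_table_scenario` are names chosen for this example.

```python
import ipaddress
from typing import List, Optional, Tuple

LOCAL = "local"


class RouteTable:
    """A VPC route table: destination CIDR -> target, resolved by most specific match."""

    def __init__(self, vpc_cidr: str, routes: List[Tuple[str, str]] = ()):
        # Every route table starts with the local route for the VPC CIDR; it cannot be removed.
        self.routes = [(ipaddress.ip_network(vpc_cidr), LOCAL)]
        for dest, target in routes:
            self.add_route(dest, target)

    def add_route(self, dest: str, target: str) -> None:
        net = ipaddress.ip_network(dest)
        if net == self.routes[0][0]:
            raise ValueError("the local route for the VPC CIDR cannot be replaced")
        self.routes.append((net, target))

    def lookup(self, dst_ip: str) -> Optional[str]:
        """Target for dst_ip, preferring the longest matching prefix; None if unroutable."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net, target) for net, target in self.routes if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def is_public(self) -> bool:
        """The post's definition: a subnet is public iff its route table routes to an IGW."""
        return any(target.startswith("igw-") for _, target in self.routes)


def next_hop(rt: RouteTable, dst_ip: str) -> str:
    """Egress decision for a packet leaving an instance in a subnet that uses rt."""
    target = rt.lookup(dst_ip)
    if target is None:
        return "no route"
    return "stays in VPC" if target == LOCAL else f"forwarded to {target}"


def route_table_scenario() -> dict:
    # Constructed ids: one VPC, one IGW, two public tables sharing that IGW, one private table.
    igw = "igw-0123456789abcdef0"
    public_a = RouteTable("10.0.0.0/16", [("0.0.0.0/0", igw)])
    public_b = RouteTable("10.0.0.0/16", [("0.0.0.0/0", igw)])
    private = RouteTable("10.0.0.0/16")  # only the local route: no path to the internet
    return {
        "public_a_is_public": public_a.is_public(),
        "public_b_is_public": public_b.is_public(),
        "private_is_public": private.is_public(),
        "intra_vpc": next_hop(public_a, "10.0.1.5"),  # matches /16 and /0; the /16 wins
        "internet_from_public": next_hop(public_a, "8.8.8.8"),
        "internet_from_private": next_hop(private, "8.8.8.8"),
    }


if __name__ == "__main__":
    for name, result in route_table_scenario().items():
        print(f"{name}: {result}")
```

A route to the IGW is necessary but, on its own, not sufficient for an instance to talk to the internet: the instance also needs a public or Elastic IP for the IGW to translate, and its NACL and SG must allow the traffic. The model above only answers the routing question.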

External Traffic Flow to EC2 Instances

  1. Internet Gateway (IGW): Entry point for external requests
  2. VPC: IGW routes traffic to the appropriate subnet based on the VPC network configuration
  3. Subnet: Traffic is filtered by the associated NACL
  4. If traffic passes the NACL, it is then checked by the SG of the target resource
  5. Traffic finally reaches the target resource (e.g. an instance)

Note: External incoming traffic doesn't pass through the RT. RTs primarily control traffic originating from within the VPC or moving between subnets.
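The inbound flow above (NACL at the subnet, then SG at the instance), together with the SG vs. NACL table and the Reddit explanation of why a stateful SG with only an inbound port 80 rule still works for a web server, as an added example that is not part of the original post. It models a NACL as an ordered, stateless, first-match rule list ending in an implicit deny, and an SG as an allow-only rule set whose connection tracking admits replies to accepted flows. The addresses, ports, rule numbers and `sg-…` id are constructed for the demo; `nacl_decision`, `SecurityGroup`, `inbound_path`, `outbound_path` and the scenario functions are names chosen here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int      # 1..32766; the trailing "*" rule is the implicit deny in nacl_decision
    proto: str       # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str        # NACL rules can only name a CIDR
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    proto: str
    port_from: int
    port_to: int
    source: str      # a CIDR or another security group id (sg-...)


def _peer(pkt: Packet, direction: str) -> str:
    # Inbound rules are matched against the sender, outbound rules against the destination.
    return pkt.src_ip if direction == "inbound" else pkt.dst_ip


def nacl_decision(rules: List[NaclRule], pkt: Packet, direction: str) -> bool:
    """Stateless and ordered: lowest number first, first match wins, then implicit deny."""
    peer = ipaddress.ip_address(_peer(pkt, direction))
    for r in sorted(rules, key=lambda r: r.number):
        if (r.proto in (pkt.proto, "all") and r.port_from <= pkt.dst_port <= r.port_to
                and peer in ipaddress.ip_network(r.cidr)):
            return r.action == "allow"
    return False


class SecurityGroup:
    def __init__(self, sg_id: str, inbound: List[SgRule] = (), outbound: List[SgRule] = ()):
        self.id = sg_id
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._flows: Set[Tuple] = set()  # connection tracking state: this is what makes an SG stateful

    def _matches(self, rules, pkt, direction, peer_sg):
        peer = _peer(pkt, direction)
        for r in rules:  # every rule is evaluated; there are no deny rules, so any match allows
            if r.proto not in (pkt.proto, "all") or not (r.port_from <= pkt.dst_port <= r.port_to):
                continue
            if r.source.startswith("sg-"):
                if r.source == peer_sg:
                    return True
            elif ipaddress.ip_address(peer) in ipaddress.ip_network(r.source):
                return True
        return False

    def decide(self, pkt: Packet, direction: str, peer_sg: str = None) -> bool:
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self._flows:  # reply to a tracked flow: allowed regardless of rules
            return True
        rules = self.inbound if direction == "inbound" else self.outbound
        if self._matches(rules, pkt, direction, peer_sg):
            self._flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return True
        return False


def inbound_path(pkt: Packet, nacl_in: List[NaclRule], sg: SecurityGroup) -> str:
    """Steps 3-5 of the post's inbound flow: subnet NACL first, then the instance SG."""
    if not nacl_decision(nacl_in, pkt, "inbound"):
        return "dropped by NACL"
    if not sg.decide(pkt, "inbound"):
        return "dropped by SG"
    return "delivered"


def outbound_path(pkt: Packet, nacl_out: List[NaclRule], sg: SecurityGroup) -> str:
    """Leaving the instance: SG first, then the subnet NACL."""
    if not sg.decide(pkt, "outbound"):
        return "dropped by SG"
    if not nacl_decision(nacl_out, pkt, "outbound"):
        return "dropped by NACL"
    return "sent"


def web_server_scenario() -> dict:
    """The Reddit case: SG allows 80 inbound only; the NACL must allow the ephemeral reply ports."""
    sg = SecurityGroup("sg-web", inbound=[SgRule("tcp", 80, 80, "0.0.0.0/0")])
    nacl_in = [NaclRule(100, "tcp", 80, 80, "0.0.0.0/0", "allow")]
    nacl_out = [NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
    request = Packet("203.0.113.10", 49152, "10.0.1.5", 80)  # constructed client -> server
    reply = Packet("10.0.1.5", 80, "203.0.113.10", 49152)
    fetch = Packet("10.0.1.5", 50000, "198.51.100.7", 80)    # the server itself browsing out
    return {
        "request": inbound_path(request, nacl_in, sg),
        "reply": outbound_path(reply, nacl_out, sg),
        "fetch": outbound_path(fetch, nacl_out, sg),
        "reply_without_ephemeral_rule": outbound_path(reply, [], sg),
    }


def nacl_order_scenario() -> Tuple[bool, bool]:
    """Rule order decides: a deny numbered below an allow wins, but only for its own CIDR."""
    rules = [NaclRule(100, "tcp", 22, 22, "203.0.113.0/24", "deny"),
             NaclRule(200, "tcp", 22, 22, "0.0.0.0/0", "allow")]
    blocked = nacl_decision(rules, Packet("203.0.113.10", 40000, "10.0.1.5", 22), "inbound")
    allowed = nacl_decision(rules, Packet("198.51.100.7", 40000, "10.0.1.5", 22), "inbound")
    return blocked, allowed
```

Running `web_server_scenario()` shows the two halves of the Reddit answer side by side: the client's request is delivered and its reply is sent because the SG tracked the inbound flow, while the server's own outbound fetch on port 80 is dropped by the SG because no outbound rule and no tracked flow covers it. The last entry shows the stateless side: with the outbound ephemeral-port NACL rule removed, the same reply is dropped by the NACL even though the SG still allows it.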
