VPC Introduction – Part 2


This is the second part of a 4 part introduction to Amazon’s VPC. Part 1 examined the VPC resource itself, as well as the subnet, Route Table and Network ACL resources. Part 2 examines the Internet Gateway resource, the EC2-VPC Security Group resource and Auto Scaling Groups when used in VPC.

Internet Gateway Resource

An Internet Gateway provides connectivity to the Internet. Simply creating an Internet Gateway resource is not enough to provide access to the Internet, however; you’ll also need to do the following:

  1. Create or modify a Route Table to include a route to the Internet. An Internet route is typically defined as follows: Destination: 0.0.0.0/0, Target: <Internet Gateway Resource Number>
  2. Provide a Network ACL that allows outbound and inbound traffic from the Internet.
  3. Associate any subnet that requires Internet access to the previously created/modified Route Table and Network ACL.
  4. Provide each instance that requires Internet access with a Public IP address – the Internet Gateway does not provide Internet access to instances that lack a Public IP address, because the Internet Gateway does not function as a NAT router.

Note that using an Internet Gateway and Public IP addresses for instances is only one way to provide Internet connectivity to EC2 instances – part 3 will cover this in greater depth.
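The four steps above can be turned into a check. The following is an added example, not code from the original post: it walks constructed route tables, Network ACLs and instances (hypothetical IDs, shaped loosely after the EC2 describe-* responses rather than captured from a real account) and reports, per instance, which of the four steps is not satisfied. A real audit would fetch the same three collections with boto3 and feed them to the same functions.

```python
"""Check whether each instance has a working Internet path through an
Internet Gateway, following the four steps in the post: a 0.0.0.0/0 route
to an IGW, a Network ACL that allows traffic both ways, the subnet associated
with that route table and NACL, and a public IP address on the instance.

All data below is constructed for this example with hypothetical IDs.
"""
import ipaddress

ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}],
     "Associations": [{"SubnetId": "subnet-a"}]},
    {"RouteTableId": "rtb-private",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
     "Associations": [{"SubnetId": "subnet-b"}]},
]

NETWORK_ACLS = [
    {"NetworkAclId": "acl-open",
     # Entries are evaluated in ascending RuleNumber; the first CIDR match wins.
     "Entries": [
         {"RuleNumber": 100, "Egress": False, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
         {"RuleNumber": 100, "Egress": True, "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"},
         {"RuleNumber": 32767, "Egress": False, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
         {"RuleNumber": 32767, "Egress": True, "Protocol": "-1", "RuleAction": "deny", "CidrBlock": "0.0.0.0/0"},
     ],
     "Associations": [{"SubnetId": "subnet-a"}, {"SubnetId": "subnet-b"}]},
]

INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-a", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-noip", "SubnetId": "subnet-a"},   # public subnet, but no public IP (step 4)
    {"InstanceId": "i-db", "SubnetId": "subnet-b"},     # private subnet, no IGW route, no public IP
]


def _associated(resources, subnet_id):
    """Return the route table or NACL whose Associations include subnet_id (step 3)."""
    for res in resources:
        if any(a.get("SubnetId") == subnet_id for a in res["Associations"]):
            return res
    return None


def has_igw_default_route(route_table):
    """Step 1: a 0.0.0.0/0 route whose target is an Internet Gateway."""
    return any(r["DestinationCidrBlock"] == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-")
               for r in route_table["Routes"])


def nacl_allows(acl, egress, peer_ip):
    """Step 2: evaluate the NACL the way EC2 does, lowest rule number first;
    the first entry whose CIDR contains peer_ip decides, and no match means deny."""
    addr = ipaddress.ip_address(peer_ip)
    entries = sorted((e for e in acl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for entry in entries:
        if addr in ipaddress.ip_network(entry["CidrBlock"]):
            return entry["RuleAction"] == "allow"
    return False


def failed_steps(instance, probe_ip="198.51.100.1"):
    """Return the step numbers (1-4, as listed in the post) that fail for an instance.
    probe_ip is an arbitrary Internet address used to exercise the NACL."""
    failed = []
    rt = _associated(ROUTE_TABLES, instance["SubnetId"])
    acl = _associated(NETWORK_ACLS, instance["SubnetId"])
    if rt is not None and not has_igw_default_route(rt):
        failed.append(1)
    if acl is not None and not (nacl_allows(acl, False, probe_ip) and nacl_allows(acl, True, probe_ip)):
        failed.append(2)
    if rt is None or acl is None:
        failed.append(3)
    if not instance.get("PublicIpAddress"):
        failed.append(4)
    return failed


def audit():
    """Map each instance ID to its failed steps; an empty list means Internet-reachable."""
    return {i["InstanceId"]: failed_steps(i) for i in INSTANCES}


if __name__ == "__main__":
    for instance_id, failed in audit().items():
        print(instance_id, "ok" if not failed else f"fails steps {failed}")
```

Running it reports i-web as reachable, i-noip as failing step 4 only, and i-db as failing steps 1 and 4: its subnet's route table has no Internet Gateway route and the instance has no public address, which is the expected state for a private subnet.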

EC2-VPC Security Group Resource

EC2-VPC security groups consist of inbound and outbound rules and are associated with EC2 instances and other resources such as RDS Security Groups or ElastiCache. Inbound and outbound rules filter on IP addressing or security groups and on port, and both directions default to denying any traffic not explicitly allowed by a rule. I’ve described the inbound and outbound rules below:

1. Inbound Rules. Inbound rules filter based on a packet’s source IP address or security group and source port. Amazon provides a number of rule templates for you (for ssh and HTTP, for example). Custom rules can also be created – a rule allowing port 81 in from the Internet would look like:

  • Type: “Custom TCP Rule”
  • Protocol: TCP
  • Port Range: 81
  • Source: 0.0.0.0/0

2. Outbound Rules. Outbound rules filter traffic based on a packet’s destination IP address or security group and destination port. An example outbound rule that allows unfettered TCP access to the Internet is below:

  • Type: All TCP Rule
  • Protocol: TCP
  • Port Range: 0 – 65535
  • Destination: Anywhere: 0.0.0.0/0

An example outbound rule that allows only access to HTTP resources on the Internet is below:

  • Type: HTTP
  • Protocol: TCP
  • Port Range: 80
  • Destination: Anywhere: 0.0.0.0/0

Notice that we allow port 80 as the destination port but no other ports.
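The rule semantics described in this section (any matching rule allows, nothing else gets through) can be exercised against sample connections. The following is an added example, not code from the original post: the rule sets mirror the post’s port-81 inbound rule, the “All TCP” outbound rule and the HTTP-only outbound rule, plus a constructed ssh rule limited to a VPC CIDR and a constructed ssh-open-to-the-world rule for the audit function to catch. Rules that reference another security group rather than a CIDR are left out. The port compared is the port the instance listens on for inbound rules and the remote service port for outbound rules.

```python
"""Evaluate EC2-VPC security group rules against sample connections and flag
inbound rules that open administrative ports to the whole Internet.

Security groups are stateful and have no deny rules: a new connection is
allowed if any rule matches and dropped otherwise. All rule sets here are
constructed for the example.
"""
import ipaddress

# Inbound: the post's custom port-81 rule, plus a constructed ssh rule limited to the VPC's CIDR.
INBOUND = [
    {"protocol": "tcp", "from_port": 81, "to_port": 81, "cidr": "0.0.0.0/0"},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "10.0.0.0/16"},
]
# Outbound: "All TCP" to anywhere, and the HTTP-only alternative.
OUTBOUND_ALL_TCP = [{"protocol": "tcp", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"}]
OUTBOUND_HTTP_ONLY = [{"protocol": "tcp", "from_port": 80, "to_port": 80, "cidr": "0.0.0.0/0"}]
# A constructed rule of the kind the audit below should catch.
OPEN_SSH = [{"protocol": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"}]


def _matches(rule, protocol, port, peer_ip):
    """True if the rule covers this protocol, port and peer address."""
    if rule["protocol"] not in ("-1", protocol):        # "-1" means all protocols
        return False
    if rule["protocol"] != "-1" and not rule["from_port"] <= port <= rule["to_port"]:
        return False
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule["cidr"])


def allows_inbound(rules, protocol, listen_port, src_ip):
    """Would a new connection from src_ip to listen_port on the instance be accepted?"""
    return any(_matches(r, protocol, listen_port, src_ip) for r in rules)


def allows_outbound(rules, protocol, dst_port, dst_ip):
    """Would a new connection from the instance to dst_ip:dst_port be allowed out?"""
    return any(_matches(r, protocol, dst_port, dst_ip) for r in rules)


def risky_inbound_rules(rules, sensitive_ports=(22, 3389)):
    """Return inbound rules that expose an administrative port (ssh and RDP by
    default) to every address on the Internet, i.e. a /0 source."""
    flagged = []
    for rule in rules:
        world = ipaddress.ip_network(rule["cidr"]).prefixlen == 0
        covers_admin = rule["protocol"] == "-1" or any(
            rule["from_port"] <= p <= rule["to_port"] for p in sensitive_ports)
        if world and covers_admin:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    print("port 81 from Internet:", allows_inbound(INBOUND, "tcp", 81, "198.51.100.7"))
    print("port 80 from Internet:", allows_inbound(INBOUND, "tcp", 80, "198.51.100.7"))
    print("HTTPS out, HTTP-only group:", allows_outbound(OUTBOUND_HTTP_ONLY, "tcp", 443, "93.184.216.34"))
    print("risky rules:", risky_inbound_rules(OPEN_SSH))
```

With the HTTP-only outbound rule set, an outbound HTTPS connection is dropped even though HTTP is allowed, which is the point the post makes about port 80 being the only permitted destination port. The ssh rule scoped to the VPC CIDR is not flagged by the audit, while the same port opened to 0.0.0.0/0 is.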

If you are familiar with EC2-Classic, the differences from EC2-Classic Security Groups are in the VPC Security Groups User Guide under “VPC Security Group Differences.”

Auto Scaling Groups and Launch Configurations

Auto Scaling Groups and Launch Configurations in VPC differ only slightly from Auto Scaling Groups and Launch Configurations in EC2-Classic. The two important differences are described below:

  • An Auto Scaling Group must have one or more associated subnets in order to launch instances.
  • A Launch Configuration includes an “IP Address Type” – this allows instances to be automatically given a public IP address.

The image below describes a VPC that provides Internet access to instances in two subnets. The design consists of a VPC, an Internet Gateway, a Route Table, a Network ACL, two subnets, an EC2-VPC Security Group, an Auto Scaling Group, a Launch Configuration and the instances that make up the Auto Scaling Group.

[Image: VPC - Internet Gateway and SG and ASG]
