AWS Virtual Private Cloud: Components, Routing and IPs - Quick Facts



When an organization starts working with AWS, it creates a private cloud: a cloud that contains IT resources for the organization's use and over which it has full control. By default, this private cloud is guaranteed to be private (as the name suggests), secure and isolated from other private clouds.

In AWS terminology, this private cloud is referred to as a Virtual Private Cloud, or VPC for short.

Private Cloud and Routing - VPC 1

» A VPC is Region specific, which means a VPC cannot span Region boundaries.

» A VPC Subnet is confined to a single Availability Zone, which means a VPC Subnet cannot span multiple Availability Zones.

» An AWS account can have multiple private clouds (VPCs); each private cloud, however, is Region specific.

» A private cloud (VPC) can have one or more Subnets in it. For the default VPC that AWS creates in a Region, AWS creates one Subnet in each Availability Zone.

» A Virtual Private Cloud has the following main components:

  • CIDR Range
  • IP Subnets
  • Implicit Router (AWS managed)
  • Routing Tables (One or more)
  • Internet Gateway (facilitates Internet connectivity)
  • Security Groups (the equivalent of a firewall that protects the NIC)
  • Access Control Lists (act on a Subnet)
  • Virtual Private Gateway (facilitates a VPN tunnel to the company premises)

» When an Admin user creates a VPC, they choose the CIDR block and must also create an Internet Gateway, since a VPC does not have one by default.

» An Implicit Router is created by AWS when the VPC is created, to route traffic between all Subnets of the VPC and between the VPC and the Internet.

» Each Subnet has exactly one Routing Table.

» Subnets can share a Routing Table, i.e. multiple Subnets can use the same Routing Table, and a VPC may have only one Routing Table.

» There is one default (or main) Routing Table per private cloud (VPC).

» Each Routing Table, upon creation, contains a routing rule that enables internal communication between all Subnets of the VPC. This rule cannot be deleted or modified.

» A user or Cloud Admin can create custom Routing Tables in addition to the AWS-provided one.

» When there is only one Routing Table, it is the default Routing Table.

» The “default” role can be reassigned to an Admin-created Routing Table as well. The “default” Routing Table can be updated but cannot be removed.

» Every Routing Table (main or custom) can have a maximum of 50 routing rules.

» There can be a maximum of 200 Routing Tables at any given time.

» Any Subnet that does not have a Routing Table explicitly associated with it uses the default Routing Table.

» The Implicit Router routes a Subnet's traffic using the Routing Table associated with that Subnet, according to the forwarding rules defined in it.
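The routing facts above (the non-removable local route, the 50-route and 200-table quotas, main-table fallback for unassociated Subnets, and the Implicit Router choosing a next hop by longest-prefix match) can be exercised in a small model. The code below is an added illustration written for this page, not AWS code; the VPC, Subnet and route values, including the `igw-EXAMPLE` target, are constructed placeholders. It also includes a defender's check listing the Subnets whose effective Routing Table points at an Internet Gateway.

```python
# Toy model of VPC route-table association and the Implicit Router's
# longest-prefix-match lookup. Added example, not AWS code; all values
# below are constructed for illustration.
import ipaddress
from dataclasses import dataclass, field

MAX_ROUTES_PER_TABLE = 50   # quota quoted in the text
MAX_TABLES_PER_VPC = 200    # quota quoted in the text


@dataclass
class RouteTable:
    name: str
    vpc_cidr: str
    routes: dict = field(default_factory=dict)  # destination CIDR -> target

    def __post_init__(self):
        # Every table starts with the local route covering the whole VPC CIDR;
        # this is the rule that cannot be deleted or modified.
        self.vpc_cidr = ipaddress.ip_network(self.vpc_cidr).with_prefixlen
        self.routes[self.vpc_cidr] = "local"

    def add_route(self, destination, target):
        dest = ipaddress.ip_network(destination, strict=False).with_prefixlen
        if dest == self.vpc_cidr:
            raise ValueError("the local route cannot be modified")
        if dest not in self.routes and len(self.routes) >= MAX_ROUTES_PER_TABLE:
            raise ValueError(f"{self.name}: limit of {MAX_ROUTES_PER_TABLE} routes reached")
        self.routes[dest] = target

    def remove_route(self, destination):
        dest = ipaddress.ip_network(destination, strict=False).with_prefixlen
        if dest == self.vpc_cidr:
            raise ValueError("the local route cannot be deleted")
        del self.routes[dest]

    def lookup(self, address):
        """Longest-prefix match over the table, as the Implicit Router does."""
        addr = ipaddress.ip_address(address)
        best_net, best_target = None, None
        for dest, target in self.routes.items():
            net = ipaddress.ip_network(dest)
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_target = net, target
        return best_target   # None when no route matches


class Vpc:
    def __init__(self, cidr):
        self.cidr = ipaddress.ip_network(cidr).with_prefixlen
        self.main = RouteTable("main", self.cidr)   # the default table created with the VPC
        self.tables = [self.main]
        self.associations = {}   # subnet CIDR -> RouteTable, or None (falls back to main)

    def add_subnet(self, subnet_cidr):
        net = ipaddress.ip_network(subnet_cidr)
        if not net.subnet_of(ipaddress.ip_network(self.cidr)):
            raise ValueError(f"{subnet_cidr} lies outside the VPC CIDR {self.cidr}")
        self.associations.setdefault(net.with_prefixlen, None)

    def create_table(self, name):
        if len(self.tables) >= MAX_TABLES_PER_VPC:
            raise ValueError(f"limit of {MAX_TABLES_PER_VPC} route tables reached")
        table = RouteTable(name, self.cidr)
        self.tables.append(table)
        return table

    def associate(self, subnet_cidr, table):
        self.associations[ipaddress.ip_network(subnet_cidr).with_prefixlen] = table

    def table_for(self, subnet_cidr):
        """The explicitly associated table if there is one, otherwise the main table."""
        key = ipaddress.ip_network(subnet_cidr).with_prefixlen
        return self.associations.get(key) or self.main

    def next_hop(self, src_subnet, dst_address):
        return self.table_for(src_subnet).lookup(dst_address)

    def internet_exposed_subnets(self):
        """Defender check: Subnets whose effective table has a route to an Internet Gateway."""
        return sorted(s for s in self.associations
                      if any(t.startswith("igw-") for t in self.table_for(s).routes.values()))


if __name__ == "__main__":
    vpc = Vpc("10.0.0.0/16")
    vpc.add_subnet("10.0.1.0/24")            # intended as a public Subnet
    vpc.add_subnet("10.0.2.0/24")            # private: no explicit association, so main table
    public = vpc.create_table("public")
    public.add_route("0.0.0.0/0", "igw-EXAMPLE")   # constructed placeholder gateway id
    vpc.associate("10.0.1.0/24", public)
    print(vpc.next_hop("10.0.1.0/24", "10.0.2.10"))      # local (VPC-internal)
    print(vpc.next_hop("10.0.1.0/24", "203.0.113.5"))    # igw-EXAMPLE
    print(vpc.next_hop("10.0.2.0/24", "203.0.113.5"))    # None: main table has no default route
    print(vpc.internet_exposed_subnets())                # ['10.0.1.0/24']
```

The `internet_exposed_subnets` check is the one worth carrying into real audits: a Subnet that was meant to be private is exposed the moment the main table gains a `0.0.0.0/0` route to an Internet Gateway, because every unassociated Subnet silently inherits it.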

In RFC 1918, the Internet Assigned Numbers Authority reserved three ranges of IP Addresses, of different sizes, for private networks:

  • 10.0.0.0 to 10.255.255.255 (10/8 allocates the 8 most significant bits to the network number); let’s call this range ‘large’
  • 172.16.0.0 to 172.31.255.255 (172.16/12 allocates the 12 most significant bits to the network number); let’s call this range ‘medium’
  • 192.168.0.0 to 192.168.255.255 (192.168/16 allocates the 16 most significant bits to the network number); let’s call this range ‘small’

» AWS treats the ranges defined by RFC 1918 in a special manner. Additionally, AWS adds another IP Address range, 198.19.0.0 to 198.19.255.255, to this set (let’s call this range ‘s’).

» AWS uses the CIDR (Classless Inter-Domain Routing) system of IP Address management, in which Admin users can define any range of IP Addresses (free of the class A, B or C scheme), whether private or public.

» A private cloud can use CIDR blocks with a network prefix length between 16 and 28, i.e. x.x.x.x/16 to x.x.x.x/28.

» Every private cloud (VPC) defines one or more CIDR blocks, which define the set of IP Addresses that resources in the cloud will use. Resources are grouped in Subnets, and every Subnet takes its IP addressing from one of the CIDR blocks.

» The CIDR block of a VPC, once defined, cannot be changed.

» The primary CIDR block is the one the private cloud is created with. This CIDR block cannot be deleted, but secondary CIDR blocks can be added (AWS enabled this in Aug 2017).

» When an Admin creates a private cloud, they can use one of the RFC 1918 ranges defined above for the primary CIDR range, e.g. range ‘medium’. If a secondary CIDR block is later added, its addresses can come either from the same range as the primary CIDR block (i.e. range ‘medium’) or from any other range excluding the three remaining special ranges (i.e. excluding ‘s’, ‘large’ and ‘small’; public addresses are allowed).

» When adding a secondary CIDR block, the block must be smaller (more specific) than any route already defined for that IP range in any of the Routing Tables. For example, if a Routing Table already has an entry for 170.32.0.0/16, a new secondary CIDR block in that range can only be 170.32.0.0/17 or smaller; otherwise a different range must be used.

» No two CIDR blocks in a private cloud can have overlapping ranges, e.g. if one CIDR block defines the range 10.0.0.0/16, another cannot be defined with the range 10.0.0.0/18.
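The CIDR rules above (prefix length between /16 and /28, the special-range restriction on secondary blocks, no overlap between blocks, and a secondary block having to be more specific than any overlapping route) are mechanical enough to check before a change is applied. The following checker is an added example written for this page, not AWS code; the range names ‘large’, ‘medium’, ‘small’ and ‘s’ follow the text, and the sample blocks in the usage section are constructed.

```python
# Pre-flight checker for VPC CIDR planning against the rules in the text.
# Added example, not AWS code; sample values are constructed.
import ipaddress

# RFC 1918 ranges plus the extra range the text says AWS treats specially.
SPECIAL_RANGES = {
    "large": ipaddress.ip_network("10.0.0.0/8"),
    "medium": ipaddress.ip_network("172.16.0.0/12"),
    "small": ipaddress.ip_network("192.168.0.0/16"),
    "s": ipaddress.ip_network("198.19.0.0/16"),
}
MIN_PREFIX, MAX_PREFIX = 16, 28   # allowed VPC CIDR block sizes


def special_range_of(cidr):
    """Name of the special range a block falls inside, or None for other (public) space."""
    net = ipaddress.ip_network(cidr)
    for name, rng in SPECIAL_RANGES.items():
        if net.subnet_of(rng):
            return name
    return None


def vpc_cidr_problems(cidr):
    """Rules that apply to any VPC CIDR block, primary or secondary (empty list = OK)."""
    try:
        net = ipaddress.ip_network(cidr)   # strict: host bits must be zero
    except ValueError as exc:
        return [f"{cidr}: not a valid CIDR block ({exc})"]
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        return [f"{cidr}: prefix length must be between /{MIN_PREFIX} and /{MAX_PREFIX}"]
    return []


def secondary_cidr_problems(primary, existing, candidate, route_destinations):
    """List every rule a proposed secondary block would break (empty list = OK).

    primary            : the VPC's primary CIDR block
    existing           : secondary blocks already attached
    candidate          : the block being proposed
    route_destinations : destination CIDRs present in any Routing Table of the VPC
    """
    problems = vpc_cidr_problems(candidate)
    if problems:
        return problems
    cand = ipaddress.ip_network(candidate)

    # Rule: same special range as the primary, or non-special (public) space;
    # never one of the other three special ranges.
    primary_range = special_range_of(primary)
    cand_range = special_range_of(candidate)
    if cand_range is not None and cand_range != primary_range:
        problems.append(f"{candidate}: range '{cand_range}' cannot be mixed with "
                        f"a primary block in range '{primary_range}'")

    # Rule: no overlap with any block already on the VPC.
    for block in [primary, *existing]:
        if cand.overlaps(ipaddress.ip_network(block)):
            problems.append(f"{candidate}: overlaps existing CIDR block {block}")

    # Rule: must be more specific than any overlapping route already defined.
    for dest in route_destinations:
        dnet = ipaddress.ip_network(dest)
        if cand.overlaps(dnet) and cand.prefixlen <= dnet.prefixlen:
            problems.append(f"{candidate}: not smaller than existing route {dest}; "
                            f"use /{dnet.prefixlen + 1} or smaller, or another range")
    return problems


if __name__ == "__main__":
    # Constructed scenario: primary in range 'medium', one default route present.
    routes = ["172.16.0.0/16", "0.0.0.0/0"]
    for cand in ["172.17.0.0/16", "10.0.0.0/16", "170.32.0.0/16", "170.32.0.0/17", "172.16.64.0/18"]:
        print(cand, secondary_cidr_problems("172.16.0.0/16", [], cand, routes + ["170.32.0.0/16"]) or "OK")
```

Running the block reports `172.17.0.0/16` and `170.32.0.0/17` as acceptable, rejects `10.0.0.0/16` for being in range ‘large’ while the primary is ‘medium’, rejects `170.32.0.0/16` for not being smaller than the existing route, and rejects `172.16.64.0/18` for overlapping the primary block.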

» In each Subnet, the first four and the last IP Address are reserved by AWS. For example, in the Subnet 192.168.0.0/28 these five IP Addresses are reserved by AWS and cannot be used by resources in the Subnet: 192.168.0.0 (network address), 192.168.0.1 (Implicit Router), 192.168.0.2 (DNS server), 192.168.0.3 (AWS reserved) and 192.168.0.15 (broadcast address).
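The reserved-address rule is easy to get wrong when sizing Subnets, because a /28 that looks like sixteen addresses yields only eleven usable ones. The code below is an added example written for this page, not AWS code; it computes the five reserved addresses of any Subnet, tests whether a given address can be assigned, and carves a VPC CIDR into one Subnet per Availability Zone with the usable count of each. The Subnet values are constructed; the /28 floor on Subnet size is taken from the text's /16 to /28 bound.

```python
# Reserved addresses per Subnet and Subnet sizing. Added example, not AWS
# code; Subnet values are constructed for illustration.
import ipaddress

RESERVED_COUNT = 5   # first four addresses plus the last one
SMALLEST_SUBNET = 28


def reserved_addresses(subnet_cidr):
    """Map each AWS-reserved address in the Subnet to the role the text gives it."""
    net = ipaddress.ip_network(subnet_cidr)
    base = net.network_address
    return {
        str(base): "network address",
        str(base + 1): "implicit router",
        str(base + 2): "DNS server",
        str(base + 3): "AWS reserved",
        str(net.broadcast_address): "broadcast address",
    }


def usable_host_count(subnet_cidr):
    """Addresses left for resources once the five reserved ones are removed."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - RESERVED_COUNT


def is_assignable(subnet_cidr, address):
    """True if the address lies inside the Subnet and is not one AWS reserves."""
    net = ipaddress.ip_network(subnet_cidr)
    addr = ipaddress.ip_address(address)
    return addr in net and str(addr) not in reserved_addresses(subnet_cidr)


def plan_subnets(vpc_cidr, az_count, new_prefix):
    """Carve az_count Subnets of /new_prefix out of the VPC CIDR, one per
    Availability Zone, returning (subnet, usable host count) pairs."""
    if new_prefix > SMALLEST_SUBNET:
        raise ValueError(f"/{new_prefix} is smaller than the /{SMALLEST_SUBNET} minimum")
    vpc = ipaddress.ip_network(vpc_cidr)
    carved = []
    for net in vpc.subnets(new_prefix=new_prefix):   # generator, so large VPCs stay cheap
        if len(carved) == az_count:
            break
        carved.append((net.with_prefixlen, usable_host_count(net.with_prefixlen)))
    if len(carved) < az_count:
        raise ValueError(f"{vpc_cidr} cannot hold {az_count} /{new_prefix} Subnets")
    return carved


if __name__ == "__main__":
    for addr, role in reserved_addresses("192.168.0.0/28").items():
        print(f"{addr:15} {role}")
    print("usable in /28:", usable_host_count("192.168.0.0/28"))        # 11
    print("192.168.0.4 assignable:", is_assignable("192.168.0.0/28", "192.168.0.4"))
    print("192.168.0.15 assignable:", is_assignable("192.168.0.0/28", "192.168.0.15"))
    for subnet, usable in plan_subnets("10.0.0.0/16", 3, 24):          # three AZs
        print(subnet, "->", usable, "usable addresses")
```

The `is_assignable` check is the useful one for anyone reviewing infrastructure templates with hard-coded private addresses: an ENI or static address placed on the second, third or fourth address of a Subnet will be rejected by AWS, and catching that before deployment is cheaper than after.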
