What is VPC and subnet (AWS as example)

Louis Tung
Feb 19, 2021

VPC, short for virtual private cloud, is, as the name suggests, a simulated private network environment built with software techniques (hence "virtual"). Most cloud providers (AWS, GCP, Azure) support it.

Most of the time, when you deploy an application to a public cloud environment, you want to keep all of its components in a private network that belongs only to you and is fully under your control. That is where a VPC comes into play: it is the foundation of the application's network infrastructure.

Having a VPC is equivalent to having your own private network in the public cloud environment. It allows you to:

  1. Define the public/private area of the network
  2. Define the routing of the network

For example, suppose you want to deploy your web application to the cloud while restricting which resources public users can access, following security best practice for a public cloud environment. Your web application has the following components:

  1. A frontend server, which is responsible for returning an HTML page to users on the public internet
  2. A backend server, which is responsible for returning data to the frontend server so that it can render dynamic pages, because the data might change over time.
  3. A database, which is used to persist the data.

The architecture can look like this:

Your VPC’s CIDR block (which defines the IP address range of your private network) is 10.4.0.0/16, and it has two subnets: one defined as public and the other defined as private.

The differences between a public and a private subnet are:

  1. Instances in the public subnet have public IP addresses, while instances in the private subnet have only private IP addresses (visible only inside the VPC)
  2. The route table of the public subnet has a rule that routes all traffic not destined for your VPC to the internet gateway, which then routes that traffic to the public internet.

With these two subnets defined, you can deploy each server into the one that fits its needs. Using the architecture above as an example: you want the frontend server to respond to traffic from public clients, while keeping your backend server and database inaccessible from the public internet, because the only client you expect for these two components is the application server you own. In this scenario, it makes sense to put the frontend server in the public subnet and the backend server and database in the private subnet.

Note: What makes a subnet public or private here is whether it is attached to an internet gateway (through the routing rule described above). The internet gateway sends and receives traffic to and from the public internet, so once you attach a subnet to an internet gateway, it is considered a public subnet.

Note: The diagram includes a NAT gateway, which allows components in the private subnet to access the public internet. For example, if your backend server needs to query third-party services, you need to set up this NAT gateway. If there is no such need, you can leave the NAT gateway out of your VPC architecture.
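The routing rule above can be checked mechanically. The following is an added example (not code from the author's repository) that classifies each subnet as public or private from its route table and reports any subnet whose routing does not match the intended placement. The subnet CIDRs, all resource IDs and the `EXPECTED` mapping are assumptions constructed for illustration; the dictionaries follow the shape of the EC2 DescribeRouteTables and DescribeSubnets responses.

```python
import ipaddress

VPC_CIDR = "10.4.0.0/16"  # the VPC CIDR block from the article

# Constructed sample data; every ID and both subnet CIDRs are made up.
SUBNETS = [
    {"SubnetId": "subnet-public", "CidrBlock": "10.4.0.0/24"},
    {"SubnetId": "subnet-private", "CidrBlock": "10.4.1.0/24"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.4.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [{"DestinationCidrBlock": "10.4.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}]},
]
# Intended placement: frontend subnet is public, backend/database subnet is private.
EXPECTED = {"subnet-public": "public", "subnet-private": "private"}


def classify(route_table):
    """Return 'public' if any route targets an internet gateway, else 'private'."""
    routes = route_table["Routes"]
    is_public = any((r.get("GatewayId") or "").startswith("igw-") for r in routes)
    return "public" if is_public else "private"


def audit(vpc_cidr, subnets, route_tables, expected):
    """Return a list of findings; an empty list means routing matches the design."""
    vpc = ipaddress.ip_network(vpc_cidr)
    kind, main_kind = {}, None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("Main"):  # subnets with no explicit association use this table
                main_kind = classify(rt)
            elif "SubnetId" in assoc:
                kind[assoc["SubnetId"]] = classify(rt)
    findings = []
    for s in subnets:
        sid = s["SubnetId"]
        if not ipaddress.ip_network(s["CidrBlock"]).subnet_of(vpc):
            findings.append(f"{sid}: {s['CidrBlock']} is outside {vpc_cidr}")
        actual = kind.get(sid, main_kind) or "unknown"
        if actual != expected[sid]:
            findings.append(f"{sid}: expected {expected[sid]}, routes say {actual}")
    return findings
```

A NAT gateway route leaves the subnet classified as private, because it only permits connections that the subnet's own instances start.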

Sample code of the VPC can be found here: https://github.com/louis79719/vpc-infra-example

Originally published at https://www.notion.so.

Written by Louis Tung

I’m a software engineer@DAZN, passionate about distributed system and micro service architecture.