Network Stack in AWS
There is a wide range of services and concepts in the AWS networking stack: VPC, subnets, route tables, Internet Gateways, NAT Gateways and so on. When composing these services into an architecture, it is important to design a networking layer that is both secure and reliable.
In this article, we will discuss an AWS networking architecture designed using best practices. It assumes you have basic knowledge of the services mentioned above.
Architecture Diagram
Let's walk through the architecture shown above.
The networking layer has one VPC (a private network in the cloud), 9 subnets, an Internet Gateway and a NAT Gateway. The diagram also shows compute-layer components such as a load balancer, EC2 instances, a jump host (bastion server) and databases, to put the network design in context.
Subnets
This is a multi-layer, multi-subnet architecture. We have 3 public subnets, 3 private subnets and 3 database subnets, one of each per availability zone across 3 AZs. Each layer is spread across the AZs for high availability: if one AZ goes down, the resources in the other two subnets of that layer keep the service running.
Subnets are segregated into public, private/application and database tiers to separate the components. Public subnets route to the Internet Gateway and can be reached from outside the network; private and database subnets route outbound traffic through the NAT Gateway and cannot be reached by connections initiated from outside the network. If the databases do not need outbound internet access, the database subnets can instead be given a route table with no default route at all, so that tier is fully isolated.
Application servers are placed in the private subnets and databases in the database subnets. Instances there have only private IP addresses, so they accept connections only from within the VPC. Make sure auto-assignment of public IPv4 addresses is disabled on these subnets, so an instance cannot be launched with a public IP by mistake.
A bastion server (jump host) is placed in a public subnet with a public IP and serves as the controlled entry point into the network. From the bastion, we connect over SSH to the application servers. Its security group should allow inbound SSH only from known administrator IP ranges.
Databases should accept connections only from the application servers in the private subnets; no rule on the database tier should allow access from the public subnets or from the internet.
Internet Gateway
An Internet Gateway (IGW) provides internet connectivity for resources in the VPC that have public IP addresses. One Internet Gateway is attached to a VPC, and a subnet becomes reachable from the internet only when its route table sends traffic to the IGW.
NAT Gateway
A NAT Gateway lets resources in private subnets initiate connections to the internet (for updates, package downloads, external APIs) without being reachable from the internet. It is assigned an Elastic IP and performs network address translation: outbound packets leave with the gateway's public address, replies are translated back to the private instance, and unsolicited inbound connections are dropped. A NAT Gateway is placed in a public subnet, because it needs a route to the Internet Gateway. A single NAT Gateway is a single point of failure: if its AZ goes down, private subnets in the other AZs lose internet access. For AZ resilience, deploy one NAT Gateway per AZ and give each AZ's private subnet its own route table pointing at the local NAT Gateway.
Route Table
A route table governs the flow of traffic across the network. There should be at least two route tables: one public and one private.
The public route table has a default route (0.0.0.0/0) to the Internet Gateway, and the private route table has a default route to the NAT Gateway. Subnets are associated with route tables: subnets associated with the public route table are public subnets, and those associated with the private route table are private subnets.
Every route table also contains a local route for the VPC's CIDR block, which cannot be removed. This is what allows traffic to flow between subnets within the VPC, so no explicit route is needed for internal traffic.
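To make the subnet and route-table layout concrete, here is an added example (not code from the original article) that plans the nine subnets and the route tables in Python with the standard library's ipaddress module and then checks the result. The VPC CIDR 10.0.0.0/16, the AZ names and the gateway IDs are assumptions. It goes one step beyond the diagram by giving the database tier a route table with only the local route, so those subnets are fully isolated; replace that entry with the NAT route if the databases need outbound access. The lookup function mimics the VPC router's longest-prefix match, and classify derives each subnet's type from its route table's default route, which is exactly the rule stated above.

```python
import ipaddress

# All values below are assumptions for this example, not from the article.
VPC_CIDR = "10.0.0.0/16"
AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]
TIERS = ["public", "private", "database"]
IGW_ID = "igw-0123456789abcdef0"  # hypothetical Internet Gateway ID
NAT_ID = "nat-0123456789abcdef0"  # hypothetical NAT Gateway ID


def plan_subnets(vpc_cidr=VPC_CIDR, azs=AZS, tiers=TIERS, new_prefix=24):
    """Carve the VPC block into one subnet per (tier, AZ) pair.

    Returns {subnet_name: cidr}. Taking consecutive blocks from
    ip_network.subnets() guarantees they sit inside the VPC and never overlap.
    """
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return {f"{tier}-{az}": str(next(blocks)) for tier in tiers for az in azs}


def validate_plan(plan, vpc_cidr=VPC_CIDR):
    """Re-check what a reviewer looks for: every subnet inside the VPC CIDR
    and no two subnets overlapping."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in plan.values()]
    if any(not n.subnet_of(vpc) for n in nets):
        return False
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def build_route_tables(vpc_cidr=VPC_CIDR, igw_id=IGW_ID, nat_id=NAT_ID):
    """Route tables as {name: [(destination_cidr, target), ...]}.

    The 'local' route for the VPC CIDR is present in every table and cannot
    be removed; it is what lets subnets talk to each other. The database
    table deliberately has no default route (stricter than the diagram,
    which sends database subnets through the NAT Gateway as well).
    """
    local = (vpc_cidr, "local")
    return {
        "public": [local, ("0.0.0.0/0", igw_id)],
        "private": [local, ("0.0.0.0/0", nat_id)],
        "database": [local],
    }


def associate(plan):
    """Associate each subnet with the route table named after its tier."""
    return {name: name.split("-", 1)[0] for name in plan}


def lookup(routes, dst_ip):
    """Longest-prefix match over one route table, as the VPC router does.
    Returns the route target, or None when nothing covers the destination."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for dest, target in routes:
        net = ipaddress.ip_network(dest)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify(routes):
    """Derive the subnet type from the route table's 0.0.0.0/0 entry:
    IGW -> public, NAT -> private, no default route -> isolated."""
    default = dict(routes).get("0.0.0.0/0")
    if default is None:
        return "isolated"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private"
    return "unknown"


def summarize():
    """Full plan: {subnet_name: (cidr, route_table, subnet_type)}."""
    plan = plan_subnets()
    tables = build_route_tables()
    assoc = associate(plan)
    return {name: (cidr, assoc[name], classify(tables[assoc[name]]))
            for name, cidr in plan.items()}


if __name__ == "__main__":
    for name, (cidr, table, kind) in summarize().items():
        print(f"{name:22} {cidr:14} route table={table:9} -> {kind}")
```

Running it prints the nine /24s in tier order (10.0.0.0/24 through 10.0.8.0/24), each with its route table and the type that table implies. The validate_plan check is the one worth keeping in a real pipeline: overlapping subnets are rejected by AWS, but a plan that drifts outside the VPC CIDR or collides with a peered VPC is easy to miss by eye.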
NACL (Network Access Control List)
A NACL is a subnet-level firewall that governs traffic flowing in and out of a subnet. NACLs are stateless: return traffic is not tracked, so both inbound and outbound rules must be defined. In practice this means that allowing inbound SSH on port 22 is not enough; the outbound rules must also allow the ephemeral port range (1024-65535) so the replies can leave the subnet. Rules are evaluated in ascending rule-number order, the first match wins, and a packet that matches no rule is denied. NACLs add an extra layer of defence beneath security groups.
Security Group
There is another concept, security groups. A security group is an instance-level firewall (attached to the instance's network interface) that governs traffic to and from that instance. Unlike a NACL, a security group is stateful: we only need to allow one direction of a connection, and the return traffic is allowed automatically. Security groups contain allow rules only; anything not explicitly allowed is denied. By default a new security group allows no inbound traffic and all outbound traffic.
All these services are part of the network layer in AWS. Creating a network architecture like the one in the diagram above gives a secure foundation for infrastructure in AWS.