Post

AWS - VPC - Subnet

Posted
By Grace L
5 min read

Subnet

  • a range of IP addresses in a VPC.
  • A subsection, segments, or partitions of a network. Divided by CIDR range.
  • Subnets can only belong to a single Availability Zone.
    • can’t span across Availability Zones.
  • Subnets are generally classified as public or private.
    • Public subnets have direct access to the internet
    • private subnet do not.

  • Subnets should be used to define which parts of the network are accessible to the internet, and which parts are not.

    • Rather than defining subnets based on application or functional tier—such as web, application, data, etc.
    • it’s recommended that organize subnets based on internet accessibility.
    • to define clear, subnet-level isolation between public and private resources.

IP addressing

  • When create VPC, specify its set of IP addresses with Classless Inter-Domain Routing (CIDR) notation
    • IP addresses enable resources in VPC to communicate with each other and with resources over the internet.
    • After create a VPC, cannot change the address range
    • CIDR notation: a simplified way to show a specific range of IP addresses.
      • example: 10.0.0.0/16.
  • IPv4 CIDR block:
    • large as /16 (2^16, or 65,536 addresses)
    • small as /28 (2^4, or 16 addresses)
  • IPv6 CIDR block:
    • associate an IPv6 CIDR block with your VPC and subnets, and assign IPv6 addresses from that block to the resources in your VPC.
    • IPv6 CIDR blocks have a different block size limit.
  • The CIDR block of a subnet = the CIDR block for a VPC.
    • the VPC and the subnet are the same size (a single subnet in the VPC).
  • the CIDR block of a subnet can be a subset < the CIDR block for the VPC.
    • This structure enables multiple subnets.
    • create more than one subnet in a VPC, the CIDR blocks of the subnets cannot overlap.
      • You cannot have duplicate IP addresses in the same VPC.

AWS reserves these IP addresses:

  • 5 IP addresses are automatically reserved on every network range.
  • 10.0.0.0 : Network address
  • 10.0.0.1 : VPC local router (internal communications)
  • 10.0.0.2 : Domain Name System (DNS) resolution
  • 10.0.0.3 : Future use
  • 10.0.0.255 : Network broadcast address

Subnet sizes:

Recommended: consider larger subnets over smaller ones, such as /24 and larger.

Choose larger range of IP ranges than smaller range
  • simplifies workload placement
    • place a workload among 10 small subnets is more complicated than place the same workload with one large subnet.
  • less likely to waste or run out of IP addresses
    • subnet runs out of available IP addresses, can’t add more IP addresses to that subnet.
    • For example, if you have 251 IP addresses in a subnet that’s using only 25 of them, you can’t share the unused 226 IP addresses with another subnet that’s running out.
    • Consider where you will be five years down the road because this will save you a lot of time.
    • no necessary to limit Address Resolution Protocol, ARP, broadcast domains because this is solved by the VPC

Subnet types:

To divide subnets.

  • Subnets should be used to define internet accessibility
    • so might not good to have more than one public and one private subnet per Availability Zone.
    • subnets
  • resources in subnet:
    • all resources that require direct access internet

      would go into the public subnet

      • (public-facing load balancers, NAT instances, bastion hosts, etc)
    • all other instances

      would go into your private subnet

    • Exception: resources that require absolutely no access to the internet, either directly or indirectly.
      • These resources would go into a separate private subnet.
  • use subnets to create layers of separation between “tiers” of resources
    • such as put backend application instances and data resources in separate private subnets
    • requires accurately predict hosts number needed in each subnet,
      • more likely run out of IP addresses more quickly,
      • or leave too many IP addresses unused when they could be used elsewhere.
  • plan architecture
    • anticipate how many hosts the VPC need, how many hosts can be placed in private subnets.
    • anticipate how many public / private IP addresses the VPC needs,
    • reduce the risk of overcomplicating the infrastructure and waste / run out of IP addresses.
  • use other resources to create segregation between resources within a subnet
    • segregation
      • Subnets can provide a very basic element of segregation between resources by NACL rules
      • security groups

        can provide even more fine-grained level of traffic control between resources

  • Allocate substantially more IP address for private subnets than for public subnets
    • Screen Shot 2020-06-21 at 19.53.57
    • The majority of resources on AWS can be hosted in private subnets
    • use public subnets for controlled access

      to and from the internet as necessary.

    • always need more private IP addresses than public IP addresses
      • because the more resources expose to the internet, the more vulnerable you become.
      • protect IP resources by placing them in a private subnet.

public subnet

  • routed to an internet gateway
    • include a routing table entry to an internet gateway
    • internet gateway
      • The subnet route table has an attached Internet Gateway.
      • to support inbound or outbound access to the public Internet.
  • “Auto-assign public IPv4 address” set to “Yes”.
    • every instance in VPC gets a public IP address automatically
    • can also request a public IP address to be assigned when create the instance by modifying the subnet’s auto-assign public IP address properties.

private subnet

  • does not have a route to an internet gateway
    • do not have a routing table entry to an internet gateway
  • Not directly accessible from the Public subnets
    • If you private subnet requires internet access
      • for example: to download security patches for applications,
      • use a "jump box"
      • to support the restricted, outbound-only public internet access.
      • A “jump box”: NAT, proxy, or bastion host
  • private
    • web-tier instances:
      • private subnets that are behind a load balancer placed in a public subnet.
      • If require web application instances to be attached to Elastic IP addresses directly, even though you can also attach an Elastic IP address to a load balancer. In those cases, web application instances would need to be in a public subnet.
    • Data store instances
    • Batch processing instances
    • Backend instances

VPN-only subnet

  • doesn’t have a route to the internet gateway
  • but has traffic routed to a virtual private gateway for a VPN connection

.

01AWS, Network
AWS Network VPC
This post is licensed under CC BY 4.0 by the author.

Comments powered by Disqus.