A networking service that you can use to establish boundaries around your AWS resources is Amazon Virtual Private Cloud (Amazon VPC).
Amazon VPC enables you to provision an isolated section of the AWS Cloud.
In this isolated section, you can launch resources in a virtual network that you define.
Within a virtual private cloud (VPC), you can organize your resources into subnets.
A subnet is a section of a VPC that can contain resources such as Amazon EC2 instances. Subnets are chunks of IP addresses in your VPC that allow you to group resources together.
In order to allow traffic from the public internet to flow into and out of your VPC, you must attach what is called an internet gateway, or IGW, to your VPC.
In some cases, we want a private gateway that only admits traffic coming from an approved network, not the public internet. A virtual private gateway allows you to create a VPN connection between a private network, like your on-premises data center or internal corporate network, and your VPC.
To allow public traffic from the internet to access your VPC, you attach an internet gateway to the VPC.
An internet gateway is a connection between a VPC and the internet. Without an internet gateway, the resources within your VPC cannot be reached from the internet.
To access private resources in a VPC, you can use a virtual private gateway.
A virtual private network (VPN) connection encrypts your traffic as it crosses the internet, protecting it from the other traffic around it. A virtual private gateway enables you to establish a VPN connection between your VPC and a private network.
AWS Direct Connect is a service that enables you to establish a dedicated private connection between your data center and a VPC.
The private connection that AWS Direct Connect provides helps you reduce network costs and increases the bandwidth available to your network.
A subnet is a section of a VPC in which you can group resources based on security or operational needs. Subnets can be public or private.
Public subnets contain resources that need to be accessible by the public, such as an online store’s website.
Private subnets contain resources that should be accessible only through your private network, such as a database.
When a customer requests data from an application hosted in the AWS Cloud, this request is sent as a packet. A packet is a unit of data sent over the internet or a network.
The packet enters the VPC through an internet gateway. Before a packet can enter or exit a subnet, its permissions are checked.
The VPC component that checks packet permissions for subnets is a network access control list (ACL).
A network access control list (ACL) is a virtual firewall that controls inbound and outbound traffic at the subnet level.
Each AWS account includes a default network ACL.
By default, your account’s default network ACL allows all inbound and outbound traffic.
For custom network ACLs, all inbound and outbound traffic is denied until you add rules to specify which traffic to allow.
All network ACLs have an explicit deny rule that applies to any packet not matched by the other rules.
Network ACLs perform stateless packet filtering.
They remember nothing and check packets that cross the subnet border each way: inbound and outbound.
After a packet has entered a subnet, it must have its permissions evaluated for resources within the subnet, such as Amazon EC2 instances.
The VPC component that checks packet permissions for an Amazon EC2 instance is a security group.
A security group is a virtual firewall that controls inbound and outbound traffic for an Amazon EC2 instance.
By default, a security group denies all inbound traffic and allows all outbound traffic.
Security groups perform stateful packet filtering.
They remember previous decisions made for incoming packets.
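An added example, not from the course material, that models the two filters described above in Python: an ordered network ACL with a final deny, and a security group that tracks flows it has allowed out. The addresses, rule numbers and ports are constructed; the case it works through is an instance opening an HTTPS connection and the server's reply coming back in.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" or "outbound", relative to the subnet or instance
    src: str
    dst: str
    src_port: int
    dst_port: int
    protocol: str = "tcp"

# Constructed network ACL: (rule number, direction, protocol, CIDR, (low, high) port, action).
# Evaluated lowest number first; the first matching rule decides.
NACL_RULES = [
    (90, "inbound", "tcp", "192.0.2.0/24", (443, 443), "deny"),   # blocked source range
    (100, "inbound", "tcp", "0.0.0.0/0", (443, 443), "allow"),    # HTTPS from anywhere
    (100, "outbound", "tcp", "0.0.0.0/0", (1, 65535), "allow"),
]

def nacl_allows(rules, pkt):
    """Stateless filtering: every packet is judged on its own, in each direction."""
    peer = pkt.src if pkt.direction == "inbound" else pkt.dst
    for _num, direction, proto, cidr, (lo, hi), action in sorted(rules):
        if (direction == pkt.direction and proto == pkt.protocol
                and lo <= pkt.dst_port <= hi and ip_address(peer) in ip_network(cidr)):
            return action == "allow"
    return False  # the final "*" rule: explicit deny for anything not matched above

class SecurityGroup:
    """Stateful: inbound is allow-list only, outbound open by default, replies remembered."""
    def __init__(self, inbound_rules):
        self.inbound_rules = inbound_rules  # (protocol, CIDR, destination port)
        self.open_flows = set()             # (remote ip, remote port, local port)
    def allows(self, pkt):
        if pkt.direction == "outbound":
            self.open_flows.add((pkt.dst, pkt.dst_port, pkt.src_port))
            return True
        if (pkt.src, pkt.src_port, pkt.dst_port) in self.open_flows:
            return True  # remembered flow: the reply needs no inbound rule
        return any(proto == pkt.protocol and port == pkt.dst_port
                   and ip_address(pkt.src) in ip_network(cidr)
                   for proto, cidr, port in self.inbound_rules)

def reply_example():
    """Instance 10.0.1.10 opens HTTPS to 198.51.100.5; returns (SG, ACL) verdicts on the reply."""
    sg = SecurityGroup([("tcp", "0.0.0.0/0", 443)])
    request = Packet("outbound", "10.0.1.10", "198.51.100.5", 40000, 443)
    reply = Packet("inbound", "198.51.100.5", "10.0.1.10", 443, 40000)
    assert sg.allows(request) and nacl_allows(NACL_RULES, request)  # both let the request out
    return sg.allows(reply), nacl_allows(NACL_RULES, reply)  # (True, False)
```

The security group admits the reply because it remembers the outbound flow, while the stateless network ACL drops it: no inbound rule covers the ephemeral destination port, which is why a custom ACL needs an inbound rule for the ephemeral port range as well.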
Amazon Route 53 is AWS's Domain Name System (DNS) service. DNS translates website names into Internet Protocol (IP) addresses.
DNS resolution is the process of translating a domain name to an IP address.
Amazon Route 53 is a DNS web service.
Assumption: AnyCompany’s application is running on several Amazon EC2 instances. These instances are in an Auto Scaling group that attaches to an Application Load Balancer.
How Route 53 and CloudFront deliver content to customers: