Module

The document provides an overview of AWS VPC (Virtual Private Cloud) and API Gateway, highlighting their roles in creating secure and manageable cloud architectures. A VPC allows users to define a private network with complete control over resources, while an API Gateway serves as a single entry point for client requests, managing routing, authentication, and traffic. Key features of both services include isolation, security, request routing, and monitoring capabilities.

MODULE-03

1. VPC
An AWS VPC (Virtual Private Cloud) is a foundational service that lets you create a
logically isolated, private section of the Amazon Web Services (AWS) cloud where
you can launch AWS resources in a virtual network that you define.
Think of the entire AWS cloud as a vast, bustling city. A VPC is like your own private,
gated estate within that city. You have complete control over who can enter, what the
layout of the streets is, and how your estate connects to the outside world. It's the
starting point for building almost any secure application on AWS.

Page 1: Core Concepts and Purpose


The primary purpose of a VPC is to give you a virtual network that closely resembles
a traditional network you would operate in your own data center, providing three
critical benefits: isolation, security, and control.
Why Use a VPC?
 Complete Isolation: Resources launched inside your VPC are isolated at the network
layer from every other AWS customer, and from your own other VPCs, until you explicitly
connect them (for example with VPC peering). Note that this isolation is network-level
only: who may create, change or delete the VPC and the resources in it is governed by
IAM, so a leaked IAM credential is not stopped by any of the controls described here.
 Full Network Control: You have command over your virtual networking environment.
You define your own private IP address space, create network segments called
subnets, and control the flow of traffic with route tables.
 Enhanced Security: A VPC is the foundation of a secure cloud architecture. It allows
you to create multi-layered security using both public and private subnets, security
groups, and network access control lists to protect your applications and data.
The Essential Building Blocks of a VPC
Every VPC is constructed from a few fundamental components that work together to
create a functioning network.
1. IP Address Range (CIDR Block): When you create a VPC, you must assign it an IPv4
address range in the form of a CIDR (Classless Inter-Domain Routing) block between /16
and /28 (e.g., 10.0.0.0/16). AWS recommends a private (RFC 1918) range; a publicly
routable range is accepted but makes those real internet addresses unreachable from
inside the VPC. Every resource launched within the VPC gets a private IPv4 address from
this range. An IPv6 block can optionally be added.
2. Subnets: A subnet is a smaller segment or partition of your VPC's IP address range,
bound to a single Availability Zone. You create subnets to organize resources based on
their function or security requirements. Subnets are the most critical component for
defining your network's architecture. AWS reserves five addresses in every subnet (the
first four and the last), so a /28 yields 11 usable addresses, not 16. There are two
primary types:
o Public Subnet: A subnet whose route table sends internet-bound traffic to an
Internet Gateway. A resource in it (like a web server) is directly reachable from
the internet only if it also has a public IPv4 or Elastic IP address.
o Private Subnet: A subnet that has no route to an Internet Gateway. Resources
within it (like a database) have no path for the internet to reach them,
enhancing security.
3. Route Tables: A route table acts as the "traffic cop" or "GPS" for your VPC. It contains
a set of rules, called routes, that determine where network traffic from your subnet
is directed; when several routes match, the most specific one (longest prefix) wins.
Every subnet is associated with exactly one route table; a subnet with no explicit
association uses the VPC's main route table. Every route table contains a "local"
route for the VPC's own CIDR that cannot be removed.
4. Internet Gateway (IGW): This is a highly available VPC component that allows
communication between resources in your public subnets and the internet. It also
performs one-to-one NAT between an instance's private address and its public or
Elastic IP. It's the doorway that connects your private estate to the public world.
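The following is an added example written for this module, not AWS tooling or code from the original document: it validates a VPC CIDR against the /16 to /28 limit and the RFC 1918 recommendation, carves it into subnets, checks containment and overlap, and computes usable hosts after the five addresses AWS reserves. All CIDRs and AZ names are constructed for the demo.

```python
"""Plan a VPC address layout: validate the VPC CIDR, carve it into subnets,
and check each subnet's size, containment, overlap and usable host count.
Added example for this module, not AWS tooling; every CIDR is constructed."""
import ipaddress

MIN_PREFIX, MAX_PREFIX = 16, 28   # AWS limits a VPC (and a subnet) IPv4 CIDR to /16../28
RESERVED_PER_SUBNET = 5           # AWS reserves the first four and the last address of each subnet
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_vpc_cidr(cidr):
    """Return the VPC network, or raise ValueError with the reason."""
    net = ipaddress.ip_network(cidr, strict=True)   # rejects host bits set, e.g. 10.0.1.5/24
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{cidr}: VPC CIDR must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    if not any(net.subnet_of(r) for r in RFC1918):
        # AWS accepts publicly routable space, but the VPC 'local' route would then
        # shadow those real internet addresses for everything inside the VPC.
        raise ValueError(f"{cidr}: use a private (RFC 1918) range")
    return net


def carve(vpc_cidr, new_prefix, count):
    """Split the VPC range into `count` consecutive /new_prefix subnets."""
    vpc = validate_vpc_cidr(vpc_cidr)
    if new_prefix > MAX_PREFIX:
        raise ValueError(f"/{new_prefix}: subnets must be /{MAX_PREFIX} or larger")
    gen = vpc.subnets(new_prefix=new_prefix)
    try:
        return [str(next(gen)) for _ in range(count)]
    except StopIteration:
        raise ValueError(f"{vpc_cidr} cannot hold {count} /{new_prefix} subnets") from None


def validate_subnets(vpc_cidr, subnet_cidrs):
    """Check that every subnet lies inside the VPC, is no smaller than a /28,
    and that no two subnets overlap; return the parsed networks."""
    vpc = validate_vpc_cidr(vpc_cidr)
    subnets = []
    for cidr in subnet_cidrs:
        s = ipaddress.ip_network(cidr, strict=True)
        if not s.subnet_of(vpc):
            raise ValueError(f"{cidr} is not inside VPC {vpc}")
        if s.prefixlen > MAX_PREFIX:
            raise ValueError(f"{cidr}: smallest subnet allowed is /{MAX_PREFIX}")
        for other in subnets:
            if s.overlaps(other):
                raise ValueError(f"{cidr} overlaps {other}")
        subnets.append(s)
    return subnets


def usable_hosts(subnet_cidr):
    """Addresses you can actually assign: AWS keeps 5 per subnet, so a /28 yields 11."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def plan(vpc_cidr, azs, new_prefix=24):
    """One public and one private subnet per AZ, carved consecutively from the VPC range."""
    cidrs = carve(vpc_cidr, new_prefix, 2 * len(azs))
    validate_subnets(vpc_cidr, cidrs)
    return {az: {"public": cidrs[2 * i], "private": cidrs[2 * i + 1]}
            for i, az in enumerate(azs)}


if __name__ == "__main__":
    for az, subs in plan("10.0.0.0/16", ["us-east-1a", "us-east-1b"]).items():
        print(az, subs, "usable per subnet:", usable_hosts(subs["public"]))
```

The strict parsing matters in practice: a typo such as 10.0.1.5/24 is rejected instead of being silently normalised, and the overlap check catches the common mistake of carving a /25 out of space already used by a /24.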

Page 2: Architecture and Traffic Flow in Detail


Understanding how these components interact is key to designing a functional and
secure VPC. A typical architecture separates publicly accessible resources from
private backend systems.
Public vs. Private Subnets: The Core of VPC Design
The distinction between public and private subnets is what allows for a layered
security approach.
 A web server in a public subnet can receive traffic directly from users on the internet
because its subnet's route table has a default route (0.0.0.0/0) pointing to the Internet
Gateway and the server itself carries a public or Elastic IP.
 A database server in a private subnet is protected from the internet because its route
table has no route to the Internet Gateway and it has no public IP. Unless you add a NAT
Gateway or a VPC endpoint, it can only communicate with other resources inside the VPC,
like the web server, through the "local" route.
How Private Resources Access the Internet: NAT Gateways
A common challenge is allowing a resource in a private subnet (like a database
server) to connect to the internet for software updates or to access external APIs,
without allowing the internet to initiate a connection back to it. This is solved using a
NAT (Network Address Translation) Gateway.
 A NAT Gateway is a managed AWS service that lives in a public subnet (one whose route
table sends 0.0.0.0/0 to the Internet Gateway) and has its own Elastic IP. It is zonal,
so for high availability deploy one per Availability Zone and point each private subnet
at the one in its own zone.
 You create a route in the private subnet's route table that directs internet-bound
traffic (0.0.0.0/0) to the NAT Gateway.
 The NAT Gateway rewrites the source address to its Elastic IP and forwards the traffic
through the Internet Gateway. It keeps a connection-tracking table, so when a response
comes back it knows which instance in the private subnet to return it to.
This gives private resources outbound-only connectivity: the internet cannot initiate a
connection to them. It does not, however, restrict what those resources send out, so
egress filtering (security group outbound rules, NACLs or a firewall) is still your job.
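To make the building blocks and the traffic flow above concrete, here is an added example (written for this module, not AWS code) that evaluates route tables the way the VPC router does, by longest-prefix match, and classifies subnets as public or private from their routes. The VPC, subnets, gateway identifiers and destination addresses are all constructed; the "pcx-" route is included to show that a peering route is just another target chosen by the same rule.

```python
"""Evaluate VPC routing by longest-prefix match over a subnet's route table and
trace where a packet goes: local, Internet Gateway, NAT Gateway, peering, or drop.
Added example for this module, not AWS code; all identifiers are constructed."""
import ipaddress

# Every route table carries the 'local' route for the VPC CIDR; AWS adds it and it
# cannot be removed. Targets are (destination CIDR, target) pairs.
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0abc")]
PRIVATE_RT = [("10.0.0.0/16", "local"), ("172.16.0.0/16", "pcx-0123"), ("0.0.0.0/0", "nat-0def")]
ISOLATED_RT = [("10.0.0.0/16", "local")]          # no default route at all

# Subnets: which route table they use and whether instances get a public IPv4 address.
SUBNETS = {
    "web": {"cidr": "10.0.1.0/24", "rt": PUBLIC_RT, "public_ip": True},
    "app": {"cidr": "10.0.2.0/24", "rt": PRIVATE_RT, "public_ip": False},
    "db": {"cidr": "10.0.3.0/24", "rt": ISOLATED_RT, "public_ip": False},
}
NAT_GW_SUBNET = "web"   # the NAT Gateway lives in the public subnet and has its own Elastic IP


def next_hop(route_table, dst):
    """Longest-prefix match: the most specific matching route wins. A destination
    that matches no route is dropped (None); the VPC router has no 'default default'."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def is_public(subnet_name):
    """A subnet is public when its route table sends 0.0.0.0/0 to an Internet Gateway."""
    return any(cidr == "0.0.0.0/0" and target.startswith("igw-")
               for cidr, target in SUBNETS[subnet_name]["rt"])


def internet_can_initiate(subnet_name):
    """Unsolicited inbound from the internet needs both an IGW route and a public IP
    on the target. A NAT Gateway never accepts inbound connections for its clients."""
    return is_public(subnet_name) and SUBNETS[subnet_name]["public_ip"]


def trace(subnet_name, dst):
    """List the hops a packet from `subnet_name` to `dst` takes."""
    sub = SUBNETS[subnet_name]
    hop = next_hop(sub["rt"], dst)
    if hop is None:
        return ["drop: no route"]
    if hop == "local" or hop.startswith("pcx-"):
        return [hop]
    if hop.startswith("igw-"):
        # The IGW forwards only if the source has a public or Elastic IP to translate to.
        return [hop] if sub["public_ip"] else ["drop: no public IP"]
    if hop.startswith("nat-"):
        # NAT Gateway rewrites the source to its Elastic IP, then follows the public
        # subnet's own route table out through the IGW.
        return [hop, next_hop(SUBNETS[NAT_GW_SUBNET]["rt"], dst)]
    return [hop]


if __name__ == "__main__":
    for name in SUBNETS:
        print(name, "public" if is_public(name) else "private",
              trace(name, "93.184.216.34"), trace(name, "10.0.1.10"))
```

Two things the trace makes visible that the prose only states: a /16 "local" route beats the 0.0.0.0/0 default for any in-VPC address, so VPC-internal traffic never leaves through the IGW, and an isolated subnet with no default route simply drops internet-bound packets rather than failing noisily.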

Page 3: Security, Connectivity, and Best Practices


Security is the most critical aspect of VPC management. AWS provides two main
firewall-like features to secure your resources.
The Layers of VPC Security
1. Security Groups (SGs):
o What it is: A firewall attached to an elastic network interface, so it applies to
EC2 instances and to other resources that live in the VPC (RDS, Lambda in a VPC,
load balancers). It controls inbound and outbound traffic at the instance level.
o How it works: You define "allow" rules only; there are no deny rules. For example,
you can create a rule to allow TCP port 80 from 0.0.0.0/0. A newly created security
group denies all inbound traffic and allows all outbound traffic (the VPC's default
security group additionally allows inbound traffic from members of the same group).
A rule's source can be a CIDR or another security group, which is the cleanest way
to say "only the web tier may talk to the database tier".
o Key Feature: Security Groups are stateful. If you allow an inbound connection, the
return traffic for that connection is automatically allowed, regardless of outbound
rules, and vice versa.
2. Network Access Control Lists (NACLs):
o What it is: A firewall for your subnets. It controls inbound and outbound
traffic for an entire subnet, acting as an additional layer of defense.
o How it works: You define both "allow" and "deny" rules. Rules are evaluated
lowest number first, the first match wins, and every NACL ends with an implicit
"*" rule that denies anything not matched. The VPC's default NACL allows all traffic;
a custom NACL you create denies everything until you add rules.
o Key Feature: NACLs are stateless. This means you must explicitly create rules
for both inbound and outbound traffic. If you allow inbound traffic on port 80,
you must also allow outbound traffic to the client's ephemeral port range
(1024-65535) or the server's responses will be dropped at the subnet boundary.
 Analogy: A Security Group is like a bouncer at an individual apartment's door. A NACL
is like the security guard at the main entrance to the entire floor.
Connecting Your VPC to Other Networks
 VPC Peering: Connects two VPCs, allowing them to communicate with each other using
private IP addresses as if they were on the same network. The two CIDR ranges must not
overlap, each side must add a route to the other's range, and peering is not
transitive: if A peers with B and B peers with C, A still cannot reach C. Security
groups and NACLs still apply to peered traffic.
 VPN Gateway & Site-to-Site VPN: Creates an encrypted IPsec tunnel over the public
internet to connect your on-premises data center to your VPC.
 AWS Direct Connect: A dedicated, private physical network connection between your
data center and AWS, offering higher bandwidth and more consistent network
performance than a VPN. It is private but not encrypted by default; run a VPN over
it (or use MACsec where offered) if the traffic needs encryption in transit.
Default vs. Custom VPCs
 Default VPC: AWS creates a default VPC (172.31.0.0/16) in each region of your account
to help you get started quickly. It comes pre-configured with a public subnet in each
Availability Zone, and instances launched into it receive a public IP automatically,
which is convenient for experiments and a liability for anything else.
 Custom VPC: For any production workload, it is a best practice to create a custom
VPC. This gives you full control over the IP address ranges, subnet sizes, and security
configurations, allowing you to build an architecture tailored to your specific needs.
2. API GATEWAY
An API Gateway is a management tool that sits in front of your backend services and acts
as a single entry point for all client requests. 🚪
Think of it like a restaurant's host or maître d'. Instead of customers (clients) wandering into
the kitchen to talk to different chefs (backend services), they all go to the host. The host
takes their requests, directs them to the right table, handles reservations (authentication),
and ensures the kitchen isn't overwhelmed (rate limiting).

What an API Gateway Does


An API Gateway is a reverse proxy that accepts all application programming interface (API)
calls, aggregates the various services required to fulfill them, and returns the appropriate
result.
Key Features and Benefits
 Request Routing: It acts as a single, unified endpoint (api.yourcompany.com) for your
clients. It receives an incoming request and intelligently routes it to the appropriate
backend service (e.g., a microservice, a Lambda function, or a legacy system).
 Authentication and Authorization: It can handle security tasks like verifying API keys,
JSON Web Tokens (JWT), or user credentials, ensuring that only authorized clients
can access your services. Two caveats: the gateway only helps if the backends are
reachable through it alone (for example placed in private subnets with a security group
that admits only the gateway), and the backend should still act on the verified identity
the gateway forwards rather than trusting that any request it receives was checked.
 Rate Limiting and Throttling: It protects your backend services from being
overwhelmed by too many requests. You can set rules to limit how many requests a
client can make in a given period.
 Monitoring and Logging: It provides a centralized place to monitor traffic, log
requests, and analyze API usage patterns, which is invaluable for debugging and
business intelligence.
 Protocol Translation: It can translate protocols, allowing a modern RESTful JSON API
to be a front-end for an older SOAP/XML web service.
 Caching: It can cache responses from your services, which reduces the number of
calls made to your backend and improves performance for your clients. The cache key
must include whatever identifies the caller (token subject, API key), otherwise one
user's cached response can be served to another.
In a microservices architecture, an API Gateway is an essential component that simplifies
client-side code and provides a robust, secure, and manageable way to expose your backend
services to the world. A popular example is Amazon API Gateway.
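To show the routing, authentication and rate-limiting features together, here is an added example written for this module. It is not Amazon API Gateway's or any product's code: a small in-process gateway that verifies an HS256 JWT (with the algorithm pinned, not read from the header), applies a per-client token bucket, routes by longest path prefix, and forwards only the verified identity to a backend. The secret, routes, backends and tokens are constructed for the demo.

```python
"""Minimal API gateway: authenticate (HS256 JWT), rate-limit per client (token
bucket), route by longest path prefix, then dispatch to a backend.
Added example for this module, not Amazon API Gateway or any product's code;
the secret, routes, backends and tokens are constructed."""
import base64
import hashlib
import hmac
import json


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims, secret):
    """Issue an HS256 JWT; present only so the demo can produce realistic tokens."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, header + b"." + payload, hashlib.sha256).digest()
    return (header + b"." + payload + b"." + b64url(sig)).decode()


def verify_jwt(token, secret, now):
    """Return the claims dict, or None. Pins alg to HS256 (never honour the header's
    alg, which is what 'alg: none' forgeries rely on), compares the MAC in constant
    time, and rejects tokens without a future 'exp'."""
    try:
        h, p, s = token.split(".")
        if json.loads(b64url_decode(h)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        claims = json.loads(b64url_decode(p))
        if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
            return None
        return claims
    except (ValueError, AttributeError):   # wrong part count, bad base64/JSON, non-object payload
        return None


class TokenBucket:
    """Refills `rate` tokens per second up to `burst`; each request costs one token."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, float(burst), None

    def take(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class Gateway:
    def __init__(self, routes, secret, rate=1.0, burst=3):
        self.routes, self.secret, self.rate, self.burst = routes, secret, rate, burst
        self.buckets = {}   # one bucket per authenticated client (the token's 'sub')

    def handle(self, path, headers, now):
        auth = headers.get("Authorization", "")
        claims = verify_jwt(auth[7:], self.secret, now) if auth.startswith("Bearer ") else None
        if claims is None or "sub" not in claims:
            return {"status": 401, "body": "unauthorized"}
        # Longest matching prefix wins, so /orders/v2 would beat /orders if both existed.
        prefix = max((p for p in self.routes if path.startswith(p)), key=len, default=None)
        if prefix is None:
            return {"status": 404, "body": "no route"}
        bucket = self.buckets.setdefault(claims["sub"], TokenBucket(self.rate, self.burst))
        if not bucket.take(now):
            return {"status": 429, "body": "rate limited"}
        # Forward only the verified identity, never the raw token.
        return self.routes[prefix]({"path": path, "sub": claims["sub"]})


SECRET = b"demo-secret-not-for-production"   # constructed; keep real keys in a KMS/secret store
ROUTES = {   # constructed backends standing in for microservices or Lambda functions
    "/orders": lambda req: {"status": 200, "body": f"orders for {req['sub']}"},
    "/users": lambda req: {"status": 200, "body": f"profile of {req['sub']}"},
}


def demo():
    """Burst of 3 then 429, one token back after a second, and 401 without a token."""
    gw = Gateway(ROUTES, SECRET, rate=1.0, burst=3)
    hdr = {"Authorization": "Bearer " + mint_jwt({"sub": "alice", "exp": 2000}, SECRET)}
    statuses = [gw.handle("/orders/42", hdr, now=1000.0)["status"] for _ in range(4)]
    statuses.append(gw.handle("/orders/42", hdr, now=1001.0)["status"])
    statuses.append(gw.handle("/orders/42", {}, now=1001.0)["status"])
    return statuses


if __name__ == "__main__":
    print(demo())
```

The order of checks is deliberate: authentication comes first so that unauthenticated callers learn nothing about which routes exist, and the rate limit is keyed on the verified subject rather than on a client-supplied header, which a caller could otherwise rotate to escape it.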
