- If we look at the picture above, we have normal houses and secure houses
- If a thief enters one of the normal houses, he can enter the other houses as well
- Suppose instead that the same houses have security; then the thief cannot enter the houses
--
- We have a lot of Regions in AWS. Some companies have their own data centers and some companies can't afford one
- AWS took this opportunity and created DATA CENTERS across the world.
- Say one company requested 10 EC2 instances in the Mumbai region, another company requested the same, and a third company did as well.
- AWS created all the instances on one physical server for the above 3 companies.
- If a hacker compromised 1 instance, he could also compromise the other companies' instances, because all the instances are on the same physical server
- So AWS solved the problem using a secured network called a VPC
- AWS provides documentation for building a secure network; DevOps engineers create the secure network
- The VPC size is defined by an IP ADDRESS RANGE
- DevOps engineers split the IP range across all the available projects
- There will be a GATEWAY to enter the network; DevOps engineers create it
- A public subnet is one a user can access inside the VPC; it connects to the internet using an INTERNET GATEWAY
- Application access is done using a router (route table) to reach the load balancer and then the application, or vice versa
- The route table defines how the application traffic should go to the load balancer
- Internet gateway --> Public subnet --> Request goes to the load balancer (assigned to the public subnet) --> target group of the application. Now if the request has to go to the application's subnet, the load balancer does not know how to get there, so for this subnet we create a route table. The route table defines the path and tells the load balancer: go this way and you will reach me.
- Now the instance will not allow access directly; it checks which IP you are coming from, confirms it, and then allows access to the application.
- Finally --> If someone from the internet tries to access the application in the private subnet: first the request has to go through the internet gateway --> public subnet in the VPC (common subnet across the VPC) --> load balancer (it sends the request to the private subnet and the application) --> the load balancer knows the subnet, but the path is given by the route table --> once the request has reached the subnet we still have the SECURITY GROUP --> once the security group allows the IP, the request is sent to the application.
- Someone on the internet tries to access an application with IP 172.17.0.4/24 (in general he will not use the private IP address; he uses the load balancer IP)
- To reach it: we know the DevOps engineer created a VPC. In the VPC we have an internet gateway. The entire VPC has an IP address range. The DevOps engineer created subnets based on the projects. Each project has some IP range
- Internet --> VPC internet gateway --> Public subnet (which can be accessed from the public internet outside the VPC) --> Load balancer (Elastic Load Balancer) (target group - the instances are registered in the target group) (private subnet - and at the same time the subnet should have a route table) --> To send the request to the private subnet there should be a proper route --> the route is decided by the route table --> security group to accept or reject the request
- Internet gateway --> Public subnet --> Load balancer --> Route tables (routers) --> Security groups
- NACL -- automation for security groups
- If the application wants to access the internet to download some packages, we don't want to expose the private IP to the internet (it is bad practice); for this we do masking of the IP address --> it is called a NAT GATEWAY
- NAT gateway --> changes the IP address to something like the public IP of the subnet or the router IP so that the application instance in the private subnet can access the internet
- If it uses a load balancer for access it is called SNAT; if it uses a router we call it a NAT gateway
- The NAT gateway is created in the public subnet
- VPC flow logs log all the traffic (some features are paid)
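The request path described in these notes (VPC range carved into per-project subnets, internet gateway, load balancer in the public subnet, route table, security group) as a small runnable model. This is an added example written for these notes, not AWS code or anything from the original page; the VPC range 172.17.0.0/16, the project names, the route targets and the security group rule are all constructed for the illustration. It goes slightly beyond the notes in two places that matter for the security point: the route lookup is a longest-prefix match (the most specific route wins, which is how the VPC-local route beats the 0.0.0.0/0 route), and the security group is default-deny, so a client that reaches the private instance without passing through the load balancer is refused.

```python
# Added example (not from the original notes): a model of the request path
# Internet gateway -> public subnet (load balancer) -> route table -> security group.
# All addresses, project names and rules below are constructed for the example.
import ipaddress
from dataclasses import dataclass, field

VPC_CIDR = "172.17.0.0/16"  # constructed VPC range; the VPC "size" is this range


def carve_subnets(vpc_cidr, projects, prefix=24):
    """Split the VPC range into one public and one private /prefix per project.
    Returns {project: {"public": net, "private": net}} and checks for overlaps."""
    chunks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix)
    plan = {name: {"public": next(chunks), "private": next(chunks)} for name in projects}
    nets = [n for p in plan.values() for n in p.values()]
    # Two subnets inside one VPC must never overlap, or routing becomes ambiguous.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            assert not a.overlaps(b), f"subnet overlap: {a} and {b}"
    return plan


@dataclass
class RouteTable:
    # destination CIDR -> target ("local" stays inside the VPC, "igw" leaves it).
    routes: dict = field(default_factory=dict)

    def lookup(self, dst_ip):
        """Longest-prefix match, as a router does: the most specific route wins."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for cidr, target in self.routes.items():
            net = ipaddress.ip_network(cidr)
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


@dataclass
class SecurityGroup:
    # Each ingress rule is (source CIDR, port). Anything not listed is denied.
    ingress: list

    def allows(self, src_ip, port):
        src = ipaddress.ip_address(src_ip)
        return any(src in ipaddress.ip_network(cidr) and p == port for cidr, p in self.ingress)


def request_path(src_ip, lb_ip, app_ip, port, public_rt, private_rt, app_sg):
    """Walk the hops from the internet to the application; returns the hop list,
    whose last entry says whether the request was accepted or where it was dropped."""
    hops = ["internet-gateway"]
    # The public subnet must route internet addresses via the internet gateway,
    # otherwise replies to the client can never leave the VPC.
    if public_rt.lookup(src_ip) != "igw":
        return hops + ["dropped: public subnet has no internet route"]
    hops.append(f"load-balancer {lb_ip}")
    # The load balancer needs a route to the private subnet (the "local" route).
    if private_rt.lookup(app_ip) != "local":
        return hops + ["dropped: no route to private subnet"]
    hops.append("route-table -> private subnet")
    # The instance's security group sees the load balancer as the source, not the client.
    if not app_sg.allows(lb_ip, port):
        return hops + ["dropped: security group rejected"]
    return hops + [f"accepted by {app_ip}:{port}"]


def demo():
    """Constructed walkthrough: one client on the internet reaching project-a's app."""
    plan = carve_subnets(VPC_CIDR, ["project-a", "project-b"])
    public_rt = RouteTable({"172.17.0.0/16": "local", "0.0.0.0/0": "igw"})
    private_rt = RouteTable({"172.17.0.0/16": "local", "0.0.0.0/0": "nat-gateway"})
    lb_ip = str(plan["project-a"]["public"][10])    # 172.17.0.10, in the public subnet
    app_ip = str(plan["project-a"]["private"][20])  # 172.17.1.20, in the private subnet
    # Only the load balancer's subnet may talk to the app port; the internet may not.
    app_sg = SecurityGroup([(str(plan["project-a"]["public"]), 8080)])
    return request_path("203.0.113.10", lb_ip, app_ip, 8080, public_rt, private_rt, app_sg)


if __name__ == "__main__":
    for hop in demo():
        print(hop)
```

Running the module prints the four hops for the accepted request. Changing the port in `demo()` to 22, or asking `app_sg.allows("203.0.113.10", 8080)` directly, shows the default-deny behaviour the notes describe: the security group only admits traffic from the load balancer's subnet on the application port.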



