Establishing Internet Connectivity and Secure Access in an AWS VPC
Introduction to VPC and Subnet Isolation
- Overview of VPC and Subnet Isolation
  - A Virtual Private Cloud (VPC) creates an isolated network environment within AWS.
  - Subnets within a VPC can be categorized as public or private, depending on their connectivity to the Internet.
  - By default, VPCs and subnets are isolated, meaning no inbound or outbound traffic is allowed without additional configuration.
  - Resources deployed in public subnets are not accessible via the Internet unless specific configurations are applied.
- Challenges with Isolated Networks
  - Resources in public subnets cannot establish connections to the Internet or receive incoming traffic without additional components.
  - Applications and databases in private subnets remain inaccessible from the Internet, ensuring security but limiting functionality.
  - To enable Internet connectivity for specific use cases, additional AWS services like Internet gateways and NAT gateways are required.
- Use Case Scenario for the VPC
  - The architecture includes an EC2 instance and an RDS database deployed in private subnets for enhanced security.
  - Applications running on EC2 instances occasionally need Internet access for updates, patches, and upgrades.
  - External users need to interact with the application through a load balancer, which requires controlled Internet connectivity.
Enabling Internet Connectivity with Internet Gateways
- What is an Internet Gateway?
  - An Internet gateway is a VPC component that enables resources in public subnets to connect to the Internet.
  - It supports both inbound and outbound traffic, acting as a “door” to the Internet for the VPC.
  - Internet gateways are attached to VPCs in a one-to-one relationship, ensuring controlled access.
- Analogy: A House Without a Door
  - A VPC without an Internet gateway is like a house without a door: resources can move within the VPC but cannot connect to the outside world.
  - Attaching an Internet gateway is akin to installing a door, allowing traffic to flow in and out of the VPC.
- Steps to Create and Attach an Internet Gateway
  - Navigate to the AWS Management Console and access the VPC dashboard.
  - Select “Internet Gateways” from the navigation panel and create a new Internet gateway.
  - Name the Internet gateway (e.g., “Project 1 Gateway”) and attach it to the desired VPC.
  - Confirm the attachment to enable Internet connectivity for public subnets.
- Limitations of Internet Gateways
  - Internet gateways only provide connectivity for public subnets.
  - Resources in private subnets remain isolated and cannot directly access the Internet through the Internet gateway.
Facilitating Outbound Connections with NAT Gateways
- Introduction to NAT Gateways
  - NAT (Network Address Translation) gateways enable resources in private subnets to initiate outbound connections to the Internet.
  - They do not accept unsolicited inbound connections from the Internet, so private subnet resources stay unreachable from outside while replies to their own outbound requests still flow back.
  - NAT gateways act as controlled doorways, allowing outgoing traffic while protecting internal resources.
- Use Case for NAT Gateways
  - EC2 instances in private subnets require Internet access for downloading updates, patches, and application upgrades.
  - NAT gateways provide this functionality without exposing the EC2 instances directly to the public Internet.
- Steps to Create NAT Gateways
  - Access the VPC dashboard and select “NAT Gateways” from the navigation panel.
  - Create a NAT gateway for each availability zone (AZ) to ensure high availability and fault tolerance.
  - Place each NAT gateway in a public subnet and allocate an Elastic IP address so the gateway has a static public IP.
  - Repeat the process for additional NAT gateways in other public subnets.
- Best Practices for NAT Gateways
  - Deploy one NAT gateway per availability zone to avoid single points of failure.
  - Use Elastic IP addresses to ensure consistent and reliable Internet connectivity.
  - Monitor NAT gateway usage to optimize costs and performance.
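As an added example (not part of the lesson), the following Python check applies the public/private distinction and the NAT gateway rules above to a constructed description of a VPC: it classifies each subnet from its default route and flags a NAT gateway placed outside a public subnet, a NAT gateway without an Elastic IP, and a private subnet that depends on a NAT gateway in another availability zone. All subnet, gateway and address values are placeholders.

```python
# Added example (not from the lesson): an offline layout check for the
# public/private subnet split and the NAT gateway rules described above.
# Every ID and address below is a constructed placeholder, not a real resource.

SUBNETS = {
    # subnet id -> its AZ and the target of the route table's 0.0.0.0/0 route
    "subnet-pub-a": {"az": "us-east-1a", "default_route": "igw-0example"},
    "subnet-pub-b": {"az": "us-east-1b", "default_route": "igw-0example"},
    "subnet-app-a": {"az": "us-east-1a", "default_route": "nat-0aaa"},
    "subnet-app-b": {"az": "us-east-1b", "default_route": "nat-0aaa"},  # wrong AZ
    "subnet-db-a": {"az": "us-east-1a", "default_route": None},  # no Internet path
}
NAT_GATEWAYS = {
    # nat gateway id -> the subnet it sits in and its Elastic IP (if any)
    "nat-0aaa": {"subnet": "subnet-pub-a", "elastic_ip": "203.0.113.10"},
    "nat-0bbb": {"subnet": "subnet-app-b", "elastic_ip": None},  # two mistakes
}


def classify_subnet(subnet):
    """Public if the default route is an Internet gateway, private if it is a
    NAT gateway, isolated if there is no default route at all."""
    route = subnet["default_route"]
    if route is None:
        return "isolated"
    return "public" if route.startswith("igw-") else "private"


def audit(subnets, nat_gateways):
    """Return a list of findings; an empty list means the layout follows the rules."""
    findings = []
    for nat_id, nat in nat_gateways.items():
        # A NAT gateway reaches the Internet through the Internet gateway, so it
        # must sit in a public subnet and carry a static Elastic IP.
        if classify_subnet(subnets[nat["subnet"]]) != "public":
            findings.append(f"{nat_id}: NAT gateway is not in a public subnet")
        if not nat["elastic_ip"]:
            findings.append(f"{nat_id}: NAT gateway has no Elastic IP")
    for subnet_id, subnet in subnets.items():
        if classify_subnet(subnet) != "private":
            continue
        nat = nat_gateways.get(subnet["default_route"])
        if nat is None:
            findings.append(f"{subnet_id}: default route target is not a known NAT gateway")
            continue
        # One NAT gateway per AZ: a private subnet should use the one in its own AZ.
        nat_az = subnets[nat["subnet"]]["az"]
        if nat_az != subnet["az"]:
            findings.append(f"{subnet_id}: routes via NAT in {nat_az}, not {subnet['az']}")
    return findings
```

Running `audit(SUBNETS, NAT_GATEWAYS)` on the sample data reports three findings, all attributable to the misplaced nat-0bbb and the cross-AZ route of subnet-app-b.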
Managing External Requests with Application Load Balancers
- Role of Application Load Balancers (ALBs)
  - ALBs distribute incoming application traffic across multiple backend targets, such as EC2 instances.
  - They serve as the entry point for external users, ensuring application availability and responsiveness.
  - ALBs allow external connectivity without exposing backend resources directly to the Internet.
- Use Case for ALBs in the Architecture
  - External users submit requests to the application running on EC2 instances in private subnets.
  - The ALB handles these requests and forwards them to the appropriate EC2 instances, maintaining security and performance.
- Benefits of Using ALBs
  - ALBs improve application scalability by distributing traffic across multiple instances.
  - They enhance fault tolerance by operating across multiple availability zones.
  - ALBs provide a secure interface for external users while keeping backend resources private.
- Limitations of ALBs in the Current Scenario
  - The focus of this lesson is on networking aspects, so the ALB configuration is not covered in detail.
  - ALBs require additional setup and integration with other AWS services for full functionality.
Summary and Next Steps
- Recap of Key Concepts
  - Internet gateways enable Internet connectivity for public subnets, acting as a “door” to the Internet.
  - NAT gateways facilitate outbound connections for private subnet resources while maintaining security.
  - Application load balancers distribute incoming traffic and provide a secure interface for external users.
- Remaining Steps in the Architecture
  - Configure route tables to direct traffic through the appropriate gateways.
  - Define security rules to secure the VPC and its resources.
  - Test the architecture to ensure that Internet connectivity and access control are functioning as expected.
- Final Thoughts
  - By the end of the series, the VPC will have secure Internet connectivity and robust access control.
  - The architecture will support both application updates and external user requests while maintaining the security of private subnet resources.