As I was studying for my AWS certification (which I didn’t end up getting, only the Azure certification), I decided to learn about networking. I didn’t get the chance to take networking in university, so this was a good opportunity to learn. I found that it was challenging and interesting.

How IP Addresses work


Your computer sends request to DNS server (Domain Name resolution) to get IP address of website. Then can communicate to website. IP Addresses are four eight-bit numbers (0-255).


VPC


VPCs are virtual private networks. They have hosts that are assigned IP addresses 0.0.0.0 to 255.255.255.255. This is a logical network (not in the real internet). Use 10.*.*.* or some other special IP address ranges to make sure the IPs are available for that private network.

VPCs are divided into non-overlapping subnets. Each host in the VPC has an IP address, and which subnet it belongs to depends on the beginning bits of its IP address and this thing called a subnet mask. If its IP is for example 10.1.0.1/16, this means that it belongs to the VPC of all hosts that start with 10.1 (the first 16 bits of this host's IP address). The subnet mask in this case is implicitly 255.255.0.0 which is applied to the IP address to get the 10.1. The 16 is just shorthand notation for the subnet mask (mask away everything except the first 16 bits). With this configuration, the last two 8-bit numbers are allowed to be anything, so in this case the subnet supports 255*255 hosts.

Actually, the example was slightly inaccurate. In VPC, we have multiple subnets, so to distinguish subnets we steal some of the bits from the host portion of the IP address. The part before (common to all addresses on the VPC) is called a CIDR block. The CIDR block in the example above is 10, then the subnet mask is 8 (confusingly), possible subnets are 10.0-10.255, and the last two numbers can be anything again. The IP address of the VPC as a whole is 10.0.0.0/8, and the IP address of two example subnets are 10.0.0.0/16 and 10.1.0.0/16. Both VPCs and subnets have CIDR blocks and both have subnet masks (this is the part that is confusing).

Hosts should be able to talk to each other directly inside VPCs. The route table describes how to navigate subnets inside a VPC. An internet gateway is something the route table connects with to route traffic from special public hosts.

Don't overlap CIDR blocks across different VPCs!

Building a VPC


Let's build a VPC. The overall address of the VPC is 10.0.0.0/16, and we have two private subnets 10.0.2.0/24 and 10.0.3.0/24 and two public subnets 10.0.0.0/24 and 10.0.1.0/24. The public subnets have a route table that has a route that connects to an interet gateway, and also automatically get assigned public IPv4 addresses.

The public subnets have the MAIN route table routes 10.0.0.0/16 locally and 0.0.0.0/0 (anything else) to the internet.

The private route table needs a NAT gateway to connect to the internet. The NAT gateway is created inside one of the public subnets but our private subnets route to it. Allocate elastic IP.

Also create a security group for your VPC. For outbound rules, all traffic to any destination. For inbound rules, for now all traffic to any destination.