In the previous post in this series, we looked at the foundations of AWS infrastructure. In this post, we start to focus on the AWS services you use as a customer. I highly recommend you have foundational knowledge of IPv4 networks and the OSI model before proceeding with this section.
There are four foundational services offered by AWS: Network, Compute, Storage and Database.
These services build on the general building block services which we discussed in an earlier post in this series. These foundational services tend to be the first services that AWS customers adopt when beginning to use AWS. In fact, most certification exams focus on the four foundational areas of Network, Compute, Storage and Database.
This post will cover networking, and we'll cover other higher order services like integration in the future.
AWS uses custom network hardware that it designs and manufactures for its own use. For the more network-savvy readers: in a typical AWS environment, tens of thousands of customers deploy servers that use network ranges overlapping with each other. Traditional network hardware simply cannot scale the number of Virtual Local Area Networks (VLANs) to meet this kind of demand, so AWS built its own network hardware implementation to support a cloud of that size.
We start with VPC, which is an acronym for Virtual Private Cloud. A VPC is a region-scoped, entirely virtualized private network that you create and manage on your own. This ranges from picking your own Classless Inter-Domain Routing (CIDR) range to defining your own subnets, route tables, firewalls and so forth.
(Note: Anytime you hear that a service is region-scoped, it means it's not only highly available and fault-tolerant, it will also exhibit a high degree of self-healing where AWS manages all of that on your behalf.)
Most AWS customers will create VPC networks and deploy some AWS resources in them.
You may ask whether you could use AWS and never have to create a VPC. Absolutely. There are a lot of serverless offerings you could use to deploy your infrastructure without ever creating a network, but those options are limited. In the end, most cloud scenarios will require creating and deploying VPCs.
With a VPC you have full control over the security. Not all the way down to the hardware, of course, which AWS manages, but you're in charge of areas like data sovereignty and compliance. This matters when selecting the region in which your VPC is scoped. Except for the hardware, the VPC you provision is yours to do with as you wish.
Something else to consider when selecting the appropriate region for your VPC is that geography affects latency. So, the further the distance, the greater the latency. As a good practice, it is best to select the Region that is close to your business operations or users.
There are also a lot of connectivity options to consider with the VPC in order to get your network traffic in and out of the VPC network.
How do you create your first VPC? It is actually quite simple:
Now we have an empty VPC. We can't yet deploy a load balancer, virtual application servers or databases, which together form a typical three-tier on-premises architecture. We need a VPC to launch our virtual machines, but a few more steps are needed to make this VPC operational. Again, this is just a high-level overview. For more information, please check out our advanced AWS Networking training and certification or this no-cost AWS Essentials course.
Think of the VPC as the counterpart of the networking address scheme in your on-premises data center. We are just doing this in the AWS Cloud environment now.
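To make the CIDR and subnet planning described above concrete, here is an added example that is not part of the original post: a small Python planner that carves a VPC CIDR into one subnet per Availability Zone and checks the plan against two AWS-documented limits (a VPC CIDR must be between /16 and /28, and every subnet loses five reserved addresses) and against the on-premises ranges it must not overlap. The AZ names and the address ranges are constructed sample values.

```python
import ipaddress

# Limits documented by AWS: a VPC CIDR block is between /16 and /28, and in every
# subnet AWS reserves 5 addresses (network, VPC router, DNS, future use, broadcast).
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28
RESERVED_PER_SUBNET = 5


def plan_vpc(vpc_cidr, azs, subnet_prefix, on_prem_cidrs):
    """Carve one subnet per AZ out of vpc_cidr.

    Returns {az: {"cidr": ..., "usable_hosts": ...}} or raises ValueError when the
    plan violates an AWS limit or overlaps an on-premises range.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not VPC_MIN_PREFIX <= vpc.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(f"VPC CIDR {vpc} must be between /16 and /28")
    if not vpc.prefixlen <= subnet_prefix <= VPC_MAX_PREFIX:
        raise ValueError(f"subnet prefix /{subnet_prefix} must fit inside {vpc} and be at most /28")
    # A VPC that overlaps the data center it will peer or VPN with cannot be routed cleanly.
    for site in on_prem_cidrs:
        if vpc.overlaps(ipaddress.ip_network(site, strict=True)):
            raise ValueError(f"VPC CIDR {vpc} overlaps on-premises range {site}")
    subnets = list(vpc.subnets(new_prefix=subnet_prefix))
    if len(subnets) < len(azs):
        raise ValueError(f"{vpc} only yields {len(subnets)} /{subnet_prefix} subnets for {len(azs)} AZs")
    plan = {}
    for az, subnet in zip(azs, subnets):
        plan[az] = {
            "cidr": str(subnet),
            "usable_hosts": subnet.num_addresses - RESERVED_PER_SUBNET,
        }
    return plan


if __name__ == "__main__":
    # Constructed sample: two on-premises ranges already in use, one /16 VPC split
    # into /24 subnets across three (assumed) AZ names.
    on_prem = ["10.0.0.0/16", "192.168.0.0/16"]
    for az, entry in plan_vpc("10.1.0.0/16", ["us-east-1a", "us-east-1b", "us-east-1c"], 24, on_prem).items():
        print(f"{az}: {entry['cidr']} ({entry['usable_hosts']} usable hosts)")
```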
Author's note: I recommend anyone who works on AWS or wants to build AWS fluency have foundational knowledge of IPv4 Networking and the OSI model. This will make it easier to understand these Getting Started Guides for AWS and other cloud vendor content. And for a refresher, read the previous blog in this series: Getting Started with AWS: Design & Building Blocks
It's important to understand AWS's Global Infrastructure because that is where all foundational AWS services like network, compute, storage and databases reside.
Let's start with the atomic unit of AWS's infrastructure, the individual Data Center (DC), not to be confused with DC Comics! A DC comprises anywhere from 40,000 to 80,000 servers, and no services run at this layer. This is the same for any other large cloud provider, so AWS is no different in this case. What AWS does in its data centers that makes them unique is the way it secures them and makes them redundant in terms of network, internet, power and HVAC.
But none of that matters. Why? Because it's the cloud and AWS is already taking care of this.
What matters is understanding the terms of your Service Level Agreement (SLA). This is the fine print in which AWS tells you what kind of uptime and availability to expect from its services and what hardware and technology it uses to achieve that.
The hardware also doesn't matter to us as the consumers of cloud computing, but let's answer some common questions:
What hardware does AWS use? I don't know for sure but strongly suspect AWS uses some commodity server and storage hardware that most of us are probably familiar with.
What kind of virtualization is AWS using? Two different kinds. They use a heavily modified version of the Xen hypervisor that is slowly being phased out. They also use a technology called the 'Nitro' hypervisor, which AWS developed internally. If you're wondering whether AWS uses VMware or something like that, the answer is no. AWS has some pretty deep partnerships with VMware, so if you are a VMware shop, there are some great integration points in AWS. But the coolest and newest stuff you can do with EC2 runs on the Nitro hypervisor.
Now let's expand beyond the DC to the next AWS infrastructure layer, the Availability Zone (AZ).
An Availability Zone is a highly available building block. When we deploy a resource that is scoped at the AZ level, the resource by itself won't be very redundant and won't have much high availability built into it. But we can deploy resources in more than one AZ to achieve higher availability. An Availability Zone is one or more data centers that are co-located, meaning within a short walking distance of each other. Imagine a college campus with many different buildings. Each of those buildings could be a different DC, but part of the same AZ. And when you create a virtual machine, it is scoped at the AZ level.
We won't cover all of these in this blog, but these design principles highlight the differences between running your own data center and relying on any cloud hosting provider, AWS or otherwise.
Let’s dive in.
I recall an enterprise I worked with that spent 8 months out of the year dedicating most of the IT to capacity planning.
They asked all kinds of questions:
Guess what? When you operate in the cloud, you no longer worry about these questions because AWS takes care of all of it! Imagine all the time your IT team will save without this responsibility.
You can always spin up temporary resources for your Quality Assurance tests to match your production scale, then scale down or remove them when you no longer need them, which is typically after testing is complete. That way you only pay for the resources consumed, rather than for idle capacity.
These two principles may be the most important of the six. When you automate and evolve, you open the door to innovation.
When you have your own on-premises data center, your team's time is spent managing hardware. But with AWS, their time and minds are free to be more creative. AWS Cloud gives rise to a completely new way of thinking about IT architectures.
As a simple example, take an existing model with two on-premises data centers.
Source: AWS
This can then be evolved in a matter of minutes into several data centers, or what AWS calls Availability Zones (AZs), which are organized into 24 Regions worldwide. Each AZ has redundant resources, uses separate facilities for power, and operates in a different geographic vicinity from the next AZ, thereby providing instant resiliency to your workloads in the cloud.
AWS global infrastructure. Source: AWS
Combined, these two principles address security from AWS's perspective.
Many years ago in an AWS presentation, I came across five words that should describe every company’s security posture: Keep people away from data.
It was refreshing that someone from AWS coined this simple phrase so that we can highlight an important security principle to somebody who is not IT security savvy. The further you can keep people away from data, the better it will be for your organization.
With 32% global market share, Amazon Web Services (AWS) is the most popular cloud platform for business. And for good reason – with global data centers, high availability and security built in at every point, AWS has given companies a more affordable way to experiment and innovate.
One of the things I appreciate most about AWS Cloud is the extra resilience and capabilities it gives your IT infrastructure. It's always good to be thinking: What's Plan B? What if our site goes down? What happens to our business continuity?
And AWS has the services to answer these questions and much more. So, let’s make sure you can get started on the right path with AWS in 2022.
First, let’s start with some basics.
When I first start teaching an AWS course, I always ask my students: What is the cloud? When you ask a group of technical people for their opinions on a topic like Cloud, you’re going to have a lot of different answers because everybody has their individual frame of reference. Everybody has their own perspective. Eventually, after the answers pour in, we notice a few topic clusters around Cloud, including AWS, security and pay-as-you-go consumption models. Let’s dive into these topics below.
If cloud is basically someone else’s computer, this should immediately trigger questions about security:
The good news is AWS also considers security above everything and has security baked into every level of its infrastructure and services. We’ll dive deeper into security later in this blog.
When you move to the cloud, you manage fewer services than you do with on-premises IT.
AWS defines itself as follows:
Amazon Web Services (AWS) is the world’s most comprehensive and broadly adopted cloud platform, offering over 200 fully featured services from data centers globally. Millions of customers – including the fastest-growing startups, largest enterprises, and leading government agencies – are using AWS to lower costs, become more agile, and innovate faster.
This sounds like a whole lot of buzzwords. Let's unpack the key phrases in that definition.
So, what is a Cloud Platform?
The term on-demand requires a big change in mindset. "On-demand" changes everything you can do with your technology platform. It moves us away from a capital-intensive model to a 'pay as you go' model. This means your infrastructure is scalable.
As you grow (or shrink), you can scale your services up or down as needed and only pay for what you use. No longer does a company have to invest in a full stack of expensive infrastructure up front and be forced to stick with it if mistakes were made in over or under provisioning capacity. Cloud provides an on-demand infrastructure that you pay for as you go, thus freeing your business to be more agile and experimental in your deployments.
AWS offers over 200 fully featured services, which means there’s a service for almost everything a business needs. This is a positive benefit for businesses. If there is something you need to do with a technology, AWS likely has an answer so you don’t have to build from scratch.
Mind you, 200 fully featured services can be overwhelming. Despite being an AWS instructor and fan, I don’t feel it addresses new customers very well in terms of guiding them towards the services that they need. Side note: if you are new to AWS, please check out the official AWS community or even Cloud Institute as your go-to resource for AWS.
Having data centers globally is also a big deal. Most companies don't have the ability to implement data centers across the globe on their own. Despite all the disaster recovery and business continuity planning (BCP), a single enterprise will never exceed the geographical footprint of AWS; we are talking about hundreds of geographic regions around the world, each with thousands and possibly millions of servers.
This means your business continues to operate even when there are disruptions due to bad weather or loss of power, by rehoming your services to another geographic region.
Lastly, lower costs … innovate faster. I’ll break this one down in the next section.