This post discusses important networking terms that will help in understanding the Amazon VPC service better: the VPC itself, IP subnets, jump hosts, private IP address spaces, NAT and ICMP.
Virtual private cloud (VPC)
A VPC is an on-demand configurable pool of shared computing resources allocated within a public cloud environment. It provides a certain level of isolation between one VPC user and the outside (other VPC users as well as other public cloud users), and this is normally achieved through allocation of a private IP subnet and a virtual communication construct (such as a VLAN or a set of encrypted communication channels) per user. This isolation is usually accompanied by a VPN function (per VPC user) that secures, by means of authentication and encryption, the organization's remote access to its VPC cloud resources.
Thus an organization using this service is in effect working on a 'virtually private' cloud. The infrastructure provider, providing the underlying public cloud infrastructure, and the provider realizing the VPC service over this infrastructure, may be different vendors. Example VPC Implementations: Amazon Virtual Private Cloud allows the Amazon EC2 service to be connected to legacy infrastructure over an IPsec virtual private network connection. Google Cloud Platform (GCP) resources can be provisioned, connected, and isolated in a VPC across all GCP regions.
IP Subnet
A subnetwork or subnet is a logical subdivision of an IP network. Subnetting helps to allocate address space efficiently, enhances routing efficiency, and allows subnets to be administratively controlled by different entities in larger organizations. Computers that belong to a subnet are addressed with a common, identical, most-significant bit-group in their IP address. This results in the logical division of an IP address into two fields: a network or routing prefix and the "rest" field or host identifier.
The routing prefix may be expressed in CIDR notation (see reference). For example, 192.168.1.0/24 is the prefix of the IPv4 network starting at the given address, having 24 bits allocated for the network prefix and the remaining 8 bits reserved for host addressing. For IPv4, a network may also be characterized by its subnet mask (see reference). Subnets may be arranged logically in a hierarchical architecture, partitioning an organization's network address space into a tree-like routing structure.
Traffic is exchanged (routed) between subnetworks with special gateways (routers) when the routing prefixes of source and destination addresses differ. A router constitutes the boundary between subnets.
Private IPv4 address spaces
A private network is a network that uses private IP address space following the standards set by RFC 1918. These addresses are commonly used for home, office, and enterprise LANs. Though private address space was originally created to prevent IPv4 address exhaustion, it also exists for IPv6, where exhaustion won't be an issue.
Addresses in the private space are not allocated to any specific organization and anyone may use these addresses without approval from a regional Internet registry. However, IP packets addressed from them cannot be transmitted through the public Internet. If such a private network needs to connect to the Internet, it must do so via a network address translator (NAT) gateway, or a proxy server.
Private IPv4 Ranges:

IP address range                RFC1918 name    Largest CIDR block    Subnet mask     Host id size    Mask bits
10.0.0.0 – 10.255.255.255       24-bit block    10.0.0.0/8            255.0.0.0       24 bits         8 bits
172.16.0.0 – 172.31.255.255     20-bit block    172.16.0.0/12         255.240.0.0     20 bits         12 bits
192.168.0.0 – 192.168.255.255   16-bit block    192.168.0.0/16        255.255.0.0     16 bits         16 bits
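To make the subnet and private-range material above concrete, here is an added example (not code from the original post) that does the CIDR arithmetic with plain integer bit operations: it derives the subnet mask, host bits and address range from a prefix such as 172.16.0.0/12, decides whether two hosts share a subnet (and so whether a router is needed between them), and checks whether an address falls inside one of the three RFC 1918 blocks in the table. The sample addresses in the main block are constructed for illustration.

```python
# Added example: CIDR / subnet-mask arithmetic and RFC 1918 membership checks.
# Everything is done on 32-bit integers so the relationship between the prefix
# length, the mask and the "bitwise AND yields the routing prefix" rule is visible.

RFC1918_BLOCKS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def ip_to_int(addr: str) -> int:
    """Convert dotted-decimal IPv4 text to a 32-bit integer."""
    parts = [int(p) for p in addr.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"invalid IPv4 address: {addr}")
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def int_to_ip(value: int) -> str:
    """Convert a 32-bit integer back to dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def prefix_to_mask(prefix_len: int) -> int:
    """A /N prefix corresponds to N leading one-bits in the 32-bit mask."""
    if not 0 <= prefix_len <= 32:
        raise ValueError(f"invalid prefix length: {prefix_len}")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def parse_cidr(cidr: str):
    """Return (network, mask, prefix_len) for text like '192.168.1.0/24'."""
    addr, _, length = cidr.partition("/")
    prefix_len = int(length)
    mask = prefix_to_mask(prefix_len)
    network = ip_to_int(addr) & mask      # AND with the mask yields the routing prefix
    return network, mask, prefix_len


def describe_cidr(cidr: str) -> dict:
    """Expand a CIDR block into the columns used in the private-range table."""
    network, mask, prefix_len = parse_cidr(cidr)
    host_bits = 32 - prefix_len
    return {
        "network": int_to_ip(network),
        "subnet_mask": int_to_ip(mask),
        "mask_bits": prefix_len,
        "host_bits": host_bits,
        "first": int_to_ip(network),
        "last": int_to_ip(network | (~mask & 0xFFFFFFFF)),   # all host bits set
        "addresses": 1 << host_bits,
    }


def same_subnet(a: str, b: str, prefix_len: int) -> bool:
    """Two hosts are on the same subnet when their routing prefixes are equal;
    otherwise traffic between them must pass through a router."""
    mask = prefix_to_mask(prefix_len)
    return (ip_to_int(a) & mask) == (ip_to_int(b) & mask)


def in_block(addr: str, cidr: str) -> bool:
    """True when addr lies inside the given CIDR block."""
    network, mask, _ = parse_cidr(cidr)
    return (ip_to_int(addr) & mask) == network


def is_rfc1918(addr: str) -> bool:
    """True when addr is in any of the three RFC 1918 private blocks."""
    return any(in_block(addr, block) for block in RFC1918_BLOCKS)


if __name__ == "__main__":
    for block in RFC1918_BLOCKS:
        print(block, describe_cidr(block))
    # Constructed sample addresses, as they might appear in a VPC subnet plan.
    print(same_subnet("10.0.1.10", "10.0.1.200", 24))   # same /24: no router needed
    print(same_subnet("10.0.1.10", "10.0.2.10", 24))    # different /24: routed
    print(is_rfc1918("172.31.255.255"), is_rfc1918("172.32.0.1"))
```

The `172.16.0.0/12` row is the one people most often get wrong by hand: the mask is 255.240.0.0, so the block ends at 172.31.255.255 and 172.32.0.1 is a public address even though it starts with 172.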
Note: See reference link for IPv6 range.
Internet Control Message Protocol (ICMP)
ICMP is a supporting protocol in the Internet protocol suite. It is used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached.
The ping command uses ICMP, so if ICMP is disabled on a machine, we won't be able to ping that machine (more in the lab later).
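As an added example of what ping actually puts on the wire (not code from the original post), the block below builds an ICMP echo request header, computes the one's-complement checksum ICMP shares with IP, and parses a packet back into its type, code and payload. It does not open any socket; the packets it handles are constructed inline, including a "destination unreachable" message of the kind a router or host sends when it cannot deliver traffic. The type-number table covers only the handful of message types named here.

```python
# Added example: ICMP header construction, checksum and parsing, offline.
import struct

# ICMP message types used in this example (echo request/reply are what ping uses).
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    8: "echo request",
    11: "time exceeded",
}

# Header layout (8 bytes): type(1) code(1) checksum(2) identifier(2) sequence(2)
HEADER_FMT = "!BBHHH"


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, as used by IP, ICMP, UDP and TCP."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                        # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(msg_type: int, code: int, identifier: int = 0,
               sequence: int = 0, payload: bytes = b"") -> bytes:
    """Build an ICMP packet with the checksum filled in."""
    header = struct.pack(HEADER_FMT, msg_type, code, 0, identifier, sequence)
    csum = internet_checksum(header + payload)
    return struct.pack(HEADER_FMT, msg_type, code, csum, identifier, sequence) + payload


def build_echo_request(identifier: int, sequence: int, payload: bytes = b"") -> bytes:
    """The packet ping sends: type 8, code 0."""
    return build_icmp(8, 0, identifier, sequence, payload)


def parse_icmp(packet: bytes) -> dict:
    """Decode the 8-byte header and verify the checksum over the whole packet.
    A packet with a correct checksum sums to 0xFFFF, so its complement is 0."""
    if len(packet) < 8:
        raise ValueError("ICMP packet shorter than 8-byte header")
    msg_type, code, csum, identifier, sequence = struct.unpack(HEADER_FMT, packet[:8])
    return {
        "type": msg_type,
        "code": code,
        "name": ICMP_TYPES.get(msg_type, "other"),
        "checksum": csum,
        "checksum_ok": internet_checksum(packet) == 0,
        "identifier": identifier,
        "sequence": sequence,
        "payload": packet[8:],
    }


if __name__ == "__main__":
    # Constructed sample: the first echo request of a ping run.
    req = build_echo_request(identifier=0x1234, sequence=1, payload=b"ping")
    print(req.hex(), parse_icmp(req))
    # Constructed sample: a router reporting that the destination is unreachable.
    unreachable = build_icmp(3, 3)
    print(unreachable.hex(), parse_icmp(unreachable)["name"])
```

When ICMP is blocked on a host, echo requests like the one above are dropped and no type 0 echo reply ever comes back, which is exactly the "cannot ping" symptom mentioned in the lab note.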
References (Deprecated):
Classless Inter-Domain Routing (CIDR) notation is written as the first address of a network, followed by a slash character (/), and ending with the bit-length of the prefix.
Subnet mask is the bitmask that when applied by a bitwise AND operation to any IP address in the network, yields the routing prefix. Subnet masks are also expressed in dot-decimal notation like an address. For example, 255.255.255.0 is the network mask for the 192.168.1.0/24 prefix.
https://en.wikipedia.org/wiki/Subnetwork
https://en.wikipedia.org/wiki/Virtual_private_cloud
https://en.wikipedia.org/wiki/Jump_server
https://en.wikipedia.org/wiki/Private_network
https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
- heartin's blog