AWS Classroom series – 01/Mar/2020

Virtual Private Networks in AWS

  • AWS supports two kinds of VPNs
    • Point to Site
    • Site to Site
  • AWS has two kinds of gateways
    • Gateway in AWS to connect to the on-premise network
      • Virtual Private Gateway (Site-to-Site)
      • Transit Gateway (Site-to-multi-Site)
    • Gateway on-premise (generally a hardware VPN device)
      • Customer Gateway

Static IP Address

  • Private: When you create an EC2 machine you generally get a private IP and, optionally, a public IP. The private IP is always static.
  • Public: The public IP on the network interface changes every time the EC2 machine is stopped and started. The public IP is dynamic by default.
  • To get a static public IP, AWS offers the Elastic IP Address
  • Billing of Elastic IP Address
    • While your EC2 machine is running, the bill is zero
    • When you stop the EC2 machine, billing starts and continues until the machine is started again
  • An Elastic IP is allocated and then associated with a network interface, or released when it is no longer needed

Private Subnet Not Connecting to Internet


  • When we create a public subnet it can be connected from/to the internet, whereas a private subnet is not connected from/to the internet.

  • But if we want to connect a private machine to the internet, we use NAT

  • In AWS we have two popular ways of creating NAT

    • NAT Instance:
      • An EC2 machine with an Elastic IP address and a NAT instance AMI, placed in the public subnet
      • Now add a route in the private route table to send all internet traffic to the NAT instance
      • Is completely managed by the user
    • NAT Gateway:
      • NAT as a service
      • Just specify that you need a NAT, AWS does the rest
      • Change the route table
      • Management of the underlying NAT instances is done by AWS
  • Now create the NAT Gateway in the public subnet and change the route table of the private subnet

  • Exercise:

    • Create a VPC with 2 subnets
    • Make one subnet private and the other subnet public
    • Create EC2 machines, one in the public subnet and the other in the private subnet
    • Now try to connect to the private EC2 machine using the public EC2 machine, and then check for internet connectivity (you will not have it)
    • Now create a NAT Gateway in the public subnet
    • Add a route in the private route table to forward all packets outside the VPC's range to the NAT Gateway
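To see why the last step works, here is an added example (not from the original notes, and not AWS code) that models the two route tables from the exercise with longest-prefix matching: the VPC's local route always wins for in-VPC destinations, only a 0.0.0.0/0 route gives the private subnet a way out, and the NAT Gateway only provides egress when it sits in a subnet whose own default route goes to an internet gateway. The VPC range and the igw-/nat- IDs are constructed placeholders.

```python
import ipaddress

VPC_CIDR = "10.0.0.0/16"   # constructed sample VPC range (not from the page)
IGW = "igw-PLACEHOLDER"    # placeholder IDs, not real AWS resources
NAT = "nat-PLACEHOLDER"


class RouteTable:
    """Minimal model of a VPC route table: destination CIDR -> target."""

    def __init__(self, routes):
        self.routes = {ipaddress.ip_network(c): t for c, t in routes.items()}

    def lookup(self, dst):
        """Longest-prefix match, which is how a VPC route table picks a route.
        Returns the target id, or None when no route covers the destination."""
        ip = ipaddress.ip_address(dst)
        matches = [(n.prefixlen, t) for n, t in self.routes.items() if ip in n]
        return max(matches)[1] if matches else None


def is_public(rt):
    """A subnet is public when its default route points at an internet gateway."""
    target = rt.lookup("198.51.100.1")  # any address outside the VPC range
    return (target or "").startswith("igw-")


def private_egress_ok(private_rt, nat_target, nat_subnet_rt):
    """The private subnet reaches the internet only if its default route goes to
    the NAT Gateway AND the NAT Gateway itself lives in a public subnet."""
    return private_rt.lookup("198.51.100.1") == nat_target and is_public(nat_subnet_rt)


def build_tables(nat_added):
    """Return (public_rt, private_rt) before/after the exercise's NAT route."""
    public = RouteTable({VPC_CIDR: "local", "0.0.0.0/0": IGW})
    private_routes = {VPC_CIDR: "local"}          # the implicit local route only
    if nat_added:
        private_routes["0.0.0.0/0"] = NAT          # step 6 of the exercise
    return public, RouteTable(private_routes)


if __name__ == "__main__":
    pub, priv = build_tables(nat_added=False)
    print("before NAT, private -> internet:", priv.lookup("198.51.100.1"))  # None
    pub, priv = build_tables(nat_added=True)
    print("after NAT, private -> internet:", priv.lookup("198.51.100.1"))   # nat-...
    print("after NAT, private -> other VPC host:", priv.lookup("10.0.0.5"))  # local
    print("NAT placed in a private subnet works:", private_egress_ok(priv, NAT, priv))
```

The last line is the check worth keeping: a NAT Gateway created in the private subnet by mistake leaves the private instances without internet access even though the 0.0.0.0/0 route looks correct.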

About continuous learner

devops & cloud enthusiastic learner