Virtual Private Networks in AWS
- AWS supports two kinds of VPN
- Client VPN (point-to-site): individual clients (laptops, roaming users) connect into a VPC over OpenVPN-based TLS tunnels
- Site-to-Site VPN: a whole on-premises network connects to AWS over IPsec tunnels
- A Site-to-Site VPN needs a gateway on each end
- Gateway in AWS, terminating the AWS side of the tunnel
- Virtual Private Gateway: attached to a single VPC (site-to-site)
- Transit Gateway: a hub that many VPCs and many on-premises sites attach to (site-to-multi-site); the VPN tunnels terminate on the Transit Gateway instead of on each VPC
- Gateway on-premises (generally a hardware VPN device or firewall)
- Customer Gateway: the AWS resource that describes the on-premises device (its public IP address and BGP ASN); the device itself stays on-premises, and the IPsec tunnels are authenticated with pre-shared keys or certificates
- A VPN only gives you encrypted transport; route tables, security groups and network ACLs still decide which on-premises ranges can reach which VPC resources
Static IP Address
- Private: when you launch an EC2 instance it always gets a private IPv4 address and optionally a public one. The primary private IP stays with the instance for its whole lifetime, across stop/start, so it is effectively static
- Public: an auto-assigned public IP is released when the instance is stopped and a new one is assigned when it is started, so it is dynamic by default
- To get a static public IP, AWS offers the Elastic IP address (EIP): you allocate it to your account and associate it with a network interface; it survives stop/start and can be moved to another interface
- Billing of Elastic IP addresses (the classic rule)
- While the EIP is associated with a running instance there is no extra charge
- When the instance is stopped, or the EIP is allocated but not associated with anything, AWS charges an hourly fee until the instance is started again or the address is released
- Caveat: since February 2024 AWS bills every public IPv4 address by the hour, whether or not it is in use, so the running-instance case is no longer free either; an unassociated EIP is still pure waste
- Lifecycle: an EIP is allocated to the account, associated with a network interface (and possibly disassociated and re-associated), and finally released, which returns the address to the AWS pool
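The billing rule above turns into a simple audit: which EIPs are being paid for without serving a running workload? The script below is an added example, not part of these notes; it works on data in the shape of `aws ec2 describe-addresses` and a state map built from `aws ec2 describe-instances`, and every ID and address in it is constructed for the example.

```python
"""Audit Elastic IPs: find addresses that are billed but not serving a
running instance.

The input mirrors `aws ec2 describe-addresses` and a map built from
`aws ec2 describe-instances` (only the fields used here).  Every ID and
address below is constructed for this example.
"""
from typing import Dict, List, Tuple

# Constructed sample: four EIPs in four different states.
SAMPLE_ADDRESSES: List[dict] = [
    {   # associated with a running instance: doing useful work
        "PublicIp": "203.0.113.10", "AllocationId": "eipalloc-0example00001",
        "AssociationId": "eipassoc-0example00001", "InstanceId": "i-0running0000000001",
        "NetworkInterfaceId": "eni-0example000000001", "Domain": "vpc",
    },
    {   # associated with a stopped instance: reserved, billed, not in use
        "PublicIp": "203.0.113.11", "AllocationId": "eipalloc-0example00002",
        "AssociationId": "eipassoc-0example00002", "InstanceId": "i-0stopped0000000001",
        "NetworkInterfaceId": "eni-0example000000002", "Domain": "vpc",
    },
    {   # allocated but never associated: billed, pure waste
        "PublicIp": "203.0.113.12", "AllocationId": "eipalloc-0example00003", "Domain": "vpc",
    },
    {   # associated with an ENI that is not an instance (e.g. a NAT gateway): in use
        "PublicIp": "203.0.113.13", "AllocationId": "eipalloc-0example00004",
        "AssociationId": "eipassoc-0example00004",
        "NetworkInterfaceId": "eni-0natgw0000000001", "Domain": "vpc",
    },
]

# Constructed sample of instance states, keyed by instance ID
# (in practice built from describe-instances: InstanceId -> State.Name).
SAMPLE_INSTANCE_STATES: Dict[str, str] = {
    "i-0running0000000001": "running",
    "i-0stopped0000000001": "stopped",
}


def eip_status(addr: dict, instance_states: Dict[str, str]) -> str:
    """Classify one address record from describe-addresses."""
    if "AssociationId" not in addr:
        return "unassociated"
    instance_id = addr.get("InstanceId")
    if instance_id is None:
        # Attached to a standalone ENI, e.g. a NAT gateway or a load balancer.
        return "attached-to-eni"
    return "attached-to-" + instance_states.get(instance_id, "unknown")


def idle_eips(addresses: List[dict], instance_states: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (AllocationId, PublicIp, status) for every EIP that is billed
    without serving a running workload: unassociated, or attached to an
    instance that is not running."""
    idle = []
    for addr in addresses:
        status = eip_status(addr, instance_states)
        if status in ("attached-to-running", "attached-to-eni"):
            continue
        idle.append((addr["AllocationId"], addr["PublicIp"], status))
    return idle


def cleanup_commands(idle: List[Tuple[str, str, str]]) -> List[str]:
    """Suggest AWS CLI commands.  Only never-associated addresses are safe to
    release blindly; an EIP on a stopped instance is usually kept on purpose
    (keeping the address across stop/start is the point of an EIP), so it is
    reported for review rather than released."""
    cmds = []
    for allocation_id, public_ip, status in idle:
        if status == "unassociated":
            cmds.append(f"aws ec2 release-address --allocation-id {allocation_id}  # {public_ip}")
        else:
            cmds.append(f"# review: {public_ip} ({allocation_id}) is {status}")
    return cmds


if __name__ == "__main__":
    found = idle_eips(SAMPLE_ADDRESSES, SAMPLE_INSTANCE_STATES)
    for line in cleanup_commands(found):
        print(line)
```

To run it against a real account, replace the two sample structures with `json.load` of `aws ec2 describe-addresses --query Addresses` and a map built from `aws ec2 describe-instances`; the classification logic stays the same.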
Private Subnet Not Connecting to Internet
- A public subnet has a route to an internet gateway, so instances with a public IP can be reached from, and can reach, the internet. A private subnet has no such route, so its instances can neither be reached from nor reach the internet
- If a private instance still needs outbound access (package updates, calling AWS APIs), we use NAT: traffic leaves through a device in the public subnet that has a public IP, and only the return traffic for existing connections comes back
- NAT is one-way: it does not make private instances reachable from the internet
- In AWS we have two popular ways of creating NAT
- NAT Instance
- An EC2 instance in the public subnet, launched from a NAT AMI, with an Elastic IP address
- Source/destination checking must be disabled on its network interface, otherwise it drops packets that are not addressed to itself
- Its security group must allow inbound traffic from the private subnet's range
- Add a route in the private subnet's route table sending 0.0.0.0/0 to the NAT instance
- Completely managed by you (patching, sizing, high availability)
- NAT Gateway
- NAT as a service: create it in a public subnet with an Elastic IP, and AWS does the rest
- Add a route in the private subnet's route table sending 0.0.0.0/0 to the NAT gateway
- Scaling, patching and availability are handled by AWS; it has no security group of its own, so control access with the private instances' security groups and the subnet's network ACL
- Either way the NAT device sits in the public subnet and the private subnet's route table is changed to point at it
Exercise:
- Create a VPC with 2 subnets
- Make one subnet public (route table with 0.0.0.0/0 to an internet gateway) and the other private (no internet gateway route)
- Create EC2 instances, one in the public subnet and one in the private subnet
- Connect to the private instance through the public one (use it as a jump host) and check for internet connectivity; you will not have it
- Create a NAT Gateway in the public subnet with an Elastic IP
- Add a route in the private subnet's route table sending everything outside the VPC's range, i.e. 0.0.0.0/0, to the NAT Gateway; the VPC's own range keeps matching the more specific "local" route
- Check again from the private instance: outbound connectivity now works, and the instance is still unreachable from the internet
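Whether a subnet is "public" or "private" is decided entirely by the default route in the route table it actually uses, and a subnet with no explicit association silently uses the VPC's main route table. The script below, an added example rather than code from these notes, classifies subnets from data in the shape of `aws ec2 describe-route-tables` output, then replays the exercise's last step (adding the 0.0.0.0/0 route to the NAT gateway) to show the private subnet going from isolated to outbound-only. All IDs and CIDRs are constructed for the example.

```python
"""Classify VPC subnets by the default route their route table actually
carries, and show the effect of the exercise's NAT gateway route.

Input mirrors `aws ec2 describe-route-tables` output (only the fields used
here).  All IDs and CIDRs are constructed for this example.
"""
import copy
from typing import List, Optional

VPC_CIDR = "10.0.0.0/16"
PUBLIC_SUBNET = "subnet-0public0000000001"
PRIVATE_SUBNET = "subnet-0private000000001"   # no explicit association: uses the main table
PUBLIC_RT = "rtb-0public00000000001"
MAIN_RT = "rtb-0main000000000001"
NAT_GATEWAY = "nat-0example0000000001"

# Constructed sample: the VPC after the exercise's first steps, before the
# NAT gateway route has been added to the private subnet's (main) table.
SAMPLE_ROUTE_TABLES: List[dict] = [
    {
        "RouteTableId": PUBLIC_RT,
        "Associations": [{"Main": False, "SubnetId": PUBLIC_SUBNET}],
        "Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example0000000001", "State": "active"},
        ],
    },
    {
        "RouteTableId": MAIN_RT,
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": VPC_CIDR, "GatewayId": "local", "State": "active"},
        ],
    },
]


def effective_route_table(route_tables: List[dict], subnet_id: str) -> Optional[dict]:
    """A subnet uses the table it is explicitly associated with; if there is
    none, it falls back to the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(route_tables: List[dict], subnet_id: str) -> str:
    """'public'   -> 0.0.0.0/0 goes to an internet gateway (reachable from the internet)
       'private'  -> 0.0.0.0/0 goes to a NAT gateway or NAT instance (outbound only)
       'isolated' -> no usable default route at all"""
    rt = effective_route_table(route_tables, subnet_id)
    if rt is None:
        return "isolated"
    for route in rt.get("Routes", []):
        # Only the default route matters: the VPC range always matches the
        # more specific "local" route first (longest prefix wins).
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State") != "active":      # "blackhole" routes carry nothing
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId") or route.get("InstanceId") or route.get("NetworkInterfaceId"):
            return "private"
    return "isolated"


def with_default_route(route_tables: List[dict], route_table_id: str,
                       target_key: str, target_id: str) -> List[dict]:
    """Return a copy with an active 0.0.0.0/0 route added to one table: the
    effect of `aws ec2 create-route --destination-cidr-block 0.0.0.0/0 ...`.
    target_key is the route field, e.g. 'NatGatewayId' or 'GatewayId'."""
    tables = copy.deepcopy(route_tables)
    for rt in tables:
        if rt["RouteTableId"] == route_table_id:
            rt["Routes"].append({"DestinationCidrBlock": "0.0.0.0/0", target_key: target_id, "State": "active"})
            return tables
    raise KeyError(f"no route table {route_table_id}")


if __name__ == "__main__":
    print("before:", PRIVATE_SUBNET, classify_subnet(SAMPLE_ROUTE_TABLES, PRIVATE_SUBNET))
    after = with_default_route(SAMPLE_ROUTE_TABLES, MAIN_RT, "NatGatewayId", NAT_GATEWAY)
    print("after: ", PRIVATE_SUBNET, classify_subnet(after, PRIVATE_SUBNET))
    print("public:", PUBLIC_SUBNET, classify_subnet(after, PUBLIC_SUBNET))
```

The main-table fallback is the check worth keeping: if someone later adds an internet gateway route to the main table, every subnet without an explicit association becomes public, so the same classifier run over `aws ec2 describe-route-tables --query RouteTables` output makes a cheap guardrail.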