What I understand from Cloud is that it is something to share computing resources (RAM, CPU, network, etc.) among several virtual instances on that cloud infrastructure (read here).
But in the case of AWS VPC, it has nothing to do with RAM, CPU, etc. It is just something like a VPN, where we create our private network.
So why is it named Virtual Private Cloud?
It's mostly a networking and security model. Classic, which existed before VPC, had very limited control of network and security. VPC gives you control of subnets, network interfaces, and inbound and outbound security rules.
I am able to use VPC + public accessibility with some services, e.g. RDS, but AWS Elasticsearch doesn't provide the option to use both together.
So I am wondering if:
Public accessibility in a VPC is the same as public accessibility without a VPC in terms of security, OR
We are compromising on security when creating a publicly accessible cluster without a VPC. There is an option to restrict access by IP within the Elasticsearch configuration, which can mimic security-group-like protection.
VPC Access
Public Access
Q1.
Using a VPC gives you much more control over public access than not using a VPC. You can use security groups (SGs) and network ACLs, you can monitor traffic using VPC Flow Logs, or set up extra proxies.
Q2.
It does not mimic the behavior of SGs. SGs provide protection before any traffic hits your resources. In contrast, the policies that ES uses take effect only when the traffic actually gets to your ES domain, not before it.
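To make the difference in the answer above concrete, here is an added Terraform example (not code from the original question or answer) that defines the same Elasticsearch domain twice: once inside a VPC behind a security group, once public with the IP-restricted access policy the asker mentions. The VPC, subnet, application security group, account ID, region, domain names and the office CIDR are all assumptions.

```hcl
# Added example, not from the original Q&A. All IDs, names and CIDRs are assumed.

# (a) VPC-only domain: the security group is enforced on the domain's ENIs,
#     so a packet from outside the allowed source never reaches the service.
resource "aws_security_group" "es" {
  name   = "es-domain"
  vpc_id = aws_vpc.main.id                          # assumed VPC

  ingress {
    description     = "HTTPS only from the application tier SG"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]   # assumed app-tier SG
  }
}

resource "aws_elasticsearch_domain" "private" {
  domain_name           = "logs-private"
  elasticsearch_version = "7.10"

  cluster_config {
    instance_type = "t3.small.elasticsearch"
  }
  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  vpc_options {
    subnet_ids         = [aws_subnet.private_a.id]  # assumed private subnet
    security_group_ids = [aws_security_group.es.id]
  }

  # With vpc_options set, the endpoint only has private IPs; an open
  # resource policy therefore still means "anything the SG lets through".
  access_policies = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = "*" }
      Action    = "es:*"
      Resource  = "arn:aws:es:us-east-1:123456789012:domain/logs-private/*"
    }]
  })
}

# (b) Public domain: the only gate is the domain access policy, which the
#     service evaluates after the request has already arrived at the
#     public endpoint. There is no SG, NACL or Flow Log in the path.
resource "aws_elasticsearch_domain" "public" {
  domain_name           = "logs-public"
  elasticsearch_version = "7.10"

  cluster_config {
    instance_type = "t3.small.elasticsearch"
  }
  ebs_options {
    ebs_enabled = true
    volume_size = 10
  }

  access_policies = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Principal = { AWS = "*" }
      Action    = "es:*"
      Resource  = "arn:aws:es:us-east-1:123456789012:domain/logs-public/*"
      Condition = {
        IpAddress = { "aws:SourceIp" = ["203.0.113.0/24"] }  # assumed office range
      }
    }]
  })
}
```

The VPC variant additionally needs the Elasticsearch service-linked role (`aws_iam_service_linked_role` for `es.amazonaws.com`) to exist before the domain is created. Note also that in variant (b) anyone on the internet can still open a TCP connection to the public endpoint and receive a 403; in variant (a) the SYN is dropped at the ENI, and the attempt shows up in VPC Flow Logs as a REJECT.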
From a cost optimization perspective, are there any benefits in deploying web servers in private subnets rather than in public subnets? (behind an Internet-facing ALB)
What would be the pros and cons for the two approaches?
Putting your web servers in private subnets will probably be more expensive (it depends on exactly what the servers do) than putting them in public ones. The reason is that in a private subnet they will not have access to the internet or to any AWS services.
Thus, if they require the use of some external API or access to some AWS services, you will need to use a NAT gateway and/or VPC endpoints, which are not free (except endpoints to S3 and DynamoDB).
But keeping everything in a public subnet is a security risk, and many prefer to keep the servers in private subnets to follow good practices and be more secure rather than cheap.
Short answer: no.
One case where it will be a bit more expensive:
If you need to access the public internet from your server, you will need to pay some money for either a NAT gateway or a NAT instance. NAT gateway vs NAT instance.
When to use a public subnet
You are not planning on using an ALB or autoscaling, and would like to attach an Elastic IP directly to your single instance.
You would like to have access to the internet from your EC2 instance and not pay for NAT.
When to use a private subnet
If you are planning to use an ALB: you should always have one entry point to your application, let it be through a publicly facing ALB, and don't take the risk of allowing direct public access to your service. For SSH or other direct connections, you can set up a bastion host.
Any service that should not be accessible from the public internet is better placed in a private subnet, communicating with other services through the private network, which is faster and cheaper; also, when communicating inside a VPC, you can set up good security groups.
I need to set up a connection between VPCs. My plan was VPC peering, but the customer asks for PrivateLink as they heard it is the secure way. But I am mostly concerned with the performance overhead of PrivateLink. What I understood (maybe wrongly) is that in the PrivateLink architecture there is an extra NLB. Doesn't this introduce latency because of the extra network hop?
VPC peering and PrivateLink serve two different purposes.
VPC peering enables you to connect two VPCs in the same way you would connect two local networks together, or remote networks using a VPN. VPC peering allows network traffic from one VPC to the second VPC. For example, you can SSH from an instance in VPC A into an instance in VPC B.
PrivateLink is used to expose individual services of yours in VPC A to VPC B. But this does not allow free flow of network traffic from VPC A to VPC B. For example, let's say you've developed a very cool application for image segmentation. The application and all its databases and other resources that it requires are in VPC A. Now a friend comes along and he/she would like to use your application. But the friend is in VPC B. Since your application is private and not exposed to the internet, a way for your friend to use the app would be to expose it through PrivateLink. For this you create an NLB in front of your application, and your friend gets a network interface in his VPC B through which he can access your private application in VPC A.
Based on this and your question, there is no clear answer, as the two options are used for different purposes. I would suggest clarifying exactly what your or your customer's requirements are.
But generally, both will be equally fast. The AWS docs write the following about VPC peering:
AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware. There is no single point of failure for communication or a bandwidth bottleneck.
Other examples from the AWS docs are here:
Example: Services Using AWS PrivateLink and VPC Peering
Edit: based on Michael's comment.
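The image-segmentation scenario in the answer above, as an added Terraform example (not code from the original answer): the provider side in VPC A puts an internal NLB in front of the application and publishes it as an endpoint service; the consumer side in VPC B creates an interface endpoint whose ENIs are the only thing VPC B can reach. A peering connection is shown underneath for contrast. Both VPCs, their subnets and route table, the account ID and region are assumptions, and both VPCs are assumed to be in the same account so the example fits one configuration.

```hcl
# Added example, not from the original answer. VPC A/B, subnets, account and region are assumed.

# --- Provider side (VPC A): internal NLB in front of the application ---
resource "aws_lb" "app" {
  name               = "image-seg-nlb"
  load_balancer_type = "network"
  internal           = true                        # never internet-facing
  subnets            = [aws_subnet.a_private.id]   # assumed subnet in VPC A
}

resource "aws_lb_target_group" "app" {
  name     = "image-seg"
  port     = 8080                                  # the app's listening port
  protocol = "TCP"
  vpc_id   = aws_vpc.a.id
}

resource "aws_lb_listener" "app" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

# Endpoint service: only listed principals may request an endpoint, and
# each request waits for explicit acceptance by the provider.
resource "aws_vpc_endpoint_service" "app" {
  acceptance_required        = true
  network_load_balancer_arns = [aws_lb.app.arn]
  allowed_principals         = ["arn:aws:iam::111111111111:root"]  # assumed consumer account
}

# --- Consumer side (VPC B): an interface endpoint ---
# The endpoint creates ENIs in VPC B. Traffic can only go to the NLB
# listener above; nothing else in VPC A is routable from VPC B.
resource "aws_security_group" "endpoint" {
  name   = "image-seg-endpoint"
  vpc_id = aws_vpc.b.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.b.cidr_block]           # who in VPC B may use the service
  }
}

resource "aws_vpc_endpoint" "app" {
  vpc_id             = aws_vpc.b.id
  service_name       = aws_vpc_endpoint_service.app.service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = [aws_subnet.b_private.id]   # assumed subnet in VPC B
  security_group_ids = [aws_security_group.endpoint.id]
}

# --- Contrast: VPC peering makes all of VPC B routable from VPC A ---
# Peering requires non-overlapping CIDRs; PrivateLink does not.
resource "aws_vpc_peering_connection" "a_to_b" {
  vpc_id      = aws_vpc.a.id
  peer_vpc_id = aws_vpc.b.id
  auto_accept = true                               # same account and region only
}

resource "aws_route" "a_to_b" {
  route_table_id            = aws_route_table.a_private.id   # assumed route table
  destination_cidr_block    = aws_vpc.b.cidr_block
  vpc_peering_connection_id = aws_vpc_peering_connection.a_to_b.id
}
```

On the asker's latency concern: the NLB is a layer-4 pass-through and the endpoint ENIs are in the consumer's own subnet, so the path is one load-balancer hop inside the AWS network, not a trip through the internet. What PrivateLink buys is the narrow exposure: the consumer sees one service address, the provider never has to carry routes for the consumer's CIDR, and the source addresses the application sees are those of the NLB (use proxy protocol on the target group if the original client IP is needed).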
Why can't we implement multiple network interfaces on a single VPC (which has multiple subnets) in GCP, whereas it is possible in AWS and Azure?
I came across a problem where I had to implement multiple network interfaces in GCP. But in my case, all the subnets were present in a single VPC network. I read the GCP documentation and got to know that in GCP it is not possible to have multiple network interfaces in a single VPC network; in order to implement multiple network interfaces, all the subnets must be in different VPC networks, whereas it's completely the opposite in AWS and Azure.
In AWS, all network interfaces must be in the same VPC, and you cannot attach a network interface from another VPC network.
In Azure vNet, all network interfaces must be in the same vNet, and you cannot attach a network interface from another vNet.
Of course, VPC in Google Cloud is a little different from AWS; as an example, Azure vNets and AWS VPCs are regional in nature, whereas in GCP they are global in nature. And there are several other differences as well.
I was just curious to know about this limitation in GCP that I ran into.
Your assumption is wrong. You cannot attach more than one network interface to the same subnet, but you can to different subnets in the same VPC.
Google Cloud and AWS have different implementations of a VPC. In GCP, VPCs are associated with projects. What's confusing me is that in a GCP project you can have two different VPCs but with the same subnet CIDR. If anyone has any resource which can clear my doubts, please share.
In GCP, two VPC networks in the same project must have different names, so they are distinguishable and completely independent/isolated. VMs in one VPC network have to go through external IP addresses to talk to VMs in the other VPC network. Or you can connect them through VPC Peering, so that they can talk to each other through internal IPs. See:
GCP - VPC Network Overview.
GCP - VPC Network Peering
A feature you can use in this case is VPC Network Peering; this function allows internal IP address connectivity across two Virtual Private Cloud (VPC) networks regardless of whether they belong to the same project or the same organization.
VPC Network Peering enables you to connect VPC networks so that workloads in different VPC networks can communicate internally. Traffic stays within Google's network and doesn't traverse the public internet.
VPC Network Peering gives you several advantages over using external IP addresses or VPNs to connect networks, including network latency, network security and network cost.
For information about Peering and VPC, see:
VPC: https://cloud.google.com/vpc/docs/vpc
Peering: https://cloud.google.com/vpc/docs/vpc-peering
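The two GCP threads above fit in one added Terraform example (not code from any of the posts): a VM with two network interfaces, which GCP only allows when each interface is in a different VPC network (the situation the first asker describes), and the VPC Network Peering the later answers recommend for internal-IP connectivity between those networks. The project, region, zone, image, names, CIDRs and the port opened by the firewall rule are assumptions.

```hcl
# Added example, not from the original posts. Project, region, names and CIDRs are assumed.

resource "google_compute_network" "frontend" {
  name                    = "frontend-net"
  auto_create_subnetworks = false
}

resource "google_compute_network" "backend" {
  name                    = "backend-net"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "frontend" {
  name          = "frontend-subnet"
  region        = "us-central1"
  network       = google_compute_network.frontend.id
  ip_cidr_range = "10.10.0.0/24"
}

resource "google_compute_subnetwork" "backend" {
  name          = "backend-subnet"
  region        = "us-central1"
  network       = google_compute_network.backend.id
  ip_cidr_range = "10.20.0.0/24"   # must not overlap the peer's ranges or peering fails
}

# Multi-NIC VM: nic0 in frontend-net, nic1 in backend-net. Each interface
# must be in a different VPC network; two subnets of one network would be
# rejected. The interface count is fixed at creation time.
resource "google_compute_instance" "gateway" {
  name         = "dual-nic-gw"
  machine_type = "e2-medium"
  zone         = "us-central1-a"

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-12"
    }
  }

  network_interface {
    subnetwork = google_compute_subnetwork.frontend.id
    # no access_config block: no external IP on this interface
  }

  network_interface {
    subnetwork = google_compute_subnetwork.backend.id
  }
}

# Peering must be declared on both networks; it is inactive until both
# sides exist. Subnet routes are exchanged, firewall rules are not.
resource "google_compute_network_peering" "frontend_to_backend" {
  name         = "frontend-to-backend"
  network      = google_compute_network.frontend.id
  peer_network = google_compute_network.backend.id
}

resource "google_compute_network_peering" "backend_to_frontend" {
  name         = "backend-to-frontend"
  network      = google_compute_network.backend.id
  peer_network = google_compute_network.frontend.id
}

# Because rules are per network, backend-net still needs an explicit
# ingress allow for traffic arriving from the frontend range over peering.
resource "google_compute_firewall" "allow_frontend_to_backend" {
  name          = "allow-frontend-to-backend"
  network       = google_compute_network.backend.id
  direction     = "INGRESS"
  source_ranges = [google_compute_subnetwork.frontend.ip_cidr_range]
  allow {
    protocol = "tcp"
    ports    = ["8080"]   # assumed backend service port
  }
}
```

Two practical points follow from this layout. First, the two networks can reuse the same CIDR (the second asker's confusion) only as long as they are not peered; peering requires non-overlapping subnet ranges across both networks. Second, on the dual-NIC VM the guest's default route uses nic0, so replies to traffic that arrived on nic1 need policy routing inside the guest; peering avoids that problem entirely for the ordinary case where you just want VMs in the two networks to reach each other.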