Every device connected to the Internet needs an identifier. Internet Protocol (IP) addresses are the numerical addresses used to identify a particular piece of hardware connected to the Internet. The two most common versions are Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). Some IP addresses are reserved (e.g. for private networks).
IP addresses (for IPv4 and IPv6) are divided into two parts: a network address part and a host address part.
For example, you might have an IP address like:
192.168.0.27
The boundary between the network address part and the host address part is determined by the IP address class and the netmask (also called the subnet mask).
IP addresses are assigned to networks in blocks of different sizes. The size of the ‘block’ assigned is written after an oblique (/). For example, a /16 means 64,000 IPv4 addresses and a /26 means 64 IPv4 addresses. The lower the number after the oblique, the more addresses are contained in that ‘block’.
Address format   Difference to last address   Mask              Addresses (dec)   2^n    Typical use
a.b.c.d/32       +0.0.0.0                     255.255.255.255   1                 2^0    Host route
a.b.c.d/31       +0.0.0.1                     255.255.255.254   2                 2^1    Point-to-point links (RFC 3021)
a.b.c.d/30       +0.0.0.3                     255.255.255.252   4                 2^2    Point-to-point links (glue network)
a.b.c.d/29       +0.0.0.7                     255.255.255.248   8                 2^3    Smallest multi-host network
a.b.c.d/28       +0.0.0.15                    255.255.255.240   16                2^4    Small LAN
a.b.c.d/27       +0.0.0.31                    255.255.255.224   32                2^5
a.b.c.d/26       +0.0.0.63                    255.255.255.192   64                2^6
a.b.c.d/25       +0.0.0.127                   255.255.255.128   128               2^7    Large LAN
a.b.c.0/24       +0.0.0.255                   255.255.255.0     256               2^8
a.b.c.0/23       +0.0.1.255                   255.255.254.0     512               2^9
a.b.c.0/22       +0.0.3.255                   255.255.252.0     1,024             2^10   Small business
a.b.c.0/21       +0.0.7.255                   255.255.248.0     2,048             2^11   Small ISP / large business
a.b.c.0/20       +0.0.15.255                  255.255.240.0     4,096             2^12
a.b.c.0/19       +0.0.31.255                  255.255.224.0     8,192             2^13   ISP / large business
a.b.c.0/18       +0.0.63.255                  255.255.192.0     16,384            2^14
a.b.c.0/17       +0.0.127.255                 255.255.128.0     32,768            2^15
a.b.0.0/16       +0.0.255.255                 255.255.0.0       65,536            2^16
a.b.0.0/15       +0.1.255.255                 255.254.0.0       131,072           2^17
a.b.0.0/14       +0.3.255.255                 255.252.0.0       262,144           2^18
a.b.0.0/13       +0.7.255.255                 255.248.0.0       524,288           2^19
a.b.0.0/12       +0.15.255.255                255.240.0.0       1,048,576         2^20
a.b.0.0/11       +0.31.255.255                255.224.0.0       2,097,152         2^21
a.b.0.0/10       +0.63.255.255                255.192.0.0       4,194,304         2^22
a.b.0.0/9        +0.127.255.255               255.128.0.0       8,388,608         2^23
a.0.0.0/8        +0.255.255.255               255.0.0.0         16,777,216        2^24   Largest IANA block allocation
a.0.0.0/7        +1.255.255.255               254.0.0.0         33,554,432        2^25
a.0.0.0/6        +3.255.255.255               252.0.0.0         67,108,864        2^26
a.0.0.0/5        +7.255.255.255               248.0.0.0         134,217,728       2^27
a.0.0.0/4        +15.255.255.255              240.0.0.0         268,435,456       2^28
a.0.0.0/3        +31.255.255.255              224.0.0.0         536,870,912       2^29
a.0.0.0/2        +63.255.255.255              192.0.0.0         1,073,741,824     2^30
a.0.0.0/1        +127.255.255.255             128.0.0.0         2,147,483,648     2^31
0.0.0.0/0        +255.255.255.255             0.0.0.0           4,294,967,296     2^32
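The arithmetic behind the table above, as an added example that is not part of the original page: the mask, block size, last address and the "difference to last address" column are computed by hand on 32-bit integers and then cross-checked against Python's standard-library ipaddress module.

```python
# Added example (not from the original page): the arithmetic behind the
# CIDR table, done by hand on 32-bit integers and cross-checked
# against the standard-library ipaddress module.
import ipaddress


def cidr_info(cidr: str) -> dict:
    """Return mask, size, first/last address and the 'difference to last
    address' for an IPv4 CIDR such as '192.168.0.27/26'."""
    addr_str, prefix_str = cidr.split("/")
    prefix = int(prefix_str)
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    octets = [int(o) for o in addr_str.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr_str}")
    addr = 0
    for o in octets:                 # pack dotted quad into one 32-bit int
        addr = (addr << 8) | o
    # the mask has `prefix` leading 1-bits; /0 is all zeros
    mask = ((1 << prefix) - 1) << (32 - prefix) if prefix else 0
    host_bits = 32 - prefix
    size = 1 << host_bits            # the 2^n column
    network = addr & mask            # host bits cleared
    last = network | (size - 1)      # host bits all ones
    return {
        "network": _to_dotted(network),
        "mask": _to_dotted(mask),
        "size": size,
        "host_bits": host_bits,
        "last": _to_dotted(last),
        "difference_to_last": _to_dotted(size - 1),   # the '+x.x.x.x' column
        "is_network_address": addr == network,
    }


def _to_dotted(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def same_as_stdlib(cidr: str) -> bool:
    """Cross-check against ipaddress (strict=False allows host bits to be set)."""
    info = cidr_info(cidr)
    net = ipaddress.ip_network(cidr, strict=False)
    return (info["network"] == str(net.network_address)
            and info["mask"] == str(net.netmask)
            and info["size"] == net.num_addresses
            and info["last"] == str(net.broadcast_address))


if __name__ == "__main__":
    for c in ("192.168.0.27/26", "10.0.0.0/16", "0.0.0.0/0"):
        print(c, cidr_info(c), same_as_stdlib(c))
```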
You will often see IP addresses used in a Virtual Private Cloud (VPC), e.g. Amazon VPC, which lets you launch AWS resources into a virtual network that you have defined; think of it as a virtual network that is isolated from other virtual networks. With VPCs, we will get into:
IAM (Identity and Access Management) has identity-based policies where you can allow or deny actions.
A subnet is a range of IP Addresses in your VPC. You can launch AWS resources (e.g. an EC2 instance) into a specified subnet. Each subnet needs to reside in one availability zone (cannot span zones). A public subnet is used for resources that must be connected to the Internet. A private subnet is used for resources that won’t be connected to the Internet. A private subnet does not have a route table entry that points to an internet gateway.
For AWS, each subnet has to reside entirely within one Availability Zone and cannot span zones. You also need to choose a CIDR block for each public or private subnet.
You can optionally add subnets in a Local Zone, an AWS infrastructure deployment that places compute, storage, database, and other services closer to your end users.
When you create a VPC, you have to specify a range of IPv4 addresses for the VPC in the form of a Classless Inter-Domain Routing (CIDR) block. This might look like 10.0.0.0/16. You can also assign an IPv6 CIDR block to your VPC if you are using IPv6 addresses.
Your VPC works with route tables, which enable routing within the VPC. Each route specifies a destination (a CIDR block) and a target.
VPC with 1 CIDR block:
  Region = us-west-2
  VPC = 10.0.0.0/16
  Subnet 1 = 10.0.0.0/17
  Subnet 2 = 10.0.128.0/17
  Main Route Table:
    Destination    Target
    10.0.0.0/16    local
VPC with 2 CIDR blocks:
  Region = us-west-2
  VPC = 10.0.0.0/16 (primary CIDR)
  VPC = 10.2.0.0/16 (secondary CIDR)
  Subnet 1 = 10.0.0.0/17
  Subnet 2 = 10.0.128.0/17
  Subnet 3 = 10.2.0.0/17
  Main Route Table:
    Destination    Target
    10.0.0.0/16    local
    10.2.0.0/16    local
There are a few rules for adding a CIDR block to your VPC, see here.
Security groups act as the firewall for, say, AWS EC2 instances: they control both inbound and outbound traffic at the instance level.
When you create a VPC, it has a default security group. You can create additional security groups for each VPC. You can associate a security group only with resources in that VPC.
There are two ways to configure AWS security groups in Terraform. You can define the rules inline in an aws_security_group resource, or as separate aws_security_group_rule resources.
Example inline aws_security_group:
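A consistency check for layouts like the two above, as an added example that is not from the original page. It uses Python's standard-library ipaddress module to verify what the examples imply: every subnet sits inside one of the VPC's CIDR blocks, subnets do not overlap each other, the VPC's own CIDR blocks do not overlap, and each VPC CIDR has a local route. The full AWS rules for associating a secondary CIDR are not reproduced here.

```python
# Added example (not from the original page): sanity-check a VPC layout
# with the standard-library ipaddress module. AWS's full CIDR-association
# rules are not reproduced; only the properties the layouts above imply.
import ipaddress
from itertools import combinations


def check_vpc_layout(vpc_cidrs, subnets, route_table):
    """Return a list of problems (an empty list means the layout is consistent).

    vpc_cidrs:   list of CIDR strings (primary first, then secondaries)
    subnets:     dict of subnet name -> CIDR string
    route_table: list of (destination CIDR, target) tuples
    """
    problems = []
    vpcs = [ipaddress.ip_network(c) for c in vpc_cidrs]
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    # 1. every subnet must sit entirely inside one of the VPC's CIDR blocks
    for name, net in nets.items():
        if not any(net.subnet_of(v) for v in vpcs):
            problems.append(f"{name} {net} is not inside any VPC CIDR")
    # 2. subnets within a VPC may not overlap each other
    for (n1, a), (n2, b) in combinations(nets.items(), 2):
        if a.overlaps(b):
            problems.append(f"{n1} {a} overlaps {n2} {b}")
    # 3. the VPC's own CIDR blocks must not overlap each other
    for a, b in combinations(vpcs, 2):
        if a.overlaps(b):
            problems.append(f"VPC CIDRs {a} and {b} overlap")
    # 4. each VPC CIDR needs a 'local' route so intra-VPC traffic is routable
    local_routes = {ipaddress.ip_network(d) for d, t in route_table if t == "local"}
    for v in vpcs:
        if v not in local_routes:
            problems.append(f"no local route for VPC CIDR {v}")
    return problems


if __name__ == "__main__":
    # the 'VPC with 2 CIDR blocks' layout from above, as constructed input
    print(check_vpc_layout(
        ["10.0.0.0/16", "10.2.0.0/16"],
        {"Subnet 1": "10.0.0.0/17", "Subnet 2": "10.0.128.0/17",
         "Subnet 3": "10.2.0.0/17"},
        [("10.0.0.0/16", "local"), ("10.2.0.0/16", "local")]))
```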
  resource "aws_security_group" "allow_all" {
    name        = "allow_all"
    description = "Allow all inbound traffic"

    # protocol "-1" means every protocol; 0.0.0.0/0 is every IPv4 address
    ingress {
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = ["0.0.0.0/0"]
    }

    egress {
      from_port   = 0
      to_port     = 0
      protocol    = "-1"
      cidr_blocks = ["0.0.0.0/0"]
    }
  }
Here’s the same rule as an external rule using aws_security_group_rule:
  resource "aws_security_group" "allow_all" {
    name        = "allow_all"
    description = "Allow all inbound traffic"
  }

  # protocol is a string: "-1" means every protocol
  resource "aws_security_group_rule" "ingress" {
    type              = "ingress"
    from_port         = 0
    to_port           = 0
    protocol          = "-1"
    cidr_blocks       = ["0.0.0.0/0"]
    security_group_id = aws_security_group.allow_all.id
  }

  resource "aws_security_group_rule" "egress" {
    type              = "egress"
    from_port         = 0
    to_port           = 0
    protocol          = "-1"
    cidr_blocks       = ["0.0.0.0/0"]
    security_group_id = aws_security_group.allow_all.id
  }
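An audit check for rules like the allow_all group above, as an added example that is not from the original page or the Terraform provider. Rules are plain dicts using the same field names as the Terraform resources (type, from_port, to_port, protocol, cidr_blocks); the list of sensitive ports is an assumed local policy, not an AWS rule.

```python
# Added example (not from the original page or the Terraform provider):
# flag security group rules that are open to the whole internet.
# SENSITIVE_PORTS is an assumed policy for illustration, not an AWS rule.
ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres"}


def rule_covers_port(rule, port):
    """True if the rule's port range includes `port`; protocol -1 covers all."""
    if str(rule["protocol"]) == "-1":
        return True
    return rule["from_port"] <= port <= rule["to_port"]


def audit_rules(rules):
    """Return (severity, message) findings for rules reachable from anywhere.

    Ingress from 0.0.0.0/0 or ::/0 is flagged by what it exposes; egress to
    the internet is reported at low severity so it is reviewed, not blocked.
    """
    findings = []
    for r in rules:
        cidrs = r.get("cidr_blocks", []) + r.get("ipv6_cidr_blocks", [])
        open_cidrs = [c for c in cidrs if c in (ANY_IPV4, ANY_IPV6)]
        if not open_cidrs:
            continue                      # scoped to specific ranges: fine
        if r["type"] == "egress":
            findings.append(("low", f"egress to {open_cidrs} allowed"))
        elif str(r["protocol"]) == "-1":
            findings.append(("high", f"ingress: all protocols and ports open to {open_cidrs}"))
        else:
            hit = [n for p, n in SENSITIVE_PORTS.items() if rule_covers_port(r, p)]
            if hit:
                findings.append(("high", f"ingress: {', '.join(hit)} open to {open_cidrs}"))
            else:
                findings.append(("medium", f"ingress: ports {r['from_port']}-{r['to_port']}"
                                           f"/{r['protocol']} open to {open_cidrs}"))
    return findings


if __name__ == "__main__":
    # the allow_all rules from the Terraform above, as constructed input
    allow_all = [
        {"type": "ingress", "from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": [ANY_IPV4]},
        {"type": "egress", "from_port": 0, "to_port": 0, "protocol": "-1", "cidr_blocks": [ANY_IPV4]},
    ]
    for severity, msg in audit_rules(allow_all):
        print(severity, msg)
```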
Network Access Control Lists (ACLs) are a network-level counterpart to security groups: a network ACL acts as a firewall for a subnet, controlling inbound and outbound traffic at the subnet level. Your VPC will have a default network ACL that allows all inbound and outbound traffic (IPv4 and IPv6).
In AWS, Flow Logs capture information about the IP traffic going to and from the network interfaces in your VPC. These logs are published to CloudWatch Logs or S3.
An internet gateway is a VPC component that allows communication between instances in your VPC and the internet. An internet gateway has two purposes:
A NAT device enables instances in a private subnet to connect to the internet while preventing the internet from initiating connections with those instances. There are two types of NAT device: a NAT gateway or a NAT instance.
A NAT gateway (NAT stands for network address translation) enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances.
To create a NAT gateway, we have to specify the public subnet where the NAT gateway resides as well as an elastic IP address to associate with the NAT gateway. After you create your NAT gateway, you have to update the route table associated with one or more of your private subnets to point Internet-bound traffic to the NAT gateway (which will enable instances in your private subnets to communicate with the Internet).
In summary, a NAT gateway lets your EC2 instances in private subnets send outbound traffic to the internet, but resources on the internet cannot establish a connection with your instance (e.g. your EC2).
Domain Name System (DNS) is how names are resolved to their corresponding IP Address. It’s made up of a host name and a domain name.
In AWS, an Elastic Network Interface (aka network interface) is a logical networking component in a VPC that represents a virtual network card. You create and configure network interfaces and attach them to instances in your VPC.
A requester-managed network interface is a network interface that an AWS service creates in your VPC. This network interface can represent an instance for another service (e.g. an AWS RDS instance).