In this article I have tried to explain the concepts of a VPC from a layperson's point of view, because not everyone understands networking concepts and jargon at the beginning stage of learning. I went through the same while learning, so I started relating the concepts to real-life analogies so that they stay in mind longer. This article may help absolute beginners, people who are not from a technical background, or fresh graduates to understand the VPC better.
Imagine you have a 3-bedroom rental flat in a multi-storey apartment building with gated security. Let's assume the following mapping between the aspects of a flat and the VPC components for the rest of the article:
Multi-Storey apartment building - Region
Each Apartment Floor - Availability Zone
Individual Flat - VPC
Rooms - Subnets
Main door of Apartment building - Internet Gateway
Doors in a flat - Route Tables
Building Security System - NACL
Now, let's look at the VPC components one by one and compare each with the layperson's example.
Component: Region
AWS: In AWS, a region is a separate geographical area in which AWS hosts its data centers.
Apartment: Let's assume the entire multi-storey apartment building is a Region, with many floors and multiple flats on each floor.
Component: Availability Zone
AWS: In AWS, an availability zone is an isolated location within a region. One region can have multiple availability zones.
Apartment: A multi-storey apartment building has many floors. Each floor in the building can be compared with an availability zone.
Component: Virtual Private Cloud (VPC)
AWS: In AWS, a VPC is a virtual cloud space provided by Amazon. Your VPC is a logically isolated section of the AWS cloud, allocated to you with an IP range that you choose, in which you launch AWS resources. Companies go for a VPC when they do not want to invest in buying physical infrastructure, as the cost may be huge and may not align with their policies.
Apartment: Each flat in a multi-storey building can be compared with a VPC. A flat is a private portion of the building, allocated to you by the owner so that you can use the premises for living and use the infrastructure or facilities provided (power, water, gas, etc.).
You would go for a rental flat when you do not want to invest in buying a flat of your own, as that may not align with your financial goals.
Component: Subnet
AWS: In AWS, a VPC can be further divided into logical subnets. A subnet is a smaller logical section within a VPC with defined boundaries (an IP range). Each subnet's IP range must fall within the main IP range provided when creating the VPC.
Public Subnet: A subnet is called a public subnet when its associated route table has a route out to an Internet Gateway. Instances in this subnet can reach the internet.
Private Subnet: A subnet is called a private subnet when its associated route table has NO route out to an Internet Gateway. This route table only has the local route. Instances in this subnet can communicate only with resources within the VPC.
Apartment: A subnet can be compared to a room in the flat. Each room has a defined boundary (area) within the flat. A room can be a living room, a guest room or a bedroom, and the privacy level is defined by the type or use of the room.
In this diagram, the living room (highlighted in RED) can be compared to a public subnet. The living room has the main door that leads to the apartment building's main entrance and outside the estate.
A private subnet can be compared with your private room (highlighted in GREEN). It can be a locker room or a bedroom that does NOT have direct access to the main door of the apartment building. This room has direct access only to the lounge and dining area.
Component: Internet Gateway
AWS: This is the gateway that allows resources within a VPC to interact with external or internet-based resources outside the VPC.
Apartment: The main entrance of the apartment building can be compared with the Internet Gateway, as this is the way through which people living in the building go outside the premises.
Component: Route Table
AWS: A route table defines how resources in a subnet communicate with other resources within the VPC or outside the VPC (i.e. the internet).
The route table determines whether a particular subnet is public or private, and outbound traffic is directed according to the entries in the route table.
Apartment: Think of the doors of each room as route tables, because only through these doors can you go to other rooms or outside the flat. In this diagram, the doors of each room (highlighted in yellow) lead to the living room, dining room, kitchen, etc. However, the door at the entrance of the flat (highlighted in red) leads to the main door of the apartment building, through which one can reach the main entrance.
We have assumed the living room is the public subnet, as it has the door leading to the building's main entrance, which we assumed is the Internet Gateway.
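As an added example (not part of the original article), the following Python script models the two rules described above: a subnet's IP range must sit inside the VPC's range, and a subnet is public only when its route table carries a route to an Internet Gateway. All CIDRs, subnet names and the igw-EXAMPLE target are constructed placeholders.

```python
import ipaddress

# Constructed sample layout (not a real account): one VPC, three subnets,
# two route tables. The target "igw-EXAMPLE" is a placeholder.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "living-room": "10.0.1.0/24",  # intended to be public
    "bedroom": "10.0.2.0/24",      # intended to be private
    "garage": "10.1.0.0/24",       # mistake: not inside the VPC range
}
# A route table is a list of (destination, target); "local" is the implicit VPC route.
ROUTE_TABLES = {
    "rt-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")],
    "rt-private": [("10.0.0.0/16", "local")],
}
ASSOCIATIONS = {"living-room": "rt-public", "bedroom": "rt-private", "garage": "rt-private"}


def subnet_fits_vpc(subnet_cidr, vpc_cidr=VPC_CIDR):
    """A subnet's range must lie entirely inside the VPC's range."""
    return ipaddress.ip_network(subnet_cidr).subnet_of(ipaddress.ip_network(vpc_cidr))


def is_public(route_table):
    """Public means the route table has a route whose target is an Internet Gateway."""
    return any(target.startswith("igw-") for _dest, target in route_table)


def classify(subnets=SUBNETS, route_tables=ROUTE_TABLES, associations=ASSOCIATIONS):
    """Return a verdict per subnet: 'public', 'private' or 'invalid: ...'."""
    verdicts = {}
    for name, cidr in subnets.items():
        if not subnet_fits_vpc(cidr):
            verdicts[name] = "invalid: outside VPC range"
            continue
        verdicts[name] = "public" if is_public(route_tables[associations[name]]) else "private"
    return verdicts


if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name}: {verdict}")
```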
Component: Security Group
AWS: A security group acts as a virtual firewall for your instance, controlling inbound and outbound traffic. It defines who can reach your instance and what your instance can reach.
Apartment: This is the security aspect of individual resources in your flat. Take the example of a home laptop. You may allow only the adult members of the family to use it, plus technicians (outside people) for any repair work. You may also copy some important documents from the laptop to take outside.
Component: Network Access Control Lists (NACLs)
AWS: A network access control list (NACL) is an additional layer of security for your VPC that acts as a firewall controlling traffic in and out of your subnets. NACLs operate at the subnet level in a VPC. Each subnet in your VPC must be associated with a network ACL; if you don't explicitly associate a subnet with one, it is automatically associated with the default network ACL.
Apartment: NACLs can be compared with the additional security system on some rooms. You can restrict access to certain rooms, like the boiler room or electrical room, with an additional security system so that they are not accessible to every member of the family. If you put a video door phone or camera doorbell instead of just a calling bell at your main door, that is additional security to restrict access to only known people.
I hope one can easily understand the VPC concepts now. Kindly provide your feedback on this topic.
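As an added example (not part of the original article) covering both the security group and the NACL sections, this Python model goes one step beyond the text: security groups are stateful (the reply to an allowed request passes automatically) while NACLs are stateless (every packet, including the reply, must match a numbered rule on its own). The rule sets and ports are constructed for illustration; a NACL that allows inbound HTTPS but has no outbound allow for the reply silently drops the response.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" = towards the instance, "out" = leaving it
    proto: str
    dst_port: int
    src_port: int


# Constructed rule sets. SG rules are allow-only (protocol, port); NACL rules are
# (number, protocol, port, action), where protocol "*" and port 0 mean "any".
SG_INBOUND = [("tcp", 443)]
SG_OUTBOUND = []  # no explicit outbound allow
NACL_INBOUND = [(100, "tcp", 443, "allow"), (32767, "*", 0, "deny")]
NACL_OUTBOUND = [(32767, "*", 0, "deny")]  # no allow for reply traffic


def sg_allows(pkt, flows):
    """Stateful: a reply to an already-allowed flow passes without its own rule."""
    if (pkt.proto, pkt.src_port) in flows:  # reply sourced from an allowed port
        return True
    rules = SG_INBOUND if pkt.direction == "in" else SG_OUTBOUND
    if (pkt.proto, pkt.dst_port) in rules:
        flows.add((pkt.proto, pkt.dst_port))  # remember the flow for its reply
        return True
    return False


def nacl_allows(pkt):
    """Stateless: each packet is matched against the rules, lowest number first."""
    rules = NACL_INBOUND if pkt.direction == "in" else NACL_OUTBOUND
    for _num, proto, port, action in sorted(rules):
        if proto in ("*", pkt.proto) and port in (0, pkt.dst_port):
            return action == "allow"
    return False  # implicit deny when nothing matches


def https_exchange():
    """A client on ephemeral port 50000 sends a request to 443; the instance replies."""
    request = Packet("in", "tcp", dst_port=443, src_port=50000)
    reply = Packet("out", "tcp", dst_port=50000, src_port=443)
    flows = set()
    return {
        "security_group": (sg_allows(request, flows), sg_allows(reply, flows)),
        "nacl": (nacl_allows(request), nacl_allows(reply)),
    }


if __name__ == "__main__":
    print(https_exchange())
```

The model ignores source/destination addresses and uses a single port pair as the flow key, which is enough to show why the NACL needs an outbound rule for ephemeral ports while the security group does not.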