AWS Networking Tips
June 16, 2022
Summarized tips/info on AWS Networking.
Use Cases & Setups
- Setting up internet access
  - The internet is not part of your VPC (Virtual Private Cloud), so by default a custom VPC has no internet access until you add it.
  - Setup: public IP (public subnet) + Internet Gateway + route table entry pointing to the Internet Gateway
- Public subnet
  - Services deployed here can have public IPs, meaning they are reachable from the internet.
  - To allow internet traffic, add an Internet Gateway.
- Private subnet
  - Services deployed here only have private IPs, meaning they are not reachable from the internet and are only accessible within the VPC. This also means you cannot connect from your local machine to the service (unless you are on the same network, which can be configured through AWS Site-to-Site VPN or AWS Direct Connect).
  - To get outbound-only internet access, add a NAT Gateway.
- SGs (security groups)
  - Create an SG for each service and use SGs as the source in rules to allow one service to talk to another, as opposed to using CIDR rules (e.g. if the container SG allows the load balancer SG as a source, then the load balancer can talk to the containers).
- NACLs (network ACLs)
  - NACLs operate at the subnet level and are meant for coarse-grained access control. Generally, NACLs should be short, and most configuration of IPs, ports and such should live in SGs.
  - Beginner guidance: don't configure NACLs; leave the NACL open and use SGs (along with correctly choosing between private and public subnets) to configure security.
- Whitelisting your home IP
  - The best way to connect from a local machine to private services in AWS is AWS Site-to-Site VPN or AWS Direct Connect; both bridge your own network with your VPC. If that is too much work, a quick solution is to deploy the service in a public subnet but use an SG to restrict access to only your network (home router).
  - To do this, find the public IP address of your router (search "what is my IP address" on Google) and whitelist that IP address in your SG.
  - Note that your router's public IP may change from time to time, so you will have to update your SG accordingly.
- Default vs. custom VPC
  - Do not use the default VPC for production services; create a custom VPC. The default VPC is meant for easy use while learning AWS: it uses public subnets, auto-assigns public IP addresses to any instances launched in it, has open NACLs, and has open access to and from the internet. When running production architecture you should be mindful of your security configuration, so a custom VPC is best.
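The internet-access setup (public subnet + Internet Gateway + route), the SG-as-source rule and the home-IP whitelist from the tips above, written out as Terraform. This is an added example, not from the original post; the resource names, CIDR ranges, ports and the home_ip variable are placeholders assumed for illustration.

```hcl
# Added example; resource names, CIDRs, ports and home_ip are placeholders.
variable "home_ip" {}  # your router's current public IPv4 address

resource "aws_vpc" "example" {
  cidr_block = "10.0.0.0/16"
}
# Public subnet: instances receive a public IP at launch
resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.example.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true
}
# Internet Gateway attached to the VPC
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.example.id
}
# Route table entry: default route to the Internet Gateway
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.example.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}
# Load balancer SG: only the whitelisted home IP may reach port 443
resource "aws_security_group" "lb" {
  vpc_id = aws_vpc.example.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["${var.home_ip}/32"]
  }
}
# Container SG: the source is the load balancer SG, not a CIDR range
resource "aws_security_group" "container" {
  vpc_id = aws_vpc.example.id
  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [aws_security_group.lb.id]
  }
}
```

Terraform's aws_security_group resource removes AWS's default allow-all egress rule unless you declare an egress block, so add one if the services need outbound access. When your router's public IP changes, only the home_ip value needs updating.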
More Reading:
- Home IP address changing