EMAIL SUPPORT
dclessons@dclessons.comLOCATION
USAWS VPC Control Plane & Data Plane
Amazon Virtual Private Cloud
AWS VPC called as Virtual Private Network is just another virtual DC hosted in Cloud Environment in different AWS regions.
In AWS, each Region consist of various Availability Zones, which are isolated locations and has one or More Data centers.
VPC spans over multiple AZ in one region, but it will span between multiple regions. Each VPC will have a CIDR (IP address range) attached to it and from this CIDR, we will be allocating Subnets to our VPC. The CIDR range is local to VPC and can overlap with other VPC, but if we are configuring VPC peering, we need to have unique CIDR range per VPC. When we allocated Subnets from CIDR, these subnets should be AZ Specific.
The Subnets which will be created in VPC, are categorized as public and private Subnets. Public subnets are those subnets which has route to Internet GW and all public facing services like Web servers, Internet gateway, NAT gateway etc are part of public subnet.
Private Subnets are those subnets in which all your APP servers, Database, which does not have direct internet connectivity and EC2 instance present in Private Subnet will get access to Internet via NAT gateway. For EC2 instance to have internet connection from private subnet, we must add route in Private subnet routing table pointing towards NAT GW.
The communication between EC2 Instance present in public subnet and private Subnet in particular VPC, will happen via VPC main route table.
Each VPC once created, also has a default NACL (network Access Control List) and is bind to all subnets in that VPC. We must allow for Inbound as well as outbound rule for inbound and outbound traffic specifically, because NACL are Stateless in nature. By Default, NACL allow all inbound and outbound traffic.
AWS Control Plane & Data Plane Function:
AWS Control Plane works when two EC2 instance initiates TCP session between them for communication.
Here Two EC2 instance are launched in two different host and in two different AZ. Each Physical Host having Nitro card for VPC , which is responsible for routing data packets and its encapsulation and decapsulation. Security Groups are also implemented in hardware Nitro card for VPC.
AWS Control Plane functioning depends on Mapping Service system. In Control Plane , Physical network switches are responsible for underlay network routing , advertisement of MAC/IP information to Mapping Services , Routing info to each physical host.
Mapping Register:
As soon as EC2 instance is launched, it will inform this information to Mapping Service database. Also, each physical host will also cache its EC2 MAC/IP information locally.
Once information is send to mapping Service, Mapping Service keeps following information in its database table :
- EC2 Instance MAC/IP address bind to ENI
- Virtual Network identifier which is VPC
- Physical host IP on which EC2 Instance was launched
- Encapsulation Mode
Refer below figure for VPC Control plane operation: mapping register
Comment
TABLE OF CONTENTS
- LAB: Create a Custom VPC & test reachability between EC2 via Internet GW and NAT GW.
- LAB: Configure EC2 as VPN Server for Open VPN Connection
- LAB: Configure AWS Site to Site VPN Connection
- LAB: Configure Network Loadbalancer
- LAB : Configure Transit Gateway with Segmentation
- LAB :Configure Transit Gateway Peering between Two VPC
- LAB: Configure VPC Peering between Two VPC
- LAB : Configure VPC Endpoint to access S3
- LAB: Configure End to End VPC Endpoint Service
- LAB : Create VPC Flow Logs and Generate Traffic
- LAB : Configure WAF to block Web traffic
RECENT POSTS
- What is Docker and Why is It Important?
- Learn Python 3.0 Programming for Network Automation
- Cisco ACI Data Centre: A Comprehensive Overview
- How to Prepare for the Microsoft Azure AZ-305 Exam
- AWS Training Certification Course for Solutions Architect
- Cisco SASE Architecture
- SASE vs SD-WAN
- What is SASE
- Accessing Amazon S3 using AWS private Link in Secure hybrid method.
- Cisco Smart Licensing Policy
LEAVE A COMMENT
Please login here to comment.