Why Do Network Engineers Need To Have An Accurate Knowledge Of VPC?
When You Decide To Work As A Network Engineer In A Company That Provides Network And Cloud Infrastructure Services, You Should Be Familiar With Terms Such As MPLS WAN, VRF, SD-WAN And Specialized Vocabulary In Your Field To Be Able To Perform Tasks In The Best Way.
One of the most critical and severe topics in networking is the Virtual Private Cloud (VPC), the availability and redundancy of data centers.
If you are familiar with the definition of acronyms such as BGP, ECMP, ACL, VIP, and NIC, then you should be familiar with the two essential concepts of virtual private cloud and access area.
What is a virtual private cloud?
A virtual private cloud is a collection of subnets containing a Classless Inter-Domain Routing (CIDR) block that runs in a single geographic area called a region and with multiple data centers through the access area.
A VPC is similar to a virtual data center, except it is physically located in different access zones. Virtual private clouds in any region are created to access a communication mechanism to communicate with other networks. This communication mechanism can be the Internet, virtual private network, or VPC peering.
By this definition, a virtual private cloud is a secure, isolated private cloud hosted in a public cloud. Virtual private cloud clients can run their applications in the cloud, store data, and host websites, just as if they were using a regular private cloud.
The most crucial difference between a virtual private cloud and a private enterprise cloud is that a public cloud service provider hosts the virtual private cloud. Organizations consider virtual private cloud because of its scalability and ease of access to public cloud computing and the separation of personal cloud network data from the public cloud.
To get a clear picture of these two concepts, assume that the public cloud is like a crowded restaurant, while a virtual private cloud is a table reserved in that crowded restaurant. Even if the restaurant is full of people, the table with the reservation mark is empty and only available to the person who has booked it.
Similarly, a public cloud is full of different cloud clients with access to computing resources, but VPC reserves some of these resources for specific client use.
What is a public cloud? What is a private cloud?
Public cloud infrastructure is a shared cloud that allows different customers to access a vendor’s cloud infrastructure. At the same time, their information is distinct, and they have no access to each other’s information, just like people in a restaurant and order different dishes. Public cloud service providers such as Microsoft Azer, Google’s cloud platform, and Amazon offer such services.
This architecture is known as Multitenancy but is a single-tenant virtual private cloud. A private cloud is a cloud service provided exclusively to an organization. In this architecture, a VPC is a private cloud that sits inside a public cloud. In the above virtual private cloud architecture, one customer is never given to another customer.
How is a VPC isolated in a public cloud?
Virtual Private Cloud can separate public cloud computing resources. Because the virtual private cloud has a dedicated subnet and virtual local area network, it is only available to the client who has implemented it. There are several critical technologies for distinguishing virtual private cloud from the public cloud, the most important of which are:
- Subnets: A subnet refers to a wide range of IP addresses reserved to isolate a portion of the network for private use. In virtual private clouds, IP addresses are proprietary and, unlike ordinary IP addresses that are publicly visible, are not accessible via the Internet.
- VLAN: A virtual local area network is a local area network or group of computing devices that are all connected without the use of the Internet. Like the subnet, VLAN is a solution for network segmentation, but segmentation is done in Layer 2 of the OSI model instead of Layer 3.
- VPN: A virtual private network uses an encryption pattern to build a personal network on top of a public network. VPN traffic passes through common Internet infrastructures such as routers, switches, etc., except that the traffic is not visible and is encrypted.
- NAT: NAT technology matches private IP addresses with public IP addresses for connecting to the public Internet. With NAT, a public website or application can run on a VPC.
- BGP Routing Configuration: Some customer service providers allow BGP routing tables to be configured to connect their VPC to other in-house infrastructure.
How do cloud service companies provide VPCs to consumers?
Cloud computing companies that use potent data centers to provide services extend their application-based services to the Cloud Computing Region and Accessibility area.
(Availability Zone) (Figure 1). This process is done for various reasons, such as improving the error tolerance threshold and maintaining service performance in the event of cyber-attacks are the main reasons for using the above architecture. However, companies can provide such services based on a modular data center architecture. In the definition of a data center modular architecture, modules are defined as subsystems that are interconnected.
This approach aims to minimize complexity. In this architecture, the characteristics of the deployed system such as capacity, performance, density, and weight must specify without additional analysis and in a predefined form.
In addition, the level of detail and dimensions of the modules must correctly specify, and the availability, redundancy, and power consumption characteristics must adequately address.
Figure 1 – View of the performance of the access area in the separation of machines and virtual networks
Accessibility area
In its technical and technical definition, the Availability Zone refers to an option with a high level of accessibility that protects applications and user data against data center crashes.
More precisely, access zones refer to unique physical locations called regions, which arise from a combination of data centers, each with its cooling mechanisms, independent networks, and power supply mechanisms.
An important point to note before analyzing this concept is that the accessibility area is not just a simple concept and consists of complex components, architectures, communication protocols, and networking that aim to provide commercial customer services continuously.
To be more precise, companies whose business services are based on this architecture are trustworthy and have a team of experienced network and security technicians working for them.
In addition, each region uses its communication mechanisms (Internet connection) to provide services.
To ensure flexibility and self-healing, ISPs define at least three separate areas in all active regions. Physical separation of accessible areas makes it possible to best protect applications and data from data center failures. In the above model, services based on the redundancy-area principle, programs, and data are amplified in different areas to overcome the header’s single point failure problem (SPFO).
Physical separation of accessible areas in an area makes it possible to best protect applications and data from data center failures. In the above model, services based on the redundancy-area principle, programs, and data are amplified in different areas to overcome the header’s single point failure problem (SPFO). Physical separation of accessible regions makes it possible to best protect applications and data from data center failures.
In the above model, services based on the redundancy-area principle, programs, and data are amplified in different areas to overcome the header’s single point failure problem (SPFO).
Provide Single-Points-Of-Failure so that customers can easily access the programs or data they need at any time.
Based on this architecture, cloud service providers will gain significant benefits. For example, improving the availability and operation of a virtual machine is maximized. Service providers assure organizations that they will access their lease services following the Service Level Agreement (SLA) terms.
The principle of accessibility is based on the dispersion of the areas in which data centers are located. The above approach is directly related to the concept of error tolerance threshold, which is based on N + 1 redundancy.
Suppose the architecture is implemented accurately and calculatedly. In that case, the error tolerance threshold will improve. Whenever the data center is seriously challenged due to physical problems or cyberattacks, other data centers will have additional data center tasks during maintenance. Take charge of the output circuit.
Technically and logically, the accessibility area and the modular architecture of the data center are very similar. In both cases, the goal is to divide an extensive system or architecture into smaller subsystems.
Based on the above definition, we see that the principle of an inaccessible area refers to the combination of several data centers that are physically so far apart that both cannot access simultaneously in the event of an accident. Still, at the same time, They are close to each other, able to meet the business needs of businesses, and do not face the problem of latency.
In the meantime, the role of the content delivery network should not be overlooked. Refer to Figure 2 for a more accurate understanding of this concept. As shown in Figure 2, an access area is a collection of buildings, Internet links, and power supplies. The access area can be considered a data center, but some include more physical data centers.
Region
An important concept related to accessibility is a region. A region consists of several data centers within the exact geographic location but does not share a common Fault Domain. For example, an area with two accessibility zones can provide good post-disaster recovery performance based on asynchronous replication patterns. Based on this architecture, services can be available in several access areas in the same place.
What is the advantage of the access area?
- The access area is implemented based on the principle that servers that provide specific applications are close to the end-users to minimize latency. Delay is one of the significant challenges of communication networks. To overcome this problem, many cloud service providers distribute servers and storage space and place these resources near end-users.
- Customers can deploy their applications inaccessible areas and design the operating environment so that if an accessible location is corrupted, samples in other available regions are activated. The server load in the affected area is restored until recovery. Take over.
- Another critical area of в… В… Accessibility is associated with the virtual private cloud. As mentioned, a virtual private cloud is a set of subnets containing a classless inter-domain routing block implemented in a single geographic area (region) across multiple data centers. A virtual private network is similar to a virtual data center, except it is physically located in different access areas.
A conceptual example of a virtual private cloud
The question is, what role does the access area play in a virtual private cloud? To clarify this issue, pay attention to Figure 3. The components shown in Figure 3 are as follows:
SubnetSubnets: A variable part of the CIDR block assigned to a virtual private cloud that uses traditional subnetting and markup rules, so be careful when sizing subnets and design the address range to fit with internal data centers or other Virtual private clouds that do not overlap. In the above architecture, a subnet dedicated to an access area is considered. In addition, several subnets can define in each access area. Each subnet has a single route table, and each subnet is associated with a network access control list. Note that a private subnet does not have external access in the above architecture and connects to an internal data center via a virtual personal gateway (VGW) or uses network address translation (NAT) technology to communicate with the Internet.
Route table: Each subnet has a path table. A single path table can be linked to several subnets. Functional path tables similar to the source-based routing, line-oriented PBR rule are called Source-based Policy-based Routing. In other words, you can specify subnet-based paths for packets. For example, private subnets may have path tables with a default path to a NAT gateway, and public subnets may have path tables with access to the Internet through an Internet gateway. In addition, private subnets can use a virtual personal gateway to create routes to return to internal data centers.
Simply put, route tables can be described as similar to Virtual Routing and Forwarding (VRF) tables. However, subnets in the same virtual private cloud can communicate directly with each other. Technically, all interactions in the virtual private cloud, from security groups to network access control lists, occur in Layer 2. Route tables contain paths that show a CIDR block as an instance, Internet gateway, virtual private gateway, NAT gateway, VPC peer, or VPC endpoint. In addition, route tables can receive dynamic BGP routes from a virtual personal gateway.
Security Group: A security group, such as an Access Control List (ACL), is called the Access Control List, usually applied to routers and firewalls, except that it applies directly to the sample. The Security groups are an essential component of the virtual private cloud that secures this communication infrastructure. Security groups play a vital role in this architecture, monitoring the connection status of TCP, UDP, and ICMP. Security groups contain rules and policies that function similarly to access control list entries and point to other security groups. The above feature allows you to block traffic of a particular group without using IP addresses. In general, security groups are like firewalls distributed in Layer 4.
Network ACL: Network access control lists are applied to each subnet more effectively than security groups. Access control lists similar to VLAN ACL or Layer 2 ACL are used. Network access control lists support the PERMIT and DENY command sets. Unlike security groups, these components are stateless. In addition, access control lists only work within the CIDR range and cannot point to other objects similar to the samples. By default, the Network Access Control List allows all packets to enter and exit the network unless you explicitly apply new policies. For example, if you want to block SSH for the entire subnet, you can add a DENY input for TCP port 22 to the subnet access control list. If you do not want to do this, you must block SSH in the security group for each instance.
Flexible network interface: An elastic network interface (ENI) is like a virtual network interface card (NIC). You can apply multiple ENIs to one instance and transfer the ENI to another example in the same subnet. An ENI has a dynamically assigned private address in the subnet and can optionally also have a dynamic public IP address.
Public IP Address: A public IP address is a routable public address that can access over the Internet. There are two types of public IP addresses in a virtual private cloud: dynamic proprietary IP addresses and resilient IP addresses.
Elastic IP address: A resilient IP address is a public IP address applied to the ENI and can be assigned to another instance upon completion. It is especially true for access control list rules, DNS inputs, and allowlists. Each public address has a corresponding private address.
Which cloud service providers have invested in accessibility architecture?
Companies active in cloud services use the above architecture in various ways. The most critical big names, such as Microsoft, Google, and Amazon, are pioneers in designing and implementing new communication architectures. As mentioned, the above architecture has proven effective in cyber-attacks and has significantly reduced network latency.
Fortunately, cloud service providers have taken practical steps in this area. Almost all of them build a large area and multiple access areas in cities or even different countries.
In general, the model used by these companies is based on a new architecture that facilitates the process of moving in an area and building sustainable clusters based on the Multi-Availability Zone model. This architecture is of grave concern to cloud service providers to address the leading security threats, ensuring sustainable access to services and reducing latency.