This article covers the following:
- The difference between public and private subnets
- How to create a new IGW and how to modify the route table
- How to create a NAT gateway and how to modify the route table
- A reasonable network topology
- The VPC Wizard
Public Subnets vs Private Subnets
- Subnet: a VPC spans availability zones. After creating a VPC, you add one or more subnets in each availability zone; a subnet cannot span availability zones.
- Public subnet: a subnet whose associated route table contains a route to an Internet gateway.
- Private subnet: a subnet whose associated route table contains no route to an Internet gateway.
- VPN-only subnet: a special case of a private subnet. It has no route to an Internet gateway, but its traffic is routed to a virtual private gateway over a VPN connection.
As shown above:
- Subnet1: has a route to an Internet gateway, so it is a public subnet
- Subnet2: has no route to an Internet gateway, so it is a private subnet
- Subnet3: has no route to an Internet gateway, but its traffic can reach the VPN, so it is a VPN-only subnet
Internet Gateways
An Internet gateway (IGW) enables communication between instances in a VPC and the Internet.
An Internet gateway serves two purposes:
- Provide a target for Internet-routable traffic in VPC route tables
- Perform network address translation (NAT) for instances that have been assigned public IPv4 addresses
When an AWS account is created, AWS creates a default VPC in each region, and that default VPC already has an Internet gateway attached. An Internet gateway can be attached to only one VPC at a time. While a VPC contains EC2 instances or other AWS resources, the Internet gateway cannot be manually detached from that VPC.
Route Tables
Each subnet is associated with exactly one route table. Whether a subnet in a VPC is public or private is determined by the route table that subnet uses.
If the route table contains a route to an Internet gateway, the subnet is a public subnet.
A route table consists of a series of routes that determine what the subnet's traffic can reach. By default, subnets in the same VPC can communicate with each other. A route table that is still associated with a subnet cannot be deleted.
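The classification rule above (public if the route table has an Internet gateway route, VPN-only if it has only a virtual private gateway route, otherwise private) is easy to check programmatically across a whole VPC. The following is an added example, not code from the original article: it works on dictionaries in the shape of the EC2 DescribeRouteTables and DescribeSubnets API responses, and it also handles the subnet-without-an-explicit-association case, which falls back to the VPC's main route table. All IDs and routes in it are constructed sample data.

```python
# Added example (not the article's code): classify subnets from EC2 DescribeRouteTables-shaped data; all IDs constructed.
def classify_route_table(rt):
    """Public if an active route targets an Internet gateway (igw-), VPN-only
    if none does but one targets a virtual private gateway (vgw-), else
    private. Blackhole routes are skipped: they forward nothing."""
    if rt is None:
        return "private"
    targets = [r.get("GatewayId", "") for r in rt["Routes"]
               if r.get("State", "active") == "active"]
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("vgw-") for t in targets):
        return "vpn-only"
    return "private"


def classify_subnets(route_tables, subnets):
    """Return {subnet_id: kind}. A subnet with no explicit association uses
    its VPC's main route table, so an igw- route on the main table quietly
    makes every unassociated subnet public."""
    main_by_vpc, explicit = {}, {}
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("Main"):
                main_by_vpc[rt["VpcId"]] = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    return {sn["SubnetId"]: classify_route_table(
                explicit.get(sn["SubnetId"]) or main_by_vpc.get(sn["VpcId"]))
            for sn in subnets}


# Constructed sample: a private-only main table, the page's Subnet1 (public)
# and Subnet3 (VPN-only); Subnet2 has no association and inherits the main table.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES = [
    {"VpcId": "vpc-0example", "Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"VpcId": "vpc-0example", "Associations": [{"Main": False, "SubnetId": "subnet-1"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "igw-0example", "State": "active"}]},
    {"VpcId": "vpc-0example", "Associations": [{"Main": False, "SubnetId": "subnet-3"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "172.16.0.0/12",
                        "GatewayId": "vgw-0example", "State": "active"}]},
]
SUBNETS = [{"SubnetId": s, "VpcId": "vpc-0example"}
           for s in ("subnet-1", "subnet-2", "subnet-3")]

if __name__ == "__main__":
    print(classify_subnets(ROUTE_TABLES, SUBNETS))
```

Against a live account the same two functions take the `RouteTables` and `Subnets` lists returned by boto3's `describe_route_tables()` and `describe_subnets()`.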