Study notes for networking on AWS.
The core pieces of networking in AWS are:
- Virtual Private Clouds (VPCs) - Spans only 1 Region
- Subnets - Spans only 1 Availability Zone
- Network Access Control Lists (NACLs) - Stateless firewall rules protecting subnets
- Security Groups (SG) - Stateful firewall rules protecting instances
- Gateways - Managed network resources that route network traffic in various ways
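The stateless/stateful distinction between NACLs and security groups is the one that trips people up most, so here is a small added model of it. This is illustration code written for these notes, not anything from AWS: the `Packet`, `NaclRule` and `SecurityGroup` types, the flow key and the sample client/server addresses are constructed assumptions; only the evaluation semantics mirror documented AWS behaviour (NACL rules are evaluated in ascending number order, first match wins, the implicit `*` rule denies, and each direction is evaluated on its own; security group rules are allow-only and replies to an allowed flow pass without an explicit rule).

```python
"""Toy model of a stateless NACL versus a stateful security group.

Added illustration for these notes, not AWS code. Types, flow key and
sample traffic are constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated in ascending order; the implicit '*' rule denies
    cidr: str        # remote CIDR: source for inbound rules, destination for outbound
    port_from: int   # destination-port range of the packet being evaluated
    port_to: int
    action: str      # "allow" or "deny"


def nacl_allows(rules, packet, direction):
    """Stateless: only this direction is consulted; the first matching rule decides."""
    remote = ip_address(packet.src if direction == "inbound" else packet.dst)
    for rule in sorted(rules, key=lambda r: r.number):
        if remote in ip_network(rule.cidr) and rule.port_from <= packet.dst_port <= rule.port_to:
            return rule.action == "allow"
    return False  # nothing matched: the implicit '*' deny applies


@dataclass
class SecurityGroup:
    inbound: list                              # (cidr, port_from, port_to) allow rules
    outbound: list
    tracked: set = field(default_factory=set)  # connection-tracking table


def _flow_key(p):
    return (p.src, p.dst, p.src_port, p.dst_port, p.proto)


def _reverse_key(p):
    return (p.dst, p.src, p.dst_port, p.src_port, p.proto)


def sg_allows(sg, packet, direction):
    """Stateful: a reply to a tracked flow passes without consulting any rule."""
    if _reverse_key(packet) in sg.tracked:
        return True
    rules = sg.inbound if direction == "inbound" else sg.outbound
    remote = ip_address(packet.src if direction == "inbound" else packet.dst)
    for cidr, lo, hi in rules:
        if remote in ip_network(cidr) and lo <= packet.dst_port <= hi:
            sg.tracked.add(_flow_key(packet))
            return True
    return False


def demo():
    """An HTTPS request from a constructed client to a constructed web server, plus its reply."""
    request = Packet("203.0.113.10", "10.0.1.5", src_port=50000, dst_port=443)
    reply = Packet("10.0.1.5", "203.0.113.10", src_port=443, dst_port=50000)

    nacl_inbound = [NaclRule(100, "0.0.0.0/0", 443, 443, "allow")]
    # Common mistake: outbound NACL only allows 443, so the reply (to the client's
    # ephemeral port) is dropped. The fixed table allows the ephemeral range.
    nacl_outbound_broken = [NaclRule(100, "0.0.0.0/0", 443, 443, "allow")]
    nacl_outbound_fixed = [NaclRule(100, "0.0.0.0/0", 1024, 65535, "allow")]
    # A lower-numbered deny wins over a later allow.
    nacl_inbound_blocklist = [NaclRule(50, "203.0.113.0/24", 0, 65535, "deny")] + nacl_inbound

    # Outbound left empty on purpose: the reply must pass on tracked state alone.
    sg = SecurityGroup(inbound=[("0.0.0.0/0", 443, 443)], outbound=[])

    return {
        "nacl_request_in": nacl_allows(nacl_inbound, request, "inbound"),
        "nacl_reply_out_broken": nacl_allows(nacl_outbound_broken, reply, "outbound"),
        "nacl_reply_out_fixed": nacl_allows(nacl_outbound_fixed, reply, "outbound"),
        "nacl_request_blocked": nacl_allows(nacl_inbound_blocklist, request, "inbound"),
        "sg_request_in": sg_allows(sg, request, "inbound"),
        "sg_reply_out": sg_allows(sg, reply, "outbound"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:24} {'ALLOW' if allowed else 'DROP'}")
```

The practical takeaway the model shows: a NACL on a subnet hosting a server needs an outbound rule for the ephemeral port range (1024-65535) or return traffic is silently dropped, while a security group never needs a matching reverse rule for replies. In the `demo()` results the broken NACL outbound table drops the reply, the fixed one passes it, and the security group passes the reply with no outbound rules at all.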
Public and Private Subnets… and their expenses
There are public and private subnets. Public subnets are addressable from the internet and can also route traffic to the internet. Private subnets are not addressable from the internet, nor can they route traffic to the internet.
In order for instances in private subnets to access AWS services, one of the following solutions must be employed:
- Use AWS Private Link to provide a route from within the private subnet directly to AWS Services
- Provision an AWS NAT Gateway in a public subnet to translate requests from the private subnet to the internet
- Provision an EC2 instance running a NAT server to translate requests from the private subnet to the internet
All three solutions cost money. This is unfortunate, because in order to provide defense in depth, users must pay an additional premium to keep their instances protected in a private subnet, while still accessing AWS resources. Option #3 is the cheapest option, but is arguably the most work.
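What makes a subnet "public" or "private" is nothing more than its route table, and the NAT gateway option only works because the gateway itself sits in a subnet whose table reaches an Internet Gateway. The following added model illustrates that. It is example code written for these notes, not AWS code: the dict-based route-table format, the subnet layout, and the `igw-EXAMPLE` / `nat-EXAMPLE` target ids are constructed placeholders; what it reproduces is AWS behaviour (every route table carries an irremovable `local` route for the VPC CIDR, the most specific matching route wins, and a NAT gateway forwards using its own subnet's route table).

```python
"""Toy model of VPC subnet route tables.

Added illustration for these notes, not AWS code. Route-table format, subnet
layout and the *-EXAMPLE target ids are constructed placeholders.
"""
from ipaddress import ip_address, ip_network

VPC_CIDR = "10.0.0.0/16"

# {destination_cidr: target}. The 'local' route is present in every table.
PUBLIC_ROUTES = {VPC_CIDR: "local", "0.0.0.0/0": "igw-EXAMPLE"}
PRIVATE_ROUTES_VIA_NAT = {VPC_CIDR: "local", "0.0.0.0/0": "nat-EXAMPLE"}
ISOLATED_ROUTES = {VPC_CIDR: "local"}

SUBNETS = {
    "public-a":   {"cidr": "10.0.1.0/24", "routes": PUBLIC_ROUTES},
    "private-a":  {"cidr": "10.0.2.0/24", "routes": PRIVATE_ROUTES_VIA_NAT},
    "isolated-a": {"cidr": "10.0.3.0/24", "routes": ISOLATED_ROUTES},
}
# A NAT gateway lives in a subnet of its own and forwards via that subnet's table.
NAT_GATEWAY_SUBNET = {"nat-EXAMPLE": "public-a"}


def next_hop(routes, dst):
    """Longest-prefix match over one route table; None means no route (packet dropped)."""
    addr = ip_address(dst)
    best = None
    for cidr, target in routes.items():
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public(subnet):
    """A subnet is public only when its default route points at an Internet Gateway."""
    return SUBNETS[subnet]["routes"].get("0.0.0.0/0", "").startswith("igw-")


def path_to(subnet, dst, nat_subnets=NAT_GATEWAY_SUBNET):
    """Targets a packet passes through from an instance in `subnet` toward `dst`."""
    hops = []
    current = subnet
    for _ in range(4):  # bounded: guards against a misrouted NAT loop
        target = next_hop(SUBNETS[current]["routes"], dst)
        hops.append(target)
        if target is None or not target.startswith("nat-"):
            return hops
        current = nat_subnets[target]  # continue from the NAT gateway's subnet
    return hops


def demo():
    internet = "198.51.100.7"  # constructed external address (documentation range)
    peer = "10.0.3.9"          # constructed address of an instance in isolated-a
    return {
        "public_to_internet": path_to("public-a", internet),
        "private_to_internet": path_to("private-a", internet),
        "isolated_to_internet": path_to("isolated-a", internet),
        "private_to_peer": path_to("private-a", peer),
        # Misplacing the NAT gateway in a subnet without an IGW route breaks egress.
        "nat_in_wrong_subnet": path_to("private-a", internet, {"nat-EXAMPLE": "isolated-a"}),
        "public_flags": {name: is_public(name) for name in SUBNETS},
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

Two things fall out of the model: intra-VPC traffic never leaves through the NAT or IGW because the `/16` local route is more specific than `0.0.0.0/0`, and putting the NAT gateway in a subnet that lacks an IGW route leaves the private subnet with no path out at all, which is the reason option #2 above has to be provisioned on a public subnet.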
IP Addresses
In order to have EC2 instances in a public subnet be reachable via the Internet, they need a public IP address.
Public IPv4 addresses are in short supply, so AWS charges your account at a per-second rate for public IPv4 address usage.
Not only are you charged for elastic IP addresses and EC2 public IPv4 addresses, but also the IP addresses that are managed by AWS Services (see this list). This means that if you provision a publicly addressable Amazon RDS instance, you pay for the IPv4 address usage.
You can get around this by buying a public IPv4 address through a broker and using it on AWS, or you could use a public IPv6 address.
Sadly, IPv6 addressing is not supported by all AWS services. Here is a list of services that support IPv6.
So, if you want to host a publicly reachable EC2 instance/service on AWS, count on paying for a public IPv4 address. Unless you go serverless… but that is a topic for later.
Gateways
There are many different types of network gateways that AWS offers; each has its own purpose.
I’ve tried to compile a list of all the network gateways that AWS offers as of writing this post:
Gateway Name | Use Case | Cost Model |
---|---|---|
NAT Gateway | Perform NAT for instances in a private subnet. | Per hour the gateway is provisioned, and per GB of data processed. |
Private Link | Connect instances in private subnets to AWS services. | Per hour the gateway is provisioned, and per GB of data processed. |
Internet Gateway | Connect a subnet to the Internet. | Gateway is free; other EC2 data charges apply. |
Egress-Only Internet Gateway | Connect a subnet to the Internet for outbound IPv6 requests. | Gateway is free; other EC2 data charges apply. |
Transit Gateway | Connect multiple VPCs and on-prem networks. | Number of connections per hour, and per GB of data processed. |
Direct Connect Gateway | Dedicated, physical connection to AWS. | Expensive. Depends on link capacity. Large up-front commitment. |
Data Transfer Out (DTO) Costs
One complaint that I’ve consistently heard from others using AWS is: data transfer costs are huge.
As far as I can tell, this is one of the largest cost issues that users face on AWS.
The Internet Gateway is free to provision, but any EC2 instances sending data through that gateway will incur data transfer out costs. After you breach the 100GB free per month, you will begin seeing a cost of $0.09/GB for data transferred from your EC2 instances in us-east-2 out to the Internet.
That can add up quickly. Options to cut down on DTO cost include:
- Use AWS CloudFront to serve up static assets (see this Reddit post, and this one too)
- Use S3 to serve static assets
- Use other CDNs such as CloudFlare to distribute static assets
- Compress + optimize content
Sadly, switching to serverless (such as AWS Lambda) still incurs DTO charges and provides no benefit here.
Recommended Reading
- Amazon Virtual Private Cloud Docs
- This StackOverflow post and this one too about Private Subnets in AWS.
- This Reddit Post about a user running a podcast platform.