Understanding AWS Subnet and Elastic IP

In this article, we will discuss what a subnet is, how AWS uses it in the VPC to connect internal resources, and what an elastic IP is.

AWS Subnet

A VPC is confined to a region that has multiple availability zones. Multiple instances can be launched in this VPC, but to reach these instances we need to address each one by a unique address. Subnets are used for this.

An IP (Internet Protocol) address identifies a computer on a network so that other computers can reach it; we can open a website by entering its IP address in a browser. AWS uses a range of IP addresses, called a subnet, to connect its internal resources. Subnets can be public or private: public subnets can be reached from outside the VPC, while private subnets can only be reached from inside the VPC.

IPv4 CIDR blocks are specified while creating the subnet; the subnet's block is a subset of the VPC CIDR block. CIDR blocks make it possible to apply rules to a broad range of IP addresses. Each subnet is confined to a single availability zone and cannot span multiple zones, which keeps the zones separate from each other. Users can also create Local Zone subnets to run applications closer to end users; Local Zone subnets are used for single-digit millisecond latencies.

Types

Subnets are allocated from the VPC using the CIDR system. There are mainly two types of subnet, distinguished by whether they are connected to an internet gateway.

  1. Public subnet: Public subnet is directly connected to the internet gateway. Resources in the public subnet can access the internet.

  2. Private subnet: Resources in a private subnet can’t directly connect to the internet. To reach the internet, a private subnet is connected to a NAT Gateway.

There is also a VPN-only subnet, which doesn't have a direct connection to the internet gateway. It is routed via a virtual private gateway by a site-to-site VPN connection.

For public and private subnets the best practice is to create two separate subnets from the VPC’s CIDR block and use two different routing rules for the two types of subnets at the launch of the VPC.

Depending on the type of CIDR IP address, subnets can be of 3 types. If an IPv4 CIDR block is assigned to a subnet it’s called an IPv4-only subnet. For IPv6 CIDR blocks, the subnet is called an IPv6-only subnet. If both IPv4 and IPv6 CIDR blocks are assigned to a subnet then it’s called a dual-stack subnet. For all these types of subnets, the VPC must have the specific type of CIDR block available.

How it works

When we launch an instance in a VPC (see Launch and SSH (from Windows) to AWS EC2 Instance), we choose a subnet for the instance. The instance receives an available IP address from that subnet's range, and we can then reach the instance at that address. Subnets connect all the instances in the VPC through routing.

From the VPC’s CIDR block, a subset can be carved out as the subnet CIDR. The allowed block size is between a /28 netmask and a /16 netmask. There are tools available (IP Subnet Calculator) to calculate subnet CIDR blocks.

The first four and the last IP address of the subnet are reserved for AWS’s use. We can’t assign them to our instances. For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved:

  • 10.0.0.0: Network address.

  • 10.0.0.1: Reserved for the VPC router.

  • 10.0.0.2: Reserved by AWS. This is the IP address of the DNS server. For VPCs with multiple CIDR blocks, the IP address of the DNS server is located in the primary CIDR.

  • 10.0.0.3: Reserved for future use.

  • 10.0.0.255: Network broadcast address. AWS doesn’t support broadcast in a VPC.
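To make the block-size limits and reserved addresses above concrete, here is an added Python helper (not from the original article) that validates a proposed subnet CIDR against its VPC block and lists what AWS reserves; the `check_subnet` and `plan_subnet` names and the overlap check against sibling subnets are my additions.

```python
import ipaddress

# Constraints stated in the text: a VPC subnet block is between /16 and /28, and
# AWS reserves the first four addresses plus the broadcast address of every subnet.
MIN_PREFIX, MAX_PREFIX = 16, 28
RESERVED_PER_SUBNET = 5


def check_subnet(vpc_cidr, subnet_cidr, existing=()):
    """Return the reasons a proposed IPv4 subnet CIDR is invalid (empty list if fine)."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnet = ipaddress.ip_network(subnet_cidr, strict=True)
    if vpc.version != 4 or subnet.version != 4:
        return ["this helper handles IPv4 CIDR blocks only"]
    problems = []
    if not MIN_PREFIX <= subnet.prefixlen <= MAX_PREFIX:
        problems.append(f"{subnet} is outside the /16 to /28 range AWS allows")
    if not subnet.subnet_of(vpc):
        problems.append(f"{subnet} is not a subset of the VPC block {vpc}")
    for other in existing:  # subnets within one VPC must not overlap each other
        if subnet.overlaps(ipaddress.ip_network(other, strict=True)):
            problems.append(f"{subnet} overlaps the existing subnet {other}")
    return problems


def plan_subnet(vpc_cidr, subnet_cidr, existing=()):
    """Validate the subnet, then list the AWS-reserved addresses and the usable range."""
    problems = check_subnet(vpc_cidr, subnet_cidr, existing)
    if problems:
        raise ValueError("; ".join(problems))
    subnet = ipaddress.ip_network(subnet_cidr)
    base, last = int(subnet.network_address), int(subnet.broadcast_address)
    reserved = {
        "network": str(ipaddress.ip_address(base)),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(ipaddress.ip_address(last)),
    }
    return {
        "subnet": str(subnet),
        "reserved": reserved,
        "first_usable": str(ipaddress.ip_address(base + 4)),
        "last_usable": str(ipaddress.ip_address(last - 1)),
        "usable_hosts": subnet.num_addresses - RESERVED_PER_SUBNET,
    }
```

Calling `plan_subnet("10.0.0.0/16", "10.0.0.0/24")` reproduces the five reserved addresses listed above and reports 251 usable hosts.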

Subnet routing

Every subnet must be associated with a route table, which defines where the subnet’s traffic is directed. A newly created subnet is automatically associated with the VPC’s main route table, but it’s recommended to change this association depending on how the subnet is used.

Public subnets are routed through an Internet Gateway. By doing so, traffic from the subnet can go through the internet gateway. Outsiders can also access the subnet via the internet gateway.

Private subnets are not directly connected to an Internet Gateway, but they can get outbound-only internet connectivity through a NAT Gateway or NAT Instance (see AWS Internet Gateway vs NAT Gateway vs NAT Instance). Outsiders can’t reach a private subnet, which gives VPC resources a higher level of protection; you choose what to expose to the outside world.

Subnet Security

AWS lets the user attach security groups to resources. To protect instances from attacks coming over the internet, it’s recommended to place them in a private subnet that reaches the internet only through a NAT Gateway. This is the preferred layout for backends and databases. An instance doesn’t need to be reachable from the internet unless the general public must access it.

While creating a subnet, it is associated with the default network Access Control List (ACL). The default network ACL allows all inbound and outbound traffic, so users are advised to tighten these rules to secure their instances.
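As an added illustration of the routing and ACL points in the two sections above (example code, not from the original article), the following Python classifies each subnet as public, private or isolated from its route table and flags public subnets that are still on the default allow-all network ACL; the record layout and the subnet and gateway ids are constructed assumptions.

```python
# Constructed records for the audit below; the field names are a simplified version of
# what `aws ec2 describe-route-tables` and `describe-network-acls` return (an assumption).
ROUTE_TABLES = [
    {"id": "rtb-main", "main": True, "subnets": [],
     "routes": [{"dest": "10.0.0.0/16", "target": "local"}]},
    {"id": "rtb-public", "main": False, "subnets": ["subnet-web"],
     "routes": [{"dest": "10.0.0.0/16", "target": "local"},
                {"dest": "0.0.0.0/0", "target": "igw-0abc"}]},
    {"id": "rtb-private", "main": False, "subnets": ["subnet-app"],
     "routes": [{"dest": "10.0.0.0/16", "target": "local"},
                {"dest": "0.0.0.0/0", "target": "nat-0def"}]},
]
# The default network ACL allows all traffic in both directions, as the text notes.
NETWORK_ACLS = [
    {"id": "acl-default", "subnets": ["subnet-web", "subnet-db"], "entries": [
        {"rule": 100, "action": "allow", "cidr": "0.0.0.0/0", "egress": False},
        {"rule": 100, "action": "allow", "cidr": "0.0.0.0/0", "egress": True}]},
    {"id": "acl-app", "subnets": ["subnet-app"], "entries": [
        {"rule": 100, "action": "allow", "cidr": "10.0.0.0/16", "egress": False},
        {"rule": 100, "action": "allow", "cidr": "0.0.0.0/0", "egress": True}]},
]

def route_table_for(subnet_id, route_tables=ROUTE_TABLES):
    """A subnet with no explicit association uses the VPC's main route table."""
    for rt in route_tables:
        if subnet_id in rt["subnets"]:
            return rt
    return next(rt for rt in route_tables if rt["main"])

def classify_subnet(subnet_id, route_tables=ROUTE_TABLES):
    """'public' if the 0.0.0.0/0 route targets an internet gateway, 'private' if it
    targets a NAT gateway, 'isolated' if the subnet has no default route at all."""
    routes = route_table_for(subnet_id, route_tables)["routes"]
    targets = [r["target"] for r in routes if r["dest"] == "0.0.0.0/0"]
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("nat-") for t in targets):
        return "private"
    return "isolated"

def inbound_open_to_world(subnet_id, acls=NETWORK_ACLS):
    """True when the subnet's network ACL still allows all inbound traffic."""
    acl = next(a for a in acls if subnet_id in a["subnets"])
    return any(e["action"] == "allow" and e["cidr"] == "0.0.0.0/0" and not e["egress"]
               for e in acl["entries"])

def audit(subnet_ids):
    """Per subnet: (exposure, allow-all inbound ACL?); public + True deserves review."""
    return {s: (classify_subnet(s), inbound_open_to_world(s)) for s in subnet_ids}
```

In the constructed data, `subnet-db` has no explicit route table association, so it inherits the main table and is reported as isolated.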

AWS Elastic IP

AWS provides Elastic IP to help users to create a fixed IP for their resources. It mitigates some problems related to AWS’s changing public IP addresses. In this article, we will discuss what Elastic IP is, how to use them properly, and give some additional information about them that might be beneficial for beginners.

What is Elastic IP?

Before discussing Elastic IP, we should understand what an IP address is. An IP (Internet Protocol) address is a numerical label assigned to each computer connected to a network, and each computer in that network is addressed by its unique IP address. An example of an IP address is 192.1.0.2.

An Elastic IP is a static IPv4 address that doesn’t change over time. Users can obtain these IPs from AWS or bring their own IP addresses to AWS. By ‘own IP’, we mean addresses they already use for resources outside of AWS; these can also come from a third-party provider.

Elastic IP can be accessed from the internet. You can also use your elastic IP for the DNS record to direct to your application.

Why Do We Need Elastic IP

When a user creates instances in a VPC, the public IP attached to each instance is chosen by AWS from Amazon's pool of public IPv4 addresses, not defined by the user. It’s independent of the user’s account, and the user can’t specify what the public IP address will be. If the user stops, hibernates, or terminates an instance, its public IP is released back into the public IPv4 pool.

So if a user needs a stable IP for their instances, for ease of development, they can attach an available Elastic IP to the instance. This spares the development team unnecessary hassle. Elastic IP also comes to the rescue on instance failure: by remapping the Elastic IP address to a new instance, the failure can be mitigated without changing anything on the development side.

Pricing

As AWS already provides a public IP to instances, an allocated Elastic IP that isn’t attached to any instance is being wasted. So, AWS charges hourly for any Elastic IP that isn’t attached to an instance. A small hourly charge also applies if the IP is attached to a stopped instance or to an unattached network interface.

Additional Information

  • Elastic IPs are region specific. One region's IP can’t be used for other regions’ resources.

  • Elastic IPs are first assigned to the user account. Then the user can use the IP for different instances.

  • A public IPv4 address can’t be used as an Elastic IP.

  • Elastic IP remains attached to the user account until the user releases it.

  • Associating an Elastic IP with an instance also releases the instance’s public IP back to AWS’s public IPv4 pool.

  • By default, an AWS account can use up to 5 Elastic IPs per region. It’s recommended to use Elastic IPs only for remapping purposes.

  • Elastic IP addresses that the user has brought to AWS from outside don’t count toward the Elastic IP limit.

In this article, we discussed AWS subnet and Elastic IP and the relation between public IP and Elastic IP. Learning when and how to use different types of subnets and the Elastic IP can be crucial to protecting your AWS instances.