Post

AWS Cloud Networking: Traffic Flow from EC2 Instance to VPC Internet Gateway

Posted Updated
Preview Image
By Tech Head
3 min read
AWS Cloud Networking: Traffic Flow from EC2 Instance to VPC Internet Gateway

In this post, we will break down an AWS architecture diagram that illustrates the flow of traffic from an EC2 instance to a VPC Internet Gateway. The diagram showcases the various components involved, such as Regions, VPCs, Availability Zones, Subnets, Network ACLs (Access Control Lists), Security Groups, and the Internet Gateway. Let’s dive into each layer and understand their roles and how traffic flows through them.

AWS Cloud Diagram

Components Overview

Region

A Region is a geographical area containing multiple Availability Zones. AWS has multiple Regions worldwide to provide better redundancy and disaster recovery.

VPC (Virtual Private Cloud)

A VPC is a logically isolated network within the AWS cloud where you can launch AWS resources. Each VPC spans all the Availability Zones in the Region.

Availability Zone

An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. Each Availability Zone is isolated, but the Availability Zones in a Region are connected through low-latency links.

Subnet

A Subnet is a range of IP addresses in your VPC. A Subnet can be in one Availability Zone only and can be categorized as public or private based on routing.

Network ACL (Access Control List)

Network ACLs are stateless, meaning that they monitor both inbound and outbound traffic separately. They provide a layer of security for the Subnets within a VPC by allowing or denying traffic at the Subnet level.

Security Group

Security Groups are stateful, meaning that if you allow an inbound request, the outbound response is automatically allowed. They act as virtual firewalls for your instances to control inbound and outbound traffic.

Internet Gateway

An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet.

Traffic Flow Explanation

Traffic Outbound from EC2 Instance to Internet Gateway

  • When an EC2 instance initiates outbound traffic (e.g., to the internet), the traffic first passes through the Security Group associated with the instance.
  • The Security Group checks the outbound rules to determine if the traffic is allowed. Since Security Groups are stateful, if outbound traffic is allowed, the return traffic is also allowed.
  • The traffic then moves to the Subnet’s Network ACL. The Network ACL evaluates the outbound rules to permit or deny the traffic. Since Network ACLs are stateless, it must explicitly allow outbound and return inbound traffic.
  • Finally, the traffic reaches the VPC Internet Gateway, which enables the instance to communicate with the internet.

Traffic Inbound to EC2 Instance from Internet Gateway

  • Inbound traffic from the internet first hits the VPC Internet Gateway.
  • The traffic then passes through the Subnet’s Network ACL, which evaluates the inbound rules to determine if the traffic is allowed.
  • If permitted, the traffic reaches the Security Group of the EC2 instance. The Security Group checks the inbound rules to decide whether to allow the traffic to reach the instance.

Key Points

  • Security Groups are stateful. This means that when you allow an inbound rule, the response outbound traffic is automatically allowed.
  • Network ACLs are stateless. Therefore, you must explicitly allow both inbound and outbound traffic rules.
  • Internet Gateways serve as a bridge between the VPC and the internet, handling the routing of traffic to and from the internet.
  • VPC Subnet All of this considering the EC2 is in a public subent, otherwise you need to use a NAT gateway for private subnets.

Conclusion

Understanding how traffic flows within an AWS VPC is crucial for designing secure and efficient cloud architectures. By properly configuring Security Groups and Network ACLs, you can ensure that your EC2 instances are protected from unauthorized access while allowing necessary traffic to and from the internet. The diagram and explanation provided in this post should help you visualize and comprehend the interaction between various AWS components involved in managing network traffic.

By carefully managing each layer, from the Region down to the Security Group, you can achieve a robust and secure network setup for your AWS resources.

AWS, Networking
aws VPC EC2 Security Networking
This post is licensed under CC BY 4.0 by the author.