Routing is the process of directing traffic between networks or VPCs, and it is also what connects a VPC to the Internet: the route table attached to a subnet decides where packets are sent. We do not want external traffic to reach everything in the network, so only subnets whose route table has a route to the Internet gateway are exposed at all. Route tables direct traffic rather than filter it; restricting who may reach what is done by two filters that sit beneath routing. A VPC is divided into subnets, and access to each subnet is controlled by a Network Access Control List (NACL). Security groups control access to individual resources such as EC2 instances (they are attached to the instance's network interface, not to an Amazon Machine Image).

Suppose you have a VPC with a web server, an application server, and a database server. Each of these runs on a separate EC2 instance.

VPC connectivity

Set up an Internet gateway. A gateway is a device that lets two or more networks exchange traffic. Create a route table with a route that sends Internet-bound traffic (destination 0.0.0.0/0) to the Internet gateway, and associate that route table with the subnets that need to exchange traffic with the Internet; instances in those subnets also need a public or Elastic IP address to be reachable. A subnet with such a route is called a public subnet or DMZ, the part of the network that connects an untrusted network (the Internet) to our trusted network. Subnets whose route table has only the local route stay private and are reachable only from inside the VPC or over a VPN.

Subnet Connectivity

Access to subnets is controlled by Network Access Control Lists (NACLs). A NACL is a firewall for the subnet: numbered allow and deny rules define which source or destination ranges and ports may send packets into or out of the subnet, rules are evaluated from the lowest number upward, and anything unmatched is denied. NACLs are stateless, so inbound and outbound rules are evaluated independently: a rule that allows inbound port 80 does not let the replies back out, so the outbound rules must also allow the ephemeral port range (1024 to 65535) or the connection never completes. For example, you could open port 80 to the Internet for the web server, allow port 22 only from the VPN address range for SSH access, and allow port 3306 only from the application server's subnet so that it can reach the database.

Security Groups

Security groups are firewalls for individual resources such as EC2 instances (attached to the instance's network interface, not to an Amazon Machine Image). A security group contains only allow rules and denies all inbound traffic by default, so it must be configured to admit anything; outbound traffic is allowed by default. Security groups are stateful: the reply to an allowed request is permitted automatically. A rule's source can be a CIDR range or another security group, so we can say that the database server's port 3306 is open only to members of the application server's security group, which holds even if the application server's address changes.
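The following is an added example, not code from the original post or from AWS: a small Python model of the three controls described above (the public and private route tables from the VPC connectivity section, the stateless NACL from the subnet connectivity section, and the stateful security groups from this section) for the web, application and database servers. The VPC range, VPN range, client address, rule numbers and security group names are assumptions, but the evaluation rules reproduce the documented behaviour: longest-prefix routing with an implicit local route, NACL rules evaluated lowest number first with an implicit final deny and no connection state, and security groups that hold only allow rules and are stateful.

```python
"""Toy model of the three VPC traffic controls for a web/app/db layout.

Added example, not AWS or the article's own code: it reproduces the documented
semantics of route tables (longest-prefix match, implicit 'local' route),
NACLs (stateless, numbered rules, lowest number first, implicit deny) and
security groups (stateful, allow rules only, implicit deny inbound) on
assumed addresses, subnet ranges and rule numbers.
"""
import ipaddress

VPC = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC range
VPN = "10.8.0.0/16"                          # assumed VPN client range
ANY = "0.0.0.0/0"

# Route tables: (destination, target). Every VPC route table has the local route.
PUBLIC_RT = [(VPC, "local"), (ipaddress.ip_network(ANY), "igw")]
PRIVATE_RT = [(VPC, "local")]                # no route to the Internet gateway


def route_lookup(table, dst):
    """Longest-prefix match; None means no route exists and the packet is dropped."""
    dst = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, target) for net, target in table if dst in net]
    return max(matches)[1] if matches else None


# NACL rules: (number, action, cidr, low_port, high_port), evaluated in number
# order; the first match decides and an unmatched packet hits the implicit deny.
PUBLIC_NACL_IN = [
    (100, "allow", ANY, 80, 80),
    (110, "allow", ANY, 443, 443),
    (120, "allow", VPN, 22, 22),
    (130, "allow", ANY, 1024, 65535),   # replies to connections the web server opens
]
PUBLIC_NACL_OUT = [
    (100, "allow", ANY, 1024, 65535),   # replies to clients' ephemeral ports
    (110, "allow", ANY, 80, 80),
    (120, "allow", ANY, 443, 443),
]
# A common mistake: outbound rules that list only the service ports.
PUBLIC_NACL_OUT_NO_EPHEMERAL = [(100, "allow", ANY, 80, 80), (110, "allow", ANY, 443, 443)]


def nacl_allows(rules, addr, port):
    """Apply one direction of a NACL to a single packet."""
    addr = ipaddress.ip_address(addr)
    for _num, action, cidr, lo, hi in sorted(rules):
        if addr in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action == "allow"
    return False   # implicit final deny


def tcp_flow_through_nacl(rules_in, rules_out, client_ip, client_port, server_port):
    """A NACL is stateless: the request and the reply are checked independently."""
    request_ok = nacl_allows(rules_in, client_ip, server_port)
    reply_ok = nacl_allows(rules_out, client_ip, client_port)
    return request_ok and reply_ok


# Security groups: (source_kind, source, port). Only allow rules exist, inbound
# is denied unless listed, and because the group is stateful the reply to an
# allowed request is let back out without any outbound rule.
WEB_SG = [("cidr", ANY, 80), ("cidr", ANY, 443), ("cidr", VPN, 22)]
APP_SG = [("group", "web-sg", 8080), ("cidr", VPN, 22)]
DB_SG = [("group", "app-sg", 3306), ("cidr", VPN, 22)]


def sg_allows(rules, port, src_addr=None, src_group=None):
    """Inbound check: the source may match by CIDR or by security group membership."""
    for kind, source, p in rules:
        if p != port:
            continue
        if kind == "group" and source == src_group:
            return True
        if kind == "cidr" and src_addr and ipaddress.ip_address(src_addr) in ipaddress.ip_network(source):
            return True
    return False


if __name__ == "__main__":
    client = "203.0.113.5"   # documentation address standing in for an Internet client
    print("public subnet reaches Internet via:", route_lookup(PUBLIC_RT, client))
    print("private subnet reaches Internet via:", route_lookup(PRIVATE_RT, client))
    print("HTTP flow with ephemeral rule:", tcp_flow_through_nacl(PUBLIC_NACL_IN, PUBLIC_NACL_OUT, client, 51515, 80))
    print("HTTP flow without it:", tcp_flow_through_nacl(PUBLIC_NACL_IN, PUBLIC_NACL_OUT_NO_EPHEMERAL, client, 51515, 80))
    print("db from app-sg:", sg_allows(DB_SG, 3306, src_group="app-sg"))
    print("db from Internet:", sg_allows(DB_SG, 3306, src_addr=client))
```

The point to take from running it is the contrast in the last four lines: the same HTTP request succeeds or fails at the NACL depending on whether the outbound ephemeral range is listed, while the security group needs no outbound rule at all for the reply, and the database accepts port 3306 from the application group but not from the Internet client.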

AWS lets you control traffic to your applications and data through three layers: routing decides whether a path exists at all, NACLs filter at the subnet boundary, and security groups filter at the individual instance.

By master