By default can services in the same VPC talk to each other or does this need to be specifically allowed? (i.e via route tables)
How about if they are in the same VPC but different availability zones?
How do public and private subnets differ in this situation?
A VPC is just a network. The fact that it's in the cloud makes it no different than if it were a physical network in a data center.
A VPC is divided into subnets - you define those.
How do things talk to each other? That depends on how you set up the route tables. A Route Table resource effectively programs a router device which defines how the subnets are linked together. If you have done any of the Linux courses, it's the same concept.
A subnet is defined as public if it has a route to an Internet Gateway resource. Devices on a public subnet can be connected to from outside of AWS, i.e. from the Internet, if they are assigned a public IP address.
A private subnet does not have an associated Internet Gateway and is so-called because it’s private with respect to the Internet - devices on private subnets cannot be directly connected to from the Internet and don’t have an IP address that can be accessed from the outside world.
Generally it is bad practice for security reasons to place things like EC2 or RDS on public subnets. You put AWS managed devices like Load Balancers which are security-hardened on your public subnet, and connect the back end of the load balancer to EC2 instances running in private subnets. A Network ACL (firewall) placed on the private subnets can help restrict the traffic going from the public to the private subnets to allow only the load balancer traffic.
AZs are transparent with respect to devices seeing each other within the VPC. A subnet in AZ-A is connected to a subnet in AZ-B by its route table.
At the end of the day, it is all just networking and nothing special about it being in AWS. If you understand the basics of networking, which you can get in our Linux courses, it should all be clear.
Thanks for your response. So it sounds like by default I need to configure route tables to have my services talk between availability zones.
Yes, if you create a VPC from scratch.
You need to create subnets and route tables, plus an internet gateway to route public subnets through.