Reading 10 - theSam1998/ops-301-Reading-Notes GitHub Wiki

Reading 10

GPT4 insertions indicated by: 🤖


Statement of relevance:

  • A VPC is an extremely useful resource, allowing for private access to otherwise public resources, and enabling public facing sites to run entirely in the cloud with a much greater level of security and scalability. A great number of companies utilize VPC providers to run their services, and so it is vital to familiarize ourselves not only with what they are, but how they work, why they work, and how we can use them.

How can one host within a VPC any services that need to be public?

  • There are several components that enable a VPC to host public-facing services. Depending on your specific use case, you may need to add more functions to improve or enable functionality in certain aspects. However, the core, bare-minimum technologies that enable a public-facing service to work within a VPC are as follows:
  • IP addressing: Each VPC is assigned its own private IP address range, which is divided into subnets. An instance in a subnet that is meant to be public facing can be associated with a public IP address so that it can be reached over the internet.
  • An Internet Gateway: An Internet Gateway is a service that allows communication between instances within the VPC and the public internet. It is essential for providing a path between your web server (or other service) and the internet, and vice versa.
  • Routing: Each VPC uses its routing table to control where network traffic is directed. This would be used to create a route that directs outbound traffic to the internet.
  • Security Groups: Security Groups act as a virtual firewall for an instance within a VPC, controlling inbound and outbound traffic as any firewall would. It could be used to lock down unused ports to prevent unauthorized access, while enabling the ones needed to host your public facing service.
  • These four are the absolute minimum vital technologies that enable a public facing service within a VPC to work, but as mentioned earlier, more technologies can be added on depending on the use case.
  • 🤖 Network Address Translation (NAT) is another key technology that can be used within a VPC. It allows a public-facing website or application to run in a VPC by matching private IP addresses to a public IP address for connections with the public Internet.

What are examples of services that would live in the publicly-accessible part of the VPC? The privately-accessible part?

  • One example is a web server, as mentioned earlier. In this case the web server is configured to accept HTTP requests, while any sensitive data is stored on servers within a private subnet of the same VPC, so that a large organization's public-facing site cannot be used to reach sensitive resources directly. The web server can still delegate access based on user credentials: your banking website lets you view your balance once you log in, but if you close the window and navigate to the same URL or IP again, it prompts you for your credentials again or denies access altogether.
  • 🤖 The use of a VPN for secure connection to the VPC is crucial, especially when dealing with sensitive data. This ensures that data passing into and out of the VPC is not visible to other public cloud users.

What are the trade-offs of using a VPC vs traditional infrastructure?

  • You would not have direct access to the physical hardware, so the interactions you could perform within the network would be limited to what can be done through the VPC's GUI (remember your EC2 struggles). Any faults, outages, or other failures within that cloud infrastructure could lead to issues that you have no ability to mitigate yourself; the only way to counteract this is to have a thorough backup ready, which would likely require either local infrastructure or further use of cloud resources.
  • On the other hand, you do not have to maintain or purchase new physical hardware. You also do not require any storage space on hand: a company could run out of a small room, running their entire infrastructure within a VPC, and not be hard pressed for space at all. The burden of upgrading and maintaining a system is removed from your shoulders, and whenever you need access to more resources, you can easily purchase more for a much lower cost than buying and installing new hardware.
  • 🤖 The scalability of a VPC is a significant advantage over traditional infrastructure. Because a VPC is hosted by a public cloud provider, customers can add more computing resources on demand.
  • 🤖 VPCs also offer better performance and security. Cloud-hosted websites and applications typically perform better than those hosted on local on-premises servers. Plus, public cloud providers that offer VPCs often have more resources for updating and maintaining the infrastructure, which can be especially beneficial for small and mid-market businesses.

Things I want to know more about:

  • What exactly are the most common use cases for public facing services running on VPCs?
  • 🤖 The most common use cases for public-facing services running on VPCs include hosting websites, web applications, and APIs. These services need to be accessible to users on the internet, but also need the security and isolation provided by a VPC. E-commerce platforms, content delivery networks (CDNs), and customer-facing portals are other examples of public-facing services that can benefit from being hosted in a VPC.
  • What are some of the most common use cases for services housed on privately accessible VPCs?
  • 🤖 Services housed on privately accessible VPCs are typically those that handle sensitive data or internal operations. This includes databases, internal application servers, and systems for logging, monitoring, or analytics. For example, a company might use a private subnet within a VPC to host a database containing sensitive customer information. This database needs to be accessible to the company's application servers (which might be in a public subnet), but should not be directly accessible from the internet.
  • What are some of the security risks of using a VPC as opposed to maintaining on-site hardware with which to host your service?
  • 🤖 While VPCs offer many security advantages, there are still potential risks. Misconfigurations are a common issue: if a security group or network ACL is not configured correctly, it could accidentally expose sensitive services to the internet. Also, while the cloud provider is responsible for the security of the underlying infrastructure, the customer is responsible for securing their own applications and data within the VPC. This shared responsibility model can lead to security gaps if not managed properly. Lastly, using a VPC can lead to increased reliance on a single cloud provider, which can be a risk if the provider experiences an outage or other issues.
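The four components listed above (addressing, Internet Gateway, routing, security groups) decide together whether an instance is really reachable from the internet, and the misconfiguration risk just described is usually a security-group rule that is too open. The following added example (my own code, not from the reading or from any cloud provider's SDK) combines them into a small audit over a constructed, simplified data model; the subnet names, `igw-example`/`nat-example` targets and IP addresses are made-up sample values.

```python
from typing import Optional, List, Tuple, Set
from dataclasses import dataclass

WEB_PORTS = {80, 443}  # the ports a public-facing web service is meant to expose

@dataclass
class Instance:
    name: str
    subnet: str
    public_ip: Optional[str]                # None: no public address, so nothing routes to it
    ingress: List[Tuple[int, int, str]]     # security-group rules as (from_port, to_port, source_cidr)

def public_subnets(route_tables) -> Set[str]:
    """A subnet is public only if its route table sends 0.0.0.0/0 to an internet gateway.
    A default route to a NAT gateway gives outbound access but does not make the subnet public."""
    public = set()
    for rt in route_tables:
        if any(dst == "0.0.0.0/0" and tgt.startswith("igw-") for dst, tgt in rt["routes"]):
            public.update(rt["subnets"])
    return public

def internet_exposed_ports(inst: Instance, public: Set[str]) -> Set[int]:
    """Ports reachable from anywhere: public subnet + public IP + a world-open security-group rule."""
    if inst.subnet not in public or inst.public_ip is None:
        return set()
    return {p for lo, hi, cidr in inst.ingress if cidr == "0.0.0.0/0" for p in range(lo, hi + 1)}

def audit(route_tables, instances) -> List[Tuple[str, int]]:
    """(instance, port) pairs exposed to the internet that are not the intended web ports."""
    public = public_subnets(route_tables)
    return sorted((i.name, p) for i in instances
                  for p in internet_exposed_ports(i, public) - WEB_PORTS)

# Constructed sample: a public web tier and a private database tier in one VPC.
ROUTE_TABLES = [
    {"subnets": ["subnet-public"],  "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-example")]},
    {"subnets": ["subnet-private"], "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-example")]},
]
INSTANCES = [
    # web server: 80/443 open to the world is intended; 22 open to the world is the misconfiguration
    Instance("web", "subnet-public", "203.0.113.10",
             [(80, 80, "0.0.0.0/0"), (443, 443, "0.0.0.0/0"), (22, 22, "0.0.0.0/0")]),
    # database: its security group is world-open on 3306, but with no public IP and no IGW route
    # in its subnet the rule is unreachable, which is exactly why the private subnet exists
    Instance("db", "subnet-private", None, [(3306, 3306, "0.0.0.0/0")]),
]

if __name__ == "__main__":
    for name, port in audit(ROUTE_TABLES, INSTANCES):
        print(f"{name}: port {port} is open to 0.0.0.0/0 but is not a web port")
```

The database's over-permissive rule still deserves fixing: it becomes reachable the moment someone moves that instance to a public subnet or attaches a public IP.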