How to design a VPC


Hello everyone,

I am learning about VPCs, and I have questions about how to design them, along with subnets.

Let me give a practical example to raise my doubts: imagine that we have an application where, on the one hand, we have the backend made with microservices (for example, 3 microservices) and, on the other, we have a frontend.

When adding subnets to the VPC, how would it be designed for a project like this?

Should it have a subnet for each part of the project (frontend and backend), making 2 subnets in total? Or one for each microservice, making 4 subnets in total?

Do you understand my doubts? I would like to know, when creating a VPC, how to design it, how many subnets are created and why that amount is chosen, etc.

Thank you very much in advance. Best regards. I look forward to your answers :)

Daniel
asked a month ago, 284 views
1 Answer
Accepted Answer

There are several factors which can determine the design of your VPC. I have summarized the different factors with some possible solutions. Feel free to deviate from this if you have different requirements.

Designing VPCs and Subnets

  1. Public and Private Subnets:
  • Separate public subnet for resources that need internet access (load balancers, bastion hosts)
  • Private subnet(s) for resources that shouldn't be publicly accessible (application servers, databases)

Note: The reason for doing this is that route tables are applied on a subnet level.

  2. Number of Subnets:
  • At least two private subnets, each in a different Availability Zone (AZ) for high availability
  • Frontend and backend components can share private subnets and use security groups (SGs) to allow appropriate traffic to the microservice. Remember, an SG can reference itself or other SGs.
  3. Microservices:
  • Deploy microservices within the same private subnets
  • Use security groups and network ACLs to control communication between microservices and other components
  4. Security Groups and Network ACLs:
  • Security groups act as stateful virtual firewalls for instances (inbound/outbound traffic)
  • Network ACLs act as stateless firewalls at the subnet level. Usually SGs meet the requirements of customers; I recommend proceeding with SGs as your stateful firewall.
  • Use them to enforce strict security policies and control traffic between subnets and components
  5. Resiliency and High Availability:
  • Deploy components across multiple AZs to ensure resiliency
  • If one AZ goes down, workloads can fail over to other AZ(s)
  6. Scalability:
  • Consider future growth when sizing CIDR blocks for subnets to avoid IP address exhaustion. By leveraging fewer subnets, you mitigate the risk of certain subnets exhausting their IP allocation. It might be very hard to estimate which workloads are going to consume IP addresses if you proceed with a DB subnet, app subnet, frontend subnet and so on.

Design your VPC and subnets based on your application's security, availability, and scalability requirements.

This architecture illustrates what I'm talking about above:

[Architecture diagram: image not included in the extracted page]

Taken from this link.

Hope this helps.

AWS
emned
answered a month ago
Sandeep (EXPERT) reviewed a month ago
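The layout described in the accepted answer (one public and one private subnet per AZ across two AZs, fewer and larger subnets sized from the VPC CIDR, and security groups that reference other security groups rather than per-service subnets) can be sketched as a small planning script. The following is an added example and is not code from the original post or from AWS; the VPC range `10.0.0.0/16`, the AZ names, the security-group names and the port numbers are constructed values, and the security-group model is a simplified stand-in for the real EC2 rule semantics.

```python
import ipaddress

# Constructed inputs: a /16 VPC and two Availability Zones for high availability.
VPC_CIDR = "10.0.0.0/16"
AZS = ["us-east-1a", "us-east-1b"]

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, azs, subnet_prefix=20):
    """Carve one public and one private subnet per AZ out of the VPC CIDR.

    Using a few large subnets (here /20, ~4k hosts each) instead of one
    subnet per tier or per microservice lowers the chance that a single
    subnet exhausts its allocation while others sit mostly empty.
    Route tables are attached per subnet, so the tier decides the default
    route: public subnets route 0.0.0.0/0 to an internet gateway, private
    ones to a NAT gateway.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = vpc.subnets(new_prefix=subnet_prefix)
    plan = []
    for az in azs:
        for tier in ("public", "private"):
            block = next(blocks)
            plan.append({
                "az": az,
                "tier": tier,
                "cidr": str(block),
                "usable_hosts": block.num_addresses - AWS_RESERVED_PER_SUBNET,
                "default_route": "igw" if tier == "public" else "nat-gw",
            })
    return plan


def plan_is_valid(vpc_cidr, plan):
    """Check that every subnet lies inside the VPC and none overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(s["cidr"]) for s in plan]
    if not all(n.subnet_of(vpc) for n in nets):
        return False
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


# Inbound rules per security group: (protocol, port, source). A source is either
# a CIDR or the name of another security group. Frontend and backend share the
# private subnets; isolation comes from these SG references, not from subnets.
# The backend SG references itself so the three microservices can talk to each
# other while the load balancer cannot reach them directly.
SECURITY_GROUPS = {
    "alb-sg":      [("tcp", 443, "0.0.0.0/0")],
    "frontend-sg": [("tcp", 8080, "alb-sg")],
    "backend-sg":  [("tcp", 8080, "frontend-sg"), ("tcp", 8080, "backend-sg")],
    "db-sg":       [("tcp", 5432, "backend-sg")],
}


def is_allowed(src_sg, dst_sg, port, proto="tcp"):
    """Return True if dst_sg's inbound rules permit traffic from src_sg.

    Security groups are stateful, so only the initiating direction needs a
    rule; the reply is allowed automatically. This simplified evaluator
    treats a 0.0.0.0/0 source as matching any origin.
    """
    for rule_proto, rule_port, source in SECURITY_GROUPS.get(dst_sg, []):
        if rule_proto != proto or rule_port != port:
            continue
        if source == src_sg or source == "0.0.0.0/0":
            return True
    return False


if __name__ == "__main__":
    subnets = plan_subnets(VPC_CIDR, AZS)
    for s in subnets:
        print(f"{s['az']:<12} {s['tier']:<8} {s['cidr']:<16} "
              f"usable={s['usable_hosts']} route={s['default_route']}")
    print("plan valid:", plan_is_valid(VPC_CIDR, subnets))
    print("frontend -> backend:", is_allowed("frontend-sg", "backend-sg", 8080))
    print("alb -> backend:", is_allowed("alb-sg", "backend-sg", 8080))
```

Running the script prints four /20 subnets (two per AZ) and shows that the load balancer can reach the frontend but not the backend directly, while backend services can reach each other and the database. Adding a fourth microservice changes only the security-group rules, not the subnet layout.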
