top of page

The backbone of AWS - EC2 - [Networking Concepts]

Make sure you read the Cloud's basics and the overview of networking components here. There I explained some concepts/prerequisites required to understand EC2 instances in simple terms.

Every device inside a network is called a Host. Each host has an IP address to access them through the network links.

Understanding IPv4:

When the application is deployed on the server, the server becomes the host when it is connected to the network and will have an IP address. If you are an end user, you don't give an IP address because it is cumbersome. Therefore DNS comes.

DNS - Domain Naming System.

For example,

If you type, the DNS server (ISP provider has this server) resolves to the IP address(say -, and then it reaches a particular IP address in the network.

Structure of IPv4:

A total of 32 bits are divided by dots on every 8 bits(1 byte), and each byte is converted to decimal notation for the decimal version of the IP address.

That's called dotted decimal notation.

Do this at home, connect your laptop and mobile to your Wi-fi and type ipconfig in the command prompt(Windows) - you will get this.

For mobile,

Observe IPv4 address in both mobile and laptop, and Here only the 4th byte, 113 and 76, changes, and the rest three bytes remain unchanged.

192.168.29 is called Network ID, which is unchangeable if we connect more devices. The last byte, which is changeable, is the Host ID, and the hosts are laptop and mobile.

This essentially translates to the device or host being connected to the parent network with Network ID 192.168.29.

How many hosts or devices we connect depends on the parent network.

We can create many child networks from the parent network. These are called subnets. We can group hosts or devices into the subnets.

Relation between CIDR and IP range and total hosts in a network!

When you create a network in AWS, you create Virtual Private Cloud(VPC). So definition would be,

Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you've defined. This virtual network resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.

In simple terms, VPC helps to create a virtual network in AWS. This VPC network is represented by CIDR notation. Based on the CIDR, we create subnets. Each subnet takes a specific range of IP addresses from VPC to allocate to the AWS resources(EC2). This process is called a Subnet mask.

What is masked here? A portion of Network ID from VPC.

Subnet Mask Explained!






Subnet Mask


Network ID = AND operation of IP and Subnet mask.


Subnet Mask

Network ID




So the network ID in decimal format is

Leverage good explanations whenever needed, I think I found the best video on subnet mask before proceeding further. The link is below!

I assume you watched the above video.

I am decoding CIDR notation!

It is denoted by [/number of bits reserved in IP address].For example,

[8 bits].[8 bits].[8 bits].[8 bits]

/8 = First 8 bits are reserved for the Network ID.

/16 = First 16 bits are reserved for the Network ID.

/20 = First 16 bits + borrowed 4 bits from the third byte or octet for the Network ID.

/26 = First 24 bits and borrowed 2 bits from the fourth byte or octet for the Network ID.

The total number of IPs in a particular CIDR notation is,

/32 = 1 IP

/31 = 2 IP's

/30 = 4 IP's

/29 = 8 IP's

/28 = 16 IP's

/27 = 32 IP's

/26 = 64 IP's

/25 = 128 IP's

/24 = 256 IP's and so on.

Found a pattern. Yes, it is in the power of 2.

So if you want to create 40 IPs, your CIDR should be in /26; if you wish 200 IPs, it should be /24 CIDR.

Enough let's get back to Subnets!
Subnet = Network within a Network.

We know each network is identified by Network ID, which is reserved for all IPs within the network.

So if you create Subnets, you essentially borrow from the variable part of the Parent network.

Variable network = Host ID.

Borrowing bits from the parent host ID and making it a part of the network ID when hosts are connected is called Subnetting.

Subnet = Parent Host ID to Network ID conversion.

When you create Virtual Private Cloud(VPC) in AWS, you create a CIDR notation. From CIDR notation, we can create Subnets depending on the number of IPs and resource grouping for each subnet.

Overall Picture looks like this in AWS,

If you observe,

  • VPC must be within Region.

  • VPC can span across multiple Availability zones within the same region.

  • The subnet must be within the Availability zone.

  • VPC has /16 masks (The first two octets are reserved)

  • Subnet = Conversion of host portion to network portion.

  • If I convert the third octet fully to network ID, then I get /24 mask. Hence anything within the subnet mask /24 will have the first three octets reserved.

VPC Router, Route table, and Internet gateway.

A router is a component that enables communication between subnets and the outside world(Internet).

If a subnet can communicate with the outside world(Internet), it is called Public Subnet, and if it can't, it is called a Private Subnet.

Who decides whether it is Private or Public? Route table.

Each subnet has a route table attached, and from the table information, the router decides whether it is a public or private subnet.

The component that connects to the internet is called the Internet Gateway(IGW).

A private subnet doesn't have IGW IP in it, and hence it cannot be connected to the outside world.

Anything within the mask of /16 will be local. This is recognized by the VPC router.

Public IP vs. Private IP:

When your device wants to communicate with the internet, it should have unique IPs throughout the globe. This IP is called Public IP.

Private IPs are used within the network, like offices, buildings, etc.

To make communication with the Internet, we need a public IP address, and that should be unique.

  • When creating EC2 instances, AWS automatically assigns a Public IP address to you.

  • The problem with the default assignment of public IP is when you stop and start the EC2 instances, Public IP assigned by AWS will change.

  • If we want public IP to be constant irrespective of the start and stop of instances, we need a service called Elastic IP in AWS.

We can attach the Elastic IP created to specific instances, and we can also detach them from instances.

What if we want to connect a Private Subnet to the Internet for software update/patch update? We need a NAT gateway for it.

IGW vs. NAT gateway

The rule of thumb is,

If the internet can't access from outside(Internet) - a NAT gateway is used.

If the Internet can access the resource - IGW is used.

Network Security

Here is the simple recap from the bottom-up approach:

  • We have a resource called EC2 instance. This EC2 needs to connect to a network.

  • We place EC2 inside a Subnet.

  • VPC contains many Subnets.

  • Subnet and EC2 are connected by ENI(Elastic Network Interface).

Every organization will have security policies. These policies decide inbound and outbound network traffic rules. The component that implements the policy is called Firewalls. Firewalls operate at NIC(Network Interface Card level).

AWS's equivalent of a Firewall is Security Groups. They operate at the ENI level just like firewalls operate at the NIC level.

We have security at the EC2 instances level(ENI), but what about subnet-level security? They are called NACL(Network Access Control Lists).

NACL is called the gatekeeper of Subnet.

bottom of page