Ref: https://learn.cantrill.io/courses/1820301/lectures/41301351

DEMO: https://learn.cantrill.io/courses/1820301/lectures/41301352 and https://learn.cantrill.io/courses/1820301/lectures/41301353

• Summary
• Contents:

VPC Router

• 🔧 Moves (routes) traffic inside a VPC
  • Enabled by default: routing VPC-internal traffic (inside subnets & between subnets)
  • Requires additional config: routing VPC-outbound traffic
• Present in every VPC
  • Has a NW interface in every subnet
  • NW interface's IP = Network + 1 address of the subnet
• Highly available → Runs in all AZs of the VPC (no need to worry about its availability)
• Controllable via route tables

VPC Route Table (RT)

• 🔧 List of routes
  • A route indicates where an IP packet needs to go (target) based on its DST IP (destination)
• Route components
  • Destination: a CIDR that determines whether the IP packet can take this route or not
    • If Destination CIDR does not cover the packet's DST IP, it will never take this route
  • Target: where to forward the IP packet if DST IP is covered in Destination CIDR
    • local: stays in the VPC itself, VPC Router will direct to appropriate resource
    • Internet Gateway (IGW): VPC-outbound traffic, will route to public internet
    • Other VPC Gateway objects also possible (GWE, VGW, TGW…)
• ❗ If many routes match/overlap with DST IP, the most specific one is chosen
  • higher prefix in a route = more specific route = higher priority
• ❗Each VPC subnet always has one (and only one!) RT associated to it
  • By default the subnet's RT is the VPC main RT
  • One can associate a custom RT (or the VPC main RT) to the subnet → previous RT then gets disassociated from subnet
  • A RT can be associated to many subnets
• Local route = a route where Destination CIDR matches the VPC CIDR
  • Every RT has at least one local route (the IPv4 local route)
  • If VPC has IPv6 CIDR → there's an additional IPv6 local route
  • Always present
  • Can never be updated
  • ‼️ Always take priority! → exception to “higher prefix = higher priority” rule
• Default route → determines where to send traffic when no other routes match
  • IPv4: destination = 0.0.0.0/0
  • IPv6: destination = ::/0

Internet Gateway (IGW)

• 🔧 Gateways traffic between the internet/AWS public zone and VPC resources
  • 💡 An IGW runs in the border between a VPC and the AWS public zone
  • Public AWS services (S3, SQS, SNS…) run in the AWS public zone → IGW is needed to reach their public endpoints from your VPC
  • VPC resources that can access the IGW must have allocated public IPv4 addresses and/or allocated IPv6 addresses
  • When attached to VPC, its IP address can be used as a target in a RT (VPC-outbound traffic)