A VPC, or Virtual Private Cloud, is essentially your own private network in AWS. A VPC allows you to define your private IP range for your AWS resources, and you place things like ec2 instances and ELBs inside of your VPC. Now, you don't just go throw your resources into a VPC and move on. You place them into different subnets. Subnets are chunks of IP addresses in your VPC that allow you to group resources together. Subnets, along with networking rules we will cover later, control whether resources are either publicly, or privately available. What we haven't told you yet, is there are actually ways you can control what traffic gets into your VPC at all. What I mean by this is, for some VPCs, you might have Internet-facing resources that the public should be able to reach, like a public website, for example. However, in other scenarios, you might have resources that you'll only want to be reachable if someone is logged into your private network. This might be internal services like an HR application, or a back-end database. First, let's talk about public-facing resources. In order to allow traffic from the public Internet to flow into and out of your VPC, you must attach what is called an Internet gateway, or IGW, to your VPC. An Internet gateway is like a doorway that is open to the public. Think of a coffee shop. Without a front door, the customers couldn't get in, and order their coffee. So we install a front door, and the people can then go in and out of that door when coming and going from our shop. The front door in this example is like an Internet gateway. Without it, no one can reach the resources placed inside of your VPC. Next, let's talk about a VPC with all internal private resources. We don't want just anyone from anywhere to be able to reach these resources, so we don't want an Internet gateway attached to our VPC. Instead, we want a private gateway that only allows people in if they're coming from an approved network, not the public Internet. This private doorway is called a virtual private gateway, and it allows you to create a VPN connection between a private network, like your on-premises data center, or internal corporate network to your VPC. To relate this back to the coffee shop, this would be like having a private bus route going from my building to the coffee shop. If I want to go get coffee, I first must badge into the building thus authenticating my identity, and then I can take the secret bus route to the internal coffee shop that only people from my building can use. If you want to establish an encrypted VPN connection to your private, internal AWS resources, you would need to attach a virtual private gateway to your VPC. Now, the problem with our super-secret bus route is that it still uses the open road. It's susceptible to a traffic jams and slowdowns caused by the rest of the world going about their business. The same thing is true for VPN connections. They are private, and they are encrypted, but they still use a regular Internet connection that has bandwidth that is being shared by many people using the Internet. So what I've done to make things more reliable, and less susceptible to slowdowns, is I made a totally separate magic doorway that leads directly from the studio into the coffee shop. No one else driving around on the road can slow me down, because this is my direct doorway. No one else can use it. What? Did you not have a secret magic doorway into your favorite coffee shop? Moving on. The point being is you still want a private connection, but you want it to be dedicated and shared with no one else. You want the lowest amount of latency possible with the highest amount of security possible. With AWS, you can achieve that using what is called AWS Direct Connect. Direct Connect allows you to establish a completely private, dedicated fiber connection from your data center to AWS. You work with a Direct Connect partner in your area to establish this connection. Because like my magic doorway, AWS Direct Connect provides a physical line that connects your network to your AWS VPC. This can help you meet high regulatory and compliance needs, as well as sidestep any potential bandwidth issues. It's also important to note that one VPC might have multiple types of gateways attached for multiple types of resources, all residing in the same VPC, just in different subnets. Thanks for listening. I'm going to sit here and keep ordering coffees from my magic door. See you.
