AWS VPC Control Plane & Data Plane

Amazon Virtual Private Cloud

AWS VPC (Amazon Virtual Private Cloud) is, in effect, another virtual data center hosted in the cloud and available in each AWS Region.

In AWS, each Region consists of several Availability Zones (AZs); each AZ is an isolated location made up of one or more data centers.

A VPC spans multiple AZs within one Region, but it does not span Regions. Each VPC has a CIDR block (IP address range) attached to it, and the subnets of the VPC are allocated from that CIDR. The CIDR range is local to the VPC and may overlap with that of another VPC, but if VPC peering is to be configured, each peered VPC needs a unique, non-overlapping CIDR range. Subnets allocated from the CIDR are AZ-specific: each subnet lives in exactly one AZ.

Subnets created in a VPC are categorized as public or private. A public subnet is one whose route table has a route to an Internet Gateway; public-facing components such as web servers, the Internet Gateway and NAT Gateways belong to public subnets.

Private subnets hold the application servers and databases that have no direct internet connectivity. An EC2 instance in a private subnet reaches the internet through a NAT Gateway; for that to work, the private subnet's route table must contain a route pointing to the NAT Gateway.

Communication between an EC2 instance in a public subnet and one in a private subnet of the same VPC is routed through the VPC's main route table.

Every VPC is created with a default NACL (Network Access Control List), which is bound to every subnet in that VPC. Because NACLs are stateless, inbound and outbound traffic must each be permitted explicitly by a separate inbound rule and outbound rule; a reply is never allowed just because the request was. By default, the NACL allows all inbound and outbound traffic.
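As an added example (not from the original page), the following Python model evaluates NACL rules the way the text describes: numbered rules are checked in ascending order, the first match wins, an implicit deny sits at the end, and there is no connection tracking, so a reply packet must match an explicit rule in the opposite direction. The rule sets, client address and ephemeral port are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NaclRule:
    number: int          # rules are evaluated in ascending rule-number order
    action: str          # "allow" or "deny"
    protocol: str        # "tcp", "udp", "icmp" or "-1" (all protocols)
    cidr: str            # remote CIDR: source for inbound, destination for outbound
    port_from: int = 0   # destination port range of the packet being checked
    port_to: int = 65535

def evaluate(rules, remote_addr, protocol, dest_port):
    """Stateless lookup for one packet: the lowest-numbered matching rule
    decides; if nothing matches, the implicit '*' rule denies."""
    addr = ipaddress.ip_address(remote_addr)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol != "-1" and not (rule.port_from <= dest_port <= rule.port_to):
            continue
        return rule.action == "allow"
    return False  # implicit deny

# Constructed rule sets for a public subnet hosting an HTTPS server.
DEFAULT_NACL = [NaclRule(100, "allow", "-1", "0.0.0.0/0")]  # allow-all, as created with the VPC
INBOUND = [NaclRule(100, "allow", "tcp", "0.0.0.0/0", 443, 443)]
# Outbound set that mirrors the inbound one but forgets that replies go to the
# client's ephemeral port, not to 443.
OUTBOUND_BROKEN = [NaclRule(100, "allow", "tcp", "0.0.0.0/0", 443, 443)]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [NaclRule(110, "allow", "tcp", "0.0.0.0/0", 1024, 65535)]

def https_session_allowed(inbound, outbound, client="203.0.113.10", client_port=51000):
    """Because the NACL keeps no state, the client's request (to :443) must pass
    the inbound rules AND the server's reply (to the client's ephemeral port)
    must pass the outbound rules."""
    request_ok = evaluate(inbound, client, "tcp", 443)
    reply_ok = evaluate(outbound, client, "tcp", client_port)
    return request_ok and reply_ok

if __name__ == "__main__":
    print("default NACL, any packet:", evaluate(DEFAULT_NACL, "10.0.1.5", "udp", 53))
    print("HTTPS with broken outbound:", https_session_allowed(INBOUND, OUTBOUND_BROKEN))
    print("HTTPS with fixed outbound:", https_session_allowed(INBOUND, OUTBOUND_FIXED))
```

The same check, run against a private subnet's rules, is a quick way to confirm that the ephemeral-port rules a NAT Gateway path depends on are actually present.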

AWS Control Plane & Data Plane Functions:

The AWS control plane comes into play when two EC2 instances initiate a TCP session between them.

Here, two EC2 instances are launched on two different physical hosts in two different AZs. Each physical host has a Nitro card for VPC, which is responsible for routing data packets and for their encapsulation and decapsulation. Security Groups are also enforced in hardware on the Nitro card for VPC.

The AWS control plane depends on the Mapping Service. In the control plane, the physical network switches are responsible for underlay network routing, for advertising MAC/IP information to the Mapping Service, and for distributing routing information to each physical host.

Mapping Register:

As soon as an EC2 instance is launched, its information is registered with the Mapping Service database. Each physical host also caches the MAC/IP information of its own EC2 instances locally.

Once the information is sent to the Mapping Service, the Mapping Service keeps the following in its database table:

  • EC2 instance MAC/IP address bound to the ENI
  • Virtual network identifier, which is the VPC
  • Physical host IP on which the EC2 instance was launched
  • Encapsulation mode

Refer to the figure below for the VPC control plane operation: mapping register.

GENERAL FAQ

AWS VPC is a virtual network built within an AWS Region. It operates as an individual data center located in the cloud. You are in charge of the subnets, IP addresses, routing, and network access within the VPC.

A VPC is part of an AWS Region and may span several Availability Zones within that Region. Subnets are bound to a specific Availability Zone and cannot span AZs.

Public subnets connect via an Internet Gateway and host internet-facing resources. Private subnets have no directly connected internet access; they reach the internet via a NAT Gateway through routes defined in the subnet's route table.

Communication between EC2 instances in private and public subnets takes place through the VPC's main route table. As long as the security rules and routing allow it, instances in the same VPC can communicate.

Each VPC comes with a pre-defined Network Access Control List that applies to all subnets. NACLs are stateless, which means you have to set rules for both inbound and outbound traffic. By default, the NACL lets all traffic in and out.

The control plane is responsible for how EC2 instances find and reach one another. Once an EC2 instance is created, its MAC and IP information is registered with the Mapping Service. Physical hosts use this information to direct traffic via the Nitro card, which also enforces the security rules at the hardware level.
