Reputation: 13
I have the following three network architectures (similar to https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario3.html) that are to be used on web-based, DB-driven applications to:
Note the CIDRs for each VPC and each subnet. Each subnet’s access is controlled by Route Tables and Network Access Control Lists which are not displayed in the diagrams for simplicity reasons. All subnets are different, some are public and some are private, some need to interact with some other ones as can be seen with the arrows.
Questions:
Thoughts are greatly appreciated.
Upvotes: 1
Views: 511
Reputation: 13
Thank you @Raunak-Jhawar. You are right about VPC Architecture 1 being good for starters. But as more nodes are added to the VPC, this Architecture will become more complex and difficult to manage.
All of my VPC Network Architecture designs are correct and will work depending on your needs. However, I'd like to share some information that the great folks at AWS Support have given me.
VPC Architecture 1:
This Architecture is pretty much simple. Everything will work like a charm. You can deploy the application servers in a public subnet and the DB servers in a private subnet (if you do not wish to grant access to the DB server from the internet). This Architecture will be easy to manage and all your requirements will be fulfilled with this type of Architecture.
VPC Architecture 2:
I can see that in VPC2, the CIDR block given was 10.0.0.0/20, which gives us the IP range from 10.0.0.0 to 10.0.15.255. However, VPC3 has a CIDR block given as 10.0.2.0/20, which also falls in the same range as the VPC2 IP addresses. Hence, Architectures 2 and 3 become the same here. I believe you wanted to show non-overlapping CIDR ranges in VPCs 2 and 3. Following my assumption, I would like to inform you that this Architecture can also be used. Customers use this kind of Architecture when they have multiple end customers, and these end customers also want to communicate with each other through VPC peering. VPC peering is possible when the VPCs have non-overlapping subnets.
VPC Architecture 3:
This Architecture could also work; however, VPC peering/bridging is not possible in this case, because VPC 4 and 5 have the same CIDR IP range. Hence, this is not a valid Architecture if you want to make VPC 4 and 5 communicate with each other.
This is great information.
Upvotes: 0
Reputation: 1651
Is VPC Architecture 2 an enhancement over VPC Architecture 1?
For all practical purposes, VPC illustration 1 is more subtle for your use case and also offers to avoid any inter-region or across-region VPC peering management/costs.
Is VPC Architecture 3 an enhancement over VPC Architecture 2? (Note how each VPC CIDR is the same 10.0.0.0/20)
No, this is not a case of enhancement. As a matter of fact, you should not have overlapping CIDR ranges across VPCs regardless of whether you do VPC peering or not in your account.
Is there or could there be a penalty for VPC Architecture 3 to have the same VPC CIDR of 10.0.0.0/20? What if I decide to bridge vpc-4 and vpc-5?
Yes, you should not create another VPC with overlapping or matching CIDR ranges.
If none of these architectures are good for my web-db networking needs, could you provide or point me towards good network architecture guidelines?
For all practical needs for this use case, illustration 1 is good for starters.
Upvotes: 1
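Both answers above turn on the same check: whether two VPC CIDR blocks overlap, which decides whether VPC peering is possible at all. The following Python script is an added example (not code from either poster or from AWS) that reproduces the CIDR arithmetic from the AWS Support reply with the standard library's `ipaddress` module. It uses the four VPC CIDRs quoted in the thread (the `vpc-2` … `vpc-5` labels and the dictionary layout are assumptions for this example), normalizes the non-canonical `10.0.2.0/20` so its real range becomes visible, lists every pair of VPCs that could not be peered, and finally shows how to carve non-overlapping /20 blocks out of a larger supernet, which is the fix both answers point to.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed input: the VPC CIDRs discussed in the thread. The labels and the
# dict layout are assumptions made for this example, not an AWS data structure.
VPC_CIDRS: Dict[str, str] = {
    "vpc-2": "10.0.0.0/20",
    "vpc-3": "10.0.2.0/20",  # host bits set: not a canonical network address
    "vpc-4": "10.0.0.0/20",
    "vpc-5": "10.0.0.0/20",
}


def normalize(cidr: str) -> ipaddress.IPv4Network:
    """Return the canonical network for a CIDR string.

    A value such as 10.0.2.0/20 has host bits set; with strict=False the host
    bits are masked off and the block normalizes to 10.0.0.0/20 instead of
    raising ValueError. That is exactly why "10.0.2.0/20" is not a distinct
    range from "10.0.0.0/20".
    """
    return ipaddress.ip_network(cidr, strict=False)


def address_range(cidr: str) -> Tuple[str, str]:
    """First and last address covered by the block, e.g. 10.0.0.0 - 10.0.15.255."""
    net = normalize(cidr)
    return str(net.network_address), str(net.broadcast_address)


def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """VPC peering requires the two CIDR blocks not to overlap."""
    return not normalize(cidr_a).overlaps(normalize(cidr_b))


def overlapping_pairs(cidrs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return every pair of VPC labels whose blocks overlap (so cannot be peered)."""
    names = sorted(cidrs)
    pairs: List[Tuple[str, str]] = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if not can_peer(cidrs[a], cidrs[b]):
                pairs.append((a, b))
    return pairs


def allocate_nonoverlapping(supernet: str, count: int, prefix: int) -> List[str]:
    """Carve `count` non-overlapping /prefix blocks out of `supernet`.

    Assigning each VPC its own slice of one supernet (for example /20s out of
    10.0.0.0/16) is the simplest way to guarantee peering stays possible.
    """
    subnets = ipaddress.ip_network(supernet).subnets(new_prefix=prefix)
    chosen = [str(s) for _, s in zip(range(count), subnets)]
    if len(chosen) < count:
        raise ValueError(f"{supernet} holds fewer than {count} /{prefix} blocks")
    return chosen


if __name__ == "__main__":
    for name, cidr in VPC_CIDRS.items():
        lo, hi = address_range(cidr)
        print(f"{name}: {cidr} -> {normalize(cidr)} ({lo} - {hi})")
    print("un-peerable pairs:", overlapping_pairs(VPC_CIDRS))
    print("vpc-2 <-> vpc-3 peerable:", can_peer(VPC_CIDRS["vpc-2"], VPC_CIDRS["vpc-3"]))
    print("non-overlapping /20s from 10.0.0.0/16:", allocate_nonoverlapping("10.0.0.0/16", 4, 20))
```

Running it shows that all four blocks collapse to 10.0.0.0/20 (10.0.0.0 to 10.0.15.255), so every pair in the diagram is un-peerable, while the last line prints four /20 blocks that could be used instead. The same `can_peer` check is worth running before creating any new VPC, not only when peering is planned, since it also catches overlaps with on-premises ranges reached over VPN or Direct Connect.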