
VPC & Networking in AWS

Designing Secure, Scalable, and Isolated Network Architectures

🌐 What is a Virtual Private Cloud (VPC)?

A Virtual Private Cloud (VPC) is a logically isolated section of AWS where you can launch AWS resources (like EC2, RDS, Lambda) in a custom-defined network, with full control over IP addressing, subnets, routing, and security.

Think of it as your own virtual data center in AWS.

Core Components of a VPC

Component          Description
CIDR Block         IP address range for the VPC (e.g., 10.0.0.0/16)
Subnets            Subdivisions of the VPC (public/private)
Route Tables       Define where network traffic is directed
Internet Gateway   Enables internet access (inbound and outbound) for public subnets
NAT Gateway        Allows private subnets to reach the internet (outbound only)
Security Groups    Firewall rules at instance level (stateful)
Network ACLs       Firewall rules at subnet level (stateless)
VPC Peering        Connect two VPCs privately

Default VPC vs Custom VPC

Feature                Default VPC                  Custom VPC
Automatically created  Yes                          No
Subnets                1 per AZ                     User-defined
Internet Access        Configured                   Needs explicit IGW and route
Use Case               Testing, quick deployments   Production, isolated setups

ASCII Diagram – Custom VPC Layout (Typical 2-Tier App)

                   +----------------------+
                   |     Internet         |
                   +----------+-----------+
                              |
                    +---------v----------+
                    |  Internet Gateway  |
                    +---------+----------+
                              |
                +-------------+--------------+
                |                            |
        +-------v--------+          +--------v-------+
        | Public Subnet 1|          | Public Subnet 2|
        |  (Web Servers) |          | (ALB/NAT GW)   |
        +-------+--------+          +--------+-------+
                |                            |
        +-------v--------+          +--------v-------+
        | Private Subnet1|          | Private Subnet2|
        | (App/DB Layer) |          | (RDS, EC2)     |
        +----------------+          +----------------+

How to Create a Custom VPC (Step-by-Step)

✅ Via AWS Console:

  1. Go to VPC Dashboard → Create VPC
  2. Choose VPC Only or VPC + Subnets (Wizard)
  3. Enter:
    • Name: my-production-vpc
    • IPv4 CIDR: 10.0.0.0/16
    • Tenancy: Default
  4. Click Create

✅ Create Subnets:

  • Public Subnet: 10.0.1.0/24
  • Private Subnet: 10.0.2.0/24

✅ Add an Internet Gateway:

  1. Create and attach to the VPC
  2. Update route table for public subnet → Route to IGW

✅ Add NAT Gateway (for Private Subnet):

  1. Deploy in public subnet
  2. Associate Elastic IP
  3. Route traffic from private subnet → NAT Gateway
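The same console steps driven through the EC2 API, in dependency order (an added example, not code from the original page): it assumes an EC2 client such as boto3.client("ec2") is passed in, keeps the page's CIDRs and VPC name, and validates the subnet CIDRs before creating anything.

```python
import ipaddress

VPC_CIDR, PUBLIC_CIDR, PRIVATE_CIDR = "10.0.0.0/16", "10.0.1.0/24", "10.0.2.0/24"

def check_cidrs(vpc_cidr, *subnet_cidrs):
    """Every subnet must sit inside the VPC block and no two subnets may overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    if not all(n.subnet_of(vpc) for n in nets):
        return False
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def build_vpc(ec2, name="my-production-vpc"):
    """Create the VPC, both subnets, IGW, NAT GW and route tables in dependency order.
    ec2 is an EC2 client such as boto3.client("ec2") (assumption of this example)."""
    if not check_cidrs(VPC_CIDR, PUBLIC_CIDR, PRIVATE_CIDR):
        raise ValueError("subnet CIDRs must lie inside the VPC CIDR and not overlap")
    tag = [{"ResourceType": "vpc", "Tags": [{"Key": "Name", "Value": name}]}]
    vpc_id = ec2.create_vpc(CidrBlock=VPC_CIDR, TagSpecifications=tag)["Vpc"]["VpcId"]
    public = ec2.create_subnet(VpcId=vpc_id, CidrBlock=PUBLIC_CIDR)["Subnet"]["SubnetId"]
    private = ec2.create_subnet(VpcId=vpc_id, CidrBlock=PRIVATE_CIDR)["Subnet"]["SubnetId"]
    # Only the public subnet auto-assigns public IPs; private instances never get one.
    ec2.modify_subnet_attribute(SubnetId=public, MapPublicIpOnLaunch={"Value": True})
    # Internet Gateway: create, attach to the VPC, then send 0.0.0.0/0 from the public subnet to it.
    igw = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw, VpcId=vpc_id)
    public_rt = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=public_rt, DestinationCidrBlock="0.0.0.0/0", GatewayId=igw)
    ec2.associate_route_table(RouteTableId=public_rt, SubnetId=public)
    # NAT Gateway: lives in the public subnet with an Elastic IP; the private subnet's
    # default route points at it, so private hosts get outbound-only internet access.
    eip = ec2.allocate_address(Domain="vpc")["AllocationId"]
    nat = ec2.create_nat_gateway(SubnetId=public, AllocationId=eip)["NatGateway"]["NatGatewayId"]
    ec2.get_waiter("nat_gateway_available").wait(NatGatewayIds=[nat])
    private_rt = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=private_rt, DestinationCidrBlock="0.0.0.0/0", NatGatewayId=nat)
    ec2.associate_route_table(RouteTableId=private_rt, SubnetId=private)
    return {"vpc": vpc_id, "public_subnet": public, "private_subnet": private, "igw": igw, "nat": nat}

if __name__ == "__main__":
    import boto3  # needs AWS credentials; the NAT Gateway it creates is billed by hour and GB
    print(build_vpc(boto3.client("ec2")))
```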

πŸ›‘οΈ Security in VPC – SG vs NACL

Feature    Security Group               Network ACL
Level      Instance-level (stateful)    Subnet-level (stateless)
Rules      Allow only                   Allow and Deny
State      Stateful                     Stateless
Use Case   App-level protection         Subnet-wide firewall

Example Security Group:

Inbound: TCP 22 (SSH) from MyIP
Inbound: TCP 80 (HTTP) from 0.0.0.0/0
Outbound: ALL

Example NACL Rules:

  • Allow TCP 80 from 0.0.0.0/0 (Inbound)
  • Deny all other traffic (Explicit)
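The two rule sets above evaluated in code so the stateful/stateless difference is visible (an added example, not from the original page; the addresses, ports and the MyIP value are constructed): a Security Group passes the web server's reply even with no outbound rule, while the NACL as written above drops the reply, because a stateless filter also needs an outbound rule for the ephemeral port range.

```python
import ipaddress

MY_IP = "203.0.113.10"          # constructed stand-in for "MyIP"
EPHEMERAL = (1024, 65535)       # port range that reply traffic comes back on
ANY_PORT = (0, 65535)

def rule_matches(rule, pkt):
    """rule = (action, direction, proto, (port_lo, port_hi), remote_cidr); pkt is a dict."""
    action, direction, proto, ports, cidr = rule
    if direction != pkt["direction"] or proto not in (pkt["proto"], "all"):
        return False
    remote = pkt["src"] if direction == "in" else pkt["dst"]
    return ports[0] <= pkt["dport"] <= ports[1] and \
        ipaddress.ip_address(remote) in ipaddress.ip_network(cidr)

def sg_allows(rules, pkt, tracked):
    """Stateful: a reply to a connection already allowed is passed without consulting rules."""
    flow = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])
    if flow[2:4] + flow[:2] + flow[4:] in tracked:    # reverse 5-tuple seen before
        return True
    if any(rule_matches(r, pkt) for r in rules if r[0] == "allow"):   # SGs have no deny rules
        tracked.add(flow)
        return True
    return False

def nacl_allows(rules, pkt):
    """Stateless: every packet, replies included, is matched against numbered rules in order."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule[0] == "allow"
    return False   # the final "deny all other traffic" rule

SG_RULES = [("allow", "in", "tcp", (22, 22), MY_IP + "/32"),
            ("allow", "in", "tcp", (80, 80), "0.0.0.0/0"),
            ("allow", "out", "all", ANY_PORT, "0.0.0.0/0")]
NACL_PAGE = [("allow", "in", "tcp", (80, 80), "0.0.0.0/0")]    # the page's NACL example as written
NACL_FIXED = NACL_PAGE + [("allow", "out", "tcp", EPHEMERAL, "0.0.0.0/0")]   # lets replies leave

def http_session(sg, nacl):
    """One HTTP request from 198.51.100.7 to web server 10.0.1.10 and the server's reply (constructed).
    Returns (request_allowed, reply_allowed)."""
    req = {"direction": "in", "proto": "tcp", "src": "198.51.100.7", "sport": 40000,
           "dst": "10.0.1.10", "dport": 80}
    rep = {"direction": "out", "proto": "tcp", "src": "10.0.1.10", "sport": 80,
           "dst": "198.51.100.7", "dport": 40000}
    tracked = set()
    req_ok = nacl_allows(nacl, req) and sg_allows(sg, req, tracked)
    rep_ok = nacl_allows(nacl, rep) and sg_allows(sg, rep, tracked)
    return req_ok, rep_ok
```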

NAT Gateway vs Internet Gateway

Feature             Internet Gateway    NAT Gateway
For Subnet Type     Public Subnet       Private Subnet
Inbound Access      Yes (public IP)     No
Outbound Internet   Yes                 Yes
Elastic IP Needed   Optional            Required
Cost                Free                Paid (by hour & GB)

Route Tables Explained

A route table is a set of rules that decides where traffic leaving a subnet is sent; each subnet is associated with exactly one route table, and the most specific matching destination wins.

Example Routes:

Destination   Target
10.0.0.0/16   local
0.0.0.0/0     igw-xxxxxxxx

✅ VPC Peering

  • Connect two VPCs privately (no internet/GW needed)
  • Same or different accounts/regions
  • Add route entries in both VPCs
  • Access services like S3, Kinesis privately over interface VPC endpoints
  • No need to route traffic over public internet

Advanced Network Architectures

✅ VPC with Multiple AZs and Load Balancer:

              [Internet]
                   |
            [Route 53 DNS]
                   |
       [Application Load Balancer]
                /       \
    [EC2 in Public AZ-A] [EC2 in Public AZ-B]
                \       /
         [Private Subnet with RDS in Multi-AZ]

✅ Best for fault tolerance & multi-AZ failover.

✅ Hybrid Cloud with VPN:

[On-Prem Firewall]----[AWS VPN Gateway]---[Private Subnet]

Use Site-to-Site VPN or Direct Connect for hybrid models.

Monitoring & Troubleshooting Tools

Tool                    Use Case
VPC Flow Logs           Monitor IP traffic per ENI
CloudWatch              Alarm for NAT data usage
Reachability Analyzer   Visual tool to trace network path
AWS Config              Audit changes in VPC config

Best Practices for VPC Design

  1. Use CIDR blocks with growth room (e.g., /16)
  2. Split VPC into public/private subnets
  3. One AZ failure should not affect all resources
  4. Always use NAT Gateway + Private Subnet for app/database layers
  5. Use Network ACLs for subnet-wide protection
  6. Add flow logs for security audits and troubleshooting
  7. Tag your resources (Environment, Owner, CostCenter)
  8. Use VPC Endpoints for secure S3/DynamoDB access
  9. Place RDS/Databases in private subnets

Summary

Concept           Description
VPC               Virtual network in AWS
Subnets           Public (for ALB), Private (for DB)
IGW vs NAT GW     Public internet vs secure outbound
Route Tables      Control traffic directions
Security Layers   Security Groups + NACLs
VPC Peering       Cross-VPC private networking
Monitoring        Flow Logs, CloudWatch, Reachability Analyzer