Amazon VPC Overview — Understanding virtual networking, subnets, security controls, and connectivity options.


What is Amazon VPC?

Amazon VPC (Virtual Private Cloud) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.

Think of VPC as: Your own virtual data center in the cloud — complete with control over IP addressing, subnets, routing, gateways, and security.


VPC Architecture

flowchart TD
    Internet["Internet"]

    subgraph VPC["VPC (10.0.0.0/16)"]
        IGW["Internet Gateway (igw-xxxx)"]

        subgraph PublicSubnet["Public Subnet (10.0.1.0/24)"]
            Web["Web/ALB EC2"]
            NAT["NAT Gateway (EIP)"]
            PublicRT["Public Route Table<br/>10.0.0.0/16 -> local<br/>0.0.0.0/0 -> igw-xxxx"]
        end

        subgraph PrivateSubnet["Private Subnet (10.0.2.0/24)"]
            App["App/DB EC2"]
            PrivateRT["Private Route Table<br/>10.0.0.0/16 -> local<br/>0.0.0.0/0 -> nat-xxxx"]
        end
    end

    Web --> PublicRT --> IGW --> Internet
    App --> PrivateRT --> NAT --> IGW

VPC Components Explained

1. VPC (Virtual Private Cloud)

| Attribute | Description |
|---|---|
| IP Address Range | CIDR block (e.g., 10.0.0.0/16, 172.16.0.0/12) |
| Maximum Size | /16 (65,536 IPs) |
| Minimum Size | /28 (16 IPs) |
| Multiple CIDRs | Up to 5 CIDR blocks per VPC |
| Peering | Can peer with another VPC if CIDRs don't overlap |

Valid CIDR Ranges for VPC:

  • 10.0.0.0/8 (10.0.0.0 to 10.255.255.255, RFC 1918 private)
  • 172.16.0.0/12 (172.16.0.0 to 172.31.255.255, RFC 1918 private)
  • 192.168.0.0/16 (192.168.0.0 to 192.168.255.255, RFC 1918 private)

Note: You can now use public IP ranges in VPCs (as of 2024), but RFC 1918 is still recommended.


2. Subnets

A subnet is a segment of a VPC’s IP address range where you can place groups of isolated resources.

Subnet Sizing

| CIDR | Total IPs | Usable IPs | AWS Reserved |
|---|---|---|---|
| /24 | 256 | 251 | 5 |
| /25 | 128 | 123 | 5 |
| /26 | 64 | 59 | 5 |
| /27 | 32 | 27 | 5 |
| /28 | 16 | 11 | 5 |

AWS Reserved IPs in Each Subnet:

  • .0 = Network address
  • .1 = VPC router (not usable by you)
  • .2 = DNS server (VPC CIDR base + 2; the .2 address is reserved in every subnet)
  • .3 = Reserved by AWS for future use
  • Last address in the subnet (.255 in a /24) = Network broadcast

Public vs Private Subnets

| Characteristic | Public Subnet | Private Subnet |
|---|---|---|
| Route to IGW | Yes | No |
| Can have Public IP | Yes | Yes (but limited use) |
| Direct Internet Access | Yes (in + out) | No (requires NAT) |
| Auto-assign Public IP | Enabled | Disabled |
| Use For | Web servers, ALBs | Databases, app servers |

How to Identify:

Public Subnet Route Table:
  10.0.0.0/16 → local
  0.0.0.0/0   → igw-xxxxxxxx ✓ (Has IGW = Public)

Private Subnet Route Table:
  10.0.0.0/16 → local
  (No IGW route = Private)

Internet Access Decision Guide:

Need internet access?
    YES
    ├── In both directions? → Public Subnet + IGW
    └── Outbound only? → Private Subnet + NAT Gateway
    NO
    └── Private Subnet (no IGW route)

| Need | Recommended Design | Route Requirement |
|---|---|---|
| Inbound + outbound internet | Public subnet + Internet Gateway | 0.0.0.0/0 -> igw-xxxx |
| Outbound internet only | Private subnet + NAT Gateway (NAT in public subnet) | 0.0.0.0/0 -> nat-xxxx |
| No internet access | Private subnet only | No default internet route |
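The public/private test above can be automated. This added example (not part of the original page) applies the rule by asking where a route table actually sends internet-bound traffic, using longest-prefix matching as a real route table does; the route tables and the `igw-PLACEHOLDER`/`nat-PLACEHOLDER` target ids are constructed.

```python
import ipaddress

# Constructed route tables keyed by subnet name; the igw-/nat- targets are
# placeholders in the page's own style, not real resource ids.
ROUTE_TABLES = {
    "public-1a":   [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
    "private-1a":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")],
    "isolated-1a": [("10.0.0.0/16", "local")],
    # No literal 0.0.0.0/0 line, yet the two /1 routes cover every internet
    # destination, so a check that only looks for 0.0.0.0/0 would call this
    # subnet private when it is in fact public.
    "split-default": [("10.0.0.0/16", "local"),
                      ("0.0.0.0/1", "igw-PLACEHOLDER"),
                      ("128.0.0.0/1", "igw-PLACEHOLDER")],
}

def next_hop(routes, dst_ip):
    """Route tables use the most specific (longest prefix) match, not the
    first line that happens to contain the destination."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for dest, target in routes:
        net = ipaddress.ip_network(dest)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def classify_subnet(routes, probe_ip="203.0.113.1"):
    """Apply the page's test by asking where traffic to a non-VPC address goes:
    an IGW next hop means public, a NAT gateway means private with outbound
    access, and no route at all means isolated. probe_ip is a constructed
    documentation-range address standing in for 'the internet'."""
    hop = next_hop(routes, probe_ip)
    if hop is None or hop == "local":
        return "isolated"
    if hop.startswith("igw-"):
        return "public"
    if hop.startswith("nat-"):
        return "private (outbound via NAT)"
    return "private (egress via " + hop.split("-")[0] + ")"

if __name__ == "__main__":
    for name, routes in ROUTE_TABLES.items():
        print(f"{name:14} -> {classify_subnet(routes)}")
    print(next_hop(ROUTE_TABLES["public-1a"], "10.0.2.15"))   # local
    print(next_hop(ROUTE_TABLES["public-1a"], "8.8.8.8"))     # igw-PLACEHOLDER
```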

Subnet Types

| Type | Description |
|---|---|
| Standard | Regular subnet |
| Dedicated | Instances run on dedicated hardware |
| Outposts | Subnet on on-premises AWS Outposts |

3. Internet Gateway (IGW)

| Attribute | Value |
|---|---|
| Purpose | Enable internet access for VPC |
| Scope | VPC-level (one per VPC) |
| Cost | Free |
| Availability | Highly available, redundant |

How It Works:

Internet ↔ IGW ↔ Public Subnet ↔ Instance with Public IP

Note: IGW is stateful — automatically allows return traffic.


4. NAT Gateway

| Attribute | Value |
|---|---|
| Purpose | Enable private instances to access internet |
| Scope | Subnet-level (created in specific subnet) |
| Direction | Outbound only (response traffic allowed) |
| Cost | $0.045/hour + $0.045/GB data processing |
| Bandwidth | Up to 100 Gbps |
| Availability | AZ-resilient (create one per AZ for HA) |

NAT Gateway Flow:

Private Instance → NAT Gateway (Public IP) → Internet
                    ↑
                Created in public subnet

Warning: NAT Gateways cost money even when idle. Remove or stop when not needed.


5. Route Tables

Route tables control where network traffic is directed.

Default Routes

| Destination | Target | Meaning |
|---|---|---|
| 10.0.0.0/16 | local | Traffic within VPC stays local |
| 0.0.0.0/0 | igw-xxxx | All other traffic goes to Internet |
| 0.0.0.0/0 | nat-xxxx | All other traffic goes to NAT Gateway |

Main vs Custom Route Tables

| Type | Description |
|---|---|
| Main | Created with VPC, automatically associated with new subnets |
| Custom | User-created, explicitly associated with subnets |

Remember: a subnet with an explicit route table association uses that table; only subnets without one fall back to the main route table.


VPC Security Controls

Security Groups (Stateful)

| Characteristic | Detail |
|---|---|
| Type | Stateful firewall |
| Scope | Instance (network interface) level |
| Rules | Allow only (no deny) |
| Return Traffic | Automatically allowed |
| Evaluation | All rules evaluated |
| Order | Doesn't matter (all rules checked) |

Example:

Security Group Rules:
  Inbound:
    Allow  80    0.0.0.0/0
    Allow  443   0.0.0.0/0
  Outbound:
    Allow  All   0.0.0.0/0 (default)

Result: Inbound traffic on port 80/443 allowed.
        Return traffic automatically allowed (stateful).

NACLs (Network Access Control Lists)

| Characteristic | Detail |
|---|---|
| Type | Stateless firewall |
| Scope | Subnet level |
| Rules | Allow AND Deny |
| Return Traffic | Must explicitly allow |
| Evaluation | Numbered order, first match wins |
| Order | Lowest number processed first |

Example:

NACL Rules:
  100  Allow  TCP  80   0.0.0.0/0  Inbound
  200  Deny   TCP  80   192.168.1.0/24  Inbound
  300  Allow  TCP  443  0.0.0.0/0  Inbound

Result: 192.168.1.5 hits rule 100 first (allow 80) → Allowed
        BUT if the deny rule were numbered below 100, it would match first and the same traffic would be denied.

Security Group vs NACL

| Feature | Security Group | NACL |
|---|---|---|
| Stateful/Stateless | Stateful | Stateless |
| Scope | Instance-level | Subnet-level |
| Rules | Allow only | Allow AND Deny |
| Return Traffic | Automatic | Must be explicitly allowed |
| Rule Order | Doesn't matter | Critical (numbered) |
| Best Practice | Use for most security | Use when you need subnet-level or deny rules |

Rule of Thumb: Use Security Groups first. Only use NACLs when you need subnet-level control or explicit deny rules.
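The two evaluation models above, as an added example that is not part of the original page: a first-match NACL evaluator and an any-match security group evaluator run over the page's own rule sets. The renumbered deny rule, the outbound ephemeral-port rule and the client addresses are constructed to show the ordering and statelessness points.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    number: int            # NACL rule number (ignored for security groups)
    action: str            # "allow" or "deny"; security groups only ever allow
    ports: tuple           # inclusive (low, high) destination-port range
    cidr: str              # source range for inbound, destination range for outbound

def _matches(rule, ip, port):
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)
            and rule.ports[0] <= port <= rule.ports[1])

def nacl_decision(rules, ip, port):
    """Stateless: walk rules in ascending number, first match wins; the
    implicit '*' rule denies anything no numbered rule matched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, ip, port):
            return rule.action, rule.number
    return "deny", "*"

def nacl_connection_ok(inbound, outbound, client_ip, server_port, client_port):
    """Because NACLs are stateless, a TCP exchange needs the request (inbound,
    to server_port) AND the response (outbound, to the client's ephemeral
    client_port) each to hit an allow rule."""
    request, _ = nacl_decision(inbound, client_ip, server_port)
    response, _ = nacl_decision(outbound, client_ip, client_port)
    return request == "allow" and response == "allow"

def sg_decision(rules, ip, port):
    """Stateful and allow-only: order is irrelevant, any matching rule
    permits the flow and its return traffic; otherwise implicit deny."""
    return "allow" if any(_matches(r, ip, port) for r in rules) else "deny"

# The page's NACL example (inbound), and the same rules with the deny
# renumbered (constructed) so it sorts before the allow.
NACL_IN = [Rule(100, "allow", (80, 80), "0.0.0.0/0"),
           Rule(200, "deny", (80, 80), "192.168.1.0/24"),
           Rule(300, "allow", (443, 443), "0.0.0.0/0")]
NACL_IN_DENY_FIRST = [Rule(50, "deny", (80, 80), "192.168.1.0/24")] + NACL_IN[::2]
# Constructed outbound rule set that lets responses back out to client ephemeral ports.
NACL_OUT_EPHEMERAL = [Rule(100, "allow", (1024, 65535), "0.0.0.0/0")]
# The page's security group example (inbound).
SG_IN = [Rule(0, "allow", (80, 80), "0.0.0.0/0"), Rule(0, "allow", (443, 443), "0.0.0.0/0")]
```

With the page's inbound NACL alone, `nacl_connection_ok(NACL_IN, [], "203.0.113.9", 80, 49152)` is False because the response to the client's ephemeral port has no outbound allow; adding `NACL_OUT_EPHEMERAL` makes it True.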


VPC Connectivity Options

1. VPC Peering

Connect two VPCs via direct network routing.

| Characteristic | Value |
|---|---|
| Type | One-to-one connection |
| Regions | Same region or different regions |
| Accounts | Same account or different accounts |
| Cost | Data transfer charges across regions |
| Limitations | Cannot transit through (A-B-C) |
| CIDR Overlap | Not allowed |

VPC Peering vs Transit Gateway:

VPC Peering:
    VPC A ←→ VPC B
    VPC A ←→ VPC C
    VPC B ←→ VPC C
    (Full mesh for 3+ VPCs = complex)

Transit Gateway:
         ┌─── VPC A
    TG ──┼─── VPC B
         └─── VPC C
    (Hub-and-spoke = simpler)

2. Transit Gateway

Hub-and-spoke transit hub that connects thousands of VPCs, on-premises networks, and VPNs through a single attachment point each.

| Feature | Description |
|---|---|
| Max Attachments | 5,000 transit gateway attachments |
| Routing | Dynamic routing (BGP) supported |
| Use Cases | Large-scale multi-VPC environments |
| Cost | Per attachment + data transfer |

3. AWS PrivateLink (VPC Endpoints)

Expose services privately to other VPCs or on-premises without using public IPs or VPNs.

| Component | Description |
|---|---|
| Service Provider | Creates endpoint service |
| Service Consumer | Creates endpoint to access service |

Use Cases:

  • Expose SaaS applications privately
  • Access AWS services privately (S3, DynamoDB, etc.)
  • Share services between VPCs without peering

4. VPN (Virtual Private Network)

Site-to-Site encrypted connection between your on-premises network and VPC.

| Feature | Description |
|---|---|
| Type | IPSec VPN |
| Cost | $0.05/hour connection |
| Throughput | Up to 1.25 Gbps |
| Redundancy | Use 2 VPN connections for HA |

5. AWS Direct Connect

Dedicated physical connection between your on-premises and AWS.

| Feature | Description |
|---|---|
| Type | Physical fiber connection |
| Bandwidth | 50 Mbps to 100 Gbps |
| Latency | Consistent, lower than internet |
| Cost | Port + data transfer fees |
| Use Cases | High-throughput, low-latency requirements |

VPC Security Features

VPC Encryption Controls (November 2025)

Monitor, enforce, and demonstrate encryption within and across VPCs.

| Capability | Description |
|---|---|
| Encryption Monitoring | Track unencrypted resources |
| Encryption Policies | Require encryption for resources |
| Compliance Reporting | Demonstrate encryption posture |

Block Public Access for VPC

Single control to block internet access via Internet Gateway or Egress-Only Internet Gateway.

| Setting | Effect |
|---|---|
| Block Public Access | No public access for ANY subnet in VPC |
| Use Case | Isolated environments, air-gapped workloads |

VPC Flow Logs

Capture information about IP traffic going to and from network interfaces.

| Field | Description |
|---|---|
| Version | Flow log record version |
| Account ID | AWS account ID |
| VPC ID | VPC identifier |
| Subnet ID | Subnet identifier |
| Instance ID | Instance identifier |
| SrcAddr/DstAddr | Source/destination IP |
| SrcPort/DstPort | Source/destination port |
| Protocol | IANA protocol number |
| Bytes | Bytes transferred |
| Action | Action (ACCEPT or REJECT) |

Use Cases:

  • Security analysis
  • Troubleshooting connectivity
  • Compliance auditing
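As an added example for the security-analysis use case (not from the original page), this parses records in the default version 2 flow log layout and counts REJECTed flows from outside the VPC by source and destination port. The log lines, account id and `eni-PLACEHOLDER` interface id are constructed; 203.0.113.x and 198.51.100.x are documentation ranges standing in for external hosts.

```python
from collections import Counter
import ipaddress

# Default (version 2) flow log record layout, space separated.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample records: two REJECTed probes of 22 and one of 3389 from
# one external host, an accepted HTTPS exchange, and a NODATA record.
SAMPLE_LOG = """\
2 111122223333 eni-PLACEHOLDER 203.0.113.7 10.0.1.10 54321 22 6 4 240 1700000000 1700000060 REJECT OK
2 111122223333 eni-PLACEHOLDER 203.0.113.7 10.0.1.10 54322 3389 6 3 180 1700000000 1700000060 REJECT OK
2 111122223333 eni-PLACEHOLDER 203.0.113.7 10.0.1.10 54323 22 6 4 240 1700000060 1700000120 REJECT OK
2 111122223333 eni-PLACEHOLDER 198.51.100.20 10.0.1.10 41000 443 6 20 8000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-PLACEHOLDER 10.0.1.10 198.51.100.20 443 41000 6 18 24000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-PLACEHOLDER - - - - - - - 1700000000 1700000060 - NODATA
"""

def parse_record(line):
    """Split one record into a dict; '-' marks a field with no value."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    rec = dict(zip(FIELDS, values))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec

def rejected_inbound(log_text, vpc_cidr="10.0.0.0/16"):
    """Count REJECTed flows that originate outside the VPC, keyed by
    (source address, destination port). Repeated hits on ports such as
    22 or 3389 are what a security review looks at first."""
    vpc = ipaddress.ip_network(vpc_cidr)
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec["log-status"] != "OK" or rec["action"] != "REJECT":
            continue                      # skip NODATA/SKIPDATA and accepted flows
        if ipaddress.ip_address(rec["srcaddr"]) in vpc:
            continue                      # internal source, not inbound from outside
        hits[(rec["srcaddr"], rec["dstport"])] += 1
    return hits

if __name__ == "__main__":
    for (src, port), count in rejected_inbound(SAMPLE_LOG).most_common():
        print(f"{src} -> port {port}: {count} rejected flow(s)")
```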

Traffic Mirroring

Copy network traffic from an elastic network interface to out-of-band security and monitoring appliances.

| Use Case | Description |
|---|---|
| Intrusion Detection | Send traffic to IDS for analysis |
| Content Inspection | Deep packet inspection |
| Troubleshooting | Packet capture without affecting production |

VPC IP Addressing

CIDR Notation

Format: X.X.X.X/Y
  X.X.X.X = Network address
  Y       = Number of network bits

Examples:
  10.0.0.0/16 = 10.0.0.0 to 10.0.255.255 (65,536 addresses)
  10.0.0.0/24 = 10.0.0.0 to 10.0.0.255 (256 addresses)

Subnet Planning

Example: VPC 10.0.0.0/16

| Subnet | CIDR | IPs | Purpose |
|---|---|---|---|
| Public 1a | 10.0.1.0/24 | 256 | Web servers AZ us-east-1a |
| Public 1b | 10.0.2.0/24 | 256 | Web servers AZ us-east-1b |
| Private 1a | 10.0.11.0/24 | 256 | App servers AZ us-east-1a |
| Private 1b | 10.0.12.0/24 | 256 | App servers AZ us-east-1b |
| Data 1a | 10.0.21.0/24 | 256 | Databases AZ us-east-1a |
| Data 1b | 10.0.22.0/24 | 256 | Databases AZ us-east-1b |
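The subnet sizing rules and the plan above can be checked mechanically. This added example (not part of the original page) lists the five reserved addresses, computes usable IPs as the sizing table does, and validates a plan for subnets outside the VPC CIDR, prefixes outside the /16 to /28 limits, and overlaps; `BAD_PLAN` is a constructed variant with two deliberate mistakes.

```python
import ipaddress

# The page's example plan for VPC 10.0.0.0/16.
VPC = ipaddress.ip_network("10.0.0.0/16")
PLAN = {
    "Public 1a": "10.0.1.0/24",   "Public 1b": "10.0.2.0/24",
    "Private 1a": "10.0.11.0/24", "Private 1b": "10.0.12.0/24",
    "Data 1a": "10.0.21.0/24",    "Data 1b": "10.0.22.0/24",
}

def reserved_addresses(subnet):
    """The five addresses AWS holds in every subnet: network, VPC router,
    DNS, future use, and the last address (broadcast)."""
    net = ipaddress.ip_network(subnet)
    return [str(net[i]) for i in (0, 1, 2, 3)] + [str(net[-1])]

def usable_ips(subnet):
    """Total addresses minus the five reserved ones (the page's sizing table)."""
    return ipaddress.ip_network(subnet).num_addresses - 5

def validate_plan(vpc, plan):
    """Return a list of problems: subnets outside the VPC CIDR, prefixes
    outside the /16 to /28 limits, and overlaps between subnets.
    An empty list means the plan is consistent."""
    problems, seen = [], {}
    for name, cidr in plan.items():
        net = ipaddress.ip_network(cidr)
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{name}: /{net.prefixlen} is outside the /16 to /28 size limits")
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is not inside VPC {vpc}")
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                problems.append(f"{name}: {cidr} overlaps {other} ({other_net})")
        seen[name] = net
    return problems

# Constructed bad plan: one subnet overlaps Public 1a, one lies outside the VPC.
BAD_PLAN = {**PLAN, "Oops 1a": "10.0.1.128/25", "Oops 1b": "10.1.0.0/24"}

if __name__ == "__main__":
    print(usable_ips("10.0.1.0/24"), reserved_addresses("10.0.1.0/24"))
    print(validate_plan(VPC, PLAN))          # [] -> the page's plan is consistent
    for problem in validate_plan(VPC, BAD_PLAN):
        print(problem)
```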

DNS in VPC

| Feature | Description |
|---|---|
| VPC DNS Server | Available at VPC CIDR + 2 (e.g., 10.0.0.2) |
| DNS Hostnames | Enable to assign DNS names to instances |
| DNS Resolution | Enable to resolve AWS DNS endpoints |
| Private DNS | Use PrivateLink to resolve service endpoints privately |

Common VPC Patterns

1. Public-Private Architecture

flowchart TD
    Internet["Internet"] --> IGW["Internet Gateway"]
    IGW --> Public["Public Subnet<br/>Web ALB"]
    Public -->|SG allow| Private["Private Subnet<br/>App EC2"]

2. Three-Tier Architecture

flowchart TD
    Internet["Internet"] --> IGW["Internet Gateway"]
    IGW --> WebTier["Public Subnet<br/>Web ALB"]
    WebTier -->|SG allow| AppTier["Private Subnet (App)<br/>App EC2"]
    AppTier -->|SG allow| DataTier["Private Subnet (Data)<br/>RDS DB"]

3. Shared Services VPC

flowchart TD
    TGW["Transit Gateway (or hub routing)"]

    subgraph Shared["Shared Services VPC"]
        Directory["Directory Services"]
        Monitoring["Central Monitoring"]
        Tooling["Security/IT Tooling"]
    end

    Dev["Dev VPC"] --> TGW
    Prod["Prod VPC"] --> TGW
    Test["Test VPC"] --> TGW

    TGW --> Shared

VPC Best Practices

| Practice | Why |
|---|---|
| Use multiple AZs | High availability |
| Separate public/private | Security (databases not exposed) |
| Use Security Groups first | Simpler than NACLs |
| Least privilege | Only allow necessary traffic |
| Tag resources | Organization, cost allocation |
| Use VPC Flow Logs | Security monitoring |
| Document IP allocation | Avoid conflicts |
| Consider NAT Gateway costs | Remove when not needed |

TL;DR

VPC Component Summary

| Component | Purpose | Key Point |
|---|---|---|
| VPC | Isolated network | Define CIDR range |
| Subnet | Segment VPC | Public = IGW route; Private = no IGW |
| IGW | Internet access | For public subnets, free |
| NAT Gateway | Private internet access | Outbound only, $0.045/hr + $0.045/GB |
| Route Table | Traffic direction | Direct traffic to targets |
| Security Group | Instance firewall | Stateful, allow only |
| NACL | Subnet firewall | Stateless, allow/deny, ordered |

Decision Tree

Need internet access?
    YES
    ├── In both directions? → Public Subnet + IGW
    └── Outbound only? → Private Subnet + NAT Gateway
    NO
    └── Private Subnet (no IGW route)

Need to connect VPCs?
    ├── 2 VPCs? → VPC Peering
    └── Many VPCs? → Transit Gateway

Need to connect on-prem?
    ├── Lower cost? → VPN
    └── High bandwidth/low latency? → Direct Connect

Resources

  • Amazon VPC Documentation: complete VPC user guide.
  • VPC Networking: introduction to VPC concepts.
  • VPC Security: security groups, NACLs, flow logs.
  • VPC Pricing: detailed pricing for VPC components.