Amazon VPC Overview — Understanding virtual networking, subnets, security controls, and connectivity options.
What is Amazon VPC?
Amazon VPC (Virtual Private Cloud) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.
Think of VPC as: Your own virtual data center in the cloud — complete with control over IP addressing, subnets, routing, gateways, and security.
VPC Architecture
```mermaid
flowchart TD
    Internet["Internet"]
    subgraph VPC["VPC (10.0.0.0/16)"]
        IGW["Internet Gateway (igw-xxxx)"]
        subgraph PublicSubnet["Public Subnet (10.0.1.0/24)"]
            Web["Web/ALB EC2"]
            NAT["NAT Gateway (EIP)"]
            PublicRT["Public Route Table<br/>10.0.0.0/16 -> local<br/>0.0.0.0/0 -> igw-xxxx"]
        end
        subgraph PrivateSubnet["Private Subnet (10.0.2.0/24)"]
            App["App/DB EC2"]
            PrivateRT["Private Route Table<br/>10.0.0.0/16 -> local<br/>0.0.0.0/0 -> nat-xxxx"]
        end
    end
    Web --> PublicRT --> IGW --> Internet
    App --> PrivateRT --> NAT --> IGW
```
VPC Components Explained
1. VPC (Virtual Private Cloud)
| Attribute | Description |
|---|---|
| IP Address Range | CIDR block (e.g., 10.0.0.0/16, 172.16.0.0/12) |
| Maximum Size | /16 (65,536 IPs) |
| Minimum Size | /28 (16 IPs) |
| Multiple CIDRs | Up to 5 CIDR blocks per VPC |
| Peering | Can peer with another VPC if CIDRs don’t overlap |
Valid CIDR Ranges for VPC:
- 10.0.0.0/8 (10.0.0.0 to 10.255.255.255, RFC 1918 private)
- 172.16.0.0/12 (172.16.0.0 to 172.31.255.255, RFC 1918 private)
- 192.168.0.0/16 (192.168.0.0 to 192.168.255.255, RFC 1918 private)
Note: You can now use public IP ranges in VPCs (as of 2024), but RFC 1918 is still recommended.
2. Subnets
A subnet is a segment of a VPC’s IP address range where you can place groups of isolated resources.
Subnet Sizing
| CIDR | Total IPs | Usable IPs | AWS Reserved |
|---|---|---|---|
| /24 | 256 | 251 | 5 |
| /25 | 128 | 123 | 5 |
| /26 | 64 | 59 | 5 |
| /27 | 32 | 27 | 5 |
| /28 | 16 | 11 | 5 |
AWS Reserved IPs in Each Subnet:
- .0 = Network address
- .1 = VPC router (not usable by you)
- .2 = DNS server (VPC+2)
- .3 = Reserved for future use
- .255 (the last address of the subnet) = Network broadcast
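The sizing table and the reserved-address list above can be reproduced for any subnet with a few lines of Python. The following is an added example (not code from the original page or from AWS): it takes a subnet CIDR, enforces the /16 to /28 bound, lists the five addresses AWS reserves, and returns the usable count, so a plan can be checked before subnets are created. The `vpc_dns_resolver` helper applies the "VPC+2" rule to the VPC CIDR. All names and the sample CIDRs are the author's own choices.

```python
import ipaddress

# The five addresses AWS reserves in every IPv4 subnet: offsets 0-3 from the
# network address, plus the last address (network broadcast).
RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC router",
    2: "DNS server (VPC+2)",
    3: "reserved for future use",
}


def subnet_capacity(cidr):
    """Total, usable and reserved addresses for an AWS IPv4 subnet CIDR."""
    # strict=True rejects CIDRs with host bits set, e.g. 10.0.1.1/24
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: AWS IPv4 subnets must be between /16 and /28")
    base = net.network_address
    reserved = {str(base + off): why for off, why in RESERVED_OFFSETS.items()}
    reserved[str(net.broadcast_address)] = "network broadcast (last address)"
    return {
        "cidr": str(net),
        "total": net.num_addresses,
        "usable": net.num_addresses - len(reserved),
        "first_usable": str(base + 4),
        "last_usable": str(net.broadcast_address - 1),
        "reserved": reserved,
    }


def vpc_dns_resolver(vpc_cidr):
    """The Amazon-provided DNS resolver sits at the VPC network address + 2."""
    return str(ipaddress.ip_network(vpc_cidr).network_address + 2)


if __name__ == "__main__":
    # Rebuild the subnet sizing table for /24 through /28 (constructed input).
    print("| CIDR | Total IPs | Usable IPs | AWS Reserved |")
    for prefix in range(24, 29):
        c = subnet_capacity(f"10.0.1.0/{prefix}")
        print(f"| /{prefix} | {c['total']} | {c['usable']} | {len(c['reserved'])} |")
    print("VPC 10.0.0.0/16 resolver:", vpc_dns_resolver("10.0.0.0/16"))
```

Because `strict=True` is used, a mistyped subnet such as `10.0.1.1/24` is rejected immediately rather than silently normalised to `10.0.1.0/24`.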
Public vs Private Subnets
| Characteristic | Public Subnet | Private Subnet |
|---|---|---|
| Route to IGW | Yes | No |
| Can have Public IP | Yes | Yes (but limited use) |
| Direct Internet Access | Yes (in + out) | No (requires NAT) |
| Auto-assign Public IP | Enabled | Disabled |
| Use For | Web servers, ALBs | Databases, app servers |
How to Identify:
Public Subnet Route Table:
10.0.0.0/16 → local
0.0.0.0/0 → igw-xxxxxxxx ✓ (Has IGW = Public)
Private Subnet Route Table:
10.0.0.0/16 → local
(No IGW route = Private)
Internet Access Decision Guide:
Need internet access?
YES
├── In both directions? → Public Subnet + IGW
└── Outbound only? → Private Subnet + NAT Gateway
NO
└── Private Subnet (no IGW route)
| Need | Recommended Design | Route Requirement |
|---|---|---|
| Inbound + Outbound internet | Public subnet + Internet Gateway | 0.0.0.0/0 -> igw-xxxx |
| Outbound internet only | Private subnet + NAT Gateway (NAT in public subnet) | 0.0.0.0/0 -> nat-xxxx |
| No internet access | Private subnet only | No default internet route |
Subnet Types
| Type | Description |
|---|---|
| Standard | Regular subnet |
| Dedicated | Instances run on dedicated hardware |
| Outposts | Subnet on on-premises AWS Outposts |
3. Internet Gateway (IGW)
| Attribute | Value |
|---|---|
| Purpose | Enable internet access for VPC |
| Scope | VPC-level (one per VPC) |
| Cost | Free |
| Availability | Highly available, redundant |
How It Works:
Internet ↔ IGW ↔ Public Subnet ↔ Instance with Public IP
Note: IGW is stateful — automatically allows return traffic.
4. NAT Gateway
| Attribute | Value |
|---|---|
| Purpose | Enable private instances to access internet |
| Scope | Subnet-level (created in specific subnet) |
| Direction | Outbound only (response traffic allowed) |
| Cost | $0.045/hour + $0.045/GB data processing |
| Bandwidth | Up to 100 Gbps |
| Availability | AZ-resilient (create one per AZ for HA) |
NAT Gateway Flow:
Private Instance → NAT Gateway (Public IP) → Internet
↑
Created in public subnet
Warning: NAT Gateways cost money even when idle. Remove or stop when not needed.
5. Route Tables
Route tables control where network traffic is directed.
Default Routes
| Destination | Target | Meaning |
|---|---|---|
| 10.0.0.0/16 | local | Traffic within VPC stays local |
| 0.0.0.0/0 | igw-xxxx | All other traffic goes to Internet |
| 0.0.0.0/0 | nat-xxxx | All other traffic goes to NAT Gateway |
Main vs Custom Route Tables
| Type | Description |
|---|---|
| Main | Created with VPC, automatically associated with new subnets |
| Custom | User-created, explicitly associated with subnets |
Remember: Explicit association overrides main route table.
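The two rules above (which route table a subnet really uses, and where its default route points) are what decide whether a subnet is public, private-with-NAT, or isolated, as described under "How to Identify" earlier. The following is an added example, not code from the page or from AWS, that puts both rules into a small checker: `effective_route_table` applies "explicit association overrides main", `lookup_route` picks the most specific matching route (AWS route tables use longest-prefix match), and `classify_subnet` reads the `0.0.0.0/0` target. The route tables, subnet ids and `igw-EXAMPLE`/`nat-EXAMPLE` targets are constructed placeholders.

```python
import ipaddress

# Constructed sample data (placeholder ids, not a real account): three route
# tables for a 10.0.0.0/16 VPC and the explicit subnet associations.
ROUTE_TABLES = {
    "rtb-main":    [("10.0.0.0/16", "local")],
    "rtb-public":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")],
    "rtb-private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE")],
}
MAIN_ROUTE_TABLE = "rtb-main"
EXPLICIT_ASSOCIATIONS = {
    "subnet-web-1a": "rtb-public",
    "subnet-app-1a": "rtb-private",
    # "subnet-data-1a" deliberately has no explicit association
}


def effective_route_table(subnet_id, associations=EXPLICIT_ASSOCIATIONS,
                          main=MAIN_ROUTE_TABLE):
    """Explicit association wins; otherwise the VPC's main route table applies."""
    return associations.get(subnet_id, main)


def lookup_route(routes, dst_ip):
    """Return the target of the most specific (longest-prefix) route matching dst_ip,
    or None when no route matches."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for destination, target in routes:
        net = ipaddress.ip_network(destination)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(routes):
    """Classify a subnet by where its default route (0.0.0.0/0) points."""
    default = dict(routes).get("0.0.0.0/0")
    if default is None:
        return "private (isolated: no internet route)"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private (outbound only via NAT)"
    return f"other ({default})"


def describe_subnet(subnet_id):
    """Resolve a subnet's effective route table and classify it."""
    rtb = effective_route_table(subnet_id)
    return {"subnet": subnet_id, "route_table": rtb,
            "kind": classify_subnet(ROUTE_TABLES[rtb])}


if __name__ == "__main__":
    for sid in ("subnet-web-1a", "subnet-app-1a", "subnet-data-1a"):
        print(describe_subnet(sid))
    print(lookup_route(ROUTE_TABLES["rtb-public"], "10.0.2.5"))       # local
    print(lookup_route(ROUTE_TABLES["rtb-public"], "203.0.113.10"))   # igw-EXAMPLE
```

Note that `subnet-data-1a` silently inherits the main table: if someone later adds an internet route to the main table, every subnet without an explicit association changes classification at once, which is why explicit associations (and a main table that carries only the `local` route) are the safer pattern.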
VPC Security Controls
Security Groups (Stateful)
| Characteristic | Detail |
|---|---|
| Type | Stateful firewall |
| Scope | Instance (network interface) level |
| Rules | Allow only (no deny) |
| Return Traffic | Automatically allowed |
| Evaluation | All rules evaluated |
| Order | Doesn’t matter (all rules checked) |
Example:
Security Group Rules:
Inbound:
Allow 80 0.0.0.0/0
Allow 443 0.0.0.0/0
Outbound:
Allow All 0.0.0.0/0 (default)
Result: Inbound traffic on port 80/443 allowed.
Return traffic automatically allowed (stateful).
NACLs (Network Access Control Lists)
| Characteristic | Detail |
|---|---|
| Type | Stateless firewall |
| Scope | Subnet level |
| Rules | Allow AND Deny |
| Return Traffic | Must explicitly allow |
| Evaluation | Numbered order, first match wins |
| Order | Lowest number processed first |
Example:
NACL Rules:
100 Allow TCP 80 0.0.0.0/0 Inbound
200 Deny TCP 80 192.168.1.0/24 Inbound
300 Allow TCP 443 0.0.0.0/0 Inbound
Result: 192.168.1.5 hits rule 100 first (allow 80) → Allowed
BUT if rule 200 came before 100, it would be denied.
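The ordering effect described above, and the stateful/stateless difference between security groups and NACLs, can be checked with a small rule evaluator. The following is an added example (not code from the page or from AWS): `nacl_decision` walks rules in ascending number order and stops at the first match, falling through to the implicit `*` deny; `sg_allows` treats the rule set as an unordered allow list. It uses the page's three NACL rules, then shows the same rules with the deny placed first, and finally shows that a web server's reply to a client's ephemeral port only leaves the subnet when an outbound NACL rule covers that port range. The client addresses and rule sets are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int       # NACL rule number (sets evaluation order); unused for SGs
    action: str       # "allow" or "deny" (security groups only ever "allow")
    protocol: str     # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str


def _matches(rule, protocol, port, addr):
    return (rule.protocol in ("all", protocol)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr))


def nacl_decision(rules, protocol, port, addr):
    """Stateless NACL: lowest number first, first match wins, implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, addr):
            return rule.action, rule.number
    return "deny", "*"


def sg_allows(rules, protocol, port, addr):
    """Security group: any matching allow rule permits the packet; order is irrelevant."""
    return any(_matches(r, protocol, port, addr) for r in rules)


# The page's NACL example (constructed rule set).
NACL_INBOUND = [
    Rule(100, "allow", "tcp", 80, 80, "0.0.0.0/0"),
    Rule(200, "deny",  "tcp", 80, 80, "192.168.1.0/24"),
    Rule(300, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]
# Same intent, with the deny numbered below the broad allow so it is hit first.
NACL_INBOUND_DENY_FIRST = [
    Rule(50,  "deny",  "tcp", 80, 80, "192.168.1.0/24"),
    Rule(100, "allow", "tcp", 80, 80, "0.0.0.0/0"),
    Rule(300, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]
# Outbound NACL rules: a stateless filter only passes the server's replies if the
# client's ephemeral port range is explicitly allowed outbound.
NACL_OUTBOUND_NO_EPHEMERAL = [Rule(100, "allow", "tcp", 80, 80, "0.0.0.0/0")]
NACL_OUTBOUND = [Rule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]

# The page's security group example: allow 80 and 443 from anywhere.
SG_INBOUND = [
    Rule(0, "allow", "tcp", 80, 80, "0.0.0.0/0"),
    Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]


def web_response_passes(outbound_rules, client_ip, client_port):
    """Does the reply to client_ip:client_port get past the outbound NACL?"""
    return nacl_decision(outbound_rules, "tcp", client_port, client_ip)[0] == "allow"


if __name__ == "__main__":
    print(nacl_decision(NACL_INBOUND, "tcp", 80, "192.168.1.5"))             # ('allow', 100)
    print(nacl_decision(NACL_INBOUND_DENY_FIRST, "tcp", 80, "192.168.1.5"))  # ('deny', 50)
    print(web_response_passes(NACL_OUTBOUND_NO_EPHEMERAL, "198.51.100.7", 51000))  # False
    print(web_response_passes(NACL_OUTBOUND, "198.51.100.7", 51000))               # True
    print(sg_allows(SG_INBOUND, "tcp", 443, "198.51.100.7"))                       # True
```

The security group needs no equivalent of `web_response_passes`: because it is stateful, the reply to an accepted inbound connection is allowed regardless of the outbound rules.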
Security Group vs NACL
| Feature | Security Group | NACL |
|---|---|---|
| Stateful/Stateless | Stateful | Stateless |
| Scope | Instance-level | Subnet-level |
| Rules | Allow only | Allow AND Deny |
| Return Traffic | Automatic | Must be explicitly allowed |
| Rule Order | Doesn’t matter | Critical (numbered) |
| Best Practice | Use for most security | Use when you need subnet-level or deny rules |
Rule of Thumb: Use Security Groups first. Only use NACLs when you need subnet-level control or explicit deny rules.
VPC Connectivity Options
1. VPC Peering
Connect two VPCs via direct network routing.
| Characteristic | Value |
|---|---|
| Type | One-to-one connection |
| Regions | Same region or different regions |
| Accounts | Same account or different accounts |
| Cost | Data transfer charges across regions |
| Limitations | Cannot transit through (A-B-C) |
| CIDR Overlap | Not allowed |
VPC Peering vs Transit Gateway:
VPC Peering:
VPC A ←→ VPC B
VPC A ←→ VPC C
VPC B ←→ VPC C
(Full mesh for 3+ VPCs = complex)
Transit Gateway:
┌─── VPC A
TG ──┼─── VPC B
└─── VPC C
(Hub-and-spoke = simpler)
2. Transit Gateway
Hub-and-spoke network transit hub that connects thousands of VPCs, on-premises networks, and VPNs through attachments.
| Feature | Description |
|---|---|
| Max Attachments | 5,000 transit gateway attachments |
| Routing | Dynamic routing (BGP) supported |
| Use Cases | Large-scale multi-VPC environments |
| Cost | Per attachment + data transfer |
3. AWS PrivateLink
Expose services privately to other VPCs or on-premises without using public IPs or VPNs.
| Component | Description |
|---|---|
| Service Provider | Creates endpoint service |
| Service Consumer | Creates endpoint to access service |
Use Cases:
- Expose SaaS applications privately
- Access AWS services privately (S3, DynamoDB, etc.)
- Share services between VPCs without peering
4. VPN (Virtual Private Network)
Site-to-Site encrypted connection between your on-premises network and VPC.
| Feature | Description |
|---|---|
| Type | IPSec VPN |
| Cost | $0.05/hour connection |
| Throughput | Up to 1.25 Gbps |
| Redundancy | Use 2 VPN connections for HA |
5. AWS Direct Connect
Dedicated physical connection between your on-premises and AWS.
| Feature | Description |
|---|---|
| Type | Physical fiber connection |
| Bandwidth | 50 Mbps to 100 Gbps |
| Latency | Consistent, lower than internet |
| Cost | Port + data transfer fees |
| Use Cases | High-throughput, low-latency requirements |
VPC Security Features
VPC Encryption Controls (November 2025)
Monitor, enforce, and demonstrate encryption within and across VPCs.
| Capability | Description |
|---|---|
| Encryption Monitoring | Track unencrypted resources |
| Encryption Policies | Require encryption for resources |
| Compliance Reporting | Demonstrate encryption posture |
Block Public Access for VPC
Single control to block internet access via Internet Gateway or Egress-Only Internet Gateway.
| Setting | Effect |
|---|---|
| Block Public Access | No public access for ANY subnet in VPC |
| Use Case | Isolated environments, air-gapped workloads |
VPC Flow Logs
Capture information about IP traffic going to and from network interfaces.
| Field | Description |
|---|---|
| Version | Flow log record version |
| Account ID | AWS account ID |
| VPC ID | VPC identifier |
| Subnet ID | Subnet identifier |
| Instance ID | Instance identifier |
| SrcAddr/DstAddr | Source/destination IP |
| SrcPort/DstPort | Source/destination port |
| Protocol | IANA protocol number |
| Bytes | Bytes transferred |
| Action | Action (ACCEPT or REJECT) |
Use Cases:
- Security analysis
- Troubleshooting connectivity
- Compliance auditing
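A concrete use of the fields listed above is to parse flow log records and look for sources that are being REJECTed on many different ports, which is a common first signal in security analysis. The following is an added example, not code from the page or from AWS. It parses the default (version 2) flow log record format, whose field order is version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status; skips `NODATA`/`SKIPDATA` records; and summarises rejected destination ports per source. The log lines, account id and interface id are constructed sample data.

```python
from collections import defaultdict

# Default VPC Flow Log (version 2) field order.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
IANA_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample records: two accepted web requests, four rejected probes
# from one source, one internal accepted flow, and one NODATA record.
SAMPLE_LOG = """
2 123456789012 eni-EXAMPLE 198.51.100.7 10.0.1.10 51000 80 6 10 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-EXAMPLE 198.51.100.7 10.0.1.10 51001 443 6 8 3200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-EXAMPLE 203.0.113.50 10.0.1.10 40001 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-EXAMPLE 203.0.113.50 10.0.1.10 40002 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-EXAMPLE 203.0.113.50 10.0.1.10 40003 3306 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-EXAMPLE 203.0.113.50 10.0.1.10 40004 5432 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-EXAMPLE 10.0.2.20 10.0.1.10 36000 8080 6 5 800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-EXAMPLE - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(line):
    """Parse one default-format record; return None for NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # traffic fields are '-' in these records
    for field in INT_FIELDS:
        rec[field] = int(rec[field])
    rec["protocol_name"] = IANA_PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
    return rec


def load_records(text):
    return [r for r in (parse_flow_log(line) for line in text.strip().splitlines()) if r]


def reject_summary(records):
    """Map each source address to the sorted list of destination ports it was REJECTed on."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: sorted(p) for src, p in ports.items()}


def flag_port_sweeps(records, min_ports=3):
    """Sources rejected on at least min_ports distinct ports in the log window."""
    return [(src, ports) for src, ports in sorted(reject_summary(records).items())
            if len(ports) >= min_ports]


def accepted_bytes_by_pair(records):
    """Bytes carried by ACCEPTed flows, keyed by (srcaddr, dstaddr, dstport)."""
    totals = defaultdict(int)
    for r in records:
        if r["action"] == "ACCEPT":
            totals[(r["srcaddr"], r["dstaddr"], r["dstport"])] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = load_records(SAMPLE_LOG)
    print(f"{len(recs)} records with data")
    print("port sweeps:", flag_port_sweeps(recs))
    print("accepted bytes:", accepted_bytes_by_pair(recs))
```

A REJECT in a flow log means a security group or NACL dropped the traffic, so a source with many rejected ports is noise the controls already handled; the value of the summary is seeing which sources and ports are being probed and whether any of those ports are also ACCEPTed somewhere else in the same window.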
Traffic Mirroring
Copy network traffic from an elastic network interface out to out-of-band security and monitoring appliances.
| Use Case | Description |
|---|---|
| Intrusion Detection | Send traffic to IDS for analysis |
| Content Inspection | Deep packet inspection |
| Troubleshooting | Packet capture without affecting production |
VPC IP Addressing
CIDR Notation
Format: X.X.X.X/Y
X.X.X.X = Network address
Y = Number of network bits
Examples:
10.0.0.0/16 = 10.0.0.0 to 10.0.255.255 (65,536 addresses)
10.0.0.0/24 = 10.0.0.0 to 10.0.0.255 (256 addresses)
Subnet Planning
Example: VPC 10.0.0.0/16
| Subnet | CIDR | IPs | Purpose |
|---|---|---|---|
| Public 1a | 10.0.1.0/24 | 256 | Web servers AZ us-east-1a |
| Public 1b | 10.0.2.0/24 | 256 | Web servers AZ us-east-1b |
| Private 1a | 10.0.11.0/24 | 256 | App servers AZ us-east-1a |
| Private 1b | 10.0.12.0/24 | 256 | App servers AZ us-east-1b |
| Data 1a | 10.0.21.0/24 | 256 | Databases AZ us-east-1a |
| Data 1b | 10.0.22.0/24 | 256 | Databases AZ us-east-1b |
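Two checks are worth running on a plan like the one above before anything is created: that every subnet fits inside the VPC CIDR without overlapping another subnet, and (for the peering limitation noted under VPC Peering) that the VPC's CIDRs do not overlap those of any VPC it will peer with. The following is an added example, not code from the page or from AWS; it encodes the page's six-subnet plan as constructed input and reports any problems as plain strings.

```python
import ipaddress

# The page's subnet plan for VPC 10.0.0.0/16 (constructed input).
VPC_CIDR = "10.0.0.0/16"
PLAN = {
    "Public 1a":  "10.0.1.0/24",
    "Public 1b":  "10.0.2.0/24",
    "Private 1a": "10.0.11.0/24",
    "Private 1b": "10.0.12.0/24",
    "Data 1a":    "10.0.21.0/24",
    "Data 1b":    "10.0.22.0/24",
}


def validate_subnet_plan(vpc_cidr, subnets):
    """Return a list of problems (empty when the plan is valid).

    Each subnet must be a clean CIDR inside the VPC, between /16 and /28,
    and must not overlap any other subnet in the plan.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    problems, nets = [], {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr)  # strict by default: host bits must be zero
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside VPC {vpc}")
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{name} {net} prefix must be between /16 and /28")
        nets[name] = net
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def can_peer(vpc_a_cidrs, vpc_b_cidrs):
    """VPC peering requires that no CIDR of A overlaps any CIDR of B."""
    for a in vpc_a_cidrs:
        for b in vpc_b_cidrs:
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b)):
                return False, f"{a} overlaps {b}"
    return True, "no overlapping CIDRs"


if __name__ == "__main__":
    print("plan problems:", validate_subnet_plan(VPC_CIDR, PLAN))          # []
    broken = {**PLAN, "Extra": "10.0.1.128/25", "Far": "10.1.0.0/24"}
    for p in validate_subnet_plan(VPC_CIDR, broken):
        print("  -", p)
    print(can_peer([VPC_CIDR], ["10.1.0.0/16"]))   # (True, ...)
    print(can_peer([VPC_CIDR], ["10.0.5.0/24"]))   # (False, ...)
```

Because a VPC can carry up to five CIDR blocks, `can_peer` takes lists rather than single CIDRs; a secondary CIDR added later to either VPC is a common way for two VPCs that peered cleanly to start overlapping.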
DNS in VPC
| Feature | Description |
|---|---|
| VPC DNS Server | Available at VPC CIDR + 2 (e.g., 10.0.0.2) |
| DNS Hostnames | Enable to assign DNS names to instances |
| DNS Resolution | Enable to resolve AWS DNS endpoints |
| Private DNS | Use PrivateLink to resolve service endpoints privately |
Common VPC Patterns
1. Public-Private Architecture
```mermaid
flowchart TD
    Internet["Internet"] --> IGW["Internet Gateway"]
    IGW --> Public["Public Subnet<br/>Web ALB"]
    Public -->|SG allow| Private["Private Subnet<br/>App EC2"]
```
2. Three-Tier Architecture
```mermaid
flowchart TD
    Internet["Internet"] --> IGW["Internet Gateway"]
    IGW --> WebTier["Public Subnet<br/>Web ALB"]
    WebTier -->|SG allow| AppTier["Private Subnet (App)<br/>App EC2"]
    AppTier -->|SG allow| DataTier["Private Subnet (Data)<br/>RDS DB"]
```
3. Shared Services VPC
```mermaid
flowchart TD
    TGW["Transit Gateway (or hub routing)"]
    subgraph Shared["Shared Services VPC"]
        Directory["Directory Services"]
        Monitoring["Central Monitoring"]
        Tooling["Security/IT Tooling"]
    end
    Dev["Dev VPC"] --> TGW
    Prod["Prod VPC"] --> TGW
    Test["Test VPC"] --> TGW
    TGW --> Shared
```
VPC Best Practices
| Practice | Why |
|---|---|
| Use multiple AZs | High availability |
| Separate public/private | Security (databases not exposed) |
| Use Security Groups first | Simpler than NACLs |
| Least privilege | Only allow necessary traffic |
| Tag resources | Organization, cost allocation |
| Use VPC Flow Logs | Security monitoring |
| Document IP allocation | Avoid conflicts |
| Consider NAT Gateway costs | Remove when not needed |
TL;DR
VPC Component Summary
| Component | Purpose | Key Point |
|---|---|---|
| VPC | Isolated network | Define CIDR range |
| Subnet | Segment VPC | Public = IGW route; Private = no IGW |
| IGW | Internet access | For public subnets, free |
| NAT Gateway | Private internet access | Outbound only, $0.045/hr + $0.045/GB |
| Route Table | Traffic direction | Direct traffic to targets |
| Security Group | Instance firewall | Stateful, allow only |
| NACL | Subnet firewall | Stateless, allow/deny, ordered |
Decision Tree
Need internet access?
YES
├── In both directions? → Public Subnet + IGW
└── Outbound only? → Private Subnet + NAT Gateway
NO
└── Private Subnet (no IGW route)
Need to connect VPCs?
├── 2 VPCs? → VPC Peering
└── Many VPCs? → Transit Gateway
Need to connect on-prem?
├── Lower cost? → VPN
└── High bandwidth/low latency? → Direct Connect
Resources
- Amazon VPC Documentation: Complete VPC user guide.
- VPC Networking: Introduction to VPC concepts.
- VPC Security: Security groups, NACLs, flow logs.
- VPC Pricing: Detailed pricing for VPC components.