VPC - Virtual Private Cloud and Networking
Subnets, Route Tables, NAT & Security Groups
Estimated reading time: 30 minutes
VPC Fundamentals
Amazon VPC lets you provision a logically isolated section of AWS cloud where you can launch resources in a virtual network you define.
Core Concepts:
- VPC: Private virtual network in AWS (max 5 per region, soft limit)
- CIDR Block: IP range for VPC (e.g., 10.0.0.0/16)
- Subnets: VPC subdivisions associated with specific AZ
- Route Tables: Rules determining where traffic is directed
- Internet Gateway (IGW): Enables internet communication
- NAT Gateway/Instance: Allows private subnets to access internet
Public vs Private Subnets:
- Public: Has route to Internet Gateway, instances have public IP
- Private: No direct internet route, uses NAT for outbound
Key Points
- A VPC spans multiple AZs; each subnet belongs to exactly one AZ
- Each VPC has a main CIDR block and up to 4 secondary blocks
- The default VPC comes with an IGW, public subnets, and route tables already configured
- CIDR sizes from /16 (65536 IPs) to /28 (16 IPs) are allowed
- AWS reserves 5 IPs in each subnet (the first 4 and the last)
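The sizing rules above (prefix /16 to /28, subnets inside the VPC CIDR and not overlapping, 5 reserved addresses per subnet) are easy to get wrong when planning an address space. The following Python check is an added example, not part of the original notes; it uses only the standard library and applies those rules before you call create-subnet:

```python
import ipaddress

VPC_PREFIXES = range(16, 29)   # AWS accepts /16 (65536 IPs) through /28 (16 IPs)
RESERVED_PER_SUBNET = 5        # network, VPC router, DNS resolver, future use, broadcast

def reserved_addresses(net):
    """The five addresses AWS holds back in every subnet: the first four and the last."""
    return [str(net[i]) for i in range(4)] + [str(net[-1])]

def plan_subnets(vpc_cidr, subnet_cidrs):
    """Validate a VPC CIDR and its subnets the way AWS would reject them, and report
    usable capacity. Raises ValueError on a bad prefix, a subnet outside the VPC,
    or two subnets that overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)           # strict: host bits must be zero
    if vpc.prefixlen not in VPC_PREFIXES:
        raise ValueError(f"VPC prefix /{vpc.prefixlen} not in /16../28")
    plan, accepted = [], []
    for cidr in subnet_cidrs:
        net = ipaddress.ip_network(cidr)
        if net.prefixlen not in VPC_PREFIXES:
            raise ValueError(f"subnet prefix /{net.prefixlen} not in /16../28")
        if not net.subnet_of(vpc):
            raise ValueError(f"{cidr} lies outside VPC {vpc_cidr}")
        clash = next((o for o in accepted if net.overlaps(o)), None)
        if clash:
            raise ValueError(f"{cidr} overlaps {clash}")
        accepted.append(net)
        plan.append({
            "cidr": cidr,
            "total": net.num_addresses,
            "usable": net.num_addresses - RESERVED_PER_SUBNET,
            "reserved": reserved_addresses(net),
        })
    return plan

if __name__ == "__main__":
    # Constructed plan: a /16 VPC with two /24 subnets and one /28 subnet
    for s in plan_subnets("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/28"]):
        print(s["cidr"], "usable:", s["usable"], "reserved:", s["reserved"])
```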
Basic VPC creation
# Create VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16
# Create public subnet (it only becomes public once its route table sends 0.0.0.0/0 to the IGW)
aws ec2 create-subnet \
  --vpc-id vpc-0123456789abcdef0 \
  --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a
# Create Internet Gateway
aws ec2 create-internet-gateway
# Attach IGW to VPC
aws ec2 attach-internet-gateway \
  --vpc-id vpc-0123456789abcdef0 \
  --internet-gateway-id igw-0123456789abcdef0
NAT Gateway and NAT Instance
NAT (Network Address Translation) allows instances in private subnets to initiate outbound traffic to the internet, while blocking connections initiated from the internet.
NAT Gateway (recommended):
- AWS-managed service
- High bandwidth (up to 100 Gbps)
- High availability within AZ
- No management required
- Cost per hour + per GB processed
- Must be created in public subnet
- Requires Elastic IP
- Doesn't support Security Groups (only NACL)
NAT Instance:
- EC2 instance configured as NAT
- You manage failover, patching, scaling
- More economical for low traffic
- Can be used as bastion host
- Supports Security Groups
- Must disable source/destination check
High Availability:
- NAT Gateway: Create one per AZ for redundancy
- NAT Instance: Multi-AZ Auto Scaling Group + failover script
Key Points
- NAT Gateway is managed, NAT Instance requires administration
- NAT Gateway has no automatic AZ failover (create one per AZ)
- Private instances point to NAT in route table (0.0.0.0/0 -> nat-xxx)
- NAT doesn't allow inbound connections from internet
- For multi-AZ, need one NAT Gateway per AZ
NACL vs Security Groups
AWS offers two levels of network security: NACL (Network Access Control List) at subnet level and Security Groups at instance level.
Network ACL:
- Subnet level (first line of defense)
- Stateless: Inbound and outbound rules evaluated independently
- Supports ALLOW and DENY rules
- Rules evaluated in numerical order (lowest first)
- Each subnet must be associated with NACL
- Default NACL allows all inbound/outbound
- Custom NACL denies all by default
Security Groups:
- Instance/ENI level (second line of defense)
- Stateful: If you allow inbound, outbound is automatic
- Only ALLOW rules (no explicit DENY)
- All rules evaluated (no order)
- Default: all inbound denied, all outbound allowed
When to use:
- NACL: Block specific IPs, subnet-level rules
- SG: Granular per-instance control, more common and flexible
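The stateless/stateful difference is the one that bites in practice: an NACL that allows port 80 inbound still drops the web server's replies unless the ephemeral range is allowed outbound, while a Security Group tracks the flow and lets the reply through with no outbound rule. The following Python model is an added example, not part of the original notes; the rule types and the client/server addresses are constructed:

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class NaclRule:
    number: int      # rules are tried in ascending number; first match wins
    port_from: int
    port_to: int
    cidr: str        # remote address range the rule applies to
    action: str      # "ALLOW" or "DENY"

def nacl_evaluate(rules, port, remote):
    """Stateless NACL check for one direction; the implicit '*' rule denies."""
    addr = ipaddress.ip_address(remote)
    for r in sorted(rules, key=lambda x: x.number):
        if r.port_from <= port <= r.port_to and addr in ipaddress.ip_network(r.cidr):
            return r.action
    return "DENY"

class SecurityGroup:
    """Stateful SG: ALLOW rules only; replies to an accepted inbound flow pass automatically."""
    def __init__(self, inbound):
        self.inbound = inbound   # (port_from, port_to, cidr); order does not matter
        self.flows = set()       # connection tracking: (peer_addr, peer_port, local_port)
    def inbound_allowed(self, src, sport, dport):
        for pf, pt, cidr in self.inbound:
            if pf <= dport <= pt and ipaddress.ip_address(src) in ipaddress.ip_network(cidr):
                self.flows.add((src, sport, dport))
                return True
        return False
    def reply_allowed(self, dst, dport, sport):
        # No outbound rule needed: the reply belongs to a tracked inbound flow
        return (dst, dport, sport) in self.flows

def web_server_scenario():
    """Constructed: client 203.0.113.10:50000 -> web server port 80, then the reply."""
    client, eph, web = "203.0.113.10", 50000, 80
    inbound = [NaclRule(100, web, web, "0.0.0.0/0", "ALLOW")]
    out_forgot_ephemeral = [NaclRule(100, web, web, "0.0.0.0/0", "ALLOW")]   # common mistake
    out_with_ephemeral = [NaclRule(100, 1024, 65535, "0.0.0.0/0", "ALLOW")]  # correct
    sg = SecurityGroup([(web, web, "0.0.0.0/0")])
    sg.inbound_allowed(client, eph, web)
    return {
        "nacl_request": nacl_evaluate(inbound, web, client),
        "nacl_reply_forgot_ephemeral": nacl_evaluate(out_forgot_ephemeral, eph, client),
        "nacl_reply_with_ephemeral": nacl_evaluate(out_with_ephemeral, eph, client),
        "sg_reply": sg.reply_allowed(client, eph, web),
    }
```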
Key Points
- NACL is stateless, Security Group is stateful
- NACL can explicitly DENY, SG only ALLOW
- Resource can have multiple SG, but only one NACL (via subnet)
- NACL rules numbered 1-32766, use increments of 100
- Ephemeral ports (1024-65535) must be allowed in NACL outbound
VPC Peering
VPC Peering connects two VPCs privately over the AWS network; instances in either VPC communicate as if they were in the same network.
Features:
- Connection between two VPCs (same account or cross-account)
- Can be inter-region (cross-region VPC Peering)
- Not transitive: If A↔B and B↔C, A cannot reach C directly
- VPC CIDRs must not overlap
- Must update route tables in both VPCs
- Can reference Security Groups from peer VPC (same region)
Limitations:
- Doesn't support edge-to-edge routing (can't access IGW, VGW, etc. from peer VPC)
- Maximum 125 peering connections per VPC
- Not transitive (use Transit Gateway for complex topologies)
Use Cases:
- Share resources between VPCs (same or cross-region)
- Connect VPCs from different AWS accounts
- Environment separation (dev, prod) in different VPCs
Key Points
- VPC Peering is 1-to-1, not transitive
- Transit Gateway better for hub-and-spoke topologies
- No data transfer charge intra-region
- Cross-region peering has transfer charge
- Must approve peering connection in both VPCs
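Both the public/private subnet distinction and the non-transitivity of peering come down to route table lookups: a subnet is public because its default route targets an IGW, private because it targets a NAT, and VPC A cannot reach VPC C through B because A's table has no pcx route that directly joins A and C. The following Python model is an added example, not part of the original notes; it reuses the IGW and NAT ids from the page and constructs a three-VPC topology with hypothetical peering ids pcx-ab and pcx-bc:

```python
import ipaddress

def lookup(route_table, dst):
    """Longest-prefix match, as the VPC router does; the 'local' route covers the VPC CIDR."""
    addr, best = ipaddress.ip_address(dst), None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def classify_subnet(route_table):
    """Public: default route to an IGW. Private: default route to a NAT. Otherwise isolated."""
    default = dict(route_table).get("0.0.0.0/0", "")
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private"
    return "isolated"

# Constructed subnet route tables (ids taken from the page's own examples).
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0123456789abcdef0")]
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-xxx")]

# Constructed peering topology: A<->B via pcx-ab, B<->C via pcx-bc; A and C are not peered.
VPCS = {   # name: (cidr, route table)
    "A": ("10.0.0.0/16", [("10.0.0.0/16", "local"), ("10.1.0.0/16", "pcx-ab")]),
    "B": ("10.1.0.0/16", [("10.1.0.0/16", "local"), ("10.0.0.0/16", "pcx-ab"),
                          ("10.2.0.0/16", "pcx-bc")]),
    "C": ("10.2.0.0/16", [("10.2.0.0/16", "local"), ("10.1.0.0/16", "pcx-bc")]),
}
PEERINGS = {"pcx-ab": {"A", "B"}, "pcx-bc": {"B", "C"}}

def owner_vpc(ip):
    return next(n for n, (cidr, _) in VPCS.items()
                if ipaddress.ip_address(ip) in ipaddress.ip_network(cidr))

def peer_reachable(src, dst_ip):
    """Peering is 1-to-1 and not transitive: the source route must point at a pcx that
    directly joins the two VPCs, and the peer's table must route back over the same pcx."""
    target = lookup(VPCS[src][1], dst_ip)
    if not target or not target.startswith("pcx-"):
        return False
    dst = owner_vpc(dst_ip)
    if PEERINGS[target] != {src, dst}:
        return False   # e.g. A sending to C's CIDR through pcx-ab: B will not forward it
    return lookup(VPCS[dst][1], VPCS[src][0].split("/")[0]) == target
```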
VPC Endpoints
VPC Endpoints allow private connection to AWS services without using Internet Gateway, NAT, VPN, or Direct Connect.
Endpoint Types:
Interface Endpoint (powered by PrivateLink):
- Elastic Network Interface (ENI) with private IP
- Supports most AWS services
- Cost per hour + per GB processed
- Requires Security Group
- Created in specific subnet
- Can be multi-AZ (create in each AZ)
Gateway Endpoint:
- Gateway in route table (not ENI)
- Only for S3 and DynamoDB
- FREE (no additional charge)
- No Security Group required (uses endpoint policies)
- VPC level (not specific subnet)
- High availability by default
Benefits:
- Traffic doesn't leave AWS network (more secure)
- Lower latency
- No internet setup required
- Gateway endpoints are free
Key Points
- Gateway Endpoint: only S3 and DynamoDB, free
- Interface Endpoint: almost all services, has cost
- VPC Endpoints eliminate need for NAT Gateway to AWS services
- Use endpoint policies to control access
- PrivateLink enables private access to third-party services
VPC Flow Logs
VPC Flow Logs capture information about IP traffic going to and from network interfaces in your VPC.
Capture Levels:
- VPC: Captures all VPC traffic
- Subnet: Captures traffic from all ENIs in subnet
- ENI: Captures traffic from specific interface
Destinations:
- CloudWatch Logs: Real-time analysis, alarms
- S3: Long-term storage, analysis with Athena
- Kinesis Data Firehose: Streaming to external destinations
Captured Information:
- Source/Destination IP and port
- Protocol and action (ACCEPT/REJECT)
- Number of bytes and packets
- Timestamp
Limitations:
- Doesn't capture everything (e.g., DHCP, metadata 169.254.169.254, Amazon DNS)
- May take several minutes to appear
- No impact on network performance
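The fields listed above arrive as one space-separated record per flow in the default log format (version, account id, interface id, source and destination address and port, protocol, packets, bytes, start, end, action, log status), and records with no traffic in the window carry '-' placeholders with a NODATA status. The following Python parser and REJECT summary is an added example, not part of the original notes; the four log lines, the account id and the ENI id are constructed:

```python
# Default-format VPC Flow Log fields, in order (version 2 records).
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample records: two TCP (protocol 6) probes against 10.0.1.25 rejected by the
# SG/NACL, one accepted HTTPS flow, and a NODATA record with '-' placeholders.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.25 44321 22 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.25 44322 3389 6 2 120 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.20 10.0.1.25 50123 443 6 20 8000 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000059 - NODATA
"""

def parse_flow_log(line):
    """Parse one default-format record; return None for NODATA/SKIPDATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for k in INT_FIELDS:
        rec[k] = int(rec[k])
    return rec

def reject_summary(text):
    """Group REJECT records by source address: distinct destination ports hit and packets.
    Many distinct ports from one source in a window is the pattern worth alerting on."""
    summary = {}
    for line in text.splitlines():
        rec = parse_flow_log(line)
        if rec is None or rec["action"] != "REJECT":
            continue
        entry = summary.setdefault(rec["srcaddr"], {"ports": set(), "packets": 0})
        entry["ports"].add(rec["dstport"])
        entry["packets"] += rec["packets"]
    return summary

if __name__ == "__main__":
    for src, e in reject_summary(SAMPLE_LOG).items():
        print(src, "rejected on ports", sorted(e["ports"]), "packets:", e["packets"])
```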
Key Points
- Flow Logs help with connectivity troubleshooting
- Can identify traffic rejected by Security Groups/NACL
- Not real-time (may have delay)
- Useful for compliance and security auditing
- Athena can query logs stored in S3