05 — VPC & Networking
What is a VPC?
Virtual Private Cloud — your own isolated network in AWS. You control IP ranges, subnets, routing, and security.
```text
┌─ VPC (10.0.0.0/16) ────────────────────────────────────┐
│                                                        │
│  ┌─ Public Subnet (10.0.1.0/24) ── AZ-a ────────────┐  │
│  │  EC2 (web server)   NAT Gateway                  │  │
│  │  ALB                                             │  │
│  └──────────────────────────────────────────────────┘  │
│                                                        │
│  ┌─ Private Subnet (10.0.2.0/24) ── AZ-a ───────────┐  │
│  │  EC2 (app server)   RDS                          │  │
│  │  Lambda                                          │  │
│  └──────────────────────────────────────────────────┘  │
│                                                        │
│  ┌─ Public Subnet (10.0.3.0/24) ── AZ-b ────────────┐  │
│  │  EC2 (web server)                                │  │
│  └──────────────────────────────────────────────────┘  │
│                                                        │
│  ┌─ Private Subnet (10.0.4.0/24) ── AZ-b ───────────┐  │
│  │  EC2 (app server)   RDS (standby)                │  │
│  └──────────────────────────────────────────────────┘  │
│                                                        │
│  Internet Gateway ←→ Internet                          │
└────────────────────────────────────────────────────────┘
```
Key Components
| Component | Purpose |
|---|---|
| VPC | Isolated network (CIDR block, e.g., 10.0.0.0/16 = 65,536 IPs) |
| Subnet | Segment of VPC in one AZ (public or private) |
| Internet Gateway (IGW) | VPC ↔ Internet connection |
| NAT Gateway | Private subnet → Internet (outbound only) |
| Route Table | Rules for directing traffic |
| Security Group | Instance-level firewall (stateful) |
| NACL | Subnet-level firewall (stateless) |
| Elastic IP | Static public IP |
Public vs Private Subnets
| | Public Subnet | Private Subnet |
|---|---|---|
| Route to IGW | ✅ Yes | ❌ No |
| Direct internet access | ✅ Yes | ❌ No |
| Outbound internet | Via IGW | Via NAT Gateway |
| Use for | Load balancers, bastion hosts | App servers, databases |
Route Tables
Public subnet route table:

```text
10.0.0.0/16 → local        (VPC internal)
0.0.0.0/0   → igw-xxxxx    (internet)
```

Private subnet route table:

```text
10.0.0.0/16 → local        (VPC internal)
0.0.0.0/0   → nat-xxxxx    (outbound internet via NAT)
```
Security Groups vs NACLs
| | Security Group | NACL |
|---|---|---|
| Level | Instance (ENI) | Subnet |
| State | Stateful (return traffic auto-allowed) | Stateless (must allow both directions, including the ephemeral-port return path) |
| Rules | Allow only | Allow + Deny |
| Evaluation | All rules evaluated; any match allows | Rules evaluated in order by number, lowest first; first match wins |
| Default | Deny all inbound, allow all outbound | Allow all (the default NACL; a newly created custom NACL denies all) |

Inbound traffic is evaluated in this order: Internet → NACL (subnet) → Security Group (instance) → EC2
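As an added example (not part of this chapter or any AWS code), a small Python model of the two evaluation rules in the table above: NACL rules are checked in number order with first match winning and the stateless return path must be allowed explicitly, while the security group is allow-only and stateful. The rule sets and IP addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number (evaluation order); unused for security groups
    action: str      # "allow" or "deny" (security groups only ever carry "allow")
    protocol: str    # "tcp", "udp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str        # remote CIDR: source for inbound rules, destination for outbound

def _matches(rule, proto, port, remote_ip):
    return (rule.protocol in ("-1", proto)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr))

def nacl_decides(rules, proto, port, remote_ip):
    """NACL: rules checked in ascending number order, first match wins,
    and the implicit '*' rule denies anything unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, proto, port, remote_ip):
            return rule.action == "allow"
    return False

def sg_decides(rules, proto, port, remote_ip):
    """Security group: allow-only, every rule considered, any match allows."""
    return any(_matches(r, proto, port, remote_ip) for r in rules)

def web_request(nacl_in, nacl_out, sg_in, client_ip, client_port):
    """Client at client_ip:client_port opens TCP/443 to an instance in the subnet.
    Returns (request_reaches_instance, reply_leaves_subnet). The stateful SG
    admits the reply automatically; the stateless NACL must allow it explicitly."""
    reaches = (nacl_decides(nacl_in, "tcp", 443, client_ip)
               and sg_decides(sg_in, "tcp", 443, client_ip))
    replies = reaches and nacl_decides(nacl_out, "tcp", client_port, client_ip)
    return reaches, replies

# Constructed sample rule sets (documentation IP ranges, not a real account)
SG_WEB = [Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_IN = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_OUT_BROKEN = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]  # no ephemeral ports
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]
# A deny numbered before the allow takes effect; the same deny numbered after it never fires
NACL_IN_DENY_FIRST = [Rule(50, "deny", "tcp", 443, 443, "198.51.100.0/24")] + NACL_IN
NACL_IN_DENY_LAST = NACL_IN + [Rule(150, "deny", "tcp", 443, 443, "198.51.100.0/24")]
```

With `NACL_OUT_BROKEN` the request reaches the instance but the reply to the client's ephemeral port is dropped by the NACL's catch-all deny; `NACL_OUT_FIXED` lets it through.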
NAT Gateway
Lets private subnet instances reach the internet (for updates, API calls) without being publicly accessible.
- Created in a PUBLIC subnet
- The private subnet route table points 0.0.0.0/0 → NAT Gateway
- Cost: ~$0.045/hr + $0.045/GB processed
- Tip: use a NAT Gateway in each AZ for high availability
VPC Peering
Connect two VPCs (same or different accounts/regions).
```text
VPC-A (10.0.0.0/16) ←── Peering ──→ VPC-B (172.16.0.0/16)
```
- No transitive peering (A↔B, B↔C does NOT mean A↔C)
- No overlapping CIDRs
- Update route tables in both VPCs
Common Architecture
3-tier architecture:

```text
Internet
   ↓
ALB (public subnet)
   ↓
App servers (private subnet)      ← Security Group: allow from ALB only
   ↓
RDS (private subnet, isolated)    ← Security Group: allow from app SG only
```

- The database is NEVER placed in a public subnet
- App servers reach the internet via the NAT Gateway (for package updates)
Key Takeaways
- VPC = your isolated network; always use multiple AZs for HA
- Public subnets for load balancers; private subnets for apps and databases
- Security Groups (stateful, instance-level) are your primary firewall
- NACLs (stateless, subnet-level) for extra defense layer
- NAT Gateway lets private instances reach the internet without being exposed
- Never place databases in public subnets — always private, accessed only from app layer