An Amazon Virtual Private Cloud (VPC) is a logically isolated section of the AWS cloud where you can launch AWS resources in a custom IP network that you define. It behaves like an on-premises data centre network, giving full control over IP addressing, subnetting, routing, firewalls, and connectivity.

Core VPC Components

| Component | Description |
| --- | --- |
| VPC | The root container for all AWS networking resources |
| Subnet | Logical segmentation within a VPC (public or private) |
| Route Table | Defines how traffic is directed within or outside the VPC |
| Internet Gateway (IGW) | Enables Internet access for public subnets |
| NAT Gateway (NATGW) | Enables private subnets to initiate outbound traffic securely |
| Network ACL (NACL) | Stateless packet filter applied at subnet level |
| Security Group (SG) | Stateful firewall applied to instances/ENIs |
| VPC Peering / Transit Gateway | Connects multiple VPCs or hybrid networks |

Default vs Custom VPCs

Default VPC characteristics:
  • Automatically created per region
  • One public subnet per AZ
  • Internet access enabled
  • Auto-created security group and route table
  • Good for testing or quick labs
  • Not recommended for production environments

VPC CIDR and Subnetting

Each VPC is assigned an IPv4 CIDR block (and optionally IPv6). AWS allows between /16 and /28 for the VPC’s CIDR range.

Example Architecture

VPC CIDR: 10.0.0.0/16
Subnet-A: 10.0.1.0/24 (Public)
Subnet-B: 10.0.2.0/24 (Private)
Subnet-C: 10.0.3.0/24 (Private)

| Subnet | CIDR | AZ | Type | Route Table | Internet Access |
| --- | --- | --- | --- | --- | --- |
| Public-A | 10.0.1.0/24 | eu-west-2a | Public | Public RT | |
| Private-A | 10.0.2.0/24 | eu-west-2a | Private | Private RT | |
| Private-B | 10.0.3.0/24 | eu-west-2b | Private | Private RT | |
Each subnet resides entirely within one Availability Zone.

VPC Architecture Overview

                 +-----------------------------+
                 |         AWS Cloud           |
                 |   VPC: 10.0.0.0/16          |
                 |                             |
     +-----------+-----------------------------+------------+
     | Public Subnet (10.0.1.0/24)                          |
     |  EC2 (Web)  -->  IGW (Internet Gateway)              |
     +------------------------------------------------------+
     | Private Subnet (10.0.2.0/24)                         |
     |  EC2 (App/DB) --> NATGW (Outbound only)              |
     +------------------------------------------------------+

Public Subnet

Contains resources needing Internet access (e.g. bastion hosts, web servers)

Private Subnet

Isolated, no direct inbound access (e.g. databases, backend apps)

NAT Gateway

Allows outbound Internet access from private subnets

Internet Gateway

Allows inbound/outbound Internet for public subnets

Route Table Behaviour

| Destination | Target | Description |
| --- | --- | --- |
| 10.0.0.0/16 | local | Enables internal VPC communication |
| 0.0.0.0/0 | igw-xxxxxx | Internet access for public subnets (public route table) |
| 0.0.0.0/0 | nat-xxxxxx | Outbound Internet via NATGW for private subnets (private route table) |
Each subnet can be associated with only one route table, but a route table can be associated with multiple subnets.
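The subnet plan and route tables above, modelled in Python with the standard library's ipaddress module, as an added example that is not part of the original page: it checks the /16 to /28 limit, that each subnet fits inside the VPC without overlapping, and resolves a destination through a route table with longest-prefix match, which is how a subnet's public or private type follows from its 0.0.0.0/0 target. The gateway ids and the plan itself are constructed placeholders, not AWS API output.

```python
import ipaddress

# Constructed plan matching the page's example architecture (not AWS API output).
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "Public-A":  ("10.0.1.0/24", "eu-west-2a", "Public RT"),
    "Private-A": ("10.0.2.0/24", "eu-west-2a", "Private RT"),
    "Private-B": ("10.0.3.0/24", "eu-west-2b", "Private RT"),
}
# Route tables: destination -> target. Gateway ids are placeholders.
ROUTE_TABLES = {
    "Public RT":  {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-PLACEHOLDER"},
    "Private RT": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-PLACEHOLDER"},
}

def validate_plan(vpc_cidr, subnets):
    """Return a list of problems: prefix outside /16../28, subnet outside the VPC,
    or two subnets overlapping. An empty list means the plan is sound."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC prefix /{vpc.prefixlen} outside /16../28")
    seen = []
    for name, (cidr, _az, _rt) in subnets.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            problems.append(f"{name} {cidr} is not inside {vpc_cidr}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name} overlaps {other_name}")
        seen.append((name, net))
    return problems

def lookup_route(route_table, dst_ip):
    """Longest-prefix match: the most specific matching destination wins,
    so 10.0.0.0/16 -> local beats 0.0.0.0/0 for in-VPC traffic."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for dst, target in route_table.items():
        net = ipaddress.ip_network(dst)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def subnet_type(name):
    """A subnet is public only if its route table sends Internet-bound
    traffic to an IGW; a NAT target or no default route means private."""
    _cidr, _az, rt = SUBNETS[name]
    target = lookup_route(ROUTE_TABLES[rt], "203.0.113.10")  # TEST-NET-3 address
    return "Public" if target and target.startswith("igw-") else "Private"
```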

Security Model: NACL vs Security Groups

| Feature | Network ACL (NACL) | Security Group (SG) |
| --- | --- | --- |
| Type | Stateless | Stateful |
| Scope | Subnet-level | Instance/ENI-level |
| Rules Evaluated | Inbound + Outbound | Inbound + Outbound |
| Default Behaviour | Deny all (custom) / Allow all (default) | Deny all inbound, allow all outbound |
| Use Case | Granular subnet filtering | Instance-level firewalling |

Common AWS CLI Commands

# List all VPCs
aws ec2 describe-vpcs

# Create a new VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16

Lab Exercise

1. Create Custom VPC: create a custom VPC with CIDR 10.0.0.0/16
2. Create Subnets: create two subnets:
  • 10.0.1.0/24 (public)
  • 10.0.2.0/24 (private)
3. Attach Gateways: attach an Internet Gateway and create a NAT Gateway
4. Configure Route Tables: create route tables for public and private subnets:
  • Public → IGW for Internet
  • Private → NAT Gateway for outbound Internet
5. Test Connectivity: launch EC2 instances in each subnet and verify:
  • Public EC2 → Internet ✅
  • Private EC2 → Internet via NAT ✅
  • Private EC2 → Direct inbound ❌

Integration with On-Prem / Multi-VPC

AWS supports multiple interconnect options:

| Connection Type | Description | Routing Type |
| --- | --- | --- |
| VPC Peering | Point-to-point connection between VPCs | Static routes |
| Transit Gateway (TGW) | Central hub for multi-VPC or hybrid connectivity | Dynamic (BGP optional) |
| VPN / Direct Connect | Connect on-premises networks | Static or BGP dynamic routing |

Security Best Practices

Use Custom VPCs

Disable default VPCs in production environments

Restrict Security Groups

Change default security groups — restrict inbound access

Separate Environments

Separate Prod/Dev/Test into different VPCs

Least Privilege

Enforce least privilege routing and network isolation

Enable Flow Logs

Use VPC Flow Logs for visibility and auditing

Tag Resources

Tag all network components consistently

Further Reading
