Amazon VPC
Your private network in AWS. Isolate and secure your resources.
What is VPC?
Private network for your AWS resources. You control the IP ranges and routing. Like having your own data center network in the cloud. Completely isolated.
Think of it like building your own private data center
You define the network layout: which parts are public (lobby), which are private (server room), and who can enter through which doors (security groups).
Key Features
Subnets
Divide your VPC. Public subnets for internet, private for internal.
Security Groups
Firewall for instances. Allow/deny traffic by port and IP.
NAT Gateway
Let private subnets access internet. Outbound only.
VPC Peering
Connect two VPCs. Traffic stays on AWS network.
VPC Endpoints
Access AWS services privately. No internet needed.
Flow Logs
Log all network traffic. Debug connectivity issues.
When to Use
- Running any AWS compute
- Need network isolation
- Multi-tier architectures
- Hybrid cloud connectivity
- Compliance requirements
- Custom IP addressing
When Not to Use
- Serverless only -> Default VPC or none
- Quick experiments -> Default VPC
- S3/DynamoDB only -> No VPC needed
- Simple Lambda -> No VPC (faster)
- Public APIs only -> API Gateway
- Static sites -> CloudFront + S3
Prerequisites
- An AWS account (default VPC provided)
- Understanding of IP addressing and CIDR notation
- AWS CLI installed (optional but recommended)
AWS Console Steps
Open VPC Dashboard
Navigate to VPC in the AWS Console and click 'Create VPC'
Choose VPC Settings
Select 'VPC and more' to create VPC with subnets, route tables, and gateways automatically
Configure CIDR Block
Enter an IPv4 CIDR block (e.g., 10.0.0.0/16 for 65,536 addresses)
Set Up Subnets
Create public and private subnets across multiple Availability Zones
Configure Gateways
Add Internet Gateway for public subnets, NAT Gateway for private subnet internet access
Review and Create
Verify the configuration and create the VPC with all components
AWS CLI Quickstart
Create VPC with AWS CLI
Create a VPC with public and private subnets using the AWS CLI
# Create VPC
aws ec2 create-vpc \
--cidr-block 10.0.0.0/16 \
--tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=my-vpc}]'
# Create public subnet
aws ec2 create-subnet \
--vpc-id vpc-xxx \
--cidr-block 10.0.1.0/24 \
--availability-zone us-east-1a
# Create Internet Gateway and attach
# ...
Creates a VPC with CIDR 10.0.0.0/16, a public subnet, and configures internet access via Internet Gateway.
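Before running commands like the ones above it helps to check that the VPC and subnet CIDRs satisfy the constraints AWS imposes (a /16 to /28 primary block from an RFC 1918 range, five addresses reserved in every subnet, no overlap with VPCs you intend to peer). The following is an added example, not code from the original page or from AWS; it uses only the Python standard library, and the AZ names and CIDRs in it are constructed sample input.

```python
"""Address-space planning for a VPC. Added example, not code from the
original page or from AWS; it only uses the Python standard library.

Rules it encodes (from the page): VPC CIDR between /16 and /28, RFC 1918
ranges, five reserved addresses per subnet, no overlapping CIDRs between
VPCs that will be peered. The AZ names and CIDRs used in __main__ are
constructed sample input."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# AWS keeps the first four addresses (network, VPC router, DNS, future use)
# and the last (broadcast) address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(cidr: str) -> ipaddress.IPv4Network:
    """Return the network if AWS would accept it as a primary VPC CIDR."""
    net = ipaddress.ip_network(cidr, strict=True)  # raises if host bits are set
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC prefix must be between /16 and /28")
    if not any(net.subnet_of(r) for r in RFC1918):
        raise ValueError(f"{cidr}: not inside an RFC 1918 range")
    return net


def usable_hosts(subnet: ipaddress.IPv4Network) -> int:
    """Addresses you can actually assign: block size minus the 5 AWS reserves."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, azs, subnet_prefix: int = 24) -> dict:
    """Carve one public and one private subnet per AZ, in address order.

    Returns {"public-<az>": network, "private-<az>": network, ...}.
    """
    vpc = validate_vpc_cidr(vpc_cidr)
    if subnet_prefix < vpc.prefixlen or subnet_prefix > 28:
        raise ValueError("subnet prefix must lie between the VPC prefix and /28")
    blocks = vpc.subnets(new_prefix=subnet_prefix)
    plan = {}
    for az in azs:
        for tier in ("public", "private"):
            try:
                plan[f"{tier}-{az}"] = next(blocks)
            except StopIteration:
                raise ValueError(
                    f"{vpc_cidr} is too small for {len(azs)} AZs at /{subnet_prefix}")
    return plan


def find_overlaps(vpc_cidrs) -> list:
    """Pairs of VPC CIDRs that overlap; such VPCs cannot be peered."""
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


if __name__ == "__main__":
    # Constructed sample input: a /16 VPC split into /24s across three AZs.
    layout = plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b", "us-east-1c"])
    for name, net in layout.items():
        print(f"{name:<20} {net!s:<16} usable={usable_hosts(net)}")
    print("overlaps:", find_overlaps(["10.0.0.0/16", "10.0.128.0/17", "172.16.0.0/16"]))
```

The overlap check is the one to run before requesting a peering connection: AWS rejects peering between VPCs whose CIDRs overlap, and the check is cheap to run across every CIDR recorded in your allocation scheme.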
First Project Ideas
- Create a VPC with public and private subnets
- Deploy a web server in public subnet with RDS in private subnet
- Set up VPC peering between two VPCs
- Configure VPC endpoints for S3 and DynamoDB
- Create a bastion host for secure SSH access
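The bastion host project above rests on the Security Groups vs NACLs distinction made in the Pro Tips below: security groups are stateful and allow-only, NACLs are stateless allow/deny lists that also need the ephemeral port range. The following is an added example, not code from the original page or from AWS: a small Python model of both rule types, with constructed CIDRs, ports and rule numbers (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for an office network and an unrelated host). It shows an SSH reply passing a security group by connection state but being dropped by a NACL until outbound 1024-65535 is allowed, and a NACL deny entry blocking one host that the security group alone would admit.

```python
"""Stateful security group vs stateless NACL, modelled in plain Python.
Added example, not code from the original page or from AWS. All CIDRs,
ports and rule numbers are constructed sample input."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reply(self) -> "Packet":
        """The return packet of this flow: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"; security groups only ever use "allow"
    proto: str         # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str          # remote side: source for inbound, destination for outbound
    number: int = 0    # NACL evaluation order; ignored by security groups

    def matches(self, remote_ip: str, port: int, proto: str) -> bool:
        return (self.proto in (proto, "all")
                and self.port_from <= port <= self.port_to
                and ip_address(remote_ip) in ip_network(self.cidr))


class SecurityGroup:
    """Allow-only and stateful: the reply to a connection that was let in
    (or out) is accepted without consulting the rules of the other direction."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound, self.outbound = inbound, outbound
        self._tracked = set()  # connections already allowed, as Packet 5-tuples

    def _evaluate(self, pkt: Packet, rules: List[Rule], remote_ip: str) -> bool:
        if pkt.reply() in self._tracked:          # reply of an allowed connection
            return True
        if any(r.matches(remote_ip, pkt.dport, pkt.proto) for r in rules):
            self._tracked.add(pkt)
            return True
        return False                               # implicit deny; no deny rules exist

    def allows_inbound(self, pkt: Packet) -> bool:
        return self._evaluate(pkt, self.inbound, pkt.src)

    def allows_outbound(self, pkt: Packet) -> bool:
        return self._evaluate(pkt, self.outbound, pkt.dst)


class NetworkAcl:
    """Stateless: every packet, replies included, is checked against the
    numbered rules of its direction; the lowest matching number wins and a
    packet matching nothing hits the implicit deny."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _first_match(rules, remote_ip, port, proto) -> Optional[Rule]:
        return next((r for r in rules if r.matches(remote_ip, port, proto)), None)

    def allows_inbound(self, pkt: Packet) -> bool:
        hit = self._first_match(self.inbound, pkt.src, pkt.dport, pkt.proto)
        return hit is not None and hit.action == "allow"

    def allows_outbound(self, pkt: Packet) -> bool:
        hit = self._first_match(self.outbound, pkt.dst, pkt.dport, pkt.proto)
        return hit is not None and hit.action == "allow"


def bastion_scenario() -> dict:
    """SSH from the office range to a bastion, and its reply, as seen by a
    security group and by a NACL with and without the ephemeral port rule."""
    ssh = Packet("203.0.113.10", 51000, "10.0.1.10", 22)
    sg = SecurityGroup(
        inbound=[Rule("allow", "tcp", 22, 22, "203.0.113.0/24")],
        outbound=[Rule("allow", "tcp", 22, 22, "10.0.0.0/16")],  # onward SSH only
    )
    nacl_incomplete = NetworkAcl(   # forgot the ephemeral range: replies are dropped
        inbound=[Rule("deny", "tcp", 0, 65535, "203.0.113.99/32", number=90),
                 Rule("allow", "tcp", 22, 22, "203.0.113.0/24", number=100)],
        outbound=[Rule("allow", "tcp", 443, 443, "0.0.0.0/0", number=100)],
    )
    nacl_fixed = NetworkAcl(
        inbound=nacl_incomplete.inbound,
        outbound=nacl_incomplete.outbound
        + [Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0", number=110)],
    )
    blocked_host = Packet("203.0.113.99", 51001, "10.0.1.10", 22)
    return {
        "sg_in": sg.allows_inbound(ssh),
        "sg_reply": sg.allows_outbound(ssh.reply()),        # allowed by state alone
        "nacl_in": nacl_incomplete.allows_inbound(ssh),
        "nacl_reply_incomplete": nacl_incomplete.allows_outbound(ssh.reply()),
        "nacl_reply_fixed": nacl_fixed.allows_outbound(ssh.reply()),
        "sg_blocked_host": sg.allows_inbound(blocked_host),  # SG alone lets it in
        "nacl_blocked_host": nacl_fixed.allows_inbound(blocked_host),  # NACL deny wins
    }


if __name__ == "__main__":
    for name, allowed in bastion_scenario().items():
        print(f"{name:<22} {'ALLOW' if allowed else 'DROP'}")
```

Run it and the two NACL outcomes for the same reply packet are the whole lesson: the security group never needed an egress rule for the reply, the NACL did, and only the NACL could reject the single office host while the rest of its /24 stayed allowed.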
Pro Tips
Plan CIDR blocks for growth [operational]
Use /16 for VPCs to allow room for growth. Plan non-overlapping CIDRs across all VPCs and accounts.
Do: Document your IP allocation scheme. Reserve CIDR ranges for future VPCs.
Don't: Use overlapping CIDRs in VPCs you'll need to peer.
Separate public and private subnets [reliability]
Public subnets get Internet Gateway routes. Private subnets use NAT Gateway for outbound only.
Do: Put web servers in public, databases in private. Use 3 AZs for production.
Don't: Mix public and private resources in the same subnet.
Reduce NAT Gateway costs [cost]
NAT Gateway costs ~$32/month plus $0.045/GB. Use free S3/DynamoDB endpoints to skip NAT charges.
Do: Always create free gateway endpoints for S3 and DynamoDB.
Don't: Route AWS service traffic through NAT Gateway.
Know Security Groups vs NACLs [security]
Security Groups are STATEFUL and allow-only. NACLs are STATELESS with allow/deny rules.
Do: Use Security Groups for instance rules. Use NACLs to block specific IPs.
Don't: Forget ephemeral ports (1024-65535) in NACL rules.
Use VPC Endpoints for AWS services [cost]
Gateway endpoints for S3/DynamoDB are FREE. Interface endpoints cost ~$7/month/AZ but avoid NAT.
Do: Create S3 and DynamoDB gateway endpoints in every VPC.
Don't: Create interface endpoints for rarely-used services.
Enable Flow Logs for debugging [security]
Flow Logs capture traffic metadata. Send to S3 for cheap storage or CloudWatch for real-time analysis.
Do: Enable flow logs at VPC level. Query with Athena or CloudWatch Insights.
Don't: Forget to set retention policies on log storage.
Use Transit Gateway for 4+ VPCs [operational]
Transit Gateway provides hub-and-spoke routing. VPC Peering is non-transitive and gets messy at scale.
Do: Use Transit Gateway for 4+ VPCs or transitive routing needs.
Don't: Create mesh peering with 10+ VPCs. Use Transit Gateway instead.
Remember 5 reserved IPs per subnet [operational]
AWS reserves the first four addresses and the last address of every subnet (.0, .1, .2, .3 and .255 in a /24). A /24 has 251 usable IPs, not 256.
Do: Use /24 minimum for subnets with many resources.
Don't: Use /28 subnets unless absolutely necessary.
Key Facts
VPC CIDR: /16 to /28 (65,536 to 16 IPs)
Use RFC 1918 ranges. Can add up to 5 secondary CIDRs.
[limit] Default: 200 subnets per VPC
Subnets are AZ-specific. Cannot span multiple AZs.
[limit] Default: 60 inbound + 60 outbound rules per SG
2,500 security groups per VPC. 5 SGs per network interface.
[limit] NACL: 20 inbound + 20 outbound rules (default)
One NACL per subnet. Custom NACLs deny all by default.
[limit] NAT Gateway: 45 Gbps burst, scales to 100 Gbps
~$32/month + $0.045/GB. One per AZ for full HA.
[behavior] VPC Peering: 125 active per VPC (default)
Non-transitive. No overlapping CIDRs allowed.
[limit] Default: 5 Elastic IPs per region
Charged when not associated with a running instance.
[limit] 5 IPs reserved per subnet
.0, .1, .2, .3, .255 reserved. A /24 has 251 usable IPs.
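The Flow Logs tip above recommends enabling logs at the VPC level and querying them. As an added example, not code from the original page or from AWS, here is a parser for the default flow log record format (version 2) run over a few constructed records, with the summaries a defender usually wants first: rejected flows per source and port, sources rejected on several ports of one host, and bytes per destination. The interface id and account id in the sample are placeholders, and the addresses are documentation ranges plus the 10.0.0.0/16 space used elsewhere on this page.

```python
"""Parse VPC Flow Log records (default format, version 2) and summarise
rejected traffic. Added example, not code from the original page or from
AWS; the lines in SAMPLE_LOG are constructed, with a placeholder account id
and interface id."""
from collections import Counter, defaultdict

# Field order of the default flow log record format (version 2).
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}

# Constructed sample: one accepted SSH session from the office range, three
# rejects from one internet host on different ports, app-to-database
# traffic, a NODATA record, and one rejected HTTP attempt.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.10 10.0.1.10 51000 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.7 10.0.1.10 40123 3389 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.7 10.0.1.10 40124 23 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.7 10.0.1.10 40125 445 6 1 40 1418530010 1418530070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 10.0.1.10 10.0.2.20 45500 5432 6 80 12000 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1418530010 1418530070 - NODATA
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.10 10.0.1.10 51010 80 6 1 60 1418530070 1418530130 REJECT OK
"""


def parse_flow_log(text: str) -> list:
    """One dict per record; numeric fields become int, '-' becomes None."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        rec = dict(zip(FIELDS, parts))
        for k in INT_FIELDS:   # NODATA / SKIPDATA records carry '-' in these
            rec[k] = None if rec[k] == "-" else int(rec[k])
        records.append(rec)
    return records


def ok_records(records) -> list:
    """Only records that actually describe traffic."""
    return [r for r in records if r["log_status"] == "OK"]


def reject_summary(records) -> Counter:
    """(source address, destination port) -> number of REJECT records."""
    return Counter((r["srcaddr"], r["dstport"])
                   for r in ok_records(records) if r["action"] == "REJECT")


def probing_sources(records, min_ports: int = 3) -> list:
    """Sources rejected on at least min_ports distinct ports of one destination,
    the footprint a port probe leaves. Returns (src, dst, sorted ports)."""
    ports = defaultdict(set)
    for r in ok_records(records):
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return sorted((src, dst, sorted(p))
                  for (src, dst), p in ports.items() if len(p) >= min_ports)


def bytes_by_destination(records) -> dict:
    """Total bytes delivered towards each destination address."""
    totals = Counter()
    for r in ok_records(records):
        totals[r["dstaddr"]] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("rejects:", dict(reject_summary(recs)))
    print("probing:", probing_sources(recs))
    print("bytes:", bytes_by_destination(recs))
```

The same three questions map directly onto Athena or CloudWatch Logs Insights queries once the logs are in S3 or CloudWatch; the point of the local parser is to know what a record looks like, including the NODATA and SKIPDATA lines that carry no addresses, before writing those queries.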