VPC — Concept
What it is
Amazon Virtual Private Cloud (VPC) = a logically isolated virtual network you define inside an AWS region. You control its IP range, subnets, routing, and security.
Why it exists
Every AWS resource that has a network interface lives inside a VPC (yours, or an AWS-managed VPC for serverless services such as Lambda when you do not attach them to your own). VPC isolation lets you build production-grade networks with private/public segmentation, hybrid links, and granular security.
Core building blocks
| Object | Role |
|---|---|
| CIDR block | The IPv4 range you pick at VPC creation (e.g. 10.0.0.0/16). Up to 5 IPv4 CIDRs per VPC by default (adjustable quota); cannot be changed to a different size after creation, only extended with secondary CIDRs. |
| Subnet | A slice of the VPC inside one AZ. Public = has route to IGW. Private = no IGW route. |
| Route table | Each subnet is associated with exactly one route table (explicitly, or the VPC's main RT by default). Defines where traffic goes; every table carries an implicit local route for the VPC CIDR that cannot be removed. |
| Internet Gateway (IGW) | One per VPC. Allows public IPv4 / Elastic IP traffic to/from internet. |
| NAT Gateway | Lets private subnets reach the internet outbound only (no inbound connections). Lives in a public subnet with an EIP, AZ-scoped, managed, charged per-hour + per GB processed. |
| NAT Instance | DIY EC2 NAT (legacy, cheaper, less HA, you patch it). Requires disabling the source/destination check on its ENI. |
| Egress-only IGW | IPv6 outbound-only (analog of NAT for IPv6). |
| Elastic IP (EIP) | Static public IPv4 you keep across instance stop/start. Historically charged only while not associated with a running instance; since February 2024 every public IPv4 address, attached or not, carries an hourly charge. |
| Security Group | Stateful firewall on ENI. Allow-only. |
| NACL | Stateless firewall on subnet. Allow + deny rules, evaluated in order. |
| ENI | Virtual NIC; can be attached/detached, has SG + IPs. |
| DHCP option set | DNS / NTP / domain suffix served to instances. |
| VPC Flow Logs | Capture connection metadata (addresses, ports, protocol, bytes, ACCEPT/REJECT), never payload, at VPC, subnet or ENI level → CloudWatch Logs / S3 / Kinesis Data Firehose. |
Subnet design pattern (exam standard)
- VPC with a /16
- Per AZ (use ≥ 2 for HA): one public + one private + optional database subnet
- Public subnet route table: 0.0.0.0/0 → IGW (one table can be shared by all public subnets)
- Private subnet route table: 0.0.0.0/0 → NAT GW (the NAT in the public subnet of the same AZ, so each AZ needs its own private route table)
- DB subnet usually has no internet route at all (only the implicit local route)
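A planner for the pattern above, added here as an illustration and not taken from any AWS tool or documentation: it carves a hypothetical 10.0.0.0/16 into per-AZ, per-tier /24 subnets, lists the five addresses AWS reserves in each, computes usable capacity, and emits the route each tier needs. AZ names and the igw-main / nat-<az> target IDs are assumptions.

```python
from __future__ import annotations
import ipaddress

# Constructed inputs for the exam-standard layout (hypothetical values).
VPC_CIDR = "10.0.0.0/16"
AZS = ["us-east-1a", "us-east-1b"]        # assumed AZ names; use >= 2 for HA
TIERS = ["public", "private", "db"]       # one subnet of each tier per AZ
SUBNET_PREFIX = 24

RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def reserved_addresses(subnet: ipaddress.IPv4Network) -> list[str]:
    """The five addresses AWS reserves in every IPv4 subnet: first four + last."""
    base = int(subnet.network_address)
    first_four = [str(ipaddress.IPv4Address(base + i)) for i in range(4)]
    return first_four + [str(subnet.broadcast_address)]


def usable_hosts(subnet: ipaddress.IPv4Network) -> int:
    """Addresses you can actually assign to ENIs in this subnet."""
    return subnet.num_addresses - RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, azs: list[str], tiers: list[str],
                 prefix: int) -> dict[tuple[str, str], ipaddress.IPv4Network]:
    """Carve the VPC CIDR into one subnet per (tier, AZ), tier-major order.

    Enforces the AWS size rules: VPC between /16 and /28, subnets no
    smaller than /28 and no larger than the VPC itself.
    """
    vpc = ipaddress.IPv4Network(vpc_cidr)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError("VPC CIDR must be between /16 and /28")
    if not vpc.prefixlen <= prefix <= 28:
        raise ValueError("subnet prefix must be between the VPC prefix and /28")
    chunks = vpc.subnets(new_prefix=prefix)
    plan: dict[tuple[str, str], ipaddress.IPv4Network] = {}
    for tier in tiers:
        for az in azs:
            subnet = next(chunks, None)
            if subnet is None:
                raise ValueError("VPC CIDR too small for the requested subnets")
            plan[(tier, az)] = subnet
    return plan


def route_table_for(tier: str, az: str) -> list[tuple[str, str]]:
    """Routes (destination, target) a tier needs besides the implicit local route.

    Hypothetical resource IDs: igw-main for the IGW, nat-<az> for the NAT
    gateway sitting in the public subnet of the same AZ.
    """
    if tier == "public":
        return [("0.0.0.0/0", "igw-main")]
    if tier == "private":
        return [("0.0.0.0/0", f"nat-{az}")]
    return []  # db tier: no internet route at all


if __name__ == "__main__":
    plan = plan_subnets(VPC_CIDR, AZS, TIERS, SUBNET_PREFIX)
    for (tier, az), subnet in plan.items():
        print(f"{tier:8} {az}: {subnet}  usable={usable_hosts(subnet)}"
              f"  routes={route_table_for(tier, az)}")
    first = plan[("public", AZS[0])]
    print("reserved in", first, "->", reserved_addresses(first))
```

The tier-major carving keeps each tier's subnets adjacent, which makes NACL and route-table rules summarizable; the per-AZ private route tables are what prevent cross-AZ NAT traffic (and the matching data charges) when one AZ's NAT goes down.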
Security Groups vs NACLs (must memorize)
| | Security Group | NACL |
|---|---|---|
| Layer | ENI / instance | Subnet |
| Stateful? | Yes (return traffic auto-allowed) | No (must allow both directions, including ephemeral ports for replies) |
| Rules | Allow only | Allow + Deny |
| Order | All rules evaluated; any match allows | Numbered, lowest first; first match wins, implicit deny (*) at the end |
| Default | Deny all in, allow all out | Default NACL allows all in & out; a newly created custom NACL denies all in & out |
| Multiple per resource? | Up to 5 per ENI | One per subnet (one NACL can serve many subnets) |
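The table above is easiest to remember once you have seen the two evaluation models side by side. The following simulator is an added example, not AWS code, and uses hypothetical rule numbers and RFC 5737 documentation addresses: it models a stateful, allow-only security group and a stateless, numbered NACL, then shows why a "block this IP" requirement needs a NACL deny, why that deny must be numbered below the allow, and why a NACL with no outbound ephemeral-port rule silently breaks replies.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed scenario (hypothetical): a web subnet, one legitimate client, one bad IP.
BAD_IP = "203.0.113.7"
CLIENT_IP = "198.51.100.9"


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny" (security groups only accept "allow")
    proto: str              # "tcp", "udp", "icmp" or "all"
    ports: tuple[int, int]  # inclusive range; (0, 65535) means any port
    cidr: str               # source for inbound rules, destination for outbound


@dataclass(frozen=True)
class Flow:
    """A client connecting to a server inside the subnet (e.g. HTTPS)."""
    src: str
    sport: int              # client's ephemeral port; the reply goes back to it
    dport: int
    proto: str = "tcp"


def matches(rule: Rule, proto: str, port: int, ip: str) -> bool:
    return (rule.proto in ("all", proto)
            and rule.ports[0] <= port <= rule.ports[1]
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))


class SecurityGroup:
    """Stateful, allow-only: every rule is evaluated, any match permits the
    request, and the reply to a permitted request is allowed automatically."""
    def __init__(self, inbound: list[Rule]):
        if any(r.action != "allow" for r in inbound):
            raise ValueError("security groups have no deny rules")
        self.inbound = inbound

    def flow_allowed(self, f: Flow) -> bool:
        return any(matches(r, f.proto, f.dport, f.src) for r in self.inbound)


class NetworkAcl:
    """Stateless: rules are numbered, evaluated lowest number first, first
    match wins, and an implicit '*' deny ends each direction."""
    def __init__(self, inbound: dict[int, Rule], outbound: dict[int, Rule]):
        self.inbound, self.outbound = inbound, outbound

    @staticmethod
    def evaluate(rules: dict[int, Rule], proto: str, port: int,
                 ip: str) -> tuple[str, int | None]:
        for num in sorted(rules):
            if matches(rules[num], proto, port, ip):
                return rules[num].action, num
        return "deny", None  # the '*' rule

    def flow_allowed(self, f: Flow) -> bool:
        """Request must pass inbound AND the reply must pass outbound."""
        req, _ = self.evaluate(self.inbound, f.proto, f.dport, f.src)
        reply, _ = self.evaluate(self.outbound, f.proto, f.sport, f.src)
        return req == "allow" and reply == "allow"


ANY, EPHEMERAL, HTTPS = (0, 65535), (1024, 65535), (443, 443)

# Web-tier SG: HTTPS from anywhere. It has no way to say "except 203.0.113.7".
web_sg = SecurityGroup([Rule("allow", "tcp", HTTPS, "0.0.0.0/0")])

# Correct subnet NACL: deny the bad IP *before* the general allow, and open
# ephemeral ports outbound so replies to clients can leave the subnet.
web_nacl = NetworkAcl(
    inbound={50: Rule("deny", "all", ANY, f"{BAD_IP}/32"),
             100: Rule("allow", "tcp", HTTPS, "0.0.0.0/0")},
    outbound={100: Rule("allow", "tcp", EPHEMERAL, "0.0.0.0/0")})

# Mistake 1: deny numbered after the allow, so the allow matches first.
misordered_nacl = NetworkAcl(
    inbound={100: Rule("allow", "tcp", HTTPS, "0.0.0.0/0"),
             150: Rule("deny", "all", ANY, f"{BAD_IP}/32")},
    outbound={100: Rule("allow", "tcp", EPHEMERAL, "0.0.0.0/0")})

# Mistake 2: no outbound ephemeral rule, so requests arrive but replies drop.
no_reply_nacl = NetworkAcl(
    inbound={100: Rule("allow", "tcp", HTTPS, "0.0.0.0/0")}, outbound={})


def reachable(sg: SecurityGroup, nacl: NetworkAcl, f: Flow) -> bool:
    """Both layers must permit the flow: NACL at the subnet edge, SG on the ENI."""
    return nacl.flow_allowed(f) and sg.flow_allowed(f)


if __name__ == "__main__":
    good, bad = Flow(CLIENT_IP, 51000, 443), Flow(BAD_IP, 51000, 443)
    print("SG alone blocks bad IP?        ", not web_sg.flow_allowed(bad))
    print("NACL blocks bad IP?            ", not web_nacl.flow_allowed(bad))
    print("misordered NACL blocks bad IP? ", not misordered_nacl.flow_allowed(bad))
    print("client reaches web (correct)?  ", reachable(web_sg, web_nacl, good))
    print("client reaches web (no ephem)? ", reachable(web_sg, no_reply_nacl, good))
```

The ephemeral range here follows the AWS recommendation of 1024-65535 for a NACL outbound rule; the real NACL additionally has to cover the ephemeral ports the NAT gateway and ELB use, which is why a stateless subnet rule set usually ends up wider than the equivalent security group.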
VPC endpoints (private access to AWS services)
- Gateway endpoint = route-table entry (prefix list → endpoint), free. Only for S3 and DynamoDB, and reachable only from inside that VPC, not over peering, VPN or Direct Connect.
- Interface endpoint (PrivateLink) = ENI in your subnet with a private IP and its own security group, hourly + per GB. Most other services (KMS, SQS, SNS, EC2 API, CloudWatch, ECR, …); S3 also offers an interface endpoint for access from on-premises or peered networks.
- Solve "private subnet must reach S3 without internet" by adding a Gateway endpoint.
When to use vs alternatives
| Use ... | Instead of ... | When ... |
|---|---|---|
| NAT Gateway | NAT Instance | Production — managed, HA per AZ, scalable |
| Gateway Endpoint | NAT Gateway for S3/DynamoDB | Avoid NAT data charges for AWS-service traffic |
| Security Group reference | Hard-coded IPs | SG can allow another SG as source (cross-instance) |
| NACL | SG | You need explicit Deny (e.g. block a bad IP) |
Limits & defaults
- CIDR block size: /16 to /28 (max 65,536 IPs, min 16).
- AWS reserves 5 IPs per subnet (network address, VPC router at .1, DNS at .2, .3 for future use, broadcast at the last address), so usable addresses = 2^(32 - prefix) - 5; a /24 gives 251.
- 5 VPCs per region (soft).
- 5 SGs per ENI (soft, max 16).
- NAT Gateway: AZ-resident — for HA put one per AZ.
- Default VPC includes one /16 (172.31.0.0/16) and one public subnet per AZ.
Common exam scenarios
- "EC2 in private subnet must download patches" → NAT Gateway in public subnet, route 0.0.0.0/0 → NAT.
- "Private EC2 must read from S3 without going to internet" → Gateway VPC Endpoint for S3.
- "Need to block a specific malicious IP" → NACL Deny rule (SGs can't deny).
- "Avoid cross-AZ NAT charges" → one NAT per AZ + per-AZ private subnet routes.
- "Two-tier app: web + DB, DB never sees internet" → DB subnet with no IGW/NAT route.
- "VPC Flow Logs to investigate denied traffic" → enable Flow Logs at VPC, subnet or ENI level and filter on action REJECT (a REJECT means an SG or NACL dropped it; the log does not say which).
- "Connect two VPCs in same region" → VPC Peering (1:1, no transitive) or Transit Gateway (hub).
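For the Flow Logs scenario, the following parser is an added example rather than anything from AWS: it reads lines in the default version-2 flow log format, skips NODATA records, groups REJECTs by source address and flags sources rejected on several distinct destination ports, which is what a port scan against a locked-down subnet looks like. The log lines are constructed; the account ID, ENI ID and addresses (RFC 5737 ranges) are made up.

```python
from __future__ import annotations
from collections import defaultdict

# Constructed sample in the default (version 2) flow log field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status   (protocol 6 = TCP)
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.9 10.0.2.15 51000 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.7 10.0.2.15 40001 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.7 10.0.2.15 40002 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.7 10.0.2.15 40003 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.7 10.0.2.15 40004 8080 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.2.15 10.0.5.20 49152 5432 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 192.0.2.44 10.0.2.15 55000 443 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
INT_FIELDS = {"srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow_log(text: str) -> list[dict]:
    """Parse default-format lines into dicts; drop malformed and NODATA/SKIPDATA rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # truncated or custom-format line: skip rather than guess
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA rows carry '-' in the traffic fields
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejects_by_source(records: list[dict]) -> dict[str, set[int]]:
    """For each source address, the set of destination ports that were rejected."""
    out: dict[str, set[int]] = defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            out[rec["srcaddr"]].add(rec["dstport"])
    return dict(out)


def suspected_scanners(records: list[dict], min_ports: int = 3) -> list[str]:
    """Sources rejected on at least min_ports distinct ports in the window."""
    return sorted(src for src, ports in rejects_by_source(records).items()
                  if len(ports) >= min_ports)


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for src, ports in rejects_by_source(recs).items():
        print(f"{src}: rejected on ports {sorted(ports)}")
    print("suspected scanners:", suspected_scanners(recs))
```

Two caveats when you use this on real data: flow logs are aggregated over an interval, so a single line may summarise many packets, and some traffic is never logged at all (instance metadata at 169.254.169.254, DHCP, and DNS to the Amazon resolver), so an absent record is not proof that nothing happened.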
Exam tip
Whenever a question says "private subnet", mentally check: how does this traffic leave? It must be via NAT GW (internet), VPC Endpoint (AWS service), Peering / TGW / VPN / DX (other networks). If no path exists, the answer is broken.