Amazon VPC
Virtual Private Cloud — isolated network environment covering subnets, route tables, NAT Gateways, NACLs, security groups, VPC endpoints, and peering.
Overview
Amazon Virtual Private Cloud (VPC) is a logically isolated virtual network within AWS — it provides complete control over IP addressing, subnets, route tables, gateways, and network security for AWS resources.
Every AWS account comes with a default VPC in each region. Production workloads should use custom VPCs designed with proper CIDR planning, multi-AZ subnets, and layered security.
Core Concepts
| Concept | Description |
|---|---|
| VPC | A virtual network scoped to a single region; defined by a CIDR block (e.g., 10.0.0.0/16) |
| Subnet | A range of IP addresses within a VPC, scoped to a single AZ; public or private |
| Route Table | Rules that determine where network traffic is directed; each subnet is associated with one |
| Internet Gateway (IGW) | Enables internet access for resources in public subnets (horizontally scaled, HA) |
| NAT Gateway | Allows private subnet resources to reach the internet without exposing them to inbound traffic |
| Security Group (SG) | Stateful firewall at the instance/ENI level; allow rules only (implicit deny) |
| Network ACL (NACL) | Stateless firewall at the subnet level; supports allow and deny rules |
| VPC Endpoint | Private connection to AWS services without traversing the internet |
| VPC Peering | One-to-one network connection between two VPCs (same or cross-account/region) |
| Elastic IP (EIP) | Static public IPv4 address allocatable to instances or NAT Gateways |
VPC Architecture
```text
Region: us-east-1
┌──────────────────────── VPC (10.0.0.0/16) ─────────────────────────┐
│                                                                    │
│   AZ: us-east-1a                   AZ: us-east-1b                  │
│   ┌──────────────────────┐         ┌──────────────────────┐        │
│   │ Public Subnet        │         │ Public Subnet        │        │
│   │ 10.0.1.0/24          │         │ 10.0.3.0/24          │        │
│   │ ┌──────┐ ┌──────┐    │         │ ┌──────┐ ┌──────┐    │        │
│   │ │ ALB  │ │ NAT  │    │         │ │ ALB  │ │ NAT  │    │        │
│   │ └──────┘ └──────┘    │         │ └──────┘ └──────┘    │        │
│   └──────────────────────┘         └──────────────────────┘        │
│   ┌──────────────────────┐         ┌──────────────────────┐        │
│   │ Private Subnet (App) │         │ Private Subnet (App) │        │
│   │ 10.0.2.0/24          │         │ 10.0.4.0/24          │        │
│   │ ┌──────┐             │         │ ┌──────┐             │        │
│   │ │ EC2  │             │         │ │ EC2  │             │        │
│   │ └──────┘             │         │ └──────┘             │        │
│   └──────────────────────┘         └──────────────────────┘        │
│   ┌──────────────────────┐         ┌──────────────────────┐        │
│   │ Private Subnet (DB)  │         │ Private Subnet (DB)  │        │
│   │ 10.0.10.0/24         │         │ 10.0.11.0/24         │        │
│   │ ┌──────┐             │         │ ┌──────┐             │        │
│   │ │ RDS  │             │         │ │ RDS  │             │        │
│   │ └──────┘             │         │ └──────┘             │        │
│   └──────────────────────┘         └──────────────────────┘        │
│                                                                    │
│   ┌──────────┐                                                     │
│   │   IGW    │ ← Internet Gateway (attached to VPC)                │
│   └──────────┘                                                     │
└────────────────────────────────────────────────────────────────────┘
```
Public vs Private Subnets
| Attribute | Public Subnet | Private Subnet |
|---|---|---|
| Route to IGW | Yes (0.0.0.0/0 → igw-xxx) | No |
| Auto-assign public IP | Typically enabled | Disabled |
| Internet access (inbound) | Possible (via SG rules) | Not directly reachable |
| Internet access (outbound) | Direct via IGW | Via NAT Gateway in a public subnet |
| Typical resources | ALB, NAT Gateway, bastion hosts | App servers, databases, internal services |
Exam Trap: A subnet is "public" only if its route table has a route to an Internet Gateway and the instances have a public or Elastic IP. Without both, instances cannot reach or be reached from the internet.
NAT Gateway vs NAT Instance
| Feature | NAT Gateway | NAT Instance |
|---|---|---|
| Managed by | AWS (fully managed, HA within AZ) | Self-managed EC2 instance |
| Bandwidth | Up to 100 Gbps | Depends on instance type |
| Availability | HA within a single AZ; deploy one per AZ | Single point of failure unless scripted |
| Security groups | Not applicable | Configurable |
| Bastion host | Cannot be used as one | Can double as a bastion |
| Cost | Per hour + per GB processed | EC2 instance pricing |
SAA/SAP Tip: NAT Gateway is the recommended choice for production. Deploy one per AZ for high availability. NAT instances are legacy and only relevant for cost-constrained scenarios or when SG-level filtering on NAT is required.
Security Groups vs NACLs
| Feature | Security Group | Network ACL |
|---|---|---|
| Level | Instance / ENI | Subnet |
| State | Stateful (return traffic auto-allowed) | Stateless (return traffic must be explicitly allowed) |
| Rules | Allow only (implicit deny all) | Allow and Deny (evaluated in number order) |
| Default | Denies all inbound, allows all outbound | Allows all inbound and outbound |
| Evaluation | All rules evaluated before decision | Rules evaluated in order; first match wins |
| Applies to | Only when associated with an instance/ENI | All instances in the associated subnet |
Exam Trap: Security Groups are stateful — if inbound traffic is allowed, the response is automatically allowed. NACLs are stateless — both inbound and outbound rules must explicitly permit the traffic, including ephemeral ports.
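The stateful/stateless difference in the table above, as an added Python simulation that is not part of the original page: NACL rules are evaluated in number order with first match winning, the security group is stateful, and an HTTPS exchange only succeeds when the outbound NACL also allows the reply to the client's ephemeral port. The rule models, rule numbers and addresses are constructed for this example.

```python
import ipaddress
from typing import NamedTuple

# Rule models are assumptions for this example, not AWS API objects.
class NaclRule(NamedTuple):
    number: int      # NACL rules are evaluated in ascending rule number
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "all"
    ports: tuple     # (low, high), inclusive
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound

class SgRule(NamedTuple):
    protocol: str
    ports: tuple
    cidr: str

def _matches(rule, protocol, port, addr):
    return (rule.protocol in ("all", protocol)
            and rule.ports[0] <= port <= rule.ports[1]
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr))

def nacl_decision(rules, protocol, port, addr):
    """Stateless: the lowest-numbered matching rule wins; the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, protocol, port, addr):
            return rule.action
    return "deny"

def sg_allows(inbound, protocol, port, src):
    """Stateful: any matching allow rule admits the flow; replies are tracked, not re-evaluated."""
    return any(_matches(rule, protocol, port, src) for rule in inbound)

def https_exchange_ok(nacl_in, nacl_out, sg_in, client="203.0.113.10", client_port=51234):
    """Both halves of one HTTPS exchange must pass: the client's request to port 443
    and the server's reply back to the client's ephemeral port."""
    request_ok = (nacl_decision(nacl_in, "tcp", 443, client) == "allow"
                  and sg_allows(sg_in, "tcp", 443, client))
    # The SG contributes nothing for the reply (stateful); the NACL sees it as new traffic.
    reply_ok = nacl_decision(nacl_out, "tcp", client_port, client) == "allow"
    return request_ok and reply_ok

# Constructed rule sets. Rule 90 shows ordering: a lower-numbered deny beats the later allow.
NACL_IN = [NaclRule(90, "deny", "tcp", (443, 443), "198.51.100.0/24"),
           NaclRule(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]
NACL_OUT_BROKEN = [NaclRule(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]  # no ephemeral range
NACL_OUT_FIXED = NACL_OUT_BROKEN + [NaclRule(110, "allow", "tcp", (1024, 65535), "0.0.0.0/0")]
SG_IN = [SgRule("tcp", (443, 443), "0.0.0.0/0")]
```

With NACL_OUT_BROKEN the request is admitted but the reply to port 51234 is dropped, which is exactly the failure the exam trap describes; adding the ephemeral range (rule 110) fixes it.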
VPC Endpoints
| Type | Protocol | Use Case | Key Behaviour |
|---|---|---|---|
| Gateway Endpoint | S3, DynamoDB only | Access S3/DynamoDB without internet | Free; add route to route table |
| Interface Endpoint | Most AWS services | Private access to AWS APIs | Creates ENI in subnet; powered by PrivateLink; charged per hour + per GB |
SAA/SAP Tip: Gateway Endpoints for S3 and DynamoDB are free and should always be used in private subnet architectures. Interface Endpoints (PrivateLink) carry hourly + data processing charges but support nearly all AWS services.
VPC Peering
- Direct network route between two VPCs using private IPs
- Works cross-account and cross-region
- Not transitive — if VPC A peers with VPC B and VPC B peers with VPC C, A cannot reach C through B
- CIDR blocks must not overlap
- Each peering connection requires route table entries in both VPCs
Transit Gateway
For hub-and-spoke connectivity across many VPCs and on-premises networks:
| Feature | VPC Peering | Transit Gateway |
|---|---|---|
| Topology | Point-to-point (mesh) | Hub-and-spoke (centralised) |
| Transitivity | Not transitive | Transitive routing supported |
| Scale | Complex at >5 VPCs | Supports thousands of VPCs + VPN/DX |
| Cross-region | Supported | Inter-region peering supported |
| Cost | Free (data transfer charges) | Per attachment + per GB processed |
VPC Flow Logs
Capture IP traffic metadata (not payload) for network interfaces, subnets, or entire VPCs.
- Destinations: CloudWatch Logs, S3, Kinesis Data Firehose
- Aggregation intervals: 1 minute or 10 minutes
- Use cases: troubleshooting connectivity, security analysis, compliance auditing
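An added example (not from the page) that parses the default VPC Flow Log record format over constructed records and runs two checks a defender would want for the architecture shown above: any accepted flow from outside the VPC into the DB subnets, and sources whose rejected flows probe several ports. The VPC and DB subnet CIDRs come from the diagram; the account id, ENI ids and addresses are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample records (not captured traffic); account and ENI ids are placeholders.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.25 51234 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 44002 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0d4e5f6a 10.0.2.14 10.0.10.31 48321 5432 6 40 9100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0d4e5f6a 203.0.113.44 10.0.10.31 50100 5432 6 5 320 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 44003 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 44004 8080 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0d4e5f6a - - - - - - - 1700000000 1700000060 - NODATA
"""

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
DB_SUBNETS = [ipaddress.ip_network(c) for c in ("10.0.10.0/24", "10.0.11.0/24")]

def parse_flow_log(text):
    """Parse default-format records, dropping NODATA/SKIPDATA lines (they carry no addresses)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] == "OK":
            records.append(rec)
    return records

def find_public_to_db(records):
    """ACCEPTed flows into the DB subnets from outside the VPC: each is a finding (src, dst, dstport)."""
    findings = []
    for r in records:
        src, dst = ipaddress.ip_address(r["srcaddr"]), ipaddress.ip_address(r["dstaddr"])
        if r["action"] == "ACCEPT" and src not in VPC_CIDR and any(dst in s for s in DB_SUBNETS):
            findings.append((r["srcaddr"], r["dstaddr"], int(r["dstport"])))
    return findings

def reject_scan_candidates(records, min_ports=3):
    """Sources whose REJECTed flows hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(int(r["dstport"]))
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}
```

The accepted flow from 203.0.113.44 to the DB tier is the kind of record that indicates a misrouted subnet or an over-broad security group and is worth an alert; the REJECT counts are the cheaper signal that the layered controls are doing their job.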
Common Use Cases
- Multi-tier web architecture — Public subnets for ALBs, private subnets for app servers, isolated subnets for databases.
- Hybrid connectivity — Connect on-premises data centres via VPN or Direct Connect through a Transit Gateway.
- Micro-segmentation — Use security groups and NACLs to enforce least-privilege network access between services.
- Private AWS API access — Interface Endpoints (PrivateLink) keep traffic off the public internet for compliance.
- Multi-account networking — Transit Gateway + RAM (Resource Access Manager) for shared network infrastructure.
- Network compliance — VPC Flow Logs to S3 for audit trails and anomaly detection.
SAA/SAP Exam Tips
SAA/SAP Tip: For problems requiring connectivity across many VPCs (>3), Transit Gateway is the scalable answer. VPC Peering is point-to-point and becomes unmanageable at scale. Transit Gateway also supports transitive routing, which peering does not.
Exam Trap: A Lambda function in a VPC can only access the internet through a NAT Gateway (in a public subnet). Attaching a Lambda to a VPC with no NAT Gateway and no VPC endpoints will cause external API calls and even AWS API calls to fail.
SAA/SAP Tip: For "lowest cost to access S3 from private EC2 instances," the answer is a Gateway Endpoint (free). Interface Endpoints for S3 are charged and should only be used when on-premises access via Direct Connect is required.
Cross-Cloud Equivalents
| Provider | Service / Solution | Notes |
|---|---|---|
| AWS | Amazon VPC | Baseline |
| Azure | Azure Virtual Network (VNet) | Similar concepts; uses NSGs instead of NACLs |
| GCP | Google Cloud VPC | Global VPC model (subnets are regional) |
| On-Premises | VLANs, pfSense, Cisco routers | Physical network segmentation |
Pricing Model
| Dimension | Unit | Notes |
|---|---|---|
| VPC | Free | No charge for the VPC itself |
| NAT Gateway | Per hour + per GB processed | ~$0.045/hr + $0.045/GB (varies by region) |
| VPC Endpoints (Interface) | Per hour + per GB | ~$0.01/hr per AZ + $0.01/GB |
| VPC Endpoints (Gateway) | Free | No charge for S3 and DynamoDB gateway endpoints |
| VPC Peering | Per GB transferred | Same-region: $0.01/GB each direction |
| Transit Gateway | Per attachment/hr + per GB | ~$0.05/hr per attachment + $0.02/GB |
| Elastic IP (idle) | Per hour | Charged when not associated with a running instance |
Related Services / See Also
- Elastic Load Balancing — distributes traffic within VPC subnets
- Amazon Route 53 — DNS routing to VPC resources
- AWS Direct Connect and VPN — hybrid connectivity into VPC
- AWS IAM — controls who can create and modify VPC resources
- Amazon CloudWatch — monitors VPC Flow Logs and network metrics