The Complete Beginner’s Guide to AWS Networking

The Complete Guide to AWS Virtual Private Cloud (VPC) and Networking

I want to summarize everything I’ve learned about Networking in Amazon Web Services (AWS) in the form of notes, but in a detailed and simple way. This post is meant as a revision for myself and as a helpful guide for anyone else who is learning like I am. Let’s get started.

What is a Network?

Computer networks allow devices to connect and exchange data. To regulate this data exchange, we rely on several concepts: IP addresses, subnets, ports, routers, etc. When we learn these concepts in the context of AWS, things become more abstract because instead of physical devices, we use “virtual components.”

VPC and Subnet Architecture

A VPC (Virtual Private Cloud) is a private network space within AWS. It’s like building your own virtual data center inside AWS. Within this network space, we can run servers (EC2), databases, storage services, and more. The most important feature of a VPC is that it’s logically isolated from every other customer’s network: nothing reaches it unless you explicitly route and permit that traffic.

CIDR Block Example:

CIDR           Description
10.0.0.0/16    Provides 65,536 IP addresses
10.0.1.0/24    Contains 256 IP addresses
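The address counts in the table are easy to check with Python’s standard ipaddress module, and the same module can carve a /16 VPC block into /24 subnets. The example below is added to these notes and is not from the original post; it also applies two AWS facts the table leaves out: every subnet loses five reserved addresses (network, VPC router, DNS resolver, one reserved for future use, broadcast), and AWS only accepts VPC and subnet blocks between /16 and /28.

```python
import ipaddress

# AWS reserves five addresses in every subnet: the network address, the VPC
# router (+1), the Amazon DNS resolver (+2), one held for future use (+3)
# and the broadcast address (last). Instances can never be given these.
AWS_RESERVED_PER_SUBNET = 5


def address_count(cidr):
    """Total addresses in a block, e.g. 10.0.0.0/16 -> 65536, 10.0.1.0/24 -> 256."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses


def usable_addresses(cidr):
    """Addresses left for instances once the five reserved ones are removed."""
    return address_count(cidr) - AWS_RESERVED_PER_SUBNET


def is_valid_vpc_block(cidr):
    """AWS only accepts VPC and subnet blocks between /16 and /28."""
    net = ipaddress.ip_network(cidr, strict=False)
    return 16 <= net.prefixlen <= 28


def carve_subnets(vpc_cidr, new_prefix, count):
    """Return the first `count` /new_prefix subnets carved out of the VPC block."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not (vpc.prefixlen < new_prefix <= 28):
        raise ValueError("subnet prefix must be longer than the VPC prefix and at most /28")
    result = []
    for net in vpc.subnets(new_prefix=new_prefix):
        if len(result) == count:
            break
        result.append(str(net))
    return result


if __name__ == "__main__":
    for cidr in ("10.0.0.0/16", "10.0.1.0/24", "10.0.1.0/28"):
        print(f"{cidr}: {address_count(cidr)} addresses, {usable_addresses(cidr)} usable")
    print(carve_subnets("10.0.0.0/16", 24, 4))
```

A /28 is the smallest subnet AWS allows; with the five reserved addresses removed it leaves only 11 usable addresses, which is why tiny subnets fill up faster than the raw count suggests.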

We can divide subnets into two types:

  • Public Subnet: Connected to an Internet Gateway, allows external access.
  • Private Subnet: Used for internal resources, not accessible from the outside.

Routing Tables

Each subnet must be associated with a routing table. These tables define how inbound and outbound traffic is directed.

Example:

Subnet Type       Destination    Target Gateway
Public Subnet     0.0.0.0/0      Internet Gateway
Private Subnet    0.0.0.0/0      NAT Gateway (optional)

Security Structures: Security Groups and NACLs

AWS provides two key network security mechanisms:

  • Security Group: Applied at the instance level; stateful.
  • Network ACL (NACL): Applied at the subnet level; stateless.

Comparison Table:

Feature                   Security Group     Network ACL
Level of Application      EC2 (Instance)     Subnet
Stateful                  Yes                No
Deny Rules Supported      No                 Yes
Rule Evaluation Order     Irrelevant         Based on rule number
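The three differences in the table (stateful vs. stateless, deny support, and rule ordering) are what trip people up in practice, so here is a small simulation of both evaluation models. It is an added example, not code from the original post or from AWS; the addresses, rule numbers and ports are constructed. It shows why swapping two NACL rule numbers flips the verdict, why a NACL needs an outbound rule for the client’s ephemeral ports before any reply gets out, and why a security group needs neither.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int        # NACL rules are checked in ascending number; first match wins
    action: str        # "allow" or "deny"
    proto: str         # "tcp", "udp" or "all"
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound
    ports: tuple       # inclusive (low, high) destination port range


@dataclass(frozen=True)
class SgRule:
    proto: str
    cidr: str
    ports: tuple


def _matches(proto, cidr, ports, pkt, addr):
    """Does one rule match the packet? `addr` is the side the rule filters on."""
    return ((proto == "all" or proto == pkt.proto)
            and ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
            and ports[0] <= pkt.dst_port <= ports[1])


def nacl_decision(rules, pkt, addr):
    """Stateless: every packet, replies included, is checked against the rules."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule.proto, rule.cidr, rule.ports, pkt, addr):
            return rule.action
    return "deny"  # the implicit "*" rule at the bottom of every NACL


def sg_decision(rules, pkt, addr, tracked):
    """Security groups hold allow rules only; any match allows. Allowed flows are
    remembered so the return traffic is permitted without an outbound rule."""
    if any(_matches(r.proto, r.cidr, r.ports, pkt, addr) for r in rules):
        tracked.add((pkt.src, pkt.dst))
        return "allow"
    return "deny"


def sg_reply_decision(reply, tracked):
    """Stateful: a reply is allowed if it belongs to a connection already tracked."""
    return "allow" if (reply.dst, reply.src) in tracked else "deny"


def https_example():
    """Constructed scenario: a client at 203.0.113.5 sends HTTPS to a web server at 10.0.1.10."""
    request = Packet(src="203.0.113.5", dst="10.0.1.10", dst_port=443)
    reply = Packet(src="10.0.1.10", dst="203.0.113.5", dst_port=49152)  # ephemeral client port

    nacl_in = [NaclRule(100, "allow", "tcp", "0.0.0.0/0", (443, 443)),
               NaclRule(110, "deny", "tcp", "203.0.113.0/24", (0, 65535))]
    # Same two rules with the numbers swapped: now the deny is evaluated first.
    nacl_in_swapped = [NaclRule(110, "allow", "tcp", "0.0.0.0/0", (443, 443)),
                       NaclRule(100, "deny", "tcp", "203.0.113.0/24", (0, 65535))]
    # Outbound rule that lets replies reach the client's ephemeral ports.
    nacl_out = [NaclRule(100, "allow", "tcp", "0.0.0.0/0", (1024, 65535))]

    sg_in = [SgRule("tcp", "0.0.0.0/0", (443, 443))]
    tracked = set()
    sg_request = sg_decision(sg_in, request, request.src, tracked)

    return {
        "nacl_request": nacl_decision(nacl_in, request, request.src),
        "nacl_request_swapped": nacl_decision(nacl_in_swapped, request, request.src),
        "nacl_reply_with_outbound_rule": nacl_decision(nacl_out, reply, reply.dst),
        "nacl_reply_without_outbound_rule": nacl_decision([], reply, reply.dst),
        "sg_request": sg_request,
        "sg_reply": sg_reply_decision(reply, tracked),
    }


if __name__ == "__main__":
    for name, verdict in https_example().items():
        print(f"{name:35} {verdict}")
```

The practical takeaway: when a NACL is in play, leave gaps between rule numbers (100, 110, 120) so a deny can be slotted in front of an allow later, and always pair an inbound service rule with an outbound rule for ports 1024 to 65535, otherwise the connection opens and then silently stalls.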

Internet and NAT Gateways

  • Internet Gateway: Allows public subnets to connect to the internet.
  • NAT Gateway: Allows private subnets to access the internet without accepting incoming traffic.

High Availability

To improve system reliability, distribute your subnets across multiple Availability Zones (AZs). For example:

  • us-east-1a → public subnet
  • us-east-1b → private subnet

Site-to-Site VPN

  • Virtual Private Gateway: The AWS side
  • Customer Gateway: The on-premises network side
  • This connection creates a secure tunnel between your corporate network and AWS.

VPC Endpoints and PrivateLink

Type                  Use Case            Cost     Notes
Gateway Endpoint      S3, DynamoDB        Free     Works with route tables
Interface Endpoint    All AWS services    Paid     Creates an Elastic Network Interface

VPC Peering

Used to create private connections between two VPCs. Important points:

  • CIDR blocks must not overlap
  • No transitive routing
  • Routing tables must be updated on both sides
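The routing rules from the Routing Tables section and the three peering rules above can be checked with a small model of an AWS route table. This is an added example, not code from the original post; the gateway and peering ids (igw-PLACEHOLDER, nat-PLACEHOLDER, pcx-ab, pcx-bc) and the three VPC blocks are constructed. It performs the longest-prefix lookup AWS uses, refuses a peering between overlapping blocks, updates both route tables when peering succeeds, and shows that VPC A still has no route to VPC C even though both are peered with B.

```python
import ipaddress


class RouteTable:
    """Minimal model of an AWS route table: longest-prefix match, with the
    non-removable "local" route for the VPC's own block."""

    def __init__(self, vpc_cidr):
        self.routes = {ipaddress.ip_network(vpc_cidr): "local"}

    def add_route(self, destination, target):
        self.routes[ipaddress.ip_network(destination)] = target

    def lookup(self, dst_ip):
        """Return the target for a destination IP, or None if no route matches."""
        ip = ipaddress.ip_address(dst_ip)
        best = None
        for net, target in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


def can_peer(cidr_a, cidr_b):
    """Peering is refused when the two VPC blocks overlap."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def peer(rt_a, cidr_a, rt_b, cidr_b, pcx_id):
    """Create a peering: both route tables need a route pointing at the connection."""
    if not can_peer(cidr_a, cidr_b):
        raise ValueError(f"{cidr_a} and {cidr_b} overlap; peering is not possible")
    rt_a.add_route(cidr_b, pcx_id)
    rt_b.add_route(cidr_a, pcx_id)


def routing_example():
    """Constructed scenario with placeholder gateway/peering ids."""
    public = RouteTable("10.0.0.0/16")
    public.add_route("0.0.0.0/0", "igw-PLACEHOLDER")
    private = RouteTable("10.0.0.0/16")  # no default route yet

    vpc_a, vpc_b, vpc_c = "10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16"
    rt_a, rt_b, rt_c = RouteTable(vpc_a), RouteTable(vpc_b), RouteTable(vpc_c)
    peer(rt_a, vpc_a, rt_b, vpc_b, "pcx-ab")
    peer(rt_b, vpc_b, rt_c, vpc_c, "pcx-bc")

    results = {
        "public_to_internal": public.lookup("10.0.5.4"),
        "public_to_internet": public.lookup("198.51.100.20"),
        "private_to_internet_without_nat": private.lookup("198.51.100.20"),
        "a_to_b": rt_a.lookup("10.1.0.10"),
        "b_to_c": rt_b.lookup("10.2.0.10"),
        "a_to_c": rt_a.lookup("10.2.0.10"),  # None: peering is not transitive
        "overlapping_blocks_can_peer": can_peer("10.0.0.0/16", "10.0.1.0/24"),
    }
    private.add_route("0.0.0.0/0", "nat-PLACEHOLDER")
    results["private_to_internet_with_nat"] = private.lookup("198.51.100.20")
    return results


if __name__ == "__main__":
    for name, target in routing_example().items():
        print(f"{name:33} {target}")
```

Because the local route is always the most specific match for the VPC’s own block, a default route to an Internet Gateway never hijacks internal traffic; the same logic is why a peering route for a /16 does not cover a third VPC’s addresses.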

Additional AWS Network Services

Service          Description
Route 53         DNS management
CloudFront       Content delivery network (CDN)
API Gateway      Management of RESTful and WebSocket APIs

Example Use Case

VPC: 10.0.0.0/16

  • 2 AZs: us-east-1a, us-east-1b
  • Public Subnet (10.0.1.0/24): EC2 web servers
  • Private Subnet (10.0.2.0/24): RDS database

Routing Table:

Subnet     Destination    Gateway
Public     0.0.0.0/0      Internet Gateway
Private    0.0.0.0/0      NAT Gateway

Security Group Settings:

Resource      Ports           Description
Web Server    443, 80, 22     HTTPS, HTTP, SSH (admin IP only)
RDS           3306            Accessible only from EC2 internal IP

In this system, you can also use CloudFront for static content delivery, Route 53 for domain routing, and API Gateway to expose services to the public. If corporate connectivity is required, you can establish a Site-to-Site VPN for secure communication.
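Before clicking through the console (or applying an automation template), it is worth validating a design like the one above on paper. The following script is an added example, not from the original post: it encodes the use case as plain data and checks the things that most often go wrong. The admin address 198.51.100.7/32 is a placeholder, and for the RDS rule it references the web tier’s security group (written here as "sg:web-sg") instead of a fixed internal IP, which is the usual way to express "only from the EC2 instances".

```python
import ipaddress

# Constructed design matching the use case in these notes.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "public": ("10.0.1.0/24", "us-east-1a"),
    "private": ("10.0.2.0/24", "us-east-1b"),
}
ADMIN_IP = "198.51.100.7/32"  # placeholder for the administrator's address
SECURITY_GROUPS = {
    # (protocol, port, source): source is a CIDR or "sg:<name>" for another security group
    "web-sg": [("tcp", 443, "0.0.0.0/0"), ("tcp", 80, "0.0.0.0/0"), ("tcp", 22, ADMIN_IP)],
    "rds-sg": [("tcp", 3306, "sg:web-sg")],
}
# A deliberately weak variant used to show the checks firing.
BAD_SECURITY_GROUPS = {
    "web-sg": [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "0.0.0.0/0")],
    "rds-sg": [("tcp", 3306, "10.0.1.0/24")],
}


def validate(vpc_cidr, subnets, security_groups):
    """Return a list of findings; an empty list means the design passed every check."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)

    nets = {}
    for name, (cidr, _az) in subnets.items():
        net = ipaddress.ip_network(cidr)
        if not net.subnet_of(vpc):
            findings.append(f"{name}: {cidr} lies outside the VPC block {vpc_cidr}")
        if not 16 <= net.prefixlen <= 28:
            findings.append(f"{name}: {cidr} is not between /16 and /28")
        nets[name] = net

    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"subnets {a} and {b} overlap")

    azs = {az for _cidr, az in subnets.values()}
    if subnets and len(azs) < 2:
        findings.append("all subnets sit in one Availability Zone; spread them across at least two")

    for sg, rules in security_groups.items():
        for _proto, port, source in rules:
            if port == 22 and source == "0.0.0.0/0":
                findings.append(f"{sg}: SSH is open to the whole internet; restrict it to the admin IP")
            if port == 3306 and not source.startswith("sg:"):
                findings.append(f"{sg}: database port reachable from {source}; allow only the web tier's security group")
    return findings


if __name__ == "__main__":
    print("good design:", validate(VPC_CIDR, SUBNETS, SECURITY_GROUPS) or "no findings")
    for finding in validate(VPC_CIDR, SUBNETS, BAD_SECURITY_GROUPS):
        print("bad design:", finding)
```

The database check is the one to internalise: a rule that allows 3306 from the public subnet’s CIDR looks tight but admits anything that ever lands in that subnet, whereas a rule whose source is the web servers’ security group follows the instances themselves.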

These notes aim to summarize AWS VPC and Networking topics for both beginners and intermediate learners. While there are automation templates available, understanding the core concepts is essential. I hope this helps anyone learning like I am.
