All About AWS VPC

After making my hands dirty on AWS from last 6 years, I thought now I am ready to write on AWS VPC & it should share my learning with everyone. I generally don’t write something on hands on but this write up is little different as compared to all my previous article.

Today we will talk about VPC & all the related associated components to VPC.

What is a VPC (Virtual Private Cloud) ?

This is private virtual network with AWS resources associated with your AWS account & similar to your data center network but with capabilities to scale AWS infrastructure.

You can also say VPC as your own virtual logical data center in AWS.

AWS VPC consists of below things,

    1. Subnets
    2. Internet Gateway
    3. Routing Table
    4. NAT Gateways & NAT Instances
    5. VPC Endpoint

Subnets are the range of IPs in a VPC. Subnets can not span across availability zone, while VPCs can.

  • – (10/8 prefix)
  • – (172.16/12 prefix)
  • – (192.168/16 prefix)

Subnets can be public as well as private. When subnets are created we need to make sure they are without any overlapping IP addresses. You also need to be aware of CIDR block allocations. You can take numerous websites help for calculating number of IP address allocations in each CIDR block.

As you can see in below screenshot I have created one VPC in my account with CIDR block, which gives addresses close to 65,536.

VPC Creation
VPC Creation

I have broken down this VPC into two subnets with each CIDR block allocation as shown in below screenshot & each has maximum IP addresses available are 256. In AWS for our actual use AWS gives 251 IP addresses because Amazon keeps  5  IP addresses for their internal use.

Avilable IPv4
Subnet CIDR Block assignment


By Default subnets are marked as private.When any VPC is created Main routing table ,Network ACL & Security group is created with default values. We can make it public by enabling auto assign public IP addresses to the resources, so that these can be accessed from outside. In below screenshot you can see I have made one of the subnet as public subnet.


Auto Assign Public IP
Enable auto-assign public IPv4
Marked as public Subnet
Making Subnet Public


Internet Gateway

We have created subnet public but we haven’t given an access to external world & we can give that by adding internet gateway.

Internet gateway can be created and attached to only one VPC at a time. In multiple availability zone you should create multiple internet gateways. This is avoid any impact to your internet facing applications or resources. You are disconnected from internet if your internet gateway stops working. Amazon promises to be highly available.

In our exercise I have created one gateway & attached it to our VPC as shown in below diagram.

Gateway Attached
Gateway Creation & Association


Routing Table

When we create VPC with two subnets we get Main routing table which has entries related to both subnets, it also has entries related to how subnets can talk to each other. Now we have internet gateway but we need to give our subnet a way to internet gateway, this we can give by adding below entries into routing table as shown in below diagram, but one thing to take care is we don’t want to expose both the subnets to external world, so we will not add entries to internet gateway in main routing table. We create another routing table & associate public subnet with a routing table with internet gateway entries. As shown in below diagrams,

Routing Table entries & association
Subnet Association with Routing Table
Routing Table Entries only
Adding entries to Internet Gateway

Now we have successfully created a a VPC with two subnets with one of them is public & other one is private. By default the two subnets can not talk to each other till we make changes at the security group level & apply those security groups to the resources like EC2.

Let us extend this exercise further where we want private subnet resources like EC2 to have access to internet for downloading patches from internet & at the same time we want to make sure our entire subnet is not public.

NAT(Network Address Translation) Gateway or NAT(Network Address Translation) Instances

As the name suggests NAT Instance is nothing but EC2 instance which provide access to resource in private subnet to internet gateway & NAT gateway is the offering of AWS, which is again highly available.

NAT Instance

These are EC2 instance which acts as a gateway in between incoming & outgoing traffic.These need to be created under public subnet.  The entries related to NAT instance must be added into routing table & these entries must be added in main routing table,so that private subnet have route to internet gateway. As you can see in below diagram I have created an EC2 instance from an available NAT AMI  & following diagram I have disabled Source & Destination check to act this instance in the capacity of Gateway.

NAT Instance
NAT EC2 Instance from an AMI


Disable Source Destination Check
Disable Source/Destination Check


NAT Gateway

NAT gateway is AWS offering & it is much efficient with high availability in an availability zone.  It is not associated with any security group like NAT instance. Enterprises prefer NAT gateway as there is no maintenance issues. All you need to do is add an entry in main routing table. We also need not to worry about security group configuration. NAT Gateway needs to be created in public subnet. As shown in below diagram.

NAT Gateway Creation
NAT Gateway


Network ACL(Access Control List)

It is an additional level of security for VPC & it acts as firewall for controlling in or out traffic.It comes by default with VPC & by default it allows all the incoming as well as outgoing traffic. You can create custom NACLs & they are by default created with all the traffic denied. It takes precedence over security group. The number ordering takes precedence in execution of NACL rules, in below diagram, if I add DENY rule with 99 number, it will be executed first . Any number of subnets can be associated with one NACL but one Subnet is associated with only one NACL.  As you can see in below diagram default VPC, I can modify it to limit some traffic & if I want to make that effective I need to add an entry with Rule# less than 100.

NACL Rules
NACL Rules

NACL rules are different from security groups & Outbound Rules entries need to be managed separately than Inbound Rule. In case of security group if you are adding an inbound rule by default outbound rule is enabled.

VPC Gateways

Suppose you want to use some of the AWS services from your VPC through a private reliable network & you don’t want your traffic to be leaving the AWS network. VPC Gateway is the way to access it. Generally direct connect & NAT gateway are the alternatives. Directconnect is a again private link setup in between your network & AWS network.

There are two types of VPC gateways

Interface Endpoints: There are lot of services can be accessed from interface endpoints. It’s huge list & can be accessed from AWS documentation.

Gateway Endpoints: Support S3 & Dyanamo DB.

As you can see S3 endpoint creation is below & it adds those entries into routing table. You should add those entries in main routing table where all the subnets have access to it.

VPC Endpoint Creation

We should be able to execute all the s3 commands without going outside AWS network & privately.

So I hope you have enjoyed all the concepts related to VPC & this will certainly help you in future for understanding VPC and related components. It is one time activity mostly but understanding about it is very much important. I am keeping direct connect, transit gateway & bastion hosts for another article till then stay tuned.

3 responses to “All About AWS VPC”

  1. Celeste Kroninger Avatar

    It’s difficult to find experienced people in this particular subject, but you sound like you know what you’re talking about! Thanks


  2. Hairstyles Avatar

    There may be noticeably a bundle to learn about this. I assume you made sure nice points in options also.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Website Powered by

%d bloggers like this: