🌐 VPC & Networking#

Learning Objectives#

Design VPCs with public/private subnets, NAT gateways, and route tables
Configure VPC endpoints, peering connections, and VPNs
Understand NACLs vs Security Groups
Implement multi-tier network isolation

1. Amazon VPC Fundamentals#

A Virtual Private Cloud (VPC) is your isolated network within AWS where you launch resources.

VPC Architecture#

┌────────────────────────────────────────────────────────────┐
│              AWS Region (us-east-1)                        │
│                                                            │
│  ┌──────────────────────────────────────────────────────┐  │
│  │              VPC (10.0.0.0/16)                       │  │
│  │                                                      │  │
│  │  ┌───────────────┐       ┌───────────────┐          │  │
│  │  │ Public Subnet │       │ Private Subnet│          │  │
│  │  │ 10.0.1.0/24   │       │ 10.0.2.0/24   │          │  │
│  │  │               │       │               │          │  │
│  │  │  ┌─────────┐  │       │  ┌─────────┐  │          │  │
│  │  │  │  EC2    │  │       │  │  RDS    │  │          │  │
│  │  │  │ (Public)│  │       │  │ (Private)│  │          │  │
│  │  │  └────┬────┘  │       │  └─────────┘  │          │  │
│  │  │       │       │       │               │          │  │
│  │  │  ┌────┴────┐  │       │               │          │  │
│  │  │  │  NAT GW │  │       │               │          │  │
│  │  │  └─────────┘  │       │               │          │  │
│  │  └───────────────┘       └───────────────┘          │  │
│  │                                                      │  │
│  │  ┌──────────────────────────────────────────────┐   │  │
│  │  │              Route Tables                     │   │  │
│  │  │  Public: 0.0.0.0/0 → IGW                     │   │  │
│  │  │  Private: 0.0.0.0/0 → NAT GW                 │   │  │
│  │  └──────────────────────────────────────────────┘   │  │
│  └──────────────────────────────────────────────────────┘  │
│                                                            │
│  ┌────────────┐  ┌────────────┐  ┌────────────┐          │
│  │ Internet   │  │ Direct     │  │ VPC        │          │
│  │ Gateway    │  │ Connect    │  │ Peering    │          │
│  └────────────┘  └────────────┘  └────────────┘          │
└────────────────────────────────────────────────────────────┘

1.1 VPC Components#

Component	Purpose	Example
VPC	Isolated network	`10.0.0.0/16`
Subnet	AZ-level network segment	`10.0.1.0/24` (public)
Route Table	Traffic routing rules	Routes to IGW, NAT, Peering
Internet Gateway (IGW)	Internet connectivity	Attached to VPC
NAT Gateway	Private subnet → Internet	In public subnet
Security Group	Instance-level firewall	Stateful, allow only
NACL	Subnet-level firewall	Stateless, allow+deny
VPC Endpoint	Private access to AWS services	S3, DynamoDB, SQS

1.2 CIDR & Subnetting#

VPC CIDR:     10.0.0.0/16  (65,536 IPs)
├── Public Subnet:  10.0.1.0/24  (256 IPs, us-east-1a)
├── Public Subnet:  10.0.2.0/24  (256 IPs, us-east-1b)
├── Private Subnet: 10.0.10.0/24 (256 IPs, us-east-1a)
├── Private Subnet: 10.0.11.0/24 (256 IPs, us-east-1b)
├── DB Subnet:      10.0.20.0/24 (256 IPs, us-east-1a)
└── DB Subnet:      10.0.21.0/24 (256 IPs, us-east-1b)

⚡ Exam Tip: AWS reserves 5 IPs per subnet (network, gateway, 2 AWS DNS, broadcast). So a /24 has 251 usable IPs, not 256.

1.3 Default vs Custom VPC#

Feature	Default VPC	Custom VPC
Created	Auto-created per region	You create
Subnets	One per AZ (public)	You define
IGW	Auto-attached	You create/attach
NACL	Default (all allow)	Customizable
Use when	Quick testing	Production, isolation needed

# Create a custom VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --instance-tenancy default
# Output: vpc-abc123

# Create subnets
aws ec2 create-subnet --vpc-id vpc-abc123 --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a
aws ec2 create-subnet --vpc-id vpc-abc123 --cidr-block 10.0.2.0/24 \
  --availability-zone us-east-1b

# Create and attach Internet Gateway
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --vpc-id vpc-abc123 --internet-gateway-id igw-123

# Create route table for public subnets
aws ec2 create-route-table --vpc-id vpc-abc123
aws ec2 create-route --route-table-id rtb-123 --destination-cidr-block 0.0.0.0/0 \
  --gateway-id igw-123
aws ec2 associate-route-table --route-table-id rtb-123 --subnet-id subnet-abc

2. Security Groups vs NACLs#

Feature	Security Group	NACL
Level	Instance (ENI)	Subnet
State	Stateful	Stateless
Default	Deny all inbound	Allow all (custom VPC)
Rules	Allow only	Allow + Deny
Evaluation	All rules checked	Rule number order (1-32766)
Return traffic	Auto-allowed	Must explicitly allow

Security Group (Stateful):
  Inbound: Allow SSH from 203.0.113.0/24
  Response: Auto-allowed back  ← No outbound rule needed

NACL (Stateless):
  Inbound Rule #100: Allow SSH from 203.0.113.0/24
  Outbound Rule #100: Allow SSH to 203.0.113.0/24  ← Must add!

NACL Rule Example:

{"Rules": [ {"RuleNumber": 100, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "Protocol": "6", "PortRange": {"From": 80, "To": 80}},
    {"RuleNumber": 110, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "Protocol": "6", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 120, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0", "Protocol": "6", "PortRange": {"From": 1024, "To": 65535}},
    {"RuleNumber": 200, "RuleAction": "deny", "CidrBlock": "10.0.0.0/8", "Protocol": "-1"}
  ]
}

⚡ Exam Tip: SG is stateful (return traffic auto-allowed). NACL is stateless (must explicitly allow return traffic). SG supports allow rules only. NACL supports allow AND deny rules.

3. VPC Connectivity Options#

3.1 VPC Peering#

Connect two VPCs directly (same or cross-account, cross-region)
No transitive peering (A ↔ B, A ↔ C does not mean B ↔ C)
No overlapping CIDR blocks

VPC-A (10.0.0.0/16) ←→ VPC-B (10.1.0.0/16)
      │                    │
      └──── No route ──────┘  to VPC-C

3.2 AWS Transit Gateway#

Hub-and-spoke architecture for many VPCs and on-premises:

                       ┌─────────────────┐
                       │  Transit Gateway │
                       └──┬───┬───┬───┬──┘
                          │   │   │   │
                    ┌─────┘   │   │   └─────┐
                    │         │   │         │
              ┌─────┴──┐ ┌───┴───┴──┐ ┌─────┴──┐
              │ VPC-A  │ │ VPC-B    │ │ On-Prem │
              │ (Prod) │ │ (Dev)    │ │ (VPN/DX)│
              └────────┘ └──────────┘ └─────────┘

⚡ Exam Tip: Transit Gateway = many-to-many VPC connections. VPC Peering = one-to-one. Use Transit Gateway when you have 5+ VPCs.

3.3 VPC Endpoints#

Two types:

Gateway Endpoint — S3, DynamoDB (uses route table, free)
Interface Endpoint — Most other services (uses ENI + PrivateLink, paid)

graph LR
    subgraph VPC["VPC (10.0.0.0/16)"]
        EC2["EC2 Instance\nPrivate Subnet\nNo Public IP"]
        RT_GW["Route Table:\npl-xxxxx → Gateway Endpoint"]
        ENI["Interface Endpoint (ENI)\nvpce-xxx\n10.0.1.50"]
    end
    
    subgraph AWSServices["AWS Services"]
        S3["S3 Bucket\n✅ Free (Gateway)"]
        SQS["SQS Queue\n💰 Paid (Interface)"]
    end

    EC2 -->|Gateway Endpoint| RT_GW
    RT_GW --> S3
    EC2 -->|Interface Endpoint| ENI
    ENI --> SQS

    style EC2 fill:#ff9900,color:#fff
    style S3 fill:#01ab5c,color:#fff
    style SQS fill:#527fff,color:#fff
    style ENI fill:#d33,color:#fff

# Create Gateway Endpoint for S3
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-abc123 \
  --service-name com.amazonaws.us-east-1.s3 \
  --route-table-ids rtb-123

# Create Interface Endpoint for SQS
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-abc123 \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.sqs \
  --subnet-ids subnet-abc subnet-def \
  --security-group-ids sg-xyz

3.4 AWS Direct Connect vs VPN#

Feature	Direct Connect	Site-to-Site VPN
Connection	Dedicated fiber	Internet (IPsec)
Bandwidth	50 Mbps - 100 Gbps	Up to 1.25 Gbps per tunnel
Latency	Consistent	Variable
Cost	Higher (monthly port fee)	Lower
Setup time	Weeks (physical installation)	Hours
Use case	High-volume, latency-sensitive	Backup, smaller workloads

4. Real-World Use Cases#

Use Case 1: Multi-Tier Web Application#

                     Internet
                        │
                   ┌────┴────┐
                   │   IGW   │
                   └────┬────┘
                        │
               ┌────────┴────────┐
               │  Public Subnet  │
               │  ALB (HTTPS)    │
               │  NAT Gateway    │
               └────────┬────────┘
                        │
               ┌────────┴────────┐
               │  Private Subnet │
               │  EC2 Web Tier   │
               │  Auto Scaling   │
               └────────┬────────┘
                        │
               ┌────────┴────────┐
               │  Private Subnet │
               │  RDS (Multi-AZ) │
               │  ElastiCache    │
               └─────────────────┘

Use Case 2: VPC Endpoint for Private S3 Access#

No internet gateway needed — use Gateway Endpoint:

EC2 (No public IP, Private subnet)
  └── Route Table: pl-6xxxxx (S3 prefix list) → Gateway Endpoint
  └── Can access S3 without internet!

Use Case 3: Hybrid Cloud with Direct Connect#

On-Premises Data Center
  └── Direct Connect (1 Gbps)
  └── Private Virtual Interface (VLAN 100)
  └── VGW (Virtual Private Gateway)
  └── VPC: Private Subnets → On-premises app servers

5. Flow Logs & Monitoring#

VPC Flow Logs capture IP traffic information:

# Create flow log
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-id vpc-abc123 \
  --traffic-type ALL \
  --log-destination-type s3 \
  --log-destination arn:aws:s3:::flow-logs-bucket

Flow log records include: src-ip, dest-ip, src-port, dest-port, protocol, action (ACCEPT/REJECT)

6. ⚡ Exam Tips#

5 IPs reserved per subnet — network, gateway, 2 DNS, broadcast
NAT Gateway vs NAT Instance — NAT Gateway is managed (HA, auto-scaled), NAT Instance is self-managed (deprecated)
VPC Peering — No transitive routing, no overlapping CIDRs
Security Group — Stateful, can reference other SGs (traffic from SG-web)
NACL — Stateless, evaluated in order, supports deny rules
VPC Endpoints — Gateway for S3/DynamoDB (free), Interface for all others (paid)
Route propagation — Can auto-learn routes from VPN/Direct Connect
Egress-Only IGW — For IPv6 traffic (outbound only, like NAT for IPv6)

✅ Chapter Quiz#

How many IP addresses in a VPC subnet are reserved by AWS?
- A) 2
- B) 3
- C) 5
- D) 10
Which VPC component is stateful?
- A) NACL
- B) Security Group
- C) Route Table
- D) Internet Gateway
You need to connect 10 VPCs together in a hub-and-spoke topology. Which service?
- A) VPC Peering
- B) Transit Gateway
- C) Direct Connect
- D) VPN
What type of VPC Endpoint is used for S3?
- A) Interface Endpoint
- B) Gateway Endpoint
- C) PrivateLink
- D) Direct Connect
Which component allows private subnets to access the internet?
- A) Internet Gateway
- B) NAT Gateway
- C) VPC Peering
- D) Transit Gateway
A company needs to filter traffic between subnets based on source IP and port, with explicit deny rules. Which VPC component should be used?
- A) Security Group
- B) Network ACL
- C) Route Table
- D) Internet Gateway
How many IP addresses are reserved by AWS in each VPC subnet?
- A) 2
- B) 3
- C) 5
- D) 10
A company has a VPC with CIDR 10.0.0.0/16. They need a subnet that can support at least 250 EC2 instances. Which subnet size should be used?
- A) /24 (256 IPs)
- B) /25 (128 IPs)
- C) /26 (64 IPs)
- D) /27 (32 IPs)
Which AWS service provides managed VPN connectivity for remote offices with automatic failover across multiple connections?
- A) Direct Connect
- B) VPN CloudHub
- C) Transit Gateway VPN attachment
- D) Client VPN
A company needs to enable communication between a VPC and an on-premises network over a private, dedicated connection. Which service should be used?
- A) Site-to-Site VPN
- B) Direct Connect
- C) VPC Peering
- D) Transit Gateway
A company has two VPCs in the same account with overlapping CIDR blocks that need to communicate. Which solution should be used?
- A) VPC Peering
- B) AWS Transit Gateway
- C) VPC Peering with a NAT Gateway
- D) None — VPCs with overlapping CIDRs cannot be directly connected
An EC2 instance in a private subnet needs to access an S3 bucket without internet connectivity. Which VPC component provides this capability?
- A) NAT Gateway
- B) Internet Gateway
- C) VPC Gateway Endpoint for S3
- D) VPC Interface Endpoint
A web application uses an Application Load Balancer in a public subnet and EC2 instances in a private subnet. The EC2 instances need internet access for software updates. Which component must be configured?
- A) An Internet Gateway with a route from the private subnet
- B) A NAT Gateway in the public subnet with a route from the private subnet
- C) A VPC Peering connection to an internet-facing VPC
- D) A Direct Connect connection
What is the primary difference between a Security Group and a Network ACL?
- A) Security Groups are stateless; NACLs are stateful
- B) Security Groups are stateful; NACLs are stateless
- C) Both are stateful
- D) Both are stateless
A company needs a dedicated, private, high-bandwidth connection from its on-premises data center to AWS. Which service should be used?
- A) Site-to-Site VPN
- B) AWS Direct Connect
- C) VPC Peering
- D) AWS Client VPN
How many usable IP addresses are available in a subnet with a /28 CIDR block?
- A) 16
- B) 14
- C) 11
- D) 10
Which types of VPC Endpoints are available? (Select TWO)
- A) Gateway Endpoint
- B) Interface Endpoint
- C) Peering Endpoint
- D) Transit Endpoint
- E) VPN Endpoint
An organization has 25 VPCs across multiple AWS accounts and regions. The network team needs to connect all VPCs in a hub-and-spoke topology. Which AWS service should be used?
- A) Full mesh VPC Peering
- B) AWS Transit Gateway
- C) AWS Direct Connect Gateway
- D) AWS Client VPN
A subnet with a route table entry of 0.0.0.0/0 pointing to an Internet Gateway is classified as what type of subnet?
- A) Private subnet
- B) Public subnet
- C) VPN-only subnet
- D) Isolated subnet
A company needs to resolve on-premises DNS names from resources within a VPC. Which AWS service should be configured?
- A) Amazon Route 53 Resolver
- B) VPC Peering
- C) AWS Direct Connect
- D) AWS Cloud Map
A network engineer needs to capture and analyze IP traffic information between EC2 instances in a VPC for troubleshooting. Which AWS feature should be used?
- A) AWS CloudTrail
- B) VPC Flow Logs
- C) AWS Config
- D) Amazon GuardDuty
What is the purpose of an Egress-Only Internet Gateway?
- A) To allow inbound IPv4 traffic only
- B) To allow outbound-only internet access for IPv6 workloads
- C) To allow inbound and outbound IPv4 traffic
- D) To allow inbound-only internet access for IPv6 workloads
A company needs to connect its VPC to an on-premises data center with a dedicated 10 Gbps connection that provides consistent network performance. Which service should be selected?
- A) Site-to-Site VPN
- B) AWS Direct Connect
- C) VPC Peering
- D) AWS Transit Gateway
A security group rule allows inbound SSH (port 22) from 0.0.0.0/0 to an EC2 instance. What is the security risk of this configuration?
- A) No risk — Security Groups are stateful and deny all inbound traffic by default
- B) It allows SSH access from any IP address, creating a significant security risk
- C) It only allows SSH access from within the same VPC
- D) It blocks all SSH traffic because Security Groups only support allow rules
A solutions architect needs to place database servers in subnets that do not have direct internet access. Which subnet configuration is correct?
- A) Public subnet with a route to an Internet Gateway
- B) Private subnet without a route to an Internet Gateway
- C) Public subnet with a route to a NAT Gateway
- D) Isolated subnet with a route to a Virtual Private Gateway

📝 Answer Key

C — 5 IPs: network (x.0), gateway (x.1), 2 DNS (x.2, x.3), broadcast (x.255).
B — Security Group is stateful. NACL is stateless.
B — Transit Gateway is designed for hub-and-spoke VPC connectivity.
B — Gateway Endpoint is used for S3 and DynamoDB (free of charge).
B — NAT Gateway in the public subnet provides internet access to private subnets.
B — Network ACLs are stateless and support explicit allow and deny rules for inbound/outbound traffic.
C — AWS reserves 5 IP addresses per subnet (network, gateway, 2 AWS DNS, broadcast).
A — /24 provides 256 IPs (251 usable after AWS reserves 5), sufficient for 250 instances.
B — VPN CloudHub connects multiple remote offices with automatic failover between VPN connections.
B — Direct Connect provides a dedicated, private, high-bandwidth connection to on-premises.
D — VPCs with overlapping CIDR blocks cannot be connected via VPC Peering or Transit Gateway.
C — A VPC Gateway Endpoint for S3 provides private connectivity to S3 without internet access or NAT.
B — A NAT Gateway in the public subnet with a route from the private subnet enables outbound internet access.
B — Security Groups are stateful (return traffic auto-allowed); NACLs are stateless (return traffic must be explicitly allowed).
B — AWS Direct Connect provides a dedicated private connection with consistent performance up to 100 Gbps.
C — A /28 subnet has 16 total IPs minus 5 reserved = 11 usable IP addresses.
A, B — Gateway Endpoints (S3, DynamoDB — free) and Interface Endpoints (other services — paid via PrivateLink).
B — AWS Transit Gateway is designed for hub-and-spoke connectivity across many VPCs and accounts.
B — A subnet with a route to an Internet Gateway is a public subnet.
A — Amazon Route 53 Resolver provides hybrid DNS resolution between VPCs and on-premises networks.
B — VPC Flow Logs capture IP traffic information (src, dst, ports, protocol, action) for troubleshooting.
B — An Egress-Only Internet Gateway provides outbound-only internet access for IPv6 traffic.
B — AWS Direct Connect provides dedicated, consistent, high-bandwidth connectivity for hybrid architectures.
B — SSH from 0.0.0.0/0 allows any IP to attempt SSH connections, creating a significant attack surface.
B — Private subnets route traffic through NAT for outbound internet and have no direct IGW route.

📚 Additional Resources#

Next → ELB & Auto Scaling