AWS VPC networking is where cloud infrastructure theory becomes practical architecture. A well-designed VPC is secure, scalable, and cost-effective. Let's walk through how to design one.
The VPC
A VPC (Virtual Private Cloud) is your logically isolated network within AWS. You define:
- The IP address range (CIDR block), e.g. `10.0.0.0/16`
- Subnets (subdivisions of the CIDR, in specific AZs)
- Route tables (what traffic goes where)
- Gateways (Internet Gateway, NAT Gateway, VPN Gateway)
Subnet Design: The Three-Tier Pattern
A standard production VPC has three subnet tiers, each replicated across at least two AZs:
```text
VPC: 10.0.0.0/16 (us-east-1)

Public subnets (internet-facing):
  10.0.1.0/24  (us-east-1a)  ← ALB, NAT Gateway, Bastion
  10.0.2.0/24  (us-east-1b)
  10.0.3.0/24  (us-east-1c)

Private subnets (application tier):
  10.0.11.0/24 (us-east-1a)  ← EC2, ECS, Lambda, EKS nodes
  10.0.12.0/24 (us-east-1b)
  10.0.13.0/24 (us-east-1c)

Database subnets (data tier):
  10.0.21.0/24 (us-east-1a)  ← RDS, ElastiCache, Redshift
  10.0.22.0/24 (us-east-1b)
  10.0.23.0/24 (us-east-1c)
```
Internet Gateway and Public Subnets
An Internet Gateway (IGW) enables communication between your VPC and the internet. To make a subnet "public":
- Attach an Internet Gateway to the VPC
- Add a route in the subnet's route table: `0.0.0.0/0 → igw-id`
- Assign public IP addresses to instances (or Elastic IPs)
Public subnet resources (ALB, NAT Gateways) are reachable from and can reach the internet, subject to their security groups and network ACLs.
NAT Gateway and Private Subnets
Private subnet resources need to reach the internet (to download packages, call APIs) but should not be reachable from the internet. A NAT Gateway enables this:
- Deploy a NAT Gateway in a public subnet (it gets a public IP)
- Add a route in the private subnet's route table: `0.0.0.0/0 → nat-gateway-id`
- Private resources send outbound traffic through the NAT, which translates their private source IP to its public IP; replies flow back, but no connection can be initiated from the internet
A NAT Gateway lives in a single AZ, so for HA deploy one per AZ and point each private subnet at the NAT in its own AZ; this also avoids cross-AZ traffic charges:
```text
Public subnet AZ-a: NAT Gateway A (Elastic IP: 54.x.x.x)
Public subnet AZ-b: NAT Gateway B (Elastic IP: 54.x.x.y)

Private AZ-a route table:
  10.0.0.0/16 → local
  0.0.0.0/0   → NAT Gateway A

Private AZ-b route table:
  10.0.0.0/16 → local
  0.0.0.0/0   → NAT Gateway B
```
VPC Endpoints
VPC endpoints provide private connections to AWS services without traffic going through a NAT Gateway or the internet, saving cost and improving security:
Gateway Endpoints
Free. Supports S3 and DynamoDB. Add an entry to route tables — traffic is routed to the endpoint privately.
Interface Endpoints (PrivateLink)
An ENI with a private IP in your subnet. Supports most AWS services: SQS, SNS, ECR, CloudWatch, Secrets Manager, SSM. Per-hour and per-GB charges apply.
```text
# With S3 Gateway Endpoint:
Private instance → S3 endpoint (route table) → S3
# No NAT charge, traffic stays on AWS network

# Without:
Private instance → NAT Gateway → Internet Gateway → S3
# NAT Gateway charges: $0.045/GB processed
```
CIDR Planning Guidelines
- Plan for growth: use a `/16` (65,536 addresses) for a production VPC
- Reserve non-overlapping CIDRs for each VPC if you plan to peer them
- Don't use ranges that overlap with on-premises networks
- Common convention: `10.X.0.0/16` per environment (10.1.x for prod, 10.2.x for staging)
- AWS reserves 5 IPs per subnet (first 4 + last)
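The following is an added example (not code from the original article) that turns the three-tier layout and the CIDR guidelines above into a small planner: it carves one /24 per tier per AZ out of a /16, reports usable addresses after AWS's five reserved IPs, and flags overlapping ranges between VPCs you intend to peer and on-premises networks. The tier base offsets, the /24-per-AZ assumption and the sample CIDRs passed to the overlap check are assumptions for illustration.

```python
import ipaddress
from itertools import combinations

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5

# Third-octet base per tier, matching the layout above (10.0.1.x, 10.0.11.x, 10.0.21.x).
# Assumed convention, not an AWS requirement.
TIER_BASES = {"public": 1, "private": 11, "database": 21}


def plan_subnets(vpc_cidr, azs, tier_bases=TIER_BASES):
    """Carve one /24 per tier per AZ out of a /16 VPC: 10.0.(base + az_index).0/24."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if vpc.prefixlen > 16:
        # Assumption of this layout: the tier offsets need a full /16 of room.
        raise ValueError("this layout assumes a /16 or larger VPC")
    plan = {}
    for tier, base in tier_bases.items():
        for i, az in enumerate(azs):
            addr = vpc.network_address + (base + i) * 256  # step one /24 per AZ
            subnet = ipaddress.ip_network(f"{addr}/24")
            if not subnet.subnet_of(vpc):
                raise ValueError(f"{subnet} falls outside {vpc}")
            plan[(tier, az)] = subnet
    return plan


def usable_hosts(subnet):
    """Addresses actually assignable to ENIs once AWS's reserved five are removed."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def find_overlaps(named_cidrs):
    """Return sorted (name_a, name_b) pairs whose ranges overlap.

    Feed it every VPC you intend to peer plus your on-premises ranges; any hit
    means routing between them would be ambiguous and must be fixed before peering.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in named_cidrs.items()}
    return sorted(
        (a, b) for (a, na), (b, nb) in combinations(nets.items(), 2) if na.overlaps(nb)
    )


if __name__ == "__main__":
    azs = ["us-east-1a", "us-east-1b", "us-east-1c"]
    for (tier, az), net in plan_subnets("10.0.0.0/16", azs).items():
        print(f"{tier:9} {az}  {net}  usable={usable_hosts(net)}")
    # Constructed sample: staging reuses prod's range and on-prem collides with dev.
    print(find_overlaps({"prod": "10.1.0.0/16", "staging": "10.1.0.0/16",
                         "dev": "10.2.0.0/16", "on-prem": "10.2.128.0/17"}))
```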
Security Layer Summary
| Layer | Tool | Scope |
|---|---|---|
| Instance | Security Group | Per ENI, stateful |
| Subnet | Network ACL | Per subnet, stateless |
| VPC | Flow Logs, VPC Endpoints | Visibility and private access |
| Edge | WAF, CloudFront, Shield | L7 filtering, DDoS |
| Transit | Transit Gateway, VPN | Cross-VPC and on-premises |
Next: Network troubleshooting — the commands and mental models for diagnosing connectivity problems.