# Chapter 11: Amazon VPC - Virtual Private Cloud

*Building Your AWS Network Infrastructure*

## 11.1 Overview

Amazon VPC (Virtual Private Cloud) lets you provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define.
VPC Overview: a VPC with CIDR 10.0.0.0/16 containing three subnets, each with its own path out of the VPC.

| Subnet | CIDR | Egress path |
|---|---|---|
| Public Subnet | 10.0.1.0/24 | Internet Gateway |
| Private Subnet | 10.0.2.0/24 | NAT Gateway |
| Private Subnet | 10.0.3.0/24 | VPC Endpoints |
## 11.2 VPC Components
### Core Components

1. VPC (Virtual Private Cloud)
   - Isolated network in AWS
   - CIDR block (e.g., 10.0.0.0/16)
   - Regional scope
2. Subnet
   - Sub-range of VPC CIDR
   - AZ-specific (one subnet = one AZ)
   - Public or Private
3. Route Table
   - Routes traffic within VPC
   - Main route table (default)
   - Custom route tables per subnet
4. Internet Gateway (IGW)
   - Connects VPC to internet
   - Horizontally scaled, redundant
   - Required for public subnets
5. NAT Gateway / NAT Instance
   - Allows private subnet internet access
   - NAT Gateway: Managed service
   - NAT Instance: EC2-based (legacy)
### CIDR Block Planning

CIDR Block Sizing (CIDR notation is IP/prefix length):

| Prefix | Addresses | Range |
|---|---|---|
| /16 | 65,536 | 10.0.0.0 - 10.0.255.255 |
| /20 | 4,096 | 10.0.0.0 - 10.0.15.255 |
| /24 | 256 | 10.0.1.0 - 10.0.1.255 |
| /28 | 16 | 10.0.1.0 - 10.0.1.15 |

Reserved IPs per subnet (5 IPs, shown for 10.0.1.0/24):
- 10.0.1.0: Network address
- 10.0.1.1: VPC router
- 10.0.1.2: DNS server
- 10.0.1.3: Reserved for future use
- 10.0.1.255: Broadcast address

Usable IPs: 256 - 5 = 251 per /24 subnet

Example VPC Design:
- VPC: 10.0.0.0/16 (65,536 IPs)
- Public Subnets:
  - 10.0.0.0/20 (AZ-a) - 4,091 usable IPs
  - 10.0.16.0/20 (AZ-b) - 4,091 usable IPs
  - 10.0.32.0/20 (AZ-c) - 4,091 usable IPs
- Private Subnets:
  - 10.0.128.0/20 (AZ-a) - 4,091 usable IPs
  - 10.0.144.0/20 (AZ-b) - 4,091 usable IPs
  - 10.0.160.0/20 (AZ-c) - 4,091 usable IPs
- Reserved for future:
  - 10.0.64.0/18 - 16,384 IPs
  - 10.0.192.0/18 - 16,384 IPs
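The sizing arithmetic and the overlap rules above, as an added example that is not part of the chapter: a small planner built on the standard library `ipaddress` module that checks the chapter's example design (the five reserved addresses, usable host counts, subnets inside the VPC and not overlapping) and applies the same overlap test that VPC peering requires. The plan values are the chapter's; the function names are this example's own.

```python
import ipaddress

# AWS keeps the first four addresses and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast), so five are never usable.
AWS_RESERVED_PER_SUBNET = 5

# The example design from this chapter: a /16 VPC split into /20 subnets per AZ
# with two /18 blocks held back for growth (values taken from the page).
VPC_CIDR = "10.0.0.0/16"
PLAN = {
    "public":   ["10.0.0.0/20", "10.0.16.0/20", "10.0.32.0/20"],
    "private":  ["10.0.128.0/20", "10.0.144.0/20", "10.0.160.0/20"],
    "reserved": ["10.0.64.0/18", "10.0.192.0/18"],
}


def usable_hosts(cidr):
    """Addresses an instance can actually take in an AWS subnet of this size."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def reserved_addresses(cidr):
    """The five addresses AWS reserves in a subnet, in the order the chapter lists them."""
    net = ipaddress.ip_network(cidr, strict=True)
    first = int(net.network_address)
    return [str(ipaddress.ip_address(first + i)) for i in range(4)] + [str(net.broadcast_address)]


def validate_plan(vpc_cidr, plan):
    """Problems AWS would reject at subnet creation: a CIDR outside the VPC, or two
    subnets that overlap. Returns an empty list for a clean plan."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnets = [(role, ipaddress.ip_network(c, strict=True))
               for role, cidrs in plan.items() for c in cidrs]
    problems = [f"{role} {net} is not inside {vpc}" for role, net in subnets if not net.subnet_of(vpc)]
    for i, (r1, n1) in enumerate(subnets):
        for r2, n2 in subnets[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"{r1} {n1} overlaps {r2} {n2}")
    return problems


def unallocated_addresses(vpc_cidr, plan):
    """Addresses in the VPC not covered by any block in the plan, i.e. room left for
    later subnets. Only meaningful once validate_plan() has returned no problems."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    used = sum(ipaddress.ip_network(c).num_addresses for cidrs in plan.values() for c in cidrs)
    return vpc.num_addresses - used


def can_peer(vpc_a, vpc_b):
    """VPC peering requires non-overlapping CIDR blocks (section 11.6); the same test
    applies before adding a secondary CIDR to an existing VPC."""
    return not ipaddress.ip_network(vpc_a).overlaps(ipaddress.ip_network(vpc_b))
```

With the chapter's plan, 8,192 addresses (two /20 blocks, 10.0.48.0/20 and 10.0.176.0/20) remain unallocated beyond the two /18 reserves.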
## 11.3 Public vs Private Subnets

**Public Subnet**

Route Table:

| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | igw-xxxxxx (Internet Gateway) |

Features:
- Direct internet access
- Public IP addresses
- Used for: Load balancers, bastion hosts

**Private Subnet**

Route Table:

| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | nat-xxxxxx (NAT Gateway) |

Features:
- No direct internet access
- Private IP addresses only
- Outbound via NAT Gateway
- Used for: Databases, application servers
## 11.4 VPC Architecture Patterns
### Three-Tier Architecture

Three-Tier VPC Architecture: Internet -> Internet Gateway -> VPC (10.0.0.0/16), with each tier in its own subnet and the layout repeated in two Availability Zones.

| Tier | Subnet type | Resource | AZ A subnet | AZ B subnet |
|---|---|---|---|---|
| Web Tier | Public Subnet | ALB | 10.0.0.0/24 | 10.0.3.0/24 |
| App Tier | Private Subnet | EC2 App | 10.0.1.0/24 | 10.0.4.0/24 |
| DB Tier | Private Subnet | RDS DB | 10.0.2.0/24 | 10.0.5.0/24 |

Traffic Flow: Internet -> ALB (Public) -> EC2 (Private) -> RDS
### Hub-and-Spoke Architecture

Hub-and-Spoke (Transit Gateway): a Transit Gateway is the hub, and each VPC attaches to it as a spoke.

- Transit Gateway (Hub)
  - VPC Shared Services: DNS, AD, Secrets
  - VPC Dev: Dev Apps
  - VPC Prod: Prod Apps

Benefits:
- Centralized services
- Network isolation
- Simplified connectivity
## 11.5 Security Groups vs NACLs

Security Layers in VPC

**Layer 1: Network ACL (Stateless), Subnet Level**

Inbound Rules:

| Rule # | Type | Port | Source | Allow/Deny |
|---|---|---|---|---|
| 100 | HTTP | 80 | 0.0.0.0/0 | ALLOW |
| 110 | HTTPS | 443 | 0.0.0.0/0 | ALLOW |
| * | All | All | 0.0.0.0/0 | DENY |

Outbound Rules:

| Rule # | Type | Port | Dest | Allow/Deny |
|---|---|---|---|---|
| 100 | All | All | 0.0.0.0/0 | ALLOW |

Features:
- Stateless (return traffic needs rule)
- Processed in order (lowest number first)
- Allow AND Deny rules
- Applies to entire subnet

Because the NACL is stateless, the inbound table above only admits new connections to ports 80 and 443: replies to connections that instances in the subnet open themselves (for example to a NAT Gateway or a patch repository) arrive on ephemeral ports (1024-65535) and are dropped by the `*` rule unless an inbound ALLOW rule for that port range is added.

**Layer 2: Security Group (Stateful), Instance Level**

Inbound Rules:

| Type | Port | Source |
|---|---|---|
| HTTP | 80 | 0.0.0.0/0 |
| SSH | 22 | sg-xxxxxx (Bastion SG) |

Outbound Rules: All traffic allowed by default

Features:
- Stateful (return traffic auto-allowed)
- Allow rules only
- Can reference other security groups
- Applies to individual instances
### Comparison Table

Security Group vs NACL Comparison

| Feature | Security Group | NACL |
|---|---|---|
| Level | Instance | Subnet |
| State | Stateful | Stateless |
| Rules | Allow only | Allow and Deny |
| Order | No order | Numbered order |
| Default | Deny all inbound | Allow all (default) |
| Association | Multiple SGs | One NACL per subnet |
| Reference | Can ref SG IDs | IP/CIDR only |
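The two evaluation models compared above, as an added example that is not part of the chapter: a small evaluator that runs a connection through the chapter's NACL tables (stateless, numbered first-match, both directions checked) and then through its security group rules (stateful, allow-only, SG-id sources). The rule tables are the chapter's; `sg-bastion` stands in for the page's `sg-xxxxxx`, and the function and class names are this example's own.

```python
import ipaddress
from dataclasses import dataclass, field

# Rule tables copied from this chapter's "Security Layers in VPC" example. NACL rule:
# (number, protocol, (low, high), cidr, action); AWS appends the "*" catch-all DENY.
NACL_INBOUND = [(100, "tcp", (80, 80), "0.0.0.0/0", "ALLOW"),
                (110, "tcp", (443, 443), "0.0.0.0/0", "ALLOW"),
                ("*", "all", (0, 65535), "0.0.0.0/0", "DENY")]
NACL_OUTBOUND = [(100, "all", (0, 65535), "0.0.0.0/0", "ALLOW"),
                 ("*", "all", (0, 65535), "0.0.0.0/0", "DENY")]
# SG rule: (protocol, (low, high), source); "sg-bastion" is a placeholder for sg-xxxxxx.
SG_INBOUND = [("tcp", (80, 80), "0.0.0.0/0"), ("tcp", (22, 22), "sg-bastion")]

@dataclass
class Connection:
    initiated_inside: bool   # True if the instance opened the connection
    remote_addr: str
    remote_port: int         # port on the remote peer
    local_port: int          # port on the instance
    proto: str = "tcp"
    remote_sgs: set = field(default_factory=set)  # SGs attached to the peer

def nacl_decision(rules, proto, port, addr):
    """Stateless first match: numbered rules ascending, then the '*' catch-all."""
    ordered = sorted((r for r in rules if r[0] != "*"), key=lambda r: r[0])
    ordered += [r for r in rules if r[0] == "*"]
    for num, rproto, (lo, hi), cidr, action in ordered:
        if (rproto in ("all", proto) and lo <= port <= hi
                and ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)):
            return action, str(num)
    return "DENY", "*"

def nacl_allows(conn):
    """Both the opening packet and its reply must match: inbound packets are matched
    on the instance's local port, outbound on the remote port, CIDR on the peer."""
    for direction, rules, port in (("inbound", NACL_INBOUND, conn.local_port),
                                   ("outbound", NACL_OUTBOUND, conn.remote_port)):
        action, num = nacl_decision(rules, conn.proto, port, conn.remote_addr)
        if action != "ALLOW":
            return False, f"NACL {direction} rule {num} denies dst port {port}"
    return True, ""

def sg_allows(conn):
    """Stateful: only the opening packet is checked; outbound is all-allowed by default."""
    if conn.initiated_inside:
        return True
    for proto, (lo, hi), source in SG_INBOUND:
        if proto != conn.proto or not lo <= conn.local_port <= hi:
            continue
        if source.startswith("sg-"):
            if source in conn.remote_sgs:
                return True
        elif ipaddress.ip_address(conn.remote_addr) in ipaddress.ip_network(source):
            return True
    return False

def connection_allowed(conn):
    """Subnet NACL first, then the instance security group; both must allow."""
    ok, why = nacl_allows(conn)
    if not ok:
        return False, why
    if not sg_allows(conn):
        return False, "SG: no inbound rule matches"
    return True, "allowed by NACL and SG"
```

Running an instance-initiated HTTPS connection through it shows the stateless trap: the NACL drops the reply on the instance's ephemeral port even though the security group would pass it, and SSH from the bastion SG is also stopped by the NACL before the SG rule is ever consulted.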
## 11.6 VPC Peering

VPC Peering Connection: VPC A (10.0.0.0/16), with an EC2 instance at 10.0.1.10, and VPC B (10.1.0.0/16), with an EC2 instance at 10.1.1.10, connected by a peering connection.

Route Tables:

VPC A Route Table:

| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 10.1.0.0/16 | pcx-xxxxxx (peering connection) |

VPC B Route Table:

| Destination | Target |
|---|---|
| 10.1.0.0/16 | local |
| 10.0.0.0/16 | pcx-xxxxxx (peering connection) |

Limitations:
- No transitive peering
- No overlapping CIDR blocks
- Same region or inter-region (with limitations)
## 11.7 VPC Endpoints

**Gateway Endpoints**

- Services: S3, DynamoDB
- Path: EC2 (Private Subnet) -> Route Table -> Gateway Endpoint -> S3

Features:
- No private IP
- Added to route table
- No additional cost

**Interface Endpoints (PrivateLink)**

- Services: Most AWS services
- Path: EC2 (Private Subnet) -> ENI (Private IP) -> Interface Endpoint -> AWS Service

Features:
- Private IP in your subnet
- Uses ENI
- Hourly + data processing cost
- Security groups apply
## 11.8 VPC Flow Logs

Flow Log Record Format:

```text
${version} ${account-id} ${interface-id} ${srcaddr} ${dstaddr} ${srcport} ${dstport} ${protocol} ${packets} ${bytes} ${start} ${end} ${action} ${log-status}
```

Example:

```text
2 123456789012 eni-abc123 10.0.1.10 10.0.2.20 443 80 6 10 2000 1609459200 1609459260 ACCEPT OK
```

Fields Explained:
- version: Flow log version
- interface-id: ENI ID
- srcaddr/srcport: Source IP and port
- dstaddr/dstport: Destination IP and port
- protocol: Protocol number (6=TCP, 17=UDP)
- action: ACCEPT or REJECT
- log-status: OK, NODATA, SKIPDATA

Flow Log Levels:
- VPC Level: All ENIs in VPC
- Subnet Level: All ENIs in subnet
- ENI Level: Specific network interface

Destinations:
- CloudWatch Logs (default)
- S3 Bucket
- Kinesis Data Firehose
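A parser for the record format above plus one detection built on it, as an added example that is not part of the chapter. The sample records are constructed: the chapter's example line, a handful of made-up REJECT records from one source, and a NODATA record whose traffic fields are `-`, as AWS emits them. Function names are this example's own.

```python
from collections import Counter

# Field order of the default flow log record format shown in this chapter.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
PROTOCOLS = {6: "TCP", 17: "UDP", 1: "ICMP"}

# Constructed sample: the chapter's example record plus made-up records showing a
# burst of rejected connections from one source and a NODATA record (not real traffic).
SAMPLE_LOG = """\
2 123456789012 eni-abc123 10.0.1.10 10.0.2.20 443 80 6 10 2000 1609459200 1609459260 ACCEPT OK
2 123456789012 eni-abc123 198.51.100.7 10.0.1.10 40211 22 6 3 180 1609459200 1609459260 REJECT OK
2 123456789012 eni-abc123 198.51.100.7 10.0.1.10 40212 3389 6 3 180 1609459200 1609459260 REJECT OK
2 123456789012 eni-abc123 198.51.100.7 10.0.1.10 40213 3306 6 3 180 1609459200 1609459260 REJECT OK
2 123456789012 eni-abc123 198.51.100.7 10.0.1.10 40214 5432 6 3 180 1609459200 1609459260 REJECT OK
2 123456789012 eni-def456 - - - - - - - 1609459200 1609459260 - NODATA
2 123456789012 eni-def456 10.0.2.20 10.0.1.10 53412 443 6 12 3400 1609459200 1609459260 ACCEPT OK
"""

def parse_record(line):
    """Split one default-format record into typed fields. NODATA and SKIPDATA
    records carry '-' in the traffic fields; those become None so they can be
    counted but never match an address or port."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = None if rec[key] == "-" else int(rec[key])
    rec["protocol_name"] = PROTOCOLS.get(rec["protocol"], str(rec["protocol"]))
    return rec

def parse_flow_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]

def status_counts(records):
    """How many records were OK vs NODATA/SKIPDATA; SKIPDATA means records were dropped."""
    return Counter(r["log_status"] for r in records)

def rejected_ports(records):
    """(srcaddr, dstaddr) -> sorted distinct destination ports the source was REJECTed on."""
    ports = {}
    for r in records:
        if r["action"] == "REJECT":
            ports.setdefault((r["srcaddr"], r["dstaddr"]), set()).add(r["dstport"])
    return {pair: sorted(p) for pair, p in ports.items()}

def probable_scans(records, min_ports=3):
    """Source/destination pairs whose rejected traffic touched at least min_ports
    distinct ports in the capture window: a cheap signal worth alerting on."""
    return {pair: p for pair, p in rejected_ports(records).items() if len(p) >= min_ports}
```

The same grouping works on CloudWatch Logs Insights or Athena output once the records are split into these fields; the threshold is the only tunable.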
## 11.9 Practical Configuration
### VPC with Terraform

```hcl
# ============================================================
# Inputs referenced below. The original snippet uses var.region and
# data.aws_availability_zones.available without declaring them; the
# region default is an assumption, change it to suit.
# ============================================================

variable "region" {
  description = "Region the VPC lives in; used for the S3 endpoint service name"
  type        = string
  default     = "us-east-1"
}

data "aws_availability_zones" "available" {
  state = "available"
}

# ============================================================
# VPC Configuration
# ============================================================

# Create VPC
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = {
    Name = "main-vpc"
  }
}

# ============================================================
# Internet Gateway
# ============================================================

resource "aws_internet_gateway" "main" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "main-igw"
  }
}

# ============================================================
# Public Subnets
# ============================================================

# cidrsubnet(10.0.0.0/16, 8, n) yields 10.0.n.0/24: 10.0.0.0/24, 10.0.1.0/24, 10.0.2.0/24
resource "aws_subnet" "public" {
  count                   = 3
  vpc_id                  = aws_vpc.main.id
  cidr_block              = cidrsubnet(aws_vpc.main.cidr_block, 8, count.index)
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = true

  tags = {
    Name = "public-subnet-${count.index + 1}"
    Type = "public"
  }
}

# ============================================================
# Private Subnets
# ============================================================

# Offset by 128 so private subnets land in 10.0.128.0/24 .. 10.0.130.0/24;
# no public IP on launch
resource "aws_subnet" "private" {
  count             = 3
  vpc_id            = aws_vpc.main.id
  cidr_block        = cidrsubnet(aws_vpc.main.cidr_block, 8, count.index + 128)
  availability_zone = data.aws_availability_zones.available.names[count.index]

  tags = {
    Name = "private-subnet-${count.index + 1}"
    Type = "private"
  }
}

# ============================================================
# NAT Gateway
# ============================================================

# Elastic IP for NAT Gateway (one per AZ)
resource "aws_eip" "nat" {
  count  = 3
  domain = "vpc"

  tags = {
    Name = "nat-eip-${count.index + 1}"
  }
}

# NAT Gateway, placed in the public subnet of the same AZ
resource "aws_nat_gateway" "main" {
  count         = 3
  allocation_id = aws_eip.nat[count.index].id
  subnet_id     = aws_subnet.public[count.index].id

  tags = {
    Name = "nat-gateway-${count.index + 1}"
  }

  # The IGW must exist before a NAT Gateway can reach the internet
  depends_on = [aws_internet_gateway.main]
}

# ============================================================
# Route Tables
# ============================================================

# Public Route Table: default route to the Internet Gateway
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.main.id
  }

  tags = {
    Name = "public-rt"
  }
}

# Private Route Tables (one per AZ): default route to that AZ's NAT Gateway
resource "aws_route_table" "private" {
  count  = 3
  vpc_id = aws_vpc.main.id

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.main[count.index].id
  }

  tags = {
    Name = "private-rt-${count.index + 1}"
  }
}

# Route Table Associations
resource "aws_route_table_association" "public" {
  count          = 3
  subnet_id      = aws_subnet.public[count.index].id
  route_table_id = aws_route_table.public.id
}

resource "aws_route_table_association" "private" {
  count          = 3
  subnet_id      = aws_subnet.private[count.index].id
  route_table_id = aws_route_table.private[count.index].id
}

# ============================================================
# Security Groups
# ============================================================

# Web Server Security Group: only the ALB's security group may reach the web tier
resource "aws_security_group" "web" {
  name        = "web-sg"
  description = "Security group for web servers"
  vpc_id      = aws_vpc.main.id

  ingress {
    description     = "HTTP from ALB"
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  ingress {
    description     = "HTTPS from ALB"
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    security_groups = [aws_security_group.alb.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "web-sg"
  }
}

# ALB Security Group: the only group open to the internet
resource "aws_security_group" "alb" {
  name        = "alb-sg"
  description = "Security group for ALB"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "HTTP from internet"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  ingress {
    description = "HTTPS from internet"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "alb-sg"
  }
}

# Database Security Group: MySQL only from the web/app tier's security group
resource "aws_security_group" "db" {
  name        = "db-sg"
  description = "Security group for database"
  vpc_id      = aws_vpc.main.id

  ingress {
    description     = "MySQL from app servers"
    from_port       = 3306
    to_port         = 3306
    protocol        = "tcp"
    security_groups = [aws_security_group.web.id]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "db-sg"
  }
}

# ============================================================
# VPC Flow Logs
# ============================================================

resource "aws_flow_log" "main" {
  iam_role_arn    = aws_iam_role.flow_log.arn
  log_destination = aws_cloudwatch_log_group.flow_log.arn
  traffic_type    = "ALL"
  vpc_id          = aws_vpc.main.id

  tags = {
    Name = "vpc-flow-logs"
  }
}

resource "aws_cloudwatch_log_group" "flow_log" {
  name              = "/aws/vpc/flow-logs"
  retention_in_days = 30
}

# IAM role the VPC Flow Logs service assumes to write to the log group above.
# The original snippet references aws_iam_role.flow_log without declaring it;
# it is added here so the configuration applies cleanly.
resource "aws_iam_role" "flow_log" {
  name = "vpc-flow-log-role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "vpc-flow-logs.amazonaws.com" }
    }]
  })
}

# Least privilege: the role may write only to the flow-log log group
resource "aws_iam_role_policy" "flow_log" {
  name = "vpc-flow-log-policy"
  role = aws_iam_role.flow_log.id

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect   = "Allow"
        Action   = ["logs:CreateLogStream", "logs:PutLogEvents"]
        Resource = "${aws_cloudwatch_log_group.flow_log.arn}:*"
      },
      {
        Effect   = "Allow"
        Action   = ["logs:DescribeLogGroups", "logs:DescribeLogStreams"]
        Resource = "*"
      }
    ]
  })
}

# ============================================================
# VPC Endpoint (S3)
# ============================================================

# Gateway endpoint: added to the private route tables, so S3 traffic from
# private subnets never traverses the NAT Gateway
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = aws_vpc.main.id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"

  route_table_ids = aws_route_table.private[*].id

  tags = {
    Name = "s3-endpoint"
  }
}
```
## 11.10 Exam Tips

- VPC CIDR: Plan for growth, use /16 for flexibility
- Subnets: One subnet = One AZ
- Public Subnet: Route to Internet Gateway
- Private Subnet: Route to NAT Gateway for outbound
- Security Groups: Stateful, instance-level, allow only
- NACLs: Stateless, subnet-level, allow/deny, numbered order
- VPC Peering: No transitive, no overlapping CIDRs
- Gateway Endpoints: S3, DynamoDB (free)
- Interface Endpoints: PrivateLink, costs money
- Flow Logs: Capture network traffic metadata
## Next Chapter

Chapter 12: AWS Direct Connect & VPN
Last Updated: February 2026