Amazon VPC - Virtual Private Cloud
Chapter 11: Amazon VPC - Virtual Private Cloud
Section titled “Chapter 11: Amazon VPC - Virtual Private Cloud”Building Your AWS Network Infrastructure
Section titled “Building Your AWS Network Infrastructure”11.1 Overview
Section titled “11.1 Overview”Amazon VPC (Virtual Private Cloud) lets you provision a logically isolated section of AWS where you can launch AWS resources in a virtual network that you define.
VPC Overview+------------------------------------------------------------------+| || +------------------------+ || | VPC | || | 10.0.0.0/16 | || +------------------------+ || | || +---------------------+---------------------+ || | | | || v v v || +----------+ +----------+ +----------+ || | Public | | Private | | Private | || | Subnet | | Subnet | | Subnet | || |10.0.1.0/24| |10.0.2.0/24| |10.0.3.0/24| || +----------+ +----------+ +----------+ || | | | || v v v || +----------+ +----------+ +----------+ || | Internet | | NAT | | VPC | || | Gateway | | Gateway | | Endpoints| || +----------+ +----------+ +----------+ || |+------------------------------------------------------------------+11.2 VPC Components
Section titled “11.2 VPC Components”Core Components
Section titled “Core Components” VPC Core Components+------------------------------------------------------------------+| || 1. VPC (Virtual Private Cloud) || +----------------------------------------------------------+ || | - Isolated network in AWS | || | - CIDR block (e.g., 10.0.0.0/16) | || | - Regional scope | || +----------------------------------------------------------+ || || 2. Subnet || +----------------------------------------------------------+ || | - Sub-range of VPC CIDR | || | - AZ-specific (one subnet = one AZ) | || | - Public or Private | || +----------------------------------------------------------+ || || 3. Route Table || +----------------------------------------------------------+ || | - Routes traffic within VPC | || | - Main route table (default) | || | - Custom route tables per subnet | || +----------------------------------------------------------+ || || 4. Internet Gateway (IGW) || +----------------------------------------------------------+ || | - Connects VPC to internet | || | - Horizontally scaled, redundant | || | - Required for public subnets | || +----------------------------------------------------------+ || || 5. NAT Gateway / NAT Instance || +----------------------------------------------------------+ || | - Allows private subnet internet access | || | - NAT Gateway: Managed service | || | - NAT Instance: EC2-based (legacy) | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+CIDR Block Planning
Section titled “CIDR Block Planning” CIDR Block Sizing+------------------------------------------------------------------+| || CIDR Notation: IP/Prefix Length || +----------------------------------------------------------+ || | | || | /16 = 65,536 IPs (10.0.0.0 - 10.0.255.255) | || | /20 = 4,096 IPs (10.0.0.0 - 10.0.15.255) | || | /24 = 256 IPs (10.0.1.0 - 10.0.1.255) | || | /28 = 16 IPs (10.0.1.0 - 10.0.1.15) | || | | || | Reserved IPs per subnet (5 IPs): | || | - 10.0.1.0 : Network address | || | - 10.0.1.1 : VPC router | || | - 10.0.1.2 : DNS server | || | - 10.0.1.3 : Reserved for future use | || | - 10.0.1.255 : Broadcast address | || | | || | Usable IPs: 256 - 5 = 251 per /24 subnet | || +----------------------------------------------------------+ || || Example VPC Design: || +----------------------------------------------------------+ || | | || | VPC: 10.0.0.0/16 (65,536 IPs) | || | | || | Public Subnets: | || | - 10.0.0.0/20 (AZ-a) - 4,091 usable IPs | || | - 10.0.16.0/20 (AZ-b) - 4,091 usable IPs | || | - 10.0.32.0/20 (AZ-c) - 4,091 usable IPs | || | | || | Private Subnets: | || | - 10.0.128.0/20 (AZ-a) - 4,091 usable IPs | || | - 10.0.144.0/20 (AZ-b) - 4,091 usable IPs | || | - 10.0.160.0/20 (AZ-c) - 4,091 usable IPs | || | | || | Reserved for future: | || | - 10.0.64.0/18 - 16,384 IPs | || | - 10.0.192.0/18 - 16,384 IPs | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+11.3 Public vs Private Subnets
Section titled “11.3 Public vs Private Subnets” Public vs Private Subnet+------------------------------------------------------------------+| || Public Subnet || +----------------------------------------------------------+ || | | || | Route Table: | || | +----------------------------------------------------+ | || | | Destination | Target | | || | |-----------------|----------------------------------| | || | | 10.0.0.0/16 | local | | || | | 0.0.0.0/0 | igw-xxxxxx (Internet Gateway) | | || | +----------------------------------------------------+ | || | | || | Features: | || | - Direct internet access | || | - Public IP addresses | || | - Used for: Load balancers, bastion hosts | || +----------------------------------------------------------+ || || Private Subnet || +----------------------------------------------------------+ || | | || | Route Table: | || | +----------------------------------------------------+ | || | | Destination | Target | | || | |-----------------|----------------------------------| | || | | 10.0.0.0/16 | local | | || | | 0.0.0.0/0 | nat-xxxxxx (NAT Gateway) | | || | +----------------------------------------------------+ | || | | || | Features: | || | - No direct internet access | || | - Private IP addresses only | || | - Outbound via NAT Gateway | || | - Used for: Databases, application servers | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+11.4 VPC Architecture Patterns
Section titled “11.4 VPC Architecture Patterns”Three-Tier Architecture
Section titled “Three-Tier Architecture” Three-Tier VPC Architecture+------------------------------------------------------------------+| || Internet || | || v || +----------+ || | Internet | || | Gateway | || +----------+ || | || v || +----------------------------------------------------------------+| | VPC (10.0.0.0/16) || | || | +----------------------------------------------------------+ || | | Availability Zone A | || | | +------------+ +------------+ +------------+ | || | | | Public | | Private | | Private | | || | | | Subnet | | Subnet | | Subnet | | || | | | (Web Tier) | | (App Tier) | | (DB Tier) | | || | | | 10.0.0.0/24| |10.0.1.0/24 | |10.0.2.0/24 | | || | | +------------+ +------------+ +------------+ | || | | | | | | || | | v v v | || | | +----------+ +----------+ +----------+ | || | | | ALB | | EC2 | | RDS | | || | | | | | App | | DB | | || | | +----------+ +----------+ +----------+ | || | +----------------------------------------------------------+ || | || | +----------------------------------------------------------+ || | | Availability Zone B | || | | +------------+ +------------+ +------------+ | || | | | Public | | Private | | Private | | || | | | Subnet | | Subnet | | Subnet | | || | | | (Web Tier) | | (App Tier) | | (DB Tier) | | || | | | 10.0.3.0/24| |10.0.4.0/24 | |10.0.5.0/24 | | || | | +------------+ +------------+ +------------+ | || | +----------------------------------------------------------+ || | || +----------------------------------------------------------------+| || Traffic Flow: Internet -> ALB (Public) -> EC2 (Private) -> RDS || |+------------------------------------------------------------------+Hub-and-Spoke Architecture
Section titled “Hub-and-Spoke Architecture” Hub-and-Spoke (Transit Gateway)+------------------------------------------------------------------+| || +------------------------+ || | Transit Gateway | || | (Hub) | || +------------------------+ || | || +---------------------+---------------------+ || | | | || v v v || +----------+ +----------+ +----------+ || | VPC | | VPC | | VPC | || | Shared | | Dev | | Prod | || | Services | | | | | || | | | | | | || | - DNS | | - Dev | | - Prod | || | - AD | | Apps | | Apps | || | - Secrets| | | | | || +----------+ +----------+ +----------+ || || Benefits: || - Centralized services || - Network isolation || - Simplified connectivity || |+------------------------------------------------------------------+11.5 Security Groups vs NACLs
Section titled “11.5 Security Groups vs NACLs” Security Layers in VPC+------------------------------------------------------------------+| || Layer 1: Network ACL (Stateless) || +----------------------------------------------------------+ || | | || | Subnet Level | || | +----------------------------------------------------+ | || | | | | || | | Inbound Rules: | | || | | Rule # | Type | Port | Source | Allow/Deny | | || | | 100 | HTTP | 80 | 0.0.0.0/0| ALLOW | | || | | 110 | HTTPS | 443 | 0.0.0.0/0| ALLOW | | || | | * | All | All | 0.0.0.0/0| DENY | | || | | | | || | | Outbound Rules: | | || | | Rule # | Type | Port | Dest | Allow/Deny | | || | | 100 | All | All | 0.0.0.0/0| ALLOW | | || | +----------------------------------------------------+ | || | | || | Features: | || | - Stateless (return traffic needs rule) | || | - Processed in order (lowest number first) | || | - Allow AND Deny rules | || | - Applies to entire subnet | || +----------------------------------------------------------+ || || Layer 2: Security Group (Stateful) || +----------------------------------------------------------+ || | | || | Instance Level | || | +----------------------------------------------------+ | || | | | | || | | Inbound Rules: | | || | | Type | Port | Source | | || | | HTTP | 80 | 0.0.0.0/0 | | || | | SSH | 22 | sg-xxxxxx (Bastion SG) | | || | | | | || | | Outbound Rules: | | || | | All traffic allowed by default | | || | +----------------------------------------------------+ | || | | || | Features: | || | - Stateful (return traffic auto-allowed) | || | - Allow rules only | || | - Can reference other security groups | || | - Applies to individual instances | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+Comparison Table
Section titled “Comparison Table” Security Group vs NACL Comparison+------------------------------------------------------------------+| || Feature | Security Group | NACL || ---------------------|-------------------|----------------------|| Level | Instance | Subnet || State | Stateful | Stateless || Rules | Allow only | Allow and Deny || Order | No order | Numbered order || Default | Deny all inbound | Allow all (default) || Association | Multiple SGs | One NACL per subnet || Reference | Can ref SG IDs | IP/CIDR only || |+------------------------------------------------------------------+11.6 VPC Peering
Section titled “11.6 VPC Peering” VPC Peering+------------------------------------------------------------------+| || VPC Peering Connection || +----------------------------------------------------------+ || | | || | VPC A (10.0.0.0/16) VPC B (10.1.0.0/16) | || | +------------------+ +------------------+ | || | | | | | | || | | +------------+ | | +------------+ | | || | | | EC2 | | | | EC2 | | | || | | | 10.0.1.10 | | | | 10.1.1.10 | | | || | | +------------+ | | +------------+ | | || | | | | | | | | || | | +----------+---------+--------+ | | || | | | Peering | | | || | | | Connection | | || | +------------------+ +------------------+ | || | | || +----------------------------------------------------------+ || || Route Tables: || +----------------------------------------------------------+ || | VPC A Route Table: | || | Destination | Target | || | 10.0.0.0/16 | local | || | 10.1.0.0/16 | pcx-xxxxxx (peering connection) | || | | || | VPC B Route Table: | || | Destination | Target | || | 10.1.0.0/16 | local | || | 10.0.0.0/16 | pcx-xxxxxx (peering connection) | || +----------------------------------------------------------+ || || Limitations: || - No transitive peering || - No overlapping CIDR blocks || - Same region or inter-region (with limitations) || |+------------------------------------------------------------------+11.7 VPC Endpoints
Section titled “11.7 VPC Endpoints” VPC Endpoints+------------------------------------------------------------------+| || Gateway Endpoints || +----------------------------------------------------------+ || | | || | Services: S3, DynamoDB | || | | || | VPC | || | +----------------------------------------------------+ | || | | | | || | | Private Subnet | | || | | +------------+ | | || | | | EC2 | | | || | | +------------+ | | || | | | | | || | | v | | || | | +------------+ +------------+ | | || | | | Route Table|---->| Gateway |-----> S3 | | || | | +------------+ | Endpoint | | | || | | +------------+ | | || | +----------------------------------------------------+ | || | | || | Features: | || | - No private IP | || | - Added to route table | || | - No additional cost | || +----------------------------------------------------------+ || || Interface Endpoints (PrivateLink) || +----------------------------------------------------------+ || | | || | Services: Most AWS services | || | | || | VPC | || | +----------------------------------------------------+ | || | | | | || | | Private Subnet | | || | | +------------+ | | || | | | EC2 | | | || | | +------------+ | | || | | | | | || | | v | | || | | +------------+ +------------+ | | || | | | ENI |---->| Interface |-----> AWS Service|| | | | (Private IP)| | Endpoint | | || | | +------------+ +------------+ | | || | +----------------------------------------------------+ | || | | || | Features: | || | - Private IP in your subnet | || | - Uses ENI | || | - Hourly + data processing cost | || | - Security groups apply | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+11.8 VPC Flow Logs
Section titled “11.8 VPC Flow Logs” VPC Flow Logs+------------------------------------------------------------------+| || Flow Log Record Format || +----------------------------------------------------------+ || | | || | ${version} ${account-id} ${interface-id} ${srcaddr} | || | ${dstaddr} ${srcport} ${dstport} ${protocol} | || | ${packets} ${bytes} ${start} ${end} ${action} | || | ${log-status} | || | | || | Example: | || | 2 123456789012 eni-abc123 10.0.1.10 10.0.2.20 443 80 | || | 6 10 2000 1609459200 1609459260 ACCEPT OK | || | | || | Fields Explained: | || | - version: Flow log version | || | - interface-id: ENI ID | || | - srcaddr/srcport: Source IP and port | || | - dstaddr/dstport: Destination IP and port | || | - protocol: Protocol number (6=TCP, 17=UDP) | || | - action: ACCEPT or REJECT | || | - log-status: OK, NODATA, SKIPDATA | || +----------------------------------------------------------+ || || Flow Log Levels: || +----------------------------------------------------------+ || | - VPC Level: All ENIs in VPC | || | - Subnet Level: All ENIs in subnet | || | - ENI Level: Specific network interface | || +----------------------------------------------------------+ || || Destinations: || +----------------------------------------------------------+ || | - CloudWatch Logs (default) | || | - S3 Bucket | || | - Kinesis Data Firehose | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+11.9 Practical Configuration
Section titled “11.9 Practical Configuration”VPC with Terraform
Section titled “VPC with Terraform”# ============================================================# VPC Configuration# ============================================================
# Create VPCresource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" enable_dns_hostnames = true enable_dns_support = true
tags = { Name = "main-vpc" }}
# ============================================================# Internet Gateway# ============================================================
resource "aws_internet_gateway" "main" { vpc_id = aws_vpc.main.id
tags = { Name = "main-igw" }}
# ============================================================# Public Subnets# ============================================================
resource "aws_subnet" "public" { count = 3 vpc_id = aws_vpc.main.id cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, count.index) availability_zone = data.aws_availability_zones.available.names[count.index] map_public_ip_on_launch = true
tags = { Name = "public-subnet-${count.index + 1}" Type = "public" }}
# ============================================================# Private Subnets# ============================================================
resource "aws_subnet" "private" { count = 3 vpc_id = aws_vpc.main.id cidr_block = cidrsubnet(aws_vpc.main.cidr_block, 8, count.index + 128) availability_zone = data.aws_availability_zones.available.names[count.index]
tags = { Name = "private-subnet-${count.index + 1}" Type = "private" }}
# ============================================================# NAT Gateway# ============================================================
# Elastic IP for NAT Gatewayresource "aws_eip" "nat" { count = 3 domain = "vpc"
tags = { Name = "nat-eip-${count.index + 1}" }}
# NAT Gatewayresource "aws_nat_gateway" "main" { count = 3 allocation_id = aws_eip.nat[count.index].id subnet_id = aws_subnet.public[count.index].id
tags = { Name = "nat-gateway-${count.index + 1}" }
depends_on = [aws_internet_gateway.main]}
# ============================================================# Route Tables# ============================================================
# Public Route Tableresource "aws_route_table" "public" { vpc_id = aws_vpc.main.id
route { cidr_block = "0.0.0.0/0" gateway_id = aws_internet_gateway.main.id }
tags = { Name = "public-rt" }}
# Private Route Tables (one per AZ)resource "aws_route_table" "private" { count = 3 vpc_id = aws_vpc.main.id
route { cidr_block = "0.0.0.0/0" nat_gateway_id = aws_nat_gateway.main[count.index].id }
tags = { Name = "private-rt-${count.index + 1}" }}
# Route Table Associationsresource "aws_route_table_association" "public" { count = 3 subnet_id = aws_subnet.public[count.index].id route_table_id = aws_route_table.public.id}
resource "aws_route_table_association" "private" { count = 3 subnet_id = aws_subnet.private[count.index].id route_table_id = aws_route_table.private[count.index].id}
# ============================================================# Security Groups# ============================================================
# Web Server Security Groupresource "aws_security_group" "web" { name = "web-sg" description = "Security group for web servers" vpc_id = aws_vpc.main.id
ingress { description = "HTTP from ALB" from_port = 80 to_port = 80 protocol = "tcp" security_groups = [aws_security_group.alb.id] }
ingress { description = "HTTPS from ALB" from_port = 443 to_port = 443 protocol = "tcp" security_groups = [aws_security_group.alb.id] }
egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] }
tags = { Name = "web-sg" }}
# ALB Security Groupresource "aws_security_group" "alb" { name = "alb-sg" description = "Security group for ALB" vpc_id = aws_vpc.main.id
ingress { description = "HTTP from internet" from_port = 80 to_port = 80 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] }
ingress { description = "HTTPS from internet" from_port = 443 to_port = 443 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] }
egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] }
tags = { Name = "alb-sg" }}
# Database Security Groupresource "aws_security_group" "db" { name = "db-sg" description = "Security group for database" vpc_id = aws_vpc.main.id
ingress { description = "MySQL from app servers" from_port = 3306 to_port = 3306 protocol = "tcp" security_groups = [aws_security_group.web.id] }
egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] }
tags = { Name = "db-sg" }}
# ============================================================# VPC Flow Logs# ============================================================
resource "aws_flow_log" "main" { iam_role_arn = aws_iam_role.flow_log.arn log_destination = aws_cloudwatch_log_group.flow_log.arn traffic_type = "ALL" vpc_id = aws_vpc.main.id
tags = { Name = "vpc-flow-logs" }}
resource "aws_cloudwatch_log_group" "flow_log" { name = "/aws/vpc/flow-logs" retention_in_days = 30}
# ============================================================# VPC Endpoint (S3)# ============================================================
resource "aws_vpc_endpoint" "s3" { vpc_id = aws_vpc.main.id service_name = "com.amazonaws.${var.region}.s3" vpc_endpoint_type = "Gateway"
route_table_ids = aws_route_table.private[*].id
tags = { Name = "s3-endpoint" }}11.10 Why This Matters in DevOps/SRE
Section titled “11.10 Why This Matters in DevOps/SRE”VPC is the foundation of everything in AWS. Every EC2, RDS, ECS task, and Lambda function (in VPC mode) lives inside a VPC. Understanding networking is non-negotiable for DevOps/SRE.
VPC in Daily DevOps Work+------------------------------------------------------------------+| || Critical VPC Operations: || || 1. Network Architecture Design || +----------------------------------------------------------+ || | - Multi-account VPC strategy with Transit Gateway | || | - CIDR planning to avoid overlaps | || | - VPC endpoint strategy to reduce NAT costs | || +----------------------------------------------------------+ || || 2. Security Posture Management || +----------------------------------------------------------+ || | - Security group audit and cleanup | || | - NACL rules for subnet-level protection | || | - Flow log analysis for threat detection | || +----------------------------------------------------------+ || || 3. Connectivity Troubleshooting || +----------------------------------------------------------+ || | - Cross-VPC peering route issues | || | - NAT Gateway throughput bottlenecks | || | - DNS resolution failures in private subnets | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+11.11 Linux Systems Perspective
Section titled “11.11 Linux Systems Perspective”VPC Diagnostics from Arch Linux
Section titled “VPC Diagnostics from Arch Linux”# Install networking toolssudo pacman -S aws-cli-v2 jq nmap traceroute bind-tools
# VPC inventory script#!/bin/bash# ~/bin/vpc-audit.shset -euo pipefail
echo "=== VPC Inventory ==="aws ec2 describe-vpcs \ --query 'Vpcs[*].{VpcId:VpcId,CIDR:CidrBlock,Name:Tags[?Key==`Name`].Value|[0]}' \ --output table
echo ""echo "=== Subnet Map ==="aws ec2 describe-subnets \ --query 'Subnets[*].{SubnetId:SubnetId,VpcId:VpcId,AZ:AvailabilityZone,CIDR:CidrBlock,Public:MapPublicIpOnLaunch,AvailIPs:AvailableIpAddressCount,Name:Tags[?Key==`Name`].Value|[0]}' \ --output table
echo ""echo "=== Security Group Audit ==="# Find overly permissive security groups (0.0.0.0/0 ingress)aws ec2 describe-security-groups \ --query 'SecurityGroups[?IpPermissions[?IpRanges[?CidrIp==`0.0.0.0/0`]]].{GroupId:GroupId,GroupName:GroupName,VpcId:VpcId}' \ --output table
echo ""echo "=== NAT Gateway Status ==="aws ec2 describe-nat-gateways \ --query 'NatGateways[*].{NatGwId:NatGatewayId,State:State,SubnetId:SubnetId,PublicIP:NatGatewayAddresses[0].PublicIp}' \ --output table
# Flow log analysis — find rejected trafficaws logs filter-log-events \ --log-group-name /aws/vpc/flow-logs \ --filter-pattern "REJECT" \ --start-time $(date -d '1 hour ago' +%s000) \ --query 'events[*].message' \ --output text | head -2011.12 Troubleshooting Guide
Section titled “11.12 Troubleshooting Guide”| Issue | Cause | Solution |
|---|---|---|
| Instance can’t reach internet | Missing IGW route or NAT GW | Check route table for 0.0.0.0/0 route |
| Cross-VPC traffic failing | Missing peering routes | Add routes in both VPC route tables |
| DNS not resolving | DNS support disabled | Enable enableDnsHostnames and enableDnsSupport |
| Subnet out of IPs | CIDR too small | Use larger CIDR or add secondary CIDR |
| NAT GW high cost | All traffic through NAT | Use VPC endpoints for S3/DynamoDB/ECR |
| SSH from peered VPC fails | Security group only allows IP | Reference SG ID across peered VPCs |
# Connectivity debugging checklist# 1. Check route tableaws ec2 describe-route-tables \ --filters Name=association.subnet-id,Values=subnet-12345 \ --query 'RouteTables[0].Routes' --output table
# 2. Check security groupsaws ec2 describe-security-groups \ --group-ids sg-12345 \ --query 'SecurityGroups[0].IpPermissions' --output table
# 3. Check NACLsaws ec2 describe-network-acls \ --filters Name=association.subnet-id,Values=subnet-12345 \ --query 'NetworkAcls[0].Entries' --output table11.13 Common Mistakes & Anti-Patterns
Section titled “11.13 Common Mistakes & Anti-Patterns” VPC Anti-Patterns+------------------------------------------------------------------+| || ❌ Mistake 1: Overlapping CIDRs || +----------------------------------------------------------+ || | Problem: VPCs with same IP range can't peer | || | Impact: Blocked connectivity, redesign required | || | Fix: Plan CIDR allocation centrally before creating | || +----------------------------------------------------------+ || || ❌ Mistake 2: All Traffic Through NAT Gateway || +----------------------------------------------------------+ || | Problem: S3, DynamoDB, ECR traffic via expensive NAT | || | Impact: $0.045/GB charges add up fast | || | Fix: Use Gateway endpoints (S3, DDB) and Interface eps | || +----------------------------------------------------------+ || || ❌ Mistake 3: Default Security Group in Use || +----------------------------------------------------------+ || | Problem: Default SG allows all internal traffic | || | Impact: No network segmentation between resources | || | Fix: Create purpose-specific SGs, never use default | || +----------------------------------------------------------+ || |+------------------------------------------------------------------+11.14 Interview Questions
Section titled “11.14 Interview Questions”Conceptual Questions
Section titled “Conceptual Questions”-
Q: Explain the difference between Security Groups and NACLs.
- A: Security Groups are stateful (return traffic auto-allowed), instance-level, allow-only rules. NACLs are stateless (need explicit inbound+outbound rules), subnet-level, support both allow and deny, processed in number order. Use SGs for primary security, NACLs as an additional subnet-level defense layer.
-
Q: How do VPC Endpoints reduce cost and improve security?
- A: Gateway endpoints (S3, DynamoDB) route traffic within AWS backbone, avoiding NAT Gateway charges ($0.045/GB). Interface endpoints (PrivateLink) create ENIs in your subnet with private IPs. Both eliminate internet traversal, use IAM policies for access control, and keep traffic within AWS.
Scenario-Based Questions
Section titled “Scenario-Based Questions”- Q: Design a VPC architecture for a company with 3 environments.
- A: Use separate VPCs per environment (dev: 10.0.0.0/16, staging: 10.1.0.0/16, prod: 10.2.0.0/16). Connect via Transit Gateway for shared services (DNS, monitoring). Each VPC has 3 public + 3 private subnets across 3 AZs. NAT Gateway per AZ in prod, shared NAT in dev/staging. VPC endpoints for S3/DynamoDB/ECR. Flow logs to centralized S3 bucket.
11.15 Exam Tips
Section titled “11.15 Exam Tips”
- VPC CIDR: Plan for growth, use /16 for flexibility
- Subnets: One subnet = One AZ
- Public Subnet: Route to Internet Gateway
- Private Subnet: Route to NAT Gateway for outbound
- Security Groups: Stateful, instance-level, allow only
- NACLs: Stateless, subnet-level, allow/deny, numbered order
- VPC Peering: No transitive, no overlapping CIDRs
- Gateway Endpoints: S3, DynamoDB (free)
- Interface Endpoints: PrivateLink, costs money
- Flow Logs: Capture network traffic metadata
Next Chapter
Section titled “Next Chapter”Chapter 12: AWS Direct Connect & VPN
Last Updated: March 2026