Episode 76: VPC Basics (Subnets, Route Tables, Gateways)
A Virtual Private Cloud, or VPC, is AWS’s way of giving customers their own logically isolated portion of the cloud. Within this environment, you control the addressing, routing, and access, much like you would in an on-premises data center. The importance of isolation cannot be overstated—without it, workloads would all sit on the same flat network, exposing them to unnecessary risk and interference. A VPC allows you to decide which resources can talk to the internet, which remain private, and how different tiers of your application connect. It’s essentially your private slice of AWS networking, providing both security and flexibility. By treating the VPC as the foundational blueprint for cloud architecture, you ensure workloads remain organized, secure, and scalable from day one.
When creating a VPC, you must select a CIDR block, which defines the IP address space available. This block, often something like 10.0.0.0/16, determines how many subnets and hosts you can create. It’s important to choose a range that won’t overlap with existing corporate networks, especially if hybrid connectivity is planned. Overlapping addresses complicate routing and can break communication between on-premises and cloud environments. IPv4 remains the default choice for most VPCs, but IPv6 is increasingly supported, offering vast address space and simplified connectivity models. While IPv4 requires conservation and careful planning, IPv6 virtually eliminates address exhaustion concerns. Understanding the basics of CIDR notation and address planning is the first step toward building a VPC that scales smoothly and integrates seamlessly with broader networks.
Availability Zones, or AZs, form another cornerstone of VPC design. Each Region contains multiple AZs, which are isolated data centers with independent power, networking, and cooling. By spreading resources across AZs, you protect against localized failures, achieving higher availability. Subnets, which are slices of your VPC’s IP range, map directly to individual AZs. This mapping enforces fault isolation, as a subnet cannot span multiple AZs. For example, you might place web servers in one subnet within AZ A, while database replicas reside in a subnet in AZ B. This design ensures that even if one AZ experiences an outage, the overall application remains resilient. Thinking in terms of AZs and subnets creates a network layout that is both logical and fault-tolerant.
Subnets themselves represent subdivisions of the VPC’s IP space, each dedicated to a specific purpose. Public subnets are designed for resources that need internet access, such as load balancers or bastion hosts, and they are connected to an Internet Gateway. Private subnets, by contrast, hold resources that should not be directly reachable from the internet, like databases or internal services. By separating workloads into different subnets, you enforce security and clarity: users reach the front end in the public subnet, while sensitive operations occur safely within private subnets. This segmentation mirrors the traditional practice of separating tiers in data centers, now implemented virtually in the cloud. Proper subnetting is one of the simplest but most powerful tools for achieving both security and performance in AWS networking.
Route tables define how traffic flows within and outside the VPC. Every subnet must be associated with a route table, which lists destinations and their corresponding targets. For example, the default route in a public subnet often points to an Internet Gateway, allowing outbound traffic. In a private subnet, that same default route may point to a NAT Gateway, enabling instances to reach the internet without being exposed to inbound connections. Route tables rely on lookup rules, selecting the most specific match, a principle known as longest-prefix match. This behavior ensures that traffic is routed accurately, even when overlapping rules exist. Understanding how to associate route tables with subnets and configure their targets is essential to making your VPC behave as intended.
An Internet Gateway, or IGW, provides the pathway between your VPC and the wider internet. Attaching an IGW to a VPC is what makes resources in a public subnet accessible to external users. However, merely attaching an IGW is not enough—you must also update route tables and configure security groups to allow inbound and outbound traffic. Without those steps, instances remain unreachable. The IGW represents the front door of your VPC, and like any front door, it should be managed carefully. While it enables necessary connectivity, it must be combined with firewalls, IAM controls, and monitoring to ensure only authorized traffic passes through. For public-facing applications, the IGW is indispensable, but it also requires thoughtful configuration to avoid unnecessary exposure.
For private subnets, which do not allow direct inbound internet traffic, a NAT Gateway provides outbound internet access. This enables instances in private subnets to download updates, reach APIs, or perform other outbound tasks without being directly accessible from the internet. NAT Gateways are managed services that scale automatically and are highly available within an AZ. For resilience, best practice is to deploy one NAT Gateway per AZ and configure route tables accordingly. For example, application servers in private subnets can fetch patches or contact external APIs through a NAT Gateway, but outside users cannot initiate connections back. This design preserves security while maintaining necessary functionality, demonstrating how AWS balances isolation with practical connectivity.
IPv6 introduces the concept of an egress-only Internet Gateway. Unlike a standard IGW, which supports inbound and outbound traffic, an egress-only IGW ensures outbound IPv6 connectivity without exposing resources to inbound connections. This mirrors the role of a NAT Gateway for IPv4 but is simpler because IPv6 addresses are globally routable. For instance, an analytics application using IPv6 could send data to an external endpoint without the risk of being directly reached from the internet. This model reflects AWS’s efforts to make IPv6 adoption practical and secure, ensuring parity with familiar IPv4 patterns. Understanding the distinctions between IGW, NAT Gateway, and egress-only IGW is crucial for mastering VPC design across both address families.
Every VPC has a local route, which allows all subnets within it to communicate by default. This means that instances in different subnets can reach each other unless security groups or network ACLs block them. Beyond this local route, AWS uses longest-prefix match to determine where traffic should flow. For example, if a route table contains both 0.0.0.0/0 and 10.0.1.0/24, traffic to 10.0.1.15 will follow the more specific route. This principle prevents ambiguity and ensures that routing decisions are deterministic. By combining local routes with explicit targets, VPCs provide flexible yet predictable network behavior. Learners should see this as AWS’s way of balancing simplicity with the ability to support complex architectures.
Elastic Network Interfaces, or ENIs, represent virtual network cards that can be attached to EC2 instances. Each ENI includes attributes like private IPs, public IPs, MAC addresses, and security group associations. ENIs allow for flexible networking scenarios, such as assigning multiple IP addresses to a single instance or moving a network interface between instances for failover. For example, a standby EC2 instance can assume the ENI of a failed instance, preserving its IP address and connections. This abstraction simplifies network management, making workloads more resilient and adaptable. ENIs act as building blocks, enabling advanced networking features without requiring changes to the underlying infrastructure.
DHCP option sets allow administrators to configure default behaviors for instances launched in a VPC. These options include DNS servers, domain names, and even NTP servers for time synchronization. By default, AWS provides its own DNS, but organizations can override settings to point to custom resolvers or internal domains. For example, an enterprise might direct all instances to use its corporate DNS to resolve internal hostnames. This feature provides subtle but important control, ensuring that networking within the VPC aligns with organizational standards. DHCP options exemplify how VPCs mimic traditional data center functionality while maintaining cloud flexibility.
VPC Endpoints provide private connections to AWS services without routing traffic through the public internet. There are two main types: gateway endpoints and interface endpoints. Gateway endpoints connect directly to services like S3 and DynamoDB, while interface endpoints use Elastic Network Interfaces to connect to other services through PrivateLink. For example, a private subnet can access S3 via a gateway endpoint without needing a NAT Gateway or IGW, saving cost and reducing exposure. Interface endpoints, meanwhile, allow private connectivity to services like SNS or API Gateway. These options extend the principle of least privilege into service connectivity, ensuring data never leaves the secure AWS backbone unnecessarily.
When starting with AWS, every account comes with a default VPC, preconfigured with subnets, an Internet Gateway, and route tables for immediate use. While convenient for learning or testing, production environments almost always require custom VPCs to meet specific networking and security needs. Custom VPCs allow control over IP ranges, subnet design, routing policies, and connectivity options. For example, a financial services firm might design a custom VPC to align with corporate IP addressing and compliance requirements. Understanding the differences between default and custom VPCs helps learners appreciate why enterprises rarely rely on defaults for critical workloads.
Finally, tagging and naming conventions are essential for maintaining order as environments grow. With dozens or hundreds of VPCs, subnets, and gateways, clear tags ensure resources can be identified, grouped, and managed effectively. Tags also support cost allocation, making it easier to assign expenses to teams or projects. For instance, tagging all resources by application or environment allows operations teams to distinguish production from development. Naming conventions prevent confusion and errors, such as mistakenly applying changes to the wrong subnet. Good hygiene through tagging and naming is not a technical necessity but an operational best practice that pays dividends in large, complex environments.
For more cyber related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.
Planning IP addressing is one of the earliest and most important steps in VPC design. It is tempting to assign ranges quickly, but poor planning can create long-term headaches, especially if hybrid connectivity to on-premises networks is anticipated. Overlapping address ranges break routing and force costly redesigns. For example, if your corporate network already uses 10.0.0.0/16 and you assign the same to a VPC, traffic between them will be ambiguous. Best practice is to allocate non-overlapping blocks and leave growth headroom, ensuring subnets can be expanded later. Thinking ahead about future services, mergers, or multi-Region expansions helps prevent conflicts and avoids painful rework.
Subnet sizing is another critical decision. Each subnet must balance address space efficiency with room for scaling. A /24 subnet provides 251 usable addresses, while a /26 offers only 59, conserving space but limiting growth. Small subnets may suffice for dedicated workloads, such as a bastion host tier, but application tiers often need more breathing room. For example, an auto scaling group for web servers could quickly outgrow a /26 during peak demand. At the same time, overly large subnets waste IP space that might be better allocated elsewhere. Careful sizing ensures subnets remain both efficient and practical, aligning address space with workload needs.
Routing in VPCs relies on defining targets that determine where traffic flows. Common targets include Internet Gateways for public internet access, NAT Gateways for private outbound internet, Transit Gateways for connecting multiple VPCs, and VPC Endpoints for private service connectivity. Each target plays a specific role: IGWs open doors to the internet, NAT Gateways act as controlled exits, Transit Gateways act as hubs, and endpoints avoid external paths altogether. For instance, a private application may use a NAT Gateway for software updates while using a gateway endpoint to reach S3 securely. These routing targets form the nervous system of the VPC, directing traffic efficiently and securely.
High availability requires spreading workloads across multiple Availability Zones, and subnets are the mechanism for achieving this. For each tier—such as web, application, and database—you should deploy subnets in at least two AZs. This ensures that if one AZ goes down, resources in another AZ continue to operate. Load balancers can distribute traffic across subnets, while databases replicate between them for resilience. For example, a multi-AZ architecture might place application servers in two subnets behind an Elastic Load Balancer, while RDS uses synchronous replication across AZs. Multi-AZ design transforms VPCs from simple networks into fault-tolerant environments prepared for real-world failures.
Administrative access to private subnets requires special planning. Traditionally, bastion hosts were used—small public instances that administrators log into before connecting to private servers. Today, AWS Systems Manager’s Session Manager offers a more secure alternative, allowing access without exposing public endpoints or managing SSH keys. For example, instead of opening a port on a bastion, administrators can initiate secure, auditable sessions directly through the AWS Console or CLI. This shift reduces attack surfaces and simplifies management, aligning operational practices with modern security standards. It reflects AWS’s broader trend of replacing manual constructs with managed, more secure alternatives.
Visibility into network activity is provided through VPC Flow Logs, which capture IP-level metadata for traffic at the VPC, subnet, or ENI level. These logs reveal which connections succeed, which are denied, and how traffic flows through the environment. For example, troubleshooting why an application server cannot reach an S3 endpoint becomes easier when flow logs confirm whether traffic left the subnet or was blocked by a security group. Flow logs can feed into CloudWatch Logs, S3, or third-party SIEM systems for further analysis. They transform the VPC from an opaque black box into a transparent system, enabling better troubleshooting, auditing, and security monitoring.
VPC Endpoints come in two main flavors—PrivateLink interface endpoints and gateway endpoints—and choosing between them requires understanding workloads. Gateway endpoints are ideal for high-volume, low-cost access to services like S3 and DynamoDB, avoiding NAT or internet routing. PrivateLink interface endpoints connect securely to other services through ENIs, useful when accessing AWS APIs or partner services privately. For example, a financial institution might use a gateway endpoint to access S3 for logs and a PrivateLink endpoint to securely connect to a partner’s fraud-detection service. Selecting the right type optimizes both cost and security while ensuring private, controlled communication paths.
AWS Reachability Analyzer provides a way to validate network paths within VPCs. Instead of relying on guesswork or manual packet testing, this tool checks whether a connection between two endpoints is possible given the current security groups, NACLs, and route tables. For instance, if a developer cannot connect an application server to a database, Reachability Analyzer can identify whether the issue lies in the route, subnet placement, or security configuration. This proactive validation saves time and reduces outages caused by misconfigured paths. It reinforces the lesson that even with flexible cloud networking, verification tools remain essential.
Hybrid architectures extend VPCs into on-premises networks, often through Transit Gateway attachments, VPN tunnels, or Direct Connect links. Designing VPC layouts with placeholders for these connections ensures smoother future integration. For example, allocating non-overlapping IP ranges and reserving subnets for hybrid gateways prevents conflicts later. Hybrid readiness reflects the reality that few organizations move entirely to the cloud at once. By planning with hybrid in mind, architects ensure their VPCs can grow into broader enterprise networks without costly redesigns.
Soft limits and quotas are another operational consideration. VPCs, subnets, and NAT Gateways all have default limits, which may need raising in large environments. For instance, a Region may initially limit you to five VPCs or 200 subnets, insufficient for large deployments. Tracking these constraints early prevents unexpected roadblocks mid-project. AWS Service Quotas provides visibility and management for these limits, turning them from hidden pitfalls into predictable planning factors. By acknowledging quotas as part of design, teams prevent scale from colliding with administrative ceilings.
Guardrails help enforce consistent, secure VPC usage across organizations. Service Control Policies in AWS Organizations can block risky configurations, such as creating VPCs with public-facing subnets. AWS Config rules can enforce compliance, such as ensuring all VPCs must have Flow Logs enabled or that no security group allows unrestricted SSH access. These automated checks reduce reliance on manual oversight, embedding best practices into infrastructure governance. For example, a company might use Config to prevent developers from accidentally leaving a database subnet without encryption enabled. Guardrails make governance continuous rather than reactive.
Documented reference architectures provide blueprints for common application types, reducing trial and error. For example, AWS offers reference designs for three-tier web applications, hybrid connectivity, and analytics pipelines. These patterns illustrate how to structure subnets, route tables, and gateways for specific use cases, saving time and ensuring alignment with best practices. Leveraging reference architectures is like using an architectural plan when constructing a building—it ensures safety, efficiency, and consistency while leaving room for customization. For learners, studying these patterns builds intuition about how networking pieces fit together.
Common pitfalls in VPCs often stem from misconfigured routes or missing components. Forgetting to add a route to the IGW leaves public instances unreachable. Placing resources in the wrong AZ can break redundancy. Omitting a NAT Gateway can strand private subnets without internet access. These mistakes highlight the importance of verifying connectivity at each layer: subnets, routes, gateways, and security groups. By learning from these pitfalls, administrators can avoid hours of troubleshooting and design their VPCs more reliably from the outset.
Cost management is another consideration. NAT Gateways, while essential for private subnet connectivity, can become expensive in data-transfer-heavy environments. Endpoints also carry hourly and data costs, which can add up if deployed excessively. Even IP addresses have costs in some contexts, such as Elastic IPs not attached to running instances. For example, overusing NAT Gateways for high-throughput data transfers to S3 could lead to unnecessary charges when a gateway endpoint would be cheaper. Cost awareness ensures networking choices remain efficient not only technically but financially.
From an exam perspective, VPC questions often test your ability to map requirements to the correct subnet and routing target. If the scenario involves public internet access, the answer is an Internet Gateway. For private outbound access, a NAT Gateway or egress-only IGW applies. When the question highlights hybrid or private connectivity, Transit Gateways or VPC Endpoints are the right choice. Recognizing these mappings is less about memorization and more about matching connectivity needs with AWS’s networking building blocks. This skill is equally valuable in real-world design, ensuring solutions remain functional and secure.
In conclusion, mastering VPC design begins with careful IP planning, structured subnetting, and clear routing. High availability comes from multi-AZ layouts, while tools like Flow Logs and Reachability Analyzer provide visibility and validation. Security is enforced through private access, guardrails, and endpoint design, while cost awareness ensures efficiency. By avoiding pitfalls and applying best practices, VPCs become reliable foundations for cloud architectures. Whether for exam preparation or production design, the principles remain the same: plan deliberately, separate tiers, wire routes clearly, and always verify paths.
