AWS VPC
What is Amazon VPC?
Amazon Virtual Private Cloud (VPC) is the foundational networking service on AWS—an isolated virtual network where you launch AWS resources such as EC2, RDS, EKS, and Lambda (when configured in VPC). VPC gives you control over IP addressing, subnets, routing, connectivity, and security boundaries.
This post summarizes modern VPC capabilities, recommended architectures, practical examples (AWS CLI and Terraform), security and monitoring guidance, and a concise top‑20 FAQ for architects.
Core components
- Subnets: logical CIDR subdivisions within a VPC (public, private, or isolated).
- Route tables: determine how traffic flows between subnets, gateways, and peered networks.
- Internet Gateway (IGW): provides internet access for public subnets.
- NAT Gateway / NAT instance: allows private IPv4 resources to initiate outbound internet connections.
- Elastic IPs (EIP): static public IPs for NAT/IGW.
- Security Groups: stateful virtual firewalls attached to ENIs.
- Network ACLs (NACLs): stateless subnet‑level packet filters evaluated in order.
- VPC Endpoints (Interface & Gateway): privately connect to AWS services without Internet.
- VPC Peering / Transit Gateway: connect VPCs (peering for few VPCs; Transit Gateway for large, multi‑account topologies).
- VPN / Direct Connect: hybrid connectivity to on‑prem networks.
- Flow Logs: capture network traffic metadata to CloudWatch or S3 for analysis.
Design patterns and common architectures
- Public + Private multi‑AZ: public subnets for load balancers/NAT, private subnets for application/data tiers across AZs.
- Bastion / Session Manager: prefer AWS Systems Manager Session Manager over bastion hosts to avoid open SSH ports.
- Centralized services VPC: host shared services (NAT, logging, security tools) and share via Transit Gateway or VPC Peering.
- Multi‑account networking: use AWS Transit Gateway + Resource Access Manager (RAM) to scale hub‑and‑spoke networks.
- Private S3/DynamoDB access: use Gateway endpoints for S3/DynamoDB; use Interface endpoints (PrivateLink) for other services and SaaS integrations.
Example 1 — quick AWS CLI: create VPC, subnet, IGW, and route

```bash
# create VPC
VPC_ID=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query 'Vpc.VpcId' --output text)
aws ec2 create-tags --resources "$VPC_ID" --tags Key=Name,Value=razorops-vpc

# create public subnet
SUBNET_ID=$(aws ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block 10.0.1.0/24 --availability-zone us-east-1a --query 'Subnet.SubnetId' --output text)
# instances launched here get a public IPv4 address (needed for a truly "public" subnet)
aws ec2 modify-subnet-attribute --subnet-id "$SUBNET_ID" --map-public-ip-on-launch

# internet gateway + attach
IGW_ID=$(aws ec2 create-internet-gateway --query 'InternetGateway.InternetGatewayId' --output text)
aws ec2 attach-internet-gateway --internet-gateway-id "$IGW_ID" --vpc-id "$VPC_ID"

# create route table + default route to the IGW, then associate it with the subnet
RTB_ID=$(aws ec2 create-route-table --vpc-id "$VPC_ID" --query 'RouteTable.RouteTableId' --output text)
aws ec2 create-route --route-table-id "$RTB_ID" --destination-cidr-block 0.0.0.0/0 --gateway-id "$IGW_ID"
aws ec2 associate-route-table --route-table-id "$RTB_ID" --subnet-id "$SUBNET_ID"
```
Example 2 — minimal Terraform (VPC + two subnets + NAT Gateway)

```hcl
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
  tags                 = { Name = "razorops-vpc" }
}

resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true
  availability_zone       = "us-east-1a"
}

resource "aws_subnet" "private" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.2.0/24"
  availability_zone = "us-east-1a"
}

# A public NAT Gateway requires an Internet Gateway attached to the VPC.
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

# `vpc = true` is the deprecated form; `domain = "vpc"` is the current argument.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "natgw" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public.id
  depends_on    = [aws_internet_gateway.igw]
}

# Private subnet sends its default route through the NAT Gateway (outbound only).
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.natgw.id
  }
}

resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}
```
Security: groups, NACLs, and best practices
- Principle of least privilege: restrict Security Group egress/ingress to required ports and CIDRs; prefer security groups over NACLs for host‑level controls.
- Avoid wide 0.0.0.0/0 security group openings; for management-plane access, use Session Manager or tightly restricted bastions.
- Use NACLs only for coarse, stateless controls or DoS mitigation; remember ordering matters.
- Isolate workloads by using separate subnets and security boundaries per environment (prod/stage/dev) or account.
- Use AWS Network Firewall or third‑party appliances (via Gateway Load Balancer) for centralized inspection when needed.
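The least-privilege guidance above is easiest to enforce when it is checked continuously. The following is an added example (not code from the original post or from Razorops): it audits the JSON that `aws ec2 describe-security-groups --output json` returns and reports ingress rules that expose administrative or database ports, or all traffic, to `0.0.0.0/0` or `::/0`. The sample document and the `SENSITIVE_PORTS` table are constructed assumptions; extend the table to match your own environment.

```python
"""Audit security group ingress rules for overly broad openings.

Operates on the JSON shape returned by `aws ec2 describe-security-groups`
(SecurityGroups -> IpPermissions). The sample below is constructed data,
not output from a real account.
"""
import json
import sys

# Ports where an ingress rule from anywhere is almost never intended (assumed list).
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 6379: "redis"}
ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Constructed sample of describe-security-groups output.
SAMPLE = json.dumps({
    "SecurityGroups": [
        {
            "GroupId": "sg-0example1",
            "GroupName": "web",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
                {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                 "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            ],
        },
        {
            "GroupId": "sg-0example2",
            "GroupName": "db",
            "IpPermissions": [
                {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                 "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []},
                # Protocol -1 means all protocols/ports; no FromPort/ToPort keys are present.
                {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
            ],
        },
    ]
})


def _port_range(perm):
    """Return the (from, to) port range a permission covers."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def _open_to_world(perm):
    """True if any IPv4 or IPv6 range in the rule is the whole internet."""
    v4 = any(r.get("CidrIp") == ANY_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == ANY_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def audit_security_groups(describe_json):
    """Return (group_id, port, message) findings for world-open sensitive rules."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not _open_to_world(perm):
                continue
            if perm.get("IpProtocol") == "-1":
                findings.append((sg["GroupId"], "all", "all-traffic ingress from anywhere"))
                continue
            lo, hi = _port_range(perm)
            for port, name in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    findings.append((sg["GroupId"], port, f"{name} open to the world"))
    return findings


if __name__ == "__main__":
    # Pipe real output in (`aws ec2 describe-security-groups --output json | python3 audit.py`)
    # or run without input to audit the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for group_id, port, msg in audit_security_groups(data):
        print(f"{group_id}\tport={port}\t{msg}")
```

Port 443 open to the world on the web group is deliberately not reported: the check targets ports that should only ever be reached through Session Manager, a bastion, or from inside the VPC, so the findings stay actionable rather than noisy.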
Observability and incident response
- Enable VPC Flow Logs (to CloudWatch Logs or S3) for traffic analysis and forensic investigations.
- Integrate with AWS GuardDuty and Security Hub for threat detection and alerts.
- Use VPC Reachability Analyzer to validate routing and connectivity between resources.
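Flow Logs are only useful for investigation if someone parses them. As an added example (not from the original post), the script below reads records in the default flow-log format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), skips NODATA/SKIPDATA records, and summarizes which external sources were rejected on which destination ports, flagging any source that touched several distinct ports. The log lines and the `min_ports` threshold are constructed assumptions.

```python
"""Summarize VPC Flow Logs (default record format) for rejected traffic.

Field order below is the default format of a VPC flow-log record.
The sample lines are constructed and do not come from a real account.
"""
from collections import defaultdict
from dataclasses import dataclass

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample: three rejected probes from one source, normal traffic, one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.10 10.0.1.5 51515 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.10 10.0.1.5 51516 3389 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 203.0.113.10 10.0.1.5 51517 445 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.7 10.0.1.5 40000 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 10.0.2.9 10.0.1.5 40001 5432 6 10 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f 198.51.100.7 10.0.1.5 40002 8080 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    bytes: int
    action: str


def parse_flow_logs(text):
    """Parse default-format records; drop malformed lines and non-OK log-status records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry "-" instead of addresses and ports
        records.append(FlowRecord(
            interface_id=rec["interface_id"],
            srcaddr=rec["srcaddr"],
            dstaddr=rec["dstaddr"],
            srcport=int(rec["srcport"]),
            dstport=int(rec["dstport"]),
            protocol=int(rec["protocol"]),
            packets=int(rec["packets"]),
            bytes=int(rec["bytes"]),
            action=rec["action"],
        ))
    return records


def rejected_by_source(records):
    """Map each source address to the sorted distinct destination ports it was rejected on."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[r.srcaddr].add(r.dstport)
    return {src: sorted(p) for src, p in ports.items()}


def sources_sweeping_ports(records, min_ports=3):
    """Sources whose rejected flows hit at least min_ports distinct ports (assumed threshold)."""
    return sorted(src for src, p in rejected_by_source(records).items() if len(p) >= min_ports)


if __name__ == "__main__":
    recs = parse_flow_logs(SAMPLE_LOG)
    for src, ports in rejected_by_source(recs).items():
        print(f"{src}: rejected on ports {ports}")
    print("sources to review:", sources_sweeping_ports(recs))
```

In production this logic belongs in a CloudWatch Logs Insights query or an Athena table over the S3 bucket rather than a script, but the field handling (notably skipping NODATA records before converting numeric fields) is the same.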
Cost considerations
- NAT Gateway is charged per hour and per GB processed—consider using a NAT Gateway per AZ for HA and weigh costs vs. a centralized egress VPC.
- Interface endpoints incur hourly and data processing costs; Gateway endpoints for S3/DynamoDB are free (data transfer still applies).
Migration and hybrid connectivity
- For stable, high‑bandwidth hybrid links use AWS Direct Connect (with Private VIF) to your Transit Gateway or VGW.
- Start with VPN Site‑to‑Site for proof‑of‑concept and migrate to Direct Connect as throughput and SLAs demand.
Top 20 AWS Solutions Architect — VPC & Networking FAQ (brief answers)
- Q: What is a VPC? — An isolated virtual network in AWS where you launch resources.
- Q: Public vs Private subnet? — Public subnets have routes to an IGW; private subnets do not.
- Q: When to use NAT Gateway vs NAT instance? — Use NAT Gateway for managed HA and scale; NAT instance only for custom packet inspection or legacy reasons.
- Q: What is Transit Gateway? — AWS hub for connecting many VPCs and on‑prem networks at scale.
- Q: How to access S3 privately from VPC? — Use an S3 Gateway Endpoint (no internet required).
- Q: Security Group vs NACL? — Security Groups are stateful, instance‑level; NACLs are stateless, subnet‑level.
- Q: How to connect VPCs across regions/accounts? — Use VPC Peering (pairwise) or Transit Gateway (large scale); or use AWS PrivateLink for service endpoints.
- Q: Are VPC endpoints free? — Interface endpoints and data processing have costs; Gateway endpoints for S3/DynamoDB are free (check current pricing).
- Q: How to restrict internet egress? — Use route tables, NAT gateways, and egress‑only gateways for IPv6; apply security group and firewall rules.
- Q: How to log VPC traffic? — Enable VPC Flow Logs to CloudWatch or S3.
- Q: How to secure management access? — Use AWS Systems Manager Session Manager or jump hosts with restricted security groups.
- Q: How to achieve high availability for networking? — Place resources across multiple AZs and use AZ‑localized NAT Gateways and subnets.
- Q: How to handle DNS inside VPC? — Use Route 53 Private Hosted Zones and enable DNS hostnames/resolution on the VPC.
- Q: How to handle IP addressing at scale? — Plan CIDR allocations per account and region; use AWS RAM and Transit Gateway to avoid overlaps.
- Q: What is AWS PrivateLink? — Private connectivity to services via interface endpoints (ENIs) inside your VPC.
- Q: How to test network reachability? — Use VPC Reachability Analyzer and traceroute from reachable hosts.
- Q: How to secure cross‑account events/traffic? — Use resource policies, IAM roles, and Transit Gateway policies where applicable.
- Q: How to reduce egress costs? — Use Gateway endpoints for S3, avoid unnecessary cross‑AZ/region transfers, and consolidate egress.
- Q: How to scale network inspection? — Use Gateway Load Balancer with inspection appliances or AWS Network Firewall.
- Q: When not to use VPC peering? — Avoid peering for many VPCs; use Transit Gateway for mesh scaling and easier central management.
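The FAQ answer on IP addressing at scale is worth making concrete, because an overlapping CIDR is only discovered when a peering connection or Transit Gateway attachment fails to route. The following added example (not part of the original post) checks a constructed allocation table for overlaps with the standard library `ipaddress` module and finds the next unused block in a supernet; the plan entries, supernet and prefix length are assumptions for illustration.

```python
"""Check a CIDR plan for overlaps before peering VPCs or attaching them to a Transit Gateway.

The allocation table is constructed for this example.
"""
import ipaddress
from itertools import combinations

# Constructed plan: (environment or account, region, VPC CIDR)
PLAN = [
    ("prod", "us-east-1", "10.0.0.0/16"),
    ("prod", "eu-west-1", "10.1.0.0/16"),
    ("stage", "us-east-1", "10.2.0.0/16"),
    ("dev", "us-east-1", "10.0.128.0/17"),   # planning mistake: lies inside prod/us-east-1
    ("shared-services", "us-east-1", "10.255.0.0/16"),
]


def find_overlaps(plan):
    """Return pairs of entries whose CIDRs overlap; routing between them would be ambiguous."""
    nets = [(name, region, ipaddress.ip_network(cidr, strict=True)) for name, region, cidr in plan]
    overlaps = []
    for (n1, r1, a), (n2, r2, b) in combinations(nets, 2):
        if a.overlaps(b):
            overlaps.append(((n1, r1, str(a)), (n2, r2, str(b))))
    return overlaps


def next_free_block(plan, supernet="10.0.0.0/8", prefix=16):
    """First /prefix block inside supernet that overlaps nothing already allocated."""
    used = [ipaddress.ip_network(c) for _, _, c in plan]
    for candidate in ipaddress.ip_network(supernet).subnets(new_prefix=prefix):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for (n1, r1, a), (n2, r2, b) in find_overlaps(PLAN):
        print(f"OVERLAP: {n1}/{r1} {a} <-> {n2}/{r2} {b}")
    print("next free /16:", next_free_block(PLAN))
```

Run this against the allocation register (or against `describe-vpcs` output across accounts) before handing a CIDR to a new account; `strict=True` also rejects entries such as `10.0.1.0/16` whose host bits are set, which usually indicates a typo in the register.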