VPC Networking for Developers

Learn Amazon VPC networking from a developer's perspective. This guide explains VPC architecture, subnets, route tables, internet gateways, NAT gateways, security groups, NACLs, VPC endpoints, and how Spring Boot applications communicate securely inside AWS.

Introduction

When developers deploy applications to AWS, they often focus on services such as:

EC2
ECS
EKS
Lambda
RDS
S3

However, all of these services run inside a network.

That network is called the Amazon Virtual Private Cloud (VPC).

Understanding VPC networking is essential because almost every production issue eventually involves networking, including:

Application cannot connect to the database
EC2 cannot access the internet
ECS cannot reach Amazon S3
Lambda cannot connect to Aurora
Security Group blocks traffic
Route Table misconfiguration
DNS resolution failures

This article explains Amazon VPC from a developer's perspective, focusing on how Spring Boot applications communicate securely within AWS.

Learning Objectives

After completing this article, you will understand:

What is Amazon VPC?
Public vs Private Subnets
CIDR Blocks
Internet Gateway
NAT Gateway
Route Tables
Security Groups
Network ACLs
VPC Endpoints
Elastic Network Interfaces (ENI)
DNS in AWS
Spring Boot Networking
Production Best Practices

What is Amazon VPC?

Amazon VPC (Virtual Private Cloud) is a logically isolated virtual network inside AWS.

It allows you to define:

IP address range
Subnets
Routing
Firewalls
Internet access
Private networking

Think of a VPC as your own private data center in AWS.

Why VPC?

Without a VPC:

Resources share public networking
Less control over security
Limited isolation

With a VPC:

Private networking
Fine-grained security
Controlled internet access
Isolated workloads

High-Level VPC Architecture

flowchart TD
    Internet

    InternetGateway

    PublicSubnet

    PrivateSubnet

    EC2

    RDS

    Internet --> InternetGateway
    InternetGateway --> PublicSubnet
    PublicSubnet --> EC2
    EC2 --> PrivateSubnet
    PrivateSubnet --> RDS

VPC Components

Component	Purpose
VPC	Virtual Network
Subnet	Network Segment
Route Table	Traffic Routing
Internet Gateway	Public Internet Access
NAT Gateway	Outbound Internet for Private Resources
Security Group	Instance Firewall
Network ACL	Subnet Firewall
ENI	Network Interface
VPC Endpoint	Private AWS Service Access

CIDR Block

Every VPC starts with a CIDR block.

Example:

10.0.0.0/16

This provides:

65,536 private IP addresses.

Example Network

VPC

10.0.0.0/16

↓

Public Subnet

10.0.1.0/24

↓

Private Subnet

10.0.2.0/24

Public Subnet

A subnet that has access to the internet.

Typical resources:

Bastion Host
NAT Gateway
Load Balancer

Private Subnet

No direct internet access.

Typical resources:

Spring Boot
ECS Tasks
EKS Pods
Aurora
Redis
Neptune

Public vs Private

Public	Private
Internet Access	No Direct Internet
Load Balancer	Spring Boot
NAT Gateway	Database
Bastion Host	Redis

Enterprise Architecture

flowchart TD

Internet

ALB

SpringBoot

Redis

Aurora

Internet --> ALB
ALB --> SpringBoot
SpringBoot --> Redis
SpringBoot --> Aurora

Internet Gateway

Internet Gateway (IGW) allows resources inside public subnets to communicate with the internet.

Flow:

Browser

↓

Internet Gateway

↓

Public EC2

NAT Gateway

Private servers sometimes need internet access.

Examples:

Download dependencies
OS updates
Docker images

Instead of exposing them publicly:

Use a NAT Gateway.

NAT Architecture

flowchart LR

PrivateEC2

NATGateway

InternetGateway

Internet

PrivateEC2 --> NATGateway
NATGateway --> InternetGateway
InternetGateway --> Internet

Route Tables

Route tables define where traffic should go.

Example:

Destination	Target
10.0.0.0/16	Local
0.0.0.0/0	Internet Gateway

Public Route Table

Destination

0.0.0.0/0

↓

Internet Gateway

Private Route Table

Destination

0.0.0.0/0

↓

NAT Gateway

Security Groups

Security Groups are virtual firewalls.

Rules are stateful.

Example:

Allow

HTTP

80

Allow

HTTPS

443

Allow

SSH

22

Only from your IP.

Security Group Example

Spring Boot

Allow:

From:

Application Load Balancer

Only.

RDS Security Group

Allow:

Only from:

Spring Boot Security Group.

Never expose the database publicly.

Security Group Flow

flowchart LR

ALB

SpringBoot

Aurora

ALB --> SpringBoot
SpringBoot --> Aurora

Network ACL

NACL works at subnet level.

Unlike Security Groups:

Stateless
Allow rules
Deny rules

Used for additional network protection.

Security Group vs NACL

Security Group	NACL
Stateful	Stateless
Instance Level	Subnet Level
Allow Only	Allow & Deny

Elastic Network Interface

Every EC2 instance has an ENI.

Contains:

Private IP
Public IP
Security Groups
MAC Address

DNS Resolution

AWS automatically provides DNS.

Example:

mydb.cluster-abc123.us-east-1.rds.amazonaws.com

Spring Boot connects using DNS rather than IP addresses.

Spring Boot Networking

Typical flow:

flowchart LR

Browser

ALB

SpringBoot

Aurora

Browser --> ALB
ALB --> SpringBoot
SpringBoot --> Aurora

VPC Endpoint

Instead of sending traffic through the internet:

Use VPC Endpoints.

Examples:

Amazon S3
DynamoDB
Secrets Manager
SQS
SNS

Traffic stays inside AWS.

VPC Endpoint Architecture

flowchart LR

SpringBoot

VPCEndpoint

S3

SpringBoot --> VPCEndpoint
VPCEndpoint --> S3

Multi-AZ Networking

Deploy resources across multiple Availability Zones.

Benefits:

High Availability
Fault Tolerance
Disaster Recovery

Production Architecture

flowchart TD

Internet

ALB

SpringBootAZ1

SpringBootAZ2

AuroraMultiAZ

Internet --> ALB
ALB --> SpringBootAZ1
ALB --> SpringBootAZ2
SpringBootAZ1 --> AuroraMultiAZ
SpringBootAZ2 --> AuroraMultiAZ

Common Networking Issues

Cannot Connect to Database

Check:

Security Group
Route Table
Database Endpoint

Timeout

Check:

NACL
Security Group
Private/Public Subnet

DNS Failure

Verify:

VPC DNS Resolution
Route 53
Endpoint configuration

No Internet Access

Check:

Internet Gateway
NAT Gateway
Route Table

Best Practices

Keep databases in private subnets
Place ALB in public subnets
Use Security Groups instead of open access
Never allow SSH from 0.0.0.0/0
Enable VPC Flow Logs
Use NAT Gateway for outbound internet
Use VPC Endpoints for AWS services
Enable Multi-AZ deployments
Separate public and private resources
Monitor networking with CloudWatch

Developer Checklist

Before deploying a Spring Boot application:

VPC created
Public subnet configured
Private subnet configured
Internet Gateway attached
NAT Gateway configured
Route tables associated
Security Groups created
Database in private subnet
ALB in public subnet
Spring Boot in private subnet
VPC Endpoints configured (if required)

Interview Questions

What is Amazon VPC?

A logically isolated virtual network where AWS resources are deployed securely.

Difference between Public and Private Subnet?

A public subnet has a route to an Internet Gateway. A private subnet does not.

What is a NAT Gateway?

A managed service that enables outbound internet access for resources in private subnets without exposing them directly to the internet.

Difference between Security Group and Network ACL?

Security Groups are stateful and applied to instances. Network ACLs are stateless and applied to subnets.

Why should databases be in private subnets?

To prevent direct internet access and improve security.

What is a VPC Endpoint?

A private network connection that allows resources inside a VPC to access AWS services without traversing the public internet.

Summary

In this article, we explored Amazon VPC networking from a developer's perspective.

We covered:

Amazon VPC fundamentals
CIDR blocks
Public and private subnets
Internet Gateway
NAT Gateway
Route Tables
Security Groups
Network ACLs
VPC Endpoints
Spring Boot networking
Production architectures
Best practices

Understanding VPC networking is one of the most valuable skills for Java developers and solution architects because almost every AWS service relies on secure and well-designed network communication.

Loading likes...

Comments

Share a question, correction, or practical insight about this article.

Loading approved comments...