
AWS | 2026-06-17

AWS VPC Overview

Master AWS VPC concepts with visual diagrams covering subnets, NAT, VPN, route tables, security groups, NACLs, and VPC endpoints. Complete guide with data flows and architecture patterns.

Q1: What is a VPC in AWS?

graph TB
    AWS[AWS Cloud] --> Region[AWS Region<br/>us-east-1]
    
    Region --> VPC1[VPC 1<br/>10.0.0.0 Slash 16]
    Region --> VPC2[VPC 2<br/>172.16.0.0 Slash 16]
    
    VPC1 --> AZ1[Availability Zone 1a]
    VPC1 --> AZ2[Availability Zone 1b]
    VPC1 --> AZ3[Availability Zone 1c]
    
    AZ1 --> Sub1[Subnet 1<br/>10.0.1.0 Slash 24]
    AZ2 --> Sub2[Subnet 2<br/>10.0.2.0 Slash 24]
    AZ3 --> Sub3[Subnet 3<br/>10.0.3.0 Slash 24]
    
    style VPC1 fill:#FF9900
    style Region fill:#232F3E

VPC Fundamentals:

  • Virtual Private Cloud is a logically isolated virtual network dedicated to your AWS account
  • Spans multiple Availability Zones within a single AWS Region for high availability
  • You control the IP address range, subnets, route tables, and network gateways
  • Provides complete control over network configuration and security
  • Multiple VPCs can exist in the same region; give them non-overlapping CIDR blocks (/16 to /28) so they can later be peered or connected to on-premises networks
  • Resources like EC2, RDS, and Lambda can be launched into VPC subnets
  • A default VPC is created automatically, but its subnets are public with auto-assigned public IPs, so custom VPCs are recommended for production
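The address plan from Q1 carried into code, as an added example that is not from the original article: Python's standard ipaddress module allocates one public and one private /24 per AZ out of the 10.0.0.0/16 VPC (numbering from 10.0.0.0/24 upward), reports the addresses actually usable after the five AWS reserves in every subnet, and checks that two VPC CIDRs do not overlap, since overlapping VPCs cannot be peered. The AZ names and the second VPC CIDR follow the diagram; the helper names are the example's own.

```python
"""Plan a VPC's subnets and check the address space, using only the standard library.

Added example (not code from the original article). The CIDRs and AZ names
follow the Q1 diagram; AWS_RESERVED_PER_SUBNET encodes the five addresses AWS
reserves in every subnet (network, VPC router, DNS, one spare, broadcast).
"""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, azs, new_prefix=24):
    """Carve one public and one private subnet per AZ out of vpc_cidr.

    Returns {az: {"public": network, "private": network}}. Subnets are taken
    in order from the VPC block, so they can never overlap each other.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    if not 16 <= vpc.prefixlen <= 28:          # AWS limit for a VPC CIDR block
        raise ValueError(f"VPC CIDR must be /16 to /28, got /{vpc.prefixlen}")
    pool = vpc.subnets(new_prefix=new_prefix)  # generator of subnets in address order
    return {az: {"public": next(pool), "private": next(pool)} for az in azs}


def usable_hosts(subnet):
    """Addresses actually available to instances after AWS's reservations."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def overlapping_vpcs(vpc_cidrs):
    """Return pairs of VPC CIDRs that overlap. Overlapping VPCs cannot be peered,
    and an on-premises range that overlaps a VPC cannot be routed over VPN."""
    nets = [ipaddress.ip_network(c) for c in vpc_cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b", "us-east-1c"])
    for az, nets in plan.items():
        for tier, net in nets.items():
            print(f"{az} {tier:8} {net}  usable={usable_hosts(net)}")
    print("overlaps:", overlapping_vpcs(["10.0.0.0/16", "172.16.0.0/16"]))
```

Run it before creating anything: a /24 yields 251 usable addresses, not 254, and the overlap check is the test to run against every VPC and on-premises range you ever intend to connect to this one.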

Q2: VPC Components

graph TB
    VPC[VPC<br/>Virtual Private Cloud] --> IGW[Internet Gateway<br/>Public Internet Access]
    VPC --> Subnets[Subnets<br/>Public & Private]
    VPC --> RT[Route Tables<br/>Traffic Routing]
    VPC --> NACL[NACLs<br/>Subnet-level Firewall]
    VPC --> SG[Security Groups<br/>Instance-level Firewall]
    VPC --> NAT[NAT Gateway<br/>Private to Internet]
    VPC --> VPN[VPN Gateway<br/>On-premise Connection]
    VPC --> Endpoints[VPC Endpoints<br/>Private AWS Services]
    
    style VPC fill:#FF9900

Core Components:

  • Internet Gateway: Enables communication between the VPC and the internet (horizontally scaled, redundant, highly available); only instances with a public or Elastic IP can use it
  • Subnets: Segment the VPC into smaller networks, each confined to a single Availability Zone
  • Route Tables: Define rules for routing traffic between subnets, to gateways, and to endpoints
  • NACLs: Stateless firewall at subnet level with numbered allow and deny rules
  • Security Groups: Stateful firewall at instance (ENI) level with allow rules only
  • NAT Gateway: Lets private subnet instances initiate outbound connections to the internet; unsolicited inbound connections are dropped
  • VPN Gateway: Connects an on-premises network to the VPC over IPsec tunnels across the public internet
  • VPC Endpoints: Private connection to AWS services without an Internet Gateway or NAT

Q3: Public vs Private Subnets

graph TB
    Internet[Internet] --> IGW[Internet Gateway]
    
    IGW --> VPC[VPC: 10.0.0.0 Slash 16]
    
    VPC --> Public[Public Subnet<br/>10.0.1.0 Slash 24]
    VPC --> Private[Private Subnet<br/>10.0.2.0 Slash 24]
    
    Public --> Web[Web Servers<br/>EC2 Instances]
    Private --> App[App Servers<br/>EC2 Instances]
    Private --> DB[Database Servers<br/>RDS]
    
    Private --> NAT[NAT Gateway<br/>in Public Subnet]
    NAT --> IGW
    
    style Public fill:#4CAF50
    style Private fill:#FF9800

Subnet Types:

  • Public Subnet: Its route table has a 0.0.0.0/0 route to the Internet Gateway; instances also need a public or Elastic IP (auto-assigned or attached) to be reachable
  • Used for internet-facing resources like load balancers, bastion hosts, NAT Gateways, and web servers
  • Private Subnet: No route to the Internet Gateway, instances have private IPs only and cannot be reached from the internet
  • Used for internal resources like application servers, databases, cache layers
  • Private instances reach the internet (package updates, external APIs) via a NAT Gateway in a public subnet
  • Best practice: Multi-tier architecture with web in public, app/DB in private
  • Each subnet exists in a single AZ; create subnets in multiple AZs for high availability
  • NAT Gateway must sit in a public subnet (one whose route table reaches the IGW) to provide internet access for private subnets

Q4: NAT Gateway Flow

sequenceDiagram
    participant PS as Private Subnet<br/>App Server
    participant NAT as NAT Gateway<br/>Public Subnet
    participant IGW as Internet Gateway
    participant Internet
    
    Note over PS: Need to download patches
    PS->>NAT: Outbound request<br/>Source: 10.0.2.10
    NAT->>NAT: Translate to Elastic IP<br/>54.123.45.67
    NAT->>IGW: Forward request
    IGW->>Internet: Route to destination
    
    Internet->>IGW: Response
    IGW->>NAT: Forward response
    NAT->>NAT: Translate back to<br/>10.0.2.10
    NAT->>PS: Deliver response
    
    Note over Internet,PS: Inbound connections blocked

NAT Gateway Characteristics:

  • Enables private subnet instances to initiate outbound connections to the internet
  • Translates the private source IP (and source port) to the gateway's public Elastic IP for outbound traffic
  • Drops unsolicited inbound connections from the internet; only replies to flows initiated from inside are forwarded back
  • Managed service: AWS handles availability within its AZ, bandwidth scaling, and maintenance
  • Must be created in a public subnet with an Elastic IP address
  • Update the private subnet route table to send 0.0.0.0/0 to the NAT Gateway
  • Use one NAT Gateway per AZ for high availability (a NAT Gateway lives in a single AZ; hourly and per-GB data processing charges apply per gateway)
  • Alternative: NAT Instance (EC2) is cheaper but you patch and scale it yourself and must disable its source/destination check
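The exchange in the sequence diagram, as an added example that is not AWS's own code: a small Python model of the NAT gateway data path with source NAT to the Elastic IP, one translation-table entry per flow, and the drop of any inbound packet that no private host asked for. The Elastic IP is the one from the diagram; the remote hosts, ports and class names are the example's own (remote addresses use documentation ranges).

```python
"""Model of the NAT gateway data path from the Q4 sequence diagram.

Added example, not AWS code: a NAT gateway is a managed service, so this only
reproduces its observable behaviour (source NAT to an Elastic IP, a per-flow
translation table, unsolicited inbound dropped). Ports and remote addresses
are constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatGateway:
    """Source NAT: rewrites private source addresses to one Elastic IP."""

    def __init__(self, elastic_ip, first_port=1024):
        self.elastic_ip = elastic_ip
        self._next_port = first_port
        self._outbound = {}  # (private_ip, private_port, dst_ip, dst_port) -> nat_port
        self._inbound = {}   # (nat_port, remote_ip, remote_port) -> (private_ip, private_port)

    def outbound(self, pkt):
        """Translate a packet leaving the private subnet; returns what the IGW sees."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = self._outbound.get(key)
        if nat_port is None:                     # first packet of a new flow
            nat_port = self._next_port           # one translated port per flow
            self._next_port += 1
            self._outbound[key] = nat_port
            self._inbound[(nat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.elastic_ip, nat_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a packet arriving from the internet, or return None (dropped)
        when no private host initiated the flow. This is what makes the private
        subnet's internet access outbound-only."""
        target = self._inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            return None
        private_ip, private_port = target
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port)


def patch_download_roundtrip():
    """The diagram's flow: app server 10.0.2.10 fetches from a patch mirror,
    then an internet host tries to open SSH to the Elastic IP."""
    nat = NatGateway("54.123.45.67")
    request = Packet("10.0.2.10", 40000, "203.0.113.10", 443)
    on_the_wire = nat.outbound(request)
    response = Packet("203.0.113.10", 443, on_the_wire.src_ip, on_the_wire.src_port)
    delivered = nat.inbound(response)
    unsolicited = nat.inbound(Packet("198.51.100.7", 5555, "54.123.45.67", 22))
    return on_the_wire, delivered, unsolicited


if __name__ == "__main__":
    for label, pkt in zip(("sent", "reply", "unsolicited"), patch_download_roundtrip()):
        print(f"{label:12} {pkt}")
```

The point to take from the model: the mirror only ever sees 54.123.45.67, and the SSH attempt has no translation entry, so it is discarded before any security group or instance is involved. Real NAT gateways also time out idle entries, which this model omits.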

Q5: VPN vs Direct Connect

graph TB
    subgraph OnPremise[On-Premise Data Center]
        Corp[Corporate Network]
    end
    
    subgraph AWS[AWS Cloud]
        VPC[VPC]
        VPG[Virtual Private Gateway]
    end
    
    Corp -->|VPN Connection<br/>Public Internet<br/>1.25 Gbps per tunnel| VPG
    Corp -->|Direct Connect<br/>Dedicated Fiber<br/>1/10/100 Gbps ports| DC[Direct Connect<br/>Location]
    
    DC --> VPG
    VPG --> VPC
    
    style Corp fill:#FF9800
    style DC fill:#4CAF50

Connection Options:

  • VPN (Site-to-Site): IPsec-encrypted tunnels over the public internet, quick to set up (minutes to hours)
  • Each tunnel is limited to 1.25 Gbps; a connection has two tunnels, and higher aggregate throughput needs ECMP across several connections through a Transit Gateway. Latency varies with internet routing
  • Lower cost, good for temporary or low-bandwidth needs
  • Direct Connect: Dedicated fiber connection through a Direct Connect location, bypassing the public internet
  • Dedicated ports at 1, 10 or 100 Gbps (hosted connections start at 50 Mbps), consistent low latency and predictable performance
  • Higher cost, takes weeks to provision, requires a physical cross-connect at the Direct Connect location
  • Not encrypted by default: a dedicated link is private, not confidential. Use MACsec on supported dedicated connections or run a VPN over Direct Connect when encryption in transit is required
  • Best for high-bandwidth, mission-critical workloads requiring consistent performance
  • Can use both: Direct Connect as primary, VPN as backup failover connection

Q6: Route Tables

graph TB
    VPC[VPC: 10.0.0.0 Slash 16] --> MainRT[Main Route Table]
    VPC --> CustomRT[Custom Route Table]
    
    MainRT --> Rule1[Destination: 10.0.0.0 Slash 16<br/>Target: local]
    
    CustomRT --> Rule2[Destination: 10.0.0.0 Slash 16<br/>Target: local]
    CustomRT --> Rule3[Destination: 0.0.0.0 Slash 0<br/>Target: Internet Gateway]
    
    MainRT --> PrivateSub[Private Subnet<br/>No Internet Access]
    CustomRT --> PublicSub[Public Subnet<br/>Internet Access]
    
    style CustomRT fill:#4CAF50
    style MainRT fill:#FF9800

Route Table Concepts:

  • Contains rules (routes) determining where network traffic is directed
  • Each route has a destination CIDR block (or managed prefix list) and a target (local, gateway, NAT, endpoint, ENI, peering connection)
  • Local route (the VPC CIDR) is added automatically and cannot be deleted; it enables communication within the VPC
  • In a public subnet's table the 0.0.0.0/0 route targets the Internet Gateway; in a private subnet's table it targets a NAT Gateway, or is absent if the subnet should be isolated
  • Subnets without an explicit association use the main route table
  • Best practice: Keep the main route table private (local route only) and create custom tables for public subnets, so a newly created subnet is never internet-routed by accident
  • Each subnet is associated with exactly one route table
  • Most specific route (longest prefix match) takes precedence when multiple routes match, which is how a gateway endpoint's prefix-list route wins over 0.0.0.0/0
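Route selection as the VPC router performs it, as an added Python example that is not from the article or from AWS: longest prefix match over a subnet route table, with a constructed stand-in for the prefix list a gateway endpoint (Q8) installs, so you can see why S3 traffic leaves through the endpoint even though a 0.0.0.0/0 route to NAT exists. Target IDs such as nat-0abc and the 203.0.113.0/24 "S3" range are placeholders, not real resources or AWS address space.

```python
"""Longest-prefix-match route lookup for a VPC subnet route table.

Added example (not AWS code). Target identifiers are placeholders and
S3_PREFIX_LIST is a constructed stand-in: the real prefix list a gateway
endpoint installs is region specific and managed by AWS.
"""
import ipaddress

LOCAL = "local"


def build_route_table(vpc_cidr, extra_routes=()):
    """Return [(network, target)]. The local route covering the whole VPC CIDR is
    always present, as AWS adds it automatically and it cannot be deleted."""
    routes = [(ipaddress.ip_network(vpc_cidr), LOCAL)]
    routes += [(ipaddress.ip_network(cidr), target) for cidr, target in extra_routes]
    return routes


def lookup(route_table, dst_ip):
    """Return the target of the most specific matching route, or None when no
    route matches (the packet is dropped: the subnet has no path to dst_ip)."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in route_table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# Constructed stand-in for the regional S3 prefix list (documentation range, not AWS space).
S3_PREFIX_LIST = ["203.0.113.0/24"]


def private_subnet_table(with_s3_endpoint=True):
    """Private subnet: default route to NAT, optionally an S3 gateway endpoint route."""
    extra = [("0.0.0.0/0", "nat-0abc")]
    if with_s3_endpoint:
        extra += [(cidr, "vpce-s3") for cidr in S3_PREFIX_LIST]
    return build_route_table("10.0.0.0/16", extra)


def public_subnet_table():
    """Public subnet: default route to the Internet Gateway."""
    return build_route_table("10.0.0.0/16", [("0.0.0.0/0", "igw-0abc")])


def main_table():
    """Main route table kept private: local route only, so the subnet is isolated."""
    return build_route_table("10.0.0.0/16")


if __name__ == "__main__":
    tables = [("private", private_subnet_table()), ("public", public_subnet_table()),
              ("main", main_table())]
    for name, table in tables:
        for ip in ["10.0.2.10", "198.51.100.7", "203.0.113.9"]:
            print(f"{name:8} {ip:14} -> {lookup(table, ip)}")
```

Notice that the main table returns None for any address outside the VPC: a subnet left on it has no internet path at all, which is the safe default the best-practice bullet is asking for.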

Q7: Security Groups vs NACLs

graph TB
    Internet[Internet] --> NACL[NACL<br/>Subnet Level]
    
    NACL --> Subnet[Subnet]
    
    Subnet --> SG1[Security Group 1<br/>Instance Level]
    Subnet --> SG2[Security Group 2<br/>Instance Level]
    
    SG1 --> EC2_1[Web Server<br/>EC2]
    SG2 --> EC2_2[Database<br/>EC2]
    
    style NACL fill:#FF9800
    style SG1 fill:#4CAF50
    style SG2 fill:#4CAF50

Security Layers:

  • NACLs (Network ACLs): Subnet-level firewall, stateless (inbound and outbound rule sets are evaluated independently)
  • Support both allow and deny rules; rules are tried in ascending number and the first match wins, with the final * rule denying everything else
  • Because they are stateless, return traffic needs its own rule: allow the ephemeral port range (1024-65535) in the opposite direction or replies are dropped
  • The default NACL allows all traffic; a newly created custom NACL denies all traffic until rules are added
  • Apply to every instance in the subnet automatically
  • Security Groups: Instance (ENI)-level firewall, stateful (return traffic is automatically allowed)
  • Only allow rules (no deny); all rules are evaluated and traffic is permitted if any rule matches
  • Can reference other security groups (e.g., the database SG allows its port only from the app tier SG), which avoids hard-coding IP ranges
  • A new custom security group allows no inbound and all outbound traffic; tighten egress for sensitive tiers
  • Best practice: Use Security Groups as the primary control and NACLs as an additional subnet-level layer, for instance to deny a known-bad CIDR, which a security group cannot express
  • Security Groups are more commonly used and easier to manage than NACLs
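The stateless-versus-stateful difference above, as an added Python example (not AWS code): the same HTTPS exchange is evaluated against a NACL with numbered first-match rules and against a security group with allow-only rules plus connection tracking. It reproduces the classic misconfiguration: both controls admit the client's request on 443, but the NACL's outbound set has no ephemeral-port rule, so the web server's replies are dropped at the subnet boundary while the security group would have let them through. Rule numbers, CIDRs, ports and helper names are constructed for the example.

```python
"""Stateless NACL vs stateful security group, evaluated on one HTTPS flow.

Added example, not AWS code. Rule numbers, CIDRs and ports are constructed.
"""
import ipaddress

EPHEMERAL = (1024, 65535)   # port range AWS documents for NACL return-traffic rules


def nacl_evaluate(rules, ip, port):
    """NACL semantics: rules are (number, cidr, (lo, hi), action); tried in
    ascending number, first match wins, implicit final '*' rule denies.
    Stateless: whoever calls this for a reply gets no help from any earlier packet."""
    addr = ipaddress.ip_address(ip)
    for _number, cidr, (lo, hi), action in sorted(rules):
        if addr in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action == "allow"
    return False


class SecurityGroup:
    """Allow-only rules plus connection tracking: the reply to an admitted
    connection is permitted even with no outbound rule covering it."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound   # lists of (cidr, (lo, hi))
        self._tracked = set()

    @staticmethod
    def _match(rules, ip, port):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(c) and lo <= port <= hi
                   for c, (lo, hi) in rules)

    def inbound_allowed(self, src_ip, src_port, dst_port):
        if self._match(self.inbound, src_ip, dst_port):
            self._tracked.add((src_ip, src_port, dst_port))   # remember the flow
            return True
        return False

    def outbound_allowed(self, dst_ip, dst_port, src_port):
        if (dst_ip, dst_port, src_port) in self._tracked:     # reply to a tracked flow
            return True
        return self._match(self.outbound, dst_ip, dst_port)


def https_roundtrip(nacl_outbound):
    """Client 198.51.100.7:51000 -> web server :443, then the server's reply.
    Returns (request_admitted, reply_admitted)."""
    nacl_inbound = [(100, "0.0.0.0/0", (443, 443), "allow")]
    sg = SecurityGroup(inbound=[("0.0.0.0/0", (443, 443))], outbound=[])  # no egress rules at all
    client, cport = "198.51.100.7", 51000
    request_ok = (nacl_evaluate(nacl_inbound, client, 443)
                  and sg.inbound_allowed(client, cport, 443))
    # The reply is addressed to the client's ephemeral port: the SG allows it via
    # tracking, the NACL only if an outbound rule explicitly covers that port.
    reply_ok = (sg.outbound_allowed(client, cport, 443)
                and nacl_evaluate(nacl_outbound, client, cport))
    return request_ok, reply_ok


BROKEN_NACL_OUT = [(100, "0.0.0.0/0", (443, 443), "allow")]              # forgot ephemeral ports
FIXED_NACL_OUT = BROKEN_NACL_OUT + [(110, "0.0.0.0/0", EPHEMERAL, "allow")]

if __name__ == "__main__":
    print("broken NACL:", https_roundtrip(BROKEN_NACL_OUT))   # request in, reply dropped
    print("fixed NACL: ", https_roundtrip(FIXED_NACL_OUT))
```

The same evaluator also shows the one thing a security group cannot do: a deny rule numbered below a broader allow blocks a specific CIDR, so a NACL is the right place for a subnet-wide block of a known-bad range.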

Q8: VPC Endpoints

graph TB
    subgraph VPC[VPC]
        subgraph Private[Private Subnet]
            EC2[EC2 Instances]
        end
        
        Endpoint[VPC Endpoint]
    end
    
    EC2 -.Without Endpoint.-> NAT[NAT Gateway]
    NAT -.Expensive.-> IGW[Internet Gateway]
    IGW -.Public Internet.-> S3_Old[S3]
    
    EC2 -->|With Endpoint<br/>Private| Endpoint
    Endpoint -->|AWS Network| S3[S3 Bucket]
    Endpoint -->|AWS Network| DDB[DynamoDB]
    
    style Endpoint fill:#4CAF50
    style NAT fill:#F44336

VPC Endpoint Benefits:

  • Enable private connections between the VPC and AWS services without an internet path
  • Traffic stays on the AWS network and never traverses the public internet
  • No Internet Gateway, NAT Gateway, or VPN connection is needed to reach that service
  • Gateway Endpoints: S3 and DynamoDB only, no charge, implemented as a prefix-list route in the subnet's route table
  • Interface Endpoints (AWS PrivateLink): For most other AWS services, an Elastic Network Interface with a private IP in your subnet, protected by a security group; hourly and per-GB charges apply
  • Access can be narrowed with an endpoint policy and, on the service side, with resource policies conditioned on aws:SourceVpce, so data can only move through the approved path
  • Cost-effective for S3 and DynamoDB: gateway endpoints remove NAT Gateway data processing charges for that traffic
  • Better performance: lower latency on the AWS private network and no dependence on NAT Gateway bandwidth

Complete VPC Architecture

graph TB
    Internet[Internet] --> IGW[Internet Gateway]
    
    IGW --> VPC[VPC: 10.0.0.0 Slash 16]
    
    VPC --> AZ1[Availability Zone 1a]
    VPC --> AZ2[Availability Zone 1b]
    
    AZ1 --> PubSub1[Public Subnet<br/>10.0.1.0 Slash 24]
    AZ1 --> PrivSub1[Private Subnet<br/>10.0.2.0 Slash 24]
    
    AZ2 --> PubSub2[Public Subnet<br/>10.0.3.0 Slash 24]
    AZ2 --> PrivSub2[Private Subnet<br/>10.0.4.0 Slash 24]
    
    PubSub1 --> Web1[Web Server]
    PubSub1 --> NAT1[NAT Gateway]
    PubSub2 --> Web2[Web Server]
    PubSub2 --> NAT2[NAT Gateway]
    
    PrivSub1 --> App1[App Server]
    PrivSub1 --> DB1[Database]
    PrivSub2 --> App2[App Server]
    PrivSub2 --> DB2[Database]
    
    PrivSub1 --> VPCEndpoint[VPC Endpoint]
    PrivSub2 --> VPCEndpoint
    
    VPCEndpoint --> S3[S3 Bucket]
    
    NAT1 --> IGW
    NAT2 --> IGW
    
    style VPC fill:#FF9900
    style PubSub1 fill:#4CAF50
    style PubSub2 fill:#4CAF50
    style PrivSub1 fill:#FF9800
    style PrivSub2 fill:#FF9800

Production Architecture Best Practices:

  • Deploy across multiple Availability Zones for high availability and fault tolerance
  • Public subnets host internet-facing resources (web servers, load balancers, NAT Gateways)
  • Private subnets host internal resources (application servers, databases)
  • One NAT Gateway per AZ for redundancy (if one AZ fails, others continue)
  • VPC Endpoints provide private access to S3 without internet routing
  • Security Groups control instance-level access, NACLs provide subnet-level protection
  • Route tables direct traffic appropriately (public to IGW, private to NAT)
  • This architecture provides security, scalability, and high availability for production workloads