Aakash Choudhary
How Does Networking Work in AWS?

Flow of traffic request in VPC

There have been times when I tried downloading something inside my EC2 instance and kept hitting a “timeout”. No errors, just silence. I had no idea what was wrong. That’s when I realized this wasn’t a software bug. It was a networking blind spot. I tried to debug this, and found that many people get stuck on this at some point.

That’s why I decided to break down the architecture behind AWS networking inside a VPC. What are public and private subnets? How can an application in a private subnet reach the internet? How do two different VPCs communicate with each other?

Stick with me for 4 minutes to explore this below.


What is VPC?

A VPC (Virtual Private Cloud) is like your own private club on AWS. You host or deploy your applications here — and the best part? It’s isolated from everyone else’s setup!
Let’s say I’m deploying a Node.js app in my VPC, and you, my friend, are doing the same in your VPC. We can both run the same app, but with completely different network configurations, IP ranges, and access rules.

How Do You Connect to Resources in a VPC?

Now wait!! If this is a “private” cloud, then how do we actually access it?

Great question. Like any private club, you need a valid identity to get in. Yes, we need to be validated before we can access VPC resources. That’s where IAM (Identity and Access Management) comes in.

Why IAM?

Yes, why does IAM come into the networking part?

Let’s break it down:

I’m on my local laptop, trying to connect to an EC2 instance running in a VPC (say, Vx). AWS exposes public API endpoints for most services, like EC2, RDS, SSM, etc.

When I use the AWS CLI to interact with these services, I send a request to AWS’s public APIs. But AWS won’t just let anyone in.

So, I authenticate using my IAM Access Key and Secret Key.

This verifies:

  • Who I am
  • What I can access
  • Which actions I’m allowed to perform

Now we know the use of IAM. It’s used to validate who can access what, and in which cloud (VPC), right down to who can perform which operation on which service.

Okay, so we know VPC and why IAM is used… But

Types of Subnet

What’s a Subnet?

Now, there may be cases where I have a static frontend application in my private cloud. I want to show it to the world, right?

What I need to do is keep it somewhere that is accessible to the world. For the world to reach it, it needs some internet connectivity.

Internet Gateway

An IGW is the component used to connect the VPC to the internet (consider it the internet provider for this cloud).

Whoooo!! What if I have a database, and I don’t want to expose it to the world?

Yes, great question! So, to break this down, we have two types of subnet.

  • Public Subnet
  • Private Subnet

Public Subnet Example

Let’s say I’ve got a frontend app that’s static (like a React site). I want the world to access it.

To do that, I’ll place it in a public subnet, a subnet that’s connected to an Internet Gateway (IGW). Think of IGW as your WiFi provider, giving internet access to your subnet.

If it’s connected to the IGW via its route table, then that subnet can send and receive traffic from the internet.

Private Subnet Example

Now, let’s say I have a database. I don’t want people from the outside world to peek into it. So, I put it in a private subnet.

Private subnets have no direct route to an Internet Gateway. So they’re hidden, kind of like the secret basement of your VPC club.

But… sometimes, your DB or EC2 in a private subnet needs to initiate outbound connections (say, to fetch updates or call an API).

So what do they do?

They ask their friendly neighbor (a **_public subnet_**) for help, specifically via a **_NAT Gateway_**.

What is NAT Gateway?

The NAT Gateway lives in a public subnet and helps private subnet resources reach out to the internet, but only outbound.

Think of it like a door that lets you exit, but no one from the internet can enter.

Inbound vs Outbound

  • Outbound: You can call the internet (like fetching data from an API)
  • Inbound: The internet can reach you (this is blocked for private subnets unless you do something special)

Architecture of Networking

Breaking Down Subnet Architecture

  • A VPC is assigned a CIDR block, like 172.31.0.0/16.
  • This CIDR block defines the total range of IPs you can use in that network.
  • Subnets are chunks of this CIDR block. Like slicing a pizza into small slices so that each friend gets one!
  • Resources like EC2 instances are deployed into subnets and assigned an IP.

How Does a Subnet Know Where to Send Traffic?

That’s where Route Tables come in.

A Route Table defines rules like:

  • Destination 0.0.0.0/0 → Target igw-044a2729e12072922 (this means: “send internet-bound traffic to the Internet Gateway”)
  • Destination 172.31.0.0/16 → Target local (this means: “keep internal traffic within the VPC”)

Each subnet is associated with a route table. The routes tell the traffic: if you’re going to the internet, take this road/route.
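To make the subnet slicing, the route-table lookup and the inbound/outbound distinction concrete, here is a small added model in Python (example code written for this post, not AWS tooling). It uses the post’s VPC CIDR and IGW id; the NAT Gateway id and the three route tables are constructed sample values, and the “5 reserved addresses per subnet” figure is AWS’s documented reservation, not something from the post.

```python
import ipaddress

# Constructed sample: the VPC CIDR quoted in the post and three route tables.
VPC_CIDR = ipaddress.ip_network("172.31.0.0/16")
PUBLIC_RT = {"172.31.0.0/16": "local", "0.0.0.0/0": "igw-044a2729e12072922"}
PRIVATE_RT = {"172.31.0.0/16": "local", "0.0.0.0/0": "nat-PLACEHOLDER0001"}  # hypothetical id
ISOLATED_RT = {"172.31.0.0/16": "local"}  # no route out at all


def carve_subnets(vpc, new_prefix):
    """Slice the VPC CIDR into equal subnets (the 'pizza slices').
    AWS reserves the first four and the last address of every subnet,
    so the usable count is num_addresses - 5."""
    return [(str(s), s.num_addresses - 5) for s in vpc.subnets(new_prefix=new_prefix)]


def next_hop(route_table, dst):
    """Pick the target the way a VPC route table does: longest-prefix match.
    Returns None when no route matches, i.e. the packet is dropped."""
    dst = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def subnet_kind(route_table):
    """AWS's own definition: a subnet is public if its route table has a
    route whose target is an Internet Gateway. A NAT route does not count."""
    targets = list(route_table.values())
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("nat-") for t in targets):
        return "private (outbound via NAT)"
    return "private (isolated)"


def reachable_from_internet(route_table, has_public_ip):
    """Inbound from the internet needs BOTH an IGW route and a public/Elastic IP
    on the instance. A NAT Gateway only gives outbound, exactly as the post says."""
    return subnet_kind(route_table) == "public" and has_public_ip


if __name__ == "__main__":
    print(carve_subnets(VPC_CIDR, 20)[:2])
    print(next_hop(PUBLIC_RT, "8.8.8.8"), next_hop(PRIVATE_RT, "8.8.8.8"))
    print(reachable_from_internet(PUBLIC_RT, True), reachable_from_internet(PRIVATE_RT, True))
```

Security groups and NACLs still sit in front of all of this, so a route is necessary but not sufficient for traffic to flow.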

So What Did We Just Cover?

  • VPC: Your private slice of the AWS cloud
  • Subnet: Smaller rooms inside your VPC (public or private)
  • Internet Gateway: The official internet provider for your VPC
  • NAT Gateway: Middleman that helps private subnets talk to the internet
  • Route Tables: Route for the traffic

Follow for More

If this helped or sparked an idea, drop a comment, a clap, or reach out!
