DEV Community: Afolabi Gabriel Olaoluwa

AWS VPC SEGMENTATION

Afolabi Gabriel Olaoluwa — Mon, 30 Jun 2025 23:28:35 +0000

Segmentation is the practice of dividing a Virtual Private Cloud (VPC) into smaller logical, isolated section to improve security, manageability, and performance.
It allows you to separate resources based on funtion, environment or security needs.

Just like traditional network, LAN is segmented into logical separate LAN called the VLANs. These VLAN segments are based on the environment, users, and resources that should be provisioned in that segment.

In AWS VPC, segmentation is done exactly like this but in the form of subnets. You dont create VLANs but you create subnets in the AWS VPC.

Remember, that VPC is an isolated virtual network within AWS, that you create and control, just like the traditional data center network.

When you create a VPC, you define your CIDR or Block e.g 10.10.0.0/16

But in this VPC, there's need for you to do segmentation. Then you begin to create different subnets.

These subnets created will be given a block of ip from the VPC CIDR.

Say, you want to create four subnets from a VPC whose CIDR is 10.10.0.0/16. This can be manually created like this:

Subnet A = 10.10.1.0/24
Subnet B = 10.10.2.0/24
Subnet C = 10.10.3.0/24
Subnet D = 10.10.4.0/24

The vpc is segmented into four subnets. Like I said , a subnet in AWS VPC is just like VLAN in traditional network.

In AWS VPC, Any resource provisioned in any subnet will dynamically pick an ip address from the ip block assigned to that subnet.

Example: If we provisioned a server in subnet A, the ip of that server will dynamically pick an ip address in the (10.10.1.0/24) pool.

EC2 instance ip : 10.10.1.10/24

Also note that, you can decide to make any of these subnets created public or private.

For ease of troubleshooting you could have a unique address range for public subnet and for private subnet.

In the next article, I will show typical example of how to create VPC, subnet and allocating IPs.

DIFFERENCE BETWEEN INTERNET GATEWAY (IGW) AND NAT GATEWAY(NAT-GW)

Afolabi Gabriel Olaoluwa — Sat, 12 Apr 2025 14:02:14 +0000

In AWS Virtual private cloud, IGW and NAT GW are very important AWS VPC components.

It is very pertinent to understand the function of the two components so as to know where and when to deploy each of them.
Here i will explain the difference between the IGW and NAT Gateway.

Both VPC components are called gateways, in VPC context, they allow internet access, but have different use cases.

INTERNET GATEWAY (IGW)
The Internet Gateway is a VPC component that provides internet access for public subnets.
Its like a bridge that connects your VPC to the internet. Your VPC has access to the internet through the IGW.

It allows instances or resources in a public subnet to access the internet and also to be accessed from the internet. Example of this resource in a public subnet, is a web application hosted on a web server, which is expected to have access to the intenet or be accessed from the internet.

This is exactly a two-way communication i.e inbound and outbound internet traffic.
The IGW is attached to a virtual private cloud (vpc). It acts like a gate to the outside world (Internet).
Its usually used by the instances/resources in the public subnet, to route traffic to the internet.

Note: Instances or resources deployed in the Public subnets have a public ip, and their traffic is routed to the internet Gateway for internet access. It is not like that for resources in the private subnet.
The Traffic of an instance(WEB APPLICATION) in the public subnet is:
INSTANCE(WEB-APPLICATION) >>>> IGW >>>>INTERNET

NAT GATEWAY
AWS NAT Gateway (Network Address Translation Gateway) is a managed AWS service that allows instances/resources in a private subnet to connect to the internet while preventing the internet from initiating connections with those instances/resources.
Example is a backend server typically deployed in a private subnet. Users cannot be allowed to access this backend server from the internet for strict security measures; But the server needs to have access to the internet, for updates installations.
This is a typical ONE-WAY Communication that allows only outbound traffic (SERVER-TO-INTERNET), but does not allow inbound traffic (INTERNET-TO-SERVER).

This is ideally used by instances or resources in the private subnet, because the instances in the private subnet do not have public IPs , also their route do not point towards the IGW.
One more thing to note is that, NAT GW is used by resources in the private subnet, but the NAT GW itself is deployed in the public subnet i.e it is attached to a subnet and not vpc .

The Traffic flow of an instance(BACKEND APPLICATION) in the private subnet is:
INSTANCE(BACKEND-APPLICATION) >>>> NAT-GW >>>> IGW >>>> INTERNET

In the next article, i will be sharing the difference between the public and private subnet.

Understanding AWS VPC and Its Components

Afolabi Gabriel Olaoluwa — Mon, 24 Mar 2025 17:01:54 +0000

Amazon Virtual Private Cloud (VPC) is a fundamental service within Amazon Web Services (AWS) that enables users to launch AWS resources in a logically isolated virtual network. VPC is a regional service.

A VPC helps to provide control over network settings, including IP addressing subnetting, routing, and security policies. This makes it a crucial component for cloud-based applications.

I am going to list below the components of AWS VPC, with a brief introduction on each of them. Going forward, I will be explaining each of them as a stand alone topic on how each of the component functions and deployed in AWS VPC.

Subnets
A VPC is divided into subnets, which are segments of the IP address range allocated to specific Availability Zones. Subnets can be public or private, where public subnets have direct internet access, while private subnets are isolated for internal use. Note that the subnets are created in specific Availability Zone or Zones preferably for disaster recovery.
Internet Gateway (IGW)
An Internet Gateway allows resources within a VPC (specifically, public subnets) to communicate with the internet. It serves as a bridge between the VPC and external networks. Every resource deployed in the public subnet, has access to reach the internet through the internet Gateway.
NAT Gateway or NAT Instances
Network Address Translation (NAT) is used for private subnets to access the internet without exposing their instances to inbound traffic. This service is deployed in the public subnet, but used for the private subnet for internet access.
Useful for private resources like databases or backend servers that need to download updates or access external services but should not be exposed to the internet. AWS offers NAT Gateways (managed service) and NAT Instances (self-managed EC2 instances) for this purpose.
Security Group
Security Groups act as virtual firewalls for EC2 instances within the VPC. They control inbound and outbound traffic based on predefined rules, providing security at the instance level. Security groups are stateful.
Network Access Control Lists (NACLs)
NACLs provide an additional layer of security at the subnet level. Unlike Security Groups, NACLs operate with stateless rules, meaning inbound and outbound rules must be explicitly defined.
Elastic IPs (EIPs)
Elastic IPs are static public IP addresses that are associated with EC2 instances or NAT Gateways, ensuring persistent connectivity even if an EC2 instance is stopped and restarted.
VPC Peering
VPC Peering allows secure and direct connectivity between two VPCs within the same AWS account or across different accounts. This enables seamless communication without the need for going through the internet. VPC peering is not transitive.
AWS Transit Gateway
AWS Transit Gateway simplifies network management by allowing multiple VPCs and on-premises networks to be connected through a single, scalable hub.
AWS Transit Gateway
AWS Transit Gateway simplifies network management by allowing multiple VPCs and on-premises networks to be connected through a single, scalable hub.
VPC Endpoints
VPC Endpoints enable a VPC to connect with other AWS services without going through the internet. They are two types or categories:
(a) Interface Endpoints (b) Gateway Endpoints.
These will be discussed in further articles and practical examples.