DEV Community

Nitesh More

AWS Networking Demystified: VPC, Subnets, Security, and Beyond

When you first dive into AWS, networking feels like a maze. Between VPCs, subnets, routing tables, security groups, and NACLs, it's easy to get lost.

This guide breaks it down step by step, so you'll walk away knowing how all the pieces fit together.


1. Virtual Private Cloud (VPC)

A VPC is your own private section of the AWS cloud.
Think of it as your own data center in the cloud, isolated from others.

  • You define the IP address range (CIDR block, e.g., 10.0.0.0/16).
  • Inside it, you place subnets, route tables, and security rules.
  • You can connect your VPC to the internet (via Internet Gateway) or keep it private.

👉 Every AWS account comes with a default VPC, but for production, you almost always create custom ones.


2. Subnets

Inside a VPC, you slice the network into subnets.

  • Public subnet → connected to the internet via an Internet Gateway.
  • Private subnet → no direct internet access, usually behind a NAT Gateway or used for internal services.

๐Ÿ“ Example:

  • Public subnet hosts a web server.
  • Private subnet hosts a database (never exposed directly to the internet).

3. Route Tables

Subnets don't know where to send traffic by default. That's where Route Tables come in.

  • Each subnet is associated with a route table.
  • Example route: 0.0.0.0/0 → Internet Gateway (for internet access).
  • Private subnets may instead route 0.0.0.0/0 → NAT Gateway (so they can access the internet outbound but remain unreachable from outside).
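To make the subnet and route-table ideas concrete, here is an added example (not code from the original post) that carves the 10.0.0.0/16 VPC from section 1 into /24 subnets and resolves a destination the way an AWS route table does: the most specific matching route wins, so the VPC's own "local" route always beats 0.0.0.0/0. The gateway targets "igw-PLACEHOLDER" and "nat-PLACEHOLDER" are made-up names standing in for real resource IDs; the reservation of five addresses per subnet is AWS behaviour.

```python
import ipaddress

# The VPC CIDR from section 1 of the post.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")


def carve_subnets(vpc_cidr, new_prefix=24, count=4):
    """Return the first `count` subnets of size /new_prefix inside the VPC."""
    subnets = list(vpc_cidr.subnets(new_prefix=new_prefix))[:count]
    return [str(s) for s in subnets]


def usable_hosts(subnet_cidr):
    """AWS reserves the first four addresses and the last address of every
    subnet, so a /24 yields 251 assignable addresses, not 254."""
    net = ipaddress.ip_network(subnet_cidr)
    return net.num_addresses - 5


# Route tables keyed by destination CIDR. The "local" route for the VPC CIDR
# is always present and cannot be removed. Gateway IDs are placeholders.
PUBLIC_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-PLACEHOLDER"}
PRIVATE_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-PLACEHOLDER"}
ISOLATED_RT = {"10.0.0.0/16": "local"}  # no default route: no internet at all


def resolve_route(route_table, destination):
    """Pick the target of the most specific (longest-prefix) matching route,
    or None when nothing matches (the packet is dropped)."""
    dst = ipaddress.ip_address(destination)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


if __name__ == "__main__":
    print(carve_subnets(VPC_CIDR))
    print(usable_hosts("10.0.0.0/24"))
    for name, rt in (("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)):
        print(name, resolve_route(rt, "10.0.1.5"), resolve_route(rt, "8.8.8.8"))
```

Note that in-VPC traffic (10.0.1.5) resolves to "local" in all three tables, and only the isolated table drops traffic bound for the internet; an instance in a "private" subnet still has a path out through the NAT Gateway, which is the point of section 4.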

4. Internet Gateway (IGW) & NAT Gateway

  • Internet Gateway (IGW) → attaches to a VPC to allow resources in public subnets to connect to the internet.
  • NAT Gateway → allows private subnets to initiate outbound traffic to the internet (like downloading updates) while blocking connections initiated from the internet.

👉 Rule of thumb:

  • Public subnet = IGW.
  • Private subnet = NAT Gateway.

5. Security Groups (SG)

A Security Group is like a firewall at the instance level (EC2, RDS, etc.).

  • Stateful: If you allow inbound traffic, the response is automatically allowed.
  • Works on allow rules only (no explicit deny).
  • Example:

    • Allow inbound TCP 22 (SSH) from 10.0.0.0/16.
    • Allow inbound TCP 443 (HTTPS) from anywhere.

6. Network ACLs (NACLs)

A NACL is like a firewall at the subnet level.

  • Stateless: You must define both inbound and outbound rules.
  • Works with allow and deny rules.
  • Example:

    • Deny inbound TCP 22 (SSH) from everywhere.
    • Allow inbound TCP 443 (HTTPS) from 0.0.0.0/0.

👉 Quick comparison:

  • Security Groups = “Who can talk to this server?”
  • NACLs = “What traffic can pass through this subnet?”
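The stateful/stateless distinction is where most real misconfigurations happen, so here is an added example (not code from the original post) that models the two evaluation semantics and runs the rules from sections 5 and 6 through them. Security groups are allow-only and unordered; NACLs are evaluated by rule number with first match winning and an implicit deny at the end; and because NACLs are stateless, the reply packet to the client's ephemeral port must pass the outbound rules on its own. The rule sets, flows and port ranges below are constructed for the example; the 1024-65535 ephemeral range is the one AWS documents for NACL outbound rules.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str              # "tcp" or "udp"
    ports: tuple            # inclusive (low, high) port range
    cidr: str               # source range (inbound) or destination range (outbound)
    action: str = "allow"   # NACL rules may also be "deny"; SGs are allow-only
    number: int = 0         # NACL rule number; unused for security groups


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str             # client address
    dst_port: int           # service port on the instance
    src_port: int           # client's ephemeral port; the reply is sent here


def _matches(rule, proto, port, ip):
    low, high = rule.ports
    return (rule.proto == proto and low <= port <= high
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))


def sg_allows(rules, flow):
    """Security group: any matching allow rule permits the request; stateful,
    so the reply needs no outbound rule."""
    return any(_matches(r, flow.proto, flow.dst_port, flow.src_ip) for r in rules)


def nacl_decision(rules, proto, port, ip):
    """NACL: evaluate in ascending rule number, first match wins, and the
    implicit '*' rule denies anything left unmatched."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, proto, port, ip):
            return r.action
    return "deny"


def nacl_allows(inbound, outbound, flow):
    """Stateless: the request must pass the inbound list AND the reply to the
    client's ephemeral port must pass the outbound list separately."""
    request_ok = nacl_decision(inbound, flow.proto, flow.dst_port, flow.src_ip) == "allow"
    reply_ok = nacl_decision(outbound, flow.proto, flow.src_port, flow.src_ip) == "allow"
    return request_ok and reply_ok


def reachable(sg_rules, nacl_in, nacl_out, flow):
    """Traffic reaches the instance only if the subnet NACL and the instance
    security group both permit it."""
    return nacl_allows(nacl_in, nacl_out, flow) and sg_allows(sg_rules, flow)


# Security group rules from section 5: SSH from the VPC, HTTPS from anywhere.
SG_RULES = [Rule("tcp", (22, 22), "10.0.0.0/16"),
            Rule("tcp", (443, 443), "0.0.0.0/0")]

# NACL inbound rules from section 6: deny SSH from everywhere, allow HTTPS.
NACL_IN = [Rule("tcp", (22, 22), "0.0.0.0/0", "deny", 100),
           Rule("tcp", (443, 443), "0.0.0.0/0", "allow", 110)]

# Common mistake: no outbound rule for replies, so every TCP handshake stalls.
NACL_OUT_BROKEN = []
# Fixed: allow replies back to the client's ephemeral port range.
NACL_OUT_FIXED = [Rule("tcp", (1024, 65535), "0.0.0.0/0", "allow", 100)]

if __name__ == "__main__":
    https = Flow("tcp", "203.0.113.9", 443, 50000)
    ssh_from_vpc = Flow("tcp", "10.0.5.5", 22, 50000)
    print("HTTPS, broken NACL:", reachable(SG_RULES, NACL_IN, NACL_OUT_BROKEN, https))
    print("HTTPS, fixed NACL: ", reachable(SG_RULES, NACL_IN, NACL_OUT_FIXED, https))
    print("SSH from VPC:      ", reachable(SG_RULES, NACL_IN, NACL_OUT_FIXED, ssh_from_vpc))
```

Two things to notice: the SG on its own would admit SSH from 10.0.5.5, but the subnet NACL's deny rule fires first, so the connection never reaches the instance; and an inbound-only NACL silently breaks even the HTTPS traffic it explicitly allows, which is the classic stateless-firewall failure mode.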

7. VPC Peering

What if you have two VPCs and want them to talk?

  • VPC Peering connects two VPCs privately over the AWS backbone network.
  • It's one-to-one and doesn't support transitive peering (VPC A can't automatically talk to C via B).
  • Alternative for larger architectures → Transit Gateway.

8. Transit Gateway (TGW)

  • A Transit Gateway is like a hub for multiple VPCs and on-prem networks.
  • Instead of managing many VPC peerings, you connect each VPC to TGW once.
  • Supports transitive routing.
  • Great for enterprise-scale multi-VPC setups.

9. PrivateLink & VPC Endpoints

Sometimes you don't want your private subnet to talk to AWS services (like S3, DynamoDB) over the public internet.

  • VPC Endpoint (Gateway/Interface) → private connection between your VPC and an AWS service.
  • PrivateLink → lets you securely connect to services in another VPC without exposing traffic to the internet.

10. Putting It All Together (Example)

Imagine a simple 3-tier architecture:

  • Public Subnet → Load Balancer (ALB)
  • Private Subnet A → App Servers (EC2 in Auto Scaling Group)
  • Private Subnet B → Database (RDS)

Traffic flow:
User → ALB (Public Subnet) → App Server (Private Subnet) → Database (Private Subnet)

Security Layers:

  • ALB SG → allows inbound HTTPS from internet.
  • App Server SG → allows inbound only from ALB SG.
  • DB SG → allows inbound only from App Server SG.
  • NACLs → add subnet-wide restrictions for extra defense.

11. Key Best Practices

  • Use least privilege rules (narrow CIDR ranges).
  • Split workloads across AZs for resilience.
  • Use NAT Gateway for private subnets needing outbound access.
  • For many VPCs, prefer Transit Gateway over complex peering meshes.
  • Use VPC Flow Logs to monitor traffic.
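The last best practice, VPC Flow Logs, is only useful if you actually look at them, so here is an added example (not code from the original post) that parses records in the default flow-log format and runs two simple checks a defender would want: which sources are generating REJECTs, and whether any TCP/22 connection from outside the VPC was ACCEPTed, which should be impossible if the security group from section 5 (SSH only from 10.0.0.0/16) is in place. The log lines are constructed for this example; the account ID and "eni-PLACEHOLDER" are placeholders, and the field order is the documented version-2 default format.

```python
import ipaddress
from collections import Counter

# Default VPC Flow Log format (version 2), space-separated fields in this order.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records; account ID and ENI ID are placeholders.
# Line 4 is the interesting one: SSH accepted from an address outside the VPC.
SAMPLE_LOG = """\
2 123456789012 eni-PLACEHOLDER 203.0.113.9 10.0.1.10 50123 443 6 10 8400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-PLACEHOLDER 198.51.100.7 10.0.1.10 41522 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-PLACEHOLDER 10.0.2.20 10.0.1.10 48000 22 6 5 600 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-PLACEHOLDER 198.51.100.7 10.0.1.10 41600 22 6 4 240 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-PLACEHOLDER - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format records into dicts. NODATA/SKIPDATA records carry
    no traffic fields and are dropped; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # truncated line or a custom log format
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_sources(records):
    """Count REJECTed flows per source address; scanners and misconfigured
    clients stand out as the top entries."""
    return Counter(r["srcaddr"] for r in records if r["action"] == "REJECT")


def external_ssh_accepts(records, vpc_cidr):
    """Accepted TCP/22 flows whose source lies outside the VPC CIDR. With an
    SSH rule scoped to the VPC range these should not exist, so any hit means
    a rule drifted and needs investigating."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [(r["srcaddr"], r["dstaddr"]) for r in records
            if r["action"] == "ACCEPT" and r["protocol"] == 6 and r["dstport"] == 22
            and ipaddress.ip_address(r["srcaddr"]) not in vpc]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("parsed records:", len(recs))
    print("rejects by source:", dict(rejected_sources(recs)))
    print("external SSH accepts:", external_ssh_accepts(recs, "10.0.0.0/16"))
```

The protocol field is the IANA protocol number (6 is TCP), not a name, and the same source that was REJECTed on port 22 later shows an ACCEPT: that pairing is exactly the kind of change a periodic check over flow logs is meant to surface.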

✅ Takeaway

AWS networking isn't just about connecting resources — it's about designing secure, scalable, and maintainable networks.

If you understand VPC, subnets, routing, security groups, NACLs, and peering, you've got the foundation to handle real-world AWS architectures.
