
Eduardo Santana

Originally published at eduardosantana.dev

AWS VPC 101

What is a VPC?

Amazon Virtual Private Cloud (VPC) is a core AWS service that lets you provision a logically isolated section of the cloud where you can launch AWS resources in a virtual network that you define.

You have complete control over your virtual networking environment, including selection of your IP address range, creation of subnets, and configuration of route tables and network gateways.

What makes up a VPC?

A VPC is made up of several components, including:

  • The VPC itself
    • This is your private network. It closely resembles a traditional network that you'd run on-premises. It carries network-wide settings (such as DNS resolution and DNS hostnames) and a primary IPv4 CIDR block, such as 10.0.0.0/16. Pick that block so it does not overlap with on-premises ranges or other VPCs you may later need to peer or connect with, because overlapping ranges cannot be routed between.
  • Subnets
    • Subnets are segments of the VPC CIDR range used to place resources in a single Availability Zone (AZ). By convention they are called public, private, or isolated depending on their route table: a public subnet has a route to an internet gateway, a private subnet reaches the internet only through a NAT gateway, and an isolated subnet has no route outside the VPC at all. Nothing on the subnet itself marks it as public; the route table does. AWS reserves the first four and the last IP address of every subnet, so a /24 gives you 251 usable addresses.
    • A subnet exists in exactly one AZ, but you can have multiple subnets in the same AZ. Spreading subnets across several AZs is a best practice for high availability and fault tolerance: if one AZ goes down, resources in the other AZs keep running.
    • Subnets can be either
  • Route tables
    • Route tables determine where network traffic is directed, i.e. routing. They contain routes, each pairing a destination (an IP address range in CIDR form) with a target (the local VPC, an internet gateway, a NAT gateway, a VPC peering connection, a virtual private gateway, a VPC endpoint, or a specific network interface).
    • Every route table contains a local route covering the VPC CIDR that cannot be deleted; it is what lets subnets in the same VPC reach each other. The most specific matching route wins (longest prefix match), so the local route takes precedence over a 0.0.0.0/0 default route for traffic inside the VPC, while additional routes send traffic to the internet or to other VPCs.
    • A route table can be associated with many subnets, but each subnet is associated with exactly one route table at a time. A subnet with no explicit association uses the VPC's main route table, so be careful what goes into the main table: a default route to an internet gateway there makes every unassociated subnet public.
  • Gateways and endpoints
    • Internet gateways provide the route to the public internet for public subnets. A resource in a public subnet that has a public IPv4 address (auto-assigned or an Elastic IP) can communicate directly with the internet in both directions, subject to its security group and the subnet's NACL. The internet gateway performs one-to-one NAT between the resource's private address and its public one, so a resource in the same subnet without a public address cannot reach the internet through it.
    • NAT gateways let resources in private subnets reach the public internet for outbound connections (package updates, external APIs) without being reachable from it. The NAT gateway itself lives in a public subnet with an Elastic IP, and the private subnet's route table sends 0.0.0.0/0 to it. Connections can only be initiated from inside, since the instances behind it have no public IP of their own.
    • VPC endpoints connect the VPC to other AWS services without going through the public internet, so traffic between your resources and those services stays on the AWS network. Gateway endpoints (for S3 and DynamoDB) are added as route-table targets; interface endpoints (AWS PrivateLink) place an ENI with a private IP in your subnet and accept a security group. Both kinds carry an endpoint policy that restricts which principals and resources can be reached through them, which helps keep data from leaving your account.
  • Security groups
    • Security groups are stateful firewall rule sets that control traffic to and from the resources in a VPC (EC2 instances, ECS tasks, Lambda functions attached to the VPC, RDS databases, and so on). They act as a virtual firewall for whichever resources they are attached to. Rules are allow-only: there are no deny rules, and anything not explicitly allowed is dropped. A rule's source or destination can be a CIDR, a prefix list, or another security group, which lets you express "only the web tier may talk to the database tier" without hard-coding IP addresses.
    • Security groups are attached to elastic network interfaces (ENIs), not to subnets or to the VPC; attaching one to an instance really means attaching it to the instance's ENIs. A newly created custom security group starts with no inbound rules and an allow-all outbound rule.
    • Security group rules are stateful: if you allow inbound traffic to a resource, the response traffic is automatically allowed back out, and vice versa; if you allow outbound traffic from a resource to a destination, the return traffic is automatically allowed back in. This is not the case with network access control lists (NACLs).
  • Network access control lists (NACLs)
    • NACLs are stateless firewalls attached to subnets. They filter traffic entering and leaving the subnet, so they apply to every resource in it; traffic between two instances in the same subnet never crosses the NACL.
    • A NACL can only be attached to subnets; it is not attached to network interfaces or to the VPC. Each subnet is associated with exactly one NACL, and a subnet with no explicit association uses the VPC's default NACL, which allows all inbound and outbound traffic.
    • NACL rules are stateless: allowing inbound traffic to a subnet does not automatically allow the return traffic back out; you need a separate outbound rule, and vice versa. Rules are numbered and evaluated in ascending order, the first match wins, and a NACL can contain explicit deny rules, which is the one thing a security group cannot do. Because replies go back to ephemeral ports chosen by the client (AWS recommends allowing 1024-65535), a NACL that only allows inbound 443 silently breaks every HTTPS connection to the subnet until the outbound ephemeral range is opened as well.
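
A worked example, added here and not part of the original post, that models the VPC, subnet and route-table pieces above in Python: it carves one subnet per tier and AZ out of a VPC CIDR with the standard ipaddress module, checks that they do not overlap, builds route tables that always carry the local route, and classifies each tier as public, private, or isolated by longest-prefix-match lookup of a public address. The AZ names and the igw-/nat- target strings are placeholders, not real AWS resource IDs.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example: one VPC CIDR and three AZ names (illustrative, not a real account).
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
AZS = ("us-east-1a", "us-east-1b", "us-east-1c")
TIERS = ("public", "private", "isolated")


def carve_subnets(vpc_cidr, azs, tiers=TIERS, new_prefix=24):
    """Allocate one /new_prefix subnet per (tier, AZ) out of vpc_cidr.
    Each subnet sits in exactly one AZ; every tier spans all AZs."""
    pool = vpc_cidr.subnets(new_prefix=new_prefix)
    return {(tier, az): next(pool) for tier in tiers for az in azs}


def all_disjoint(networks):
    """True if no two subnets overlap (the VPC rejects overlapping subnet CIDRs)."""
    nets = list(networks)
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


@dataclass
class RouteTable:
    name: str
    routes: dict = field(default_factory=dict)   # destination network -> target

    def lookup(self, dst_ip):
        """Pick the target for dst_ip by longest prefix match, as the VPC router does."""
        dst = ipaddress.ip_address(dst_ip)
        best = None
        for net, target in self.routes.items():
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


def make_route_table(name, vpc_cidr, default_target=None):
    """Every route table starts with the local route for the VPC CIDR, which cannot be
    removed; the optional 0.0.0.0/0 route is what makes a subnet public or private."""
    rt = RouteTable(name, {vpc_cidr: "local"})
    if default_target is not None:
        rt.routes[ipaddress.ip_network("0.0.0.0/0")] = default_target
    return rt


def classify(rt, probe_ip="198.51.100.1"):
    """Classify the subnets using rt by where traffic to a public address would go.
    The igw-/nat- target prefixes are hypothetical placeholders, not real resource IDs."""
    target = rt.lookup(probe_ip)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


if __name__ == "__main__":
    layout = carve_subnets(VPC_CIDR, AZS)
    tables = {
        "public": make_route_table("public", VPC_CIDR, "igw-example"),
        "private": make_route_table("private", VPC_CIDR, "nat-example"),
        "isolated": make_route_table("isolated", VPC_CIDR),
    }
    assert all_disjoint(layout.values())
    for (tier, az), cidr in layout.items():
        print(f"{tier:8} {az}  {cidr}  -> {classify(tables[tier])}")
```

The lookup shows why the local route always wins for in-VPC traffic even when a 0.0.0.0/0 route is present: 10.0.0.0/16 is a longer prefix than /0. The same function applied to a public address is all that separates a public subnet from a private or isolated one.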

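An added example (not the author's code) that simulates the stateful-versus-stateless difference for a single HTTPS request from an internet client and the instance's reply. The Packet, Rule, SecurityGroup and NetworkAcl classes and all addresses are constructed for illustration; the security-group connection tracking is a simplified model of what AWS does, not its implementation.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: one HTTPS request from an internet client to an instance in
# the VPC, and the instance's reply. Addresses come from documentation ranges.
EPHEMERAL_PORTS = (1024, 65535)  # range AWS recommends opening in NACLs for return traffic


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self):
        """The reply packet for this packet (addresses and ports swapped)."""
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" or "out"
    proto: str
    port_from: int          # the port range is the packet's destination port,
    port_to: int            # for inbound and outbound rules alike
    cidr: str               # source for inbound rules, destination for outbound
    action: str = "allow"   # NACL rules may "deny"; security groups are allow-only
    number: int = 0         # NACL evaluation order (lowest first); unused by SGs

    def matches(self, pkt, direction):
        if self.direction != direction or self.proto != pkt.proto:
            return False
        peer = pkt.src_ip if direction == "in" else pkt.dst_ip
        in_range = self.port_from <= pkt.dst_port <= self.port_to
        return in_range and ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr)


class SecurityGroup:
    """Stateful and allow-only: once a flow is permitted, its replies are permitted."""

    def __init__(self, rules):
        rules = list(rules)
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups have no deny rules")
        self.rules = rules
        self.tracked = set()  # connection tracking: flows already permitted

    def evaluate(self, pkt, direction):
        if pkt.reverse() in self.tracked:   # reply to a permitted flow, no rule needed
            return True
        if any(r.matches(pkt, direction) for r in self.rules):
            self.tracked.add(pkt)
            return True
        return False                        # implicit deny


class NetworkAcl:
    """Stateless: every packet, replies included, must match a rule on its own.
    Rules are checked in ascending number order and the first match wins."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt, direction):
        for r in self.rules:
            if r.matches(pkt, direction):
                return r.action == "allow"
        return False                        # the implicit final deny ("*") rule


def check_request_and_reply(fw, request):
    """Run an inbound request and its outbound reply through fw.
    Returns (request_allowed, reply_allowed)."""
    return fw.evaluate(request, "in"), fw.evaluate(request.reverse(), "out")


REQUEST = Packet("203.0.113.10", 51515, "10.0.0.5", 443)  # client -> instance, constructed

if __name__ == "__main__":
    sg = SecurityGroup([Rule("in", "tcp", 443, 443, "0.0.0.0/0")])
    print("security group, inbound 443 only:", check_request_and_reply(sg, REQUEST))

    nacl_half = NetworkAcl([Rule("in", "tcp", 443, 443, "0.0.0.0/0", number=100)])
    print("NACL, inbound 443 only:", check_request_and_reply(nacl_half, REQUEST))

    nacl_full = NetworkAcl([
        Rule("in", "tcp", 443, 443, "0.0.0.0/0", number=100),
        Rule("out", "tcp", *EPHEMERAL_PORTS, "0.0.0.0/0", number=100),
    ])
    print("NACL, plus outbound ephemeral ports:", check_request_and_reply(nacl_full, REQUEST))
```

The first two scenarios use the same single rule, inbound TCP 443 from anywhere, and only the security group lets the reply out; the NACL drops it because the reply's destination port 51515 matches nothing. The third scenario is the usual fix, an outbound rule for the ephemeral range. Adding a low-numbered deny rule to a NACL shows the ordering behaviour: it shadows any higher-numbered allow for the same traffic.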