When you deploy resources on AWS, they don't just float in a shared network — they live inside a Virtual Private Cloud (VPC). A VPC is your own private, isolated section of the AWS network where you control IP addressing, routing, and access control. Understanding VPCs is essential because every EC2 instance, RDS database, and Lambda function inside a VPC depends on networking fundamentals to communicate securely.
What Is a VPC?
A VPC is a logically isolated virtual network in AWS. Think of it as your own data center network in the cloud. You define the IP address range (using CIDR notation), create subnets, configure routing, and decide what can communicate with what. Every AWS account comes with a default VPC in each region — pre-configured and ready to use.
CIDR Blocks and IP Addressing
When creating a VPC, you choose a CIDR block — the range of private IP addresses available inside the VPC. Common choices:
- 10.0.0.0/16 — 65,536 addresses (recommended for most VPCs)
- 172.16.0.0/12 — ~1 million addresses
- 192.168.0.0/16 — 65,536 addresses
```bash
# Create a VPC with a /16 CIDR block
aws ec2 create-vpc \
  --cidr-block 10.0.0.0/16 \
  --tag-specifications "ResourceType=vpc,Tags=[{Key=Name,Value=my-prod-vpc}]"
```
Subnets: Public vs. Private
A subnet is a subdivision of your VPC's IP range, confined to a single Availability Zone. The critical distinction:
- Public subnet — Has a route to the Internet Gateway. Resources here can receive inbound internet traffic if they also have a public or Elastic IP address and security group rules that permit it.
- Private subnet — No direct route to the internet. Resources here are isolated from inbound internet traffic. They can reach the internet via a NAT Gateway in a public subnet.
```bash
# Create a public subnet in us-east-1a
aws ec2 create-subnet \
  --vpc-id vpc-0abc12345def67890 \
  --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a \
  --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=public-subnet-1a}]"

# Create a private subnet in us-east-1a
aws ec2 create-subnet \
  --vpc-id vpc-0abc12345def67890 \
  --cidr-block 10.0.2.0/24 \
  --availability-zone us-east-1a \
  --tag-specifications "ResourceType=subnet,Tags=[{Key=Name,Value=private-subnet-1a}]"
```
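Before running the create-vpc and create-subnet commands above, it is worth planning the address space on paper: each subnet must sit inside the VPC CIDR, no two subnets may overlap, and AWS keeps five addresses out of every subnet for itself. The following Python script is an added example, not code from the original article; it carves a /16 into one /24 per tier and AZ and validates hand-picked subnet CIDRs the way the API would. The tier and AZ names are illustrative, and the sample CIDRs are constructed.

```python
import ipaddress

# AWS reserves five addresses in every subnet: the network address, the VPC
# router (.1), DNS (.2), one future-use address (.3) and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, azs, tiers, prefix=24):
    """Carve a VPC CIDR into one /prefix subnet per (tier, AZ) pair, tier by tier.

    Returns dicts with the subnet CIDR, its tier and AZ, and the number of
    addresses left for instances after AWS's reserved addresses.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    # The VPC API accepts primary IPv4 CIDRs from /16 to /28 only.
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError(f"{vpc_cidr}: VPC CIDR must be between /16 and /28")
    if not vpc.prefixlen <= prefix <= 28:
        raise ValueError(f"subnet prefix /{prefix} must be between /{vpc.prefixlen} and /28")

    blocks = vpc.subnets(new_prefix=prefix)
    plan = []
    for tier in tiers:
        for az in azs:
            try:
                block = next(blocks)
            except StopIteration:
                raise ValueError(f"{vpc_cidr} has no room for another /{prefix}") from None
            plan.append({
                "name": f"{tier}-{az}",
                "tier": tier,
                "az": az,
                "cidr": str(block),
                "usable": block.num_addresses - AWS_RESERVED_PER_SUBNET,
            })
    return plan


def check_subnets(vpc_cidr, subnet_cidrs):
    """Validate hand-picked subnet CIDRs the way CreateSubnet would:
    each must lie inside the VPC range and none may overlap another.

    Returns (outside, overlaps): CIDRs not contained in the VPC, and pairs
    of CIDRs that overlap each other.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    outside = [str(n) for n in nets if not n.subnet_of(vpc)]
    overlaps = [
        (str(a), str(b))
        for i, a in enumerate(nets)
        for b in nets[i + 1:]
        if a.overlaps(b)
    ]
    return outside, overlaps


if __name__ == "__main__":
    for s in plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"], ["public", "private"]):
        print(f"{s['name']:<20} {s['cidr']:<16} {s['usable']} usable addresses")
    # The two subnets from the commands above, plus a constructed overlapping
    # block and one that falls outside the VPC range.
    print(check_subnets("10.0.0.0/16",
                        ["10.0.1.0/24", "10.0.2.0/24", "10.0.1.128/25", "192.168.0.0/24"]))
```

A /24 yields 251 assignable addresses, not 256; for small /28 subnets the reservation leaves only 11, which matters when sizing subnets for load balancers or Lambda ENIs.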
Internet Gateway
An Internet Gateway (IGW) is what connects your VPC to the public internet. Without one, nothing inside your VPC can reach the internet, and the internet cannot reach your resources. Attach one to your VPC:
```bash
# Create an Internet Gateway; note the InternetGatewayId in the output
aws ec2 create-internet-gateway
# Attach it to the VPC (igw-0abc12345def67890 stands in for the id returned above)
aws ec2 attach-internet-gateway \
  --internet-gateway-id igw-0abc12345def67890 \
  --vpc-id vpc-0abc12345def67890
```
Route Tables
Route tables control where network traffic is directed. Each subnet must be associated with a route table. A public subnet needs a route that sends 0.0.0.0/0 (all traffic) to the Internet Gateway:
```bash
# Create a route table for the public subnet; note the RouteTableId in the output
aws ec2 create-route-table --vpc-id vpc-0abc12345def67890
# Add a default route (0.0.0.0/0) that points at the Internet Gateway
aws ec2 create-route \
  --route-table-id rtb-0abc12345def67890 \
  --destination-cidr-block 0.0.0.0/0 \
  --gateway-id igw-0abc12345def67890
# Associate the route table with the public subnet
aws ec2 associate-route-table \
  --route-table-id rtb-0abc12345def67890 \
  --subnet-id subnet-0abc12345def67890
```
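Once route tables exist, the question a reviewer asks of any VPC is "which subnets are actually public?" The answer comes from the route tables, not from the subnet names: a subnet is public when its table carries a route to an Internet Gateway, private when its only way out is a NAT Gateway, and isolated when it has neither. The script below is an added example, not code from the original article. It works on a constructed sample shaped like the RouteTables list that `aws ec2 describe-route-tables --output json` returns (the IDs are placeholders), applies the main-table fallback for subnets with no explicit association, and resolves destinations by longest-prefix match the way the VPC router does.

```python
import ipaddress

# Constructed sample shaped like `aws ec2 describe-route-tables --output json`.
# All IDs are placeholders, not real resources.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-0abc12345def67890",
        "Associations": [{"SubnetId": "subnet-public-1a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc12345def67890"},
        ],
    },
    {
        "RouteTableId": "rtb-private-placeholder",
        "Associations": [{"SubnetId": "subnet-private-1a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-placeholder"},
        ],
    },
    {
        # The main route table: used by every subnet without an explicit association
        "RouteTableId": "rtb-main-placeholder",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
]

# Fields in which a route's target may appear in the describe-route-tables output
TARGET_KEYS = ("GatewayId", "NatGatewayId", "TransitGatewayId",
               "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId")


def route_target(route):
    """Return the route's target identifier, whichever field carries it."""
    for key in TARGET_KEYS:
        if key in route:
            return route[key]
    return None


def route_table_for(subnet_id, tables):
    """A subnet uses its explicitly associated table, otherwise the VPC's main table."""
    main = None
    for table in tables:
        for assoc in table["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return table
            if assoc.get("Main"):
                main = table
    if main is None:
        raise ValueError("no main route table in the sample")
    return main


def resolve(dest_ip, table):
    """Longest-prefix match: the 'local' route for the VPC range wins over
    0.0.0.0/0 for in-VPC destinations, the default route for everything else."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for route in table["Routes"]:
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route_target(route))
    return best[1] if best else None


def classify_subnet(subnet_id, tables):
    """public: a route points at an Internet Gateway; private: egress only
    through a NAT Gateway; isolated: no route to the internet at all."""
    targets = [route_target(r) or "" for r in route_table_for(subnet_id, tables)["Routes"]]
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("nat-") for t in targets):
        return "private"
    return "isolated"


def audit(subnet_ids, tables):
    """Map every subnet to its exposure class."""
    return {s: classify_subnet(s, tables) for s in subnet_ids}


if __name__ == "__main__":
    for subnet, kind in audit(["subnet-public-1a", "subnet-private-1a", "subnet-db-1a"],
                              ROUTE_TABLES).items():
        print(f"{subnet:<20} {kind}")
```

The third subnet in the sample has no association at all, so it inherits the main table and comes out as isolated; in a real account this is also where a forgotten IGW route in the main table silently makes every unassociated subnet public, so the main table deserves the same scrutiny as the explicitly associated ones.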
Security Groups
A security group is a stateful virtual firewall for your EC2 instances and other resources. Stateful means if you allow inbound traffic on port 80, the return traffic is automatically allowed — you don't need to add an outbound rule.
```bash
# Create a security group in the VPC; note the GroupId in the output
aws ec2 create-security-group \
  --group-name web-sg \
  --description "Web server security group" \
  --vpc-id vpc-0abc12345def67890
# Allow inbound HTTP and HTTPS from anywhere (return traffic is allowed automatically)
aws ec2 authorize-security-group-ingress \
  --group-id sg-0abc12345def67890 \
  --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress \
  --group-id sg-0abc12345def67890 \
  --protocol tcp --port 443 --cidr 0.0.0.0/0
```
Network ACLs vs. Security Groups
Both control traffic, but they work differently:
- Security Groups — Applied at the instance/resource level. Stateful. Support Allow rules only (implicit deny).
- Network ACLs — Applied at the subnet level. Stateless (you must allow both inbound and outbound for each connection). Support both Allow and Deny rules. Evaluated in rule number order.
For most use cases, security groups are sufficient. Use Network ACLs for an extra layer of subnet-level defense or for explicit deny rules.
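The stateful/stateless distinction is easiest to see by tracing one HTTP connection through both kinds of filter. The Python model below is an added example, not code from the original article: it implements a security group (allow-only, connection-tracked) and a network ACL (ordered, allow-or-deny, no connection tracking) with the evaluation rules described in this section and in the Security Groups section above, then runs a constructed client through them. It shows the classic NACL mistake, an inbound allow for port 80 with no outbound allow for the client's ephemeral port, and an explicit deny that wins because it has the lower rule number. The client address and the denied range are documentation addresses chosen for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"; security group rules are always "allow"
    protocol: str    # "tcp", "udp" or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str
    number: int = 0  # NACL rule number; unused for security groups


def _matches(rule, protocol, port, ip):
    """Does this rule cover the given protocol, port and remote address?"""
    if rule.protocol != "-1" and rule.protocol != protocol:
        return False
    if not rule.from_port <= port <= rule.to_port:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)


class SecurityGroup:
    """Stateful and allow-only. Inbound is admitted when any rule matches
    (otherwise the implicit deny applies); the reply to an admitted
    connection is let out without consulting outbound rules at all."""

    def __init__(self, inbound):
        self.inbound = inbound
        self.tracked = set()  # (protocol, remote_ip, remote_port, local_port)

    def inbound_allowed(self, protocol, src_ip, src_port, dst_port):
        if any(_matches(r, protocol, dst_port, src_ip) for r in self.inbound):
            self.tracked.add((protocol, src_ip, src_port, dst_port))
            return True
        return False

    def reply_allowed(self, protocol, dst_ip, dst_port, src_port):
        return (protocol, dst_ip, dst_port, src_port) in self.tracked


class NetworkAcl:
    """Stateless. Each direction is evaluated on its own, rules in ascending
    number order, first match wins, and the trailing '*' rule denies the rest."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, protocol, port, ip):
        for r in rules:
            if _matches(r, protocol, port, ip):
                return r.action == "allow"
        return False  # the implicit '*' deny

    def inbound_allowed(self, protocol, src_ip, src_port, dst_port):
        return self._evaluate(self.inbound, protocol, dst_port, src_ip)

    def reply_allowed(self, protocol, dst_ip, dst_port, src_port):
        # The reply leaves for the client's ephemeral port, so the OUTBOUND
        # rules must cover that port range or the connection hangs.
        return self._evaluate(self.outbound, protocol, dst_port, dst_ip)


def demo():
    """Walk one HTTP connection from a constructed client through each filter."""
    client_ip, client_port = "203.0.113.10", 49152  # constructed, documentation range

    web_sg = SecurityGroup(inbound=[Rule("allow", "tcp", 80, 80, "0.0.0.0/0")])

    # NACL that allows HTTP in but only HTTPS out: the reply is dropped.
    forgot_ephemeral = NetworkAcl(
        inbound=[Rule("allow", "tcp", 80, 80, "0.0.0.0/0", number=100)],
        outbound=[Rule("allow", "tcp", 443, 443, "0.0.0.0/0", number=100)],
    )
    # Corrected NACL: ephemeral ports out, plus an explicit deny that wins
    # over the later allow because it carries a lower rule number.
    corrected = NetworkAcl(
        inbound=[Rule("deny", "tcp", 80, 80, "198.51.100.0/24", number=90),
                 Rule("allow", "tcp", 80, 80, "0.0.0.0/0", number=100)],
        outbound=[Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0", number=100)],
    )
    return {
        "sg_inbound": web_sg.inbound_allowed("tcp", client_ip, client_port, 80),
        "sg_reply": web_sg.reply_allowed("tcp", client_ip, client_port, 80),
        "nacl_inbound": forgot_ephemeral.inbound_allowed("tcp", client_ip, client_port, 80),
        "nacl_reply_dropped": forgot_ephemeral.reply_allowed("tcp", client_ip, client_port, 80),
        "nacl_reply_fixed": corrected.reply_allowed("tcp", client_ip, client_port, 80),
        "nacl_explicit_deny": corrected.inbound_allowed("tcp", "198.51.100.7", 50000, 80),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:<20} {result}")
```

The security group admits the reply purely because it remembers the connection; the first NACL drops the same reply even though the inbound request was allowed, which is why NACL outbound rules almost always include the ephemeral range 1024-65535. The explicit deny at rule 90 is the one thing a security group cannot express.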
NAT Gateway for Private Subnets
Resources in private subnets often need to reach the internet for software updates or external API calls, without being directly reachable from the internet. A NAT Gateway in a public subnet enables this outbound-only connectivity. Note: NAT Gateways cost ~$0.045/hour plus data transfer fees — not free-tier eligible.
Recommended VPC Architecture
- 2 public subnets (one per AZ) — for load balancers and NAT Gateways
- 2 private subnets (one per AZ) — for EC2 instances and databases
- 1 Internet Gateway
- 1–2 NAT Gateways (one per AZ for high availability)
- Separate security groups for each tier (web, app, database)
Summary
A well-designed VPC is the foundation of every secure AWS deployment. Public subnets expose load balancers to the internet; private subnets protect application servers and databases from direct exposure. Route tables, security groups, and Internet Gateways are the tools that make this isolation work. Master VPC networking and the rest of AWS architecture becomes much clearer.