AWS VPC | My Portfolio

What is a VPC?

Virtual Private Cloud — your own isolated private network within AWS
Spans all AZs in a region (regional resource)
You control: IP ranges, subnets, route tables, gateways, security rules
AWS gives a default VPC per region (ready to use, all public subnets) — never delete it
You create custom VPCs for production workloads with proper isolation

Default VPC:

Has a default subnet in every AZ
All instances get public + private IPs
Has an IGW attached — internet-ready out of the box
Fine for dev/testing, not for production

CIDR Blocks

VPC is defined by a CIDR block — e.g. 10.0.0.0/16
/16 = 65,536 IPs | /24 = 256 IPs | /28 = 16 IPs (minimum)
AWS reserves 5 IPs per subnet (first 4 + last 1):
- .0 — Network address
- .1 — VPC router
- .2 — AWS DNS
- .3 — Reserved for future use
- .255 — Broadcast (not supported, reserved)

Exam trap: If you need 29 usable IPs, you need at least a /27 (32 IPs), not /28 (16 IPs — only 11 usable after AWS reserves 5).

Subnets

A subnet is a sub-range of your VPC CIDR, tied to a single AZ
Public subnet — has a route to an IGW → instances can reach the internet
Private subnet — no route to IGW → no direct internet access

graph TD
    VPC[VPC — 10.0.0.0/16] --> PubA[Public Subnet<br/>10.0.1.0/24<br/>AZ-A]
    VPC --> PubB[Public Subnet<br/>10.0.2.0/24<br/>AZ-B]
    VPC --> PrivA[Private Subnet<br/>10.0.3.0/24<br/>AZ-A]
    VPC --> PrivB[Private Subnet<br/>10.0.4.0/24<br/>AZ-B]

    PubA --> IGW[Internet Gateway]
    PubB --> IGW
    PrivA --> NAT[NAT Gateway<br/>in Public Subnet]
    PrivB --> NAT
    NAT --> IGW
    IGW --> Internet([Internet])

    style VPC fill:#dbeafe,stroke:#3b82f6
    style PubA fill:#dcfce7,stroke:#16a34a
    style PubB fill:#dcfce7,stroke:#16a34a
    style PrivA fill:#fef9c3,stroke:#ca8a04
    style PrivB fill:#fef9c3,stroke:#ca8a04
    style IGW fill:#f3e8ff,stroke:#9333ea
    style NAT fill:#fed7aa,stroke:#ea580c
    style Internet fill:#dbeafe,stroke:#3b82f6

Standard 3-tier architecture:

Public subnet: Load Balancers, NAT Gateways, Bastion Hosts
Private subnet (app): EC2 instances, ECS tasks
Private subnet (data): RDS, ElastiCache, internal services

Internet Gateway (IGW)

Allows resources in a public subnet to connect to the internet
Scales horizontally — fully managed, no bandwidth limit, no HA concerns
One IGW per VPC — you attach it to the VPC, not the subnet
For a subnet to be "public": it needs both an IGW attached to the VPC and a route in its route table pointing 0.0.0.0/0 → IGW
Also enables inbound traffic from the internet (with correct SG rules)

IGW is not a NAT — it does 1:1 mapping between private IP and Elastic IP for instances with a public IP.

Route Tables

Every subnet must be associated with a route table
Route table = list of rules: "traffic going to X should go to Y"
Main route table — auto-created with VPC, associated with all subnets that don't have an explicit association
Custom route tables — create per subnet type (public/private) for fine-grained control

Public subnet route table example:

Destination	Target	Description
`10.0.0.0/16`	local	VPC-internal traffic stays local
`0.0.0.0/0`	igw-xxx	All internet-bound traffic → IGW

Private subnet route table example:

Destination	Target	Description
`10.0.0.0/16`	local	VPC-internal traffic stays local
`0.0.0.0/0`	nat-xxx	Internet-bound traffic → NAT Gateway

Most specific route wins — 10.0.0.0/24 beats 10.0.0.0/16 for traffic to that range.

NAT Gateway

Allows private subnet instances to initiate outbound internet connections (e.g. to download packages)
Blocks inbound connections from the internet — private instances stay private
Lives in a public subnet, uses an Elastic IP
Managed by AWS — fully managed, highly available within AZ
Scales automatically up to 45 Gbps

graph LR
    PrivEC2[EC2 in Private Subnet] -->|outbound only| NAT[NAT Gateway<br/>Public Subnet]
    NAT --> IGW[IGW]
    IGW --> Internet([Internet])
    Internet -.->|blocked inbound| NAT

    style PrivEC2 fill:#fef9c3,stroke:#ca8a04
    style NAT fill:#fed7aa,stroke:#ea580c
    style IGW fill:#f3e8ff,stroke:#9333ea

NAT Gateway vs NAT Instance

	NAT Gateway	NAT Instance
Managed by	AWS	You
Availability	HA within AZ	Single EC2, you manage failover
Bandwidth	Up to 45 Gbps	Depends on instance type
Security Groups	❌ Cannot attach	✅ Can attach
Cost	Higher	Lower (EC2 cost)
Use today	✅ Always prefer	Legacy only

NAT Gateway High Availability

A single NAT Gateway is AZ-scoped — if AZ fails, private instances in other AZs lose internet
Best practice: Create one NAT Gateway per AZ, each with its own route table

graph TD
    PrivA[Private Subnet AZ-A] --> NATA[NAT GW — AZ-A]
    PrivB[Private Subnet AZ-B] --> NATB[NAT GW — AZ-B]
    NATA --> IGW[IGW]
    NATB --> IGW

    style NATA fill:#fed7aa,stroke:#ea580c
    style NATB fill:#fed7aa,stroke:#ea580c
    style IGW fill:#f3e8ff,stroke:#9333ea

Security Groups vs NACLs

	Security Group	NACL
Level	Instance (ENI)	Subnet
State	Stateful — return traffic auto-allowed	Stateless — must explicitly allow both directions
Rules	Allow only	Allow + Deny
Rule evaluation	All rules evaluated together	Rules evaluated in order (lowest number wins)
Default (custom)	Deny all inbound, allow all outbound	Allow all inbound + outbound
Applies to	Any instance you attach it to	All instances in the subnet automatically
Scope	First line of defence for instances	Subnet-level firewall (coarse-grained)

NACL Rule Evaluation:

Rule 100: Allow 10.0.0.0/8 on port 443  ← checked first
Rule 200: Deny  0.0.0.0/0  on port 443  ← only checked if rule 100 didn't match
Rule *:   Deny  0.0.0.0/0  (default)    ← catches everything else

Ephemeral ports (NACL gotcha):

When a client connects to a server, the response goes back on a random ephemeral port (1024–65535)
NACLs must explicitly allow the ephemeral port range for return traffic
Security Groups handle this automatically (stateful)

Exam trap: NACLs are stateless — if you allow port 443 inbound, you must also add an outbound rule for ephemeral ports 1024–65535 or responses will be blocked.

When to Use Which

Security Groups: Primary, always-on instance-level control
NACLs: Additional subnet-level layer — especially useful for blocking specific IPs (e.g. denying a malicious IP range — you can't deny in SGs)

VPC Peering

Connect two VPCs privately — traffic routes through AWS backbone, not the internet
Can peer across accounts and regions (inter-region VPC peering)
Instances communicate as if they're in the same network
Not transitive — if VPC-A peers with VPC-B and VPC-B peers with VPC-C, VPC-A cannot reach VPC-C through B

graph LR
    A[VPC A] <-->|Peering| B[VPC B]
    B <-->|Peering| C[VPC C]
    A -.->|❌ No transit| C

    style A fill:#dcfce7,stroke:#16a34a
    style B fill:#dbeafe,stroke:#3b82f6
    style C fill:#fef9c3,stroke:#ca8a04

Requirements:

CIDRs must not overlap — no 10.0.0.0/16 ↔ 10.0.0.0/16 peering
Must update route tables on both sides to point to the peering connection
Must update Security Groups to allow traffic from the peered VPC CIDR

Exam tip: For many VPCs needing full mesh connectivity, VPC peering becomes unmanageable (N×(N-1)/2 connections). Use Transit Gateway instead.

VPC Endpoints

Access AWS services privately without going through the internet (no IGW, no NAT, no public IP needed).

graph LR
    EC2[EC2 in Private Subnet] -->|private| EP[VPC Endpoint]
    EP --> S3[S3 / DynamoDB]
    EC2 -.->|without endpoint| NAT[NAT GW → IGW → Internet → S3]

    style EC2 fill:#fef9c3,stroke:#ca8a04
    style EP fill:#f3e8ff,stroke:#9333ea
    style S3 fill:#dcfce7,stroke:#16a34a

Gateway Endpoints

Free — no additional cost
Only for: S3 and DynamoDB
Works by adding a route in the route table pointing to the endpoint
Does not use an ENI — no IP address

Interface Endpoints (AWS PrivateLink)

Paid — ~$0.01/hr + data transfer
Works for most other AWS services (SSM, SNS, SQS, CloudWatch, API Gateway, Kinesis, etc.)
Creates an ENI (Elastic Network Interface) with a private IP in your subnet
Can be accessed from on-premises via VPN or Direct Connect

	Gateway Endpoint	Interface Endpoint
Cost	Free	Paid
Services	S3, DynamoDB only	Most AWS services
How it works	Route table entry	ENI with private IP
On-prem access	❌	✅ via VPN/DX

Exam tip: "Access S3 from private subnet without NAT" → Gateway Endpoint. "Access SQS/SSM from private subnet" → Interface Endpoint.

VPC Flow Logs

Capture IP traffic information going to/from network interfaces in your VPC
Can be enabled at: VPC level, Subnet level, or ENI level
Logs go to: CloudWatch Logs or S3
Does not capture: DNS traffic, Windows license activation, metadata service traffic (169.254.x.x), DHCP traffic

Flow log record format:

version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status

Use cases:

Diagnose overly restrictive SG rules
Monitor traffic reaching your instance
Detect anomalies, port scanning
Security forensics

Bastion Host

A public EC2 instance used as a jump box to SSH into private instances
Sits in a public subnet, accepts SSH from specific IPs (your corporate IP, not 0.0.0.0/0)
Private instances only allow SSH from the Bastion's Security Group

graph LR
    Internet([Your IP]) -->|SSH port 22| Bastion[Bastion Host<br/>Public Subnet]
    Bastion -->|SSH port 22| Private[Private EC2<br/>Private Subnet]
    Internet -.->|blocked| Private

    style Bastion fill:#dcfce7,stroke:#16a34a
    style Private fill:#fef9c3,stroke:#ca8a04

Modern alternative: SSM Session Manager — no bastion, no port 22, full audit trail. Prefer this for production.

Site-to-Site VPN

Connect your on-premises network to your VPC over the public internet (encrypted)
Components:
- Virtual Private Gateway (VGW) — AWS side, attached to VPC
- Customer Gateway (CGW) — your side (physical device or software)
Traffic is encrypted using IPSec
Bandwidth: limited by internet connection, not AWS
Setup time: minutes

graph LR
    OnPrem[On-Premises<br/>Data Centre] <-->|IPSec VPN<br/>over Internet| VGW[Virtual Private Gateway]
    VGW --> VPC[VPC]

    style OnPrem fill:#fef9c3,stroke:#ca8a04
    style VGW fill:#f3e8ff,stroke:#9333ea
    style VPC fill:#dbeafe,stroke:#3b82f6

Direct Connect (DX)

Dedicated physical connection from on-premises to AWS — bypasses the internet entirely
More consistent latency, higher bandwidth (1 Gbps or 10 Gbps)
Takes weeks to set up (physical cable provisioning)
Not encrypted by default — combine with VPN over DX for encryption
Use for: large data transfers, latency-sensitive workloads, compliance

	Site-to-Site VPN	Direct Connect
Path	Over internet (encrypted)	Dedicated private line
Bandwidth	Limited by internet	1 or 10 Gbps
Latency	Variable	Consistent, low
Setup time	Minutes	Weeks
Cost	Low	High
Encryption	Yes (IPSec)	No (add VPN on top)
Use when	Quick hybrid setup	Large-scale, consistent throughput

Transit Gateway

Hub-and-spoke model — connect many VPCs and on-prem networks through a single gateway
Eliminates the N×(N-1)/2 peering problem — every VPC just connects to TGW
Supports: VPC attachments, VPN attachments, Direct Connect Gateway attachments
Regional resource, but can peer with TGW in other regions
Supports route tables per attachment — enables network segmentation

graph TD
    TGW[Transit Gateway]
    TGW <--> VPC1[VPC 1]
    TGW <--> VPC2[VPC 2]
    TGW <--> VPC3[VPC 3]
    TGW <--> VPC4[VPC 4]
    TGW <--> VPN[Site-to-Site VPN<br/>On-Premises]

    style TGW fill:#f3e8ff,stroke:#9333ea,stroke-width:2px
    style VPC1 fill:#dcfce7,stroke:#16a34a
    style VPC2 fill:#dcfce7,stroke:#16a34a
    style VPC3 fill:#dcfce7,stroke:#16a34a
    style VPC4 fill:#dcfce7,stroke:#16a34a
    style VPN fill:#fef9c3,stroke:#ca8a04

Exam tip: VPC Peering = simple, two VPCs, non-transitive. Transit Gateway = many VPCs, transitive routing, centralized.

VPC Exam Cheat Sheet

Scenario	Answer
Private instance needs to download packages from internet	NAT Gateway in public subnet
Connect two VPCs in same account, same region	VPC Peering
Connect 10 VPCs + on-prem without managing 45 peering connections	Transit Gateway
Block a specific malicious IP at subnet level	NACL Deny rule (SGs can't deny)
Access S3 from private subnet without NAT costs	Gateway Endpoint (free)
Access SQS from private subnet without internet	Interface Endpoint (PrivateLink)
SSH into private EC2 without opening port 22 to internet	SSM Session Manager or Bastion Host
Connect on-prem to AWS quickly, encrypted	Site-to-Site VPN
Connect on-prem to AWS with consistent 10 Gbps, no internet	Direct Connect
Capture traffic logs for security forensics	VPC Flow Logs
Private subnet instance has no internet even with NAT	Check route table — missing `0.0.0.0/0 → NAT` route
Instance in public subnet can't reach internet	Check route table (`0.0.0.0/0 → IGW`) + IGW attached to VPC + public IP assigned
Two VPCs can't peer — overlapping CIDRs	CIDRs must be non-overlapping
NACLs blocking traffic even though SG allows	Check outbound NACL allows ephemeral ports `1024–65535`

Summary

Concept	One-liner
VPC	Isolated private network in AWS, regional, you control everything
Subnet	AZ-scoped slice of VPC CIDR — public (has IGW route) or private
IGW	Allows public subnet instances to reach internet — 1 per VPC
Route Table	Rules for where traffic goes — most specific route wins
NAT Gateway	Outbound-only internet for private instances — managed, AZ-scoped
Security Group	Stateful instance-level firewall — allow rules only
NACL	Stateless subnet-level firewall — allow + deny, ordered rules
VPC Peering	Direct private link between 2 VPCs — non-transitive
Transit Gateway	Central hub for many VPCs + on-prem — transitive routing
Gateway Endpoint	Free private access to S3/DynamoDB — route table based
Interface Endpoint	Paid private access to other AWS services — ENI based
VPC Flow Logs	Traffic capture for monitoring/forensics → CloudWatch or S3
Bastion Host	Jump box in public subnet for SSH into private instances
Site-to-Site VPN	Encrypted on-prem → AWS over internet — fast setup
Direct Connect	Dedicated private physical line on-prem → AWS — consistent, fast