
🌐 AWS VPC - The Foundation of Secure Cloud Networking


When working with AWS, one of the first services you'll encounter is the Amazon Virtual Private Cloud (VPC). Understanding VPC is essential for Cloud Engineers, DevOps Engineers, Solutions Architects, and anyone building secure and scalable cloud infrastructure.

What is AWS VPC?

Amazon VPC (Virtual Private Cloud) is a logically isolated virtual network within AWS where you can launch and manage your cloud resources securely.

Think of a VPC as your own private data center in the AWS Cloud where you control:

✅ IP Addressing

✅ Network Routing

✅ Internet Connectivity

✅ Security Policies

✅ Resource Isolation

Why Do We Need a VPC?

Every AWS account comes with a default VPC, but building in a purpose-built VPC is what gives you control over addressing, routing and the boundary between your workloads and everything else. Without that boundary, all of your cloud resources would sit on one shared network with the same exposure.

A VPC allows organizations to:

  • Isolate applications

  • Improve security

  • Control traffic flow

  • Connect on-premises data centers

  • Design highly available architectures

AWS VPC Architecture

AWS Region
│
└── VPC (10.0.0.0/16)
    │
    ├── Public Subnet (10.0.1.0/24)
    │      ├── Web Server
    │      └── Load Balancer
    │
    ├── Private Subnet (10.0.2.0/24)
    │      ├── Application Server
    │      └── EKS Worker Nodes
    │
    └── Private DB Subnet (10.0.3.0/24)
           └── RDS Database

Key Components of AWS VPC

1️⃣ CIDR Block

A CIDR block defines the IP address range available in the VPC. It must be between /16 and /28, and the primary CIDR cannot be changed after the VPC is created (you can only associate additional, secondary CIDR blocks later), so size it with future subnets and peering in mind.

Example:

10.0.0.0/16

This provides:

65,536 IP Addresses (2^16)

Not all of them are usable by instances: in every subnet AWS reserves the first four addresses (network address, VPC router, DNS resolver, one held for future use) and the last one (broadcast), so each /24 carved from this range yields 251 usable addresses, not 256.

2️⃣ Subnets

A subnet divides a VPC into smaller networks. Each subnet lives in exactly one Availability Zone and must be a sub-range of the VPC CIDR that does not overlap any other subnet.

Example:

VPC: 10.0.0.0/16

Public Subnet:
10.0.1.0/24

Private Subnet:
10.0.2.0/24

Database Subnet:
10.0.3.0/24

Public Subnet

A subnet is public when its route table has a route to an Internet Gateway. Resources in it can have internet access, provided they also have a public or Elastic IP.

Examples:

  • Load Balancers
  • Bastion Hosts
  • Public EC2 Instances

Private Subnet

A subnet is private when its route table has no route to an Internet Gateway. Resources do not have direct internet access; at most they get outbound access through a NAT Gateway.

Examples:

  • Application Servers
  • Kubernetes Nodes
  • Internal Services
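As an added example (not code from the original post), here is how to check a subnet plan like the one above before clicking through the console, using Python's standard ipaddress module. The subnet names and layout are the article's; the reserved-address rule is AWS's (first four and last address of every subnet); the AWS block-size limits (/16 to /28) are also enforced:

```python
import ipaddress

# AWS reserves five addresses in every subnet: the network address, the VPC router (.1),
# the Route 53 resolver (.2), one held for future use (.3) and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, layout):
    """Validate a subnet layout the way the VPC console will, and report usable capacity.

    layout is a list of (name, cidr). Returns {name: {"cidr", "usable", "reserved", "first_usable"}}.
    Raises ValueError for a VPC or subnet outside /16../28, a subnet outside the VPC,
    or two subnets that overlap.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError(f"VPC CIDR must be /16 to /28, got {vpc}")
    plan, placed = {}, []
    for name, cidr in layout:
        net = ipaddress.ip_network(cidr)
        if not 16 <= net.prefixlen <= 28:
            raise ValueError(f"{name}: subnet must be /16 to /28, got {net}")
        if not net.subnet_of(vpc):
            raise ValueError(f"{name}: {net} is not inside VPC {vpc}")
        for other_name, other in placed:
            if net.overlaps(other):
                raise ValueError(f"{name}: {net} overlaps {other_name} {other}")
        placed.append((name, net))
        base = net.network_address
        reserved = [str(base + i) for i in range(4)] + [str(net.broadcast_address)]
        plan[name] = {
            "cidr": str(net),
            "usable": net.num_addresses - AWS_RESERVED_PER_SUBNET,
            "reserved": reserved,
            "first_usable": str(base + 4),   # the first address an instance can actually receive
        }
    return plan


def layout_error(vpc_cidr, layout):
    """Return the validation message for a bad layout, or None if the layout is acceptable."""
    try:
        plan_subnets(vpc_cidr, layout)
    except ValueError as exc:
        return str(exc)
    return None


def free_blocks(vpc_cidr, layout):
    """Return the VPC address space not yet assigned to any subnet, as a sorted list of CIDRs."""
    plan_subnets(vpc_cidr, layout)          # reject overlapping / out-of-range layouts first
    free = [ipaddress.ip_network(vpc_cidr)]
    for _name, cidr in layout:
        net = ipaddress.ip_network(cidr)
        # CIDR blocks are either nested or disjoint, so a valid subnet sits inside exactly one free block
        free = [piece for block in free
                for piece in (block.address_exclude(net) if net.subnet_of(block) else [block])]
    return sorted(free)


if __name__ == "__main__":
    # Constructed layout matching the article's architecture diagram.
    LAYOUT = [("public", "10.0.1.0/24"), ("private", "10.0.2.0/24"), ("db", "10.0.3.0/24")]
    for name, info in plan_subnets("10.0.0.0/16", LAYOUT).items():
        print(f"{name:8} {info['cidr']:15} usable={info['usable']} reserved={info['reserved']}")
    print("still free:", [str(b) for b in free_blocks("10.0.0.0/16", LAYOUT)])
```

The free_blocks output is what you consult before adding the next Availability Zone's subnets: a /16 with three /24s carved out still has a spare 10.0.0.0/24 and the whole 10.0.4.0/22 upwards unassigned.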

3️⃣ Internet Gateway (IGW)

An Internet Gateway allows communication between your VPC and the Internet. It is attached to the VPC (one IGW per VPC) and performs one-to-one NAT between an instance's private address and its public or Elastic IP. An attached IGW by itself changes nothing: traffic only flows once a subnet's route table sends 0.0.0.0/0 to it and the instance has a public IP.

Internet
    │
    ▼
Internet Gateway
    │
Public Subnet

Without an IGW:

❌ No internet access, inbound or outbound (a NAT Gateway also depends on an IGW to reach the internet)


4️⃣ Route Tables

Route tables determine where network traffic leaving a subnet is directed. Every route table has a local route for the VPC CIDR that cannot be removed, each subnet is associated with exactly one route table (the VPC's main route table unless you associate another), and when several routes match a destination the most specific one (longest prefix) wins.

Example:

Destination    Target
10.0.0.0/16    Local
0.0.0.0/0      Internet Gateway

Public Route Table

0.0.0.0/0 → IGW

Allows internet access.


Private Route Table

0.0.0.0/0 → NAT Gateway

Allows outbound internet only. A subnet whose route table has neither route (only the local route) is fully isolated, which is the right default for a database subnet.
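The route lookup the VPC router performs, as an added example in Python (not code from the article or from AWS). The route tables are constructed to mirror Public-RT and Private-RT above, with an assumed peering route (pcx-example) added to show longest-prefix matching; all IDs are made up:

```python
import ipaddress

# Constructed route tables mirroring the article's Public-RT and Private-RT. Targets use the
# AWS ID prefixes (local, igw-, nat-, pcx-); the IDs themselves are made up for the example.
PUBLIC_RT = [
    ("10.0.0.0/16", "local"),
    ("10.1.0.0/16", "pcx-example"),    # assumed peering connection to a second VPC
    ("0.0.0.0/0",   "igw-example"),
]
PRIVATE_RT = [
    ("10.0.0.0/16", "local"),
    ("10.1.0.0/16", "pcx-example"),
    ("0.0.0.0/0",   "nat-example"),
]
ISOLATED_RT = [("10.0.0.0/16", "local")]   # e.g. a database subnet: only the unremovable local route


def next_hop(route_table, dst_ip):
    """Return the target the VPC router picks for dst_ip: the most specific matching route.

    Route order does not matter; a /16 beats a /0 for any address inside the /16.
    Returns None when nothing matches, which means the packet is dropped.
    """
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def subnet_kind(route_table):
    """AWS' definition: a subnet is public iff its route table has a route to an Internet Gateway."""
    targets = [t for _cidr, t in route_table]
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith("nat-") for t in targets):
        return "private"
    return "isolated"


def internet_reachability(route_table, has_public_ip):
    """What an instance can do with the internet, given its subnet's routes and its addressing."""
    kind = subnet_kind(route_table)
    if kind == "public":
        # The IGW only forwards traffic for instances it can translate to a public/Elastic IP.
        return "inbound and outbound" if has_public_ip else "none: IGW route but no public IP"
    if kind == "private":
        return "outbound only (via NAT Gateway)"
    return "none"


if __name__ == "__main__":
    for dst in ("10.0.2.15", "10.1.4.9", "8.8.8.8"):
        print(f"{dst:10} public-> {next_hop(PUBLIC_RT, dst)!s:12} private-> {next_hop(PRIVATE_RT, dst)}")
    print(internet_reachability(PUBLIC_RT, has_public_ip=False))
```

The last line is the classic "I attached an IGW and added the route but still cannot reach my instance" case: the route is fine, the instance simply has no public address for the gateway to translate.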


5️⃣ NAT Gateway

Private resources often need outbound internet access.

Examples:

  • OS updates
  • Package downloads
  • Docker image pulls

A NAT Gateway enables this without exposing the instances. It lives in a public subnet, holds an Elastic IP, and translates the private source addresses of outbound connections; the private subnet's route table sends 0.0.0.0/0 to it.

Private EC2
      │
      ▼
NAT Gateway
      │
      ▼
Internet Gateway
      │
      ▼
Internet

Benefits:

✅ Outbound Access

❌ No Inbound Internet Access (the NAT Gateway never accepts connections the internet initiates)

A NAT Gateway is tied to one Availability Zone; if that AZ fails, every private subnet routing through it loses egress, so production designs place one NAT Gateway per AZ.


6️⃣ Security Groups

Security Groups act as virtual firewalls at the instance level (strictly, they are attached to the instance's network interface).

Example:

Web Server

Inbound:

80  HTTP   from 0.0.0.0/0
443 HTTPS  from 0.0.0.0/0
22  SSH    from your admin CIDR only, never 0.0.0.0/0

Outbound:

All Traffic

Characteristics:

  • Stateful: the reply to an allowed connection is let through without needing a rule of its own
  • Allow rules only; everything not explicitly allowed is denied
  • A rule's source can be another Security Group, which is how you express "the app tier may talk to the database tier" without hard-coding IPs

7️⃣ Network ACL (NACL)

NACLs operate at the subnet level and are evaluated before a packet reaches the instance's Security Group.

Characteristics:

  • Stateless: return traffic is checked too, so replies to allowed connections need their own rule (usually an allow for the ephemeral port range 1024-65535)
  • Allow and Deny Rules, numbered, evaluated from the lowest number upward; the first match wins and the final implicit rule denies
  • The default NACL allows all traffic; a newly created custom NACL denies all traffic until you add rules

Example:

Rule 90   Deny   all traffic from a specific IP
Rule 100  Allow  HTTP (80)
Rule 110  Allow  HTTPS (443)
Rule 120  Allow  TCP 1024-65535 (return traffic)

The deny rule must carry a lower number than the allows, or it is never reached.

Security Group vs NACL

Feature        Security Group                                   NACL
Level          Instance (network interface)                     Subnet
Stateful       Yes                                              No
Allow Rules    Yes                                              Yes
Deny Rules     No                                               Yes
Evaluation     All rules; any match allows                      Numbered; first match wins
Default        New group: no inbound, all outbound allowed      Default NACL allows all; custom NACL denies all
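To make the stateful/stateless difference concrete, here is an added Python model of both filters (example code, not from the article or from AWS) run over a constructed HTTPS exchange. It shows the Security Group admitting the reply with no outbound rule at all, a NACL written the way the example above reads silently dropping that same reply until an ephemeral-port rule is added, and the deny rule working only because it carries a lower number. The IPs are documentation ranges and the rule numbers are assumed:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


class SecurityGroup:
    """Instance level. Stateful: the reply to an admitted flow passes without a rule of its own.
    Allow rules only; a packet matching no rule is dropped (implicit deny)."""

    def __init__(self, inbound, outbound):
        self.inbound_rules = inbound       # (proto, port, cidr); proto "all" / port -1 mean any
        self.outbound_rules = outbound
        self.flows = set()                 # (initiator_ip, initiator_port, responder_ip, responder_port)

    @staticmethod
    def _matches(rules, pkt, peer_ip):
        return any(proto in (pkt.proto, "all") and port in (pkt.dst_port, -1) and _in_cidr(peer_ip, cidr)
                   for proto, port, cidr in rules)

    def _decide(self, rules, pkt, peer_ip):
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return True                    # reply to a tracked flow: stateful pass
        allowed = self._matches(rules, pkt, peer_ip)
        if allowed:
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return allowed

    def allow_in(self, pkt):
        return self._decide(self.inbound_rules, pkt, pkt.src_ip)

    def allow_out(self, pkt):
        return self._decide(self.outbound_rules, pkt, pkt.dst_ip)


class NetworkACL:
    """Subnet level. Stateless: every packet, replies included, is checked against the rules.
    Rules are numbered and evaluated lowest number first; the first match wins and the
    implicit final rule denies."""

    def __init__(self, inbound, outbound):
        # rule: (number, "allow" | "deny", proto, (port_lo, port_hi), cidr)
        self.inbound_rules = sorted(inbound, key=lambda r: r[0])
        self.outbound_rules = sorted(outbound, key=lambda r: r[0])

    @staticmethod
    def _decide(rules, pkt, peer_ip):
        for _num, action, proto, (lo, hi), cidr in rules:
            if proto in (pkt.proto, "all") and lo <= pkt.dst_port <= hi and _in_cidr(peer_ip, cidr):
                return action == "allow"
        return False

    def allow_in(self, pkt):
        return self._decide(self.inbound_rules, pkt, pkt.src_ip)

    def allow_out(self, pkt):
        return self._decide(self.outbound_rules, pkt, pkt.dst_ip)


def demo():
    """Run a constructed HTTPS exchange through an SG and two NACLs; returns both sets of decisions."""
    request = Packet("203.0.113.5", 51234, "10.0.1.10", 443)     # internet client -> web server
    reply   = Packet("10.0.1.10", 443, "203.0.113.5", 51234)     # the server's answer
    blocked = Packet("198.51.100.7", 40000, "10.0.1.10", 443)    # the "specific IP" we want denied

    # SG with no outbound rules at all: the reply still passes because the group is stateful...
    web_sg = SecurityGroup(inbound=[("tcp", 80, "0.0.0.0/0"), ("tcp", 443, "0.0.0.0/0")], outbound=[])
    sg = {"request": web_sg.allow_in(request), "reply": web_sg.allow_out(reply)}
    # ...while a connection the instance itself initiates is dropped (no rule, no tracked flow).
    sg["instance_initiated"] = web_sg.allow_out(Packet("10.0.1.10", 40001, "198.51.100.20", 80))
    # An SG has no deny rule, so the unwanted client gets in like any other.
    sg["blocked_ip"] = web_sg.allow_in(blocked)

    # NACL written the way the article's example reads: allow HTTP/HTTPS, deny one IP.
    naive = NetworkACL(
        inbound=[(90, "deny", "all", (0, 65535), "198.51.100.7/32"),
                 (100, "allow", "tcp", (80, 80), "0.0.0.0/0"),
                 (110, "allow", "tcp", (443, 443), "0.0.0.0/0")],
        outbound=[(100, "allow", "tcp", (80, 80), "0.0.0.0/0"),
                  (110, "allow", "tcp", (443, 443), "0.0.0.0/0")])
    # Stateless: the reply is addressed to the client's ephemeral port 51234, which no outbound rule covers.
    nacl = {"request": naive.allow_in(request), "reply": naive.allow_out(reply),
            "blocked_ip": naive.allow_in(blocked)}

    # Fix: allow the ephemeral port range in both directions (outbound for replies to clients,
    # inbound for replies to connections the instances themselves open).
    ephemeral = (120, "allow", "tcp", (1024, 65535), "0.0.0.0/0")
    fixed = NetworkACL(inbound=naive.inbound_rules + [ephemeral], outbound=naive.outbound_rules + [ephemeral])
    nacl["reply_after_fix"] = fixed.allow_out(reply)
    nacl["blocked_ip_after_fix"] = fixed.allow_in(blocked)   # still denied: rule 90 is evaluated first
    return sg, nacl


if __name__ == "__main__":
    print(demo())
```

The practical reading: use Security Groups for the allow-list (they are stateful and can reference other groups), and reserve NACLs for the few things they do better, such as blocking a hostile source range for an entire subnet.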

8️⃣ Elastic IP (EIP)

Static Public IP Address allocated to your account and kept until you release it.

Used for:

  • Bastion Hosts
  • NAT Gateways

Benefits:

  • Persistent IP that you can move between instances

  • Survives Instance Stop/Start (an ordinary auto-assigned public IP survives a reboot but changes when the instance is stopped and started)


9️⃣ VPC Peering

Connects two VPCs privately, so instances route to each other over the AWS network as if they were in one VPC.

Example:

VPC A
  │
Peering
  │
VPC B

Use Cases:

  • Multi-team environments
  • Shared services

Caveats: the two CIDR ranges must not overlap, each side must add a route for the other's CIDR (and open its Security Groups), and peering is not transitive: if A peers with B and B peers with C, A still cannot reach C.

🔟 VPC Endpoints

Allow private access to AWS services without traversing the internet, so a subnet with no IGW or NAT route can still reach S3, DynamoDB, SSM and the like.

Example:

Private EC2
     │
VPC Endpoint
     │
Amazon S3

Two kinds exist: gateway endpoints (S3 and DynamoDB) add a route to the subnet's route table and are free; interface endpoints (AWS PrivateLink, for most other services) create a network interface in your subnet and are billed per hour and per GB.

Benefits:

✅ Improved Security (traffic never leaves the AWS network, and an endpoint policy can limit which buckets or APIs are reachable)

✅ Reduced Latency

✅ No NAT data-processing cost for traffic to that service (gateway endpoints are free; interface endpoints have their own charges)


High Availability VPC Design

Region
│
├── AZ-A
│    ├── Public Subnet (+ NAT Gateway)
│    └── Private Subnet
│
└── AZ-B
     ├── Public Subnet (+ NAT Gateway)
     └── Private Subnet

Benefits:

  • Fault Tolerance
  • High Availability
  • Disaster Recovery

Each private subnet should route through the NAT Gateway in its own AZ; a single shared NAT Gateway turns one AZ failure into a loss of egress for every private subnet.

Real-World Production VPC

Internet
    │
ALB
    │
Public Subnets
    │
Application Layer
(Private Subnets)
    │
Database Layer
(Private Subnets)

Services:

  • EC2
  • EKS
  • ECS
  • RDS
  • Lambda
  • ElastiCache

Step by step to create a VPC

Step 1: Create VPC

Navigate:

AWS Console
→ VPC
→ Your VPCs
→ Create VPC

Select:

VPC Only

Configuration:

Name: DevOps-VPC
IPv4 CIDR: 10.0.0.0/16
Tenancy: Default

Click:

Create VPC

Step 2: Create Public Subnet

Navigate:

Subnets
→ Create Subnet

Configuration:

VPC: DevOps-VPC

Subnet Name:
Public-Subnet

Availability Zone:
ap-south-1a

CIDR:
10.0.1.0/24

Create Subnet.

Step 3: Create Private Subnet

Subnet Name:
Private-Subnet

Availability Zone:
ap-south-1b

CIDR:
10.0.2.0/24

Create Subnet.

Note that this puts the private subnet in a different Availability Zone from the public subnet, and therefore from the NAT Gateway created in Step 11. It works, but egress from ap-south-1b then depends on ap-south-1a (and is billed as cross-AZ traffic). For production, give each AZ its own public subnet and NAT Gateway, as in the High Availability design above.

Step 4: Enable Auto Assign Public IP

Select Public Subnet:

Actions
→ Edit Subnet Settings

Enable:

Auto Assign Public IPv4 Address

Save.

Leave this setting disabled on the Private Subnet; an instance there should never receive a public address.

Step 5: Create Internet Gateway

Navigate:

Internet Gateways
→ Create Internet Gateway

Name:

DevOps-IGW

Create.

Step 6: Attach IGW to VPC

Select Internet Gateway.

Actions
→ Attach to VPC

Choose:

DevOps-VPC

Attach.

Step 7: Create Route Table

Navigate:

Route Tables
→ Create Route Table

Name:

Public-RT

VPC:

DevOps-VPC

This is a custom route table; the VPC's main route table (which has only the local route) stays untouched, so any subnet you forget to associate later stays isolated rather than becoming public by accident.

Step 8: Add Internet Route

Select:

Public-RT

Routes Tab:

Edit Routes

Add:

Destination: 0.0.0.0/0
Target: Internet Gateway

Save.

Step 9: Associate Public Subnet

Subnet Associations:

Edit Associations

Select:

Public-Subnet

Save.

Step 10: Create Elastic IP

Navigate:

Elastic IPs
→ Allocate Elastic IP

Allocate.

Step 11: Create NAT Gateway

Navigate:

NAT Gateways
→ Create NAT Gateway

Configuration:

Name:
DevOps-NAT

Subnet:
Public-Subnet

Connectivity type:
Public

Elastic IP:
Select Created EIP

Create.

Wait until:

Available

The NAT Gateway must sit in the public subnet: it reaches the internet through the IGW route in Public-RT, which is why Steps 5 to 9 come first.

Step 12: Create Private Route Table

Navigate:

Route Tables
→ Create Route Table

Name:

Private-RT

VPC:

DevOps-VPC

Step 13: Add NAT Route

Routes:

Destination:
0.0.0.0/0

Target:
NAT Gateway

Save.

Step 14: Associate Private Subnet

Subnet Associations:

Private-Subnet

Save.

Step 15: Create Security Group

Navigate:

Security Groups
→ Create Security Group

Name:

Web-SG

VPC:

DevOps-VPC

Inbound Rules:

HTTP 80
HTTPS 443
SSH 22

Source:

0.0.0.0/0 for HTTP and HTTPS.

For SSH, use your own public IP as a /32 rather than 0.0.0.0/0, even in a lab: a port 22 open to the world is scanned and brute-forced within minutes of launch, and restricting it later is easy to forget.

Step 16: Launch EC2 in Public Subnet

Navigate:

EC2
→ Launch Instance

Configuration:

AMI:
Ubuntu 22.04

Instance:
t2.micro

VPC:
DevOps-VPC

Subnet:
Public-Subnet

Security Group:
Web-SG

Launch.

Step 17: Verify Internet Connectivity

Connect:

ssh -i key.pem ubuntu@PUBLIC-IP

Run:

ping google.com

Success = the IGW attachment, the 0.0.0.0/0 → IGW route, the public IP and DNS resolution are all working. (If the SSH connection itself fails, check the port 22 rule in Web-SG first.)

Step 18: Launch EC2 in Private Subnet

Launch another EC2:

Subnet:
Private-Subnet

No Public IP

Give it its own Security Group that allows SSH only from Web-SG (select the security group as the source instead of typing a CIDR), so the public instance acts as the Bastion Host and nothing else can reach port 22.

Connect through the Bastion Host (for example with ssh -J, so the private key stays on your workstation).

Verify:

sudo apt update

Success = NAT Gateway working: the private instance has no public IP, so the only way that request can reach the internet is through the NAT route in Private-RT.
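Finally, an added posture check in Python (example code, not the article's or AWS's) over data shaped like the describe-subnets, describe-route-tables, describe-nat-gateways and describe-security-groups responses for the VPC built in Steps 1 to 15. The records are constructed, the IDs are made up, and only the field names follow the AWS API. Unlike the route-lookup example earlier, this one inspects configuration rather than forwarding a packet: it flags the two things a reviewer would catch in the walkthrough as written (SSH open to 0.0.0.0/0 in Web-SG, and the private subnet in ap-south-1b depending on a NAT Gateway in ap-south-1a) and also checks that the NAT Gateway sits in a public subnet and that no private subnet auto-assigns public IPs:

```python
import copy

# Constructed records in the shape of the describe-* API responses for the walkthrough's VPC.
# Resource IDs are made up; only the field names follow the AWS API.
SUBNETS = [
    {"SubnetId": "subnet-pub", "CidrBlock": "10.0.1.0/24", "AvailabilityZone": "ap-south-1a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-priv", "CidrBlock": "10.0.2.0/24", "AvailabilityZone": "ap-south-1b", "MapPublicIpOnLaunch": False},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Associations": [{"SubnetId": "subnet-pub"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-devops"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-priv"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-devops"}]},
]
NAT_GATEWAYS = [{"NatGatewayId": "nat-devops", "SubnetId": "subnet-pub", "State": "available"}]
SECURITY_GROUPS = [{"GroupName": "Web-SG", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}]


def route_table_for(subnet_id, route_tables):
    """The table explicitly associated with the subnet (the VPC main-table fallback is not modelled)."""
    for rt in route_tables:
        if any(a.get("SubnetId") == subnet_id for a in rt.get("Associations", [])):
            return rt
    return None


def is_public(subnet_id, route_tables):
    """A subnet is public iff its route table has a route whose target is an Internet Gateway."""
    rt = route_table_for(subnet_id, route_tables)
    return rt is not None and any(r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"])


def audit(subnets, route_tables, nat_gateways, security_groups, admin_ports=(22, 3389)):
    """Return human-readable findings; an empty list means the build matches the intended design."""
    findings = []
    az_of = {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}
    for s in subnets:
        if s["MapPublicIpOnLaunch"] and not is_public(s["SubnetId"], route_tables):
            findings.append(f"{s['SubnetId']}: private subnet auto-assigns public IPs")
    for nat in nat_gateways:
        if not is_public(nat["SubnetId"], route_tables):
            findings.append(f"{nat['NatGatewayId']}: NAT Gateway is not in a public subnet, so it has no path to the internet")
        for rt in route_tables:
            if not any(r.get("NatGatewayId") == nat["NatGatewayId"] for r in rt["Routes"]):
                continue
            for a in rt.get("Associations", []):
                sid = a.get("SubnetId")
                if sid and az_of[sid] != az_of[nat["SubnetId"]]:
                    findings.append(f"{sid} ({az_of[sid]}) routes through {nat['NatGatewayId']} in "
                                    f"{az_of[nat['SubnetId']]}: cross-AZ egress dependency")
    for sg in security_groups:
        for perm in sg["IpPermissions"]:
            # IpProtocol "-1" means all protocols and carries no port fields
            lo, hi = (0, 65535) if perm["IpProtocol"] == "-1" else (perm["FromPort"], perm["ToPort"])
            world_open = any(r["CidrIp"] == "0.0.0.0/0" for r in perm.get("IpRanges", []))
            exposed = [p for p in admin_ports if lo <= p <= hi]
            if world_open and exposed:
                findings.append(f"{sg['GroupName']}: admin port(s) {exposed} open to 0.0.0.0/0")
    return findings


def hardened():
    """The same build with both findings fixed: SSH limited to an assumed admin address
    (203.0.113.10/32) and the private subnet moved into the NAT Gateway's AZ."""
    subnets, rts, nats, sgs = (copy.deepcopy(x) for x in (SUBNETS, ROUTE_TABLES, NAT_GATEWAYS, SECURITY_GROUPS))
    subnets[1]["AvailabilityZone"] = "ap-south-1a"
    sgs[0]["IpPermissions"][2]["IpRanges"] = [{"CidrIp": "203.0.113.10/32"}]
    return subnets, rts, nats, sgs


if __name__ == "__main__":
    for finding in audit(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS, SECURITY_GROUPS):
        print("FINDING:", finding)
    print("after hardening:", audit(*hardened()))
```

Against a real account you would feed audit() the parsed JSON from the four describe calls instead of the constructed lists; the field names are the same.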