Networking & Content Delivery

    Amazon VPC

    Isolated virtual network environment to launch AWS resources

    Think of a VPC as your own private neighborhood inside AWS's massive city. In this neighborhood, you control everything: which houses (EC2 instances) go on which streets (subnets), who can enter through the gates (security groups), and whether your neighborhood connects to the outside world (Internet Gateway) or stays completely private. You can even build a private tunnel (VPN or Direct Connect) from your neighborhood back to your office. Just like a real neighborhood, you can have public streets where anyone can visit (public subnets) and private streets where only residents can go (private subnets). Your neighborhood is completely isolated from everyone else's; your neighbor can't peek into your windows unless you explicitly allow it.

    A VPC is a logically isolated network within AWS, defined by a CIDR block (e.g., 10.0.0.0/16; IPv4 blocks must be between /16 and /28). You subdivide the VPC into subnets, each tied to a specific Availability Zone and assigned a subset of the VPC CIDR (e.g., 10.0.1.0/24). A subnet is public if its route table sends 0.0.0.0/0 traffic to an Internet Gateway (an instance there still needs a public or Elastic IP to be reachable); otherwise it is private. Resources in private subnets reach the internet for outbound connections through a NAT Gateway (managed) or NAT Instance (self-managed) placed in a public subnet; a subnet with no default route at all has no internet path in either direction. Security operates at two layers: security groups (stateful firewalls attached to each network interface, allow rules only, return traffic permitted automatically) and network ACLs (stateless firewalls applied to every subnet, numbered allow and deny rules evaluated lowest number first, where every packet, including a reply, must match a rule on its own).
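    The difference between the two layers is easiest to see by pushing one HTTPS request and its reply through both. The following is an added example, not AWS code or anything from the original page: it models only the matching semantics described above (ordered NACL rules with an implicit final deny, allow-only security groups with connection tracking), and the addresses, rule numbers and port ranges are constructed.

```python
# Added example: simulate the two VPC firewall layers to show why a stateless
# network ACL needs an explicit return-path rule while a stateful security
# group does not. Rule sets, addresses and ports below are constructed; this
# is not AWS code and models only the matching semantics, not every feature.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int
    dport: int

    def reply(self):
        """The packet the other side sends back on the same connection."""
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    cidr: str               # peer CIDR: source for inbound, destination for outbound
    proto: str              # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    action: str = "allow"   # NACLs also support "deny"; security groups are allow-only
    number: int = 0         # NACL rule number; the lowest is evaluated first

    def matches(self, pkt, direction):
        peer = pkt.src if direction == "inbound" else pkt.dst
        if self.proto not in ("-1", pkt.proto):
            return False
        if ip_address(peer) not in ip_network(self.cidr):
            return False
        return self.proto == "-1" or self.port_from <= pkt.dport <= self.port_to


def nacl_decide(rules, pkt, direction):
    """Network ACL: rules are tried in ascending number, the first match wins,
    and the implicit '*' rule at the end denies everything else. There is no
    state: each packet, including a reply, is judged on its own."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt, direction):
            return rule.action
    return "deny"


class SecurityGroup:
    """Security group: allow rules only, any matching rule permits the packet,
    and replies to a permitted flow are allowed regardless of the rules."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()

    def decide(self, pkt, direction):
        if pkt.reply() in self.flows:      # reply to a flow we already allowed
            return "allow"
        rules = self.inbound if direction == "inbound" else self.outbound
        if any(r.matches(pkt, direction) for r in rules):
            self.flows.add(pkt)
            return "allow"
        return "deny"


def https_session(nacl_in, nacl_out, sg_in, sg_out):
    """Walk one client -> server HTTPS request and its reply through both layers.
    Returns (nacl request, nacl reply, sg request, sg reply) decisions."""
    request = Packet("203.0.113.10", "10.0.1.25", "tcp", 51234, 443)
    reply = request.reply()
    sg = SecurityGroup(sg_in, sg_out)
    return (
        nacl_decide(nacl_in, request, "inbound"),
        nacl_decide(nacl_out, reply, "outbound"),
        sg.decide(request, "inbound"),
        sg.decide(reply, "outbound"),
    )


# A custom NACL with only an inbound 443 allow looks complete, but the reply
# leaves on the client's ephemeral port and hits the implicit outbound deny.
NACL_IN_ONLY = [Rule("0.0.0.0/0", "tcp", 443, 443, number=100)]
NACL_OUT_EPHEMERAL = [Rule("0.0.0.0/0", "tcp", 1024, 65535, number=100)]
SG_IN_443 = [Rule("0.0.0.0/0", "tcp", 443, 443)]

BROKEN = https_session(NACL_IN_ONLY, [], SG_IN_443, [])
FIXED = https_session(NACL_IN_ONLY, NACL_OUT_EPHEMERAL, SG_IN_443, [])

if __name__ == "__main__":
    print("custom NACL, no outbound rule:", BROKEN)   # NACL drops the reply
    print("custom NACL + ephemeral rule: ", FIXED)
```

    The security group in both runs has no outbound rules at all and still lets the reply out, because it remembers the inbound request; the NACL only passes the reply once rule 100 outbound covers the ephemeral range.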

    Key Capabilities

    Key components: Route tables control traffic routing (one per subnet, evaluated by longest prefix match). VPC peering connects two VPCs one-to-one and is not transitive, so a mesh of peerings does not scale; Transit Gateway provides hub-and-spoke routing between many VPCs and on-premises networks. VPC endpoints enable private connections to AWS services without internet traversal: gateway endpoints for S3 and DynamoDB (a route-table entry), interface endpoints (PrivateLink, an ENI in your subnet) for most other services.

    Gotchas & Constraints

    Gotcha #1: Default NACLs allow all traffic, but custom NACLs deny all by default; forgetting to add allow rules breaks connectivity. Because NACLs are stateless, an inbound allow on port 443 is not enough on its own: the reply leaves on the client's ephemeral port, so the outbound rule set needs a matching allow for the ephemeral range (1024-65535 covers most clients) or the connection never completes. Gotcha #2: Overlapping CIDR blocks prevent VPC peering (secondary CIDRs count too); plan your IP space carefully across accounts before the first VPC is created. Constraints: VPCs are region-specific but span all AZs in that region; subnets are AZ-specific. You can't change a VPC's primary CIDR after creation, but you can add secondary CIDRs (up to 5 IPv4 CIDRs per VPC by default, an adjustable quota). AWS reserves the first four and the last address of every subnet, so a /24 yields 251 usable addresses and the smallest subnet, a /28, yields 11.
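    The IP-space constraints above are worth checking offline before anything is created. The following is an added example, not AWS code or part of the original page: it uses the standard ipaddress module to validate a subnet plan (the six-subnet layout used in the scenario on this page), count usable addresses, test peering candidates for overlap, and classify a subnet from its route table. The route-table targets are constructed placeholders.

```python
# Added example: offline IP-space checks for a VPC plan. Subnet CIDRs follow
# the three-tier layout on this page; route-table targets are constructed
# placeholders. This is not AWS code.
from ipaddress import ip_network

# AWS reserves the first four and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast).
RESERVED_PER_SUBNET = 5
MIN_PREFIX, MAX_PREFIX = 16, 28   # IPv4 VPC and subnet CIDRs must be /16 .. /28


def usable_addresses(cidr):
    net = ip_network(cidr)
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{cidr}: prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    return net.num_addresses - RESERVED_PER_SUBNET


def validate_subnets(vpc_cidrs, subnets):
    """Every subnet must sit inside one of the VPC's CIDRs (primary or
    secondary) and no two subnets may overlap. Returns a list of problems."""
    vpcs = [ip_network(c) for c in vpc_cidrs]
    nets = {name: ip_network(c) for name, c in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not any(net.subnet_of(v) for v in vpcs):
            problems.append(f"{name} {net} is outside the VPC CIDRs")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def can_peer(vpc_a_cidrs, vpc_b_cidrs):
    """VPC peering is refused when any CIDR of one VPC overlaps any CIDR of
    the other, secondary CIDRs included."""
    return not any(ip_network(a).overlaps(ip_network(b))
                   for a in vpc_a_cidrs for b in vpc_b_cidrs)


def classify_subnet(route_table):
    """Public iff the default route targets an internet gateway; a NAT gateway
    target makes it private; no default route means no internet path at all."""
    target = route_table.get("0.0.0.0/0")
    if target is None:
        return "isolated"
    return "public" if target.startswith("igw-") else "private"


VPC_CIDRS = ["10.0.0.0/16"]
SUBNETS = {
    "public-a": "10.0.1.0/24", "public-b": "10.0.2.0/24",
    "app-a": "10.0.11.0/24", "app-b": "10.0.12.0/24",
    "data-a": "10.0.21.0/24", "data-b": "10.0.22.0/24",
}
ROUTE_TABLES = {   # constructed; gateway IDs are placeholders, not real resources
    "public": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-example"},
    "app": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-example"},
    "data": {"10.0.0.0/16": "local"},
}

if __name__ == "__main__":
    print("layout problems:", validate_subnets(VPC_CIDRS, SUBNETS) or "none")
    print("usable addresses in a /24:", usable_addresses("10.0.1.0/24"))
    for name, table in ROUTE_TABLES.items():
        print(f"{name} route table -> {classify_subnet(table)} subnet")
    print("can peer with 10.0.0.0/16:", can_peer(VPC_CIDRS, ["10.0.0.0/16"]))
    print("can peer with 10.1.0.0/16:", can_peer(VPC_CIDRS, ["10.1.0.0/16"]))
```

    Passing all of a VPC's CIDRs (primary plus secondaries) to can_peer matters: a secondary block added later can silently break a peering you planned against the primary alone.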

    A financial services company builds a three-tier web application in a VPC (10.0.0.0/16). They create six subnets across two AZs: public subnets (10.0.1.0/24, 10.0.2.0/24) for Application Load Balancers, private app subnets (10.0.11.0/24, 10.0.12.0/24) for EC2 web servers, and private data subnets (10.0.21.0/24, 10.0.22.0/24) for RDS databases. Internet traffic flows: Internet -> Internet Gateway -> ALB in public subnet -> EC2 in private app subnet -> RDS in private data subnet. EC2 instances reach the internet for software updates via a NAT Gateway in each AZ's public subnet (one per AZ, so the loss of an AZ does not take down egress for the other). Security groups enforce least privilege by referencing each other rather than IP ranges: the ALB security group allows 443 from 0.0.0.0/0, the EC2 security group allows 8080 only from the ALB security group, and the RDS security group allows 3306 only from the EC2 security group; because security groups are stateful, none of them needs return-path rules. They enable VPC Flow Logs, which record metadata for every accepted and rejected flow (addresses, ports, protocol, byte counts and the ACCEPT/REJECT verdict, not packet payloads), for security analysis and compliance. A site-to-site VPN connection links the VPC to their on-premises data center for hybrid cloud access.
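    Flow logs only pay off if someone reads them against the intended design. The following is an added example, not AWS code or part of the original page: it parses records in the default version-2 flow log format and checks each accepted flow against the security-group chain in the scenario. All log lines are constructed samples (placeholder account and interface IDs); among them are an SSH probe from the internet, an ALB-tier host trying to reach the database (rejected, as designed), and one accepted database connection from the public tier that the design does not permit.

```python
# Added example: triage VPC Flow Log records against the intended three-tier
# security-group design. Every record below is constructed, with placeholder
# account and interface IDs; this is not a real capture and not AWS code.
from ipaddress import ip_address, ip_network

# Default (version 2) flow log format: 14 space-separated fields per record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

TIERS = {
    "public": ["10.0.1.0/24", "10.0.2.0/24"],
    "app": ["10.0.11.0/24", "10.0.12.0/24"],
    "data": ["10.0.21.0/24", "10.0.22.0/24"],
}
# Intended reachability, mirroring the security-group chain: destination
# tier -> {destination port: tier allowed to initiate}. "external" covers
# the internet, including the app tier's outbound updates via the NAT.
POLICY = {
    "public": {443: "any"},
    "app": {8080: "public"},
    "data": {3306: "app"},
    "external": {443: "app", 80: "app"},
}


def parse_record(line):
    """Parse one record; returns None for NODATA/SKIPDATA records, whose
    traffic fields are '-'."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec


def tier_of(addr):
    ip = ip_address(addr)
    for name, cidrs in TIERS.items():
        if any(ip in ip_network(c) for c in cidrs):
            return name
    return "external"


def is_reply(rec):
    """Flow logs record each direction separately. A record whose source port
    is a service port of its source tier is the reply half of a flow (a
    simplification: it assumes clients use ephemeral source ports)."""
    return rec["srcport"] in POLICY.get(tier_of(rec["srcaddr"]), {})


def is_expected(rec):
    """True when the security-group design should accept this initiation."""
    allowed_src = POLICY.get(tier_of(rec["dstaddr"]), {}).get(rec["dstport"])
    if allowed_src is None:
        return False
    return allowed_src == "any" or tier_of(rec["srcaddr"]) == allowed_src


def audit(lines):
    """Return rejected initiations (probes or misconfigurations to review) and
    accepted initiations that contradict the design (a security group wider
    than intended). Each flow is (src, dst, dst port)."""
    rejected, unexpected = [], []
    for line in lines:
        rec = parse_record(line)
        if rec is None or is_reply(rec):
            continue
        flow = (rec["srcaddr"], rec["dstaddr"], rec["dstport"])
        if rec["action"] == "REJECT":
            rejected.append(flow)
        elif not is_expected(rec):
            unexpected.append(flow)
    return {"rejected": rejected, "unexpected_accepts": unexpected}


SAMPLE_LOG = """\
2 123456789012 eni-0aaa 203.0.113.10 10.0.1.25 51234 443 6 12 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa 10.0.1.25 203.0.113.10 443 51234 6 10 9200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0aaa 198.51.100.7 10.0.1.25 40123 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0bbb 10.0.1.25 10.0.11.40 33001 8080 6 8 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0ccc 10.0.11.40 10.0.21.15 45001 3306 6 30 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0ccc 10.0.1.25 10.0.21.15 45002 3306 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0ccc 10.0.2.9 10.0.21.15 45003 3306 6 4 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb 10.0.11.40 192.0.2.50 38000 443 6 20 15000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0ddd - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()

RESULT = audit(SAMPLE_LOG)

if __name__ == "__main__":
    for kind, flows in RESULT.items():
        print(kind)
        for src, dst, port in flows:
            print(f"  {src} -> {dst}:{port}")
```

    The rejected list is the expected noise of a working design (the port-22 probe and the ALB-tier host that could not reach 3306); the unexpected_accepts entry is the one that warrants a look at the RDS security group, because an ACCEPT from 10.0.2.9 to 3306 means something other than the EC2 security group is referenced there.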

    Official AWS Documentation