AWS Networking & Content Delivery

Amazon VPC

Updated June 23, 2025

Amazon VPC: A Comprehensive Cheat Sheet

What is an Amazon VPC?

An Amazon Virtual Private Cloud (VPC) is a logically isolated virtual network inside the AWS Cloud. It is a foundational AWS service that lets you carve out a section of AWS where you launch resources in a network you define. You control the virtual networking environment end to end: the IP address range (one or more CIDR blocks), the subnets, the route tables, and the gateways that connect the VPC to the internet, to other VPCs and to your own networks.

Core Components

Subnets: Public vs. Private

A VPC comprises one or more subnets. Each subnet is a CIDR block carved out of the VPC's address range, lives in a single Availability Zone, and is where you place a group of related resources.

  • Public Subnet: A subnet is "public" if its associated route table contains a route to an Internet Gateway (IGW). Resources in it (for example a web server) can be reached directly from the internet, provided they also have a public IPv4 or Elastic IP address and their security group and NACL permit the traffic. The route alone does not make an instance reachable.

  • Private Subnet: A subnet is "private" if its route table has no route to an Internet Gateway. Resources in it (for example a database server) cannot be reached directly from the internet. "Private" describes inbound reachability only; such resources can still initiate outbound connections through a NAT device (see below).

Route Tables

A route table contains a set of rules, called routes, that determine where network traffic from your subnet is directed. Each subnet must be associated with exactly one route table, but the same route table can serve multiple subnets. Every VPC has a main route table, which is used implicitly by any subnet without an explicit association. Every route table contains a non-removable "local" route for the VPC's CIDR block, and when several routes match a destination the most specific one (longest prefix) wins, so a route for 10.20.0.0/16 takes precedence over 0.0.0.0/0.

Internet Gateway (IGW)

An Internet Gateway is a horizontally scaled, redundant and highly available VPC component that allows communication between your VPC and the internet. It serves two purposes: it is the target for internet-bound routes in your route tables, and it performs one-to-one network address translation (NAT) between an instance's private IPv4 address and its public or Elastic IPv4 address. Instances without a public IPv4 address cannot use the IGW directly, even from a public subnet.

Granting Internet Access to Private Subnets

Resources in a private subnet cannot be reached from the internet, but they often need outbound access for software updates or external APIs. This is achieved with a Network Address Translation (NAT) device: the NAT device is placed in a public subnet (so it can reach the IGW), and the private subnet's route table gets a 0.0.0.0/0 route pointing at the NAT device. The NAT device rewrites the source address to its own public IP, forwards the traffic through the IGW, and passes replies back; unsolicited inbound connections from the internet are never forwarded to the private instances.

NAT Gateway vs. NAT Instance

| Feature | NAT Gateway | NAT Instance |
|---|---|---|
| Management | AWS-managed service; nothing to administer. | Self-managed EC2 instance running NAT software. |
| Availability | Highly available within one Availability Zone. Deploy one per AZ, with per-AZ route tables, so an AZ failure does not cut egress for the other AZs. | You build your own failover (health checks, scripts that rewrite routes). |
| Bandwidth | Starts at 5 Gbps and scales automatically; AWS currently documents up to 100 Gbps per gateway (older material cites 45 Gbps). | Limited by the EC2 instance type. |
| Maintenance | Patched by AWS. | You patch the OS and software. |
| Security Group | Cannot be associated with a security group; filter with NACLs on its subnet and with security groups on the source instances. | Can be associated with security groups. |
| Source/destination check | Not applicable. | Must be disabled on the instance, otherwise EC2 drops the forwarded packets. |
| Cost | Billed per hour and per GB processed. | Billed per hour for the instance, plus data transfer. |
| Recommendation | Preferred for most use cases (ease and HA). | Legacy option; only for edge cases such as combining NAT with a bastion, port forwarding or custom traffic filtering on one host. |

Network Security in a VPC

VPC provides two layers of firewalls to control traffic: Security Groups and Network Access Control Lists (NACLs).

Security Groups vs. Network ACLs (NACLs)

| Feature | Security Group | Network ACL (NACL) |
|---|---|---|
| Scope | Instance level (attached to an elastic network interface). | Subnet level. |
| Rule Type | ALLOW rules only; anything not explicitly allowed is denied. | ALLOW and DENY rules. |
| State | Stateful: replies to allowed traffic pass automatically, regardless of the rules in the other direction. | Stateless: replies must be allowed explicitly, which in practice means an outbound rule for the ephemeral port range (1024-65535) for connections that arrive inbound, and vice versa. |
| Rule Evaluation | All rules are evaluated; if any rule allows the traffic, it passes. | Rules are evaluated in ascending number; the first match decides, and the final "*" rule denies everything else. |
| Application | Applies only to the instances (ENIs) it is attached to; an instance can have several. | Applies automatically to every instance in the associated subnets; each subnet has exactly one NACL. |
| Defaults | The VPC's default security group allows all outbound traffic and inbound traffic only from members of the same group; a newly created group allows all outbound and no inbound. | The VPC's default NACL allows all traffic; a newly created custom NACL denies all traffic until you add rules. |

Best Practice: Use security groups as the primary firewall for instances, defining exactly which traffic is allowed. Use NACLs as a secondary, stateless defense at the subnet boundary to block specific IP ranges or apply broad rules. Because NACLs are stateless, remember the return path: an inbound allow for port 443 is useless without an outbound allow for the client's ephemeral ports, and a DENY rule only takes effect if its number is lower than any ALLOW that would also match.
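To make the stateful/stateless distinction and the rule-ordering point concrete, here is an added example (not code from the original page or from AWS) that evaluates constructed packets against a miniature security group and NACL model. The IP addresses, rule numbers and the web-server scenario are all constructed for illustration; the evaluation semantics follow the table above (security group: allow-only, all rules checked, replies of an accepted flow pass; NACL: lowest matching rule number wins, implicit deny).

```python
"""Stateful security group vs stateless NACL, evaluated on constructed packets."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" or "outbound", relative to the instance / subnet
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def rule(number=None, proto="tcp", from_port=0, to_port=65535,
         cidr="0.0.0.0/0", action="allow"):
    """Build a rule dict; 'number' and 'action' are only meaningful for NACLs."""
    return {"number": number, "proto": proto, "from_port": from_port,
            "to_port": to_port, "cidr": cidr, "action": action}


def rule_matches(r, pkt):
    """Both rule types match on protocol, destination port and the remote CIDR."""
    remote_ip = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
    return (r["proto"] in ("-1", pkt.proto)
            and r["from_port"] <= pkt.dst_port <= r["to_port"]
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(r["cidr"]))


class SecurityGroup:
    """Allow-only and stateful: every rule is checked, and once a flow is
    accepted its replies pass without consulting the other direction's rules."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.conntrack = set()  # flows accepted so far

    def allows(self, pkt):
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        reverse = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self.conntrack:
            return True  # reply to a tracked flow
        if any(rule_matches(r, pkt) for r in self.rules[pkt.direction]):
            self.conntrack.add(flow)
            return True
        return False  # no allow rule matched: implicit deny


class NetworkAcl:
    """Stateless: rules are tried in ascending number, the first match decides,
    and a packet matching nothing hits the implicit deny (rule '*')."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": sorted(inbound, key=lambda r: r["number"]),
                      "outbound": sorted(outbound, key=lambda r: r["number"])}

    def decision(self, pkt):
        for r in self.rules[pkt.direction]:
            if rule_matches(r, pkt):
                return r["action"], r["number"]
        return "deny", "*"


# Constructed scenario: web server 10.0.1.5 behind a NACL, client 203.0.113.10.
SYN = Packet("inbound", "tcp", "203.0.113.10", 51000, "10.0.1.5", 443)
SYN_ACK = Packet("outbound", "tcp", "10.0.1.5", 443, "203.0.113.10", 51000)
BLOCKED_SYN = Packet("inbound", "tcp", "198.51.100.7", 40000, "10.0.1.5", 443)


def web_sg():
    # Deliberately no outbound rule, to show that replies still pass statefully.
    return SecurityGroup(inbound=[rule(proto="tcp", from_port=443, to_port=443)],
                         outbound=[])


# Broken NACL: outbound only allows 443, so replies to the client's ephemeral
# port are dropped even though the inbound SYN was allowed.
BROKEN_NACL = NetworkAcl(inbound=[rule(100, "tcp", 443, 443)],
                         outbound=[rule(100, "tcp", 443, 443)])

# Fixed NACL: outbound allows the ephemeral range, and a low-numbered deny
# blocks a known-bad range before the broad allow is reached.
FIXED_NACL = NetworkAcl(
    inbound=[rule(50, "tcp", 0, 65535, "198.51.100.0/24", "deny"),
             rule(100, "tcp", 443, 443)],
    outbound=[rule(100, "tcp", 1024, 65535)])

# Same rules, but the deny is numbered after the allow: it is never reached.
MISORDERED_NACL = NetworkAcl(
    inbound=[rule(100, "tcp", 443, 443),
             rule(200, "tcp", 0, 65535, "198.51.100.0/24", "deny")],
    outbound=[rule(100, "tcp", 1024, 65535)])


def https_handshake(nacl):
    """Run the client's SYN and the server's SYN-ACK through NACL and SG.
    Returns (syn_passed, syn_ack_passed)."""
    sg = web_sg()
    syn_ok = nacl.decision(SYN)[0] == "allow" and sg.allows(SYN)
    syn_ack_ok = sg.allows(SYN_ACK) and nacl.decision(SYN_ACK)[0] == "allow"
    return syn_ok, syn_ack_ok


if __name__ == "__main__":
    print("broken NACL:", https_handshake(BROKEN_NACL))            # (True, False)
    print("fixed NACL:", https_handshake(FIXED_NACL))              # (True, True)
    print("deny first:", FIXED_NACL.decision(BLOCKED_SYN))         # ('deny', 50)
    print("deny too late:", MISORDERED_NACL.decision(BLOCKED_SYN)) # ('allow', 100)
```

The broken NACL is the classic symptom of "inbound works in the flow logs but the client never gets a response": the SYN is accepted at the subnet boundary, the security group records the flow and lets the SYN-ACK out, and the NACL then drops it because nothing allows destination port 51000. The misordered NACL shows why the number, not the position in the console, decides precedence.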

Private Connectivity Options

VPC Peering

A VPC peering connection is a networking connection between two VPCs (in the same or different accounts and regions) that lets you route traffic between them using private IPv4 or IPv6 addresses. Instances in either VPC can communicate as if they were on the same network. The two CIDR blocks must not overlap, and each side must add a route for the other VPC's CIDR pointing at the peering connection; the connection itself forwards nothing until those routes exist.

  • Key Limitation: VPC peering is not transitive. If VPC A is peered with VPC B, and VPC B is peered with VPC C, VPC A cannot reach VPC C through B; a hub such as AWS Transit Gateway is needed for transitive or hub-and-spoke connectivity.

VPC Endpoints: Gateway vs. Interface

VPC Endpoints enable you to privately connect your VPC to supported AWS services without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection.

  • Gateway Endpoint:

    • Services: Supports only Amazon S3 and DynamoDB.

    • How it Works: A gateway endpoint is a target for a route in your route table. AWS installs a route for the service's managed prefix list pointing at the endpoint, and because that prefix list is more specific than 0.0.0.0/0, traffic to S3 or DynamoDB takes the endpoint instead of the NAT or IGW route. It does not use security groups; access is constrained by an endpoint policy and by which route tables you associate. Gateway endpoints carry no charge.

  • Interface Endpoint:

    • Services: Supports most other AWS services (e.g., SQS, Kinesis, SNS, CloudWatch).

    • How it Works: Powered by AWS PrivateLink, an interface endpoint is an Elastic Network Interface (ENI) with a private IP address from your subnet's range, created in each Availability Zone you select. It is the entry point for traffic destined to the service, and with private DNS enabled the service's normal hostname resolves to the endpoint's private address, so clients need no configuration change. You can attach security groups to an interface endpoint, and it is billed per hour and per GB processed.
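The routing decisions behind the NAT setup under "Granting Internet Access to Private Subnets" and the gateway endpoint route described above are both a matter of longest-prefix match in the subnet's route table. The following added example (not code from the original page or from AWS) models a constructed VPC with a public, a private and an isolated subnet and resolves next hops the way the VPC does: the most specific matching route wins, the local route covers the VPC CIDR, and a destination with no route is dropped. The resource IDs (igw-main, nat-public-a, vpce-gw-s3), the prefix list pl-s3-example and its ranges are all hypothetical stand-ins.

```python
"""Route-table evaluator for a constructed VPC (added example, not AWS code)."""
import ipaddress

VPC_CIDR = "10.0.0.0/16"

# Hypothetical managed prefix list standing in for the regional S3 prefix list
# that a gateway endpoint installs; real IDs and ranges differ per region.
PREFIX_LISTS = {"pl-s3-example": ["52.216.0.0/15", "3.5.0.0/19"]}

# Route tables as (destination, target) pairs. Order is irrelevant to
# evaluation; only prefix length matters. A destination may be a prefix list.
ROUTE_TABLES = {
    "rtb-public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-main")],
    "rtb-private": [
        ("10.0.0.0/16", "local"),
        ("0.0.0.0/0", "nat-public-a"),
        ("pl-s3-example", "vpce-gw-s3"),
    ],
    "rtb-isolated": [("10.0.0.0/16", "local")],
}
MAIN_ROUTE_TABLE = "rtb-isolated"  # implicit for subnets with no association

SUBNETS = {  # subnet -> (CIDR, explicitly associated route table or None)
    "subnet-web": ("10.0.1.0/24", "rtb-public"),
    "subnet-app": ("10.0.2.0/24", "rtb-private"),
    "subnet-db": ("10.0.3.0/24", None),
}
# NAT gateway -> subnet it was created in (second one is deliberately wrong).
NAT_GATEWAYS = {"nat-public-a": "subnet-web", "nat-misplaced": "subnet-db"}


def expanded_routes(rtb_id):
    """Yield (network, target) with prefix-list destinations expanded to CIDRs."""
    for dest, target in ROUTE_TABLES[rtb_id]:
        for cidr in PREFIX_LISTS.get(dest, [dest]):
            yield ipaddress.ip_network(cidr), target


def next_hop(rtb_id, dst_ip):
    """Target of the most specific route matching dst_ip, or None if dropped."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in expanded_routes(rtb_id):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def route_table_for(subnet_id):
    """Explicit association if present, otherwise the VPC's main route table."""
    return SUBNETS[subnet_id][1] or MAIN_ROUTE_TABLE


def classify_subnet(subnet_id):
    """'public' if the subnet's route table has any route to an internet gateway."""
    targets = {t for _, t in ROUTE_TABLES[route_table_for(subnet_id)]}
    return "public" if any(t.startswith("igw-") for t in targets) else "private"


def has_internet_egress(subnet_id):
    """True if an arbitrary internet destination gets a next hop (IGW or NAT)."""
    return next_hop(route_table_for(subnet_id), "93.184.216.34") is not None


def nat_gateway_usable(nat_id):
    """A NAT gateway can only forward to the internet from a public subnet."""
    return classify_subnet(NAT_GATEWAYS[nat_id]) == "public"


if __name__ == "__main__":
    for subnet in SUBNETS:
        print(subnet, classify_subnet(subnet),
              "egress" if has_internet_egress(subnet) else "no egress")
    print("S3 from app subnet ->", next_hop("rtb-private", "52.216.1.1"))
    print("nat-misplaced usable ->", nat_gateway_usable("nat-misplaced"))
```

Two results are worth noting. The db subnet has no association and therefore inherits the main route table; since that table has only the local route, the subnet is private and has no egress at all, which is the safest default for a main route table. In the app subnet, traffic to an S3 address matches the /15 from the prefix list rather than 0.0.0.0/0, so it bypasses the NAT gateway (and its per-GB charge) even though the NAT route is still present.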

VPN & AWS Direct Connect

These services connect your on-premises data center or corporate network to your VPC.

  • AWS Site-to-Site VPN: Creates encrypted IPsec tunnels over the public internet between your customer gateway and a virtual private gateway or transit gateway. Each connection provides two tunnels for redundancy; bandwidth and latency depend on the internet path.

  • AWS Direct Connect: Establishes a dedicated, private physical connection between your network and AWS. It offers more consistent bandwidth and lower latency than a VPN and keeps traffic off the public internet, but it does not encrypt traffic by default: layer a Site-to-Site VPN over it, or use MACsec where the connection supports it, if you need encryption in transit.