VPC basics (what it is and why it matters)
Topic: Cloud aws core
Summary
A VPC is your isolated network in AWS: you control IP ranges, subnets, route tables, and gateways. Use it to place instances in public or private subnets and to control inbound and outbound traffic. Use this when designing or troubleshooting EC2 networking.
Intent: Decision
Quick answer
- VPC is a virtual network in a region; you choose a CIDR (e.g. 10.0.0.0/16). Subnets are segments (e.g. 10.0.1.0/24) in AZs; public subnets have a route to an Internet Gateway, private subnets do not (or use NAT).
- Default VPC exists per region with a public subnet per AZ; good for learning. Production: create a custom VPC, use private subnets for instances, and a NAT Gateway or NAT instance for outbound internet from private.
- Route tables determine where traffic goes; security groups and NACLs filter traffic. Use this to understand why an instance cannot reach the internet or why you cannot reach the instance.
Steps
- VPC and CIDR: a VPC has a CIDR block (e.g. 10.0.0.0/16). Subnets have smaller CIDRs within the VPC (e.g. 10.0.1.0/24) and each lives in one AZ. You cannot change the VPC CIDR after creation (you can associate additional CIDR blocks, but not resize or replace the original), so plan for growth.
- Public vs private subnet: public means the route table has 0.0.0.0/0 to an Internet Gateway (IGW) and instances can have public IPs. Private means no IGW route (or 0.0.0.0/0 to NAT); instances are not directly reachable from the internet. Use private subnets for app and DB tiers.
- Route tables and gateways: each subnet is associated with one route table (an explicit association, or the VPC's main table by default). Use an IGW for public internet, a NAT Gateway or NAT instance for outbound traffic from private subnets, and VPC peering or a Transit Gateway for VPC-to-VPC or on-prem connectivity.
- Security groups and NACLs: security groups (stateful) apply to instances and have allow rules only; NACLs (stateless) apply to subnets and have numbered allow and deny rules evaluated in order. Both filter traffic by rule; start with security groups for instance-level control.
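As an added example (not part of the original page), the CIDR planning from the list above carried through in Python with the standard library's ipaddress module: it carves one subnet per tier and AZ out of a VPC block, reports the usable host count per subnet (AWS reserves five addresses in every subnet), and checks a proposed layout for subnets that fall outside the VPC or overlap each other. The function names, AZ labels and CIDRs are constructed for the example.

```python
import ipaddress

# AWS reserves five addresses in every subnet: network address, VPC router,
# DNS, one reserved for future use, and broadcast. A /24 therefore has 251 usable.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(subnet_cidr):
    """Addresses an instance or ENI can actually take in one AWS subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, azs, tiers, prefix=24):
    """Carve one /<prefix> subnet per (tier, AZ) pair out of the VPC block.

    Returns {"public-us-east-1a": "10.0.0.0/24", ...}. Raises ValueError if the
    VPC block cannot hold them all, which is the time to find out: the primary
    VPC CIDR cannot be changed after creation.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if prefix <= vpc.prefixlen:
        raise ValueError("subnet prefix must be longer than the VPC prefix")
    pool = vpc.subnets(new_prefix=prefix)
    plan = {}
    for tier in tiers:
        for az in azs:
            try:
                plan[f"{tier}-{az}"] = str(next(pool))
            except StopIteration:
                raise ValueError(f"{vpc_cidr} is too small for {len(tiers) * len(azs)} /{prefix} subnets") from None
    return plan


def validate_subnets(vpc_cidr, subnets):
    """Return human-readable problems: a subnet outside the VPC, or two that overlap.

    An empty list means the layout is consistent. Overlap is the mistake that
    otherwise only surfaces at creation time, so catch it here.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} ({net}) is not inside {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


if __name__ == "__main__":
    # Constructed example: a /16 VPC, two AZs, public and private tiers.
    layout = plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"], ["public", "private"])
    for name, cidr in layout.items():
        print(f"{name:22s} {cidr:16s} usable hosts: {usable_hosts(cidr)}")
    print("problems:", validate_subnets("10.0.0.0/16", layout) or "none")
```

Run it as a script to print the layout; the size check in plan_subnets is deliberately loud because a VPC block that turns out too small is a re-create, not an edit.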
Summary
VPC is your isolated network; subnets segment it by AZ. Public subnets use an IGW; private subnets use NAT for outbound. Use route tables, security groups, and NACLs to control traffic. Use this to design and troubleshoot EC2 networking.
Prerequisites
None.
Steps
Step 1: VPC and CIDR
Define VPC CIDR and subnet CIDRs in AZs. Plan so you do not need to change VPC CIDR later.
Step 2: Public vs private subnet
Public subnet: route to IGW; instances can have public IPs. Private: route to NAT or no default route; no direct internet access.
Step 3: Route tables and gateways
Attach route tables to subnets; add IGW for public, NAT for private outbound. Use peering or Transit Gateway for other VPCs or on-prem.
Step 4: Security groups and NACLs
Use security groups on instances; add NACLs if you need subnet-level rules. Prefer security groups for most use cases.
Verification
You can explain how traffic reaches the internet from a public vs private subnet and what role IGW and NAT play.
Troubleshooting
- No internet from instance: check the subnet's route table for a 0.0.0.0/0 route to an IGW or NAT; then check the security group and NACL outbound rules (for a NACL, also the inbound rule for return traffic on ephemeral ports).
- Cannot SSH: an instance in a private subnet needs a bastion or Session Manager; one in a public subnet needs a public IP and a security group allowing port 22 from your IP.
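The troubleshooting checks above (route table, then security group, then NACL), together with Step 4's security group versus NACL distinction, as an added example that is not code from the page: a small offline model of a subnet in Python that classifies it as public, private-with-NAT or isolated and walks an outbound flow through the three layers in the order AWS evaluates them. The Route, Rule and Subnet classes, the resource ids and the sample rules are constructed for the example and use a simplified shape, not the AWS API output. What it adds over the text is the NACL's stateless return-traffic check on ephemeral ports and first-match rule ordering, which is where most "it has a route but still cannot connect" cases land.

```python
import ipaddress
from dataclasses import dataclass

# Stateless NACLs need an explicit inbound allow for reply traffic on the
# ephemeral range (AWS documents 1024-65535 as the range to open).
EPHEMERAL_PORTS = (1024, 65535)


@dataclass
class Route:
    destination: str   # CIDR, e.g. "0.0.0.0/0"
    target: str        # "local", "igw-...", "nat-...", "pcx-...", or "blackhole"


@dataclass
class Rule:
    """One security-group or NACL rule; a simplified, constructed shape."""
    protocol: str          # "tcp", "udp", or "-1" for all protocols
    ports: tuple           # inclusive (low, high); ignored when protocol == "-1"
    cidr: str
    action: str = "allow"  # NACL rules may be "deny"; security-group rules are allow-only
    number: int = 0        # NACL rule number: evaluated ascending, first match wins


@dataclass
class Subnet:
    subnet_id: str
    routes: list
    nacl_inbound: list
    nacl_outbound: list


def classify_subnet(subnet):
    """public = default route via IGW, private-nat = via NAT, isolated = no default route."""
    for r in subnet.routes:
        if r.destination == "0.0.0.0/0":
            if r.target.startswith("igw-"):
                return "public"
            if r.target.startswith("nat-"):
                return "private-nat"
    return "isolated"


def longest_match(routes, ip):
    """Route-table lookup: the most specific matching prefix wins."""
    addr, best = ipaddress.ip_address(ip), None
    for r in routes:
        net = ipaddress.ip_network(r.destination)
        if addr in net and (best is None or net.prefixlen > ipaddress.ip_network(best.destination).prefixlen):
            best = r
    return best


def rule_matches(rule, protocol, port, ip):
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not rule.ports[0] <= port <= rule.ports[1]:
        return False
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)


def nacl_verdict(rules, protocol, port, ip):
    """Stateless: the lowest-numbered matching rule decides; no match is an implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule_matches(rule, protocol, port, ip):
            return rule.action
    return "deny"


def sg_allows(rules, protocol, port, ip):
    """Stateful and allow-only: one matching rule permits the flow and its replies."""
    return any(rule_matches(r, protocol, port, ip) for r in rules)


def diagnose_egress(subnet, sg_outbound, dest_ip, protocol="tcp", port=443):
    """Walk an outbound flow through route table, security group, NACL out, NACL in (replies)."""
    problems = []
    route = longest_match(subnet.routes, dest_ip)
    if route is None or route.target == "blackhole":
        problems.append(f"{subnet.subnet_id}: no usable route to {dest_ip} (needs 0.0.0.0/0 via IGW or NAT)")
    if not sg_allows(sg_outbound, protocol, port, dest_ip):
        problems.append(f"security group has no outbound allow for {protocol}/{port} to {dest_ip}")
    if nacl_verdict(subnet.nacl_outbound, protocol, port, dest_ip) != "allow":
        problems.append(f"NACL outbound denies {protocol}/{port} to {dest_ip}")
    for p in EPHEMERAL_PORTS:  # probe both ends of the reply range
        if nacl_verdict(subnet.nacl_inbound, protocol, p, dest_ip) != "allow":
            problems.append(f"NACL inbound blocks reply traffic on ephemeral port {p} from {dest_ip}")
            break
    return problems


# Constructed sample data (not from a real account); ids are placeholders.
SG_ALLOW_ALL_OUT = [Rule("-1", (0, 65535), "0.0.0.0/0")]
NACL_OUT = [Rule("-1", (0, 65535), "0.0.0.0/0", "allow", 100)]
NACL_IN = [Rule("tcp", (22, 22), "203.0.113.0/24", "allow", 100),
           Rule("tcp", EPHEMERAL_PORTS, "0.0.0.0/0", "allow", 110)]
PUBLIC = Subnet("subnet-public-example",
                [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "igw-example")], NACL_IN, NACL_OUT)
ISOLATED = Subnet("subnet-private-example", [Route("10.0.0.0/16", "local")], NACL_IN, NACL_OUT)
```

An empty list from diagnose_egress means all three layers pass; each string names the layer to fix. Feeding a subnet whose NACL lacks the ephemeral inbound rule (NACL_IN[:1]) reproduces the classic case where the route and security group look right but replies are dropped at the subnet edge.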