AWS Solutions Architect: VPC

Written on Sun 19 April 2020. Posted in Nuggets | Richard Walker

Amazon's Virtual Private Cloud service provides the networking layer of EC2. By default, every VPC is isolated from all other networks. However, a VPC can be connected to other networks, including the Internet and other VPCs.

A VPC can exist only within an AWS region.


A VPC consists of at least one range of contiguous IP addresses, represented as a CIDR block.

It's best to use one of the RFC 1918 private ranges to avoid conflicts with public Internet addresses:

  • 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
  • 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
  • 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

When connecting a VPC to another network, be sure the VPC CIDR doesn't overlap with addresses already in use on the other network. Overlap is not something you can fix later: VPC peering refuses overlapping CIDRs outright, and an on-premises range that overlaps the VPC CIDR becomes unreachable because the VPC's local route is the more specific match.
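The checks described above (RFC 1918 membership, the /16 to /28 size limit, and no overlap with networks you will connect to) as a small planning script. This is an added example, not code from the notes or from AWS; the function names, the candidate CIDRs and the "already in use" ranges are constructed for illustration. It uses only the standard library `ipaddress` module.

```python
import ipaddress

# RFC 1918 private ranges (standard). The prefix bounds are AWS's allowed
# VPC CIDR sizes, /16 through /28.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
MIN_PREFIX, MAX_PREFIX = 16, 28


def check_vpc_cidr(cidr, existing=()):
    """Return a list of problems with a proposed VPC CIDR (empty list = OK).

    existing: CIDRs already in use on networks this VPC will be connected
    to (on-premises ranges, VPCs you intend to peer with). Both the function
    and its argument names are this example's own, not an AWS API.
    """
    problems = []
    net = ipaddress.ip_network(cidr, strict=False)
    if str(net) != cidr:
        # host bits were set: "10.0.0.5/16" is not a block you can request
        problems.append(f"{cidr} is not on a network boundary; did you mean {net}?")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net} is not inside an RFC 1918 range")
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(f"/{net.prefixlen} is outside the allowed /{MIN_PREFIX}../{MAX_PREFIX}")
    for other in existing:
        o = ipaddress.ip_network(other)
        if net.overlaps(o):
            problems.append(f"{net} overlaps {o}, which is already in use")
    return problems


def pick_free_block(candidates, existing):
    """Return the first candidate CIDR that passes every check, or None."""
    for cidr in candidates:
        if not check_vpc_cidr(cidr, existing):
            return cidr
    return None


if __name__ == "__main__":
    # Constructed sample: an on-premises range plus one existing VPC.
    in_use = ["192.168.0.0/16", "10.0.0.0/16"]
    for c in ["10.0.0.0/16", "10.1.0.0/16", "172.16.0.0/12", "8.8.0.0/16"]:
        print(c, check_vpc_cidr(c, in_use) or "OK")
    print("use:", pick_free_block(["10.0.0.0/16", "10.1.0.0/16"], in_use))
```

Run it before creating the VPC; a whole /12 fails the size check even though it is private, and a block that merely touches an existing range is rejected, which is what the peering and VPN rules later on the page require.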

Example - Create a New VPC:

aws ec2 create-vpc --cidr-block 10.0.0.0/16   # 10.0.0.0/16 is an example value; pick your own RFC 1918 range


A subnet is a logical container within a VPC that holds EC2 instances. Subnets let you isolate instances from each other, control how traffic flows between them, and organize them by function (for example, a public web tier and a private database tier).

Once an instance is launched into a subnet, it can't be moved to another subnet; it must be destroyed and recreated in the new one. The same is true at the VPC level.

Subnet CIDR Blocks

Each subnet has its own CIDR block that must be a subset of the CIDR of the VPC it resides in, and subnet CIDRs within a VPC can't overlap each other. For example, a VPC with a /16 CIDR can be carved into /24 subnets taken from that range; like the VPC CIDR, a subnet CIDR must be between /16 and /28.

AWS reserves the first four and the last IP address in every subnet (the network address, the VPC router, the Amazon DNS resolver, one address held for future use, and the broadcast address), so a /24 subnet yields 251 assignable addresses rather than 254.
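The subnet rules above, worked through in code: an added example (not from the notes or AWS) that checks a subnet against its VPC, lists the five reserved addresses, and counts what is left for ENIs. The `plan_subnets` helper goes a step beyond the paragraph by carving a VPC into equal non-overlapping subnets (one per availability zone, say). The function names and the CIDRs are this example's own assumptions.

```python
import ipaddress

# Allowed prefix lengths for a VPC or subnet CIDR (/16 through /28).
MIN_PREFIX, MAX_PREFIX = 16, 28


def subnet_fits(vpc_cidr, subnet_cidr):
    """True if subnet_cidr is a valid block inside vpc_cidr."""
    vpc = ipaddress.ip_network(vpc_cidr)
    sub = ipaddress.ip_network(subnet_cidr)
    return sub.subnet_of(vpc) and MIN_PREFIX <= sub.prefixlen <= MAX_PREFIX


def reserved_addresses(subnet_cidr):
    """The five addresses AWS holds back in every subnet, keyed by purpose.

    The purposes are AWS's documented ones; the key names are this example's.
    """
    sub = ipaddress.ip_network(subnet_cidr)
    base = int(sub.network_address)
    return {
        "network": str(sub.network_address),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(sub.broadcast_address),  # no broadcast in a VPC, still reserved
    }


def usable_addresses(vpc_cidr, subnet_cidr):
    """Addresses an ENI can actually be given in this subnet."""
    if not subnet_fits(vpc_cidr, subnet_cidr):
        raise ValueError(f"{subnet_cidr} is not a valid subnet of {vpc_cidr}")
    return ipaddress.ip_network(subnet_cidr).num_addresses - len(reserved_addresses(subnet_cidr))


def plan_subnets(vpc_cidr, new_prefix, count):
    """Carve `count` equal /new_prefix subnets from the VPC CIDR, e.g. one per AZ."""
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = list(vpc.subnets(new_prefix=new_prefix))
    if count > len(blocks):
        raise ValueError(f"{vpc} only has room for {len(blocks)} /{new_prefix} subnets")
    return [str(b) for b in blocks[:count]]


if __name__ == "__main__":
    # Constructed sample: a /16 VPC with three /24 subnets.
    for s in plan_subnets("10.0.0.0/16", 24, 3):
        print(s, usable_addresses("10.0.0.0/16", s), "usable", reserved_addresses(s))
    print("/28 usable:", usable_addresses("10.0.0.0/16", "10.0.9.0/28"))
```

The /28 case is the one that bites in practice: 16 addresses minus the 5 reserved leaves 11, which is why tiny subnets fill up sooner than the CIDR math suggests.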

Availability Zones

A subnet can exist within only one availability zone (AZ).

Elastic Network Interfaces

An elastic network interface (ENI) allows an instance to communicate with other network resources. As the name suggests, an ENI performs the same basic function as a network interface on a physical server.

  • Each instance must have a primary private IP address from the range specified by the subnet CIDR; this can't be changed. However, you can assign secondary private IP addresses to the ENI.

An ENI can exist independently of an instance and be attached later; its private addresses and security group membership travel with it.

Internet Gateways

An Internet gateway gives instances the ability to receive a public IP address, connect to the Internet and receive requests from the Internet.

A VPC you create does not have an Internet gateway; one must be created and attached manually (only the region's default VPC comes with one). AWS identifies an Internet gateway by its resource ID, which begins with igw-. Attaching it is not enough on its own: a default route pointing to the Internet gateway must be added to the route table of each subnet that should be public.

Route Tables

The VPC infrastructure implements IP routing as a software function called an implied router. You manage the route tables the implied router uses.

Each route table consists of one or more routes and zero or more subnet associations. Every subnet is associated with exactly one route table; a subnet with no explicit association uses the VPC's main route table, so a change to the main route table silently changes the routing of every subnet you haven't associated elsewhere.


Routes determine how to forward traffic from instances within the subnets associated with the route table.

Routes must include:

  • Destination (IP prefix in CIDR notation)
  • Target (an AWS network resource such as an Internet gateway, NAT device, peering connection or ENI)

A local route is mandatory in every route table and can't be removed; it's what allows communication between instances in the same VPC. Because it covers exactly the VPC CIDR, it is a more specific match than the default route and wins for any in-VPC destination.

The default route

To enable Internet access for instances, a default route pointing to the Internet gateway must be created in the route table their subnet uses:

Destination       Target
-------------------------
(VPC CIDR)        Local
0.0.0.0/0         igw-xyz

The prefix 0.0.0.0/0 encompasses all IP addresses. Since the local route is more specific, traffic to the VPC CIDR still stays inside the VPC; only everything else is sent to the Internet gateway.

Security Groups

A security group functions as a firewall that controls traffic to and from an instance by permitting traffic to ingress (inbound) or egress (outbound) that instance's ENI. Security groups contain only allow rules; anything that no rule allows is dropped.

Inbound Rules

Inbound rules specify what traffic is allowed into the attached ENI. A security group with no inbound rules denies all inbound traffic (default deny). Note that the default security group of a VPC is not empty: it allows all inbound traffic from other members of the same security group.

An inbound rule has three requirements:

  • Source
  • Protocol
  • Port range


Source             Protocol    Port Range
-----------------------------------------
(CIDR or SG ID)    TCP         22
(CIDR or SG ID)    TCP         443

Outbound Rules

Outbound rules specify what traffic the instance may send via the attached ENI.

An outbound rule mirrors an inbound rule, containing three elements:

  • Destination
  • Protocol
  • Port range

A newly created security group has one outbound rule, which allows everything; remove or narrow it if the instance should only reach specific destinations:

Destination       Protocol    Port Range
----------------------------------------
0.0.0.0/0         All         All

Stateful Firewall

A security group acts as a stateful firewall: when you allow inbound HTTPS access to an instance from a client on the Internet, the security group automatically allows the reply traffic from the instance back to the client, even if no outbound rule would match it. The reverse also holds: replies to a connection the instance initiates outbound are admitted without an inbound rule.

Network Access Control Lists

Like a security group, a network access control list (NACL) functions as a firewall with inbound and outbound rules. Each VPC has a default NACL that can't be deleted.

A NACL differs from a security group in several respects. A NACL is attached to a subnet, not an ENI; a subnet can have only one NACL associated with it, although one NACL can be associated with many subnets. NACL rules can explicitly deny as well as allow, and they are evaluated in numeric order with the first match winning, whereas security group rules are all allows and order doesn't matter.

A NACL is stateless, meaning that it doesn't track the state of connections passing through it. Reply traffic is evaluated against the rules like any other packet, so allowing inbound HTTPS on port 443 does nothing for the reply unless an outbound rule also permits the client's ephemeral port range (1024-65535).

Inbound Rules

  • Rule number
  • Protocol
  • Port range
  • Source
  • Action

The default NACL for a VPC comes with two inbound rules, which together allow everything:

Rule Number    Protocol    Port Range    Source        Action
100            All         All           0.0.0.0/0     Allow
*              All         All           0.0.0.0/0     Deny

NACL rules are processed in ascending order by rule number, and the first rule that matches decides; the catch-all * rule (deny) applies only when nothing else matches. A deny numbered below 100 therefore takes effect, while the same deny numbered above 100 is never reached.

Outbound Rules

  • Rule number
  • Protocol
  • Port range
  • Destination
  • Action

Rule Number    Protocol    Port Range    Destination   Action
100            All         All           0.0.0.0/0     Allow
*              All         All           0.0.0.0/0     Deny

Do not restrict outbound traffic using a NACL; use security groups instead. Because the NACL is stateless, restricting outbound would force you to allow the whole ephemeral port range outbound for every service the subnet accepts inbound, which gives away most of what you were trying to restrict. Keep the NACL as a coarse subnet-level block list (for example, a deny for a known-bad CIDR numbered below 100) and do fine-grained control in security groups.
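To make the stateful/stateless difference concrete, here is an added example (not code from the notes or from AWS) that models a security group and a NACL as small evaluators and pushes one HTTPS request and its reply through both. The hosts, ports, rule sets and class names are constructed for this example; the semantics follow the sections above: a security group has allow rules only and admits replies to tracked connections, a NACL has numbered allow/deny rules, first match wins, and it sees each packet on its own.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reply(self):
        """The packet flowing the other way on the same connection."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    cidr: str          # peer range: source for inbound, destination for outbound
    proto: str         # "tcp", "udp", "icmp" or "all"
    lo: int = 0        # port range, inclusive
    hi: int = 65535

    def matches(self, proto, port, peer_ip):
        return (self.proto in ("all", proto)
                and self.lo <= port <= self.hi
                and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(self.cidr))


def _peer_and_rules(fw, pkt, direction):
    """Inbound rules look at the source address, outbound rules at the destination."""
    return (pkt.src, fw.inbound) if direction == "in" else (pkt.dst, fw.outbound)


class SecurityGroup:
    """Allow rules only; stateful, so replies to admitted traffic always pass."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.flows = set()   # 5-tuples of connections this SG has admitted

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    def permit(self, pkt, direction):
        if self._key(pkt.reply()) in self.flows:
            return True                       # reply to a tracked connection
        peer, rules = _peer_and_rules(self, pkt, direction)
        if any(r.matches(pkt.proto, pkt.dport, peer) for r in rules):
            self.flows.add(self._key(pkt))    # remember it so the reply can come back
            return True
        return False                          # nothing allowed it: default deny


class NetworkAcl:
    """Numbered allow/deny rules evaluated in ascending order; stateless."""

    def __init__(self, inbound, outbound):
        # entries are (rule_number, Rule, "allow" | "deny"); the "*" deny is implicit
        self.inbound = sorted(inbound, key=lambda e: e[0])
        self.outbound = sorted(outbound, key=lambda e: e[0])

    def permit(self, pkt, direction):
        peer, rules = _peer_and_rules(self, pkt, direction)
        for _num, rule, action in rules:      # first match wins
            if rule.matches(pkt.proto, pkt.dport, peer):
                return action == "allow"
        return False                          # the trailing "*" rule


# Two NACL outbound rule sets: the first forgets the client's ephemeral ports.
NACL_OUT_443_ONLY = [(100, Rule("0.0.0.0/0", "tcp", 443, 443), "allow")]
NACL_OUT_WITH_EPHEMERAL = NACL_OUT_443_ONLY + [(110, Rule("0.0.0.0/0", "tcp", 1024, 65535), "allow")]


def https_session(nacl_outbound):
    """Run one HTTPS request and its reply through an SG and a NACL.

    Returns (sg_request, sg_reply, nacl_request, nacl_reply). The SG has no
    outbound rules at all, yet its reply passes; the NACL needs the ephemeral range.
    """
    request = Packet("203.0.113.5", 51515, "10.0.1.10", 443)   # constructed client -> instance
    reply = request.reply()
    sg = SecurityGroup(inbound=[Rule("0.0.0.0/0", "tcp", 443, 443)], outbound=[])
    nacl = NetworkAcl(inbound=[(100, Rule("0.0.0.0/0", "tcp", 443, 443), "allow")],
                      outbound=nacl_outbound)
    return (sg.permit(request, "in"), sg.permit(reply, "out"),
            nacl.permit(request, "in"), nacl.permit(reply, "out"))


def nacl_order_matters(deny_rule_number):
    """Does a deny for 203.0.113.0/24 at the given number beat the allow at 100?"""
    nacl = NetworkAcl(inbound=[(100, Rule("0.0.0.0/0", "tcp", 443, 443), "allow"),
                               (deny_rule_number, Rule("203.0.113.0/24", "all"), "deny")],
                      outbound=[])
    return nacl.permit(Packet("203.0.113.5", 51515, "10.0.1.10", 443), "in")
```

`https_session(NACL_OUT_443_ONLY)` shows the classic failure: the handshake arrives, the security group lets the reply out, and the NACL silently drops it because the reply's destination port is 51515, not 443. `nacl_order_matters(90)` versus `nacl_order_matters(200)` shows why rule numbers, not rule contents, decide what a NACL does.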

Public IP Addresses

A public IP address is reachable over the public Internet. An auto-assigned public IP address is released when you stop or terminate the instance, so the instance will typically come back with a different public IP. To avoid that unpredictable assignment, use an Elastic IP address instead.

Elastic IP Address

An Elastic IP address (EIP) is a public IP address that AWS allocates to your account on request and which you then have exclusive use of until you manually release it. EIPs are associated with an ENI rather than with an instance, so they survive stops and can be moved to another ENI.

Network Address Translation

When an ENI is associated with a public IP address, the ENI keeps its private IP. Associating a public IP with an ENI doesn't reconfigure the ENI, and the instance itself never sees the public address; instead, the Internet gateway maps the public IP address to the ENI's private IP address using network address translation (NAT).

NAT Devices

NAT occurs at the Internet gateway automatically. Two other resources can also perform NAT:

  • NAT gateway
  • NAT instance

The purpose of a NAT device is to allow instances in a private subnet to initiate connections to the Internet while preventing hosts on the Internet from reaching those instances directly (many private addresses share the NAT device's one public address, so there is no inbound mapping to any individual instance).

Instances that use a NAT device must send Internet-bound traffic to it, while the NAT device must send Internet-bound traffic to an Internet gateway. Hence the NAT device and the instances that use it must sit in subnets with different route tables: the private subnet's default route targets the NAT device, and the NAT device's (public) subnet's default route targets the Internet gateway. If both shared a route table, the NAT device's own outbound traffic would be routed back to itself and never reach the Internet.
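The route-table behaviour from the Route Tables section and the two-route-table requirement for NAT, traced in code. This is an added example, not code from the notes or from AWS: the VPC CIDR, the subnet names, and the identifiers igw-xyz and nat-xyz are hypothetical, and the longest-prefix lookup is this example's model of what the implied router does.

```python
import ipaddress

# Constructed VPC: a public subnet (holds the NAT device), a private subnet
# behind it, and an isolated subnet with no path out.
VPC_CIDR = "10.0.0.0/16"

PUBLIC_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-xyz")]
PRIVATE_RT = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-xyz")]
ISOLATED_RT = [(VPC_CIDR, "local")]            # mandatory local route only

SUBNET_RT = {"public": PUBLIC_RT, "private": PRIVATE_RT, "isolated": ISOLATED_RT}
NAT_SUBNET = {"nat-xyz": "public"}             # which subnet the NAT device sits in


def lookup(route_table, dst_ip):
    """Implied-router lookup: the most specific matching prefix wins, so the
    local route beats 0.0.0.0/0 for any address inside the VPC."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, target in route_table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None           # None: no route, packet dropped


def trace(subnet, dst_ip, subnet_rt=SUBNET_RT, nat_subnet=NAT_SUBNET):
    """Follow a packet from an instance in `subnet` hop by hop.

    Returns the list of route targets taken. A NAT device re-sends the packet
    using the route table of its own subnet, which is why that subnet must
    route 0.0.0.0/0 to an Internet gateway rather than back to the NAT.
    """
    hops, visited = [], {subnet}
    while True:
        target = lookup(subnet_rt[subnet], dst_ip)
        hops.append(target)
        if target not in nat_subnet:
            return hops                        # "local", "igw-...", or None (dropped)
        subnet = nat_subnet[target]
        if subnet in visited:
            hops.append("loop")                # the NAT's subnet routes back to the NAT
            return hops
        visited.add(subnet)


if __name__ == "__main__":
    print("private -> Internet:", trace("private", "93.184.216.34"))
    print("private -> same VPC:", trace("private", "10.0.2.15"))
    print("isolated -> Internet:", trace("isolated", "93.184.216.34"))
    # Misconfiguration: NAT device placed in a subnet whose default route is the NAT itself.
    print("NAT in private subnet:", trace("private", "93.184.216.34",
                                          nat_subnet={"nat-xyz": "private"}))
```

The last call is the misconfiguration the paragraph above warns about: put the NAT device in the same subnet (same route table) as its clients and its own Internet-bound packets are handed straight back to it.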

NAT Gateway

A NAT gateway is a NAT device managed by AWS. Like an Internet gateway, it's a one-size-fits-all resource that scales bandwidth automatically. Unlike an Internet gateway, though, a NAT gateway lives in one subnet and therefore in one availability zone, so a design that must survive an AZ failure needs a NAT gateway in each AZ, with each private subnet routing to the one in its own AZ.

NAT Instance

A NAT instance is a normal EC2 instance that uses a pre-configured Linux-based AMI. It functions like a NAT gateway but with a few key differences:

  • NAT instances don't auto scale; throughput is bounded by the instance type
  • A NAT instance has an ENI and must have a security group applied to it, which has to allow the inbound traffic from the private subnets and the outbound traffic to the Internet
  • It needs a public IP address (an Elastic IP is the usual choice)
  • It must have the source/destination check disabled on its ENI, because it forwards packets whose addresses are not its own and EC2 drops such packets by default

VPC Peering

VPC peering allows instances in one VPC to communicate with instances in another VPC over the private AWS network, without traversing the Internet. Peering can be established between VPCs in different regions and in different accounts.

  • A peering connection joins exactly two VPCs
  • Only one peering connection is allowed between a pair of VPCs
  • The two VPCs must not have overlapping CIDR blocks
  • Can't be used to share Internet gateways or NAT devices (a peer can't reach the Internet through your VPC)
  • Can share NLBs
  • Daisy-chaining VPC peering is NOT possible: peering is not transitive, so if A peers with B and B peers with C, A still can't reach C without its own peering connection to C

Routes need adding in both VPCs to allow traffic to travel in both directions; each route's destination is the other VPC's CIDR and its target is the peering connection ID (pcx-):

Route table       Destination             Target
------------------------------------------------
VPC A             (VPC B's CIDR)          pcx-xyz
VPC B             (VPC A's CIDR)          pcx-xyz
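The peering rules above (no overlap, a route in each direction, no transitive reach) as a checker over a constructed three-VPC topology. This is an added example, not code from the notes or from AWS; the VPC names A/B/C, their CIDRs, the pcx- identifiers and the function names are all hypothetical. It deliberately includes the mistake people make: a route in A for C's CIDR via the A-B peering, which looks right in the console and goes nowhere.

```python
import ipaddress

# Constructed topology: A<->B and B<->C are peered, A and C are not.
VPCS = {"A": "10.0.0.0/16", "B": "10.1.0.0/16", "C": "10.2.0.0/16"}
PEERINGS = {"pcx-ab": ("A", "B"), "pcx-bc": ("B", "C")}

# One route table per VPC: (destination prefix, target).
ROUTES = {
    "A": [("10.0.0.0/16", "local"), ("10.1.0.0/16", "pcx-ab"),
          ("10.2.0.0/16", "pcx-ab")],      # tempting, but pcx-ab does not lead to C
    "B": [("10.1.0.0/16", "local"), ("10.0.0.0/16", "pcx-ab"), ("10.2.0.0/16", "pcx-bc")],
    "C": [("10.2.0.0/16", "local"), ("10.1.0.0/16", "pcx-bc")],
}


def validate_peering(pcx, vpcs=VPCS, peerings=PEERINGS, routes=ROUTES):
    """Problems that would stop traffic flowing both ways over one peering connection."""
    a, b = peerings[pcx]
    problems = []
    if ipaddress.ip_network(vpcs[a]).overlaps(ipaddress.ip_network(vpcs[b])):
        problems.append(f"{a} and {b} have overlapping CIDRs; AWS will not create {pcx}")
    for src, dst in ((a, b), (b, a)):
        if (vpcs[dst], pcx) not in routes[src]:
            problems.append(f"{src} has no route for {vpcs[dst]} via {pcx}")
    return problems


def can_reach(src, dst, vpcs=VPCS, peerings=PEERINGS, routes=ROUTES):
    """True only if src routes dst's CIDR to a peering that directly joins src
    and dst, and dst has the return route. Peering is not transitive, so a
    route to C's CIDR via pcx-ab is a black hole, not a path."""
    for prefix, target in routes[src]:
        if prefix != vpcs[dst] or target not in peerings:
            continue
        if set(peerings[target]) != {src, dst}:
            return False                  # the peering doesn't end at dst
        return (vpcs[src], target) in routes[dst]
    return False


def black_holes(vpc, vpcs=VPCS, peerings=PEERINGS, routes=ROUTES):
    """Routes in vpc's table whose pcx target does not connect to the VPC owning the prefix."""
    owner = {cidr: name for name, cidr in vpcs.items()}
    bad = []
    for prefix, target in routes[vpc]:
        if target in peerings and set(peerings[target]) != {vpc, owner.get(prefix)}:
            bad.append((prefix, target))
    return bad


if __name__ == "__main__":
    for pcx in PEERINGS:
        print(pcx, validate_peering(pcx) or "OK")
    for src, dst in [("A", "B"), ("A", "C"), ("C", "A"), ("B", "C")]:
        print(f"{src} -> {dst}:", can_reach(src, dst))
    print("black holes in A:", black_holes("A"))
```

`black_holes("A")` is the check worth running after any peering change: a route whose pcx- target doesn't actually join the two VPCs concerned is accepted by the route table but never carries a packet.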


  • The VPC service provides the networking foundation for EC2 and other AWS services
  • Each region automatically provides a default VPC with default subnets, a main route table, a default security group and a default NACL
  • The allowed VPC CIDR prefix length ranges from /16 to /28; the longer the prefix, the fewer IP addresses are available
  • A subnet is a logical container that holds EC2 instances
  • If an availability zone fails, every subnet in that zone and every instance in those subnets will also fail, so spread subnets (and the instances in them) across at least two AZs
  • Every instance must have a primary network interface with a primary private IP address


Information on this page was obtained from source: AWS Certified Solutions Architect Second Edition ISBN 978-1-119-50421-4

Notes taken are kept brief and for personal reference. I urge and highly recommend anyone using this page as a source of information to purchase the source material for the complete information. The original book is fantastic and includes exercises, practice questions, verbose explanations and extra learning resources.