
AWS VPC (Virtual Private Cloud)

What is Amazon VPC?

Amazon VPC is a foundational AWS service that allows you to launch AWS resources in a logically isolated virtual network that you define.

Core VPC Capabilities

  • Launch AWS resources in logically isolated virtual networks
  • Network customization with complete control over your virtual networking environment
  • Public subnets for web servers with internet access
  • Private subnets for backend systems without direct internet access
  • Multiple security layers through Security Groups and Network ACLs
  • Granular access control to EC2 instances in each subnet

Problems VPC Solves

Network Isolation

VPC provides network isolation and security in cloud environments, solving traditional networking challenges.

Key Problem Areas

| Problem | VPC Solution |
|---|---|
| Network Security | Isolated virtual networks with customizable security |
| Resource Separation | Public and private subnet segregation |
| Internet Access Control | Controlled internet access for different components |
| Network Architecture | Customizable network topology and routing |

Benefits of Amazon VPC

  • Complete control over virtual networking environment
  • Enhanced security through network isolation
  • Flexible configuration for diverse network requirements
  • Seamless integration with other AWS services
  • Scalable infrastructure that grows with your needs

VPC Architecture Patterns

Multi-Tier Architecture

┌─────────────────────────────────────────────────────────┐
│ VPC                                                     │
│ ┌─────────────────┐  ┌─────────────────────────────┐    │
│ │ Public Subnet   │  │ Private Subnet              │    │
│ │                 │  │                             │    │
│ │ Web Servers     │  │ Application Servers         │    │
│ │ (EC2)           │  │ (EC2)                       │    │
│ │                 │  │                             │    │
│ └─────────────────┘  │ ┌─────────────────────────┐ │    │
│                      │ │ Database Subnet         │ │    │
│                      │ │ (RDS)                   │ │    │
│                      │ └─────────────────────────┘ │    │
│                      └─────────────────────────────┘    │
└─────────────────────────────────────────────────────────┘

Architecture Best Practices

  1. Separate tiers - Web, application, and database layers
  2. Public subnets for internet-facing resources (web servers)
  3. Private subnets for internal resources (databases, app servers)
  4. Multiple Availability Zones for high availability
  5. Proper security groups and Network ACLs implementation

Core VPC Components

Subnets

| Subnet Type | Purpose | Internet Access | Use Cases |
|---|---|---|---|
| Public | Internet-facing resources | Direct via IGW | Web servers, load balancers |
| Private | Internal resources | Via NAT Gateway | App servers, databases |
| Database | Database tier | Via NAT Gateway | RDS, ElastiCache |

Gateways

| Gateway Type | Function | Use Case |
|---|---|---|
| Internet Gateway (IGW) | Internet access for public subnets | Web servers, public APIs |
| NAT Gateway | Outbound internet for private subnets | Software updates, API calls |
| VPN Gateway | On-premises connectivity | Hybrid cloud architectures |

Implementation Guide

1. Create VPC

# Create VPC with CIDR block
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=MyVPC}]'

2. Create Subnets

# Public subnet
aws ec2 create-subnet --vpc-id vpc-12345678 --cidr-block 10.0.1.0/24 --availability-zone us-west-2a

# Private subnet
aws ec2 create-subnet --vpc-id vpc-12345678 --cidr-block 10.0.2.0/24 --availability-zone us-west-2a

3. Configure Internet Gateway

# Create and attach Internet Gateway
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --vpc-id vpc-12345678 --internet-gateway-id igw-12345678

4. Set Up Route Tables

# Create route table for public subnet
aws ec2 create-route-table --vpc-id vpc-12345678
aws ec2 create-route --route-table-id rtb-12345678 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-12345678
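Steps 1 to 4 as one script, added here as an example (not the page's own code) using boto3 instead of the CLI. It captures each generated ID rather than relying on placeholders such as vpc-12345678, and it adds two things the CLI sequence leaves implicit: a subnet only becomes "public" once the route table with the IGW route is associated with it, and instances launched there need a public IP to use the IGW. The region, CIDRs and Name tag are assumptions taken from the steps above; the `ec2` parameter is any object with the boto3 EC2 client methods used here, so the function can be exercised offline against a fake client.

```python
"""Build the VPC from the Implementation Guide with boto3 (added example).

The ec2 parameter is any object exposing the boto3 EC2 client methods used
below, so the function can be run against a fake client without AWS access.
"""


def create_public_private_vpc(ec2, vpc_cidr="10.0.0.0/16",
                              public_cidr="10.0.1.0/24",
                              private_cidr="10.0.2.0/24",
                              az="us-west-2a", name="MyVPC"):
    """Return a dict of the IDs created, mirroring steps 1-4 of the guide."""
    # Step 1: the VPC itself, tagged with a Name.
    vpc_id = ec2.create_vpc(
        CidrBlock=vpc_cidr,
        TagSpecifications=[{"ResourceType": "vpc",
                            "Tags": [{"Key": "Name", "Value": name}]}],
    )["Vpc"]["VpcId"]

    # Step 2: one public and one private subnet in the same AZ.
    public_id = ec2.create_subnet(VpcId=vpc_id, CidrBlock=public_cidr,
                                  AvailabilityZone=az)["Subnet"]["SubnetId"]
    private_id = ec2.create_subnet(VpcId=vpc_id, CidrBlock=private_cidr,
                                   AvailabilityZone=az)["Subnet"]["SubnetId"]

    # Step 3: create the Internet Gateway and attach it to the VPC.
    igw_id = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)

    # Step 4: a route table with a default route to the IGW. The subnet is
    # only public once this table is associated with it; the private subnet
    # stays on the VPC's main route table, which has no route to the IGW.
    rtb_id = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=rtb_id, DestinationCidrBlock="0.0.0.0/0",
                     GatewayId=igw_id)
    ec2.associate_route_table(RouteTableId=rtb_id, SubnetId=public_id)
    # Instances launched in the public subnet need a public IP to reach the IGW.
    ec2.modify_subnet_attribute(SubnetId=public_id,
                                MapPublicIpOnLaunch={"Value": True})

    return {"vpc": vpc_id, "public_subnet": public_id,
            "private_subnet": private_id, "igw": igw_id, "public_rtb": rtb_id}


if __name__ == "__main__":
    import boto3  # real client only when run directly against AWS
    print(create_public_private_vpc(boto3.client("ec2", region_name="us-west-2")))
```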

Security Configuration

Security Groups vs Network ACLs

| Feature | Security Groups | Network ACLs |
|---|---|---|
| Level | Instance level | Subnet level |
| Rules | Allow rules only | Allow and deny rules |
| State | Stateful | Stateless |
| Default | Deny all inbound | Allow all traffic |
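The stateful/stateless row is the one that bites in practice. The following added example (not from the page) evaluates one HTTPS connection against a security group and against a NACL: the security group allows the reply automatically, while a NACL that allows only inbound 443 and outbound 443 silently drops the reply to the client's ephemeral port until an outbound ephemeral-port rule is added. Rule numbers, ports and the client address are constructed for illustration.

```python
"""Why a stateful security group and a stateless NACL behave differently on
the same HTTPS connection (added example, not from the page). Rule numbers,
ports and the client address are constructed for illustration."""
import ipaddress

# NACL rules: (rule number, protocol, (from port, to port), cidr, action).
NACL_INBOUND = [(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
NACL_OUTBOUND = [(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
# Security group rules are allow-only: (protocol, (from port, to port), cidr).
SG_INBOUND = [("tcp", (443, 443), "0.0.0.0/0")]


def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def nacl_decision(rules, proto, port, remote_ip):
    """Stateless evaluation: lowest rule number first, first match wins, and
    the implicit '*' rule denies anything that matched nothing."""
    for _num, rproto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if rproto == proto and lo <= port <= hi and in_cidr(remote_ip, cidr):
            return action
    return "deny"


def sg_allows_connection(inbound, proto, dst_port, client_ip):
    """Stateful evaluation: once the inbound request matches an allow rule,
    the reply to the client's ephemeral port is allowed automatically."""
    return any(rproto == proto and lo <= dst_port <= hi and in_cidr(client_ip, cidr)
               for rproto, (lo, hi), cidr in inbound)


def nacl_allows_connection(inbound, outbound, proto, dst_port, client_ip, client_port):
    """A NACL must explicitly allow both the request (inbound, to dst_port) and
    the reply (outbound, back to the client's ephemeral port)."""
    return (nacl_decision(inbound, proto, dst_port, client_ip) == "allow"
            and nacl_decision(outbound, proto, client_port, client_ip) == "allow")


# An outbound rule for the ephemeral port range is what lets replies leave.
NACL_OUTBOUND_FIXED = NACL_OUTBOUND + [(110, "tcp", (1024, 65535), "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    # A client at 203.0.113.7 (documentation range) connects from port 51234 to 443.
    client, eph = "203.0.113.7", 51234
    print("SG            :", sg_allows_connection(SG_INBOUND, "tcp", 443, client))
    print("NACL          :", nacl_allows_connection(NACL_INBOUND, NACL_OUTBOUND, "tcp", 443, client, eph))
    print("NACL+ephemeral:", nacl_allows_connection(NACL_INBOUND, NACL_OUTBOUND_FIXED, "tcp", 443, client, eph))
```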

Security Group Example

# Create security group for web servers
aws ec2 create-security-group --group-name WebServerSG --description "Security group for web servers" --vpc-id vpc-12345678

# Allow HTTP traffic
aws ec2 authorize-security-group-ingress --group-id sg-12345678 --protocol tcp --port 80 --cidr 0.0.0.0/0

# Allow HTTPS traffic
aws ec2 authorize-security-group-ingress --group-id sg-12345678 --protocol tcp --port 443 --cidr 0.0.0.0/0

Best Practices

Network Planning

Plan your IP address ranges carefully to avoid conflicts and allow for future growth.

IP Address Planning

| Environment | VPC CIDR | Subnet Strategy |
|---|---|---|
| Development | 10.0.0.0/16 | /24 subnets (254 hosts each) |
| Staging | 10.1.0.0/16 | /24 subnets |
| Production | 10.2.0.0/16 | /23 subnets (510 hosts each) |

Design Considerations

Important Considerations

  • Availability Zone distribution for high availability
  • Proper security group rules - principle of least privilege
  • Network monitoring and cost optimization
  • Scalability planning for future growth

  1. Multi-AZ Deployment
    • Distribute subnets across multiple AZs
    • Ensure redundancy for critical components
  2. Security Implementation
    • Use security groups as primary firewall
    • Implement NACLs for additional subnet-level security
    • Regular security audits and reviews
  3. Monitoring and Optimization
    • Enable VPC Flow Logs for traffic analysis
    • Monitor NAT Gateway usage and costs
    • Optimize data transfer patterns
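A concrete form of the "least privilege" and "regular security audits" points above, added here as an example (not from the page): a check over the JSON that `aws ec2 describe-security-groups` returns, flagging any ingress rule that allows all protocols, or that opens a port other than the web ports from the page's WebServerSG example to 0.0.0.0/0 or ::/0. The three groups in the sample are constructed; the field names are those of the real describe-security-groups output.

```python
"""Flag security group ingress rules wider than least privilege (added
example, not from the page). Input is the JSON shape returned by
`aws ec2 describe-security-groups`; the groups below are constructed."""
import json

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}  # what the page's WebServerSG legitimately exposes

SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-0aaa", "GroupName": "WebServerSG", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
 {"GroupId": "sg-0bbb", "GroupName": "AppServerSG", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]},
  {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
 {"GroupId": "sg-0ccc", "GroupName": "DbSG", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}""")


def audit_ingress(describe_output):
    """Return (group id, name, finding) for each rule that allows all protocols,
    or that opens a port outside PUBLIC_OK_PORTS to the whole internet."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            cidrs = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
                     + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])
            proto = perm["IpProtocol"]
            if proto == "-1":  # all protocols and ports; FromPort/ToPort are absent
                src = ", ".join(cidrs) or "referenced security groups"
                findings.append((sg["GroupId"], sg["GroupName"], "all traffic allowed from " + src))
                continue
            world = sorted(c for c in cidrs if c in WORLD)
            lo, hi = perm["FromPort"], perm["ToPort"]
            if world and set(range(lo, hi + 1)) - PUBLIC_OK_PORTS:
                findings.append((sg["GroupId"], sg["GroupName"],
                                 f"{proto} {lo}-{hi} open to {', '.join(world)}"))
    return findings


if __name__ == "__main__":
    for gid, name, msg in audit_ingress(SAMPLE):
        print(f"{gid} ({name}): {msg}")
```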

Common Use Cases

1. Web Application Architecture

# Three-tier architecture setup
# Public subnet: Load balancer + Web servers
# Private subnet: Application servers
# Database subnet: RDS instances

2. Hybrid Cloud Connectivity

# VPN connection to on-premises
aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id cgw-12345678 --vpn-gateway-id vgw-12345678

3. Multi-Environment Setup

| Environment | VPC | Purpose |
|---|---|---|
| Development | 10.0.0.0/16 | Development and testing |
| Staging | 10.1.0.0/16 | Pre-production validation |
| Production | 10.2.0.0/16 | Live applications |

Pricing

Cost Structure

VPC itself is free - you only pay for the resources you use within it.

Cost Components

| Component | Pricing | Notes |
|---|---|---|
| VPC | Free | No charge for VPC creation |
| NAT Gateway | $0.045/hour + data processing | Per gateway, per hour |
| Elastic IP | $0.005/hour (when not attached) | Free when attached to running instance |
| VPN Connection | $0.05/hour | Per VPN connection |
| Data Transfer | Varies | Between AZs, regions, internet |

Cost Optimization Tips

  • Use NAT Instances instead of NAT Gateways for low-traffic scenarios
  • Optimize data transfer patterns
  • Release unused Elastic IPs
  • Monitor and right-size resources

Quick Reference

Essential CLI Commands

# List VPCs
aws ec2 describe-vpcs

# List subnets
aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-12345678"

# Check route tables
aws ec2 describe-route-tables --filters "Name=vpc-id,Values=vpc-12345678"

# View security groups
aws ec2 describe-security-groups --filters "Name=vpc-id,Values=vpc-12345678"

CIDR Block Examples

| CIDR Block | IP Range | Available IPs | Use Case |
|---|---|---|---|
| 10.0.0.0/16 | 10.0.0.0 - 10.0.255.255 | 65,536 | Large VPC |
| 10.0.0.0/24 | 10.0.0.0 - 10.0.0.255 | 256 | Single subnet |
| 10.0.1.0/28 | 10.0.1.0 - 10.0.1.15 | 16 | Small subnet |
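The IP Address Planning table and the CIDR examples above both count raw addresses. The following added example (not from the page) carves a VPC CIDR into per-AZ, per-tier subnets, reports the addresses an instance can actually take on AWS (AWS reserves the first four and the last address of every subnet, so a /24 yields 251 usable hosts and a /28 yields 11), and checks a set of VPC CIDRs for overlap before they are peered or connected by VPN. The AZ names and tier names are assumptions.

```python
"""Carve a VPC CIDR into per-AZ, per-tier subnets and report AWS-usable
addresses (added example, not from the page). AWS reserves five addresses
per subnet: network, VPC router, DNS, one for future use, and broadcast."""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr):
    """Addresses an instance can actually take in an AWS subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, azs, tiers, prefix):
    """Allocate one /prefix subnet per (AZ, tier) from vpc_cidr, in order, and
    return {(az, tier): cidr}. Raises ValueError if the VPC is too small."""
    pool = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix)
    plan = {}
    try:
        for az in azs:
            for tier in tiers:
                plan[(az, tier)] = str(next(pool))
    except StopIteration:
        raise ValueError(f"{vpc_cidr} cannot hold {len(azs) * len(tiers)} /{prefix} subnets")
    return plan


def overlapping(cidrs):
    """Pairs of CIDRs that overlap; peering or VPN routing between them breaks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    # Production layout from the planning table: 10.2.0.0/16 cut into /23s,
    # one subnet per tier in each of two (assumed) AZs.
    layout = plan_subnets("10.2.0.0/16", ["us-west-2a", "us-west-2b"],
                          ["public", "app", "db"], 23)
    for (az, tier), cidr in layout.items():
        print(f"{az:11} {tier:7} {cidr:14} {usable_hosts(cidr)} usable hosts")
    print("overlaps:", overlapping(["10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16"]))
```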