AWS Foundations
VPC Networking Model
Build a first-principles model of AWS VPC networking, including subnets, routing, gateways, security groups, NACLs, and private connectivity.
After this, you will understand
- VPC fluency turns AWS networking questions from memorized service trivia into predictable traffic-path reasoning.
- A VPC is a private network in AWS where you place resources into subnets and control how traffic moves.
- Learners memorize public and private subnet labels but cannot explain route tables, gateways, or why a subnet is public.
- Start every VPC question by tracing source, destination, route table, gateway, security group, NACL, and DNS path.
Think before reading: What actually makes a subnet public in AWS?
Concepts Covered
- VPCs and CIDR ranges
- Subnets and Availability Zones
- Public and private subnets
- Route tables
- Internet gateways
- NAT gateways
- Security groups
- Network ACLs
- VPC endpoints
- VPC peering and Transit Gateway
1. Plain-English Definition
A Virtual Private Cloud, or VPC, is a logically isolated network in AWS.
Inside a VPC, you choose an IP address range, create subnets, launch resources, attach gateways, configure routes, and apply network security controls. EC2 instances, load balancers, RDS databases, ECS tasks, Lambda functions with VPC access, and many other resources can live inside or connect to a VPC.
The shortest useful definition is:
VPC = private AWS network + subnets + routes + gateways + network controls
A subnet is a slice of the VPC IP range in one Availability Zone. A route table decides where traffic from that subnet should go. A gateway or endpoint connects the VPC to something else: the internet, another VPC, an AWS service, an on-premises network, or a NAT path.
VPC design is where cloud architecture becomes physical enough to reason about packets, reachability, failure zones, and exposure.
2. Why This Matters In AWS
Many AWS exam questions are really networking questions with service names attached.
Why can an EC2 instance not reach the internet? Check, in order, the subnet's route table, the internet gateway attachment, whether the instance has a public IPv4 (or IPv6) address, the security group, the network ACL, and DNS resolution.
Why should a database be in a private subnet? Because clients should access it through controlled application paths, not directly from the public internet.
Why use a NAT gateway? To allow private resources to initiate outbound internet access without accepting inbound internet traffic.
Why use a VPC endpoint? To reach supported AWS services privately without sending traffic over the public internet.
For real systems, VPC design affects security, availability, cost, latency, and operations. A weak VPC design can expose databases, force unnecessary public paths, create single-AZ dependencies, or make future connectivity painful.
The exam does not expect you to be a packet-level networking specialist. It does expect you to reason clearly about routing, public versus private placement, security groups, NACLs, endpoints, and connectivity choices.
3. The Beginner Mental Model
Think of a VPC like a private office campus.
Subnets are rooms or floors in specific buildings. Some rooms have controlled doors to the street. Some rooms are internal only. Route tables are signs that tell traffic where to go. Security groups are guards attached to each server's network interface. Network ACLs are checkpoint rules at the subnet edge.
A common layout looks like this:
VPC
-> public subnet in AZ A: load balancer, NAT gateway
-> private subnet in AZ A: app instances
-> database subnet in AZ A: database
-> public subnet in AZ B: load balancer, NAT gateway
-> private subnet in AZ B: app instances
-> database subnet in AZ B: database
The public subnet is not public because of its name. It is public because its route table sends 0.0.0.0/0 (internet-bound traffic) to an internet gateway, and a resource inside it is reachable from the internet only when it also has a public IPv4 or IPv6 address and its security group and NACL allow the traffic.
The private subnet is private because it does not have a direct route to an internet gateway. It may still reach the internet through a NAT gateway or reach AWS services through VPC endpoints.
4. What That Mental Model Misses
The simple model hides several AWS-specific details.
First, subnets are Availability Zone scoped. If you want a highly available workload, you usually need subnets in multiple AZs and resources spread across them.
Second, route tables are associated with subnets, and a subnet with no explicit association uses the VPC's main route table. Two subnets can be in the same VPC but behave very differently because they use different route tables.
Third, security groups are stateful and attached to elastic network interfaces. If inbound traffic is allowed, the response is automatically allowed. Network ACLs are stateless and attached at the subnet level, so the return half of every flow, which usually lands on an ephemeral port between 1024 and 65535, must be allowed explicitly in the opposite direction.
Fourth, private does not mean disconnected. Private resources can reach external systems through NAT, VPN, Direct Connect, Transit Gateway, VPC peering, or endpoints.
Fifth, network controls and IAM controls are different. A VPC endpoint can keep traffic private, but IAM and endpoint policies still decide which AWS API actions are allowed.
5. AWS Mechanics
A VPC has a primary IPv4 CIDR between /16 and /28, such as 10.0.0.0/16. Subnets use smaller ranges inside it, such as 10.0.1.0/24, and AWS reserves five addresses in every subnet (the first four and the last), so a /24 yields 251 usable addresses. Avoid overlapping CIDRs when VPCs may connect later through peering, Transit Gateway, VPN, or Direct Connect; overlapping ranges cannot be peered and make routing ambiguous.
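As an added example (not from the original page or from AWS tooling), the following Python uses only the standard `ipaddress` module to carve a VPC range into per-tier, per-AZ subnets, count usable addresses after AWS's five reserved ones, and flag overlapping ranges before two networks are connected. The VPC and AZ names are constructed placeholders.

```python
import ipaddress

# AWS reserves the first four and the last IPv4 address of every subnet
# (network, VPC router, DNS, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def validate_vpc_cidr(vpc_cidr):
    """A VPC's primary IPv4 CIDR must be between /16 and /28."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError(f"{vpc_cidr}: VPC CIDR must be /16 to /28")
    return vpc


def usable_hosts(subnet_cidr):
    """Addresses you can actually assign to interfaces in one AWS subnet."""
    return ipaddress.ip_network(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_tiers(vpc_cidr, azs, tiers, prefix=24):
    """Carve one /prefix subnet per (tier, AZ) out of the VPC range, in order.

    Returns {(tier, az): cidr}. Raises ValueError if the VPC is too small.
    """
    vpc = validate_vpc_cidr(vpc_cidr)
    blocks = iter(vpc.subnets(new_prefix=prefix))
    plan = {}
    for tier in tiers:
        for az in azs:
            try:
                plan[(tier, az)] = str(next(blocks))
            except StopIteration:
                raise ValueError("VPC range too small for the requested tiers and AZs")
    return plan


def overlapping_pairs(cidrs):
    """Pairs of ranges that overlap; any pair here blocks peering, TGW or VPN routing."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b))
            for i, a in enumerate(nets)
            for b in nets[i + 1:]
            if a.overlaps(b)]


if __name__ == "__main__":
    # Constructed example: three tiers across two AZs in a /16.
    layout = plan_tiers("10.0.0.0/16", ["us-east-1a", "us-east-1b"],
                        ["public", "private", "db"])
    for key, cidr in layout.items():
        print(key, cidr, usable_hosts(cidr), "usable addresses")
    # A second VPC at 10.0.0.0/20 would collide with the first; 172.16.0.0/12 would not.
    print(overlapping_pairs(["10.0.0.0/16", "10.0.0.0/20", "172.16.0.0/12"]))
```

Run the overlap check against every CIDR that might ever join the same Transit Gateway or peering mesh, including on-premises ranges, before the first VPC is created; renumbering later is far more painful than choosing disjoint ranges up front.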
An internet gateway attaches to a VPC and enables internet routing. A subnet route table can send 0.0.0.0/0 to the internet gateway. Instances also need a public IPv4 address (auto-assigned or an Elastic IP) or IPv6 configuration, and security groups and NACLs must allow the traffic; a packet that reaches the internet gateway from an instance with only a private IPv4 address is dropped.
A NAT gateway sits in a public subnet, holds an Elastic IP, and lets private subnet resources initiate outbound IPv4 internet connections; the private subnet's route table sends 0.0.0.0/0 to the NAT gateway. It does not allow unsolicited inbound internet access to those private resources. A NAT gateway lives in one Availability Zone, so a multi-AZ design usually deploys one per AZ and routes each private subnet to the NAT gateway in its own AZ.
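The tracing discipline from the opening of this page (source, destination, route table, gateway), as an added example rather than code from the original page: a small Python model of route-table association, longest-prefix matching and gateway semantics. The route tables, subnets and resource ids are constructed placeholders, not real AWS identifiers, and the model covers routing and addressing only; security groups and NACLs are a separate check.

```python
import ipaddress

# Constructed sample topology. Ids are illustrative placeholders, not real AWS ids.
ROUTE_TABLES = {
    "rtb-main":    [("10.0.0.0/16", "local")],
    "rtb-public":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-example")],
    "rtb-private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-example"),
                    ("10.1.0.0/16", "pcx-example")],
}
MAIN_ROUTE_TABLE = "rtb-main"
SUBNETS = {
    "subnet-public-a":  {"cidr": "10.0.0.0/24", "rtb": "rtb-public"},
    "subnet-private-a": {"cidr": "10.0.2.0/24", "rtb": "rtb-private"},
    "subnet-db-a":      {"cidr": "10.0.4.0/24", "rtb": None},  # no explicit association
}


def route_table_for(subnet_id):
    """A subnet with no explicit association uses the VPC's main route table."""
    return SUBNETS[subnet_id]["rtb"] or MAIN_ROUTE_TABLE


def lookup_route(rtb_id, dst_ip):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in ROUTE_TABLES[rtb_id]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def subnet_is_public(subnet_id):
    """Public means the subnet's route table carries a route to an internet gateway."""
    return any(t.startswith("igw-") for _, t in ROUTE_TABLES[route_table_for(subnet_id)])


def trace(subnet_id, dst_ip, has_public_ip=False):
    """Classify the path a packet from a resource in subnet_id takes toward dst_ip."""
    target = lookup_route(route_table_for(subnet_id), dst_ip)
    if target is None:
        return "no-route"            # VPC router has nowhere to send it; dropped
    if target == "local":
        return "local"               # stays inside the VPC
    if target.startswith("igw-"):
        # An IGW only forwards IPv4 for an interface that has a public or Elastic IP.
        return "internet" if has_public_ip else "no-public-ip"
    if target.startswith("nat-"):
        return "nat-outbound-only"   # replies return; unsolicited inbound does not
    if target.startswith("pcx-"):
        return "peering"             # exactly one hop; peering is not transitive
    return "other"


def reachable_from_internet(subnet_id, has_public_ip):
    """Inbound from the internet needs both the IGW route and a public address."""
    return subnet_is_public(subnet_id) and has_public_ip


if __name__ == "__main__":
    for subnet in SUBNETS:
        print(subnet, "public" if subnet_is_public(subnet) else "private",
              "-> 93.184.216.34:", trace(subnet, "93.184.216.34", has_public_ip=True))
```

Note that the database subnet ends up on the main route table simply because nobody associated one; that is why the trace returns "no-route" for internet destinations there, and also why editing the main route table silently changes every unassociated subnet in the VPC.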
A VPC endpoint provides private access to supported AWS services. Gateway endpoints support S3 and DynamoDB; they are route-table entries that point the service's prefix list at the endpoint, and they carry no charge. Interface endpoints use AWS PrivateLink: an elastic network interface with a private IP address in your subnet, optionally with private DNS so the service's normal hostname resolves to it, protected by a security group, for many other services.
Security groups contain allow rules only; every rule is evaluated, and anything not matched is denied. Network ACLs hold numbered allow and deny rules at the subnet boundary, evaluated in ascending rule number with the first match winning. The default NACL allows all traffic, and a newly created custom NACL denies everything until rules are added.
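To make the stateful versus stateless distinction concrete, here is an added Python example (not code from the original page) that evaluates a security group and a NACL with their real semantics: allow-only, any-match for the group; ordered, first-match, implicit deny for the ACL. It then traces one HTTPS connection through both layers in both directions. The rules and client addresses are constructed; TCP is assumed throughout.

```python
import ipaddress

# Hosts reply from an ephemeral source port; Linux, load balancers and NAT
# gateways use this range, so a stateless ACL must allow it on the return path.
EPHEMERAL_PORTS = (1024, 65535)


def _matches(cidr, ip, port_from, port_to, port):
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)
            and port_from <= port <= port_to)


def sg_allows(rules, port, ip):
    """Security group: rules are (port_from, port_to, cidr) allow entries only.
    Every rule is evaluated; any match permits; no match means deny."""
    return any(_matches(cidr, ip, pf, pt, port) for pf, pt, cidr in rules)


def nacl_allows(rules, port, ip):
    """Network ACL: rules are (number, port_from, port_to, cidr, action), evaluated
    in ascending number order; the first match decides; the implicit '*' rule denies."""
    for _number, pf, pt, cidr, action in sorted(rules, key=lambda r: r[0]):
        if _matches(cidr, ip, pf, pt, port):
            return action == "allow"
    return False


def inbound_tcp_allowed(sg_in, nacl_in, nacl_out, dport, client_ip, client_port):
    """Trace one client -> instance TCP connection: the request passes the NACL
    inbound then the SG inbound; the reply passes the SG outbound (stateful, so
    automatic) then the NACL outbound (stateless, so it needs its own rule)."""
    checks = {
        "nacl_in_request": nacl_allows(nacl_in, dport, client_ip),
        "sg_in_request": sg_allows(sg_in, dport, client_ip),
        # Stateful: the reply to an allowed request is permitted automatically.
        "sg_out_reply": True,
        # Stateless: the reply to client_ip:client_port must match an outbound rule.
        "nacl_out_reply": nacl_allows(nacl_out, client_port, client_ip),
    }
    return all(checks.values()), checks


# Constructed sample rules; client addresses come from documentation ranges.
SG_WEB = [(443, 443, "0.0.0.0/0")]
NACL_IN_OPEN = [(100, 443, 443, "0.0.0.0/0", "allow")]
NACL_OUT_BROKEN = [(100, 443, 443, "0.0.0.0/0", "allow")]   # forgot the ephemeral range
NACL_OUT_FIXED = NACL_OUT_BROKEN + [(110, *EPHEMERAL_PORTS, "0.0.0.0/0", "allow")]
# A deny must be numbered below the broad allow or it is never reached.
NACL_IN_BLOCK_FIRST = [(90, 443, 443, "203.0.113.0/24", "deny")] + NACL_IN_OPEN
NACL_IN_BLOCK_LAST = NACL_IN_OPEN + [(200, 443, 443, "203.0.113.0/24", "deny")]


if __name__ == "__main__":
    for name, nacl_out in (("broken", NACL_OUT_BROKEN), ("fixed", NACL_OUT_FIXED)):
        ok, checks = inbound_tcp_allowed(SG_WEB, NACL_IN_OPEN, nacl_out,
                                         443, "198.51.100.7", 51515)
        print(name, ok, checks)
    print("deny first:", nacl_allows(NACL_IN_BLOCK_FIRST, 443, "203.0.113.5"))
    print("deny last: ", nacl_allows(NACL_IN_BLOCK_LAST, 443, "203.0.113.5"))
```

The "broken" case is the classic NACL failure: the handshake's SYN arrives, the security group passes it, the instance's SYN-ACK leaves the interface, and the subnet ACL drops it because nothing allows outbound traffic to port 51515. The ordering case shows the other trap: a deny rule numbered after the catch-all allow is dead configuration.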
6. Architecture Examples
A standard web application often uses public subnets for an Application Load Balancer and private subnets for application compute. The database lives in isolated private database subnets. Users connect to the load balancer. The load balancer forwards to app instances. App instances connect to the database.
Private app instances may need to download patches or call external APIs. A NAT gateway can provide outbound access. If the application only needs S3 or DynamoDB, gateway endpoints keep that traffic off the public internet and off the NAT gateway, which also avoids NAT data-processing charges for it.
A company with on-premises systems may connect to AWS using Site-to-Site VPN or Direct Connect. Transit Gateway can simplify hub-and-spoke connectivity across many VPCs and accounts.
A multi-account environment may use a shared networking account where central connectivity is managed separately from workload accounts.
7. SAA-C03 Exam Signals
"Instances in a private subnet need outbound internet access" points to a NAT gateway in a public subnet.
"Keep traffic to S3 private without internet traversal" points to an S3 gateway endpoint for resources inside the VPC, or an S3 interface endpoint when on-premises or peered networks must also use the private path.
"Database should not be accessible from the internet" points to private subnets, restrictive security groups, and no public accessibility.
"Allow HTTP and HTTPS to a web tier" points to security group inbound rules on the load balancer or instance, depending on the architecture.
"Stateless subnet-level filtering" points to network ACLs.
"Connect many VPCs and on-premises networks at scale" often points to Transit Gateway.
8. Common Traps
Do not call a subnet public just because the console name says "public." The route table and addressing determine reachability.
Do not put a NAT gateway that serves internet egress in a private subnet. It needs to live in a public subnet whose route table sends 0.0.0.0/0 to an internet gateway; otherwise it has no path out itself.
Do not forget that NACLs are stateless. Return traffic needs rules too, typically an allow for ephemeral ports 1024 to 65535 in the opposite direction.
Do not expose databases publicly when the requirement is application-only access.
Do not use VPC peering for overlapping CIDRs or transitive routing. Peering is not a transit router.
Do not confuse VPC endpoints with IAM permissions. Endpoints create private network paths. IAM still controls allowed actions.
9. What To Learn Next
Next, study Amazon EC2, because EC2 is the easiest place to see subnets, security groups, public IPs, roles, and load balancing come together.
Then study Amazon RDS, where VPC subnet choices affect database exposure, failover, and application connectivity.