DevOpsAWSCloud

AWS VPC Networking Guide: Subnets, Route Tables, Security Groups & NACLs

Learn AWS VPC networking from scratch. Build isolated networks with public and private subnets, configure route tables, internet gateways, NAT gateways, and security controls.

TT
Sarah Mitchell
5 min read
AWS VPC Networking Guide: Subnets, Route Tables, Security Groups & NACLs

Every resource you launch in AWS — EC2 instances, RDS databases, Lambda functions, ECS tasks — lives inside a Virtual Private Cloud (VPC). The VPC is your own isolated section of the AWS network. Understanding how to design and secure VPCs is one of the most heavily tested topics in the SAA-C03 exam.


What Is a VPC?

A VPC is a logically isolated virtual network within an AWS Region. It has a CIDR block defining its IP address range (e.g., 10.0.0.0/16 — 65,536 addresses), subnets dividing the VPC across Availability Zones, route tables controlling where traffic flows, gateways connecting the VPC to the internet or other networks, and security controls at both the subnet level (NACLs) and instance level (Security Groups).

AWS creates a default VPC in each region — ready to use with internet connectivity. For production, always create a custom VPC with explicitly designed architecture.


Subnets

A subnet is a range of IP addresses within your VPC, tied to a specific Availability Zone.

text
VPC: 10.0.0.0/16 (65,536 IPs)
  ├── Subnet: 10.0.1.0/24 (256 IPs) — AZ: us-east-1a — Public
  ├── Subnet: 10.0.2.0/24 (256 IPs) — AZ: us-east-1b — Public
  ├── Subnet: 10.0.10.0/24 (256 IPs) — AZ: us-east-1a — Private
  └── Subnet: 10.0.11.0/24 (256 IPs) — AZ: us-east-1b — Private

Public vs Private Subnets

Public SubnetPrivate Subnet
Internet accessYes — via Internet GatewayNo direct internet access
ResourcesWeb servers, load balancersDatabases, application servers
Public IPsInstances can have public IPsNo public IPs
Route tableContains 0.0.0.0/0 → IGW routeNo IGW route

The key distinction: A subnet is "public" not because of its CIDR block, but because its route table has a route pointing to an Internet Gateway.


Internet Gateway (IGW)

An Internet Gateway allows resources in a public subnet to communicate with the internet. It's attached to the VPC (one per VPC), added as a route in the subnet's route table (0.0.0.0/0 → igw-xxxxxxxx), and is horizontally scaled, redundant, and highly available by default.

text
Route Table: public-rt
  ├── 10.0.0.0/16  →  local     (traffic within VPC)
  └── 0.0.0.0/0    →  igw-xxx   (all other traffic → internet)

NAT Gateway

Instances in private subnets often need internet access for outbound connections (downloading OS updates, calling external APIs) — but should never be directly reachable from the internet.

A NAT Gateway (Network Address Translation) solves this: it's placed in a public subnet, the private subnet route table points 0.0.0.0/0 → nat-xxxxxxxx, outbound traffic flows through the NAT Gateway to the Internet Gateway, and return traffic flows back — but inbound connections from the internet are blocked.

text
Route Table: private-rt
  ├── 10.0.0.0/16  →  local       (VPC-internal traffic)
  └── 0.0.0.0/0    →  nat-xxx     (outbound internet via NAT)

NAT Gateways cost ~$0.045/hour + data transfer charges. For cost savings in development, use a NAT Instance or schedule NAT Gateway deletion outside business hours.


Route Tables

Every subnet is associated with a route table. The route table contains rules (routes) that determine where network traffic is directed. The most specific route wins — a /24 route takes precedence over a /16 route for matching traffic.


Security Groups vs Network ACLs

Both control traffic, but they operate at different layers and have different behaviours:

Security GroupsNetwork ACLs (NACLs)
LevelInstance / ENISubnet
StateStatefulStateless
RulesAllow onlyAllow AND Deny
EvaluationAll rules evaluatedRules evaluated in order (lowest number first)
DefaultDeny all inbound, allow all outboundAllow all in/out
Applies toSpecific instancesAll instances in the subnet

Stateful vs Stateless Explained

Security Groups are stateful: If inbound traffic is allowed, the return outbound traffic is automatically allowed — you don't need a separate outbound rule for it.

NACLs are stateless: You must explicitly allow both inbound AND outbound traffic for a connection. If you allow HTTP (port 80) inbound, you must also allow the ephemeral port range (1024–65535) outbound for the response to reach the client.

When to Use NACLs

NACLs are a broad, blunt instrument — they apply to all instances in a subnet. Use them to block a specific IP range at the subnet level (DDoS mitigation), add an extra layer of defence-in-depth, or enforce organisation-wide network policies. For most traffic control, Security Groups are the right tool.


VPC Peering

VPC Peering connects two VPCs (in the same or different accounts, same or different regions) so their resources can communicate using private IP addresses. Key constraints: No transitive peering (you must create direct peerings between each pair of VPCs), No overlapping CIDRs, and route tables on both sides must be updated.

For large-scale connectivity across many VPCs, use AWS Transit Gateway instead — a hub connecting many VPCs and on-premises networks, so you maintain N connections to the hub instead of N×(N-1)/2 peering connections.


VPN and Direct Connect

ConnectionTypeSpeedUse Case
AWS Site-to-Site VPNEncrypted tunnel over public internetUp to 1.25 GbpsQuick hybrid setup, backup connection
AWS Direct ConnectDedicated private fibre to AWS1, 10, 100 GbpsHigh-throughput, consistent latency, compliance

Direct Connect is not encrypted by default — combine with VPN over Direct Connect for both performance and encryption.


Previous: Lesson 5 — Amazon S3 | Next: Lesson 7 — AWS Databases


Part of the AWS Cloud Fundamentals course.

External references: