AWS VPC Networking Guide: Subnets, Route Tables, Security Groups & NACLs
Learn AWS VPC networking from scratch. Build isolated networks with public and private subnets, configure route tables, internet gateways, NAT gateways, and security controls.

Every resource you launch in AWS — EC2 instances, RDS databases, Lambda functions, ECS tasks — lives inside a Virtual Private Cloud (VPC). The VPC is your own isolated section of the AWS network. Understanding how to design and secure VPCs is one of the most heavily tested topics in the SAA-C03 exam.
What Is a VPC?
A VPC is a logically isolated virtual network within an AWS Region. It has a CIDR block defining its IP address range (e.g., 10.0.0.0/16 — 65,536 addresses), subnets dividing the VPC across Availability Zones, route tables controlling where traffic flows, gateways connecting the VPC to the internet or other networks, and security controls at both the subnet level (NACLs) and instance level (Security Groups).
AWS creates a default VPC in each region — ready to use with internet connectivity. For production, always create a custom VPC with explicitly designed architecture.
Subnets
A subnet is a range of IP addresses within your VPC, tied to a specific Availability Zone.
VPC: 10.0.0.0/16 (65,536 IPs)
├── Subnet: 10.0.1.0/24 (256 IPs) — AZ: us-east-1a — Public
├── Subnet: 10.0.2.0/24 (256 IPs) — AZ: us-east-1b — Public
├── Subnet: 10.0.10.0/24 (256 IPs) — AZ: us-east-1a — Private
└── Subnet: 10.0.11.0/24 (256 IPs) — AZ: us-east-1b — PrivatePublic vs Private Subnets
| Public Subnet | Private Subnet | |
|---|---|---|
| Internet access | Yes — via Internet Gateway | No direct internet access |
| Resources | Web servers, load balancers | Databases, application servers |
| Public IPs | Instances can have public IPs | No public IPs |
| Route table | Contains 0.0.0.0/0 → IGW route | No IGW route |
The key distinction: A subnet is "public" not because of its CIDR block, but because its route table has a route pointing to an Internet Gateway.
Internet Gateway (IGW)
An Internet Gateway allows resources in a public subnet to communicate with the internet. It's attached to the VPC (one per VPC), added as a route in the subnet's route table (0.0.0.0/0 → igw-xxxxxxxx), and is horizontally scaled, redundant, and highly available by default.
Route Table: public-rt
├── 10.0.0.0/16 → local (traffic within VPC)
└── 0.0.0.0/0 → igw-xxx (all other traffic → internet)NAT Gateway
Instances in private subnets often need internet access for outbound connections (downloading OS updates, calling external APIs) — but should never be directly reachable from the internet.
A NAT Gateway (Network Address Translation) solves this: it's placed in a public subnet, the private subnet route table points 0.0.0.0/0 → nat-xxxxxxxx, outbound traffic flows through the NAT Gateway to the Internet Gateway, and return traffic flows back — but inbound connections from the internet are blocked.
Route Table: private-rt
├── 10.0.0.0/16 → local (VPC-internal traffic)
└── 0.0.0.0/0 → nat-xxx (outbound internet via NAT)NAT Gateways cost ~$0.045/hour + data transfer charges. For cost savings in development, use a NAT Instance or schedule NAT Gateway deletion outside business hours.
Route Tables
Every subnet is associated with a route table. The route table contains rules (routes) that determine where network traffic is directed. The most specific route wins — a /24 route takes precedence over a /16 route for matching traffic.
Security Groups vs Network ACLs
Both control traffic, but they operate at different layers and have different behaviours:
| Security Groups | Network ACLs (NACLs) | |
|---|---|---|
| Level | Instance / ENI | Subnet |
| State | Stateful | Stateless |
| Rules | Allow only | Allow AND Deny |
| Evaluation | All rules evaluated | Rules evaluated in order (lowest number first) |
| Default | Deny all inbound, allow all outbound | Allow all in/out |
| Applies to | Specific instances | All instances in the subnet |
Stateful vs Stateless Explained
Security Groups are stateful: If inbound traffic is allowed, the return outbound traffic is automatically allowed — you don't need a separate outbound rule for it.
NACLs are stateless: You must explicitly allow both inbound AND outbound traffic for a connection. If you allow HTTP (port 80) inbound, you must also allow the ephemeral port range (1024–65535) outbound for the response to reach the client.
When to Use NACLs
NACLs are a broad, blunt instrument — they apply to all instances in a subnet. Use them to block a specific IP range at the subnet level (DDoS mitigation), add an extra layer of defence-in-depth, or enforce organisation-wide network policies. For most traffic control, Security Groups are the right tool.
VPC Peering
VPC Peering connects two VPCs (in the same or different accounts, same or different regions) so their resources can communicate using private IP addresses. Key constraints: No transitive peering (you must create direct peerings between each pair of VPCs), No overlapping CIDRs, and route tables on both sides must be updated.
For large-scale connectivity across many VPCs, use AWS Transit Gateway instead — a hub connecting many VPCs and on-premises networks, so you maintain N connections to the hub instead of N×(N-1)/2 peering connections.
VPN and Direct Connect
| Connection | Type | Speed | Use Case |
|---|---|---|---|
| AWS Site-to-Site VPN | Encrypted tunnel over public internet | Up to 1.25 Gbps | Quick hybrid setup, backup connection |
| AWS Direct Connect | Dedicated private fibre to AWS | 1, 10, 100 Gbps | High-throughput, consistent latency, compliance |
Direct Connect is not encrypted by default — combine with VPN over Direct Connect for both performance and encryption.
Previous: Lesson 5 — Amazon S3 | Next: Lesson 7 — AWS Databases
Part of the AWS Cloud Fundamentals course.
External references:
