When you launch anything in AWS, it exists within a Virtual Private Cloud, which is your own logically isolated online network. The VPC is where you define how your applications talk to one another, how they connect to the internet, and how they talk to your on-prem infrastructure. 

This guide outlines the major components of the VPC, how they interact, and how you should use them. It is all meat and no filler, based on real deployments and practical information.


What is a VPC?

A VPC (Virtual Private Cloud) is your private section of AWS’s network. Think of it as your own data center: you define its IP range, subnets, routing, firewalls, and more. You control every bit of network flow.


Key VPC Components (with Real Usage)

1. CIDR Block

CIDR (Classless Inter-Domain Routing) defines the IP range for a VPC. It helps in efficient IP allocation by representing IP addresses and subnet masks in a compact format.

  • Example: 192.168.1.0/24
  • /24 means the first 24 bits identify the network; the remaining 8 bits are for hosts.

Host Calculation

To determine the number of usable IPs in a subnet:

Formula:

Usable Hosts = 2^(32 – CIDR Prefix) – 2


Example: For 192.168.1.0/24

  • Host bits = 32 – 24 = 8
  • Possible hosts = 2⁸ – 2 = 254


2. Subnets

Subnets are IP ranges carved from your VPC. Each subnet exists in one Availability Zone.

  • Public Subnet: Has a route to the internet through an Internet Gateway.
  • Private Subnet: Has no direct access to the internet.
  • Isolated Subnet: Used for databases or backend services; no NAT, no IGW.
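
The host calculation and the subnet tiers above, worked through in code. This is an added example, not part of the original article: it carves a hypothetical 10.0.0.0/16 VPC into per-AZ public/private/isolated subnets with Python's standard ipaddress module, and it goes one step beyond the textbook formula by also applying the AWS rule that five addresses per subnet are reserved (so a /24 yields 251 usable hosts in AWS rather than 254). The AZ names and tier sizes are constructed for illustration.

```python
# Added example (not from the original article): plan non-overlapping subnets
# for a VPC CIDR and compute usable hosts. The VPC range, AZ names and tier
# sizes are constructed inputs for illustration.
import ipaddress

# AWS reserves the first four and the last address of every subnet (network,
# VPC router, DNS, future use, broadcast), so usable = 2^(32 - prefix) - 5,
# versus the textbook 2^(32 - prefix) - 2.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr, aws=True):
    """Usable host addresses in an IPv4 CIDR under AWS (default) or textbook rules."""
    net = ipaddress.ip_network(cidr, strict=False)
    reserved = AWS_RESERVED_PER_SUBNET if aws else 2
    return max(net.num_addresses - reserved, 0)


def plan_subnets(vpc_cidr, azs, tiers):
    """Carve one subnet per (AZ, tier) out of vpc_cidr without overlaps.

    tiers maps tier name -> prefix length, e.g. {"public": 24, "private": 20}.
    Larger tiers are allocated first in each AZ to limit fragmentation.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    cursor = int(vpc.network_address)
    plan = []
    for az in azs:
        for tier, prefix in sorted(tiers.items(), key=lambda item: item[1]):
            size = 2 ** (32 - prefix)
            cursor = -(-cursor // size) * size          # align to the block size
            subnet = ipaddress.ip_network((cursor, prefix))
            if not subnet.subnet_of(vpc):
                raise ValueError(f"{vpc_cidr} is exhausted at {az}/{tier}")
            plan.append({"az": az, "tier": tier, "cidr": str(subnet),
                         "usable_hosts": usable_hosts(str(subnet))})
            cursor += size
    return plan


def overlaps(cidr_a, cidr_b):
    """True if two CIDRs overlap; VPC peering requires this to be False."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))
```

The `overlaps` check is the same test you need before peering two VPCs (section 9): peering is refused when the CIDR blocks overlap.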


3. Internet Gateway (IGW)

Allows public subnets to talk to the internet. Must be attached to your VPC and explicitly routed via the route table.

Without an IGW and a public IP, your EC2 instance can’t reach the internet, not even for OS updates.


4. NAT Gateway / NAT Instance

NAT instances and gateways provide outbound internet access for private subnets (e.g., downloading packages or updates) without allowing inbound connections from the internet.

NAT Gateway: Fully managed by AWS. Automatically scales, resilient across Availability Zones, no maintenance.

NAT Instance: You manage an EC2 instance configured for NAT. Scaling the NAT is your responsibility, as are software/OS updates and high availability. More commonly used in legacy environments, or where you need the flexibility to customize the configuration.

Placement: Always place the NAT (instance or gateway) in a public subnet, one with a route to the Internet Gateway. Your private subnets then route their internet-bound traffic through the NAT.


5. Route Tables

Every subnet must be associated with a route table. These control where traffic goes.

Example:

Destination       Target
10.0.0.0/16       local
0.0.0.0/0         igw-xxxx   # for public subnets


You can customize route tables to send traffic to NAT, VPC peering, VPNs, Transit Gateways, etc.
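
The route-table rules above and the NAT placement rule from section 4 can be turned into a quick configuration check. This is an added example, not code from the original article: it derives each subnet's kind (public, private, isolated) from the target of its 0.0.0.0/0 route and flags a NAT gateway that does not sit in a public subnet. The records are constructed, simplified sample data, not the exact DescribeRouteTables/DescribeNatGateways API shape, and every ID is a placeholder.

```python
# Added example (not from the original article): classify subnets from their
# route table's default route and flag a NAT gateway outside a public subnet.
# Records below are constructed, simplified sample data (not the exact AWS
# API shape); all IDs are placeholders.

ROUTE_TABLES = [
    {"RouteTableId": "rtb-public", "Subnets": ["subnet-pub-a"],
     "Routes": [{"Destination": "10.0.0.0/16", "Target": "local"},
                {"Destination": "0.0.0.0/0", "Target": "igw-EXAMPLE"}]},
    {"RouteTableId": "rtb-private", "Subnets": ["subnet-priv-a"],
     "Routes": [{"Destination": "10.0.0.0/16", "Target": "local"},
                {"Destination": "0.0.0.0/0", "Target": "nat-EXAMPLE"}]},
    {"RouteTableId": "rtb-isolated", "Subnets": ["subnet-db-a"],
     "Routes": [{"Destination": "10.0.0.0/16", "Target": "local"}]},
]

# Constructed: the NAT gateway was (wrongly) created in the private subnet.
NAT_GATEWAYS = [{"NatGatewayId": "nat-EXAMPLE", "SubnetId": "subnet-priv-a"}]

# Target-ID prefix of the 0.0.0.0/0 route -> what it makes the subnet.
KIND_BY_PREFIX = {"igw-": "public", "nat-": "private"}


def classify_subnets(route_tables):
    """Map subnet id -> 'public' | 'private' | 'isolated' | 'other'."""
    kinds = {}
    for rt in route_tables:
        targets = [r["Target"] for r in rt["Routes"]
                   if r["Destination"] == "0.0.0.0/0"]
        if not targets:
            kind = "isolated"                 # no route out of the VPC at all
        else:
            kind = next((k for p, k in KIND_BY_PREFIX.items()
                         if targets[0].startswith(p)), "other")  # e.g. tgw-, pcx-
        for subnet_id in rt["Subnets"]:
            kinds[subnet_id] = kind
    return kinds


def misplaced_nat_gateways(route_tables, nat_gateways):
    """NAT gateways outside a public subnet: they have no path to the IGW."""
    kinds = classify_subnets(route_tables)
    return [g["NatGatewayId"] for g in nat_gateways
            if kinds.get(g["SubnetId"]) != "public"]
```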


6. Security Groups

These are instance-level firewalls. You define inbound and outbound rules by port, protocol, and source/destination.

Key points:

  • Stateful: responses are automatically allowed.
  • Attached to ENIs (not instances directly).
  • Can reference other security groups as source.

Example:

Allow TCP port 22 from 198.51.100.10/32
Allow TCP port 443 from sg-web-servers
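
A least-privilege audit of the rules above, as an added example that is not part of the original article. It walks security group inbound rules in the IpPermissions layout that EC2 DescribeSecurityGroups returns and reports admin ports that are open to the whole internet; the group records are constructed sample data and the group IDs are placeholders. Note how the app tier's rule references another security group instead of a CIDR, which the audit leaves alone.

```python
# Added example (not from the original article): find security group rules
# that open admin ports to the whole internet. Groups below are constructed
# sample data in the IpPermissions layout of EC2 DescribeSecurityGroups;
# the group IDs are placeholders.

ADMIN_PORTS = {22, 3389, 3306, 5432}        # SSH, RDP, MySQL, PostgreSQL
WORLD = {"0.0.0.0/0", "::/0"}

SECURITY_GROUPS = [
    {"GroupId": "sg-web-servers", "GroupName": "web-servers",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "GroupName": "app",
     "IpPermissions": [
         # Source is another security group, not a CIDR: only web servers connect.
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
          "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web-servers"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "198.51.100.10/32"}], "UserIdGroupPairs": []}]},
]


def rule_ports(rule):
    """Ports a rule covers; protocol -1 (all traffic) or port -1 means every port."""
    if rule["IpProtocol"] == "-1" or rule.get("FromPort", -1) == -1:
        return range(0, 65536)
    return range(rule["FromPort"], rule["ToPort"] + 1)


def world_open_admin_rules(groups, admin_ports=ADMIN_PORTS):
    """(group id, port) pairs where an admin port is reachable from any address."""
    findings = []
    for group in groups:
        for rule in group["IpPermissions"]:
            sources = {r["CidrIp"] for r in rule.get("IpRanges", [])}
            sources |= {r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])}
            if not sources & WORLD:
                continue                     # SG-to-SG or specific CIDR: fine
            ports = rule_ports(rule)
            for port in sorted(admin_ports):
                if port in ports:
                    findings.append((group["GroupId"], port))
    return findings
```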



7. Network ACLs (NACLs)

Subnet-level stateless firewalls. They evaluate rules top-down.

Used when you want to enforce explicit deny rules, something security groups can’t do.

Example use case: deny traffic from a specific IP range across a subnet.
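
The evaluation order and the deny use case above, simulated in code. This is an added example, not part of the original article: it evaluates a constructed inbound NACL the way AWS does (lowest rule number first, first match wins, implicit deny when nothing matches), and it also shows the consequence of statelessness: return traffic for outbound connections arrives on ephemeral ports and needs its own allow rule, whereas a stateful security group would allow it automatically. Addresses are from the documentation ranges.

```python
# Added example (not from the original article): evaluate inbound NACL rules
# in AWS order (ascending rule number, first match wins, implicit deny).
# The rule set and addresses are constructed for illustration.
import ipaddress

# Constructed inbound rules for a subnet of HTTPS servers. Rule 50 is the
# "deny a specific range across the subnet" use case; rule 110 admits
# return traffic on ephemeral ports, which a stateless ACL needs explicitly.
INBOUND = [
    {"rule": 50,  "action": "deny",  "proto": "tcp", "cidr": "203.0.113.0/24", "ports": (0, 65535)},
    {"rule": 100, "action": "allow", "proto": "tcp", "cidr": "0.0.0.0/0",      "ports": (443, 443)},
    {"rule": 110, "action": "allow", "proto": "tcp", "cidr": "0.0.0.0/0",      "ports": (1024, 65535)},
]


def evaluate(rules, proto, src_ip, dst_port):
    """Return ('allow' | 'deny', deciding rule number); '*' is the implicit deny."""
    src = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda x: x["rule"]):
        if rule["proto"] not in (proto, "all"):
            continue
        if src not in ipaddress.ip_network(rule["cidr"]):
            continue
        low, high = rule["ports"]
        if low <= dst_port <= high:
            return rule["action"], rule["rule"]
    return "deny", "*"


def return_traffic_allowed(rules, peer_ip, ephemeral_port=49152):
    """Would the reply to an outbound TCP connection get back in through this ACL?"""
    return evaluate(rules, "tcp", peer_ip, ephemeral_port)[0] == "allow"
```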


8. VPC Endpoints

Let your services in private subnets access AWS services (like S3, DynamoDB) without going through the public internet.

  • Interface Endpoints: ENI-powered for services like SNS, SQS
  • Gateway Endpoints: For S3 and DynamoDB only

Reduces data exposure and saves NAT bandwidth.


9. VPC Peering

Connect two VPCs (same or different accounts) to route traffic between them privately.

Limitations:

  • No transitive peering (VPC A <-> B <-> C won't work)
  • Must update route tables on both sides
  • CIDR blocks must not overlap

Use Transit Gateway for hub-and-spoke routing.


10. VPN Gateway (VGW)

Used to establish secure IPSec VPN tunnels between on-prem and your VPC.

Typical for hybrid setups:

  • Customer Gateway on your data center
  • Virtual Private Gateway on AWS

Can also be used with AWS Direct Connect for private connectivity.


11. Elastic IP (EIP)

Static public IP that you can assign to an EC2, NAT, or load balancer.

You get 5 EIPs per region by default. Unused EIPs are charged; always release them if not in use.


12. Flow Logs

Capture all IP-level traffic in your VPC. Can write logs to CloudWatch or S3.

Useful for debugging connectivity issues or detecting unexpected access.

Example insights:

  • Why can’t my app connect to RDS?
  • Who hit my NAT gateway the most?
  • Did anyone hit this subnet from an unknown IP?
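
Two of the questions above answered from flow log records, as an added example that is not part of the original article. It parses VPC Flow Log lines in the default format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status), ranks private sources by bytes sent through the NAT gateway's ENI, and lists sources outside a set of known CIDRs that touched a database subnet. The log lines are constructed; the account ID and ENI IDs are placeholders and the public addresses come from the documentation ranges.

```python
# Added example (not from the original article): query VPC Flow Log records
# in the default format. The log lines are constructed; account ID and ENI
# IDs are placeholders, public addresses are documentation ranges.
import ipaddress
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

SAMPLE_LOG = """\
2 123456789012 eni-nat00000 10.0.16.5 192.0.2.10 49152 443 6 20 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-nat00000 10.0.16.7 192.0.2.10 49153 443 6 5 1200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-nat00000 10.0.16.5 192.0.2.11 49154 443 6 30 9100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-db000000 10.0.17.4 10.0.18.9 53122 5432 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-db000000 203.0.113.77 10.0.18.9 55555 5432 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-db000000 203.0.113.77 10.0.18.9 55556 22 6 1 60 1700000000 1700000060 REJECT OK
"""


def parse(log_text):
    """Turn default-format flow log lines into dicts; numeric fields become ints."""
    records = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("version"):   # skip S3 header line
            continue
        rec = dict(zip(FIELDS, line.split()))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def top_nat_users(records, nat_eni, n=3):
    """'Who hit my NAT gateway the most?': bytes per private source on the NAT ENI."""
    usage = Counter()
    for r in records:
        if r["interface_id"] == nat_eni:
            usage[r["srcaddr"]] += r["bytes"]
    return usage.most_common(n)


def unknown_sources(records, known_cidrs):
    """'Did anyone hit this subnet from an unknown IP?': sources outside known ranges."""
    known = [ipaddress.ip_network(c) for c in known_cidrs]
    hits = Counter()
    for r in records:
        src = ipaddress.ip_address(r["srcaddr"])
        if not any(src in net for net in known):
            hits[(r["srcaddr"], r["dstport"], r["action"])] += 1
    return sorted(hits.items())
```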


Best Practices Based on Experience

  • Multiple AZs: Always spread your subnets and resources over multiple Availability Zones.
  • Least privilege: Start with as few privileges as possible: block everything, then open only what is needed.
  • Naming: Use consistent, descriptive names for your subnets and route tables, for example ‘prod-app-public-us-east-1a’.
  • Separate VPCs: Use different VPCs for prod, staging and dev environments.
  • Endpoints: If you use services like S3, create VPC endpoints for better security and to save on NAT costs.



Conclusion

Amazon VPC is the building block of everything in AWS. If you misconfigure the VPC, nothing else can work properly. Spend time planning your CIDR ranges, subnets, and routes. Always put anything that doesn't need public connectivity in a private subnet. Make security groups and flow logs your best friends: they keep you secure and give you visibility.

Configured properly, your VPC becomes a solid network foundation on which to build a secure, fast, and flexible environment for anything you throw at it.