AWS Networking Demystified: VPC, Subnets, Security, and Beyond
Nitesh More


Publish Date: Aug 22

When you first dive into AWS, networking feels like a maze. Between VPCs, subnets, routing tables, security groups, and NACLs, it’s easy to get lost.

This guide breaks it down step by step, so you’ll walk away knowing how all the pieces fit together.


1. Virtual Private Cloud (VPC)

A VPC is a logically isolated virtual network inside an AWS Region.
Think of it as your own data center in the cloud: nothing in it can reach, or be reached from, other VPCs or the internet until you explicitly wire that up.

  • You define the IP address range as a CIDR block between /16 and /28 (e.g., 10.0.0.0/16). The primary CIDR cannot be changed after creation, so pick a range that will not overlap with networks you may later peer or VPN with.
  • Inside it, you place subnets, route tables, and security rules (security groups and NACLs).
  • You can connect your VPC to the internet (via an Internet Gateway) or keep it fully private.

👉 Every AWS account comes with a default VPC in each Region. Its subnets are all public and auto-assign public IPs, which is convenient for experiments but not what you want for production, so you almost always create custom VPCs.


2. Subnets

Inside a VPC, you slice the network into subnets. Each subnet lives in exactly one Availability Zone, and "public" vs "private" is not a setting on the subnet itself; it is decided by the subnet's route table.

  • Public subnet → its route table has a route to an Internet Gateway (0.0.0.0/0 → IGW). Instances in it also need a public or Elastic IP to actually be reachable from outside.
  • Private subnet → no route to an Internet Gateway; outbound-only access goes through a NAT Gateway, or the subnet is used purely for internal services.

📝 Example:

  • Public subnet hosts a web server.
  • Private subnet hosts a database (never exposed directly to the internet).
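As an added illustration of sections 1 and 2 (this is not code from the original post), the following Python uses only the standard library to carve a /16 VPC into one public and one private subnet per AZ, check that nothing overlaps, and count the addresses you can actually assign after the five that AWS reserves in every subnet. The VPC range, the AZ names and the /20 subnet size are assumptions chosen for the example.

```python
import ipaddress

# Constructed example: one /16 VPC split into a public and a private tier
# across three AZs. The AZ names and tier sizes are assumptions.
VPC_CIDR = "10.0.0.0/16"
AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]

# AWS reserves the first four addresses and the last address of every subnet
# (network address, VPC router, DNS, future use, broadcast): usable = size - 5.
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, azs, tier_prefix=20):
    """Carve the VPC into one public and one private subnet per AZ.

    Returns {subnet_name: ipaddress.IPv4Network}. Public subnets are taken
    from the low end of the VPC range and private ones from the high end, so
    each tier stays a contiguous block that route tables and NACLs can
    summarise with a single CIDR.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError("AWS VPC CIDR must be between /16 and /28")
    blocks = list(vpc.subnets(new_prefix=tier_prefix))
    if len(blocks) < 2 * len(azs):
        raise ValueError("VPC too small for two subnets per AZ at this size")
    plan = {}
    for i, az in enumerate(azs):
        plan[f"public-{az}"] = blocks[i]
        plan[f"private-{az}"] = blocks[-(i + 1)]
    return plan


def usable_addresses(net):
    """Addresses an instance can actually be given in this subnet."""
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def check_no_overlap(networks):
    """Return the overlapping pairs; an empty list means the plan is valid.
    AWS rejects overlapping subnets inside a VPC and, later, overlapping
    CIDRs between peered VPCs."""
    items = list(networks.items())
    return [
        (a, b)
        for i, (a, net_a) in enumerate(items)
        for b, net_b in items[i + 1:]
        if net_a.overlaps(net_b)
    ]


def overlaps_peer(vpc_cidr, peer_cidr):
    """True if two VPCs could not be peered because their CIDRs collide."""
    return ipaddress.ip_network(vpc_cidr).overlaps(ipaddress.ip_network(peer_cidr))


if __name__ == "__main__":
    plan = plan_subnets(VPC_CIDR, AZS)
    for name, net in plan.items():
        print(f"{name:22} {str(net):16} usable={usable_addresses(net)}")
    print("overlaps:", check_no_overlap(plan))
    print("can peer with 10.1.0.0/16:", not overlaps_peer(VPC_CIDR, "10.1.0.0/16"))
```

Running it lists 10.0.0.0/20, 10.0.16.0/20 and 10.0.32.0/20 as the public tier and 10.0.240.0/20 downwards as the private tier, each with 4091 usable addresses, and leaves plenty of unused /20s for a future database tier or a second region's peering range.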

3. Route Tables

Subnets don’t know where to send traffic by default. That’s where Route Tables come in.

  • Each subnet is associated with exactly one route table. A subnet with no explicit association uses the VPC’s main route table, so keep the main table private and attach a dedicated table to your public subnets.
  • Every route table has a built-in "local" route for the VPC CIDR that cannot be deleted; this is what lets subnets in the same VPC talk to each other.
  • When several routes match a destination, the most specific one (longest prefix) wins.
  • Example route: 0.0.0.0/0 → Internet Gateway (for internet access).
  • Private subnets may instead route 0.0.0.0/0 → NAT Gateway (so they can reach the internet outbound but remain unreachable from outside).

4. Internet Gateway (IGW) & NAT Gateway

  • Internet Gateway (IGW) → attaches to a VPC (one per VPC) and lets resources in public subnets send traffic to the internet and, if they have a public IP, receive connections from it.
  • NAT Gateway → lets private subnets initiate outbound connections (like downloading updates) while refusing connections initiated from the internet. It lives in a public subnet, needs an Elastic IP, and is tied to one AZ, so deploy one per AZ if the private tier must survive an AZ failure.

👉 Rule of thumb:

  • Public subnet = default route to the IGW.
  • Private subnet = default route to a NAT Gateway (which itself sits in a public subnet).

5. Security Groups (SG)

A Security Group is a firewall attached to the network interface of a resource (EC2, RDS, ALB, Lambda in a VPC, etc).

  • Stateful: if you allow inbound traffic, the response is automatically allowed, and the same holds for outbound connections.
  • Allow rules only (no explicit deny); anything not allowed is dropped. A new group denies all inbound and allows all outbound by default.
  • A rule’s source can be a CIDR or another security group’s ID, which is how you say "only the load balancer may talk to the app tier" without hard-coding IPs.
  • Example:

    • Allow inbound TCP 22 (SSH) from 10.0.0.0/16.
    • Allow inbound TCP 443 (HTTPS) from anywhere (0.0.0.0/0).

6. Network ACLs (NACLs)

A NACL is a firewall at the subnet level; it sees every packet entering or leaving the subnet.

  • Stateless: you must define both inbound and outbound rules. Return traffic is not tracked, so a NACL that allows inbound 443 also needs an outbound rule for the ephemeral port range (1024-65535), or replies never leave the subnet.
  • Works with allow and deny rules. Rules are numbered and evaluated from the lowest number up; the first match wins, and the final "*" rule denies anything unmatched. The default NACL allows everything in both directions.
  • Example:

    • Rule 100: Deny inbound TCP 22 (SSH) from 0.0.0.0/0.
    • Rule 110: Allow inbound TCP 443 (HTTPS) from 0.0.0.0/0.
    • Outbound rule 100: Allow TCP 1024-65535 to 0.0.0.0/0 (replies to clients).

👉 Quick comparison:

  • Security Groups = “Who can talk to this server?”
  • NACLs = “What traffic can pass through this subnet?”

7. VPC Peering

What if you have two VPCs and want them to talk?

  • VPC Peering connects two VPCs privately over the AWS backbone; traffic never touches the public internet. The two CIDR ranges must not overlap, and each side needs a route for the other’s CIDR pointing at the peering connection (pcx-...).
  • It’s one-to-one and not transitive: if A is peered with B and B with C, A cannot reach C through B. Full connectivity between n VPCs needs n(n-1)/2 peerings.
  • Alternative for larger architectures → Transit Gateway.

8. Transit Gateway (TGW)

  • A Transit Gateway is a regional hub that connects many VPCs, VPN connections, and Direct Connect links to on-prem networks.
  • Instead of managing many VPC peerings, you attach each VPC to the TGW once and add a route for the other networks’ CIDRs pointing at the TGW.
  • Supports transitive routing, and its own route tables let you segment traffic (for example, spoke VPCs can reach a shared-services VPC but not each other).
  • Great for enterprise-scale multi-VPC setups.
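The routing behaviour described in sections 3, 4, 7 and 8 (longest-prefix matching, the unremovable local route, IGW vs NAT, non-transitive peering, and transitive routing through a Transit Gateway) can be traced with the small simulator below. It is an added example, not code from the original post, and it is a model of AWS behaviour rather than a call into AWS: the VPC names, CIDRs, peering IDs and the `forward` function are assumptions chosen for illustration.

```python
import ipaddress


class RouteTable:
    """Mimics a VPC route table: of all routes whose destination contains the
    address, the most specific (longest prefix) wins, whatever the order."""

    def __init__(self, routes):
        # routes: list of (destination CIDR, target) pairs
        self.routes = [(ipaddress.ip_network(dst), tgt) for dst, tgt in routes]

    def lookup(self, dst_ip):
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net, tgt) for net, tgt in self.routes if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


class Vpc:
    def __init__(self, name, cidr, routes):
        self.name = name
        self.cidr = ipaddress.ip_network(cidr)
        # Every route table carries an unremovable "local" route for the VPC CIDR.
        self.rt = RouteTable([(cidr, "local")] + list(routes))

    def contains(self, dst_ip):
        return ipaddress.ip_address(dst_ip) in self.cidr


def forward(src, dst_ip, vpcs, peerings, tgw_rt=None):
    """Trace one packet leaving VPC `src` towards `dst_ip`; return a verdict.

    vpcs:     {name: Vpc}
    peerings: {"pcx-ab": ("A", "B"), ...}  one-to-one links between two VPCs
    tgw_rt:   the Transit Gateway's own RouteTable, whose targets are VPC names
    """
    target = src.rt.lookup(dst_ip)
    if target is None:
        return "dropped: no route"
    if target == "local":
        return f"delivered in {src.name}"
    if target.startswith("pcx-"):
        a, b = peerings[target]
        peer = vpcs[b if a == src.name else a]
        # A peering only carries traffic addressed to the peer's own CIDR; the
        # peer never forwards it onward, so reachability is not transitive.
        if peer.contains(dst_ip):
            return f"delivered in {peer.name} via {target}"
        return f"dropped: {target} does not forward beyond {peer.name}"
    if target == "tgw" and tgw_rt is not None:
        # The TGW route table lists every attachment's CIDR, so any attached
        # VPC reaches any other through the hub: transitive by design.
        hop = tgw_rt.lookup(dst_ip)
        if hop is not None and vpcs[hop].contains(dst_ip):
            return f"delivered in {hop} via tgw"
        return "dropped: no tgw route"
    if target == "igw":
        return "sent to internet via igw (two-way: public IPs here are reachable)"
    if target == "nat":
        return "sent to internet via nat (outbound-initiated only)"
    return f"dropped: unknown target {target}"


def build_peered_topology():
    """Constructed topology: A<->B and B<->C peered, no A<->C link. A even has
    a (useless) route for C's CIDR through pcx-ab to show it does not help."""
    vpcs = {
        "A": Vpc("A", "10.0.0.0/16", [("10.1.0.0/16", "pcx-ab"),
                                      ("10.2.0.0/16", "pcx-ab"), ("0.0.0.0/0", "nat")]),
        "B": Vpc("B", "10.1.0.0/16", [("10.0.0.0/16", "pcx-ab"), ("10.2.0.0/16", "pcx-bc")]),
        "C": Vpc("C", "10.2.0.0/16", [("10.1.0.0/16", "pcx-bc"), ("0.0.0.0/0", "igw")]),
    }
    return vpcs, {"pcx-ab": ("A", "B"), "pcx-bc": ("B", "C")}


def build_tgw_topology():
    """Same three VPCs attached to one Transit Gateway. Each VPC sends all of
    10.0.0.0/8 to the TGW; the longer local /16 still wins for its own range."""
    cidrs = {"A": "10.0.0.0/16", "B": "10.1.0.0/16", "C": "10.2.0.0/16"}
    vpcs = {n: Vpc(n, c, [("10.0.0.0/8", "tgw")]) for n, c in cidrs.items()}
    return vpcs, RouteTable([(c, n) for n, c in cidrs.items()])


if __name__ == "__main__":
    vpcs, peerings = build_peered_topology()
    for dst in ("10.0.1.10", "10.1.0.5", "10.2.0.5", "93.184.216.34"):
        print(f"A -> {dst:14} {forward(vpcs['A'], dst, vpcs, peerings)}")
    tvpcs, tgw_rt = build_tgw_topology()
    print(f"A -> 10.2.0.5 via TGW: {forward(tvpcs['A'], '10.2.0.5', tvpcs, {}, tgw_rt)}")
```

The interesting lines are the two 10.2.0.5 traces: with peering, A's route towards C's CIDR is accepted by the route table but the packet dies at B, because a peering connection only delivers to the peer's own range; with the Transit Gateway the same packet is delivered because the hub holds a route for every attachment.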

9. PrivateLink & VPC Endpoints

Without an endpoint, a private subnet reaches AWS services (S3, DynamoDB, SSM, etc.) through the NAT Gateway and the service’s public endpoint, paying for NAT traffic and leaving the public internet in the path.

  • Gateway Endpoint → available only for S3 and DynamoDB. It is a route-table entry (the service’s prefix list → vpce-...) rather than a network interface, and it is free.
  • Interface Endpoint → an elastic network interface with a private IP in your subnet that fronts the service’s API; this is what most other AWS services use. Both kinds accept an endpoint policy that can limit, for example, which S3 buckets are reachable through it.
  • PrivateLink → the technology behind interface endpoints. It also lets you publish your own service (behind a Network Load Balancer) to consumers in other VPCs or accounts without peering and without exposing it to the internet.

10. Putting It All Together (Example)

Imagine a simple 3-tier architecture, spread over at least two AZs:

  • Public Subnets → Load Balancer (ALB) and the NAT Gateways
  • Private Subnets A → App Servers (EC2 in Auto Scaling Group)
  • Private Subnets B → Database (RDS)

Traffic flow:
User → ALB (Public Subnet) → App Server (Private Subnet) → Database (Private Subnet)

Security Layers:

  • ALB SG → allows inbound HTTPS (443) from the internet.
  • App Server SG → allows inbound on the app port only from the ALB SG (referenced by group ID, not by CIDR).
  • DB SG → allows inbound on the database port only from the App Server SG.
  • App subnet route table → 0.0.0.0/0 → NAT Gateway for patches and package downloads; the database subnets need no internet route at all.
  • NACLs → add subnet-wide restrictions for extra defense (for example, deny SSH from outside the VPC), remembering to allow the ephemeral port range outbound for return traffic.
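To make the security-group and NACL semantics from sections 5 and 6 concrete, and to check the 3-tier rule set above, here is an added example (not code from the original post) that models both controls and evaluates a connection the way AWS does: a stateful, allow-only security group that can reference another group, and a stateless, numbered NACL that must also let the reply out. The group names, ports, CIDRs and the `connection_allowed` helper are assumptions for the example; it is a model, not a call into AWS.

```python
from ipaddress import ip_address, ip_network


class SecurityGroup:
    """Stateful, allow-only, attached to an instance's network interface. A
    rule's source is a CIDR string or another SecurityGroup object, mirroring
    AWS rules that reference a group ID instead of an address range."""

    def __init__(self, name, ingress):
        self.name = name
        self.ingress = ingress  # list of (proto, port, source)

    def allows(self, proto, port, src_ip, src_sg=None):
        for r_proto, r_port, source in self.ingress:
            if r_proto != proto or r_port != port:
                continue
            if isinstance(source, SecurityGroup):
                if src_sg is source:  # packet comes from an interface in that group
                    return True
            elif ip_address(src_ip) in ip_network(source):
                return True
        return False  # no allow rule matched: implicit deny


class NetworkAcl:
    """Stateless, subnet-wide. Rules are (number, proto, (lo, hi), cidr, action),
    evaluated lowest number first; first match wins; implicit deny at the end."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound)
        self.outbound = sorted(outbound)

    @staticmethod
    def evaluate(rules, proto, port, addr):
        for _num, r_proto, (lo, hi), cidr, action in rules:
            if r_proto in (proto, "all") and lo <= port <= hi \
                    and ip_address(addr) in ip_network(cidr):
                return action == "allow"
        return False


def connection_allowed(nacl, sg, proto, port, client_ip, client_sg=None, client_port=50000):
    """Can `client_ip` open proto/port to an instance behind `sg` in a subnet
    guarded by `nacl`, and get the reply back? The SG is stateful, so only its
    ingress is consulted. The NACL is stateless, so the reply (server port ->
    client ephemeral port) must be permitted by an explicit outbound rule."""
    checks = {
        "nacl_in": nacl.evaluate(nacl.inbound, proto, port, client_ip),
        "sg": sg.allows(proto, port, client_ip, client_sg),
        "nacl_out_reply": nacl.evaluate(nacl.outbound, proto, client_port, client_ip),
    }
    return all(checks.values()), checks


# Constructed 3-tier rule set (names, ports and CIDRs are assumptions).
ALB_SG = SecurityGroup("alb-sg", [("tcp", 443, "0.0.0.0/0")])
APP_SG = SecurityGroup("app-sg", [("tcp", 8080, ALB_SG), ("tcp", 22, "10.0.0.0/16")])
DB_SG = SecurityGroup("db-sg", [("tcp", 5432, APP_SG)])

ALLOW_ALL = [(100, "all", (0, 65535), "0.0.0.0/0", "allow")]
PUBLIC_NACL = NetworkAcl(ALLOW_ALL, ALLOW_ALL)  # behaves like the default NACL

# Private-subnet NACL: SSH only from inside the VPC (rule 100 must sit before
# the deny at 110), app and db ports only from the VPC, and the rule people
# forget: ephemeral ports outbound so that replies can leave the subnet.
PRIVATE_NACL = NetworkAcl(
    inbound=[
        (100, "tcp", (22, 22), "10.0.0.0/16", "allow"),
        (110, "tcp", (22, 22), "0.0.0.0/0", "deny"),
        (120, "tcp", (8080, 8080), "10.0.0.0/16", "allow"),
        (130, "tcp", (5432, 5432), "10.0.0.0/16", "allow"),
    ],
    outbound=[(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")],
)
# Same inbound rules, but outbound only permits 443: the SYN gets in, the SG
# accepts it, and the SYN-ACK is silently dropped on the way out.
BROKEN_NACL = NetworkAcl(PRIVATE_NACL.inbound,
                         [(100, "tcp", (443, 443), "0.0.0.0/0", "allow")])

if __name__ == "__main__":
    cases = [
        ("internet -> ALB 443", PUBLIC_NACL, ALB_SG, 443, "203.0.113.7", None),
        ("internet -> app 8080", PRIVATE_NACL, APP_SG, 8080, "203.0.113.7", None),
        ("ALB -> app 8080", PRIVATE_NACL, APP_SG, 8080, "10.0.1.20", ALB_SG),
        ("ALB -> db 5432", PRIVATE_NACL, DB_SG, 5432, "10.0.1.20", ALB_SG),
        ("app -> db 5432", PRIVATE_NACL, DB_SG, 5432, "10.0.20.5", APP_SG),
        ("ALB -> app, broken NACL", BROKEN_NACL, APP_SG, 8080, "10.0.1.20", ALB_SG),
    ]
    for label, nacl, sg, port, ip, src_sg in cases:
        ok, checks = connection_allowed(nacl, sg, "tcp", port, ip, src_sg)
        print(f"{label:26} {'ALLOW' if ok else 'DENY '} {checks}")
```

Two results are worth dwelling on. "ALB -> db" is denied even though the packet comes from an address inside the VPC, because the DB group only trusts members of the app group; that is the value of referencing groups rather than CIDRs. And "broken NACL" passes both inbound checks yet fails, which is exactly how a stateless NACL that forgets the ephemeral range shows up in practice: security groups look right, the instance is healthy, and clients still time out.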

11. Key Best Practices

  • Use least privilege rules: narrow CIDR ranges, and reference security groups instead of CIDRs for traffic between tiers.
  • Split workloads across AZs for resilience: subnets, NAT Gateways, and load balancer targets in each AZ.
  • Use NAT Gateway for private subnets needing outbound access, and VPC endpoints for AWS services so that traffic never leaves the AWS network.
  • For many VPCs, prefer Transit Gateway over complex peering meshes.
  • Use VPC Flow Logs to monitor traffic. They record connection metadata (addresses, ports, protocol, bytes, ACCEPT/REJECT), not payloads, which is enough to spot scans, unexpected egress, and rules that are broader than they need to be.
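As an added example of the last point (not code from the original post), the script below parses a few constructed records in the default VPC Flow Log format and runs two simple detections over them: sources that were REJECTed while probing admin ports across several hosts, and ACCEPTed flows arriving from outside the VPC, grouped by port, which is the ground truth of what your security groups really let in. The field order is the documented default (version 2) format; the addresses, ENI ID, account ID and thresholds are made up for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records in the default VPC Flow Log (version 2) format.
# Field order: version account-id interface-id srcaddr dstaddr srcport dstport
# protocol packets bytes start end action log-status. Addresses, the ENI id
# and the account id are made up for illustration.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.20 51234 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.21 51235 22 6 1 44 1700000001 1700000061 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.22 51236 22 6 1 44 1700000002 1700000062 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.23 51237 3389 6 1 44 1700000003 1700000063 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.20 44321 443 6 10 8000 1700000004 1700000064 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 198.51.100.9 443 44321 6 10 8000 1700000005 1700000065 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.20.5 40000 5432 6 20 4000 1700000006 1700000066 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000007 1700000067 - NODATA
"""

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]
TCP = 6


def parse_flow_log(text):
    """Parse default-format records into dicts, skipping NODATA/SKIPDATA lines
    (they carry no addresses) and anything that is not 14 fields wide."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def find_scanners(records, admin_ports=(22, 3389), min_targets=3):
    """Sources whose REJECTed TCP attempts on admin ports hit at least
    `min_targets` distinct (destination, port) pairs: a classic scan signature.
    A REJECT means a security group or NACL did its job; the interesting part
    is who is probing and what they tried, not that anything got through."""
    targets = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT" and r["protocol"] == TCP and r["dstport"] in admin_ports:
            targets[r["srcaddr"]].add((r["dstaddr"], r["dstport"]))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


def exposed_ports(records, vpc_cidr="10.0.0.0/16"):
    """ACCEPTed flows that originate outside the VPC, grouped by destination
    port. Reply flows (source inside the VPC) are excluded, so the result is
    what external clients were actually allowed to open."""
    vpc = ip_network(vpc_cidr)
    seen = defaultdict(set)
    for r in records:
        if r["action"] == "ACCEPT" and ip_address(r["srcaddr"]) not in vpc:
            seen[r["dstport"]].add(r["srcaddr"])
    return {port: sorted(srcs) for port, srcs in seen.items()}


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(f"{len(recs)} usable records")
    print("scanners:", find_scanners(recs))
    print("exposed ports:", exposed_ports(recs))
```

On the sample data the scanner detection flags 203.0.113.7 for four rejected admin-port attempts across four hosts, and the exposure summary shows only port 443 reachable from 198.51.100.9; the internal 5432 flow and the 443 reply flow are correctly ignored. In production you would feed the same functions from the flow log destination (CloudWatch Logs or S3) and raise the thresholds to match your traffic.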

✅ Takeaway

AWS networking isn’t just about connecting resources — it’s about designing secure, scalable, and maintainable networks.

If you understand VPC, subnets, routing, security groups, NACLs, and peering, you’ve got the foundation to handle real-world AWS architectures.
