AWS Networking & CDN
VPC
Logically isolated virtual network with full control over IP ranges, subnets, and routing tables
Amazon VPC (Virtual Private Cloud) gives you a logically isolated section of the AWS cloud where you can launch resources in a virtual network you define. You have full control over IP address ranges, subnets, route tables, and network gateways - making VPC the foundational networking layer for nearly every AWS architecture.
VPC Architecture and Core Components
A VPC spans all Availability Zones in a region. You carve it into subnets, each pinned to a single AZ. Public subnets route to an Internet Gateway; private subnets route outbound traffic through a NAT Gateway or stay fully isolated.
| Component | Purpose | Key Detail |
|---|---|---|
| VPC CIDR | IP address space for the VPC | Range /16 to /28; the primary CIDR cannot be changed after creation, but secondary CIDR blocks can be associated later |
| Subnet | AZ-scoped IP range within the VPC | First 4 and last 1 IP reserved by AWS |
| Internet Gateway (IGW) | Horizontally scaled gateway to the internet | 1 per VPC; attach to VPC, add route 0.0.0.0/0 -> IGW |
| NAT Gateway | Outbound internet for private subnets | Deployed in public subnet; costs per hour + data processed |
| Route Table | Controls traffic routing per subnet | Each subnet associated with exactly one route table |
| Security Group | Stateful instance-level firewall | Allow rules only; return traffic automatically allowed |
| Network ACL | Stateless subnet-level firewall | Allow and deny rules; rules evaluated in order by number |
| VPC Endpoint | Private path to AWS services | Gateway (S3/DynamoDB) or Interface (most services) |
Default VPCs come pre-configured with a /16 CIDR, one public subnet per AZ, an IGW, and a route table. They are fine for experiments but most production workloads use custom VPCs with private subnets.
Subnet Design and Routing Patterns
A three-tier subnet layout is the standard starting point: public (load balancers), private app (EC2/ECS), and private data (RDS/ElastiCache). Spread each tier across at least two AZs for high availability.
| Tier | Route Table Has | Typical Resources |
|---|---|---|
| Public | 0.0.0.0/0 -> IGW | ALB, NAT Gateway, Bastion hosts |
| Private App | 0.0.0.0/0 -> NAT Gateway | EC2, ECS tasks, Lambda in VPC |
| Private Data | Local routes only | RDS, ElastiCache, OpenSearch |
NAT Gateway must live in a public subnet and have an Elastic IP. Create one per AZ to avoid cross-AZ data transfer charges and single points of failure.
```bash
# Create a VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=prod-vpc}]'
# Create public subnet in us-east-1a
aws ec2 create-subnet --vpc-id vpc-xxxx --cidr-block 10.0.1.0/24 --availability-zone us-east-1a
# Create and attach Internet Gateway
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --vpc-id vpc-xxxx --internet-gateway-id igw-xxxx
# Create a route table for the public tier and associate it with the subnet
# (a subnet with no explicit association uses the VPC's main route table, which only has the local route)
aws ec2 create-route-table --vpc-id vpc-xxxx
aws ec2 associate-route-table --route-table-id rtb-xxxx --subnet-id subnet-xxxx
# Add the default route in the public route table
aws ec2 create-route --route-table-id rtb-xxxx --destination-cidr-block 0.0.0.0/0 --gateway-id igw-xxxx
# Optional: give launched instances a public IPv4 automatically (this alone does not make the subnet public)
aws ec2 modify-subnet-attribute --subnet-id subnet-xxxx --map-public-ip-on-launch
```
Enabling "Auto-assign public IPv4" on a subnet does not make it a public subnet. A subnet is public only when its route table has a route to an IGW; an instance with a public IP in a subnet whose route table lacks that route can neither reach nor be reached from the internet. Forgetting the route table update is a common interview gotcha.
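The check a practitioner actually wants is an audit that classifies every subnet from its effective route table rather than from the "auto-assign public IPv4" flag. The following is an added example, not code from the original page: it walks data shaped like the output of `aws ec2 describe-subnets` and `aws ec2 describe-route-tables`, resolves each subnet to its explicit route table or the main table, and flags the mismatch described above. The subnet, route table, IGW and NAT gateway IDs are constructed placeholders.

```python
"""Classify subnets as public / private / isolated from route-table data.

The sample data below is constructed to mimic the JSON shape returned by
`aws ec2 describe-subnets` and `aws ec2 describe-route-tables`; all IDs
are placeholders for a hypothetical VPC.
"""

# Constructed sample: four subnets in a hypothetical 10.0.0.0/16 VPC.
SUBNETS = [
    {"SubnetId": "subnet-pub-a",  "CidrBlock": "10.0.1.0/24",  "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-app-a",  "CidrBlock": "10.0.11.0/24", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-oops",   "CidrBlock": "10.0.21.0/24", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-data-a", "CidrBlock": "10.0.31.0/24", "MapPublicIpOnLaunch": False},
]

# Constructed sample route tables. subnet-oops has no explicit association,
# so it silently falls back to the main table (local route only).
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-pub-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
        ],
    },
    {
        "RouteTableId": "rtb-private-a",
        "Associations": [{"Main": False, "SubnetId": "subnet-app-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"},
        ],
    },
]


def route_table_for(subnet_id, route_tables):
    """Return the route table with an explicit association, else the main table."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("Main"):
                main = rt
            elif assoc.get("SubnetId") == subnet_id:
                return rt
    return main


def default_route_target(rt):
    """Target of the 0.0.0.0/0 route, or None when the table has no default route."""
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return (route.get("GatewayId") or route.get("NatGatewayId")
                    or route.get("TransitGatewayId") or "other")
    return None


def classify(subnet, route_tables):
    rt = route_table_for(subnet["SubnetId"], route_tables)
    target = default_route_target(rt)
    if target and target.startswith("igw-"):
        tier = "public"
    elif target and target.startswith("nat-"):
        tier = "private"        # outbound only, via NAT
    else:
        tier = "isolated"       # local routes only
    warnings = []
    if subnet["MapPublicIpOnLaunch"] and tier != "public":
        warnings.append("auto-assign public IPv4 is on but the route table has no IGW route; "
                        "instances get a public IP that carries no traffic")
    return {"route_table": rt["RouteTableId"], "tier": tier, "warnings": warnings}


def audit(subnets, route_tables):
    """Map SubnetId -> classification for every subnet."""
    return {s["SubnetId"]: classify(s, route_tables) for s in subnets}


if __name__ == "__main__":
    for subnet_id, result in audit(SUBNETS, ROUTE_TABLES).items():
        print(subnet_id, result["tier"], result["route_table"], *result["warnings"])
```

To run this against a real account, replace the two constants with the `Subnets` and `RouteTables` arrays from `aws ec2 describe-subnets --output json` and `aws ec2 describe-route-tables --output json` (for example via `json.load`); the classification logic is unchanged.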
Security Groups vs Network ACLs
Security Groups and NACLs both filter traffic but operate at different layers and have different statefulness models.
| Feature | Security Group | Network ACL |
|---|---|---|
| Level | Instance / ENI | Subnet |
| Statefulness | Stateful - return traffic automatically allowed | Stateless - must explicitly allow inbound and outbound |
| Rule types | Allow only | Allow and Deny |
| Rule evaluation | All rules evaluated together | Rules evaluated in ascending number order; first match wins |
| Default | New SG: deny all inbound, allow all outbound (the VPC's default SG additionally allows inbound from members of the same SG) | Default NACL: allow all inbound and outbound; a newly created custom NACL denies everything |
| Association | An instance/ENI can have many SGs; an SG can be attached to many instances | Each subnet has exactly one NACL; one NACL can be associated with many subnets |
Use Security Groups as your primary control - they are easier to manage and stateful. Use NACLs as a second layer to block specific IPs at scale (e.g., blocking a /24 range from a known bad actor without adding rules to every SG). Because NACLs are stateless, any inbound allow needs a matching outbound allow for the ephemeral port range (1024-65535) so that replies can leave the subnet; forgetting that rule is the classic "SG looks right but the connection hangs" failure.
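The statefulness difference is easiest to see by simulating one HTTPS request/response pair through both filters. The block below is an added example (not code from the original page) with constructed rule sets and constructed addresses: a NACL that only allows port 443 in both directions lets the request in but drops the reply, the corrected NACL adds the ephemeral-port outbound rule and a lower-numbered deny for a bad /24, and a Security Group with a single inbound rule passes both packets because it tracks the flow.

```python
"""Stateless NACL vs stateful Security Group, simulated on one TCP exchange.

Rule sets, addresses and ports are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    direction: str = "in"   # "in" = entering the subnet/instance, "out" = leaving it


@dataclass(frozen=True)
class NaclRule:
    number: int             # rules are evaluated in ascending order, first match wins
    direction: str
    proto: str              # "tcp", "udp" or "-1" for all protocols
    cidr: str               # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    action: str             # "allow" or "deny"


@dataclass(frozen=True)
class SgRule:
    direction: str          # Security Groups have allow rules only
    proto: str
    cidr: str
    port_from: int
    port_to: int


def _matches(proto, cidr, port_from, port_to, pkt):
    peer = pkt.src if pkt.direction == "in" else pkt.dst
    return (proto in ("-1", pkt.proto)
            and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr)
            and port_from <= pkt.dport <= port_to)


def nacl_allows(rules, pkt):
    """Stateless: every packet is judged on its own against the ordered rule list."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.direction != pkt.direction:
            continue
        if _matches(rule.proto, rule.cidr, rule.port_from, rule.port_to, pkt):
            return rule.action == "allow"
    return False  # the implicit '*' rule at the end of every NACL denies


class SecurityGroup:
    """Stateful: once a flow is permitted, its reply packets are permitted too."""

    def __init__(self, rules):
        self.rules = rules
        self._flows = set()

    def allows(self, pkt):
        key = (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))
        if key in self._flows:
            return True
        # Allow-only rules, so returning on the first match equals "most permissive wins".
        for rule in self.rules:
            if rule.direction == pkt.direction and _matches(
                    rule.proto, rule.cidr, rule.port_from, rule.port_to, pkt):
                self._flows.add(key)
                return True
        return False


# Constructed scenario: an internet client talks HTTPS to an instance in the subnet.
CLIENT, SERVER = "198.51.100.7", "10.0.1.10"
REQUEST = Packet(CLIENT, 50000, SERVER, 443, direction="in")
RESPONSE = Packet(SERVER, 443, CLIENT, 50000, direction="out")
BLOCKED_REQUEST = Packet("203.0.113.9", 50001, SERVER, 443, direction="in")

NACL_BROKEN = [
    NaclRule(100, "in", "tcp", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(100, "out", "tcp", "0.0.0.0/0", 443, 443, "allow"),  # only lets the instance *initiate* HTTPS
]
NACL_FIXED = [
    NaclRule(90, "in", "-1", "203.0.113.0/24", 0, 65535, "deny"),   # bad /24 blocked before the broad allow
    NaclRule(100, "in", "tcp", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(100, "out", "tcp", "0.0.0.0/0", 1024, 65535, "allow"),  # ephemeral ports so replies can leave
]
SG_HTTPS = [SgRule("in", "tcp", "0.0.0.0/0", 443, 443)]


def nacl_roundtrip(rules):
    return nacl_allows(rules, REQUEST), nacl_allows(rules, RESPONSE)


def sg_roundtrip():
    sg = SecurityGroup(SG_HTTPS)  # no outbound rule needed for the reply
    return sg.allows(REQUEST), sg.allows(RESPONSE)


if __name__ == "__main__":
    print("broken NACL (request, reply):", nacl_roundtrip(NACL_BROKEN))
    print("fixed NACL  (request, reply):", nacl_roundtrip(NACL_FIXED))
    print("security group (request, reply):", sg_roundtrip())
```

The deny rule numbered 90 shows why ordering matters: had it been numbered 110, the allow at 100 would match first and the /24 would get through.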
VPC Connectivity Options
As architectures grow you need to connect VPCs to each other and to on-premises networks. Each option has different trade-offs in complexity, cost, and scalability.
| Option | Use Case | Transitive? | Bandwidth Limit |
|---|---|---|---|
| VPC Peering | Connect two VPCs (same or cross-account) | No | No limit (uses AWS backbone) |
| Transit Gateway | Hub-and-spoke for many VPCs | Yes | 50 Gbps per VPC attachment |
| PrivateLink | Expose a service to consumers privately | N/A | Per-endpoint limits |
| Site-to-Site VPN | Connect on-premises to VPC | No (with TGW: yes) | 1.25 Gbps per tunnel |
| Direct Connect | Dedicated physical link to AWS | With DXGW: yes | 1-100 Gbps |
VPC Peering is not transitive. If VPC-A peers with VPC-B and VPC-B peers with VPC-C, traffic cannot flow A -> B -> C without a direct peering between A and C. This is a very common exam and interview question.
VPC Pricing and Cost Optimization
The VPC itself is free. Costs come from attached resources and data transfer.
| Resource | Cost Driver | Optimization |
|---|---|---|
| NAT Gateway | $0.045/hr + $0.045/GB processed | Share one NAT GW per AZ; use VPC Endpoints for S3/DynamoDB to bypass NAT |
| VPC Endpoints (Interface) | $0.01/hr per AZ + $0.01/GB | Pays for itself once the NAT Gateway data charge saved ($0.045/GB - $0.01/GB) exceeds the endpoint's hourly cost across its AZs |
| VPC Peering | Data transfer between AZs/regions | Keep traffic within same AZ where possible; use TGW for many-to-many |
| Elastic IP | $0.005/hr per public IPv4 address, idle or in use (since Feb 2024) | Release unused EIPs immediately; put instances behind a load balancer or NAT Gateway instead of giving each one a public IP |
| Transit Gateway | $0.05/hr per attachment + $0.02/GB | Use for 3+ VPCs; peering is cheaper for just two |
S3 and DynamoDB Gateway Endpoints are free and eliminate NAT Gateway data charges for those services. Enable them in every VPC; they only serve traffic originating inside that VPC (not over peering or VPN), and you should attach an endpoint policy so the private path can only reach the buckets and tables your workloads need rather than any bucket in the region.
Interview Focus Points
1. What is the difference between a Security Group and a Network ACL? When would you use each?
2. Explain why VPC Peering is not transitive and how Transit Gateway solves that problem.
3. A private subnet instance cannot reach the internet. Walk through your troubleshooting steps.
4. How would you design a multi-account VPC architecture for a large enterprise?
5. What is the difference between an Interface VPC Endpoint and a Gateway VPC Endpoint?
6. How do you reduce NAT Gateway costs in a large VPC setup?
7. Can two VPCs with overlapping CIDR blocks be peered? What would you do instead?
8. Explain the reserved IP addresses in a subnet and why they matter for capacity planning.
9. How does VPC Flow Logs work and what are its limitations for security monitoring?
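For the last question, a concrete answer is easier to give after having parsed a few records. The block below is an added example, not part of the original page: it parses constructed lines in the default (version 2) flow log format, skips NODATA rows, and runs two simple detections over them, a rejected-port sweep from one source and accepted SSH/RDP from outside a trusted range. Addresses, ENI and account IDs are constructed.

```python
"""Parse default-format VPC Flow Log records and run two simple detections.

The log lines are constructed samples in the version 2 default format:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
"""
import collections
import ipaddress

SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 49152 22 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 49153 23 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 49154 445 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 49155 3389 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 49156 8080 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 50000 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.11.25 10.0.31.40 51000 5432 6 10 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.11.25 10.0.1.10 51001 22 6 12 2800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.50 10.0.1.10 51002 22 6 15 3100 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse(text):
    """Return a list of dicts, one per record with log-status OK."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":   # NODATA / SKIPDATA rows carry no flow fields
            continue
        for key in INT_FIELDS:
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def rejected_port_sweeps(records, threshold=5):
    """(src, dst) pairs whose REJECTed flows touched at least `threshold` distinct ports."""
    ports = collections.defaultdict(set)
    for rec in records:
        if rec["action"] == "REJECT":
            ports[(rec["srcaddr"], rec["dstaddr"])].add(rec["dstport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


def accepted_admin_from_outside(records, trusted=("10.0.0.0/8",), admin_ports=(22, 3389)):
    """ACCEPTed TCP flows to admin ports whose source is outside every trusted CIDR."""
    nets = [ipaddress.ip_network(t) for t in trusted]
    hits = []
    for rec in records:
        if rec["action"] != "ACCEPT" or rec["protocol"] != 6 or rec["dstport"] not in admin_ports:
            continue
        src = ipaddress.ip_address(rec["srcaddr"])
        if not any(src in net for net in nets):
            hits.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return hits


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("sweeps:", rejected_port_sweeps(recs))
    print("admin access from outside:", accepted_admin_from_outside(recs))
```

Limitations worth stating in the interview and visible in the data above: records are aggregated over a capture window (the same `start`/`end` here), so there is no packet-level timing; there is no payload, so you cannot tell a port scan's tool from a misconfigured client; a REJECT does not say whether a Security Group or a NACL dropped it; and traffic to the Amazon DNS resolver, the instance metadata service and DHCP is not logged at all.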