Skip to content
← Back to AWS VPC & Networking

You are viewing a free preview of this lesson.

Subscribe to unlock all 10 lessons in this course and every other course on LearningBro.

View PricingCreate Account

Introduction to Amazon VPC

Introduction to Amazon VPC

Amazon Virtual Private Cloud (VPC) is the foundational networking layer of AWS. It lets you provision a logically isolated section of the AWS cloud where you launch resources in a virtual network that you define. Think of a VPC as your own private data centre inside AWS — except you never have to rack a server or run a cable.

Why VPC Matters

Every resource you create on AWS — an EC2 instance, an RDS database, a Lambda function connected to your data tier — ultimately lives inside a VPC. Without understanding VPCs you cannot:

  • Control which traffic reaches your applications
  • Segment workloads into public-facing and private tiers
  • Connect your cloud environment to on-premises networks securely
  • Meet compliance requirements that mandate network-level isolation

VPC is not an optional add-on; it is the network fabric that everything else plugs into.

Key Concepts at a Glance

Before we deep-dive in later lessons, here is a bird's-eye view of the components that make up a VPC:

Component Purpose
VPC Your private network, defined by a CIDR block
Subnet A range of IPs within the VPC, tied to one Availability Zone
Internet Gateway (IGW) Allows public subnets to reach the internet
NAT Gateway Allows private subnets outbound-only internet access
Route Table Rules that direct traffic within and outside the VPC
Security Group Stateful firewall at the instance / ENI level
Network ACL (NACL) Stateless firewall at the subnet level
VPC Peering Connect two VPCs over private IPs
Transit Gateway Hub-and-spoke connectivity for many VPCs
VPN Gateway Encrypted tunnel to an on-premises network
AWS Direct Connect Dedicated private link to AWS
VPC Endpoint Private access to AWS services without the internet
Elastic Network Interface (ENI) Virtual network card attached to instances

IP Addressing and CIDR Notation

Every VPC must be created with a primary CIDR block (Classless Inter-Domain Routing). CIDR notation tells AWS the range of private IP addresses available inside the VPC.

CIDR Crash Course

A CIDR block looks like this: 10.0.0.0/16

  • The first part (10.0.0.0) is the network address.
  • The second part (/16) is the prefix length — it tells you how many bits are fixed.
  • The remaining bits define the host addresses you can use.
CIDR Block Prefix Available IPs Common Use
10.0.0.0/8 8 bits fixed ~16.7 million Large enterprise
10.0.0.0/16 16 bits fixed 65,536 Standard VPC
10.0.0.0/24 24 bits fixed 256 Single subnet
10.0.0.0/28 28 bits fixed 16 Very small subnet

AWS allows VPC CIDR blocks ranging from /16 (65,536 IPs) to /28 (16 IPs). RFC 1918 private address ranges are recommended:

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

How AWS Reserves IPs in a Subnet

In every subnet, AWS reserves five IP addresses:

Address Purpose
First IP (e.g. 10.0.1.0) Network address
Second IP (e.g. 10.0.1.1) VPC router
Third IP (e.g. 10.0.1.2) DNS server
Fourth IP (e.g. 10.0.1.3) Reserved for future use
Last IP (e.g. 10.0.1.255) Broadcast (not supported but reserved)

So a /24 subnet gives you 256 − 5 = 251 usable addresses.

The Default VPC

Every AWS account comes with a default VPC in each Region. It is pre-configured with:

  • A /16 CIDR block: 172.31.0.0/16
  • One public subnet per Availability Zone (each a /20)
  • An Internet Gateway already attached
  • A main route table sending 0.0.0.0/0 to the IGW
  • A default security group and default NACL

The default VPC is great for quick experiments, but for production you should always create a custom VPC with subnets and security controls tailored to your workload.

Custom VPC — High-Level Architecture

A well-designed custom VPC typically follows a multi-tier pattern:

Region: eu-west-2
┌──────────────────────────────────────────────────┐
│  VPC  10.0.0.0/16                                │
│                                                  │
│  ┌──────────────────┐  ┌──────────────────┐      │
│  │ Public Subnet    │  │ Public Subnet    │      │
│  │ 10.0.1.0/24      │  │ 10.0.2.0/24      │      │
│  │ AZ-a             │  │ AZ-b             │      │
│  │ Web / ALB        │  │ Web / ALB        │      │
│  └──────────────────┘  └──────────────────┘      │
│                                                  │
│  ┌──────────────────┐  ┌──────────────────┐      │
│  │ Private Subnet   │  │ Private Subnet   │      │
│  │ 10.0.3.0/24      │  │ 10.0.4.0/24      │      │
│  │ AZ-a             │  │ AZ-b             │      │
│  │ App Servers      │  │ App Servers      │      │
│  └──────────────────┘  └──────────────────┘      │
│                                                  │
│  ┌──────────────────┐  ┌──────────────────┐      │
│  │ Private Subnet   │  │ Private Subnet   │      │
│  │ 10.0.5.0/24      │  │ 10.0.6.0/24      │      │
│  │ AZ-a             │  │ AZ-b             │      │
│  │ Databases        │  │ Databases        │      │
│  └──────────────────┘  └──────────────────┘      │
│                                                  │
└──────────────────────────────────────────────────┘

This three-tier layout — public, application, data — is the backbone of most production architectures on AWS.

VPC Tenancy

When you create a VPC you choose a tenancy model:

Tenancy Description Cost
Default Instances may share physical hardware with other accounts Standard pricing
Dedicated All instances run on single-tenant hardware Premium pricing

Most workloads use default tenancy. Dedicated tenancy is typically required by compliance regimes that forbid shared hardware (e.g., certain government or financial regulations).

Elastic Network Interfaces (ENIs)

An ENI is a virtual network card. Every EC2 instance has at least one. ENIs carry:

  • A primary private IPv4 address
  • One or more secondary private IPv4 addresses
  • An optional Elastic IP (public static IP)
  • One or more security groups
  • A MAC address

You can detach an ENI from one instance and attach it to another — useful for failover scenarios where you want to move a private IP between instances without changing DNS.

Bringing It All Together — Traffic Flow

Here is a simplified flow for a user requesting a web page hosted in AWS:

  1. The user's browser sends an HTTPS request to a public IP or domain name.
  2. Route 53 resolves the domain to the public IP of the Application Load Balancer in a public subnet.
  3. The ALB forwards the request to an EC2 instance (or ECS task) in a private subnet.
  4. The application queries an RDS database in another private subnet.
  5. The response travels back through the ALB to the user.

At no point does the database need a public IP or direct internet access — it sits safely in a private subnet.

Best Practices

  • Plan your CIDR blocks carefully. Overlapping CIDRs between VPCs or with on-premises networks will prevent peering or VPN connections.
  • Use multiple Availability Zones. Spread subnets across at least two AZs for high availability.
  • Create separate subnets for each tier (web, application, data) to apply different security rules.
  • Tag everything. Use tags such as Environment, Team, and CostCentre for visibility and billing.
  • Avoid using the default VPC for production. Build a custom VPC that matches your architecture.

Summary

Amazon VPC is the networking foundation of every AWS architecture. It gives you complete control over IP addressing, subnet layout, routing, and security. Understanding CIDR notation, the distinction between public and private subnets, and the role of gateways and route tables is essential before you build anything in production on AWS.

In the next lesson we will dive into subnets — the building blocks of VPC design — and explore how public and private subnets work in detail.

Subscribe to continue