VPC Design: Subnets, CIDR, & Routing

Mastering the Foundation of AWS Networking for the SAA-C03

Overview

The Amazon Virtual Private Cloud (VPC) is your private, isolated section of the AWS Cloud. It allows you to launch AWS resources in a virtual network that you define. Proper VPC design is the cornerstone of the Reliability and Security pillars of the AWS Well-Architected Framework.

The “Office Building” Analogy

Imagine a VPC as a Private Office Building:

  • VPC (The Building): The total physical footprint and boundary.
  • CIDR Block (The Address): The unique street address of the building.
  • Subnets (The Floors): Smaller divisions within the building. Some floors are open to the public (Public Subnets), while others require high-security badges (Private Subnets).
  • Route Tables (The Signage): Directions in the hallway that tell people how to get to the lobby or the exit.
  • Internet Gateway (The Front Door): The only way in or out of the building from the street.

Core Concepts & Well-Architected Design

When designing a VPC, you must balance connectivity with security. Following the Principle of Least Privilege, resources should only be as accessible as absolutely necessary.

Feature         | Public Subnet                 | Private Subnet
Route to IGW    | Direct (0.0.0.0/0 → igw-id)   | None
Internet Access | Direct Inbound/Outbound       | Outbound only (via NAT Gateway)
Public IP / EIP | Required for communication    | Not required / Private IPs only
Use Case        | Load Balancers, Bastion Hosts | Databases, Application Servers

Decision Matrix: Routing & Connectivity

  • If you need instances to download updates but remain unreachable from the web: Use a NAT Gateway in a Public Subnet.
  • If you need to connect two VPCs privately: Use VPC Peering or Transit Gateway.
  • If you need a dedicated, private connection from On-Premise: Use AWS Direct Connect.
  • If you need to access S3 or DynamoDB without leaving the AWS network: Use Gateway VPC Endpoints.

Exam Tips: Golden Nuggets

  • The Rule of 5: AWS reserves 5 IP addresses in every subnet, the first four and the last (for a /24 that is .0, .1, .2, .3, and .255). Keep this in mind for capacity planning!
  • CIDR Limits: The minimum size is /28 (16 IPs) and the maximum size is /16 (65,536 IPs).
  • High Availability: Always design subnets across at least 2 Availability Zones (AZs). Subnets are tied to a single AZ.
  • NACLs vs Security Groups: NACLs are stateless (need inbound/outbound rules) and operate at the subnet level. Security Groups are stateful and operate at the instance level.

VPC Architecture Flow

VPC (10.0.0.0/16) → IGW → Public Subnet (AZ A) → NAT GW → Private Subnet (AZ A) → DB Instance

Key Services

  • NAT Gateway: Managed service for private subnet internet exit.
  • VPC Endpoints: Private link to AWS services (Interface/Gateway).
  • Egress-Only IGW: For IPv6 outbound traffic only.

Common Pitfalls

  • Overlapping CIDRs: Prevents VPC Peering between networks.
  • Missing Routes: Forgetting to add the 0.0.0.0/0 route to the IGW or NAT.
  • NAT Cost: NAT Gateways are charged hourly; use Endpoints where possible.
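The Exam Tips (Rule of 5, /16–/28 limits, multi-AZ subnets) and the Common Pitfalls above (overlapping CIDRs, missing default routes) can all be checked before anything is deployed. The following is an added example, not code from the original notes or from AWS; it uses only the Python standard library, and the route-target ids such as igw-0000 and nat-0000 are constructed placeholders.

```python
import ipaddress

LARGEST_PREFIX, SMALLEST_PREFIX = 16, 28   # /16 is the biggest VPC block, /28 the smallest subnet
AWS_RESERVED_PER_SUBNET = 5                 # first four addresses plus the last one
DEFAULT_ROUTE = "0.0.0.0/0"

def reserved_addresses(subnet: str) -> list:
    """The 'Rule of 5': AWS holds back the first four and the last address of every subnet."""
    net = ipaddress.ip_network(subnet, strict=True)
    first = net.network_address
    return [str(first + i) for i in range(4)] + [str(net.broadcast_address)]

def usable_hosts(subnet: str) -> int:
    """Capacity planning: total addresses minus the five AWS reserves; enforces the /16../28 limits."""
    net = ipaddress.ip_network(subnet, strict=True)
    if not LARGEST_PREFIX <= net.prefixlen <= SMALLEST_PREFIX:
        raise ValueError(f"{subnet}: AWS only allows prefixes from /16 to /28")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET

def carve_subnets(vpc_cidr: str, azs: list, new_prefix: int = 24) -> dict:
    """Carve one public and one private subnet per AZ out of the VPC block (multi-AZ design)."""
    blocks = ipaddress.ip_network(vpc_cidr, strict=True).subnets(new_prefix=new_prefix)
    return {az: {"public": str(next(blocks)), "private": str(next(blocks))} for az in azs}

def cidrs_overlap(cidr_a: str, cidr_b: str) -> bool:
    """Overlapping CIDRs block VPC Peering; check before requesting the peering connection."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))

def audit_route_table(kind: str, routes: dict) -> list:
    """Flag the 'missing route' pitfall and a private subnet wrongly routed straight to an IGW.
    routes maps destination CIDR -> target id (constructed ids: 'igw-...', 'nat-...', 'local')."""
    findings = []
    target = routes.get(DEFAULT_ROUTE)
    if target is None:
        findings.append(f"{kind} subnet has no {DEFAULT_ROUTE} route")
    elif kind == "public" and not target.startswith("igw-"):
        findings.append(f"public subnet default route should target an IGW, found {target}")
    elif kind == "private" and target.startswith("igw-"):
        findings.append("private subnet routes directly to an IGW, so it is not outbound-only")
    return findings

if __name__ == "__main__":
    print(carve_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"]))
    print(usable_hosts("10.0.0.0/24"), reserved_addresses("10.0.0.0/24"))
    print(cidrs_overlap("10.0.0.0/16", "10.0.5.0/24"))
    print(audit_route_table("private", {"10.0.0.0/16": "local"}))
```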

Quick Patterns

  • 3-Tier: Public (Web), Private (App), Private (DB).
  • Hub & Spoke: Central VPC for shared services using Transit Gateway.
  • Isolation: Separate VPCs for Dev/Test/Prod environments.
