
Networking

By Atif Alam

Every AWS resource that communicates over a network lives inside a VPC (Virtual Private Cloud). Understanding VPC networking is essential — it controls how your instances connect to each other, to the internet, and to on-premises networks.

A VPC is your isolated network in AWS. You define its IP address range, create subnets, and control traffic flow.

```
┌──────────────────────────────────────────────────────────┐
│  VPC: 10.0.0.0/16 (65,536 IPs)                           │
│                                                          │
│  ┌──────────────────────┐    ┌──────────────────────┐    │
│  │ Public Subnet        │    │ Public Subnet        │    │
│  │ 10.0.1.0/24 (AZ-a)   │    │ 10.0.2.0/24 (AZ-b)   │    │
│  │ ┌──────┐ ┌───────┐   │    │ ┌──────┐             │    │
│  │ │ EC2  │ │  ALB  │   │    │ │ EC2  │             │    │
│  │ └──────┘ └───────┘   │    │ └──────┘             │    │
│  └──────────────────────┘    └──────────────────────┘    │
│                                                          │
│  ┌──────────────────────┐    ┌──────────────────────┐    │
│  │ Private Subnet       │    │ Private Subnet       │    │
│  │ 10.0.3.0/24 (AZ-a)   │    │ 10.0.4.0/24 (AZ-b)   │    │
│  │ ┌──────┐ ┌───────┐   │    │ ┌──────┐ ┌───────┐   │    │
│  │ │ App  │ │  RDS  │   │    │ │ App  │ │  RDS  │   │    │
│  │ └──────┘ └───────┘   │    │ └──────┘ └───────┘   │    │
│  └──────────────────────┘    └──────────────────────┘    │
└──────────────────────────────────────────────────────────┘
```

```bash
# Create VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications \
  'ResourceType=vpc,Tags=[{Key=Name,Value=my-vpc}]'
```

| CIDR | IPs | Typical Use |
|------|-----|-------------|
| /16 | 65,536 | VPC (largest recommended) |
| /20 | 4,096 | Large subnet |
| /24 | 256 | Standard subnet |
| /28 | 16 | Small subnet (minimum for AWS) |

Choose a VPC CIDR that doesn’t overlap with your other VPCs or on-premises networks (important for VPC peering and VPN).

A subnet is a range of IPs within a VPC, placed in a single AZ. Subnets are either public (internet-accessible) or private (internal only).

| Subnet Type | Internet Access | Route Table Points To | Contains |
|-------------|-----------------|-----------------------|----------|
| Public | Yes (via IGW) | Internet Gateway | Load balancers, bastion hosts, NAT Gateway |
| Private | Outbound only (via NAT) | NAT Gateway | App servers, databases, internal services |

Always create subnets in at least two AZs for high availability:

AZ-a: public-subnet-a + private-subnet-a
AZ-b: public-subnet-b + private-subnet-b
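
The CIDR and subnet rules above (no overlap with other VPCs or on-premises ranges, subnets inside the VPC, nothing smaller than /28, and two AZs) are easy to get wrong by hand. The following is an added example, not code from the page, that validates such a plan offline with Python's standard `ipaddress` module. The VPC and subnet CIDRs are the ones from the diagram; the `peer-vpc` and `on-prem` ranges and the `BAD_SUBNETS` plan are constructed sample input. It also reports usable host counts, since AWS reserves five addresses in every subnet (so the table's "256 IPs" for a /24 means 251 assignable ones):

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet
# (network address, VPC router, DNS, future use, broadcast), so the usable
# count is always five less than the block size.
AWS_RESERVED_PER_SUBNET = 5

# Sample plan built from the CIDRs in the diagram; the external ranges are
# constructed for this example (a peered VPC and an on-premises network).
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "public-subnet-a": "10.0.1.0/24",
    "public-subnet-b": "10.0.2.0/24",
    "private-subnet-a": "10.0.3.0/24",
    "private-subnet-b": "10.0.4.0/24",
}
EXTERNAL_CIDRS = {"peer-vpc": "10.1.0.0/16", "on-prem": "192.168.0.0/16"}

# A deliberately broken plan (constructed): on-prem overlap, a subnet outside
# the VPC, a subnet below /28, and two subnets sharing address space.
BAD_SUBNETS = {**SUBNETS, "stray": "10.1.0.0/24", "tiny": "10.0.5.0/29", "dup": "10.0.1.128/25"}
BAD_EXTERNAL = {"on-prem": "10.0.0.0/8"}


def usable_hosts(cidr: str) -> int:
    """Instance-assignable addresses in an AWS subnet of this size."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def check_plan(vpc_cidr: str, subnets: dict, external_cidrs: dict) -> list:
    """Return human-readable problems with a VPC/subnet plan; [] means it is clean.

    Checks: VPC prefix within the /16../28 range AWS accepts, no overlap with
    external ranges (VPC peering and VPN both require this), every subnet inside
    the VPC, no subnet smaller than /28, and no two subnets overlapping.
    """
    problems = []
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    except ValueError as exc:                 # e.g. host bits set: 10.0.0.1/16
        return [f"VPC CIDR {vpc_cidr} is invalid: {exc}"]
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC {vpc} must be between /16 and /28")
    for name, ext in external_cidrs.items():
        if vpc.overlaps(ipaddress.ip_network(ext, strict=False)):
            problems.append(f"VPC {vpc} overlaps {name} ({ext}); peering/VPN to it will fail")

    seen = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name}: {cidr} is invalid: {exc}")
            continue
        if net.prefixlen > 28:
            problems.append(f"{name} {net} is smaller than the AWS minimum /28")
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is not inside VPC {vpc}")
        for other, onet in seen.items():
            if net.overlaps(onet):
                problems.append(f"{name} {net} overlaps {other} {onet}")
        seen[name] = net
    return problems


if __name__ == "__main__":
    for name, cidr in SUBNETS.items():
        print(f"{name:18} {cidr:15} usable hosts: {usable_hosts(cidr)}")
    print("clean plan problems:", check_plan(VPC_CIDR, SUBNETS, EXTERNAL_CIDRS))
    for p in check_plan(VPC_CIDR, BAD_SUBNETS, BAD_EXTERNAL):
        print("problem:", p)
```

Run it before `aws ec2 create-vpc`: an overlap with an on-premises range is cheap to fix on paper and expensive once peering or a VPN is in place.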

A route table contains rules that determine where network traffic is directed.

Public subnet route table:

```
Destination     Target
10.0.0.0/16     local         ← traffic within the VPC stays internal
0.0.0.0/0       igw-abc123    ← everything else goes to the Internet Gateway
```

Private subnet route table:

```
Destination     Target
10.0.0.0/16     local         ← internal traffic
0.0.0.0/0       nat-xyz789    ← outbound internet via NAT Gateway
```
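
Route tables are matched by longest prefix, not by listing order, which is why `10.0.0.0/16 → local` always beats `0.0.0.0/0`. The following added example (not code from the page) resolves destinations against the two tables above, using the page's placeholder ids `igw-abc123` and `nat-xyz789`. It also adds a constructed peering route with the placeholder id `pcx-EXAMPLE` to show the caveat a practitioner hits most often: without a specific route for the peer's range, traffic to a peered VPC falls onto the default route and is sent to the NAT Gateway instead of the peering connection.

```python
import ipaddress

# The two route tables from the text (placeholder ids as on the page) plus a
# constructed peering route; "pcx-EXAMPLE" is a placeholder, not a real id.
PUBLIC_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-abc123"}
PRIVATE_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-xyz789"}
PRIVATE_RT_WITH_PEERING = {**PRIVATE_RT, "10.1.0.0/16": "pcx-EXAMPLE"}


def lookup(route_table: dict, dst_ip: str):
    """Longest-prefix match: the most specific route containing dst_ip wins,
    regardless of the order in which the routes are listed."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target            # None would mean "no route" (VPC tables always carry local)


def trace_from_private(dst_ip: str, private_rt=PRIVATE_RT, public_rt=PUBLIC_RT) -> list:
    """Hops a packet from a private-subnet instance takes towards dst_ip.

    A NAT Gateway sits in a public subnet, so once the private table hands the
    packet to it, the public subnet's table decides the next hop (the IGW).
    """
    hops = [lookup(private_rt, dst_ip)]
    if hops[-1].startswith("nat-"):
        hops.append(lookup(public_rt, dst_ip))
    return hops


if __name__ == "__main__":
    # Sample destinations (constructed): in-VPC host, host in the peer VPC, public host.
    for ip in ("10.0.3.25", "10.1.4.4", "93.184.216.34"):
        print(f"{ip:15} private table only  -> {trace_from_private(ip)}")
        print(f"{ip:15} with peering route  -> {trace_from_private(ip, PRIVATE_RT_WITH_PEERING)}")
```

The `10.1.4.4` case is the one to watch: with only the page's private table it leaves via `nat-xyz789` and then `igw-abc123`, which can never deliver it to a private peer range; with the peering route it goes straight to `pcx-EXAMPLE`.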

An IGW connects your VPC to the internet. It’s horizontally scaled, redundant, and free (you pay for the traffic).

A subnet is “public” only if its route table has a route to an IGW AND instances have public IPs.

```bash
# Create and attach an IGW
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-abc --vpc-id vpc-xyz
```

A NAT (Network Address Translation) Gateway lets instances in private subnets make outbound internet requests (e.g. download updates, call APIs) without being directly reachable from the internet.

```
Private instance ──► NAT Gateway (in public subnet) ──► IGW ──► Internet
                          └── has an Elastic IP
```
  • Placed in a public subnet, one per AZ for high availability.
  • Charged per hour ($0.045/hr) + data processing ($0.045/GB). Can add up — one of the top hidden costs.
  • Alternative: NAT Instance (self-managed EC2) — cheaper but not managed.

AWS has two layers of firewall: security groups (instance-level) and NACLs (subnet-level).

| Feature | Security Group | NACL |
|---------|----------------|------|
| Level | Instance (ENI) | Subnet |
| State | Stateful (return traffic auto-allowed) | Stateless (must allow both inbound and outbound) |
| Rules | Allow only | Allow and Deny |
| Evaluation | All rules evaluated together | Rules evaluated in number order (first match wins) |
| Default | Deny all inbound, allow all outbound | Allow all inbound and outbound |

Stateful vs Stateless Firewalls (Vocabulary)


Job descriptions and firewall vendors often use stateful vs stateless:

  • Stateful (security groups) — Connection tracking remembers an allowed flow (e.g. client → server on port 443) and automatically permits the return traffic for that flow; in the SG model you never write a separate inbound rule for the ephemeral response ports.
  • Stateless (NACLs) — Each direction is evaluated independently against the numbered rules. You must allow the outbound return traffic as well as the inbound initial packet, which means matching the client's ephemeral ports when you filter tightly.

Misconfigured NACLs are a classic cause of “TCP connects sometimes” or asymmetric behavior. For evidence of REJECT vs ACCEPT at scale, use VPC Flow Logs and Network RCA. For TCP/DNS/MTU concepts, see the TCP/IP primer.
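
Flow logs are the evidence for the "connects sometimes" symptom. The following added example (not code from the page) parses records in the default VPC Flow Logs format (`version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status`), summarises REJECTs per destination and port, and flags the signature of a stateless NACL missing its return-traffic rule: a flow whose forward direction was ACCEPTed but whose reply was REJECTed. The log lines, account id and ENI id are constructed sample data.

```python
from collections import Counter

# Default VPC Flow Logs format (version 2), space separated.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")

# Constructed sample records (not real traffic); account and ENI ids are placeholders.
# Line 1/2: an HTTPS request accepted, its reply rejected (stateless NACL symptom).
# Line 3: SSH from the allowed admin range. Lines 4/5: RDP probes, rejected.
# Line 6: a NODATA interval, which carries no traffic fields.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 51000 443 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 198.51.100.7 443 51000 6 12 2400 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.50 10.0.1.10 40222 22 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.9 10.0.1.10 55555 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 192.0.2.9 10.0.1.10 55556 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text: str) -> list:
    """Parse default-format flow log lines into dicts, skipping NODATA/SKIPDATA records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                                  # malformed or truncated line
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                                  # no traffic data in this interval
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def reject_summary(records: list) -> Counter:
    """Rejected flows per (destination address, destination port)."""
    return Counter((r["dstaddr"], r["dstport"]) for r in records if r["action"] == "REJECT")


def asymmetric_flows(records: list) -> set:
    """Forward 5-tuples (proto, src, dst, sport, dport) that were ACCEPTed while
    the matching reply was REJECTed. A stateful security group never does this
    for traffic it allowed, so it points at a stateless NACL that lacks the
    outbound ephemeral-port rule."""
    accepted = {(r["protocol"], r["srcaddr"], r["dstaddr"], r["srcport"], r["dstport"])
                for r in records if r["action"] == "ACCEPT"}
    flagged = set()
    for r in records:
        if r["action"] != "REJECT":
            continue
        forward = (r["protocol"], r["dstaddr"], r["srcaddr"], r["dstport"], r["srcport"])
        if forward in accepted:
            flagged.add(forward)
    return flagged


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(f"{len(recs)} records with traffic data")
    for (dst, port), n in reject_summary(recs).most_common():
        print(f"REJECT -> {dst}:{port}  x{n}")
    for proto, src, dst, sport, dport in asymmetric_flows(recs):
        print(f"{src}:{sport} -> {dst}:{dport} (proto {proto}) accepted, reply rejected: check outbound NACL")
```

One caveat: the default flow log format records the outcome at the ENI but not which control produced it, so a REJECT can come from either a security group or a NACL; the accept-then-reject-reply pattern is what singles out the stateless layer.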

```bash
# Create a security group
aws ec2 create-security-group --group-name web-sg --description "Web server" --vpc-id vpc-xyz

# Allow HTTP from anywhere
aws ec2 authorize-security-group-ingress --group-id sg-abc \
  --protocol tcp --port 80 --cidr 0.0.0.0/0

# Allow SSH from your IP only
aws ec2 authorize-security-group-ingress --group-id sg-abc \
  --protocol tcp --port 22 --cidr 203.0.113.50/32

# Allow app server SG to access database SG (SG-to-SG reference)
aws ec2 authorize-security-group-ingress --group-id sg-db \
  --protocol tcp --port 5432 --source-group sg-app
```

SG-to-SG references are a best practice — allow traffic from a security group rather than a CIDR. This way, if instances change IPs, the rule still works.

| Rule # | Type | Protocol | Port | Source | Action |
|--------|------|----------|------|--------|--------|
| 100 | HTTP | TCP | 80 | 0.0.0.0/0 | ALLOW |
| 110 | HTTPS | TCP | 443 | 0.0.0.0/0 | ALLOW |
| 120 | SSH | TCP | 22 | 203.0.113.0/24 | ALLOW |
| * | All | All | All | 0.0.0.0/0 | DENY |

Rules are evaluated in order — the first match wins. The * rule is the implicit deny-all at the bottom.
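
To make the stateful-versus-stateless distinction concrete, the following added example (not code from the page) models both layers and runs one HTTPS exchange through them. The inbound NACL is the table above; the two outbound NACL tables, the security group rules and the client/server addresses are constructed for the example. The "tight" outbound table mirrors the inbound one and therefore drops the server's reply, because the reply goes to the client's ephemeral port, not to 443; the "fixed" table adds the 1024-65535 range that AWS recommends for NACL return traffic. The security group needs no such rule: it remembers the allowed flow.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str     # "tcp", "udp", "icmp"
    src: str
    dst: str
    sport: int
    dport: int


# NACL rules as (number, protocol, (port_from, port_to), cidr, action).
# Inbound rules match the packet's source CIDR and destination port; outbound
# rules match its destination CIDR and destination port. "*" (deny) is implicit.
INBOUND_NACL = [
    (100, "tcp", (80, 80), "0.0.0.0/0", "ALLOW"),
    (110, "tcp", (443, 443), "0.0.0.0/0", "ALLOW"),
    (120, "tcp", (22, 22), "203.0.113.0/24", "ALLOW"),
]
# Constructed outbound table that mirrors the inbound one: it forgets that
# replies travel back to the client's ephemeral port, not to 80/443.
OUTBOUND_NACL_TIGHT = [
    (100, "tcp", (80, 80), "0.0.0.0/0", "ALLOW"),
    (110, "tcp", (443, 443), "0.0.0.0/0", "ALLOW"),
]
# The fix: allow the ephemeral range so return traffic can leave the subnet.
OUTBOUND_NACL_FIXED = OUTBOUND_NACL_TIGHT + [(140, "tcp", (1024, 65535), "0.0.0.0/0", "ALLOW")]


def nacl_evaluate(rules: list, pkt: Packet, direction: str):
    """Stateless evaluation: rules in ascending number order, first match wins,
    implicit '*' DENY if nothing matches. Returns (rule_number, action)."""
    addr = ipaddress.ip_address(pkt.src if direction == "inbound" else pkt.dst)
    for num, proto, (lo, hi), cidr, action in sorted(rules):
        if proto in ("all", pkt.proto) and lo <= pkt.dport <= hi \
                and addr in ipaddress.ip_network(cidr, strict=False):
            return num, action
    return "*", "DENY"


class SecurityGroup:
    """Stateful model: an allowed inbound flow is tracked and its reply is
    permitted without any outbound rule (the SG default is allow-all outbound anyway)."""

    def __init__(self, inbound_allow):
        self.inbound_allow = inbound_allow        # (proto, port, cidr); allow rules only
        self.tracked = set()                      # 5-tuples of flows already allowed in

    def inbound(self, pkt: Packet) -> bool:
        for proto, port, cidr in self.inbound_allow:
            if proto == pkt.proto and port == pkt.dport \
                    and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(cidr, strict=False):
                self.tracked.add((pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport))
                return True
        return False                              # SG default: deny inbound

    def is_reply(self, pkt: Packet) -> bool:
        """True if pkt is the reverse of a tracked flow, i.e. return traffic."""
        return (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport) in self.tracked


def simulate() -> dict:
    """Constructed HTTPS request from an internet client to a web server at 10.0.1.10."""
    request = Packet("tcp", "198.51.100.7", "10.0.1.10", 51000, 443)
    reply = Packet("tcp", "10.0.1.10", "198.51.100.7", 443, 51000)
    sg = SecurityGroup([("tcp", 80, "0.0.0.0/0"), ("tcp", 443, "0.0.0.0/0")])
    return {
        "nacl_in_request": nacl_evaluate(INBOUND_NACL, request, "inbound"),
        "nacl_out_reply_tight": nacl_evaluate(OUTBOUND_NACL_TIGHT, reply, "outbound"),
        "nacl_out_reply_fixed": nacl_evaluate(OUTBOUND_NACL_FIXED, reply, "outbound"),
        "sg_in_request": sg.inbound(request),
        "sg_reply_tracked": sg.is_reply(reply),
    }


if __name__ == "__main__":
    for check, result in simulate().items():
        print(f"{check:22} -> {result}")
```

The request is allowed in by rule 110 at both layers; the reply is dropped by the tight outbound NACL (`('*', 'DENY')`), allowed by rule 140 in the fixed one, and allowed by the security group purely because the flow is tracked. That is exactly the "TCP connects sometimes" pattern: the handshake's SYN gets in, the SYN-ACK never gets out.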

Load Balancers and DNS (Where to Read More)


Elastic Load Balancing (ALB, NLB, GWLB) — listeners, target groups, health checks, TLS, 502/504 triage, EKS with the AWS Load Balancer Controller, and Global Accelerator — is covered in Elastic Load Balancing.

Route 53 — public/private hosted zones, routing policies, health checks, Resolver / hybrid DNS, and dig troubleshooting — is covered in Route 53.

This page stays focused on VPC topology and packet-level controls (security groups and NACLs).

VPC Peering connects two VPCs directly (same or different accounts/regions); traffic stays on the AWS backbone. There is no transitive peering — A↔B and B↔C does not give A↔C. Transit Gateway is a regional hub that connects many VPCs and on-premises networks (VPN, Direct Connect) with transitive routing. Use peering for 2–3 VPCs; use Transit Gateway for larger hub-and-spoke or hybrid setups.

For details on peering, Transit Gateway (attachments, route tables), Site-to-Site VPN, and Direct Connect, see VPC Connectivity.

```
                 Internet
                     │
                ┌────┴────┐
                │   IGW   │
                └────┬────┘
┌────────────────────┼───────────────────┐
│  Public Subnets    │                   │
│    ┌─────────┐  ┌──┴──────┐            │
│    │   ALB   │  │ NAT GW  │            │
│    └────┬────┘  └────┬────┘            │
│         │            │                 │
├─────────┼────────────┼─────────────────┤
│  Private Subnets     │                 │
│  ┌──────┴─────┐  ┌───┴────────┐        │
│  │ App (AZ-a) │  │ App (AZ-b) │        │
│  └──────┬─────┘  └──────┬─────┘        │
│         │               │              │
├─────────┼───────────────┼──────────────┤
│  Private (Data) Subnets │              │
│  ┌──────┴─────┐  ┌──────┴─────┐        │
│  │ RDS (AZ-a) │  │ RDS (AZ-b) │        │
│  └────────────┘  └────────────┘        │
└────────────────────────────────────────┘
```

Three-tier: public (load balancer + NAT), private (application), private (data). This is the standard pattern for production workloads.

  • A VPC is your isolated network. Define the CIDR range carefully to avoid conflicts.
  • Public subnets route to an Internet Gateway; private subnets route through a NAT Gateway for outbound-only access.
  • Security groups (stateful, instance-level) are your primary firewall. Use SG-to-SG references.
  • NACLs (stateless, subnet-level) are an additional layer — useful for broad deny rules.
  • ALB for HTTP/HTTPS routing (path, host); NLB for TCP/UDP at extreme scale — see Elastic Load Balancing for setup and troubleshooting.
  • Deploy across multiple AZs for high availability.
  • Use VPC peering for 2–3 VPCs; Transit Gateway for larger hub-and-spoke networks. See VPC Connectivity for Transit Gateway, VPN, and Direct Connect.