Amazon Virtual Private Cloud (VPC) is the fundamental building block for your private network in AWS. VPC allows many types of AWS resources, such as EC2 instances, to communicate securely with each other, with the Internet, and with local networks. This virtual network closely resembles a traditional network that you’d operate in your own data centre, but brings with it additional benefits of AWS infrastructure such as scale, availability, and isolation .

A VPC spans all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone.  

VPC Concepts:

• Address space
• Subnet
• Route table
• Internet Gateway
• VPC Endpoint

Best practices

As you build your network in AWS, it is important to keep in mind the following universal design principles:

• Ensure non-overlapping address spaces. Make sure your VPC address space (CIDR block) does not overlap with your organization’s other network ranges.
• Your subnets should not cover the entire address space of the VPC. Plan ahead and reserve some address space for the future.
• Secure your VPC by assigning Network Security Groups (NSGs) to the subnets beneath them.

VPC Sizing

Allowed IPv4 CIDR block size for VPC: a/16 netmask and a/28 netmask.

a/16 netmask : 65,536 IP addresses 

a/28 netmask: 16 IP addresses 

When you create a VPC, its recommend that you specify a CIDR block (of /16 or smaller) from the private IPv4 address ranges. 

10.0.0.0 - 10.255.255.255 (10/8 prefix) 

172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 

192.168.0.0 - 192.168.255.255 (192.168/16 prefix) 

Subnet Sizing

For a single subnet in the VPC, the CIDR block of a subnet can be the same as the CIDR block for the VPC. For multiple subnets, subset of the CIDR block for the VPC. 

Note: If you create more than one subnet in a VPC, the CIDR blocks of the subnets cannot overlap. 

For Example: 

VPC CIDR: 10.0.0.0/24 (256 addresses) 

You can break this CIDR block into two subnets, each supporting 128 IP addresses. 

Subnet 1: CIDR block 10.0.0.0/25 (for addresses 10.0.0.0 - 10.0.0.127)  

Subnet 2: CIDR block 10.0.0.128/25 (for addresses 10.0.0.128 - 10.0.0.255). 

The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. For example, in a subnet with CIDR block 10.0.0.0/24, the following five IP addresses are reserved: 

• 10.0.0.0: Network address. 
• 10.0.0.1: Reserved by AWS for the VPC router. 
• 10.0.0.2: Reserved by AWS.  
• 10.0.0.3: Reserved by AWS for future use. 
• 10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address. 

Route Table

• Route table defines rules, termed as routes, which determine where network traffic from the subnet would be routed 
• Each VPC has a implicit router to route network traffic 
• Each VPC has a Main Route table, and can have multiple custom route tables created 
• Each Subnet within a VPC must be associated with a single route table at a time, while a route table can have multiple subnets associated with it 

VPC Endpoint 

A Private endpoint created inside a VPC allows to connect AWS Services securely without exposing to the internet as a private endpoint uses AWS backbone network for traffic flow between your VPC.

Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic. 

Deleting Your VPC 

You can delete your VPC at any time. However, you must terminate all instances in the VPC first.  

When you delete a VPC using the VPC console, we delete all its components, such as subnets, security groups, network ACLs, route tables, internet gateways, VPC peering connections, and DHCP options. 

If you have a AWS Site-to-Site VPN connection, you don’t have to delete it or the other components related to the VPN (such as the customer gateway and virtual private gateway). If you plan to use the customer gateway with another VPC, we recommend that you keep the Site-to-Site VPN connection and the gateways. Otherwise, your network administrator must configure the customer gateway again after you create a new Site-to-Site VPN connection. 

Shared VPC 

VPC sharing allows multiple AWS accounts to create their application resources, such as Amazon EC2 instances, Amazon Relational Database Service (RDS) databases, Amazon Redshift clusters, and AWS Lambda functions, into shared, centrally-managed Amazon Virtual Private Clouds (VPCs).  

In this model, the account that owns the VPC (owner) shares one or more subnets with other accounts (participants) that belong to the same organization from AWS Organizations.  

After a subnet is shared, the participants can view, create, modify, and delete their application resources in the subnets shared with them. Participants cannot view, modify, or delete resources that belong to other participants or the VPC owner.