AWS Virtual Private Cloud (VPC)

Amazon Virtual Private Cloud (VPC) is the fundamental building block for your private network in AWS. VPC allows many types of AWS resources, such as EC2 instances, to communicate securely with each other, with the Internet, and with local networks. This virtual network closely resembles a traditional network that you’d operate in your own data centre, but brings with it additional benefits of AWS infrastructure such as scale, availability, and isolation .

A VPC spans all the Availability Zones in the region. After creating a VPC, you can add one or more subnets in each Availability Zone.  

VPC Concepts:

  • Address space
  • Subnet
  • Route table
  • Internet Gateway
  • VPC Endpoint

Best practices

As you build your network in AWS, it is important to keep in mind the following universal design principles:

  • Ensure non-overlapping address spaces. Make sure your VPC address space (CIDR block) does not overlap with your organization’s other network ranges.
  • Your subnets should not cover the entire address space of the VPC. Plan ahead and reserve some address space for the future.
  • Secure your VPC by assigning Network Security Groups (NSGs) to the subnets beneath them.

VPC Sizing

Allowed IPv4 CIDR block size for VPC: a/16 netmask and a/28 netmask.

a/16 netmask : 65,536 IP addresses 

a/28 netmask: 16 IP addresses 

When you create a VPC, its recommend that you specify a CIDR block (of /16 or smaller) from the private IPv4 address ranges. - (10/8 prefix) - (172.16/12 prefix) - (192.168/16 prefix) 

Subnet Sizing

For a single subnet in the VPC, the CIDR block of a subnet can be the same as the CIDR block for the VPC. For multiple subnets, subset of the CIDR block for the VPC. 

Note: If you create more than one subnet in a VPC, the CIDR blocks of the subnets cannot overlap. 

For Example: 

VPC CIDR: (256 addresses) 

You can break this CIDR block into two subnets, each supporting 128 IP addresses. 

Subnet 1: CIDR block (for addresses -  

Subnet 2: CIDR block (for addresses - 

The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance. For example, in a subnet with CIDR block, the following five IP addresses are reserved: 

  • Network address. 
  • Reserved by AWS for the VPC router. 
  • Reserved by AWS.  
  • Reserved by AWS for future use. 
  • Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address. 
Internet Gateway 
Private IP: 
Elastic IP: 
EC2 instance 
Subnet I 
Private IP: 
EC2 instance 
Subnet 2 
Private IP: 
EC2 instance 
Subnet 3 
Custom Route Table 
Main Route Table 
Destination 6 
Virtual Private 
Custom Route Table 

Route Table

  • Route table defines rules, termed as routes, which determine where network traffic from the subnet would be routed 
  • Each VPC has a implicit router to route network traffic 
  • Each VPC has a Main Route table, and can have multiple custom route tables created 
  • Each Subnet within a VPC must be associated with a single route table at a time, while a route table can have multiple subnets associated with it 
Contains a set of rules to determine where network 
traffic is routed in a VPC 
Each VPC comes with the main route table by default 
Each route in a table specifies a destination CIDR and a 
The routing table associated with a subnet needs to be 
updated if there are any changes in status 
Configuring route table 
IOU.' 0,'24 
10 10 0.0/16 
ans ec2 create- route 
--ro rtb-ef36e58a 
Cognrab Dab Certer 
192 16800:16 
Eæh VPC has a single 
routing at creation time. 
used by all subnets 
--dest --gateway-id vgw-f9da06e7
Route Priority 
Specific routing policy or the longest prefix in your route table that matches the traffic determines how to 
route the traffic 
Virtual private gateways are mainly used for connecting data centers to cloud over an IPsec VPN tunnel 
When a virtual private gateway is attached to a VPC, routes representing the VPN will automatically 
appear as decided routes 
When overlapping routes within a VPN, follow the route specified on the VPN connection from the most 
preferred to the least preferred

VPC Endpoint 

A Private endpoint created inside a VPC allows to connect AWS Services securely without exposing to the internet as a private endpoint uses AWS backbone network for traffic flow between your VPC.

Endpoints are virtual devices. They are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic. 

Deleting Your VPC 

You can delete your VPC at any time. However, you must terminate all instances in the VPC first.  

When you delete a VPC using the VPC console, we delete all its components, such as subnets, security groups, network ACLs, route tables, internet gateways, VPC peering connections, and DHCP options. 

If you have a AWS Site-to-Site VPN connection, you don’t have to delete it or the other components related to the VPN (such as the customer gateway and virtual private gateway). If you plan to use the customer gateway with another VPC, we recommend that you keep the Site-to-Site VPN connection and the gateways. Otherwise, your network administrator must configure the customer gateway again after you create a new Site-to-Site VPN connection. 

Shared VPC 

VPC sharing allows multiple AWS accounts to create their application resources, such as Amazon EC2 instances, Amazon Relational Database Service (RDS) databases, Amazon Redshift clusters, and AWS Lambda functions, into shared, centrally-managed Amazon Virtual Private Clouds (VPCs).  

In this model, the account that owns the VPC (owner) shares one or more subnets with other accounts (participants) that belong to the same organization from AWS Organizations.  

After a subnet is shared, the participants can view, create, modify, and delete their application resources in the subnets shared with them. Participants cannot view, modify, or delete resources that belong to other participants or the VPC owner. 

One comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s