Lesson 21

Amazon VPC Fundamentals

Virtual Private Cloud, subnets, route tables, and connectivity

1. What Is Amazon VPC?

Amazon Virtual Private Cloud (Amazon VPC) enables you to provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define.

Core idea: A VPC is your own private network inside AWS. You control IP address ranges, subnets, route tables, and network gateways. VPCs belong to a single Region but span multiple Availability Zones.

2. IP Addressing and CIDR

When you create a VPC, you assign an IPv4 CIDR block. This block cannot be changed after creation. Valid sizes range from /16 (65,536 addresses) to /28 (16 addresses). IPv6 is also supported.

Exam tip: Every subnet reserves 5 IP addresses (network address, VPC router, DNS, future use, broadcast). A /24 subnet has 256 total addresses but only 251 are usable.

3. Subnets

A subnet is a range of IP addresses within a VPC. Each subnet belongs to a single Availability Zone and can be classified as public or private.

Type             Internet Access          Typical Use
Public subnet    Yes (direct)             Web servers, load balancers, bastion hosts
Private subnet   No (indirect via NAT)    Databases, application servers, backend services

CIDR blocks of subnets within the same VPC cannot overlap. Subnet CIDR blocks can be the same as the VPC block (single subnet) or a subset (multiple subnets).
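As an added example (not code from the AWS Academy module), the following Python uses the standard-library ipaddress module to check a subnet plan against the rules in sections 2 and 3: the /16 to /28 size limit, the five addresses AWS reserves in every subnet, and the requirement that subnets sit inside the VPC block without overlapping each other. The VPC and subnet CIDRs are constructed sample values, and the function names are this example's own.

```python
# Added example, not part of the AWS Academy module: validating a VPC subnet plan.
import ipaddress

RESERVED_PER_SUBNET = 5          # network address, VPC router, DNS, future use, broadcast
MIN_PREFIX, MAX_PREFIX = 16, 28  # /16 (65,536 addresses) down to /28 (16 addresses)


def _network(cidr):
    """Parse a CIDR block and enforce the /16 to /28 limit.

    AWS applies the same bound to subnets as to the VPC block itself.
    strict=True rejects a block with host bits set, such as 10.0.0.1/24.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{cidr}: prefix must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    return net


def usable_addresses(subnet_cidr):
    """Addresses left for resources after AWS reserves five: a /24 yields 251."""
    return _network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def reserved_addresses(subnet_cidr):
    """The five reserved addresses: the first four in the block and the last one."""
    net = _network(subnet_cidr)
    first = int(net.network_address)
    low_four = [str(ipaddress.ip_address(first + i)) for i in range(4)]
    return low_four + [str(net.broadcast_address)]


def validate_subnet_plan(vpc_cidr, subnet_cidrs):
    """Check that every subnet fits inside the VPC and that no two subnets overlap.

    Returns {subnet: usable address count} when the plan is valid.
    """
    vpc = _network(vpc_cidr)
    subnets = [_network(s) for s in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vpc):
            raise ValueError(f"subnet {s} is not inside VPC block {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"subnets {a} and {b} overlap")
    return {str(s): usable_addresses(str(s)) for s in subnets}


if __name__ == "__main__":
    # Constructed sample plan: one /16 VPC split into two /24s and one /25.
    plan = validate_subnet_plan("10.0.0.0/16", ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/25"])
    for subnet, usable in plan.items():
        print(f"{subnet}: {usable} usable, reserved {reserved_addresses(subnet)}")
```

The overlap check is deliberately pairwise rather than a sort-and-scan: a subnet plan rarely has more than a few dozen entries, and the quadratic loop makes the rule being enforced obvious to whoever reviews the design.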

4. Route Tables

A route table contains rules (routes) that direct network traffic from your subnet. Each route specifies a destination (CIDR block) and a target.

  • Every route table has a built-in local route for communication within the VPC. This route cannot be deleted.
  • Each subnet must be associated with exactly one route table.
  • The main route table controls routing for subnets not explicitly associated with another route table.

5. Gateways and Connectivity

Internet Gateway (IGW)

A scalable, redundant, and highly available VPC component that allows communication between your VPC and the internet. To make a subnet public, attach an IGW to the VPC and, in the subnet's route table, add a route for 0.0.0.0/0 targeting the IGW.

NAT Gateway

Enables instances in private subnets to connect to the internet or other AWS services while preventing the internet from initiating connections to those instances. A NAT gateway lives in a public subnet and requires an Elastic IP address.

IGW vs. NAT Gateway: IGW gives instances two-way internet access (public subnet). NAT Gateway gives instances one-way outbound internet access (private subnet). AWS recommends NAT gateways over NAT instances for managed availability and bandwidth.

VPC Endpoints

Privately connect your VPC to supported AWS services without requiring an IGW, NAT, VPN, or Direct Connect. Traffic stays on the Amazon network.

  • Interface endpoints: Powered by AWS PrivateLink. Charges apply for hourly usage and data processing.
  • Gateway endpoints: For Amazon S3 and DynamoDB. No additional charge. Standard data transfer and resource charges apply.

VPC Peering

A networking connection between two VPCs that routes traffic privately using private IP addresses. Works across accounts and across Regions.

Peering restrictions: IP address ranges cannot overlap. Transitive peering is not supported (A-B and B-C does not mean A-C). Only one peering connection can exist between the same two VPCs.
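The following Python is an added example (not code from the AWS Academy module) that ties together sections 4 and 5: route tables with their undeletable local route, the IGW and NAT gateway as default-route targets that make a subnet public or private, and peering routes. It models the lookup rule AWS actually applies, which is that the most specific matching route wins (longest prefix match), and it shows why peering is not transitive: VPC A's route table carries a route to VPC B over the peering connection, but nothing gives it a path to VPC C. The VPC CIDRs, target IDs (igw-PLACEHOLDER and the like) and function names are constructed placeholders, not real AWS identifiers.

```python
# Added example, not part of the AWS Academy module: a small model of AWS route-table lookup.
import ipaddress

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


class RouteTable:
    def __init__(self, vpc_cidr):
        self.vpc = ipaddress.ip_network(vpc_cidr)
        # Built-in local route: traffic inside the VPC stays inside the VPC.
        self.routes = {self.vpc: "local"}

    def add_route(self, destination, target):
        dest = ipaddress.ip_network(destination)
        if dest == self.vpc:
            raise ValueError("the local route cannot be replaced")
        self.routes[dest] = target

    def delete_route(self, destination):
        dest = ipaddress.ip_network(destination)
        if dest == self.vpc:
            raise ValueError("the local route cannot be deleted")
        del self.routes[dest]

    def lookup(self, ip):
        """Target for ip by longest prefix match, or None when no route matches (dropped)."""
        addr = ipaddress.ip_address(ip)
        matches = [dest for dest in self.routes if addr in dest]
        if not matches:
            return None
        most_specific = max(matches, key=lambda dest: dest.prefixlen)
        return self.routes[most_specific]

    def subnet_type(self):
        """Public when 0.0.0.0/0 goes to an IGW, private when it goes to NAT, else isolated."""
        target = self.routes.get(DEFAULT_ROUTE)
        if target is None:
            return "isolated"
        return "public" if target.startswith("igw-") else "private"


def build_example():
    """Constructed scenario: VPC A is 10.0.0.0/16, peered only with VPC B (10.1.0.0/16).

    VPC C (10.2.0.0/16) is peered with B but not with A, so A never gets a route to it.
    """
    public = RouteTable("10.0.0.0/16")
    public.add_route("0.0.0.0/0", "igw-PLACEHOLDER")       # two-way internet access

    private = RouteTable("10.0.0.0/16")
    private.add_route("0.0.0.0/0", "nat-PLACEHOLDER")      # outbound-only internet access
    private.add_route("10.1.0.0/16", "pcx-PLACEHOLDER")    # private path to VPC B

    peered_only = RouteTable("10.0.0.0/16")                # no default route at all
    peered_only.add_route("10.1.0.0/16", "pcx-PLACEHOLDER")
    return public, private, peered_only


if __name__ == "__main__":
    public, private, peered_only = build_example()
    for ip in ("10.0.5.20", "10.1.0.9", "10.2.0.9", "198.51.100.7"):
        print(ip, "->", public.lookup(ip), "|", private.lookup(ip), "|", peered_only.lookup(ip))
```

Two details worth noticing when you run it: in the private table a packet for VPC C (10.2.0.9) falls through to the NAT default route rather than the peering connection, because no route covers 10.2.0.0/16, so it never reaches C privately; and in the table with no default route the same packet matches nothing and is simply dropped. Either way the only private path that exists is the one a direct peering route provides.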

AWS Transit Gateway

A hub-and-spoke model that connects VPCs, VPNs, and Direct Connect through a central gateway. Each network connects once to the transit gateway and is then available to every other connected network. Simplifies management when you have many VPCs.

6. Network Interfaces and Elastic IPs

  • Elastic network interface (ENI): A virtual network interface that can be attached/detached from instances. Attributes (private IP, MAC, security groups) follow the ENI when moved to a new instance.
  • Elastic IP address: A static, public IPv4 address designed for dynamic cloud computing. Can be remapped to another instance in the VPC to mask failure. Additional costs may apply when unused.

7. Quick Quiz

Test Your Understanding

Select one answer per question. You will receive immediate feedback.

1. A company needs to isolate its AWS resources in a private virtual network with full control over IP addressing, subnets, and routing. Which service should they use?
2. A subnet with CIDR block 10.0.0.0/24 has 256 total IP addresses. How many are available for use by AWS resources?
3. An application server in a private subnet needs to download security patches from the internet. The server must not be reachable from the internet. Which VPC component enables this?
4. An EC2 instance in a public subnet needs to be reachable from the internet via a static public IP that can be remapped to another instance on failure. What should be used?
5. Which rule must always exist in every route table and cannot be deleted?
6. A company has VPC A and VPC B connected via peering. VPC B is peered with VPC C. Can instances in VPC A communicate with instances in VPC C?
7. An application needs to access Amazon S3 privately without traffic going over the internet. Which VPC feature should be used and what is the charge?
8. A company has hundreds of VPCs and wants to simplify connectivity management using a hub-and-spoke model. Which service should they use?
Primary Source: AWS Academy Module 5: Networking and Content Delivery (module-5.txt).
Ask your teacher: If you confuse IGW vs. NAT Gateway, or want more clarity on route tables and peering rules, ask before continuing. The exam frequently tests subnet design and connectivity options.
Last updated: June 2026. © 2026 Shahriar Ahmed Shovon.