Skip to content

Amazon VPC

Amazon Virtual Private Cloud (VPC) Overview

  • Definition: Amazon Virtual Private Cloud (VPC) is a logically isolated virtual network in the AWS cloud where you can launch AWS resources, control network configurations, and secure connectivity. It provides a customizable private cloud environment.
  • Key Features:
    • Supports IPv4 and IPv6, customizable CIDR blocks, and subnets across Availability Zones (AZs).
    • Provides routing, security groups, network ACLs, and connectivity options (e.g., VPN, Direct Connect, Transit Gateway).
    • Integrates with AWS services (e.g., EC2, RDS, ELB, Lambda) and supports hybrid cloud networking.
    • Offers monitoring via VPC Flow Logs and CloudWatch, and advanced features like VPC Endpoints and peering.
  • Use Cases: Isolated application environments, multi-tier architectures, hybrid cloud integration, secure data processing, compliance-driven workloads.
  • Key Updates (2024–2025):
    • Enhanced VPC Flow Logs: Customizable fields and metadata (October 2024).
    • IPv6 Improvements: Simplified dual-stack configurations and endpoint support (March 2024).
    • VPC Lattice: Application-layer networking for microservices (January 2025).
    • FIPS 140-2 Compliance: Available for VPC endpoints in AWS GovCloud (October 2024).

1. VPC Core Concepts

Components

  • VPC:
    • A logically isolated network with a private CIDR block (e.g., 10.0.0.0/16).
    • Regional scope, spans multiple AZs, supports IPv4 and IPv6.
    • Explanation: E.g., VPC in us-east-1 with CIDR 172.31.0.0/16.
  • Subnet:
    • A segment of the VPC’s CIDR block, tied to a single AZ.
    • Types:
      • Public Subnet: Routes to an Internet Gateway (IGW) for public access.
      • Private Subnet: No direct internet access, uses NAT for outbound traffic.
    • Explanation: E.g., public subnet 172.31.1.0/24 in us-east-1a, private subnet 172.31.2.0/24 in us-east-1b.
  • Route Table:
    • Defines rules for routing traffic within the VPC and to external networks.
    • Each subnet is associated with one route table.
    • Explanation: E.g., route 0.0.0.0/0 to IGW for public subnet.
  • Internet Gateway (IGW):
    • Enables internet access for public subnets.
    • Attached to the VPC, highly available.
    • Explanation: E.g., IGW allows EC2 in public subnet to access internet.
  • NAT Gateway/NAT Instance:
    • Enables private subnets to access the internet (outbound) without exposing them to inbound traffic.
    • NAT Gateway: Managed, scalable; NAT Instance: EC2-based, customizable.
    • Explanation: E.g., NAT Gateway in public subnet for private EC2 outbound traffic.
  • Security Group:
    • Stateful firewall at the resource level (e.g., EC2, RDS).
    • Controls inbound/outbound traffic based on rules (e.g., allow port 80).
    • Explanation: E.g., security group allows SSH (port 22) from 203.0.113.0/24.
  • Network ACL (NACL):
    • Stateless firewall at the subnet level.
    • Controls traffic with numbered rules, applied to all resources in the subnet.
    • Explanation: E.g., NACL allows HTTP (port 80) to subnet, denies FTP.
  • VPC Endpoint:
    • Provides private access to AWS services (e.g., S3, DynamoDB) without internet.
    • Types:
      • Gateway Endpoint: Free, for S3 and DynamoDB (route table entry).
      • Interface Endpoint: Uses ENI for other services (e.g., ECS, powered by PrivateLink).
    • Explanation: E.g., gateway endpoint for S3 in private subnet.

Networking Concepts

  • CIDR Block:
    • Defines the IP address range for the VPC (e.g., 10.0.0.0/16, up to /16 max).
    • Supports secondary CIDRs and IPv6 (AWS-assigned or BYOIP).
    • Explanation: E.g., primary CIDR 10.0.0.0/16, secondary 10.1.0.0/16.
  • IPv6:
    • Supports dual-stack (IPv4+IPv6) or IPv6-only VPCs.
    • AWS provides /56 CIDR, subnets use /64.
    • Explanation: E.g., IPv6 subnet 2001:db8:1234:1a00::/64.
  • VPC Peering:
    • Connects two VPCs (same or different accounts/Regions) for private communication.
    • Non-transitive, requires route table updates.
    • Explanation: E.g., peer VPC A (10.0.0.0/16) to VPC B (172.31.0.0/16).
  • Transit Gateway:
    • Centralized hub for connecting multiple VPCs, VPNs, and Direct Connect.
    • Replaces complex VPC peering meshes.
    • Explanation: E.g., Transit Gateway connects 10 VPCs to on-premises VPN.

Key Notes:

  • Exam Relevance: Understand VPC, subnets, route tables, security groups, NACLs, and endpoints.
  • Mastery Tip: Compare VPC vs. Transit Gateway vs. VPC peering for connectivity.

2. VPC Performance Features

VPC optimizes isolated, high-performance networking.

High Throughput

  • Purpose: Support data-intensive workloads.
  • Features:
    • Supports up to 200 Gbps within VPC (e.g., EC2-to-EC2 traffic).
    • Integrates with high-bandwidth services (e.g., 100 Gbps Direct Connect, ELB).
  • Explanation: E.g., transfer 10 TB between EC2 instances in private subnet.
  • Exam Tip: Highlight throughput for large-scale apps.

Low Latency

  • Purpose: Fast resource communication.
  • Features:
    • Local traffic within VPC stays within AWS backbone.
    • Dual-stack IPv6 reduces NAT overhead for modern apps.
  • Explanation: E.g., low-latency API calls between EC2 and RDS in same VPC.
  • Exam Tip: Use private subnets for low-latency internal traffic.

Scalability

  • Purpose: Handle growing workloads.
  • Features:
    • Supports up to 200 subnets, 5 CIDR blocks, and thousands of resources.
    • Integrates with Transit Gateway for scaling to thousands of VPCs.
  • Explanation: E.g., scale VPC with secondary CIDR for new subnets.
  • Exam Tip: Use Transit Gateway for large-scale VPC networks.

IPv6 Support:

  • Purpose: Modernize networking.
  • Features:
    • Dual-stack simplifies IPv6 adoption (new 2024).
    • No NAT required for IPv6 traffic, reducing latency.
  • Explanation: E.g., IPv6-only subnet for IoT devices.
  • Exam Tip: Know dual-stack for modern apps.

Key Notes:

  • Performance: High throughput + low latency + scalability = robust networking.
  • Exam Tip: Emphasize VPC for isolated, high-performance apps.

3. VPC Resilience Features

Resilience ensures reliable networking.

Multi-AZ Deployment

  • Purpose: Survive AZ failures.
  • Features:
    • Subnets deployed across multiple AZs (e.g., us-east-1a, 1b).
    • Resources (e.g., EC2, RDS) distributed for high availability.
  • Explanation: E.g., ELB in public subnets across us-east-1a and 1b.
  • Exam Tip: Always use multiple AZs for HA.

Redundant Connectivity

  • Purpose: Avoid single points of failure.
  • Features:
    • Multiple NAT Gateways or VPN/Direct Connect attachments.
    • Transit Gateway with redundant VPNs for hybrid failover.
  • Explanation: E.g., two NAT Gateways in different AZs for private subnets.
  • Exam Tip: Configure redundant NAT or VPN for critical workloads.

Monitoring and Failover

  • Purpose: Detect and respond to issues.
  • Features:
    • VPC Flow Logs: Capture traffic metadata for analysis (enhanced 2024).
    • CloudWatch metrics: NetworkIn/Out, PacketLoss for resources.
    • Alarms for network issues or resource failures.
  • Explanation: E.g., alarm if Flow Log captures high packet drops.
  • Exam Tip: Use Flow Logs and CloudWatch for troubleshooting.

Disaster Recovery:

  • Purpose: Recover from Regional failures.
  • Features:
    • Cross-Region VPC peering or Transit Gateway peering for DR.
    • Route 53 failover to secondary Region.
  • Explanation: E.g., replicate RDS to us-west-2 via Transit Gateway.
  • Exam Tip: Use Transit Gateway for multi-Region DR.

Key Notes:

  • Resilience: Multi-AZ + redundant connectivity + Flow Logs = reliable VPC.
  • Exam Tip: Design HA with multi-AZ subnets and DR with Transit Gateway.

4. VPC Security Features

Security aligns with SAA-C03’s secure architecture focus.

Network Isolation

  • Purpose: Protect resources.
  • Features:
    • Logically isolated VPC with private CIDR.
    • Private subnets with no public IP or internet access.
  • Explanation: E.g., RDS in private subnet, inaccessible from internet.
  • Exam Tip: Use private subnets for sensitive workloads.

Access Control

  • Security Groups:
    • Stateful, resource-level firewall (e.g., allow HTTP from ELB).
    • Default: Allow outbound, deny inbound.
    • Explanation: E.g., allow port 3306 from EC2 to RDS.
  • Network ACLs:
    • Stateless, subnet-level firewall (e.g., allow HTTPS, deny SSH).
    • Default: Allow all, customizable rules.
    • Explanation: E.g., deny port 21 to private subnet.
  • IAM:
    • Controls VPC operations (e.g., ec2:CreateSubnet).
    • Example: {"Effect": "Allow", "Action": "ec2:CreateSubnet", "Resource": "arn:aws:ec2:us-east-1:123456789012:vpc/*"}.
  • VPC Endpoint Policies:
    • Restrict access to AWS services (e.g., specific S3 buckets).
    • Enhanced policies (2024) support fine-grained controls.
    • Explanation: E.g., allow s3:GetObject for my-bucket.
  • Exam Tip: Practice security group, NACL, and endpoint policy configs.

Encryption

  • In Transit:
    • Resources (e.g., EC2, RDS) use TLS for traffic.
    • VPN/Direct Connect with IPsec/MACsec for hybrid connectivity.
    • Explanation: E.g., IPsec VPN for encrypted on-premises traffic.
  • At Rest:
    • Not applicable (VPC is a network service).
    • Resources (e.g., EBS, S3) use KMS encryption.
    • Explanation: E.g., EBS volume encrypted with KMS.
  • Exam Tip: Use TLS and IPsec for secure traffic.

VPC Endpoints:

  • Purpose: Private AWS service access.
  • Features:
    • Gateway: Free for S3/DynamoDB, no internet.
    • Interface: PrivateLink for ECS, Lambda, etc., uses ENI.
  • Explanation: E.g., interface endpoint for ECS API in private subnet.
  • Exam Tip: Use endpoints for compliance-driven workloads.

Compliance

  • Certifications: HIPAA, PCI, SOC, ISO, GDPR, FIPS 140-2 (GovCloud).
  • Explanation: E.g., deploy VPC for HIPAA-compliant app.

Key Notes:

  • Security: Isolation + security groups + NACLs + endpoints = robust protection.
  • Exam Tip: Configure layered security with groups, NACLs, and endpoints.

5. VPC Cost Optimization

Cost efficiency is a key exam domain.

Pricing

  • VPC: Free to create and use.
  • Subnets/Route Tables/Security Groups/NACLs: Free.
  • Internet Gateway: Free.
  • NAT Gateway:
    • $0.045/hour (~$32.40/month) per gateway.
    • $0.045/GB processed.
  • VPC Endpoint:
    • Gateway: Free (S3, DynamoDB).
    • Interface: $0.01/hour per AZ (~$7.20/month), $0.01/GB processed.
  • Data Transfer:
    • Intra-VPC: Free.
    • Inter-AZ: $0.01/GB (in/out).
    • Internet DTO: $0.09/GB (US, EU).
  • Example:
    • VPC with 1 NAT Gateway, 1 interface endpoint (2 AZs), 1 TB processed/month:
      • NAT Gateway: $0.045 × 24 × 30 = $32.40/month.
      • NAT Data: 1,000 GB × $0.045 = $45/month.
      • Interface Endpoint: 2 × $0.01 × 24 × 30 = $14.40/month.
      • Endpoint Data: 1,000 GB × $0.01 = $10/month.
      • Total: $101.80/month (excl. DTO).
  • Free Tier: None.

Cost Strategies

  • Use Gateway Endpoints:
    • Free for S3/DynamoDB, no data processing charges.
    • Explanation: E.g., use gateway endpoint for S3 backups.
  • Optimize NAT Gateways:
    • Deploy one NAT Gateway per VPC, share across subnets.
    • Explanation: E.g., single NAT Gateway for 10 private subnets.
  • Minimize Interface Endpoints:
    • Reuse endpoints across resources where possible.
    • Explanation: E.g., single ECS endpoint for multiple EC2 instances.
  • Reduce Data Transfer:
    • Compress data to reduce GB processed.
    • Use private subnets to avoid DTO costs.
    • Explanation: E.g., compress API payloads for endpoint traffic.
  • Tagging:
    • Use cost allocation tags to track VPC-related costs.
    • Explanation: E.g., tag VPC with “Project:App”.
  • Monitor Usage:
    • Use VPC Flow Logs and CloudWatch to optimize data transfer.
    • Explanation: E.g., remove unused NAT Gateway if data processed is low.

Key Notes:

  • Cost Savings: Gateway endpoints + shared NAT + compression = lower costs.
  • Exam Tip: Calculate costs for NAT Gateways and interface endpoints.

6. VPC Advanced Features

VPC Peering:

  • Purpose: Connect VPCs.
  • Features:
    • Private communication between VPCs (same/different accounts/Regions).
    • Non-transitive, requires route table updates.
  • Explanation: E.g., peer VPC A to VPC B for EC2-to-RDS access.
  • Exam Tip: Use peering for small-scale VPC connectivity.

Transit Gateway:

  • Purpose: Scale VPC and hybrid networks.
  • Features:
    • Centralized hub for VPCs, VPNs, Direct Connect.
    • Supports route tables, BGP, and multicast.
  • Explanation: E.g., Transit Gateway connects 100 VPCs to on-premises.
  • Exam Tip: Prefer Transit Gateway for large networks.

VPC Lattice:

  • Purpose: Application-layer networking.
  • Features:
    • Simplifies microservices connectivity (e.g., ECS, Lambda).
    • Automatic service discovery and routing (new 2025).
  • Explanation: E.g., Lattice routes traffic between ECS services.
  • Exam Tip: Know Lattice for microservices.

VPC Flow Logs (Enhanced):

  • Purpose: Network visibility.
  • Features:
    • Captures traffic metadata (source, destination, protocol).
    • Customizable fields (e.g., VPC ID, subnet ID) (new 2024).
    • Stores in CloudWatch Logs or S3.
  • Explanation: E.g., log traffic to detect unauthorized access.
  • Exam Tip: Use Flow Logs for security and troubleshooting.

IPv6 Dual-Stack:

  • Purpose: Modern networking.
  • Features:
    • Simplified IPv6 setup, no NAT for IPv6 traffic.
    • Supports ELB, endpoints, and resources (new 2024).
  • Explanation: E.g., dual-stack VPC for IPv6 web app.
  • Exam Tip: Know IPv6 for modern apps.

Key Notes:

  • Flexibility: Peering + Transit Gateway + Lattice = versatile networking.
  • Exam Tip: Know Lattice and enhanced Flow Logs for advanced scenarios.

7. VPC Use Cases

Understand practical applications.

Multi-Tier Applications

  • Setup: Public/private subnets, ELB, RDS.
  • Features: Isolated tiers, secure internal communication.
  • Explanation: E.g., web tier in public subnet, app/DB in private.

Hybrid Cloud Connectivity

  • Setup: VPC with VPN/Direct Connect, Transit Gateway.
  • Features: Secure on-premises to AWS access.
  • Explanation: E.g., on-premises app accesses EC2 via VPN.

Microservices Architectures

  • Setup: VPC with VPC Lattice, ECS, Lambda.
  • Features: Application-layer routing, private connectivity.
  • Explanation: E.g., Lattice routes traffic between microservices.

Compliance-Driven Workloads

  • Setup: Private subnets, VPC endpoints, Flow Logs.
  • Features: No internet exposure, auditable traffic.
  • Explanation: E.g., HIPAA-compliant app with S3 endpoint.

8. VPC vs. Other Networking Services

Feature VPC Transit Gateway VPC Peering
Type Isolated Network Centralized Hub VPC-to-VPC
Workload App isolation, hybrid Multi-VPC, hybrid VPC-to-VPC
Scalability 200 subnets, 5 CIDRs 5,000 attachments Limited by peering count
Cost Free (except NAT, endpoints) $0.045/attach, $0.02/GB Free (data transfer)
Use Case App environments Enterprise networks Small VPC networks

Explanation:

  • VPC: Isolated network for resources, customizable.
  • Transit Gateway: Centralized hub for large-scale VPC/hybrid networks.
  • VPC Peering: Direct VPC-to-VPC connectivity, limited scalability.

9. Detailed Explanations for Mastery

  • VPC Lattice:
    • Example: Route traffic between ECS and Lambda services.
    • Why It Matters: Microservices networking—new for 2025.
  • Enhanced Flow Logs:
    • Example: Log VPC ID and subnet ID for traffic analysis.
    • Why It Matters: Improved visibility—new for 2024.
  • IPv6 Dual-Stack:
    • Example: Deploy dual-stack VPC for IPv6 web app.
    • Why It Matters: Modern networking—common scenario.

10. Quick Reference Table

Feature Purpose Key Detail Exam Relevance
VPC Isolated network CIDR block, Regional scope Core Concept
Subnet Network segment Public/private, tied to AZ Core Concept
Route Table Traffic routing Routes to IGW, NAT, endpoints Core Concept
Security Group Resource firewall Stateful, inbound/outbound rules Security
Network ACL Subnet firewall Stateless, numbered rules Security
VPC Endpoint Private AWS access Gateway (S3), Interface (PrivateLink) Security, Performance
VPC Lattice Microservices networking Application-layer routing (2025) Flexibility
Flow Logs Network visibility Customizable metadata (2024) Resilience, Security