[AWS Architect] (3) VPC Basics

AWS Physical Networking

VPC Basics

Virtual Private Cloud (VPC)

  • A VPC is an isolated virtual network inside the AWS cloud that resembles a traditional data center network.
  • A VPC belongs to one region and spans all Availability Zones (AZs) in that region.
    • This is the foundation of high-availability and fault-tolerant architecture.
    • A VPC is divided into subnets.
    • A subnet lives in a single AZ and cannot span multiple AZs.

VPC Features

  • EC2 instances are launched into a subnet.
  • A custom CIDR (Classless Inter-Domain Routing) block is assigned to each subnet.
  • Routing between subnets (and to gateways) is configured via route tables.
  • An Internet Gateway provides a route to the internet for resources launched inside the VPC.
  • A VPN (Virtual Private Network) connection terminating on a VPG (Virtual Private Gateway) extends an on-premises network into the VPC.
  • VPC provides layered security:
    • Security Group: instance-level, stateful
    • Network ACL (Access Control List): subnet-level, stateless

Private (Internal) IP Addresses

  • A private IPv4 address range (CIDR block) is required for the VPC and for each subnet.
  • Allowed CIDR block sizes (VPC and subnet):
    • Largest: /16 (65,536 addresses)
    • Smallest: /28 (16 addresses)
  • In every subnet AWS reserves 5 addresses (the first 4 and the last), so a /28 yields only 11 usable addresses.
  • Subnet IP ranges must lie inside the VPC block and cannot overlap each other.
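The sizing rules above are easy to get wrong by hand (the /28 floor, the five reserved addresses, and overlap between subnets). The following is an added example, not code from the original post: a small planner that enforces those rules with the Python standard library. The VPC and subnet CIDRs in `__main__` and in the comments are constructed inputs, and the per-AZ layout it carves is one common pattern, not the only one.

```python
"""Added example (not code from the original post): plan subnets inside a VPC
CIDR and apply the sizing rules described above.

Rules encoded here: VPC and subnet blocks must be between /16 and /28, every
subnet must lie inside the VPC block, subnets must not overlap, and AWS
reserves the first four and the last address of each subnet. Only the
standard library is used; the CIDR values in __main__ are constructed inputs.
"""
import ipaddress
from itertools import islice

# AWS reserves 5 addresses per subnet: network, VPC router, DNS, future use, broadcast
AWS_RESERVED_PER_SUBNET = 5


def check_block(cidr: str) -> ipaddress.IPv4Network:
    """Parse a CIDR and enforce the /16 .. /28 size window (strict: no host bits set)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not isinstance(net, ipaddress.IPv4Network):
        raise ValueError(f"{cidr}: only IPv4 blocks are handled here")
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC/subnet prefix must be between /16 and /28")
    return net


def reserved_addresses(subnet_cidr: str) -> list[str]:
    """The five addresses AWS withholds in a subnet: the first four and the last."""
    net = check_block(subnet_cidr)
    return [str(net[i]) for i in range(4)] + [str(net[-1])]


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses you can actually assign to network interfaces in this subnet."""
    return check_block(subnet_cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, subnet_cidrs: list[str]) -> dict[str, int]:
    """Validate a subnet layout against its VPC block; return {subnet: usable hosts}."""
    vpc = check_block(vpc_cidr)
    nets = [check_block(c) for c in subnet_cidrs]
    for n in nets:
        if not n.subnet_of(vpc):
            raise ValueError(f"{n} is not inside VPC block {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"subnet {a} overlaps subnet {b}")
    return {str(n): n.num_addresses - AWS_RESERVED_PER_SUBNET for n in nets}


def carve_subnets(vpc_cidr: str, new_prefix: int, count: int) -> list[str]:
    """Carve `count` equal, non-overlapping /new_prefix subnets from the front of the
    VPC block (e.g. one per AZ); raises if the block is too small or the prefix is out of range."""
    vpc = check_block(vpc_cidr)
    if not vpc.prefixlen < new_prefix <= 28:
        raise ValueError(f"new prefix /{new_prefix} must be longer than /{vpc.prefixlen} and at most /28")
    carved = [str(n) for n in islice(vpc.subnets(new_prefix=new_prefix), count)]
    if len(carved) < count:
        raise ValueError(f"{vpc} cannot hold {count} /{new_prefix} subnets")
    return carved


if __name__ == "__main__":
    # Constructed example: a 10.0.0.0/16 VPC with one /20 per AZ across three AZs
    azs = ["us-east-1a", "us-east-1b", "us-east-1c"]
    layout = carve_subnets("10.0.0.0/16", 20, len(azs))
    for az, cidr in zip(azs, layout):
        print(f"{az}: {cidr} usable={usable_hosts(cidr)} reserved={reserved_addresses(cidr)}")
    print(plan_subnets("10.0.0.0/16", layout))
```

`ipaddress.ip_network(..., strict=True)` rejects a block with host bits set (for example `10.0.1.5/24`), which is the same check the AWS console performs when you type a subnet CIDR; `subnet_of` and `overlaps` do the containment and overlap checks the post describes.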

Public (External) IP Addresses

  • Whether an instance receives a public IP is decided at launch (per-instance setting, or the subnet's auto-assign default).
  • Assigned by AWS: drawn from an AWS IP pool; the address changes when the instance is stopped and started again.
  • Elastic IP: pre-allocated and stays assigned until you release it; use it for a long-lived instance or when a static IP is required by scripts or remote allow-lists.

Default VPC

  • The default VPC is an easy way to get a complete network environment, but its defaults are permissive.
  • It is preconfigured with all required networking/security in each region:
    • A /16 CIDR block
    • One /20 public subnet (4,096 addresses) in each AZ, with public IP auto-assignment enabled
    • All subnets are attached to an Internet Gateway (IGW).
    • The main route table sends all IPv4 traffic (0.0.0.0/0) to the Internet Gateway.
    • The default Security Group has the following rules:
      • Inbound: allow all traffic from instances in the same security group
      • Outbound: allow all traffic
    • The default NACL allows all inbound and outbound traffic.
    • A DHCP options set is automatically associated.

Custom VPC

  • You create the subnets, allocate IP ranges, attach an Internet Gateway, and set up security groups and NACLs yourself.
  • Best practice is not to run workloads in the default VPC; create a custom VPC instead.
  • When a custom VPC is created, the following components are created with it:
    • main route table: contains only the local route (no internet route)
    • default network access control list (NACL): allows all inbound and outbound traffic
    • default security group: allows inbound traffic from itself (members of the same security group) and all outbound traffic
    • An Internet Gateway is NOT created; nothing in the VPC is reachable from the internet until you attach one and add a route to it.
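The practical difference between the two sections above is visible in the route tables: the default VPC's main table already carries a 0.0.0.0/0 route to an IGW and its subnets auto-assign public IPs, while a fresh custom VPC's main table is local-only until you add a gateway. The following is an added example, not code from the original post: it classifies subnets as internet-facing from the shape of `aws ec2 describe-vpcs`, `describe-subnets` and `describe-route-tables` output. The three dicts are constructed to mirror that output; every `vpc-`, `subnet-`, `igw-` and `rtb-` identifier is made up, and in practice you would load the real JSON (or boto3 responses) into the same functions.

```python
"""Added example (not code from the original post): classify subnets as
internet-facing from describe-vpcs / describe-subnets / describe-route-tables
output and flag the default-VPC posture described above.

The three dicts below are constructed to mirror the shape of that CLI/boto3
output; all resource identifiers are made up.
"""

VPCS = {"Vpcs": [
    {"VpcId": "vpc-0default", "CidrBlock": "172.31.0.0/16", "IsDefault": True},
    {"VpcId": "vpc-0custom", "CidrBlock": "10.0.0.0/16", "IsDefault": False},
]}

SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-0d1", "VpcId": "vpc-0default", "CidrBlock": "172.31.0.0/20",
     "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": True, "DefaultForAz": True},
    {"SubnetId": "subnet-0c1", "VpcId": "vpc-0custom", "CidrBlock": "10.0.0.0/24",
     "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": True, "DefaultForAz": False},
    {"SubnetId": "subnet-0c2", "VpcId": "vpc-0custom", "CidrBlock": "10.0.1.0/24",
     "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": False, "DefaultForAz": False},
]}

ROUTE_TABLES = {"RouteTables": [
    # Default VPC main table: 0.0.0.0/0 -> IGW, inherited by every subnet without an explicit association
    {"RouteTableId": "rtb-0dmain", "VpcId": "vpc-0default",
     "Routes": [{"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0d"}],
     "Associations": [{"Main": True, "RouteTableId": "rtb-0dmain"}]},
    # Custom VPC main table: local route only (what a fresh custom VPC gets)
    {"RouteTableId": "rtb-0cmain", "VpcId": "vpc-0custom",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
     "Associations": [{"Main": True, "RouteTableId": "rtb-0cmain"}]},
    # Custom VPC public table, explicitly associated with one subnet after an IGW was attached
    {"RouteTableId": "rtb-0cpub", "VpcId": "vpc-0custom",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0c"}],
     "Associations": [{"Main": False, "SubnetId": "subnet-0c1", "RouteTableId": "rtb-0cpub"}]},
]}


def effective_route_table(subnet, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables["RouteTables"]:
        if rt["VpcId"] != subnet["VpcId"]:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_internet_route(rt):
    """True if a default route (IPv4 0.0.0.0/0 or IPv6 ::/0) points at an Internet Gateway."""
    if rt is None:
        return False
    for r in rt.get("Routes", []):
        is_default = (r.get("DestinationCidrBlock") == "0.0.0.0/0"
                      or r.get("DestinationIpv6CidrBlock") == "::/0")
        if is_default and str(r.get("GatewayId", "")).startswith("igw-"):
            return True
    return False


def classify(vpcs, subnets, route_tables):
    """Return {subnet_id: {...}} describing each subnet's exposure."""
    default_vpcs = {v["VpcId"] for v in vpcs["Vpcs"] if v.get("IsDefault")}
    result = {}
    for s in subnets["Subnets"]:
        rt = effective_route_table(s, route_tables)
        result[s["SubnetId"]] = {
            "vpc": s["VpcId"],
            "in_default_vpc": s["VpcId"] in default_vpcs,
            "public_route": has_internet_route(rt),
            "auto_public_ip": bool(s.get("MapPublicIpOnLaunch")),
            "route_table": rt["RouteTableId"] if rt else None,
        }
    return result


def findings(vpcs, subnets, route_tables):
    """Warnings for subnets where a newly launched instance is reachable from the internet."""
    out = []
    for sid, info in classify(vpcs, subnets, route_tables).items():
        if info["public_route"] and info["auto_public_ip"]:
            where = "default VPC" if info["in_default_vpc"] else info["vpc"]
            out.append(f"{sid} ({where}): instances get a public IP and an IGW route at launch; "
                       "only the security group and NACL stand between them and the internet")
    return out


if __name__ == "__main__":
    for line in findings(VPCS, SUBNETS, ROUTE_TABLES):
        print(line)
```

The association lookup matters: a subnet with no explicit association silently inherits the main route table, which is exactly why every default-VPC subnet is public and why a custom VPC stays private until you both attach an IGW and associate a table that routes to it.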

VPC Limits

  • Up to 5 VPCs are allowed in each AWS region by default (this is a soft quota that can be raised on request).

  • Log in to AWS and go to the "EC2" service.
  • Check the Limits page for your region.
