AWS Fundamentals Tutorial
CHAPTER 09 Beginner

AWS VPC Networking Basics

Updated: May 15, 2026
30 min read

# CHAPTER 9: AWS VPC Networking Basics

1. Introduction

When you launched your first EC2 instance in Chapter 4, you did not have to wire an Ethernet cable or configure an IP subnet. AWS handled it automatically by placing your server into a "Default VPC." However, in a professional enterprise environment, you never use the default settings. You must build your own custom, highly secure virtual network from scratch. In this chapter, we explore the Amazon Virtual Private Cloud (VPC), diving into the networking fundamentals of Subnets, Route Tables, and Internet Gateways.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Define what a Virtual Private Cloud (VPC) is.
  • Understand IPv4 CIDR blocks (the numbering system of networks).
  • Differentiate between Public Subnets and Private Subnets.
  • Explain the role of an Internet Gateway (IGW).
  • Understand how Route Tables direct network traffic.

3. Beginner-Friendly Explanation

Imagine building a secure corporate office building.
  • The VPC: The entire physical building. You own the space, and you lock the front doors. No one gets in or out without permission.
  • Subnets: The individual rooms inside the building.
    • Public Subnet: The Lobby. It has a door leading out to the street. Anyone on the internet can walk in here. (This is where you put your Web Servers).
    • Private Subnet: The Vault in the basement. It has no doors leading outside. You can only access the Vault if you are already inside the Lobby. (This is where you put your Databases).
  • Internet Gateway (IGW): The actual front door connecting the Lobby to the public street.
  • Route Table: The security guard giving directions. "To get to the street, walk through the IGW."

4. What is a VPC?

An Amazon VPC (Virtual Private Cloud) is a logically isolated section of the AWS cloud where you launch your resources. It is your private, fenced-in network. When creating a VPC, you must define its size using a CIDR Block (Classless Inter-Domain Routing).
  • Example CIDR: 10.0.0.0/16.
  • The /16 means this block contains 65,536 private IP addresses (10.0.0.0 through 10.0.255.255) to carve into subnets for your servers. Note that AWS reserves five addresses in every subnet (network address, VPC router, DNS, one for future use, and broadcast), so slightly fewer are actually assignable.

5. Subnets (Dividing the VPC)

You cannot launch an EC2 instance directly into a VPC. You must slice the VPC into smaller networks called Subnets, and launch the server into a Subnet. Subnets are tied to specific Availability Zones (AZs). If your VPC spans multiple AZs for disaster recovery, you must create separate Subnets in each AZ.

*Example:*

  • VPC (10.0.0.0/16) spans all of N. Virginia.
  • Subnet A (10.0.1.0/24) is located inside AZ 1 (holds 256 IPs).
  • Subnet B (10.0.2.0/24) is located inside AZ 2 (holds 256 IPs).

6. Public vs. Private Subnets

A subnet is not inherently "public" or "private." It is defined entirely by its Route Table.
  • Internet Gateway (IGW): A virtual component attached to your VPC that allows communication with the outside internet.
  • Route Table: A set of rules that decides where traffic leaving a subnet is sent.
    • If a Subnet's Route Table has a rule pointing traffic 0.0.0.0/0 (the whole internet) to the Internet Gateway, that subnet becomes a Public Subnet.
    • If a Subnet does NOT have a route to the IGW, it is a Private Subnet. Servers here are given no public IPs and have no path to or from the internet, so an attacker on the internet cannot reach them directly.

7. Mini Project: Build a Custom VPC

Let's build the foundation of a professional 2-tier architecture.

Step-by-Step Tutorial:

  1. Open the AWS Console and search for VPC.
  2. Click Create VPC.
  3. Select VPC and more (AWS provides a visual builder for this).
  4. Name tag auto-generation: Type Production-VPC.
  5. IPv4 CIDR block: Leave as 10.0.0.0/16.
  6. Number of Availability Zones (AZs): Select 2 (for High Availability).
  7. Number of public subnets: Select 2.
  8. Number of private subnets: Select 2.
  9. NAT gateways ($): Select None (NAT Gateways cost money; we skip them for this conceptual lab).
  10. Look at the visual map on the right. Notice how the Public Subnets are wired to the Internet Gateway, while the Private Subnets are isolated!
  11. Click Create VPC.

*Result: You have just architected an enterprise-grade network. You can now launch Web Servers into the Public subnets and RDS Databases into the Private subnets, so the databases are never reachable directly from the public internet.*

8. Best Practices

  • Reserve IP Space: When defining CIDR blocks, leave room for growth. Do not create a VPC with a /24 (256 IPs) if you plan on launching hundreds of microservices. Use a /16 (65k IPs).
  • Multi-AZ Architecture: Never place all your subnets in a single Availability Zone. Always distribute your public and private subnets across at least two AZs to survive a data center outage.

9. Common Mistakes

  • Overlapping CIDR Blocks: If you plan on connecting two different VPCs together later (VPC Peering), or connecting your AWS VPC to your company's physical office network (AWS Direct Connect), their CIDR blocks MUST NOT overlap. (e.g., You cannot connect 10.0.0.0/16 to another 10.0.0.0/16). Always plan IP addresses carefully with network administrators.
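The CIDR sizing rule from section 4, the route-table rule from section 6 and the no-overlap rule above, turned into runnable checks with Python's standard `ipaddress` module. This is an added example, not code from the tutorial; the layout mirrors the Production-VPC lab, and gateway IDs such as `igw-EXAMPLE` are placeholders.

```python
from __future__ import annotations
import ipaddress

# AWS reserves five addresses per subnet: network, VPC router, DNS, future use, broadcast.
AWS_RESERVED_PER_SUBNET = 5


def block_size(cidr: str) -> int:
    """Total addresses in a CIDR block (a /16 gives 65,536)."""
    return ipaddress.ip_network(cidr).num_addresses


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses an EC2 instance can actually take in a subnet of this size."""
    return block_size(subnet_cidr) - AWS_RESERVED_PER_SUBNET


def validate_subnets(vpc_cidr: str, subnet_cidrs: list[str]) -> list[str]:
    """Report subnets that fall outside the VPC block or overlap each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = [f"{n} is not inside VPC {vpc}" for n in nets if not n.subnet_of(vpc)]
    for i, a in enumerate(nets):
        problems += [f"{a} overlaps {b}" for b in nets[i + 1:] if a.overlaps(b)]
    return problems


def classify_subnet(routes: list[tuple[str, str]]) -> str:
    """A subnet is public only if its route table sends 0.0.0.0/0 to an Internet
    Gateway (target igw-...). A NAT Gateway target keeps it private: outbound only."""
    for destination, target in routes:
        if ipaddress.ip_network(destination).prefixlen == 0 and target.startswith("igw-"):
            return "public"
    return "private"


def peering_conflict(cidr_a: str, cidr_b: str) -> bool:
    """Two VPCs cannot be peered (or joined to an office network) if their blocks overlap."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


if __name__ == "__main__":
    # Constructed layout mirroring the Production-VPC lab; igw-/nat- IDs are placeholders.
    vpc = "10.0.0.0/16"
    subnets = ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24"]
    public_rt = [(vpc, "local"), ("0.0.0.0/0", "igw-EXAMPLE")]
    private_rt = [(vpc, "local"), ("0.0.0.0/0", "nat-EXAMPLE")]
    print(block_size(vpc), "addresses in the VPC,", usable_hosts(subnets[0]), "usable per /24")
    print("layout problems:", validate_subnets(vpc, subnets) or "none")
    print("public table ->", classify_subnet(public_rt), "| NAT table ->", classify_subnet(private_rt))
    print("can peer 10.0.0.0/16 with itself?", not peering_conflict(vpc, "10.0.0.0/16"))
```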

10. Exercises

  1. Explain the architectural difference between a Public Subnet and a Private Subnet.
  2. If you launch an EC2 instance into a Private Subnet and install a web server, can a user on their laptop view the website? Why or why not?

11. MCQs with Answers

Question 1

Which AWS VPC component is explicitly required to allow instances in a Public Subnet to communicate with the outside internet?

Question 2

An architect creates a new VPC with the CIDR block 10.0.0.0/16. They then create a Subnet with the CIDR block 10.0.1.0/24. Where does this subnet physically reside?

12. Interview Questions

  • Q: Walk me through the required components to construct a fully functional Public Subnet from scratch inside a blank VPC. Mention the VPC, Subnet, Route Table, and Internet Gateway.
  • Q: A developer launches an EC2 instance into a Private Subnet to act as a backend worker. The script needs to download a software update from the public internet (e.g., running yum update). Because the subnet has no Internet Gateway, the request times out. Architecturally, how do you provide outbound internet access to a private instance without making it public? *(Hint: Look up NAT Gateways).*

13. FAQs

Q: What is a NAT Gateway? A: A NAT (Network Address Translation) Gateway sits in your Public Subnet. If a database in your Private Subnet needs to download a security patch from the internet, it sends the request to the NAT Gateway. The NAT Gateway fetches the patch and hands it back to the database. It allows *outbound* internet access for private servers, while strictly blocking any *inbound* connections from hackers.

14. Summary

In Chapter 9, we mastered the core networking wiring of AWS. We defined the Virtual Private Cloud (VPC) as our isolated network boundary. We utilized CIDR blocks to slice the VPC into Subnets locked to specific Availability Zones. Most importantly, we grasped the mechanics of network routing, utilizing Route Tables and Internet Gateways (IGWs) to create distinct Public Subnets for web-facing traffic and secure Private Subnets for isolated database storage.

15. Next Chapter Recommendation

Our network is built, but it lacks specific firewall rules. Proceed to Chapter 10: AWS Security Groups and NACLs.
