Amazon VPC (Virtual Private Cloud)

Amazon VPC is the network layer of AWS — a logically isolated section of the AWS cloud where you launch resources into subnets of your own IP ranges. Every EC2, RDS, Lambda-VPC, EKS node, and most other services live in a VPC, making it the foundation of AWS network security and connectivity.

Core Building Blocks:

• VPC: Regional, with an IPv4 CIDR (e.g., 10.0.0.0/16) and optional IPv6 block.
• Subnet: An AZ-scoped slice of the VPC CIDR. Public subnets route to an Internet Gateway; private subnets don't.
• Internet Gateway (IGW): Horizontally-scaled, stateless device that enables internet access for resources with public IPs.
• NAT Gateway: Managed, AZ-local egress-only NAT for private subnets to reach the internet for patches, API calls, etc.
• Route Tables: Per-subnet rules that decide where traffic leaves the subnet — the IGW, a NAT, a VPN, a Transit Gateway, or a VPC peering.
• Security Groups: Stateful, instance-level firewalls. Allow-only rules by default deny everything.
• Network ACLs (NACLs): Stateless, subnet-level firewalls — use sparingly, usually as a broad-stroke deny layer.
• VPC Endpoints: Private connectivity to AWS services (Gateway endpoints for S3/DynamoDB, Interface endpoints via PrivateLink for everything else) so traffic stays off the public internet.

Connecting VPCs and On-Premises:

• VPC Peering: 1:1 private connection between two VPCs; non-transitive.
• Transit Gateway: Hub-and-spoke router connecting many VPCs, Direct Connect, and VPN in a single region — the standard for multi-VPC architectures.
• Site-to-Site VPN: IPsec tunnel to on-premises equipment over the internet.
• Direct Connect: Dedicated physical circuit (1/10/100 Gbps) to an AWS region for predictable throughput and lower cost at scale.
• PrivateLink: Expose a service in one VPC privately to consumers in other VPCs or accounts without peering.

Reference Design for Application VPCs:

• Three or four subnets per AZ: public (ALB, NAT), private-app (EC2/EKS/Fargate), private-data (RDS, ElastiCache), optional private-isolated (no internet at all).
• One NAT Gateway per AZ for availability and to avoid cross-AZ data-transfer cost.
• VPC Flow Logs to S3 or CloudWatch for auditing and incident response.
• Interface endpoints for STS, ECR, Secrets Manager, Systems Manager — reduces NAT traffic and eliminates a public-internet dependency.

Common Gotchas:

• Overlapping CIDR ranges break peering and Transit Gateway — plan address space across accounts up front (IPAM helps).
• NAT Gateway data-processing charges add up — prefer VPC endpoints for S3/DynamoDB.
• Lambda-in-VPC has a warm-pool model now, but still adds cold-start and ENI cost — only attach when it must reach VPC resources.
• Default security groups are permissive between attached resources — always create explicit SGs per role.