Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

2.1.1. VPC Design: CIDR, Subnets, Route Tables, Internet Gateways

VPC components (CIDR, subnets, route tables, Internet Gateways) provide the building blocks for an isolated, customizable virtual network, enabling precise control over network topology and traffic flow.

Scenario: You need to design a VPC for a multi-tier web application. It requires a specific CIDR range, separate public and private subnets across two Availability Zones, and precise control over internet access for each subnet.

The Amazon Virtual Private Cloud (VPC) is the fundamental networking service in AWS, allowing you to provision a logically isolated section of the AWS Cloud. Network specialists control its design and configuration.

Key VPC Design Components:
  • CIDR block: the private address range the VPC owns (for example 10.0.0.0/16). Choose it so it never overlaps another VPC or an on-premises network you will later need to peer or connect with.
  • Subnets: slices of the VPC CIDR, each bound to exactly one Availability Zone. A multi-tier design places at least one public and one private subnet in every AZ it uses.
  • Route tables: decide where traffic leaving a subnet goes. A subnet with no explicit association silently uses the VPC's main route table.
  • Internet Gateway (IGW): attached to the VPC once. A subnet is "public" only when its route table sends 0.0.0.0/0 to the IGW; a "private" subnet is simply one with no such route.

Practical Implementation: Creating a VPC with Public and Private Subnets via AWS CLI
#!/usr/bin/env bash
# Abort on the first failed command so no later step runs with an empty ID.
set -euo pipefail

# 1. Create the VPC
VPC_ID=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query Vpc.VpcId --output text)
echo "VPC ID: $VPC_ID"

# 2. Create a Public Subnet in us-east-1a
PUBLIC_SUBNET_ID=$(aws ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block 10.0.1.0/24 --availability-zone us-east-1a --query Subnet.SubnetId --output text)
echo "Public Subnet ID: $PUBLIC_SUBNET_ID"
# Instances launched here get a public IPv4 address automatically. Without this a
# "public" subnet has an internet route but nothing in it is reachable from outside.
aws ec2 modify-subnet-attribute --subnet-id "$PUBLIC_SUBNET_ID" --map-public-ip-on-launch

# 3. Create a Private Subnet in us-east-1a
#    (for the two-AZ design in the scenario, repeat steps 2 and 3 in us-east-1b
#    with 10.0.3.0/24 and 10.0.4.0/24)
PRIVATE_SUBNET_ID=$(aws ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block 10.0.2.0/24 --availability-zone us-east-1a --query Subnet.SubnetId --output text)
echo "Private Subnet ID: $PRIVATE_SUBNET_ID"

# 4. Create and Attach an Internet Gateway
IGW_ID=$(aws ec2 create-internet-gateway --query InternetGateway.InternetGatewayId --output text)
echo "Internet Gateway ID: $IGW_ID"
aws ec2 attach-internet-gateway --vpc-id "$VPC_ID" --internet-gateway-id "$IGW_ID"

# 5. Create a Route Table for the Public Subnet and add a default route to the IGW.
#    This route is what makes the subnet public.
PUBLIC_ROUTE_TABLE_ID=$(aws ec2 create-route-table --vpc-id "$VPC_ID" --query RouteTable.RouteTableId --output text)
echo "Public Route Table ID: $PUBLIC_ROUTE_TABLE_ID"
aws ec2 create-route --route-table-id "$PUBLIC_ROUTE_TABLE_ID" --destination-cidr-block 0.0.0.0/0 --gateway-id "$IGW_ID"
aws ec2 associate-route-table --subnet-id "$PUBLIC_SUBNET_ID" --route-table-id "$PUBLIC_ROUTE_TABLE_ID"

# 6. Create a separate Route Table for the Private Subnet. Treat this as mandatory,
#    not optional: a subnet with no explicit association falls back to the VPC's
#    main route table, so the private subnet becomes public the moment anyone adds
#    a 0.0.0.0/0 -> IGW route there. An explicit table holding only the local route
#    keeps the subnet private whatever happens to the main table.
PRIVATE_ROUTE_TABLE_ID=$(aws ec2 create-route-table --vpc-id "$VPC_ID" --query RouteTable.RouteTableId --output text)
echo "Private Route Table ID: $PRIVATE_ROUTE_TABLE_ID"
aws ec2 associate-route-table --subnet-id "$PRIVATE_SUBNET_ID" --route-table-id "$PRIVATE_ROUTE_TABLE_ID"
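After the steps above, the question a reviewer actually needs answered is "which subnets are internet-facing right now?", and the answer is not in the subnet names but in the effective route table of each subnet, including the implicit fall-back to the main table. The following is an added example, not code from the original page: it evaluates the JSON that `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` return, so it can run offline against saved output. All resource IDs and the sample data are constructed for the example; the sample deliberately puts an IGW route in the main route table to show how a subnet that was never associated with anything becomes public.

```python
"""Audit which subnets in a VPC are actually internet-facing.

Added example, not part of the original page. It reads the JSON that
`aws ec2 describe-subnets` and `aws ec2 describe-route-tables` return, so it
runs offline against saved output. All resource IDs are constructed.
"""
import json

# Constructed sample: three subnets and three route tables in one VPC. The
# main route table has been given a default route to the IGW, which is the
# trap this check exists to catch.
SUBNETS_JSON = """{"Subnets": [
  {"SubnetId": "subnet-0aaa", "VpcId": "vpc-0123", "CidrBlock": "10.0.1.0/24",
   "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": true},
  {"SubnetId": "subnet-0bbb", "VpcId": "vpc-0123", "CidrBlock": "10.0.2.0/24",
   "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": false},
  {"SubnetId": "subnet-0ccc", "VpcId": "vpc-0123", "CidrBlock": "10.0.3.0/24",
   "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": false}
]}"""

ROUTE_TABLES_JSON = """{"RouteTables": [
  {"RouteTableId": "rtb-main", "VpcId": "vpc-0123",
   "Associations": [{"Main": true, "RouteTableId": "rtb-main"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}]},
  {"RouteTableId": "rtb-public", "VpcId": "vpc-0123",
   "Associations": [{"Main": false, "SubnetId": "subnet-0aaa", "RouteTableId": "rtb-public"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc", "State": "active"}]},
  {"RouteTableId": "rtb-private", "VpcId": "vpc-0123",
   "Associations": [{"Main": false, "SubnetId": "subnet-0ccc", "RouteTableId": "rtb-private"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def", "State": "active"}]}
]}"""


def load_sample():
    """Parse the constructed sample into the lists the API would return."""
    return (json.loads(SUBNETS_JSON)["Subnets"],
            json.loads(ROUTE_TABLES_JSON)["RouteTables"])


def effective_route_table(subnet_id, route_tables):
    """Route table that actually applies to a subnet: the explicitly
    associated one if any, otherwise the VPC's main route table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            if assoc.get("SubnetId") == subnet_id:
                return rt
    return main


def has_igw_default_route(route_table):
    """True if an active default route (IPv4 or IPv6) points at an Internet
    Gateway. NAT gateways and egress-only IGWs (eigw-) give outbound access
    only, so they do not count."""
    for route in route_table.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest not in ("0.0.0.0/0", "::/0"):
            continue
        if route.get("State", "active") != "active":
            continue
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return True
    return False


def classify_subnets(subnets, route_tables):
    """Map each subnet ID to its effective route table, whether it is
    internet-facing, and findings a reviewer should act on."""
    report = {}
    for subnet in subnets:
        sid = subnet["SubnetId"]
        rt = effective_route_table(sid, route_tables)
        explicit = any(a.get("SubnetId") == sid for a in rt.get("Associations", []))
        public = has_igw_default_route(rt)
        findings = []
        if public and not explicit:
            findings.append("internet-facing only because the main route table has an "
                            "IGW route; associate an explicit route table")
        if public and subnet.get("MapPublicIpOnLaunch"):
            findings.append("auto-assigns a public IPv4 address to every instance launched here")
        report[sid] = {"route_table": rt["RouteTableId"], "explicit_association": explicit,
                       "public": public, "findings": findings}
    return report


def main_route_table_has_igw_route(route_tables):
    """VPC-level check: a default route to an IGW in the main table silently
    exposes every subnet that was never explicitly associated."""
    for rt in route_tables:
        if any(a.get("Main") for a in rt.get("Associations", [])):
            return has_igw_default_route(rt)
    return False


if __name__ == "__main__":
    subnets, tables = load_sample()
    for sid, info in classify_subnets(subnets, tables).items():
        print(sid, "PUBLIC" if info["public"] else "private", info["route_table"], info["findings"])
    print("main route table has IGW route:", main_route_table_has_igw_route(tables))
```

Run against real output by replacing the two constructed strings with the files produced by `aws ec2 describe-subnets --output json` and `aws ec2 describe-route-tables --output json`. In the sample, subnet-0bbb was meant to be private but reports as public with no explicit association, which is exactly the failure step 6 above prevents.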

⚠️ Common Pitfall: Overlapping CIDR blocks between VPCs, or between a VPC and an on-premises network. Routing to the overlapping range is ambiguous, so VPC peering, VPN and Direct Connect cannot reach it, and fixing it after the fact means either NAT-based workarounds or re-IPing a live network. Plan non-overlapping ranges up front and leave room to grow.
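The overlap pitfall is cheap to catch before anything is created. The following is an added example, not code from the original page: it validates a proposed VPC CIDR and its subnets against each other and against the networks that must stay routable (peered VPCs, on-premises ranges), using only the Python standard library. The two plans at the bottom are constructed for the example; the first matches this section's scenario and the second contains the mistakes the checks catch.

```python
"""Validate a VPC address plan before anything is created.

Added example, not part of the original page. It checks a proposed VPC CIDR
and its subnets against each other and against networks that must stay
routable (peered VPCs, on-premises ranges). All ranges below are constructed.
"""
import ipaddress
from itertools import combinations

# AWS constraints encoded below: VPC and subnet CIDR blocks must be between
# /16 and /28, and AWS reserves the first four and the last address of every
# subnet, so a /28 leaves 11 usable addresses.
MIN_PREFIX, MAX_PREFIX = 16, 28
RESERVED_PER_SUBNET = 5


def _network(cidr, findings, label):
    """Parse strictly: host bits set in a prefix is a planning error to report."""
    try:
        return ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        findings.append(f"{label} {cidr}: {exc}")
        return None


def validate_plan(vpc_cidr, subnet_cidrs, existing_networks):
    """Return a list of findings; an empty list means the plan is clean."""
    findings = []
    vpc = _network(vpc_cidr, findings, "VPC")
    if vpc is None:
        return findings
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        findings.append(f"VPC {vpc} prefix /{vpc.prefixlen} is outside /16-/28")
    # Any overlap with a network you still need to reach makes the overlapping
    # range unroutable over peering, VPN or Direct Connect.
    for name, cidr in existing_networks.items():
        other = _network(cidr, findings, name)
        if other is not None and vpc.overlaps(other):
            findings.append(f"VPC {vpc} overlaps {name} ({other}); "
                            "traffic to that range cannot be routed")
    subnets = {}
    for name, cidr in subnet_cidrs.items():
        net = _network(cidr, findings, f"subnet {name}")
        if net is None:
            continue
        subnets[name] = net
        if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
            findings.append(f"subnet {name} {net} prefix /{net.prefixlen} is outside /16-/28")
        if not net.subnet_of(vpc):
            findings.append(f"subnet {name} {net} is not inside VPC {vpc}")
    for (a, na), (b, nb) in combinations(subnets.items(), 2):
        if na.overlaps(nb):
            findings.append(f"subnets {a} ({na}) and {b} ({nb}) overlap")
    return findings


def usable_hosts(cidr):
    """Addresses actually available for instances after AWS's five reserved ones."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - RESERVED_PER_SUBNET, 0)


# Constructed plans: the first matches the scenario and is clean, the second
# shows the three mistakes the checks catch (on-prem overlap, a subnet outside
# the VPC, and two subnets that overlap each other).
CLEAN_PLAN = dict(
    vpc_cidr="10.0.0.0/16",
    subnet_cidrs={"public-1a": "10.0.1.0/24", "private-1a": "10.0.2.0/24",
                  "public-1b": "10.0.3.0/24", "private-1b": "10.0.4.0/24"},
    existing_networks={"on-prem": "192.168.0.0/16", "shared-services-vpc": "172.16.0.0/16"},
)
BAD_PLAN = dict(
    vpc_cidr="10.0.0.0/16",
    subnet_cidrs={"public-1a": "10.0.1.0/24", "private-1a": "10.0.1.128/25",
                  "private-1b": "10.1.0.0/24"},
    existing_networks={"on-prem": "10.0.0.0/8"},
)

if __name__ == "__main__":
    for label, plan in (("clean", CLEAN_PLAN), ("bad", BAD_PLAN)):
        print(label, validate_plan(**plan) or ["no findings"])
    print("usable hosts in a /24:", usable_hosts("10.0.1.0/24"))
```

Feed it the ranges from your own IPAM or peering inventory in place of the constructed `existing_networks`; a non-empty result is a reason not to run the create-vpc command yet.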

Key Trade-Offs:
  • Public Accessibility vs. Security: Placing resources in a public subnet makes them reachable from the internet, which is what a load balancer or bastion needs but also what an attacker scans for; a public IP plus a permissive security group is all it takes. Private subnets keep instances unreachable from outside but need a NAT Gateway for outbound internet access, or VPC Endpoints to reach AWS services such as S3 without traversing the internet at all.

Reflection Question: How do VPC CIDR blocks, subnets (public/private), route tables, and Internet Gateways fundamentally provide the building blocks for an isolated, customizable virtual network, enabling precise control over network topology and traffic flow within your AWS environment?