Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

6.1. VPC Architecture and Connectivity

💡 First Principle: What happens when you launch an EC2 instance without understanding which subnet it's in and how the route table is configured? It either can't reach the internet when it should, or it's exposed to the internet when it shouldn't be. A VPC is your private network inside AWS — a logically isolated slice of the AWS network where you control the IP addressing, routing, and traffic flow. Think of it like a corporate office building: the VPC is the building, subnets are the floors, security groups are the door locks on each room, and the Internet Gateway is the front entrance. Without the Internet Gateway route, your public subnet is like a room labeled 'public' with no door to the outside — the label means nothing. Everything you put inside a VPC is isolated from every other VPC by default; you explicitly open connectivity where needed. This "default deny" model means you build connectivity intentionally, which is far safer than the "default allow" model of traditional networks.
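The "label means nothing" point is easy to check mechanically: a subnet is public only if the route table that actually governs it (its explicit association, or the VPC's main route table when there is none) carries an active 0.0.0.0/0 route whose target is an Internet Gateway. The script below is an added example written for this section, not part of the course material; it runs offline over constructed sample data shaped like the boto3 `describe_subnets` and `describe_route_tables` responses, and the subnet Name tags in the sample are deliberately misleading to show that routing, not naming, decides exposure.

```python
"""Classify VPC subnets by their effective internet reachability.

Added example, not part of the course text. SUBNETS and ROUTE_TABLES are
constructed sample data shaped like the boto3 EC2 describe_subnets and
describe_route_tables responses; no AWS API calls are made.
"""


def name_tag(resource):
    """Return the Name tag value of a subnet, or '' when it has none."""
    return next((t["Value"] for t in resource.get("Tags", []) if t["Key"] == "Name"), "")


# Constructed sample: one VPC with three subnets. subnet-0b is *named* public
# and auto-assigns public IPs, but has no explicit route table association,
# so it inherits the main table, which has no Internet Gateway route.
SUBNETS = [
    {"SubnetId": "subnet-0a", "VpcId": "vpc-01", "MapPublicIpOnLaunch": True,
     "Tags": [{"Key": "Name", "Value": "public-a"}]},
    {"SubnetId": "subnet-0b", "VpcId": "vpc-01", "MapPublicIpOnLaunch": True,
     "Tags": [{"Key": "Name", "Value": "public-b"}]},
    {"SubnetId": "subnet-0c", "VpcId": "vpc-01", "MapPublicIpOnLaunch": False,
     "Tags": [{"Key": "Name", "Value": "private-c"}]},
]

ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "VpcId": "vpc-01",
     "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-01",
     "Associations": [{"Main": False, "SubnetId": "subnet-0a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123", "State": "active"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-01",
     "Associations": [{"Main": False, "SubnetId": "subnet-0c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0456", "State": "active"}]},
]


def effective_route_table(subnet_id, vpc_id, route_tables):
    """Return the route table that governs a subnet: its explicit association
    wins; otherwise the VPC's main route table applies implicitly."""
    main = None
    for rtb in route_tables:
        if rtb["VpcId"] != vpc_id:
            continue
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def classify_subnet(subnet, route_tables):
    """'public'   -> active 0.0.0.0/0 route to an Internet Gateway (igw-*)
    'private'  -> active 0.0.0.0/0 route via a NAT Gateway (egress only)
    'isolated' -> no active default route at all"""
    rtb = effective_route_table(subnet["SubnetId"], subnet["VpcId"], route_tables)
    if rtb is None:
        return "isolated"
    for route in rtb.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId"):
            return "private"
    return "isolated"


def audit(subnets, route_tables):
    """Map each SubnetId to (classification, list of findings)."""
    report = {}
    for subnet in subnets:
        cls = classify_subnet(subnet, route_tables)
        findings = []
        if "public" in name_tag(subnet).lower() and cls != "public":
            findings.append("named public but has no active IGW default route")
        if cls == "public" and subnet.get("MapPublicIpOnLaunch"):
            findings.append("instances launched here receive public IPs")
        report[subnet["SubnetId"]] = (cls, findings)
    return report


if __name__ == "__main__":
    for subnet_id, (cls, findings) in audit(SUBNETS, ROUTE_TABLES).items():
        print(f"{subnet_id}: {cls}" + (f"  ({'; '.join(findings)})" if findings else ""))
```

To run this against a real account you would replace the two constants with the `Subnets` and `RouteTables` lists returned by boto3 (an assumption about how you would wire it up, not shown here); the classification logic itself does not change. Note that the check deliberately ignores `MapPublicIpOnLaunch` when deciding reachability: a public IP on an instance in an isolated subnet is unreachable, while the same setting on a genuinely public subnet is the finding worth reviewing.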

The exam tests VPC at multiple layers: the IP architecture (subnets, CIDR blocks), the traffic control layer (security groups, NACLs), and the connectivity layer (internet access, VPC endpoints, VPN, Transit Gateway). Each layer has distinct responsibilities and the exam distinguishes between them carefully.

Written by Alvin Varughese, Founder • 15 professional certifications