2.3.1. VPC Design and Connectivity (Subnets, Route Tables, NAT, Internet Gateway, Egress-Only IGW)
First Principle: A logically isolated virtual network (VPC) provides a secure and customizable foundation for launching AWS resources, enabling granular control over network topology, traffic routing, and security.
Scenario: You are tasked with setting up the foundational network for a new multi-tier application on AWS. You need to ensure that public-facing web servers are accessible from the internet, while backend application servers and databases remain strictly private, with controlled outbound internet access for updates.
The Virtual Private Cloud (VPC) is the foundational networking service in AWS, allowing you to define your own virtual network in isolation from other AWS customers. This section explores the core components of VPC design, including subnets (public and private), route tables, and the various gateways (Internet Gateway, NAT Gateway, Egress-Only Internet Gateway). Mastering these elements is essential for establishing secure network segmentation, controlling traffic flow, and ensuring proper connectivity for all your AWS resources.
- Subnets: Subdivisions of a VPC defined by CIDR blocks.
  - Public Subnet: Associated with a route table that has a route to an Internet Gateway (IGW), allowing inbound/outbound internet access. For public-facing resources (e.g., ALBs, web servers).
  - Private Subnet: Associated with a route table that does not have a route to an IGW. For internal resources (e.g., databases, application servers).
- Internet Gateway (IGW): A horizontally scaled, redundant, and highly available VPC component. Allows communication between your VPC and the internet for IPv4 traffic.
- NAT Gateway: A highly available, managed Network Address Translation service. Allows instances in private subnets to initiate outbound connections to the internet (e.g., for updates) while remaining isolated from inbound internet connections. Costs are based on throughput and hourly usage.
- Egress-Only Internet Gateway: For IPv6 traffic. Allows instances in private subnets to initiate outbound connections to the internet, but prevents inbound internet connections. Crucial for IPv6-only private subnets.
- Route Tables: Control where network traffic from a subnet or gateway is directed. Each subnet must be associated with a route table.
Practical Implementation: Creating a VPC with Public and Private Subnets via AWS CLI
# 1. Create the VPC
VPC_ID=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query Vpc.VpcId --output text)
# 2. Create a Public Subnet
PUBLIC_SUBNET_ID=$(aws ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block 10.0.1.0/24 --query Subnet.SubnetId --output text)
# 3. Create a Private Subnet
PRIVATE_SUBNET_ID=$(aws ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block 10.0.2.0/24 --query Subnet.SubnetId --output text)
# 4. Create and Attach an Internet Gateway
IGW_ID=$(aws ec2 create-internet-gateway --query InternetGateway.InternetGatewayId --output text)
aws ec2 attach-internet-gateway --vpc-id "$VPC_ID" --internet-gateway-id "$IGW_ID"
# 5. Create a Route Table for the Public Subnet and add a default route to the IGW
#    (the private subnet keeps the VPC main route table, which has no IGW route)
ROUTE_TABLE_ID=$(aws ec2 create-route-table --vpc-id "$VPC_ID" --query RouteTable.RouteTableId --output text)
aws ec2 create-route --route-table-id "$ROUTE_TABLE_ID" --destination-cidr-block 0.0.0.0/0 --gateway-id "$IGW_ID"
aws ec2 associate-route-table --subnet-id "$PUBLIC_SUBNET_ID" --route-table-id "$ROUTE_TABLE_ID"
Visual: VPC Public & Private Subnet Design
Common Pitfall: Placing a NAT Gateway in a private subnet. A NAT Gateway must be placed in a public subnet so that it has a route to the Internet Gateway, which it needs in order to function.
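As an added example (not part of the original text), the Python below turns the subnet definitions above and the NAT Gateway pitfall into an offline check: a subnet is public only if its effective route table sends 0.0.0.0/0 to an IGW, and a NAT Gateway is flagged when its subnet is not public. The route-table and NAT-gateway dicts are constructed in the shape of aws ec2 describe-route-tables and aws ec2 describe-nat-gateways output with placeholder IDs; in a real audit they would come from those calls.

```python
# Added example, not from the page: classify subnets as public or private from
# route-table data and flag the NAT-gateway-in-a-private-subnet pitfall. The data
# below is CONSTRUCTED in the shape of `aws ec2 describe-route-tables` and
# `describe-nat-gateways` output; IDs are placeholders, not real resources.

def egress_target(subnet_id, route_tables):
    """Target of the subnet's 0.0.0.0/0 route ('igw-...', 'nat-...') or None.
    An explicit subnet association wins; otherwise the VPC main table applies
    (every VPC has exactly one main route table)."""
    rt = next((t for t in route_tables
               if any(a.get("SubnetId") == subnet_id for a in t["Associations"])), None)
    rt = rt or next(t for t in route_tables if any(a.get("Main") for a in t["Associations"]))
    for route in rt["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None

def is_public(subnet_id, route_tables):
    """A subnet is public iff its default route points at an Internet Gateway."""
    target = egress_target(subnet_id, route_tables)
    return target is not None and target.startswith("igw-")

def audit(subnet_ids, route_tables, nat_gateways):
    """Flag private subnets with no egress path at all, and NAT gateways placed in
    a private subnet (no route to the IGW, so they cannot function)."""
    findings = [f"{sid}: private subnet with no default route (outbound updates fail)"
                for sid in subnet_ids if egress_target(sid, route_tables) is None]
    findings += [f"{ngw['NatGatewayId']}: NAT gateway in private subnet {ngw['SubnetId']}"
                 for ngw in nat_gateways if not is_public(ngw["SubnetId"], route_tables)]
    return findings

# Constructed sample: a public subnet, a private subnet routed via NAT, a subnet
# left on the main table (no egress), and a NAT gateway misplaced in the private subnet.
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}
ROUTE_TABLES = [
    {"Associations": [{"Main": True}], "Routes": [LOCAL]},
    {"Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
    {"Associations": [{"SubnetId": "subnet-private"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"}]},
]
SUBNETS = ["subnet-public", "subnet-private", "subnet-orphan"]
NAT_GATEWAYS = [{"NatGatewayId": "nat-EXAMPLE", "SubnetId": "subnet-private"}]

if __name__ == "__main__":
    for finding in audit(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS):
        print("FINDING:", finding)
```

Running it on the constructed sample reports two findings: the subnet left on the main table has no egress path, and the NAT Gateway sits in a subnet with no IGW route.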
Key Trade-Offs:
- Public Accessibility vs. Security: Placing resources in a public subnet makes them easily accessible but also exposes them to the internet. Private subnets enhance security but require a NAT Gateway or VPC Endpoint for outbound access.
Reflection Question: How would you use public and private subnets, along with an Internet Gateway and a NAT Gateway, to achieve this secure network segmentation and controlled internet access within your VPC for a multi-tier application? Explain the traffic flow for each tier.