Amazon VPC and the Building Blocks of AWS Networking 🧱

πŸ‘€ This is not properly displayed? Here is the online version! πŸ’‘


Hi Reader πŸ‘‹πŸ½

today's service of the week is Amazon Virtual Private Cloud, better known as VPC 🌀️.

What's Amazon VPC and why does it matter❓

πŸ₯œ In a nutshell: because it's a powerful tool that allows you to create private & secure virtual networks for your AWS resources. It provides isolation and protection, ensuring the confidentiality and integrity of your instances. πŸ”

In this issue, we'll explore:

  • important networking fundamentals
  • the concepts behind Amazon VPC and its
  • key features as well as
  • practical use cases of VPC

Let's dive in! 🌊


Basic Concepts of Networking

VPC offers the following components to effectively isolate and secure your instances and resources:

1. CIDR Blocks: Your Network Address Space πŸ“β€‹
Your VPC requires a range of IPv4 addresses that attached network interfaces can use. These ranges are defined as Classless Inter-Domain Routing (CIDR) blocks.

They consist of two sets of numbers. The Prefix - a binary representation of the address - and the Suffix - the total number of bits in the entire address.

2. Subnets: Slicing Your Network πŸ”ͺ
Public subnets are used for resources that require Internet access, while private subnets are used for resources that should not be directly accessible from the Internet.

3. Routing Tables: Directing Traffic πŸ”€
VPCs use routing tables that contain a set of rules, called routes, which determine where network traffic is directed. Each route has a destination IP range and a target, which can be a subnet, an Internet Gateway, or a Virtual Private Gateway.

4. NACLs: Network-Level Security πŸ”
NACLs act as a firewall for subnets, controlling inbound and outbound traffic. They allow or deny traffic based on defined rules.

5. Security Groups: Instance-Level Security πŸ”‘
Security Groups control inbound and outbound traffic at the instance level. They provide granular control over access to resources.

A Virtual Private Cloud 🌀️

Each VPC is created for a region and always spans across all availability zones. Each availability zone can contain subnets, which are another breakdown of your VPC.

Subnets cannot span multiple availability zones but only a single one. For redundancy and availability reasons, it is therefore recommended to have at least two subnets for a single region so that you can have resources in at least two availability zones.

Default VPCs and Default Subnet

Every AWS account created after the end of 2013 comes with a default VPC per region. Each of these default VPCs also has a public subnet in each availability zone, an internet gateway, and settings to enable DNS resolution.

Slicing Your Network into Isolated Parts via Subnets

Subnets allow you to further divide your network into smaller parts. The most important segregation is between public and private subnets:

  • πŸ”“ Public - for resources that need to be accessed from the internet.
  • πŸ” Private - for resources that only need to be accessed internally and, therefore, do not need or get a public IP address.

Resources in each subnet can be protected with multiple layers of security, such as their own Security Groups or Network Access Control Lists.

Some AWS services require you to launch instances into a private subnet, such as ElastiCache.

Adding Layers of Security with Network Access Control Lists and Security Groups

Depending on the type of resource and your requirements, it is necessary to further restrict access to and between your resources.

Common requirements include:

  • a resource should/should not have access to the Internet
  • a resource should be accessible by other resources in a different subnet
  • a resource should only have access to a specific IP range

You can achieve this using Security Groups (SGs) and Network Access Control Lists (NACLs).

Security Groups to Restrict Access to Individual Resources

Security Groups define and allow rules for your traffic - inbound or outbound. They enable traffic filtering based on protocols and port numbers.

Security groups operate on the instance level and are stateful. Stateful means that return traffic doesn’t need to be allowed explicitly.

Network Access Control Lists to Restrict Access for All Resources within a Subnet

Network Access Control Lists act as a firewall on the network level. They can hold one or multiple allow and/or deny rules which are ordered via priority numbers.

Evaluation starts with the lowest rule number, and the first match will be executed.

Each subnet must be assigned to a network ACL, and return traffic must be explicitly allowed, as NACLs are stateless.

Achieving Connectivity and Internet Access

To connect your VPC to the internet and enable internet access for your resources, you can utilize the following components:

1. Internet Gateway: Enabling Internet Access
An Internet Gateway allows traffic from public subnets to access and communicate with the Internet.

2. NAT Gateway: Private Subnet Internet Access
A NAT Gateway enables outbound internet traffic from private subnets while keeping resources hidden from the public internet.

Practical Use Cases

We've covered all the theories. But how can we put VPC into practice and where do we find it in the real world?

Let's explore a few prominent examples. πŸ—οΈ

1. Secure Multi-Tier Architectures

With VPC, you have the flexibility to construct multi-tier architectures that encompass both public-facing resources, such as load balancers and DNS servers, and private components like application servers and databases.

In this architecture, the application servers maintain a connection to the internet through the public subnets but are safeguarded against direct internet access.

They can only be reached through the load balancer in the public subnets. On the other hand, the databases are located in a dedicated private subnet without any outgoing internet access. Access to the databases is exclusively granted to the applications running in the separate private subnet, ensuring a secure and controlled environment for data storage and retrieval.

2. Fulfilling Regulatory Requirements

VPC allows companies to meet regulatory compliance requirements by implementing strict access controls.

Private subnets can be dedicated to storing and processing sensitive data, ensuring data privacy and protection.

Public subnets can host resources that don't handle sensitive information, creating a secure and compliant environment.

3. Hybrid Clouds

VPC supports connecting on-premises infrastructure to the cloud.

With a VPN or Direct Connect connection, you can establish secure communication between your VPC and on-premises resources.

This enables organizations to leverage the scalability and flexibility of the cloud while maintaining connectivity to their existing infrastructure.


Amazon VPC provides a robust framework for isolating and securing your instances and resources in the AWS cloud.

By leveraging subnets, NACLs, security groups, and connectivity components, you can design a secure network architecture. Whether you're building web applications, microservices, ensuring compliance, or integrating with on-premises infrastructure, VPC offers the necessary tools and flexibility to meet your specific requirements.


...Beyond AWS ⛅️ πŸ‘€

At our core, we value high-quality content and appreciate the work of talented creators.

Starting with this issue, we are thrilled to introduce a new addition to our newsletter lineup: a curated selection of exceptional newsletters.

We want to emphasize that our recommendations are driven solely by our genuine appreciation for these newsletters and the value they provide. We do not receive any commission or incentives for featuring them. Our aim is to share these gems with you, confident that you will also find them engaging and enriching. Keep an eye out for our star-rated recommendations! πŸ’Ž


This week's star is Milan Jovanović. He runs a weekly newsletter where he talks about best practices for .NET, Azure, and software architecture in general.

With one practical tip every week, it's always less than a 5-minute read.

A small excerpt from his recent issues:

If you're interested, you can join more than 24,000 other engineers here! πŸ”—


That's all for this time! βŒ›οΈ

See you in two weeks! πŸ‘‹

Tobi & Sandro

If you're interested in more, have a look at our
AWS Fundamentals blog πŸ“š


AWS for the Real World

Join our community of over 8,800 readers delving into AWS. We highlight real-world best practices through easy-to-understand visualizations and one-pagers. Expect a fresh newsletter edition every two weeks.

Read more from AWS for the Real World

Hey Reader First things first: we apologize for not providing updates on The CloudWatch Book for a while! 😒 Sometimes, things don't go as planned and unexpected obstacles arise. But now, we're back in action, creating videos and putting the final touches on the book's content! πŸŽ₯ Don't just take our word for it! As an early subscriber, here's a free video from one of our favorite chapters: Anomaly Detection πŸ› In this deep-dive, you'll learn how to detect unusual patterns in metrics without...

βŒ› Reading time: 11.5 minutes πŸŽ“ Main Learning: Host Web Applications on AWS with the CloudFront Hosting Toolkit πŸ‘¨πŸ½πŸ’» GitHub Code πŸ“ Blog Post Hey Reader πŸ‘‹πŸ½ Happy New Week! I (Sandro) will attend the Serverless Days in Milano next week where Jeremy Daley will hold the keynote. I look forward to meeting many of you and the overall AWS community. This week's newsletter is all about hosting your frontend on AWS. AWS launched a new way of deploying your frontend to it: The CloudFront Hosting Toolkit....

βŒ› Reading time: 7 minutes πŸŽ“ Main Learning: Visual Regression Testing with AWS CloudWatch Synthetics πŸ‘¨πŸ½πŸ’» GitHub Code πŸ“ Blog Post Hey Reader Keeping your website running smoothly is important.It's also important to keep an eye on its visual appearance and that it doesn't change due to an unwanted change. AWS CloudWatch Synthetic Canaries is a tool that helps you check on your websites (and APIs!) to make sure it’s working well and look as expected. In this newsletter, we’re going to show you...