
Amazon VPC: Your Private Cloud Network

Learn how Amazon VPC gives you an isolated virtual network in AWS — including subnets, gateways, NAT, and route tables.

20 min
Introductory

Learning outcomes

By the end of this lesson, you will be able to:

  1. Explain what an Amazon VPC is and why it exists.
  2. Distinguish between public and private subnets.
  3. Describe the role of an Internet Gateway (IGW) and a NAT Gateway.
  4. Explain how route tables direct traffic within a VPC.
  5. Sketch the standard two-tier VPC architecture used in most AWS deployments.

What is a VPC?

A Virtual Private Cloud (VPC) is a logically isolated section of the AWS cloud where you launch resources in a virtual network you define. Think of it as your own private data center inside AWS — except you don't manage any physical hardware.

Every AWS account comes with a default VPC in each Region, pre-configured so you can launch resources immediately. But in production, teams create custom VPCs with intentional network designs.

Note

A VPC lives entirely within one AWS Region but spans all Availability Zones in that Region. Subnets, however, live in a single AZ.


CIDR blocks — your IP address range

When you create a VPC, you assign it a CIDR block — a range of private IP addresses. For example, 10.0.0.0/16 gives you 65,536 IP addresses.

You don't need to calculate CIDR math for the CCP exam. Just know:

  • A shorter prefix length (like /16) means more IP addresses.
  • A longer prefix length (like /24) means fewer IP addresses (256).
  • The VPC's CIDR block is the pool from which all subnets draw their IPs.

Subnets: public vs private

A subnet is a subdivision of your VPC's IP range, placed in a single Availability Zone. Subnets come in two flavors:

Public subnets

A subnet is "public" when its route table has a route sending 0.0.0.0/0 (all internet-bound traffic) to an Internet Gateway. Resources here can have public IP addresses and communicate directly with the internet.

Use for: Web servers, load balancers, bastion hosts.

Private subnets

A subnet is "private" when it has no direct route to an Internet Gateway. Resources here cannot be reached from the internet.

Use for: Databases, application servers, internal microservices.

Tip

The subnet itself isn't marked "public" or "private" — it's the route table that makes the difference. A subnet with a route to an IGW is public; without one, it's private.


Internet Gateway (IGW)

An Internet Gateway is a horizontally scaled, redundant VPC component that allows communication between your VPC and the internet.

  • Attach one IGW per VPC.
  • Add a route in the subnet's route table: 0.0.0.0/0 → igw-xxxxxxxx.
  • Resources in that subnet need a public IP (or Elastic IP) to send and receive internet traffic.

Without an IGW, nothing in your VPC can reach the internet — and nothing on the internet can reach your VPC.


NAT Gateway

A NAT Gateway (Network Address Translation) lets resources in a private subnet access the internet for outbound requests — like downloading software updates or calling external APIs — without allowing inbound connections from the internet.

Key points:

  • Lives in a public subnet (it needs internet access itself).
  • Private subnet route table points 0.0.0.0/0 → nat-xxxxxxxx.
  • Traffic flows: Private instance → NAT Gateway → IGW → Internet.
  • One-way only: the internet cannot initiate connections back to private instances through the NAT Gateway.

Cost Safety

NAT Gateways are not free. You pay an hourly charge plus data processing fees. For cost-sensitive workloads, consider NAT instances (self-managed), or review whether outbound access is truly needed.


Route tables

A route table is a set of rules (routes) that determine where network traffic is directed. Every subnet must be associated with exactly one route table.

Destination     Target          Meaning
10.0.0.0/16     local           Traffic within the VPC stays local
0.0.0.0/0       igw-xxxxxxxx    Internet-bound traffic goes to the IGW
0.0.0.0/0       nat-xxxxxxxx    Internet-bound traffic goes through NAT (private subnet)

Note

The local route is always present and cannot be removed. It ensures that resources within your VPC can always communicate with each other.


Putting it all together

Here's the standard two-tier VPC architecture you'll see everywhere in AWS:

┌─────────────────────────────────────────────────┐
│  VPC (10.0.0.0/16)                              │
│                                                 │
│  ┌──────────────────┐   ┌──────────────────┐    │
│  │  Public Subnet   │   │  Public Subnet   │    │
│  │  (AZ-a)          │   │  (AZ-b)          │    │
│  │  Web Server      │   │  Web Server      │    │
│  │  NAT Gateway     │   │                  │    │
│  └────────┬─────────┘   └────────┬─────────┘    │
│           │                      │              │
│           ▼                      ▼              │
│  ┌──────────────────┐   ┌──────────────────┐    │
│  │  Private Subnet  │   │  Private Subnet  │    │
│  │  (AZ-a)          │   │  (AZ-b)          │    │
│  │  Database        │   │  Database        │    │
│  └──────────────────┘   └──────────────────┘    │
│                                                 │
│           ▲                                     │
│           │                                     │
│     Internet Gateway                            │
└─────────────────────────────────────────────────┘
            │
            ▼
        Internet

  • Web servers sit in public subnets with routes to the IGW.
  • Databases sit in private subnets with routes to a NAT Gateway (for outbound only).
  • Traffic between public and private subnets flows via the local route.
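The rules from the route table section and the two-tier layout above, turned into a small audit, added here as an example; it is not code from the lesson, and the subnet, route table and NAT gateway records are constructed (two faults are planted so the audit has something to report).

```python
import ipaddress

# Constructed sample data shaped after the two-tier layout above; not real AWS output.
# Planted faults: subnet-db-b uses the public route table, and the NAT gateway sits in a private subnet.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {  # subnet id -> CIDR block, associated route table, intended tier
    "subnet-web-a": {"cidr": "10.0.1.0/24",  "rtb": "rtb-public",  "tier": "public"},
    "subnet-db-a":  {"cidr": "10.0.11.0/24", "rtb": "rtb-private", "tier": "private"},
    "subnet-db-b":  {"cidr": "10.0.12.0/24", "rtb": "rtb-public",  "tier": "private"},
    "subnet-int-b": {"cidr": "10.0.20.0/24", "rtb": "rtb-main",    "tier": "private"},
}
ROUTE_TABLES = {  # route table id -> list of (destination, target); the local route is always present
    "rtb-public":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0aaa")],
    "rtb-private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0bbb")],
    "rtb-main":    [("10.0.0.0/16", "local")],
}
NAT_GATEWAYS = {"nat-0bbb": "subnet-db-a"}  # NAT gateway id -> subnet it was launched in

def address_count(cidr):
    """Addresses in a CIDR block: /16 -> 65536, /24 -> 256."""
    return ipaddress.ip_network(cidr).num_addresses

def classify(subnet_id, subnets, route_tables):
    """The tip above as code: only the default route decides a subnet's flavour."""
    for dest, target in route_tables[subnets[subnet_id]["rtb"]]:
        if dest == "0.0.0.0/0":
            if target.startswith("igw-"):
                return "public"
            if target.startswith("nat-"):
                return "private"      # outbound only, via the NAT gateway
    return "isolated"                 # local route only: no internet path at all

def audit(vpc_cidr, subnets, route_tables, nat_gateways):
    """Return findings; an empty list means the layout matches the two-tier design."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {sid: ipaddress.ip_network(s["cidr"]) for sid, s in subnets.items()}
    findings = []
    for sid, net in nets.items():
        if not net.subnet_of(vpc):
            findings.append(f"{sid}: {net} is not drawn from the VPC block {vpc}")
        for other, onet in nets.items():
            if sid < other and net.overlaps(onet):
                findings.append(f"{sid}: overlaps {other}")
        if subnets[sid]["tier"] == "private" and classify(sid, subnets, route_tables) == "public":
            findings.append(f"{sid}: meant to be private but its route table sends 0.0.0.0/0 to an IGW")
    for nat_id, home in nat_gateways.items():
        if classify(home, subnets, route_tables) != "public":
            findings.append(f"{nat_id}: lives in {home}, which is not public, so it cannot reach the IGW")
    return findings
```

Against real data you would feed the same three structures from the output of describe-subnets, describe-route-tables and describe-nat-gateways.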

VPC endpoints and PrivateLink

AWS PrivateLink provides private connectivity to AWS services and partner services without traversing the public internet. Traffic stays entirely within the AWS network.

Interface Endpoint (PrivateLink)

Elastic Network Interface in your VPC with private IP that routes to AWS services or SaaS offerings via PrivateLink

Gateway Endpoint

Free route-table-based endpoint for S3 and DynamoDB only - does NOT use PrivateLink

PrivateLink Service

Your own service or third-party SaaS made available to other VPCs privately

VPC Endpoint Types:

Endpoint Type                   Uses PrivateLink   Cost                         Services Supported
Gateway Endpoint                No                 Free                         Amazon S3, DynamoDB only
Interface Endpoint              Yes                Per-hour + data processing   Most AWS services, partner SaaS
Gateway Load Balancer Endpoint  Yes                Per-hour + data processing   Third-party security appliances
Resource Endpoint               Yes                Per-hour + data processing   VPC resources (databases, clusters)

When to use PrivateLink:

  • Compliance requirements prohibit public internet traversal
  • Accessing third-party SaaS through AWS Marketplace privately
  • Connecting VPCs across different accounts without peering
  • Hybrid scenarios requiring private access from on-premises via Direct Connect

Note

Gateway endpoints for S3 and DynamoDB are free and do not use PrivateLink. Interface endpoints for these services use PrivateLink and incur charges but offer additional functionality like private DNS.


Summary

Concept                   Purpose
VPC                       Isolated virtual network in one Region
Subnet                    Subdivision of a VPC in one AZ
Public subnet             Has a route to an Internet Gateway
Private subnet            No direct internet route
Internet Gateway          Enables two-way internet access for public subnets
NAT Gateway               Enables outbound-only internet access for private subnets
VPC Endpoints (Gateway)   Free private access to S3 and DynamoDB
PrivateLink (Interface)   Private access to AWS and partner services
Route table               Rules that direct traffic to the correct target

Knowledge Check


What makes a subnet 'public' in AWS?
