It manages how your applications are distributed across AWS servers and, more importantly, how network access works for their inbound and outbound connections.

The AWS Cloud is distributed in regions and availability zones (AZ) around the world. With VPC we can get access to this infrastructure, a logically isolated section, to control the virtual networking environment, including resource placement, connectivity, and security.


In the example above, network traffic is being shared between two VPCs in a single Region.

VPC Components

The VPC is made from the following services:

  • Public Subnets
  • Private Subnets
  • VPC Peering
  • Routing Tables
  • Internet Gateway (IGW)
  • Security Groups (SG)
  • Network Access Control Lists (NACLs)
  • NAT Gateway
  • VPC Endpoints

A simple schema with core components:

Default VPC

Each Amazon account comes with a default VPC that is pre-configured for you to start using immediately.

This is the diagram of a default VPC:

A VPC can span multiple availability zones in a region.

VPC Peering

Allows you to connect one VPC with another over a direct network route using private IP addresses.

Instances on peered VPCs behave as if they were on the same network.

Connect VPCs across the same or different AWS accounts and regions:

No Transitive Peering (peering must take place directly between VPCs) and no Overlapping CIDR Blocks.

Route tables

Route tables determine where network traffic is directed.

Each subnet in your VPC must be associated with a route table.

A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same route table.

Internet Gateway

The Internet Gateway allows your VPC access to the internet.

IGW does two things:

  1. Provide a target in your VPC route tables for internet-routable traffic.
  2. Perform network address translation (NAT) for instances that have been assigned public IPv4 addresses.

To route out to the internet you need to add in your route tables the internet gateway address and set the Destination to be

Security Groups

Acts as a virtual firewall at the instance level.

Security Groups are associated with EC2 instances.

Each Security Group contains a set of rules that filter traffic coming into (inbound) and out of (outbound) EC2 instances.

There are no ‘Deny’ rules: All traffic is blocked by default unless a rule specifically allows it.

Multiple Instances across multiple subnets can belong to a Security Group.

Use Cases

You can specify the source to be an IP range or a specific IP (/32 is a specific IP address).

You can specify the source to be another security group.

An instance can belong to multiple Security Groups, and rules are permissive (instead of restrictive). This means that if one security group has no Allow rule for some traffic and you add an Allow rule to another of the instance's groups, the traffic is allowed.


Network Access Control Lists (NACLs) act as a virtual firewall at the subnet level.

VPCs automatically get a default NACL. The Subnets are associated with NACLs. Subnets can only belong to a single NACL.

Each NACL contains a set of rules that can allow or deny traffic into (inbound) and out of (outbound) subnets.

Rule # determines the order of evaluation. From lowest to highest.

The highest rule # can be 32766 and it’s recommended to work in 10 or 100 increments.

You could block a single IP address (You can’t do this with Security Groups)
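The difference between the two firewalls, as an added example that is not part of the original page: a small Python model of inbound evaluation in which NACL rules are checked in ascending rule number and the first match wins, while security groups are allow-only and combined across every group attached to the instance. The rule tuples, the implicit final deny for unmatched NACL traffic, and the sample addresses (documentation ranges) are assumptions of this sketch; only inbound traffic on a single port is modelled.

```python
import ipaddress
from collections import namedtuple

NaclRule = namedtuple("NaclRule", "number cidr port action")  # action: "allow" or "deny"
SgRule = namedtuple("SgRule", "cidr port")                    # security groups can only allow

def matches(rule, src_ip, port):
    """True when the source address falls in the rule's CIDR and the port matches."""
    return rule.port == port and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr)

def nacl_decision(rules, src_ip, port):
    """Subnet level: lowest rule number first, first matching rule decides."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, src_ip, port):
            return rule.action
    return "deny"  # assumption of this model: unmatched traffic is denied

def sg_decision(groups, src_ip, port):
    """Instance level: allowed if any rule in any attached group matches."""
    for rules in groups:
        if any(matches(rule, src_ip, port) for rule in rules):
            return "allow"
    return "deny"  # blocked by default, there is no rule type to express a deny

def inbound(nacl_rules, groups, src_ip, port):
    """Traffic has to pass the subnet's NACL and then the instance's security groups."""
    if nacl_decision(nacl_rules, src_ip, port) == "deny":
        return "deny"
    return sg_decision(groups, src_ip, port)

# Constructed sample configuration.
NACL = [
    NaclRule(90, "203.0.113.7/32", 443, "deny"),   # block one address ...
    NaclRule(100, "0.0.0.0/0", 443, "allow"),      # ... before the general allow
]
NACL_WRONG_ORDER = [
    NaclRule(100, "0.0.0.0/0", 443, "allow"),
    NaclRule(110, "203.0.113.7/32", 443, "deny"),  # never reached: rule 100 matches first
]
SG_WEB = [SgRule("0.0.0.0/0", 443)]
SG_EMPTY = []                                      # a group with no allow rules

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.20"):
        print(ip, inbound(NACL, [SG_EMPTY, SG_WEB], ip, 443))
```

Leaving gaps between rule numbers (the 10 or 100 increments mentioned above) is what makes it possible to slot rule 90 in ahead of rule 100 later.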

Network Address Translation (NAT)

Network Address Translation (NAT) is the method of re-mapping one IP address space into another.

If you have a private network whose instances need outbound access to the internet, you would use a NAT gateway to re-map the private IPs.

If you have two networks that have conflicting network addresses, you can use a NAT to make the addresses more agreeable.


VPC endpoints

Think of a secret tunnel where you don’t have to leave the AWS network.

VPC Endpoints allow you to privately connect your VPC to other AWS services, and VPC endpoint services.


There are two types of VPC Endpoints:

  1. Interface Endpoints
  2. Gateway Endpoints

Eliminates the need for an Internet Gateway, NAT device, VPN connection, or AWS Direct Connect connections.

Instances in the VPC do not require a public IP address to communicate with service resources.

Traffic between your VPC and other services does not leave the AWS network.

Horizontally scaled, redundant, and highly available VPC component.

Allows secure communication between instances and services - without adding availability risks or bandwidth constraints on your traffic.

Interface endpoint

Interface Endpoints are Elastic Network Interfaces (ENI) with a private IP address.

They serve as an entry point for traffic going to a supported service.


Access services hosted on AWS easily and securely by keeping your network traffic within the AWS network.

Interface Endpoints support the following AWS Services:

  • API Gateway
  • CloudFormation
  • CloudWatch
  • Kinesis
  • SageMaker
  • CodeBuild
  • AWS Config
  • EC2 API
  • Secrets Manager
  • Security Token Service
  • Service Catalog
  • SNS
  • SQS
  • Systems Manager
  • Marketplace Partner Services
  • Endpoint Services in other AWS accounts

Gateway endpoint

A Gateway Endpoint is a gateway that is a target for a specific route in your route table, used for traffic destined for a supported AWS service.


To create a Gateway Endpoint, you must specify the VPC in which you want to create the endpoint, and the service to which you want to establish the connection.

AWS Gateway Endpoint currently only supports two services:

  • Amazon S3
  • DynamoDB

VPC Gateway Endpoints are free!


VPC Flow Logs

Allow you to capture IP traffic information in and out of Network Interfaces within your VPC.


You can create flow logs for network interfaces that are created by other AWS services, such as:

  • Elastic Load Balancing
  • Amazon RDS
  • Amazon ElastiCache
  • Amazon Redshift
  • Amazon WorkSpaces
  • NAT gateways
  • Transit gateways

All log data is stored using Amazon CloudWatch Logs or an S3 bucket.

After a Flow Log is created it can be viewed in detail within CloudWatch Logs.
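What a defender can do with the captured records, as an added example that is not part of the original page: a Python parser for flow log lines in the default record format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) that reports sources whose rejected flows touch several destination ports. The sample lines, account ID, interface ID and the three-port threshold are constructed for illustration.

```python
# Field order of the default flow log record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

def parse_record(line):
    """Return a dict for one default-format record, or None for lines that do not fit."""
    parts = line.split()
    if len(parts) != len(FIELDS) or parts[0] == "version":   # wrong shape or header row
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":       # NODATA / SKIPDATA records carry '-' placeholders
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec

def rejected_sources(lines, min_ports=3):
    """Sources with REJECT flows to at least min_ports distinct destination ports."""
    ports = {}
    for line in lines:
        rec = parse_record(line)
        if rec and rec["action"] == "REJECT":
            ports.setdefault(rec["srcaddr"], set()).add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

# Constructed sample records (documentation address ranges, placeholder IDs).
SAMPLE = """\
2 123456789012 eni-0123456789abcdef0 203.0.113.7 10.0.1.25 40112 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.7 10.0.1.25 40113 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.7 10.0.1.25 40114 5432 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.20 10.0.1.25 51000 443 6 12 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.30 10.0.1.25 51001 22 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0123456789abcdef0 - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()

if __name__ == "__main__":
    for src, dst_ports in rejected_sources(SAMPLE).items():
        print(f"{src} was rejected on ports {dst_ports}")
```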

Direct Connect

AWS solution for establishing dedicated network connections from on-premises locations to AWS.


Helps reduce network costs and increase bandwidth throughput. (great for high traffic networks).

Provides a more consistent network experience than a typical internet-based connection. (reliable and secure).

Very fast network: Lower Bandwidth (50M-500M) or Higher Bandwidth (1GB or 10GB).