
AWS VPC Deep Dive: Subnets, Route Tables, Internet Gateways, and NAT

How to design a secure, scalable AWS VPC with public and private subnets, route tables, internet gateways, NAT gateways, and security groups for the SAA-C03 exam.

Courseiva Study Hub

Reviewed by Johnson Ajibi, MSc IT Security

12+ years in network and security engineering · Founder, JTNetSolutions Limited & Courseiva


Introduction

A Virtual Private Cloud (VPC) is the foundational networking layer for AWS. For the SAA-C03 exam, you must understand how to design a VPC with public and private subnets, route tables, internet gateways (IGW), NAT gateways, and security groups. This post breaks down each component and provides exam-focused insights.

VPC and Subnets

A VPC is a logically isolated network within AWS. You define its IP address range using CIDR notation (e.g., 10.0.0.0/16). Subnets are subdivisions of the VPC CIDR block, each residing in a single Availability Zone (AZ).

  • Public subnet: Has a route to an Internet Gateway. Resources like web servers typically reside here.
  • Private subnet: No direct route to the internet. Databases or application servers go here.

Example: VPC CIDR 10.0.0.0/16, with two public subnets (10.0.1.0/24 in us-east-1a, 10.0.2.0/24 in us-east-1b) and two private subnets (10.0.3.0/24, 10.0.4.0/24).

Route Tables

Each subnet must be associated with a route table, which contains rules (routes) that determine where network traffic is directed. The most specific route (longest prefix match) wins.

  • Main route table: Default for subnets not explicitly associated.
  • Custom route tables: Create for public and private subnets.

Public route table:

  • Destination: 0.0.0.0/0 → Target: igw-xxxxxxxx (Internet Gateway)
  • Local route (10.0.0.0/16) is automatically added.

Private route table:

  • Destination: 0.0.0.0/0 → Target: nat-xxxxxxxx (NAT Gateway) for outbound internet access.
  • No direct internet route.

Internet Gateway (IGW)

An IGW is a horizontally scaled, redundant component that allows communication between your VPC and the internet. It serves two purposes:

  • Target for internet-bound traffic from public subnets.
  • Performs one-to-one NAT between an instance's private IPv4 address and its public (or Elastic) IPv4 address.

Key points:

  • Attach one IGW per VPC.
  • Instances must have a public IP (auto-assign or Elastic IP) to be reachable from the internet.
  • Security groups and network ACLs still apply.

NAT Gateway

A NAT Gateway enables instances in a private subnet to initiate outbound traffic to the internet (e.g., for software updates) while preventing inbound traffic from the internet. It is managed by AWS, scales automatically, and supports up to 45 Gbps.

Placement: Create in a public subnet with an Elastic IP. Update the private subnet’s route table to point 0.0.0.0/0 to the NAT Gateway.

Cost: Charged per hour and per GB of data processed. For high availability, deploy one NAT Gateway per AZ.

Alternatives: NAT Instance (EC2-based, less reliable) or VPC endpoints (for AWS services).

Security Groups vs. Network ACLs

Security Groups (SG): Stateful, operate at the instance (ENI) level. A new security group denies all inbound and allows all outbound traffic by default; you add allow rules for the traffic you need (e.g., HTTP on port 80 from 0.0.0.0/0). Because they are stateful, return traffic for an allowed connection is permitted automatically.

Network ACLs (NACL): Stateless, operate at the subnet level. The default NACL allows all inbound and outbound traffic. Rules are evaluated in ascending rule-number order and the first match applies; because they are stateless, return traffic must be explicitly allowed in the opposite direction.

Exam tip: Security groups are for instance-level control; NACLs are an additional layer for subnet-level control. Remember: SG is stateful, NACL is stateless.

Real Technical Example: Web App Architecture

Design a VPC for a web application with public web servers and private database servers.

  1. VPC: 10.0.0.0/16
  2. Subnets:
    • Public: 10.0.1.0/24 (AZ1), 10.0.2.0/24 (AZ2)
    • Private: 10.0.3.0/24 (AZ1), 10.0.4.0/24 (AZ2)
  3. IGW: Attach to VPC.
  4. Public route table: Associate public subnets, add route 0.0.0.0/0 → IGW.
  5. NAT Gateway: Launch in public subnet 10.0.1.0/24 with an Elastic IP.
  6. Private route table: Associate private subnets, add route 0.0.0.0/0 → NAT Gateway.
  7. Security Groups:
    • Web SG: Allow HTTP (80) and HTTPS (443) from 0.0.0.0/0.
    • DB SG: Allow MySQL (3306) from Web SG only.
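As an added example (not code from Courseiva or AWS), this Python model evaluates the design above: the longest-prefix-match lookup from the Route Tables section, and the stateful security group versus stateless NACL behaviour from the Security Groups vs. Network ACLs section, applied to one HTTP exchange against the web tier. The client address, ports and NACL rule numbers are constructed for illustration.

```python
import ipaddress

# Route tables from the design above; target ids are the page's placeholders.
PUBLIC_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-xxxxxxxx"}
PRIVATE_RT = {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-xxxxxxxx"}

def lookup(route_table, dst_ip):
    """Target of the most specific route containing dst_ip, or None (no route: packet dropped)."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(c), t) for c, t in route_table.items()
               if dst in ipaddress.ip_network(c)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

class SecurityGroup:
    """Stateful filter: a reply to a tracked flow passes without an explicit rule."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = set(inbound), set(outbound)
        self.flows = set()  # (peer_ip, peer_port, local_port) of allowed flows
    def packet(self, direction, peer_ip, peer_port, local_port):
        key = (peer_ip, peer_port, local_port)
        if key in self.flows:
            return True  # connection tracking: return traffic is always allowed
        rules = self.inbound if direction == "in" else self.outbound
        allowed = (local_port if direction == "in" else peer_port) in rules
        if allowed:
            self.flows.add(key)
        return allowed

class NetworkACL:
    """Stateless filter: each packet is matched against numbered rules, lowest first."""
    def __init__(self, rules):
        self.rules = sorted(rules)  # (number, direction, low_port, high_port, action)
    def packet(self, direction, peer_port, local_port):
        dst_port = local_port if direction == "in" else peer_port
        for _, d, low, high, action in self.rules:
            if d == direction and low <= dst_port <= high:
                return action == "allow"
        return False  # the implicit final deny rule (*)

# Constructed NACLs: the second adds the ephemeral-port rule the first forgets.
NACL_NAIVE = NetworkACL([(100, "in", 80, 80, "allow"), (100, "out", 443, 443, "allow")])
NACL_FIXED = NetworkACL(NACL_NAIVE.rules + [(110, "out", 1024, 65535, "allow")])

def http_exchange(nacl):
    """Request 203.0.113.10:51000 -> web:80 and its reply; returns (request_ok, reply_ok) per filter."""
    # Egress deliberately empty (the AWS default is allow-all) so connection tracking is visible.
    web_sg = SecurityGroup(inbound={80, 443}, outbound=set())
    sg = (web_sg.packet("in", "203.0.113.10", 51000, 80),
          web_sg.packet("out", "203.0.113.10", 51000, 80))
    return {"sg": sg, "nacl": (nacl.packet("in", 51000, 80), nacl.packet("out", 51000, 80))}
```

With NACL_NAIVE the HTTP request is admitted but the server's reply to the client's ephemeral port is dropped at the subnet boundary; NACL_FIXED is the rule set the exam expects you to add.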

Exam Tips

  • Default VPC: Comes with an IGW, a main route table, and public subnets. Instances get public IPs by default.
  • IPv6: Use Egress-Only Internet Gateway for private subnets (IPv6 equivalent of NAT).
  • NAT Gateway vs. NAT Instance: NAT Gateway is managed, scales, and is more reliable. NAT Instance is a single EC2, cheaper for low traffic, but requires management.
  • VPC Peering: Not transitive; you cannot route through a peered VPC to another.
  • Transit Gateway: For hub-and-spoke connectivity.
  • VPC Endpoints: Interface (powered by PrivateLink) or Gateway (S3, DynamoDB). Avoid NAT for AWS services.
  • Bastion Host: A jump box in a public subnet to SSH into private instances. Use Session Manager as a more secure alternative.

Conclusion

Mastering VPC design is critical for the SAA-C03 exam. Focus on understanding how subnets, route tables, IGWs, and NAT gateways interact. Practice by sketching architectures and configuring them in the AWS console or via CloudFormation. For more practice, check out our collection of SAA-C03 exam questions. Good luck!
