What Is VPC in Networking?
On This Page
What do you want to do?
Quick Definition
A VPC is like your own private network inside a public cloud. It gives you a safe, isolated space to run your virtual servers and other cloud services. You can decide which parts of your network are public-facing and which are private, and you control who can go in and out.
Common Commands & Configuration
aws ec2 create-vpc --cidr-block 10.0.0.0/16Creates a new VPC with a /16 CIDR block (65,536 IP addresses). Use this as the first step in building a custom network in AWS.
Tests ability to create a VPC with a valid CIDR range. Remember the minimum /28 and maximum /16.
aws ec2 create-subnet --vpc-id vpc-12345678 --cidr-block 10.0.1.0/24 --availability-zone us-east-1aCreates a subnet within a specific VPC and Availability Zone. Required for launching EC2 instances or other resources.
Subnets are AZ-specific and cannot span zones. You must specify an AZ. This is a common exam scenario.
aws ec2 create-internet-gateway && aws ec2 attach-internet-gateway --vpc-id vpc-12345678 --internet-gateway-id igw-12345678Creates and attaches an Internet Gateway to a VPC, enabling public internet access for resources in public subnets.
An IGW alone does not provide internet access; you must also add a route in the public subnet's route table pointing to the IGW.
aws ec2 create-nat-gateway --subnet-id subnet-12345678 --allocation-id eipalloc-12345678Creates a NAT Gateway in a public subnet with an Elastic IP. Used to provide internet access for instances in private subnets.
NAT Gateways are charged hourly and by data processed. They are highly available only within a single AZ unless you deploy one per AZ.
aws ec2 create-route --route-table-id rtb-12345678 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-12345678Adds a default route to a public subnet's route table pointing to an Internet Gateway. Allows instances in that subnet to communicate with the internet.
Remember: public subnets need a route to an IGW; private subnets need a route to a NAT Gateway for outbound traffic.
aws ec2 create-vpc-peering-connection --vpc-id vpc-11111111 --peer-vpc-id vpc-22222222 --peer-region us-west-2Creates a peering connection between two VPCs, potentially across regions. Requires acceptance and route updates in both VPCs.
VPC Peering is not transitive and does not support overlapping CIDR blocks. Exam questions often test these constraints.
aws ec2 create-network-acl --vpc-id vpc-12345678Creates a network ACL for a VPC. NACLs are stateless and support allow and deny rules. Often used for IP blocking at the subnet level.
NACLs process rules in order by rule number. An explicit deny rule can override an allow rule. This is a key exam concept.
VPC appears directly in 2,482exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA Security+. Practise them →
Must Know for Exams
VPC is a primary topic for AWS certifications, especially AWS Cloud Practitioner, AWS Solutions Architect Associate, AWS SysOps Administrator Associate, and AWS Developer Associate. For AWS Cloud Practitioner, you need to understand the basic purpose of a VPC, how it provides isolation, and the difference between public and private subnets. Expect questions about default VPCs, the fact that a VPC is regional, and high-level security features like security groups and NACLs. AWS Solutions Architect Associate dives much deeper: you must design multi-tier architectures using public and private subnets, configure route tables and NAT gateways, set up VPC peering and VPN connections, and choose between gateway and interface endpoints. Questions often present a scenario (e.g., 'A company needs to connect its on-premises data center to AWS securely with low latency and consistent bandwidth') and ask which service to use (Direct Connect vs. VPN). You also need to know about VPC endpoints for S3 and DynamoDB, and how to restrict access using bucket policies and endpoint policies. AWS SysOps Administrator Associate tests operational aspects like troubleshooting connectivity issues, interpreting VPC Flow Logs, and ensuring high availability by placing subnets across multiple Availability Zones. AWS Developer Associate focuses on how developers interact with VPCs: deploying Lambda functions inside a VPC for RDS access, using VPC endpoints for API calls, and understanding how security groups affect application behavior.
Microsoft Azure exams (AZ-900 Azure Fundamentals, AZ-104 Azure Administrator) test Azure Virtual Network (VNet) concepts, which are analogous to VPC. Expect questions on VNet peering, subnets, network security groups (NSGs), Azure Firewall, and Azure Bastion. Google Cloud certifications (Google Cloud Digital Leader, Associate Cloud Engineer, Professional Cloud Architect) cover Google Cloud VPC, which differs in being global and having different firewall rules. CCNA and Network+ exams touch on cloud networking fundamentals, including VPCs, but at a more conceptual level – you need to understand how cloud networking differs from on-premises networking.
Exam question patterns for VPC include: scenario-based questions asking you to choose the best architecture for a given requirement (e.g., 'You need to allow instances in a private subnet to download updates. What should you add?'), configuration questions (e.g., 'Which route would you add to a private subnet to allow internet access through a NAT gateway?'), and troubleshooting questions (e.g., 'Your EC2 instance in a public subnet cannot be accessed from the internet. What could be the issue?'). Security group and NACL rules are frequently tested: you may be asked to identify which rule allows or denies specific traffic, or to explain why a connection is failing. VPC peering and transitive routing are classic trap topics – remember that peering is not transitive.
Overall, VPC is a high-weight topic across multiple certifications. You should be prepared to design, implement, and troubleshoot VPC configurations, and understand how VPC integrates with other services like ELB, RDS, Lambda, and API Gateway.
Simple Meaning
Imagine you live in a big apartment building. The building itself is like the public cloud – it has many tenants, shared hallways, and a main entrance. Now, suppose you want to have your own private apartment where you can lock the door, control who comes in, and set up your own rooms. That private apartment is your VPC. Inside your VPC, you can create separate rooms (subnets) – some are open to guests (public subnets) and some are just for you and your family (private subnets). The front door of your apartment is like an internet gateway that lets you connect to the outside world. You also have a security guard (security group) and a doorman (network ACL) who check everyone trying to enter or leave. You can even set up a private hallway (VPN connection) that lets you walk from your apartment directly to your office building without going through the busy street. This is exactly what a VPC does in cloud computing: it gives you a private, customizable slice of the cloud network where you can safely run your applications. You decide the IP addresses, you decide which parts are public or private, and you decide the rules for traffic. Without a VPC, your cloud resources would be thrown into a shared space with everyone else, like living in a hostel instead of your own apartment. That is why VPCs are fundamental to cloud security and organization – they let you build your own digital home inside a much larger shared building.
VPCs are used by all major cloud providers. Amazon Web Services calls it Amazon VPC, Microsoft Azure calls it Virtual Network (VNet), and Google Cloud calls it Virtual Private Cloud (VPC). The core idea is the same across all of them. You get to create a network that feels as private and secure as a physical network you own, but it is actually running on the cloud provider's global infrastructure. This means you get the benefits of cloud computing (scalability, pay-as-you-go, global reach) without giving up control over your network environment. For example, you can host a web server in a public subnet so people on the internet can visit your website, but keep your database server in a private subnet where only your web server can reach it. This layered approach is a best practice in cloud architecture and is tested heavily in certification exams.
Think of your VPC as a gated community. The community has a main gate (internet gateway) that connects it to the outside world. Inside, there are different neighborhoods (subnets) – some are open to visitors (public subnets) and some are resident-only (private subnets). Each house (EC2 instance, virtual machine) has its own address (private IP) and can have a security system (security group). The community also has rules for who can enter and leave, enforced by a patrol (network ACL). If you want to connect your community to a neighboring city (your on-premises data center), you can build a private highway (VPN or Direct Connect) that bypasses the public roads. This is exactly how a VPC works – it gives you isolation, control, and connectivity in the cloud.
Full Technical Definition
A Virtual Private Cloud (VPC) is a software-defined network that runs on top of a public cloud provider's physical infrastructure. It provides logical isolation from other customers (tenants) while allowing the customer to define their own IP address space, subnets, route tables, network gateways, and security policies. In AWS, a VPC is regional and spans all Availability Zones (AZs) in that region. You can create up to 5 VPCs per region by default, but this is a soft limit and can be increased.
At its core, a VPC is defined by a CIDR block (Classless Inter-Domain Routing) – a range of IP addresses, such as 10.0.0.0/16. This CIDR block must be unique within the VPC and cannot overlap with other networks you plan to connect (like your on-premises network). Within the VPC, you create subnets, which are subdivisions of the CIDR block, each tied to a specific Availability Zone. Subnets can be public (have a route to an internet gateway) or private (no direct internet route). Each subnet has an associated route table that determines where traffic destined for a particular IP range should go.
Route tables are a fundamental component. Each subnet in a VPC must be associated with a route table (explicitly or via the main route table). Routes specify the target for traffic – for example, 0.0.0.0/0 (all internet traffic) going to an internet gateway (igw). For private subnets, there might be a route for 0.0.0.0/0 to a NAT gateway or a NAT instance, which allows outbound internet access (e.g., for software updates) but prevents inbound internet traffic.
Internet Gateways (IGW) are horizontally scaled, redundant, and highly available VPC components that allow communication between your VPC and the internet. An IGW serves two purposes: it provides a target in route tables for internet-routable traffic, and it performs network address translation (NAT) for instances with public IPs. Without an IGW, resources in a VPC cannot talk to the internet.
NAT Gateways / NAT Instances provide outbound-only internet access for instances in private subnets. A NAT gateway is a managed service that scales automatically and is highly available within an Availability Zone. You can place one NAT gateway in each AZ for fault tolerance. A NAT instance is an older, self-managed EC2 instance configured to perform NAT.
Security groups act as virtual firewalls at the instance level. They control inbound and outbound traffic based on rules you define. Security groups are stateful – if you allow inbound traffic on port 443, the outbound response is automatically allowed regardless of outbound rules. By default, security groups deny all inbound traffic and allow all outbound traffic.
Network Access Control Lists (NACLs) are stateless firewalls at the subnet level. They control traffic entering and leaving each subnet. NACLs support both allow and deny rules, and rules are evaluated in order by rule number (lowest to highest). Because NACLs are stateless, you must specify both inbound and outbound rules separately for traffic to flow correctly.
VPC Peering connects two VPCs (in the same or different accounts, same or different regions) using AWS's internal network. VPC peering is not a transitive relationship – if VPC A is peered with VPC B and VPC B is peered with VPC C, VPC A cannot talk to VPC C unless there is a direct peering connection. Route tables must be updated to enable traffic flow across peered VPCs.
VPC Endpoints allow you to privately connect your VPC to supported AWS services (like S3, DynamoDB) without using an internet gateway, NAT device, VPN, or AWS Direct Connect. There are two types: Gateway Endpoints (used for S3 and DynamoDB) and Interface Endpoints (powered by AWS PrivateLink, used for many other services). Gateway endpoints are free and are added as a route in your route table. Interface endpoints charge per hour and per GB of data processed.
VPN Connections and AWS Direct Connect allow you to connect your on-premises data center to your VPC securely over a private or encrypted connection. A VPN uses the public internet with IPsec encryption. Direct Connect uses dedicated, private fiber connections.
VPC Flow Logs capture information about IP traffic going to and from network interfaces in your VPC. Flow logs can be published to Amazon CloudWatch Logs or Amazon S3. They are invaluable for troubleshooting, security analysis, and compliance.
In Microsoft Azure, the equivalent service is called Azure Virtual Network (VNet). VNets are scoped to a region and can be segmented into subnets. Key differences include: Azure uses a different naming for resources (e.g., Azure Firewall instead of NACLs, Application Security Groups instead of security groups). Azure also has Azure Bastion for secure RDP/SSH access without public IPs.
In Google Cloud, the equivalent is also called VPC (Virtual Private Cloud). Google's VPC is global in scope, meaning subnets can be in any region and communicate freely. Google also uses firewall rules that are global, not per-subnet, and they are stateful. Google Cloud VPC has no explicit Internet Gateway concept – a default route with a next-hop of default-internet-gateway is automatically created.
Real-Life Example
Let’s imagine you are the manager of a large corporate office building. This building is the cloud. It has many companies (tenants) sharing the same physical space, but each company needs its own secure area. You decide to lease an entire floor – that floor is your VPC. You control who can enter that floor (security group), you divide the floor into different rooms (subnets) – a reception area open to visitors (public subnet) and internal offices (private subnets). The main entrance to the building is the internet gateway. Visitors from the street can come into the lobby (the public subnet) but cannot enter the internal offices unless you specifically allow them. Your employees working in the private offices need access to the internet to send emails and browse, but you don't want people from the internet to be able to reach them directly. So, you set up a dedicated employee exit (NAT gateway) that allows only outbound traffic. Now, your company also has a branch office in another city (on-premises data center). To connect the two securely without using the public street, you build a private tunnel (VPN) that connects your floor directly to your branch office. You also have a security camera system (VPC Flow Logs) that records everyone who enters or leaves your floor, so you can review for suspicious activity. This whole setup – your private floor, the rooms, the controlled entrances, the private tunnel – is exactly what a VPC does in the cloud. It gives you private, secure, and configurable network space inside a larger shared building.
Another analogy: think of a VPC as your own private gated community inside a large city. The city is the public cloud. Your community has its own street addresses (IP addresses), its own security gate (internet gateway), and internal roads (subnets). Some houses in the community are open for deliveries and visitors (public subnets), and others are hidden away for residents only (private subnets). The community also has a rule book (security groups and NACLs) that dictates who can enter each house and what they can do. If you want to connect your community to a neighboring city (another VPC or your on-premises network), you build a private highway (VPC peering or Direct Connect) that only your residents can use. This gated community gives you the privacy and control of owning your own land, without the cost of buying the entire city.
Why This Term Matters
VPCs are the foundation of cloud networking. Without a VPC, you cannot create a secure, isolated environment for your cloud resources. Every time you launch a virtual machine, a database, or a serverless function in a public cloud, it lives inside a VPC (or a default VPC if you don't explicitly create one). Understanding VPC design is critical for cloud architects, security engineers, and developers because misconfigurations can lead to data breaches, downtime, and runaway costs.
In practical IT contexts, VPCs enable you to implement a defense-in-depth strategy. You can place web servers in public subnets, application servers in private subnets, and databases in completely isolated subnets with no direct internet access. This layered approach minimizes the attack surface. VPCs also allow you to meet compliance requirements (like PCI-DSS or HIPAA) by keeping sensitive data within private subnets and controlling traffic with strict NACL rules and security groups.
For organizations with hybrid cloud architectures, VPCs are the anchor for connecting on-premises data centers to the cloud via VPN or Direct Connect. This allows you to extend your existing network into the cloud seamlessly, using the same IP addressing schemes and security policies. VPCs also enable multi-region deployments, disaster recovery, and network segmentation for different environments (development, staging, production).
Cost management is another reason VPCs matter. By designing your VPC with private subnets and NAT gateways, you can reduce data transfer costs and avoid exposing resources unnecessarily. VPC endpoints provide private connectivity to AWS services without incurring internet data transfer charges.
Finally, VPCs are central to many cloud certification exams. AWS certifications (Cloud Practitioner, Solutions Architect, SysOps, Developer) heavily test VPC concepts, as do Azure (AZ-104, Azure Fundamentals) and Google Cloud (ACE, PCA) exams. Even on-premises networking certifications like CCNA and Network+ touch on VPC concepts when discussing cloud networking.
How It Appears in Exam Questions
VPC questions appear in multiple formats across cloud certification exams. The most common pattern is scenario-based design questions. For example: 'A company wants to host a web application on AWS. The web servers must be accessible from the internet, but the database servers must be completely private. The database servers need to be updated regularly from the internet. Design a VPC architecture that meets these requirements.' The correct answer involves creating a VPC with two public subnets (for web servers in different AZs) and two private subnets (for databases), with an internet gateway attached to the public subnets and a NAT gateway in a public subnet for the private subnets to access the internet. You would also need to configure security groups to allow inbound HTTP/HTTPS traffic to the web servers and inbound database traffic only from the web servers' security group.
Another common pattern is configuration troubleshooting. Questions might describe a scenario where an EC2 instance in a public subnet has a public IP and a security group allowing HTTP traffic, but users still cannot access it. The possible causes could be: the subnet's route table does not have a route to an internet gateway, the NACL is blocking inbound HTTP traffic, the instance's OS firewall is blocking the port, or the security group outbound rules are restricting response traffic (though security groups are stateful, so this is less likely). The question asks you to identify the most likely cause.
VPC peering questions often test understanding of non-transitive routing. For instance: 'Company A has VPC A and VPC B peered. VPC B is also peered with VPC C. Can instances in VPC A communicate with instances in VPC C?' The answer is no, unless there is a direct peering connection between A and C. Another twist: 'You need to allow communication between VPCs that have overlapping CIDR blocks. What is the best solution?' This tests knowledge that VPC peering requires non-overlapping CIDRs, so you might need to use VPN or AWS Transit Gateway with network address translation.
VPC endpoints are another hot topic. A typical question: 'You have an EC2 instance in a private subnet that needs to access an S3 bucket. You want to avoid going over the internet. What should you do?' The correct answer is to create a gateway endpoint for S3 and add a route in the private subnet's route table pointing to the endpoint. You might also need to update the S3 bucket policy to allow access from the VPC endpoint.
Finally, Direct Connect and VPN questions: 'A company needs a consistent, low-latency connection between its on-premises data center and AWS. The company is transferring large amounts of data and wants to avoid internet bandwidth charges. Which solution should they use?' The answer is AWS Direct Connect. A related question might ask about the difference between a VPN (uses internet, encrypted) and Direct Connect (private dedicated line, more expensive, more reliable).
In Azure exams, similar scenarios appear but with Azure-specific services: e.g., 'You need to connect two VNets in different regions. What should you use?' Answer: VNet peering. 'You need to secure inbound traffic to a subnet. What should you use?' Answer: Network Security Group (NSG) or Azure Firewall. In Google Cloud exams, you might encounter questions about global VPC and shared VPC. For example: 'You need to connect two projects in Google Cloud so that they can share resources securely. What should you use?' Answer: Shared VPC or VPC Network Peering.
Practise VPC Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are the cloud architect for a new online bookstore. The application has three parts: a web server that shows books to customers, an application server that processes orders, and a database that stores book inventory and customer details. You need to design a VPC on AWS that hosts this application securely.
You create a VPC with the CIDR block 10.0.0.0/16. This gives you 65,536 IP addresses to work with. You decide to use two Availability Zones for high availability. In each AZ, you create two subnets: a public subnet (10.0.1.0/24 in AZ-A, 10.0.2.0/24 in AZ-B) and a private subnet (10.0.3.0/24 in AZ-A, 10.0.4.0/24 in AZ-B). You attach an internet gateway to the VPC and update the route tables for the public subnets to send 0.0.0.0/0 traffic to the internet gateway. For the private subnets, you create a NAT gateway in each public subnet and add a route in the private subnet route tables sending 0.0.0.0/0 to the respective NAT gateway.
Now, you launch two EC2 instances for your web servers in the public subnets (one in each AZ) with security groups allowing inbound HTTP (port 80) and HTTPS (port 443) from anywhere. You launch two application server EC2 instances in the private subnets, with a security group that allows inbound traffic only on port 8080 from the web server security group. You launch an RDS MySQL database in the private subnets (multi-AZ), with a security group that allows inbound traffic on port 3306 only from the application server security group.
This architecture ensures that customers can reach your website via the internet, but the application servers and database are locked down. The application servers can still download software updates through the NAT gateways. If a security flaw is discovered in the web server, the database remains protected because it is not directly accessible from the internet. This layered security is exactly what VPCs are designed to provide, and it is a classic exam scenario.
Common Mistakes
Thinking that a security group and a NACL are interchangeable and have the same behavior.
Security groups are stateful and operate at the instance level, while NACLs are stateless and operate at the subnet level. Their rule evaluation and behavior (e.g., allowing return traffic) are completely different.
Remember: Security groups = instance firewall, stateful, allow only. NACLs = subnet firewall, stateless, allow and deny, rules evaluated in order.
Assuming VPC peering allows transitive routing.
VPC peering is not transitive. If VPC A is peered with VPC B, and VPC B is peered with VPC C, traffic cannot flow from A to C through B. You need a separate peering connection between A and C or use a Transit Gateway.
Treat each peering connection as a direct one-to-one link. No pass-through.
Not updating route tables after adding an internet gateway or a NAT gateway.
Simply creating an internet gateway or NAT gateway does not automatically route traffic through it. You must add a route in the subnet's route table (0.0.0.0/0 -> igw for public subnets, 0.0.0.0/0 -> nat for private subnets).
After creating a gateway, always check and update the route tables for the associated subnets.
Placing a NAT gateway in a private subnet.
A NAT gateway needs to be in a public subnet (with a route to the internet gateway) so that it can access the internet. If placed in a private subnet, it cannot reach the internet and will not work.
Always launch NAT gateways in public subnets.
Forgetting that a default VPC exists and that public subnets in the default VPC automatically have a public IP assigned.
Many beginners think they need to manually create a VPC, but AWS provides a default VPC with a /16 CIDR, an internet gateway, and a default route. Instances launched in default subnets get public IPs by default. This can cause confusion if you are trying to understand custom VPC behavior.
Know the default VPC exists and its properties. When designing a custom VPC, remember to enable 'Auto-assign public IPv4 address' on the subnet if you want instances to get public IPs automatically.
Confusing a VPN connection with Direct Connect.
VPN uses the public internet with encryption and is less expensive but has variable performance. Direct Connect uses a dedicated private line, is more expensive, and provides consistent, lower latency. They are not interchangeable.
VPN for budget-friendly, encrypted connection over the internet. Direct Connect for performance-sensitive, high-throughput, private connectivity.
Exam Trap — Don't Get Fooled
{"trap":"A question describes a scenario where an EC2 instance in a public subnet has a public IP and a security group allowing SSH from 0.0.0.0/0, but the instance is unreachable.
The answer choices include 'the NACL is blocking SSH' and 'the subnet route table does not have a route to the internet gateway.'","why_learners_choose_it":"Learners often assume that a public IP and permissive security group are enough, forgetting that the subnet must also be explicitly associated with a route to an internet gateway. They also might not understand the two layers of security."
,"how_to_avoid_it":"Always verify all three layers for internet access: the instance must have a public IP, the subnet must have a route to an internet gateway, and the security group must allow inbound traffic. NACL must also allow it (by default NACLs allow all, but if customized, check rules). The most common missing component is the route table."
Commonly Confused With
A VPC is the entire private network. A subnet is a smaller section within a VPC, tied to a single Availability Zone. Subnets are used to segment the VPC for different purposes (public vs private) and for high availability across zones.
Think of a VPC as a building, and subnets are the floors. Each floor is in a specific location (AZ) and can have different access rules.
An internet gateway is a component of a VPC that enables communication with the internet. It is not a VPC itself. A VPC can have only one internet gateway, but it can have multiple subnets (public and private). The internet gateway is the door; the VPC is the house.
Your VPC is your house. The internet gateway is the front door that connects your house to the outside world.
A VPN connection securely connects your on-premises data center to your VPC over the internet. It is not a VPC, but a way to extend your VPC into your on-premises network. VPCs can also be connected by VPC peering or Direct Connect.
A VPN is like a secure tunnel from your office (on-premises) directly into your private house (VPC) without walking through the main street.
A security group is a virtual firewall for a single EC2 instance, controlling inbound and outbound traffic. It is a component within a VPC. A VPC can have many security groups, and multiple instances can use the same security group.
Your VPC is your house. A security group is like the lock on your bedroom door – it controls who can enter that specific room.
AWS Transit Gateway is a central hub that connects multiple VPCs and on-premises networks together. It is not a VPC itself, but a service that simplifies network architecture. A single VPC can be connected to a Transit Gateway, but the Transit Gateway itself is a separate resource.
If VPCs are houses, Transit Gateway is the central bus station that connects all houses and allows people to travel between them efficiently.
A VPC endpoint allows you to connect to AWS services privately without using the internet. It is a feature of a VPC, not a separate network. You can create endpoints for S3, DynamoDB, and other services.
A VPC endpoint is like a private door from your house directly into the grocery store (S3) so you don't have to walk down the public street.
Step-by-Step Breakdown
Plan your IP address space
Choose a CIDR block for your VPC. It should be large enough to accommodate all current and future subnets, and it must not overlap with any other network you plan to connect (like on-premises or other VPCs). Common choices are 10.0.0.0/16 or 172.16.0.0/16.
Create the VPC
In the cloud provider's console (e.g., AWS, Azure, GCP), create a new VPC. Specify the CIDR block. Optionally, enable DNS hostnames and DNS resolution. For AWS, the VPC is regional.
Create subnets
Divide the VPC CIDR into smaller subnets. Each subnet must be in a single Availability Zone. Create at least two subnets per AZ for high availability: one public and one private. Public subnets will have a route to the internet; private subnets will not.
Create and attach an Internet Gateway
An Internet Gateway (IGW) is a redundant, horizontally scaled component that enables communication between the VPC and the internet. Create an IGW and attach it to your VPC. A VPC can have only one IGW.
Configure route tables
Create a route table for public subnets and add a route for 0.0.0.0/0 pointing to the IGW. Associate this route table with your public subnets. For private subnets, create a different route table (initially with only the local route). Optionally, add a route for 0.0.0.0/0 pointing to a NAT gateway for outbound internet access.
Set up NAT gateway (if needed)
To allow instances in private subnets to access the internet (e.g., for updates), create a NAT gateway in a public subnet. Allocate an Elastic IP for it. Then, update the private subnet route table to send 0.0.0.0/0 to the NAT gateway.
Configure security groups and NACLs
Create security groups for your resources (e.g., web servers, app servers, databases). Specify inbound and outbound rules. Configure Network ACLs at the subnet level if you need stateless, numbered rule filtering. Remember: security groups are stateful, NACLs are stateless.
Launch resources
Now you can launch EC2 instances, RDS databases, Load Balancers, etc., into the appropriate subnets. Make sure to assign security groups and, for public subnets, enable auto-assign public IP if needed.
Test connectivity
Verify that instances in public subnets are reachable from the internet, that instances in private subnets can reach the internet (if NAT is configured), and that inter-subnet communication works as expected. Use tools like ping, traceroute, or curl from within instances.
Enable monitoring and logging
Turn on VPC Flow Logs to capture IP traffic information. This helps with troubleshooting and security auditing. Also consider enabling CloudTrail for API calls related to VPC configuration.
Practical Mini-Lesson
In practice, designing a VPC is one of the first steps in any cloud project. You rarely start with the default VPC for production workloads because you need fine-grained control over IP addressing, subnet placement, and security. Let's walk through a realistic scenario: deploying a three-tier web application with PCI-DSS compliance.
First, you plan your IP address space. You choose 10.0.0.0/16, which gives you 65,536 addresses. You reserve 10.0.0.0/20 for public subnets (16 subnets), 10.0.16.0/20 for private subnets (app tier), and 10.0.32.0/20 for isolated database subnets. Each of these /20s will be further subdivided into /24s per Availability Zone. You plan to use three AZs for high availability.
You create the VPC in the us-east-1 region. Then, you create six subnets: three public subnets (one per AZ), three private subnets for app servers (one per AZ), and three isolated subnets for databases (one per AZ). You remove the default local route and add routes: public subnets get a route to the internet gateway, private subnets get a route to a NAT gateway in the corresponding public subnet, and isolated subnets have no route to the internet (they only have the local route).
Next, you create security groups. The web server security group allows inbound HTTP/HTTPS from 0.0.0.0/0 and outbound HTTPS to the app server security group. The app server security group allows inbound TCP on the application port from the web server security group. The database security group allows inbound MySQL (port 3306) from the app server security group. You also create NACLs for each subnet tier. For public subnets, you allow inbound HTTP/HTTPS from the internet and deny all other inbound. For private subnets, you allow inbound from the public subnets on the app port, and outbound to the internet (for updates). For isolated subnets, you deny all inbound and outbound except for the VPC local traffic.
You then launch an Application Load Balancer in the public subnets, EC2 instances for web and app servers in the respective subnets, and an RDS MySQL Multi-AZ database in the isolated subnets. All resources are tagged for cost tracking and compliance.
What can go wrong? If you misconfigure the NACL for the private subnets, the app servers might not be able to reach the database. If you forget to add a route to the NAT gateway, the app servers won't be able to download security patches. If you use the same security group for web and app servers, you might accidentally expose the app servers to the internet. If you place the NAT gateway in a private subnet, it won't work. Flow logs help you diagnose these issues by showing dropped packets.
A professional tip: always use infrastructure-as-code tools like AWS CloudFormation or Terraform to define your VPC. This ensures consistency, repeatability, and version control for your network configuration. Also, consider using VPC endpoints for S3 and DynamoDB to keep traffic private and reduce costs.
Another common real-world practice is to use AWS Transit Gateway when you have many VPCs and need to connect them to each other and to on-premises networks. This simplifies routing and reduces the number of peering connections required.
Finally, keep in mind that VPCs are not free. NAT gateways cost per hour and per GB of data processed, VPC endpoints have hourly charges, and Direct Connect has monthly port fees. Always consider the cost implications of your design decisions.
practical VPC design requires careful planning of IP space, subnet layout, routing, security, and cost. Understanding these elements deeply is essential for any cloud professional, and it is directly tested in certification exams.
VPC Subnet Design and CIDR Planning
A Virtual Private Cloud (VPC) is the foundational networking construct in AWS, allowing you to provision a logically isolated section of the cloud where you can launch AWS resources. The first and most critical decision when creating a VPC is the IP address range, defined by a Classless Inter-Domain Routing (CIDR) block. This block must be large enough to accommodate all current and future subnets, and must not overlap with any other networks you intend to connect, such as on-premises data centers or other VPCs via peering.
AWS reserves the first four IP addresses and the last IP address in each subnet for networking purposes: for example, a subnet with CIDR 10.0.0.0/24 reserves 10.0.0.0 (network address), 10.
0.0.1 (VPC router), 10.0.0.2 (DNS server), 10.0.0.3 (future use), and 10.0.0.255 (broadcast). This means a /24 subnet provides 251 usable IP addresses, not 256. When designing subnets, best practice is to create at least two tiers: public subnets for resources that need direct internet access, such as load balancers or NAT gateways, and private subnets for application servers and databases.
Public subnets are associated with a route table that has a default route (0.0.0.0/0) pointing to an Internet Gateway (IGW), while private subnets route traffic through a NAT Gateway or NAT Instance for outbound internet access.
For high availability, you should deploy subnets across at least two Availability Zones (AZs) within the same AWS Region. Each subnet must reside entirely within one AZ and cannot span zones. This design ensures fault tolerance: if one AZ becomes unavailable, resources in the other AZ continue to operate.
CIDR planning must also consider the size of each subnet: a /24 subnet is typical for production workloads, while smaller subnets like /28 are suitable for isolated services or VPN connections. Avoid using RFC 1918 ranges that conflict with corporate networks; common choices are 10.0.
0.0/16, 172.16.0.0/16, or 192.168.0.0/16. AWS allows a VPC to have a primary CIDR block and up to four secondary CIDR blocks, enabling you to expand your network or connect to other networks without rearchitecting.
For exam scenarios, remember that the minimum CIDR block size for a VPC is /28 (16 IP addresses) and the maximum is /16 (65,536 IP addresses). You cannot change the primary CIDR after creation, but you can add secondary CIDRs. Subnets can be resized only by deleting and recreating them, but you can add new subnets in unused address space.
Understanding these constraints helps you design a scalable and resilient network architecture from the start.
Security Groups vs Network ACLs: Stateful vs Stateless Filters
AWS provides two layers of security for your VPC: Security Groups (SGs) and Network Access Control Lists (NACLs). Both control inbound and outbound traffic, but they operate at different levels and have fundamental differences in behavior that are heavily tested in AWS certification exams. Security Groups act as a virtual firewall for instances (ENIs), are stateful, and support allow rules only.
Stateful means if you allow inbound traffic on port 80, the outbound return traffic is automatically allowed, regardless of outbound rules. SGs default to deny all inbound traffic and allow all outbound traffic. You can create up to 60 inbound and 60 outbound rules per SG.
Rules are evaluated collectively: as long as any rule allows the traffic, it is permitted. SGs support source/destination by CIDR blocks, other security groups (great for layered architectures), or prefix lists. For example, you can allow inbound HTTP traffic from a load balancer by referencing that load balancer's SG ID.
This makes SGs ideal for micro-segmentation. Network ACLs, on the other hand, are stateless, operate at the subnet level, and support both allow and deny rules. Stateless means you must explicitly create rules for both inbound and outbound directions, including ephemeral port ranges for return traffic.
NACLs are processed in order by rule number, from lowest to highest, and the first matching rule determines the action (allow or deny). If no rule matches, the default deny rule at the end takes effect. Each NACL can have up to 20 inbound and 20 outbound rules by default (expandable to 40).
Because NACLs are stateless, they are often used for IP-level blocking, such as blocking a specific attacker IP address. For exam scenarios, remember: if you need to block a specific IP, use a NACL deny rule; SGs cannot deny traffic, only allow it. Also, SGs support five-tuple (protocol, source IP, source port, destination IP, destination port) but not explicit deny.
In practice, you should use SGs as the primary security mechanism for instance-level control, and NACLs as an additional layer of defense for the subnet, especially for blocking malicious traffic. A common exam question tests the stateful vs stateless distinction: if you see 'return traffic automatically allowed', that's a SG; if you need write both inbound and outbound rules, that's a NACL. Also, note that SGs can be referenced across accounts via VPC Peering, but NACLs cannot.
When troubleshooting connectivity issues, verify both layers: a missing SG rule or an incorrect NACL rule can cause timeouts (SG) or connection resets (NACL). Understanding these differences is critical for designing secure and compliant AWS networks.
VPC NAT Gateway Cost and High Availability Design
A NAT (Network Address Translation) Gateway is a managed AWS service that enables instances in a private subnet to connect to the internet or other AWS services, while preventing the internet from initiating connections to those instances. NAT Gateways are deployed in a specific Availability Zone (AZ) and are designed for high availability within that AZ, but they are not automatically fault-tolerant across AZs. To achieve full high availability, you must deploy a NAT Gateway in each AZ where you have private subnets, and configure your route tables accordingly.
For example, if you have private subnets in us-east-1a and us-east-1b, you need a NAT Gateway in each, and each private subnet's route table should point to its local NAT Gateway. This ensures that if one AZ goes down, traffic still flows through the NAT Gateway in the other AZ. Cost is a significant factor: each NAT Gateway incurs an hourly charge (approximately $0.
045 per hour, or about $32 per month) plus data processing charges ($0.045 per GB of data processed). This can add up quickly for high-traffic workloads. There are data transfer charges for traffic that goes through the NAT Gateway to the internet and then to other AWS services like S3 or DynamoDB.
A common cost-saving strategy is to use VPC Gateway Endpoints for S3 and DynamoDB instead of routing traffic through a NAT Gateway. Gateway Endpoints are free and use Amazon's internal network, avoiding NAT charges and improving performance. For exam scenarios, remember that NAT Gateways are not supported for IPv6 traffic: to allow outbound IPv6 traffic from a private subnet, you must use an Egress-Only Internet Gateway.
Also, NAT Gateways automatically scale up to 45 Gbps and handle port exhaustion automatically, unlike NAT Instances (which are EC2-based and require manual management). When configuring NAT Gateways, you must allocate an Elastic IP (EIP) to each one, and that EIP cannot be disassociated after attachment. A common troubleshooting scenario is connectivity failure from a private instance: check that the private subnet's route table has a default route (0.
0.0.0/0) pointing to the NAT Gateway, that the NAT Gateway's EIP is valid and not blocked, and that the Security Group and NACL of the NAT Gateway allow outbound traffic (port 80/443).
Also, verify that the public subnet where the NAT Gateway resides has a route to an Internet Gateway. In exams, look for questions about cost optimization: using a single NAT Gateway for multiple AZs is not highly available; using Gateway Endpoints reduces cost; NAT Instances are cheaper but require manual failover. Understanding these trade-offs helps you design cost-effective and resilient architectures.
VPC Peering vs Transit Gateway: Connecting VPCs
Connecting multiple VPCs is a common requirement for multi-account or multi-environment architectures. AWS offers two primary services for this: VPC Peering and Transit Gateway. VPC Peering is a one-to-one network connection between two VPCs that enables traffic routing using private IP addresses.
It is a simple, point-to-point connection that does not require a separate gateway or VPN. However, it has limitations: you cannot create transitive peering (if VPC A is peered with VPC B, and VPC B is peered with VPC C, VPC A cannot connect to VPC C through VPC B). Each peering connection must be explicitly established.
You cannot have overlapping CIDR blocks between peered VPCs, which can be a challenge in complex networks. VPC Peering is free (only data transfer charges apply) and can be used for intra-region or inter-region connections (inter-region peering incurs data transfer costs). It is best for simple, low-volume connections between a small number of VPCs.
Transit Gateway, on the other hand, is a hub-and-spoke architecture that acts as a central router for connecting multiple VPCs, on-premises networks (via VPN or Direct Connect), and even third-party services. It supports transitive routing, meaning traffic can flow from any connected VPC to any other connected VPC through the Transit Gateway. It also supports route tables that allow you to segment traffic (e.
g., production VPCs can talk to each other, but not to development VPCs). Transit Gateway is a managed service that scales to thousands of attachments and offers high bandwidth (up to 50 Gbps per attachment).
It supports both IPv4 and IPv6 and can be used for multicast traffic (with additional configuration). Cost: Transit Gateway charges per attachment (hourly) plus data processing fees (per GB). For large-scale, multi-VPC architectures, it is more cost-effective than a mesh of VPC peering connections.
Exam topics often compare these two: VPC Peering is simpler but limited (no transitive routing, no overlapping CIDRs). Transit Gateway is more powerful and scalable but costs more. A common exam question: 'Which service allows transitive routing between VPCs?'
Answer: Transit Gateway. Another: 'You need to connect 10 VPCs in a cost-effective way with minimal management overhead. Which service should you use?' Answer: Transit Gateway. Also, remember that you can combine both: use VPC Peering for a specific, high-bandwidth connection between two VPCs, and Transit Gateway for the rest.
When troubleshooting peering issues, ensure that the route tables in both VPCs have routes pointing to the peering connection, and that the Security Groups and NACLs allow the traffic. For Transit Gateway, verify that the VPC attachments are in the correct state (available) and that the route tables are properly configured. Understanding these architectural options is essential for designing scalable, secure, and cost-effective multi-VPC networks.
Troubleshooting Clues
EC2 instance in private subnet cannot reach internet
Symptom: ping or curl to external IP times out; instance has a private IP only.
The private subnet's route table likely lacks a default route (0.0.0.0/0) pointing to a NAT Gateway, or the NAT Gateway is not in a public subnet with an IGW route. Also, Security Groups or NACLs may block outbound traffic.
Exam clue: Exams test that private subnets require a NAT Gateway route. A missing route or incorrect NACL rule will block outbound connections.
Cannot SSH into public EC2 instance
Symptom: SSH connection times out; ping also fails.
The instance's Security Group likely does not allow inbound SSH (port 22) from your IP. Alternatively, the public subnet's route table may lack a route to an Internet Gateway, or the IGW is not attached to the VPC.
Exam clue: Exam questions often highlight that Security Groups are stateful and return traffic is automatically allowed. If SSH fails, check SG inbound rules first.
VPC peering connection is 'pending-acceptance'
Symptom: Peering connection shows status pending-acceptance; no traffic flows.
The peering request must be accepted by the owner of the peer VPC. After acceptance, route tables in both VPCs must be updated with routes pointing to the peering connection.
Exam clue: Exams test that VPC peering requires acceptance and explicit route table entries. Also, transitive routing is not supported.
NAT Gateway shows 'failed' status
Symptom: NAT Gateway enters 'failed' state after creation; instances cannot reach internet.
The NAT Gateway must be created in a public subnet with an attached IGW and a route to the IGW. Also, the Elastic IP must be valid and not already attached to another resource. Check subnet and route table configuration.
Exam clue: A failed NAT Gateway often appears in scenario-based questions where a misconfigured subnet (private instead of public) is the root cause.
Traffic between peered VPCs is dropped
Symptom: Instances in Peered VPCs cannot communicate; ping fails.
There may be overlapping CIDR blocks between the VPCs, or route tables do not have entries for the peer VPC's CIDR. Also, Security Groups and NACLs in both VPCs must allow the traffic.
Exam clue: Overlapping CIDRs are a common exam trick. You cannot peer VPCs with overlapping ranges; you must use Transit Gateway with network segmentation instead.
High latency or packet loss through NAT Gateway
Symptom: Applications experience slow response times; network monitoring shows dropped packets.
The NAT Gateway may be in a single AZ, and traffic from other AZs may be taking a suboptimal path (cross-AZ traffic incurs additional latency). Also, the NAT Gateway may be experiencing port exhaustion if many connections are being made.
Exam clue: Exams recommend deploying a NAT Gateway in each AZ for high availability and low latency. Port exhaustion is a known NAT Gateway issue that can be mitigated by increasing the number of connections or using a different architecture.
Cannot attach an Internet Gateway to a VPC
Symptom: Error message: 'The Internet Gateway is already attached to another VPC.'
An Internet Gateway can be attached to only one VPC at a time. You must detach it from the current VPC before attaching it to another. This is a one-to-one relationship.
Exam clue: Exam questions test that IGW attachment is exclusive. Also, you can attach only one IGW to a VPC, but multiple VPCs can have their own IGWs.
Memory Tip
Think of VPC as Your Private Cloud, You control the access, the rooms (subnets), and the doors (gateways).
Learn This Topic Fully
This glossary page explains what VPC means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
SY0-701CompTIA Security+ →ACEGoogle ACE →CDLGoogle CDL →AZ-104AZ-104 →PCAGoogle PCA →CLF-C02CLF-C02 →SAA-C03SAA-C03 →AZ-900AZ-900 →DVA-C02DVA-C02 →SOA-C02SOA-C02 →220-1101CompTIA A+ Core 1 →200-301Cisco CCNA →N10-009CompTIA Network+ →220-1102CompTIA A+ Core 2 →XK0-006CompTIA Linux+ →SC-900SC-900 →ISC2 CCISC2 CC →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
5G is the fifth generation of cellular network technology, designed to deliver faster speeds, lower latency, and support for many more connected devices than previous generations.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
Quick Knowledge Check
1.A company has a VPC with a CIDR block of 10.0.0.0/16. They need to create a subnet that can support at least 200 EC2 instances. Which subnet size should they choose?
2.Which of the following statements correctly describes the difference between Security Groups and Network ACLs?
3.A company wants to connect 10 VPCs to each other in a hub-and-spoke topology with transitive routing. Which service should they use?
4.An EC2 instance in a private subnet cannot reach the internet. The instance has a public IP, but connectivity fails. What is the most likely cause?
5.A network engineer notices that traffic between two peered VPCs is not flowing. Both VPCs have route table entries pointing to the peering connection, and the peering is in 'active' state. What is a possible reason for the issue?
6.What is a primary benefit of using AWS Transit Gateway over a mesh of VPC Peering connections?