This chapter provides a comprehensive deep dive into Amazon Virtual Private Cloud (VPC) as required for the AWS Certified SysOps Administrator Associate SOA-C02 exam. VPC is the foundational networking layer for almost every AWS service, and exam questions on VPC concepts, components, and troubleshooting constitute approximately 15-20% of the total exam. Mastering VPC is essential for designing secure, scalable, and cost-effective cloud architectures and for passing the SOA-C02 exam.
Jump to a section
Think of a VPC as a private office building in a city (the AWS cloud). The building has its own address (CIDR block) and is isolated from other buildings. Inside, you have floors (subnets) that are either open to visitors (public subnets) or restricted to employees only (private subnets). The building's main entrance with a security guard who checks IDs is the Internet Gateway (IGW). For employees to access the internet without exposing themselves to incoming calls, they use a single phone line through a receptionist who logs outgoing calls and routes responses—this is a NAT Gateway. To connect two buildings securely, you build a private tunnel (VPN) or a dedicated fiber line (Direct Connect). The building's internal mailroom that distributes packages to the correct floor based on recipient name is like a VPC peering connection or Transit Gateway. Each floor has its own access control list (network ACL) at the floor entrance, and each office door has its own lock (security group). If you want to monitor who enters and leaves, you install cameras (VPC Flow Logs). This analogy maps directly: the city is the AWS region, the building is the VPC, floors are subnets, security guard is IGW, receptionist is NAT Gateway, tunnels are VPNs, mailroom is peering, floor ACLs are network ACLs, door locks are security groups, and cameras are Flow Logs.
What is Amazon VPC and Why Does It Exist?
Amazon Virtual Private Cloud (VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. Before VPC (introduced in 2009), all EC2 instances shared a flat network (EC2-Classic). VPC gave customers control over IP addressing, routing, and security. Every new AWS account now has a default VPC in each region, but you can create up to 5 VPCs per region (soft limit, can be increased).
VPC CIDR Blocks and Subnets
A VPC spans all Availability Zones (AZs) in a region. You assign an IPv4 CIDR block (e.g., 10.0.0.0/16) and optionally an IPv6 CIDR block (a /56 from AWS's pool). The CIDR block size must be between /16 and /28. You cannot change the CIDR after creation, but you can add secondary CIDRs (up to 5, with limits). Subnets are subdivisions within a VPC, each residing in a single AZ. Subnet CIDR blocks must be a subset of the VPC CIDR (or secondary CIDR). AWS reserves the first four IP addresses and the last one in each subnet (e.g., for 10.0.0.0/24: .0 network, .1 VPC router, .2 DNS, .3 future use, .255 broadcast).
Internet Gateway (IGW)
An IGW is a horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet. It serves two purposes: a target in your route tables for internet-routable traffic, and performs NAT for instances that have public IPv4 addresses. An IGW supports both IPv4 and IPv6. To make a subnet public, you attach an IGW to the VPC and add a route to the subnet's route table: destination 0.0.0.0/0 (or ::/0 for IPv6) target igw-id. The IGW is not a physical device; it's a logical connection managed by AWS.
NAT Gateway and NAT Instance
A NAT (Network Address Translation) Gateway enables instances in a private subnet to connect to the internet or other AWS services, but prevents the internet from initiating connections with those instances. NAT Gateway is a managed service (scales automatically, up to 45 Gbps). It supports IPv4 only. You must allocate an Elastic IP (EIP) to it. For high availability, deploy one NAT Gateway per AZ. NAT Gateway automatically processes traffic and updates connection tracking. Default timeout for TCP connections is 350 seconds (configurable via idle timeout). NAT Instance is an older, self-managed EC2 instance with source/destination check disabled. Not recommended for production due to single point of failure and manual scaling.
Route Tables
Each subnet must be associated with a route table (explicitly or the main route table). A route table contains routes that determine where network traffic is directed. The most specific route (longest prefix match) wins. Each route table has a local route (e.g., 10.0.0.0/16 local) that cannot be deleted. You can add routes to IGW, NAT Gateway, VPC peering, Transit Gateway, VPN Gateway, etc. If no route matches, traffic is dropped. Route tables are regional resources.
Security Groups vs. Network ACLs
Security Groups (SGs) act as virtual firewalls for instances (stateful). They support allow rules only (no explicit deny). Default SG allows all outbound, denies all inbound. You can reference other SGs or CIDR blocks. SGs evaluate all rules before deciding to allow traffic. Network ACLs (NACLs) are stateless firewalls for subnets. They support allow and deny rules, in numeric order. Default NACL allows all inbound and outbound. Custom NACLs deny all by default. NACLs are evaluated in rule number order (lowest to highest) and the first matching rule is applied.
VPC Peering
VPC peering connects two VPCs (in same or different accounts/regions) using AWS's internal network. It's a one-to-one relationship (no transitive peering). You must add routes in both VPCs' route tables to point to the peering connection. Instances in peered VPCs can communicate as if they are on the same network (using private IPs). You cannot create a peering connection between VPCs with overlapping CIDRs. For inter-region peering, traffic stays on the AWS backbone.
AWS VPN and Direct Connect
Site-to-Site VPN connects your on-premises network to your VPC via encrypted tunnels over the internet. You create a Virtual Private Gateway (VGW) attached to your VPC, and a Customer Gateway (CGW) representing your on-premises router. Two tunnels are created for redundancy (IPsec). AWS VPN supports static or BGP routing (using dynamic routing). Direct Connect provides a dedicated private connection from your on-premises data center to AWS. It reduces network costs and increases bandwidth consistency. You can combine Direct Connect with VPN for encrypted traffic.
VPC Endpoints
VPC endpoints allow private connections to AWS services (S3, DynamoDB, etc.) without traversing the internet. Two types: Gateway Endpoints (for S3 and DynamoDB) and Interface Endpoints (for many other services using AWS PrivateLink). Gateway endpoints are free and use route table entries. Interface endpoints are powered by PrivateLink and cost per hour + data processed. Both keep traffic within the AWS network.
VPC Flow Logs
Flow Logs capture IP traffic information for network interfaces in a VPC, subnet, or instance. They can be published to CloudWatch Logs or S3. Flow logs do not capture real-time logs; they are aggregated and delivered periodically (every 10 minutes for CloudWatch, every 5 minutes for S3). Flow logs record the following fields: version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action (ACCEPT/REJECT), log-status. Flow logs can help diagnose overly restrictive security group rules or network ACLs.
AWS Transit Gateway
Transit Gateway acts as a hub for connecting multiple VPCs and on-premises networks. It supports transitive routing and simplifies network architecture. You attach VPCs and VPNs to the Transit Gateway, and create route tables to control traffic flow. Transit Gateway is a regional resource but supports inter-region peering.
DHCP Options Sets
A DHCP options set gives you control over the DNS servers, domain name, and NTP servers that EC2 instances use. By default, the VPC uses AmazonProvidedDNS (which resolves to the VPC's DNS server at 169.254.169.253). You can create custom DHCP options sets, but you cannot modify them after creation; you must create a new one and associate it with the VPC.
Elastic IP Addresses
An Elastic IP (EIP) is a static, public IPv4 address that you can allocate to your account and associate with an instance or NAT Gateway. EIPs are charged when not associated with a running instance (to encourage efficient use). You can have up to 5 EIPs per region (soft limit).
Key Exam Numbers and Defaults
Maximum VPCs per region: 5 (soft limit)
Maximum subnets per VPC: 200
Maximum security groups per VPC: 500
Maximum rules per security group: 60 inbound + 60 outbound
Maximum network ACLs per VPC: 200
Maximum rules per NACL: 20 (inbound + outbound combined? Actually 20 per NACL, but you can have multiple NACLs)
NAT Gateway: supports up to 55,000 simultaneous connections to a single destination
VPC peering: no transitive peering, no overlapping CIDRs
Default VPC CIDR: 172.31.0.0/16
Reserved IPs per subnet: first 4 + last 1
Configuration and Verification Commands
Using AWS CLI:
Create VPC: aws ec2 create-vpc --cidr-block 10.0.0.0/16
Create subnet: aws ec2 create-subnet --vpc-id vpc-xxx --cidr-block 10.0.1.0/24 --availability-zone us-east-1a
Create IGW: aws ec2 create-internet-gateway then attach: aws ec2 attach-internet-gateway --vpc-id vpc-xxx --internet-gateway-id igw-xxx
Create route: aws ec2 create-route --route-table-id rtb-xxx --destination-cidr-block 0.0.0.0/0 --gateway-id igw-xxx
Create NAT Gateway: aws ec2 create-nat-gateway --subnet-id subnet-xxx --allocation-id eipalloc-xxx
Create VPC peering: aws ec2 create-vpc-peering-connection --vpc-id vpc-xxx --peer-vpc-id vpc-yyy
Create security group: aws ec2 create-security-group --group-name MySG --description "My SG" --vpc-id vpc-xxx
Create network ACL: aws ec2 create-network-acl --vpc-id vpc-xxx
Enable flow logs: aws ec2 create-flow-logs --resource-type VPC --resource-id vpc-xxx --traffic-type ALL --log-group-name my-flow-logs --deliver-logs-permission-arn arn:aws:iam::account:role/FlowLogsRole
Verification commands:
Describe VPC: aws ec2 describe-vpcs --vpc-ids vpc-xxx
Describe subnets: aws ec2 describe-subnets --filters Name=vpc-id,Values=vpc-xxx
Describe route tables: aws ec2 describe-route-tables --filters Name=vpc-id,Values=vpc-xxx
Describe security groups: aws ec2 describe-security-groups --group-ids sg-xxx
Describe network ACLs: aws ec2 describe-network-acls --filters Name=vpc-id,Values=vpc-xxx
Describe flow logs: aws ec2 describe-flow-logs --filter Name=resource-id,Values=vpc-xxx
Interaction with Related Technologies
VPC integrates with many AWS services:
EC2: Instances are launched into subnets, with security groups and key pairs.
ELB: Load balancers are internet-facing (public subnet) or internal (private subnet).
RDS: Databases are placed in private subnets, often using Multi-AZ.
Lambda: Can be configured to run inside a VPC for access to private resources.
ECS: Tasks can use awsvpc network mode for direct ENI attachment.
CloudFront: Can use VPC origins via PrivateLink.
Route 53: Private hosted zones for internal DNS resolution.
Understanding these interactions is critical for designing solutions and troubleshooting connectivity issues on the exam.
Create a VPC and Subnets
First, define the VPC's IP address space using a CIDR block (e.g., 10.0.0.0/16). Then create subnets in different Availability Zones, each with a subset of the VPC CIDR (e.g., 10.0.1.0/24 in us-east-1a, 10.0.2.0/24 in us-east-1b). Subnets are implicitly associated with the main route table initially. For public subnets, you will later modify the route table to include a route to an Internet Gateway. For private subnets, you may add a route to a NAT Gateway for outbound internet access.
Attach Internet Gateway and Configure Public Subnet
Create an Internet Gateway (IGW) and attach it to the VPC. Then create a custom route table for the public subnet and add a default route (0.0.0.0/0) pointing to the IGW. Associate this route table with the public subnet(s). This allows instances in the public subnet with public IPs to communicate with the internet. The IGW performs NAT for instances with public IPv4 addresses, translating their private IP to the public IP for outbound traffic and vice versa for inbound traffic.
Set Up NAT Gateway for Private Subnets
Allocate an Elastic IP address and create a NAT Gateway in a public subnet (e.g., subnet-1a-public). Then create a route table for private subnets and add a default route (0.0.0.0/0) pointing to the NAT Gateway ID. Associate this route table with the private subnets. The NAT Gateway uses its Elastic IP for outbound traffic and maintains connection state so that return traffic is routed back to the correct instance. NAT Gateway is highly available within its AZ; for multi-AZ resilience, deploy a NAT Gateway in each AZ.
Configure Security Groups and Network ACLs
Create security groups (SGs) and associate them with instances. Define inbound rules (e.g., allow SSH from your IP) and outbound rules (e.g., allow all traffic). SGs are stateful, so return traffic is automatically allowed. For subnet-level protection, create network ACLs (NACLs) and associate them with subnets. NACLs are stateless, so you must explicitly allow both inbound and outbound traffic. For example, to allow HTTP from the internet, add inbound rule 100: allow TCP 80 from 0.0.0.0/0 and outbound rule 100: allow TCP ephemeral ports 1024-65535 to 0.0.0.0/0.
Enable VPC Flow Logs for Monitoring
Create a CloudWatch Logs log group (or specify an S3 bucket) and an IAM role that grants permissions to publish logs. Use the AWS CLI or Console to create flow logs for the VPC, subnet, or specific network interface. Specify the traffic type (ALL, ACCEPT, REJECT). Flow logs capture metadata about IP traffic (source/dest IP, ports, protocol, action, packet/byte counts). Logs are published every 10 minutes to CloudWatch or every 5 minutes to S3. Analyze logs to identify blocked traffic or troubleshoot connectivity issues.
In enterprise environments, VPCs are the foundation for multi-tier applications. A typical three-tier architecture consists of: a public subnet for load balancers, private subnets for application servers, and private subnets for databases. For example, a financial services company might deploy an internet-facing Application Load Balancer in a public subnet, EC2 instances running a web application in private subnets (with auto scaling), and an RDS MySQL Multi-AZ database in isolated private subnets. The database subnets have no route to the internet; only the application servers can connect to the database via security group allow rules. To meet compliance, VPC Flow Logs are enabled and sent to a centralized S3 bucket for security analysis. The company also uses AWS Direct Connect to connect their on-premises data center to the VPC, with a Virtual Private Gateway and BGP routing for failover.
Another scenario: a SaaS provider needs to isolate multiple customer environments. They create separate VPCs for each customer (or use separate subnets with strict NACLs). They use VPC peering to connect customer VPCs to a shared services VPC (e.g., for Active Directory or monitoring). However, they must ensure CIDRs do not overlap. For large-scale connectivity, they use AWS Transit Gateway to interconnect hundreds of VPCs and on-premises networks, with centralized routing and security appliances.
Common misconfigurations: forgetting to disable source/destination check on NAT instances (not relevant for NAT Gateway), overlapping CIDR blocks in peering, not updating route tables after creating peering, and incorrectly assuming security groups are stateless (they are stateful). Performance considerations: NAT Gateway can handle up to 45 Gbps, but if you need more, distribute traffic across multiple NAT Gateways. For Direct Connect, bandwidth can be 50 Mbps to 100 Gbps; you must order the correct port speed. When troubleshooting, always check route tables, security groups, and NACLs first.
What goes wrong: a common issue is that an instance in a private subnet cannot access the internet because the NAT Gateway is in a different AZ with no route to it, or the NAT Gateway's security group (if using a NAT instance) blocks traffic. Another issue is that flow logs show REJECT traffic because a NACL is blocking the ephemeral ports for outbound responses. Engineers must remember that NACLs are stateless and need separate outbound rules for return traffic.
The SOA-C02 exam tests VPC knowledge extensively under Domain 5: Networking. Key objectives include: 5.1 Implement networking features (VPC, subnets, route tables, NAT, IGW, security groups, NACLs), 5.2 Configure connectivity (VPC peering, VPN, Direct Connect, Transit Gateway), and 5.3 Manage DNS and content delivery (Route 53, CloudFront). Expect about 15-20% of questions to involve VPC concepts.
Common wrong answers and why: 1. Security groups are stateless – Many candidates think SGs are stateless like NACLs. Reality: SGs are stateful; return traffic is automatically allowed. The exam loves to test this distinction. 2. NAT Gateway is highly available across AZs by default – NAT Gateway is AZ-specific. To achieve HA, you must deploy one in each AZ and configure route tables accordingly. The exam may present a scenario where a NAT Gateway in one AZ fails and instances in another AZ lose internet access. 3. VPC peering supports transitive routing – Peering is non-transitive. If VPC A is peered with VPC B, and VPC B with VPC C, VPC A cannot communicate with VPC C unless they are directly peered. The exam may ask how to connect three VPCs. 4. Network ACLs are evaluated after security groups – Actually, NACLs are evaluated at the subnet boundary before SGs (for inbound) and after SGs (for outbound). But the exam may ask about the order of evaluation.
Specific numbers and terms to memorize:
Default VPC CIDR: 172.31.0.0/16
Reserved IPs: first 4 and last 1 in each subnet
Maximum VPCs per region: 5 (default)
Maximum security groups per VPC: 500
Maximum rules per security group: 60 inbound + 60 outbound
NACL rule limit: 20 per NACL
NAT Gateway connection limit: 55,000 simultaneous connections to a single destination
Flow logs: delivered every 10 minutes to CloudWatch, every 5 minutes to S3
Edge cases: When a VPC has multiple CIDRs, route tables must include routes for each CIDR. If you delete the default VPC, you can recover it by contacting AWS support (within a limited time). For inter-region VPC peering, you cannot use security group references across regions (you must use CIDR). The exam may ask about DNS resolution options for VPC peering (enable DNS resolution for the peer VPC).
To eliminate wrong answers, focus on the underlying mechanism: think about packet flow. For example, if an instance cannot reach the internet, check the route table (is there a default route?), the IGW (is it attached?), the NAT Gateway (is it in a public subnet with an EIP?), and the security group/NACL (are outbound rules allowing traffic?). Always verify the direction of traffic: inbound vs outbound, and whether the component is stateful or stateless.
A VPC spans all AZs in a region; subnets are AZ-specific.
Each subnet reserves the first 4 IP addresses and the last 1 (e.g., .0, .1, .2, .3, .255 for /24).
Internet Gateway (IGW) is required for public subnets; it's a horizontally scaled, redundant component.
NAT Gateway is AZ-specific; deploy one per AZ for high availability; supports up to 45 Gbps.
NAT Gateway has a default TCP idle timeout of 350 seconds.
Security groups are stateful; network ACLs are stateless.
VPC peering is non-transitive and requires non-overlapping CIDRs.
VPC Flow Logs capture metadata (not payload) and can be sent to CloudWatch Logs or S3.
Default VPC CIDR is 172.31.0.0/16; default VPC has an IGW and a default route for public subnets.
Maximum 5 VPCs per region (soft limit), 200 subnets per VPC, 500 security groups per VPC.
These come up on the exam all the time. Here's how to tell them apart.
Security Group
Stateful: return traffic is automatically allowed.
Operates at the instance level (ENI).
Supports allow rules only (no explicit deny).
Evaluates all rules before allowing traffic (no rule number order).
Default SG allows all outbound, denies all inbound.
Network ACL
Stateless: return traffic must be explicitly allowed.
Operates at the subnet level.
Supports both allow and deny rules.
Rules are evaluated in numeric order (lowest to highest), first match applies.
Default NACL allows all inbound and outbound; custom NACL denies all by default.
Mistake
Security groups are stateless like network ACLs.
Correct
Security groups are stateful: if you allow inbound traffic, the outbound return traffic is automatically allowed, regardless of outbound rules. Network ACLs are stateless and require explicit inbound and outbound rules for return traffic.
Mistake
A NAT Gateway provides high availability across Availability Zones automatically.
Correct
A NAT Gateway is deployed in a single AZ. For high availability, you must create a NAT Gateway in each AZ and configure route tables for each subnet to use its local NAT Gateway. If one AZ fails, only subnets in that AZ lose internet access.
Mistake
VPC peering allows transitive routing between multiple VPCs.
Correct
VPC peering is a one-to-one relationship and does not support transitive routing. If VPC A is peered with VPC B, and VPC B with VPC C, VPC A cannot communicate with VPC C through VPC B. Each pair must have a direct peering connection.
Mistake
You can modify the CIDR block of an existing VPC.
Correct
You cannot change the primary CIDR block of a VPC after creation. However, you can add secondary CIDR blocks (up to 5) if needed. The primary CIDR is fixed.
Mistake
VPC Flow Logs capture the actual packet data (payload).
Correct
Flow logs capture metadata about IP traffic (source/dest IP, ports, protocol, packet/byte counts, action) but do NOT capture the contents of the packets (payload). They are used for network monitoring and troubleshooting, not for deep packet inspection.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A public subnet has a route to an Internet Gateway (IGW) in its route table, allowing instances with public IPs to communicate with the internet. A private subnet does not have a direct route to an IGW; it can use a NAT Gateway or NAT instance for outbound-only internet access. Instances in private subnets typically have private IPs only and are not directly reachable from the internet.
You cannot directly access an instance in a private subnet from the internet. Instead, use a bastion host (jump server) in a public subnet, or set up a VPN connection or Direct Connect. Alternatively, you can use an Application Load Balancer with an internal target group and a public-facing ALB in a public subnet, or use AWS Systems Manager Session Manager without needing a public IP.
A NAT Gateway enables instances in a private subnet to initiate outbound traffic to the internet (e.g., for software updates) while preventing inbound connections from the internet. It is a managed service that scales automatically. Use it when you need high availability and minimal management overhead. For lower cost or specific configurations, you might use a NAT instance, but NAT Gateway is recommended for production.
No, you can attach only one Internet Gateway to a VPC at a time. However, you can have multiple VPCs, each with its own IGW. For multiple public subnets, you use a single IGW and route tables.
You can use a Site-to-Site VPN (via Virtual Private Gateway and Customer Gateway), AWS Direct Connect (dedicated private connection), or a combination of both. VPN uses the internet with IPsec encryption; Direct Connect provides a private, consistent connection. You can also use Transit Gateway to simplify connectivity when you have multiple VPCs.
VPC endpoints allow private connections to AWS services (e.g., S3, DynamoDB) without traversing the internet. Gateway endpoints are free and used for S3 and DynamoDB; Interface endpoints (AWS PrivateLink) are used for many other services and incur hourly charges. Use endpoints to improve security and reduce data transfer costs.
Common causes: (1) The NAT Gateway is in a different subnet/AZ and the route table for the private subnet does not point to it (or points to a different NAT Gateway). (2) The NAT Gateway's Elastic IP is not properly allocated or associated. (3) The security group of the instance blocks outbound traffic. (4) The network ACL associated with the subnet blocks outbound traffic (stateless, need outbound rule for ephemeral ports). (5) The route table for the private subnet does not have a default route (0.0.0.0/0) pointing to the NAT Gateway.
You've just covered VPC for SysOps — now see how well it sticks with free SOA-C02 practice questions. Full explanations included, no account needed.
Done with this chapter?