AWS Virtual Private Cloud

Abimuktheeswaran Chidambaram
5 min read · May 18, 2023

Amazon Virtual Private Cloud (Amazon VPC) provides a logically isolated area of the AWS Cloud where you can launch AWS resources in a virtual network. It is a regional service that spans multiple Availability Zones (AZs) within the region. By default, a VPC includes an internet gateway, and each default subnet is a public subnet. Each instance that you launch into a public subnet has a private IPv4 address and a public IPv4 address. In this article, we will discuss the following chapters.

  1. Accessing the other networks from VPC
  2. IP address
  3. Subnets

1. Accessing the other networks from VPC

1.1 An Internet Gateway connects the instances in a public subnet of your VPC to the internet through the Amazon EC2 network edge. It supports public IPv4 and IPv6 addresses. For communication over IPv4, the internet gateway also performs network address translation (NAT). For communication over IPv6, your VPC and subnet must have an associated IPv6 CIDR block, and your instance must be assigned an IPv6 address from the subnet's range. You can assign an Elastic IP address to your instances.

If a subnet is associated with a route table that has a route to an internet gateway, it’s known as a public subnet. If a subnet is associated with a route table that does not have a route to an internet gateway, it’s known as a private subnet. Ensure that your network access control lists and security group rules allow the desired internet traffic to flow to and from your instance.
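The public/private distinction above is a property of the route table, not of the subnet itself, so it is worth checking mechanically. The following is an added example (not code from the article) that classifies subnets from route-table data shaped like the EC2 DescribeRouteTables response. The route tables, subnet IDs and gateway IDs below are constructed placeholders; the function names are the example's own. It also covers two details a reviewer would want: a subnet with no explicit association falls back to the VPC's main route table, and a route whose state is "blackhole" (its gateway was deleted) does not make the subnet public.

```python
from typing import Dict, List, Optional

# Constructed route-table data (not real AWS output). The dictionary keys
# mirror fields of the EC2 DescribeRouteTables response; the IDs are
# placeholders for illustration only.
ROUTE_TABLES: List[dict] = [
    {
        "RouteTableId": "rtb-PUBLIC-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-WEB-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-PRIVATE-EXAMPLE",
        "Associations": [{"SubnetId": "subnet-APP-EXAMPLE"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-MAIN-EXAMPLE",
        # The main table applies to every subnet without an explicit association.
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            # Blackhole: the gateway this route pointed at no longer exists.
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "blackhole"},
        ],
    },
]


def has_active_igw_route(route_table: dict) -> bool:
    """True if the table has an active route whose target is an internet gateway."""
    for route in route_table.get("Routes", []):
        if route.get("State", "active") != "active":
            continue  # blackhole routes carry no traffic
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return True
    return False


def effective_route_table(route_tables: List[dict], subnet_id: str) -> Optional[dict]:
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnets(route_tables: List[dict], subnet_ids: List[str]) -> Dict[str, str]:
    """Map each subnet ID to 'public' (active route to an IGW) or 'private'."""
    result: Dict[str, str] = {}
    for subnet_id in subnet_ids:
        rt = effective_route_table(route_tables, subnet_id)
        is_public = rt is not None and has_active_igw_route(rt)
        result[subnet_id] = "public" if is_public else "private"
    return result


if __name__ == "__main__":
    subnets = ["subnet-WEB-EXAMPLE", "subnet-APP-EXAMPLE", "subnet-ORPHAN-EXAMPLE"]
    for subnet_id, kind in classify_subnets(ROUTE_TABLES, subnets).items():
        print(f"{subnet_id}: {kind}")
```

A "public" result only means the subnet can route to the internet gateway; an instance in it is still unreachable from the internet unless it also has a public or Elastic IP address and its security group and network ACL permit the traffic, as the paragraph above notes.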

Internet Gateway

1.2 A NAT Gateway is a NAT (Network Address Translation) device that enables your instances to connect to networks outside your VPC. It allows outbound connections but does not accept connections initiated from outside. It supports private IPv4 addresses. You can route traffic from a public NAT gateway or a private NAT gateway to destinations outside your VPC through a Transit Gateway or a Virtual Private Gateway. There are two types of NAT gateway: the public NAT gateway and the private NAT gateway.

Instances in a private subnet connect to the internet via a public NAT gateway. It uses a private IPv4 address. In the case of a public NAT gateway, the internet gateway maps the private IPv4 address to an Elastic IP address.

public NAT gateway

Instances in a private subnet connect to other VPCs or on-premises networks via a private NAT gateway. It uses a private IPv4 address.

Private NAT gateway

You can monitor NAT gateway metrics using CloudWatch, which provides metric data at 1-minute intervals and keeps the data for up to 15 months.

1.3 To connect multiple VPCs or an on-premises network, use AWS Transit Gateway.

1.4 An Egress-only Internet Gateway is a VPC component that allows outbound communication from instances to the Internet over IPv6. It is stateful. Use NAT64 to enable instances in IPv6-only subnets to communicate with IPv4-only resources within VPCs, between VPCs, in your on-premises networks, or over the internet.

1.5 Virtual Private Gateway is the AWS side of the VPN connection. A customer gateway is a physical device or software application on the customer side of the VPN connection.

1.6 A VPC peering connection connects two VPCs within the region using private IPv4 or IPv6 addresses, allowing you to route traffic between them privately.

1.7 AWS PrivateLink establishes private connectivity between your VPC and supported AWS services.

1.8 To reach your on-premises network from your VPC without using a public network, use AWS Site-to-Site VPN.

2. IP address

IP addresses enable resources in your VPC to communicate with each other and with resources over the internet. Amazon VPC IP Address Manager (IPAM) is a VPC feature that makes it easier for you to plan, track, and monitor IP addresses for your AWS workloads. There are two types of IP addresses: IPv4 and IPv6. An IPv4 address is 32 bits, written as 4 groups of 3 decimal digits. Ex: An IPv6 address is 128 bits, written as 8 groups of 4 decimal digits. Ex: 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

Classless Inter-Domain Routing (CIDR) notation is a way of representing an IP address together with its network mask. The format of these blocks is as follows:

An IPv4 CIDR block is an IPv4 address followed by a slash and the prefix length (from 0 to 32). Ex:

An IPv6 CIDR block has 4 groups separated by colons, followed by a double colon, then a slash, and finally the prefix length (from 1 to 128). Ex: 2001:db8:1234:1a00::/56

3. Subnets

3.1 A subnet splits the VPC's IP address range into smaller ranges, which helps avoid wasting IP addresses. A subnet resides in a single Availability Zone and cannot span more than one. If you create a subnet in a VPC that has an IPv4 CIDR block, the subnet's CIDR block is a subset of that VPC CIDR block.

3.2 Security in subnets: To protect your AWS resources, AWS recommends that you use private subnets. AWS provides the following security features. Security groups allow inbound and outbound traffic at the subnet level; they support allow rules only and are stateful. Network ACLs allow or deny inbound and outbound traffic at the subnet level; they support both allow and deny rules and are stateless.
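The stateful/stateless and allow-only/allow-and-deny differences above decide whether a flow actually gets through, so they are worth seeing in executable form. The following is an added example (not from the article) that models the two evaluation behaviours as AWS documents them: a network ACL evaluates its rules in ascending rule-number order, the first match wins, and an implicit final rule denies everything else; a security group has allow rules only, and traffic is permitted if any rule matches. For a stateless ACL, the client's request and the server's reply are evaluated independently, so an outbound rule for the ephemeral reply ports is required; a stateful security group only checks the initiating direction. All rules and addresses below are constructed samples, and the class and function names are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    number: int     # NACL rule number (lowest evaluated first); not used by security groups
    action: str     # "allow" or "deny" (security groups support "allow" only)
    protocol: str   # "tcp", "udp", "icmp" or "all"
    port_from: int  # inclusive port range; ignored when protocol is "all"
    port_to: int
    cidr: str       # remote address range the rule applies to

    def matches(self, protocol: str, port: int, remote_ip: str) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if self.protocol != "all" and not self.port_from <= port <= self.port_to:
            return False
        return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)


def nacl_decision(rules: List[Rule], protocol: str, port: int, remote_ip: str) -> str:
    """Network ACL: ascending rule number, first match wins, implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, remote_ip):
            return rule.action
    return "deny"


def sg_decision(rules: List[Rule], protocol: str, port: int, remote_ip: str) -> str:
    """Security group: allow rules only; permitted if any rule matches."""
    for rule in rules:
        if rule.action == "allow" and rule.matches(protocol, port, remote_ip):
            return "allow"
    return "deny"


def tcp_session_through_nacl(inbound: List[Rule], outbound: List[Rule],
                             client_ip: str, server_port: int, client_port: int) -> bool:
    """Stateless: the request (client -> server port) and the reply
    (server -> client's ephemeral port) are evaluated separately; both must pass."""
    request = nacl_decision(inbound, "tcp", server_port, client_ip)
    reply = nacl_decision(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"


def tcp_session_through_sg(inbound: List[Rule], client_ip: str, server_port: int) -> bool:
    """Stateful: only the initiating direction is checked; connection tracking
    admits the reply automatically."""
    return sg_decision(inbound, "tcp", server_port, client_ip) == "allow"


# Constructed sample rule sets (documentation address ranges, not real hosts).
NACL_INBOUND = [
    Rule(90, "deny", "tcp", 443, 443, "203.0.113.0/24"),   # block one range first...
    Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),       # ...then allow HTTPS from anywhere
]
NACL_OUTBOUND_NO_EPHEMERAL: List[Rule] = []                 # common mistake: replies have no rule
NACL_OUTBOUND = [Rule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]
SG_INBOUND = [Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")]

if __name__ == "__main__":
    print("NACL 443 from 198.51.100.7:", nacl_decision(NACL_INBOUND, "tcp", 443, "198.51.100.7"))
    print("NACL 443 from 203.0.113.9:", nacl_decision(NACL_INBOUND, "tcp", 443, "203.0.113.9"))
    print("NACL session, no ephemeral rule:",
          tcp_session_through_nacl(NACL_INBOUND, NACL_OUTBOUND_NO_EPHEMERAL, "198.51.100.7", 443, 50000))
    print("NACL session, with ephemeral rule:",
          tcp_session_through_nacl(NACL_INBOUND, NACL_OUTBOUND, "198.51.100.7", 443, 50000))
    print("SG session:", tcp_session_through_sg(SG_INBOUND, "198.51.100.7", 443))
```

If the deny rule in NACL_INBOUND were numbered 110 instead of 90, the allow at 100 would match first and the deny would never take effect; rule ordering is the usual source of surprises in network ACLs.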

3.3 Subnet route table: Each subnet in your VPC must be associated with a route table, which controls routing for the subnet. A route table contains a set of rules called routes. Every route specifies a destination and a target, and every route table contains a local route for communication within the VPC.
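To show how the destination and target of each route decide where a packet goes, here is an added example (not from the article) of the forwarding decision a subnet route table makes: the most specific matching destination wins (longest-prefix match), so the local route always takes precedence over a 0.0.0.0/0 default route for addresses inside the VPC, and a packet with no matching route is dropped. The route table is a constructed sample whose target IDs are placeholders; it includes an IPv6 default route to an egress-only internet gateway (section 1.4) and a route to a peering connection (section 1.6). The function names are the example's own.

```python
import ipaddress
from typing import List, Optional

# Constructed route table (not real AWS output); target IDs are placeholders.
# AWS adds the 'local' route for the VPC CIDR block automatically.
ROUTES: List[dict] = [
    {"destination": "10.0.0.0/16",   "target": "local"},
    {"destination": "172.16.0.0/12", "target": "pcx-EXAMPLE"},   # VPC peering connection
    {"destination": "0.0.0.0/0",     "target": "igw-EXAMPLE"},   # IPv4 default -> internet gateway
    {"destination": "::/0",          "target": "eigw-EXAMPLE"},  # IPv6 default -> egress-only IGW
]


def select_route(routes: List[dict], destination_ip: str) -> Optional[str]:
    """Return the target for a packet to destination_ip, or None if no route matches.

    Longest-prefix match: among all routes whose destination contains the
    address, the one with the longest prefix (most specific) is chosen.
    """
    addr = ipaddress.ip_address(destination_ip)
    best_net = None
    best_target = None
    for route in routes:
        net = ipaddress.ip_network(route["destination"])
        if net.version != addr.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_target = net, route["target"]
    return best_target


def without_default_routes(routes: List[dict]) -> List[dict]:
    """The same table as a private subnet would have it: no 0.0.0.0/0 or ::/0 route."""
    return [r for r in routes if r["destination"] not in ("0.0.0.0/0", "::/0")]


if __name__ == "__main__":
    for ip in ("10.0.5.9", "172.16.3.4", "198.51.100.7", "2001:db8::1"):
        print(f"{ip:>16} -> {select_route(ROUTES, ip)}")
    private = without_default_routes(ROUTES)
    print("private table, 198.51.100.7 ->", select_route(private, "198.51.100.7"))
```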

Last Updated: 07-Jan-2024