VPC Networking & Security Architecture

25 min | Lesson 5 of 5

Learning Objectives

  • Design a multi-tier VPC architecture
  • Configure public and private subnets
  • Set up NAT Gateways and Internet Gateways
  • Implement defense-in-depth with NACLs and Security Groups

VPC Architecture

A VPC (Virtual Private Cloud) is your logically isolated network inside AWS; every subnet, route table and gateway in this lesson lives inside it.

┌─────────────────────────────────────────────────────────┐
│                    VPC (10.0.0.0/16)                      │
│                                                          │
│  ┌─────────────────────────────────────────────────────┐ │
│  │              Public Subnets                          │ │
│  │  ┌──────────────┐  ┌──────────────┐                │ │
│  │  │ 10.0.1.0/24  │  │ 10.0.2.0/24  │  (ALB, NAT)   │ │
│  │  │    AZ-1a     │  │    AZ-1b     │                │ │
│  │  └──────────────┘  └──────────────┘                │ │
│  └─────────────────────────────────────────────────────┘ │
│                                                          │
│  ┌─────────────────────────────────────────────────────┐ │
│  │              Private Subnets                         │ │
│  │  ┌──────────────┐  ┌──────────────┐                │ │
│  │  │ 10.0.10.0/24 │  │ 10.0.11.0/24 │  (App servers) │ │
│  │  │    AZ-1a     │  │    AZ-1b     │                │ │
│  │  └──────────────┘  └──────────────┘                │ │
│  └─────────────────────────────────────────────────────┘ │
│                                                          │
│  ┌─────────────────────────────────────────────────────┐ │
│  │              Database Subnets                        │ │
│  │  ┌──────────────┐  ┌──────────────┐                │ │
│  │  │ 10.0.20.0/24 │  │ 10.0.21.0/24 │  (RDS, Redis) │ │
│  │  │    AZ-1a     │  │    AZ-1b     │                │ │
│  │  └──────────────┘  └──────────────┘                │ │
│  └─────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────┘
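Before running any create-subnet commands it is worth checking the address plan on paper. The following script is an added example (not part of the lesson) that encodes the diagram above and validates it with Python's standard ipaddress module: every subnet must sit inside the VPC CIDR, no two subnets may overlap, each tier should span at least two Availability Zones, and the usable host count accounts for the five addresses AWS reserves in every subnet. The subnet names and AZ assignments are taken from the diagram; the free_space helper and the AWS_RESERVED_PER_SUBNET constant are assumptions of this example.

```python
import ipaddress

# Layout from the lesson diagram: name -> (CIDR, tier, Availability Zone)
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "public-1a":  ("10.0.1.0/24",  "public",   "us-east-1a"),
    "public-1b":  ("10.0.2.0/24",  "public",   "us-east-1b"),
    "private-1a": ("10.0.10.0/24", "private",  "us-east-1a"),
    "private-1b": ("10.0.11.0/24", "private",  "us-east-1b"),
    "db-1a":      ("10.0.20.0/24", "database", "us-east-1a"),
    "db-1b":      ("10.0.21.0/24", "database", "us-east-1b"),
}

# AWS reserves the first four addresses (network, VPC router, DNS, future use)
# and the last address (broadcast) of every subnet, so a /24 yields 251 hosts.
AWS_RESERVED_PER_SUBNET = 5


def validate_layout(vpc_cidr, subnets):
    """Return a list of problems: subnets outside the VPC or overlapping each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(spec[0]) for name, spec in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} ({net}) is not inside {vpc}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def usable_hosts(cidr):
    """Addresses left for instances after AWS's reserved addresses."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def tier_coverage(subnets):
    """Map each tier to the set of AZs it spans."""
    coverage = {}
    for _cidr, tier, az in subnets.values():
        coverage.setdefault(tier, set()).add(az)
    return coverage


def tiers_multi_az(subnets, minimum=2):
    """True when every tier has subnets in at least `minimum` AZs."""
    return all(len(azs) >= minimum for azs in tier_coverage(subnets).values())


def free_space(vpc_cidr, subnets, prefix=24):
    """Count the /prefix blocks of the VPC not yet allocated to any subnet."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = [ipaddress.ip_network(spec[0]) for spec in subnets.values()]
    return sum(1 for block in vpc.subnets(new_prefix=prefix)
               if not any(block.overlaps(u) for u in used))


if __name__ == "__main__":
    print("problems:", validate_layout(VPC_CIDR, SUBNETS) or "none")
    for name, (cidr, tier, az) in SUBNETS.items():
        print(f"{name:11} {cidr:14} {tier:9} {az}  usable={usable_hosts(cidr)}")
    print("every tier in >= 2 AZs:", tiers_multi_az(SUBNETS))
    print("unallocated /24 blocks:", free_space(VPC_CIDR, SUBNETS))
```

Running it against the diagram reports no problems, 251 usable hosts per /24 and 250 unallocated /24 blocks, which is the headroom you have for future tiers or environments before a second VPC becomes necessary.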

Creating a VPC

# Create VPC
aws ec2 create-vpc \
  --cidr-block 10.0.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=nextgen-vpc}]'
 
# Enable DNS
aws ec2 modify-vpc-attribute --vpc-id vpc-xxx --enable-dns-hostnames '{"Value":true}'
 
# Create Internet Gateway
aws ec2 create-internet-gateway \
  --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=nextgen-igw}]'
 
aws ec2 attach-internet-gateway --internet-gateway-id igw-xxx --vpc-id vpc-xxx

Subnets

# Public subnet (AZ-1a)
aws ec2 create-subnet \
  --vpc-id vpc-xxx \
  --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=public-1a}]'
 
# Private subnet (AZ-1a)
aws ec2 create-subnet \
  --vpc-id vpc-xxx \
  --cidr-block 10.0.10.0/24 \
  --availability-zone us-east-1a \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=private-1a}]'
 
# Enable auto-assign public IP for public subnets
aws ec2 modify-subnet-attribute \
  --subnet-id subnet-xxx \
  --map-public-ip-on-launch

Route Tables

# Public route table (routes to Internet Gateway)
aws ec2 create-route-table --vpc-id vpc-xxx
aws ec2 create-route \
  --route-table-id rtb-xxx \
  --destination-cidr-block 0.0.0.0/0 \
  --gateway-id igw-xxx
 
# Associate with public subnets
aws ec2 associate-route-table --route-table-id rtb-xxx --subnet-id subnet-public
 
# Private route table (create it with create-route-table as above, then add a default route to the NAT Gateway)
aws ec2 create-route \
  --route-table-id rtb-private \
  --destination-cidr-block 0.0.0.0/0 \
  --nat-gateway-id nat-xxx

NAT Gateway

A NAT Gateway lets instances in private subnets initiate outbound connections to the internet (for example, to fetch updates) while remaining unreachable from the internet, because it only forwards connections that originate inside the VPC.

# Allocate Elastic IP for NAT
aws ec2 allocate-address --domain vpc
 
# Create NAT Gateway in public subnet
aws ec2 create-nat-gateway \
  --subnet-id subnet-public-1a \
  --allocation-id eipalloc-xxx \
  --tag-specifications 'ResourceType=natgateway,Tags=[{Key=Name,Value=nextgen-nat}]'

Security Layers

Security Groups (Stateful)

# Web tier — allows HTTP/HTTPS from anywhere
aws ec2 create-security-group \
  --group-name web-sg \
  --description "Web tier" \
  --vpc-id vpc-xxx
 
aws ec2 authorize-security-group-ingress \
  --group-id sg-web \
  --protocol tcp --port 80 --cidr 0.0.0.0/0
 
aws ec2 authorize-security-group-ingress \
  --group-id sg-web \
  --protocol tcp --port 443 --cidr 0.0.0.0/0
 
# App tier — allows traffic only from web tier
# (sg-app and sg-db are created with create-security-group exactly like web-sg above; sg-* ids are placeholders)
aws ec2 authorize-security-group-ingress \
  --group-id sg-app \
  --protocol tcp --port 3000 \
  --source-group sg-web
 
# DB tier — allows traffic only from app tier
aws ec2 authorize-security-group-ingress \
  --group-id sg-db \
  --protocol tcp --port 5432 \
  --source-group sg-app

Network ACLs (Stateless)

Rule   Type    Port   Source        Action
100    HTTP    80     0.0.0.0/0     Allow
110    HTTPS   443    0.0.0.0/0     Allow
120    SSH     22     10.0.0.0/16   Allow
*      All     All    0.0.0.0/0     Deny

Security Groups vs NACLs

Feature      Security Group      NACL
Level        Instance            Subnet
State        Stateful            Stateless
Rules        Allow only          Allow + Deny
Evaluation   All rules           Ordered by number
Default      Deny all inbound    Allow all
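The differences in the comparison table are easiest to see by running both rule models over the same packets. The script below is an added example (not part of the lesson or of any AWS tooling) that simulates the two evaluation models for the security group chain and the NACL table above: a NACL is evaluated in ascending rule number, stops at the first match and denies when nothing matches, with no memory of earlier packets; a security group admits a packet if any allow rule matches and then records the flow so that the reply passes without a rule of its own. All IP addresses, the rule-90 deny row, the outbound ephemeral-port rule and the locked-down DB egress are constructed for the demonstration and are not in the lesson.

```python
import ipaddress
from collections import namedtuple

# Constructed data model; ports are inclusive (low, high) tuples
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto", defaults=["tcp"])
# NACL rule: number decides evaluation order; cidr is the source for inbound rules and
# the destination for outbound rules; action is "allow" or "deny"
NaclRule = namedtuple("NaclRule", "number proto ports cidr action")
# Security group rule: peer is either a CIDR or another group's id ("sg-...")
SgRule = namedtuple("SgRule", "proto ports peer")


def _proto_port_hit(rule, pkt):
    return rule.proto in ("all", pkt.proto) and rule.ports[0] <= pkt.dst_port <= rule.ports[1]


def _cidr_hit(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def nacl_evaluate(rules, pkt, inbound):
    """NACL semantics: stateless, ascending rule number, first match wins,
    implicit '*' deny when nothing matches."""
    peer = pkt.src_ip if inbound else pkt.dst_ip
    for r in sorted(rules, key=lambda r: r.number):
        if _proto_port_hit(r, pkt) and _cidr_hit(peer, r.cidr):
            return r.action
    return "deny"


class SecurityGroupEngine:
    """Security group semantics: stateful, allow-only, any matching rule admits."""

    def __init__(self, ingress, egress, membership):
        self.ingress = ingress        # sg id -> [SgRule], peer = source
        self.egress = egress          # sg id -> [SgRule], peer = destination; absent = AWS default allow-all
        self.membership = membership  # instance ip -> sg id
        self.tracked = set()          # connection table: (src_ip, src_port, dst_ip, dst_port)

    def _peer_hit(self, rule, ip):
        if rule.peer.startswith("sg-"):               # rule that references another group
            return self.membership.get(ip) == rule.peer
        return _cidr_hit(ip, rule.peer)

    def _any_rule_hit(self, rules, pkt, peer_ip):
        return any(_proto_port_hit(r, pkt) and self._peer_hit(r, peer_ip) for r in rules)

    def inbound(self, pkt):
        rules = self.ingress.get(self.membership.get(pkt.dst_ip), [])
        if self._any_rule_hit(rules, pkt, pkt.src_ip):
            self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "allow"
        return "deny"

    def outbound(self, pkt):
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.tracked:
            return "allow"            # stateful: the reply to a tracked flow needs no egress rule
        sg_id = self.membership.get(pkt.src_ip)
        if sg_id not in self.egress:
            return "allow"            # AWS default egress rule: all traffic to 0.0.0.0/0
        return "allow" if self._any_rule_hit(self.egress[sg_id], pkt, pkt.dst_ip) else "deny"


def demo():
    """Run the lesson's rules against constructed packets (all addresses are made up)."""
    # Inbound rows from the lesson's NACL table, plus a constructed rule 90 that shadows rule 100
    inbound_nacl = [
        NaclRule(90, "tcp", (80, 80), "198.51.100.0/24", "deny"),
        NaclRule(100, "tcp", (80, 80), "0.0.0.0/0", "allow"),
        NaclRule(110, "tcp", (443, 443), "0.0.0.0/0", "allow"),
        NaclRule(120, "tcp", (22, 22), "10.0.0.0/16", "allow"),
    ]
    # Outbound rule a stateless NACL needs so replies to client ephemeral ports can leave
    ephemeral_out = [NaclRule(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow")]
    request = Packet("203.0.113.5", 51515, "10.0.1.10", 80)  # internet client -> web server
    reply = Packet("10.0.1.10", 80, "203.0.113.5", 51515)    # the web server's answer
    results = {
        "nacl_request": nacl_evaluate(inbound_nacl, request, True),
        "nacl_reply_no_ephemeral_rule": nacl_evaluate([], reply, False),
        "nacl_reply_with_ephemeral_rule": nacl_evaluate(ephemeral_out, reply, False),
        "nacl_ssh_from_internet": nacl_evaluate(inbound_nacl, Packet("203.0.113.5", 4000, "10.0.1.10", 22), True),
        "nacl_deny_shadows_allow": nacl_evaluate(inbound_nacl, Packet("198.51.100.7", 4001, "10.0.1.10", 80), True),
    }
    sg = SecurityGroupEngine(
        ingress={"sg-web": [SgRule("tcp", (80, 80), "0.0.0.0/0"), SgRule("tcp", (443, 443), "0.0.0.0/0")],
                 "sg-app": [SgRule("tcp", (3000, 3000), "sg-web")],
                 "sg-db": [SgRule("tcp", (5432, 5432), "sg-app")]},
        egress={"sg-db": []},  # constructed: DB tier egress locked down, nothing may leave unsolicited
        membership={"10.0.1.10": "sg-web", "10.0.10.10": "sg-app", "10.0.20.10": "sg-db"},
    )
    results["sg_app_to_db"] = sg.inbound(Packet("10.0.10.10", 40000, "10.0.20.10", 5432))
    results["sg_web_to_db_direct"] = sg.inbound(Packet("10.0.1.10", 40001, "10.0.20.10", 5432))
    results["sg_db_reply_to_app"] = sg.outbound(Packet("10.0.20.10", 5432, "10.0.10.10", 40000))
    results["sg_db_unsolicited_egress"] = sg.outbound(Packet("10.0.20.10", 5000, "203.0.113.5", 443))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

Two of the verdicts are the ones that bite in practice. With only the lesson's inbound NACL rows and no outbound row for ports 1024-65535, the web server's reply to a client is dropped at the subnet boundary even though the request was allowed, because the NACL keeps no connection state. And the constructed rule 90 shows why rule numbers matter: a lower-numbered deny wins over rule 100's allow for the addresses it covers, whereas a security group has no deny rules and no ordering to reason about.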

VPC Peering & Endpoints

# Gateway VPC Endpoint for S3: adds an S3 prefix-list route to the private route table, so S3 traffic stays on the AWS network with no IGW or NAT needed
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-xxx \
  --service-name com.amazonaws.us-east-1.s3 \
  --route-table-ids rtb-private
 
# VPC Peering between environments (the owner of the peer VPC must accept the request, and each VPC needs a route to the other's CIDR)
aws ec2 create-vpc-peering-connection \
  --vpc-id vpc-staging \
  --peer-vpc-id vpc-production

Summary

You've learned:

  • Multi-tier VPC architecture design
  • Public and private subnet configuration
  • NAT Gateways for outbound internet access
  • Defense-in-depth with Security Groups and NACLs
  • VPC Endpoints and Peering for secure connectivity

Next Steps

You now have a complete AWS compute foundation. Combine with Terraform for infrastructure as code, and CloudWatch for monitoring your entire AWS environment.