Skip to content

VPC Concepts

General Info

  • Each VPC is isolated even if it shares its IP address space
  • Max 5 VPC within 1 Region (soft limit)
  • Spans all AZs in a single region


Basics Optional
  • Subnet
  • Route Table
  • DHCP Option Set
  • Security Groups
  • ACLs
  • IGW
  • EIP
  • ENI
  • Endpoint
  • Peering
  • NAT


  • Segment of VPC IP address range
  • Defined by CIDR blocks

    Protocol Size Address Ranges
    IPv4 /28 (16 addresses) - /16 (65,536 addresses) Up to 5 (1 primary and 4 secondary)
    IPv6 /56
  • Within a single AZ (cannot span AZ)
  • Should not overlap any network with which they are connected
  • Can be shared across accounts
IP Addresses
  • Internal IP address range is always private (non-routable over the Internet)
  • 5 IP addresses are reserved in every subnet
    • X.X.X.0: network address
    • X.X.X.1: VPC router
    • X.X.X.2: Amazon DNS server
    • X.X.X.3: reserved for future use
    • X.X.X.255: network broadcast address (reserved as broadcast not supported in AWS)


Class Description
Public Route table includes an IGW (Internet Gateway)
  • Route table does not include an IGW
  • Indirect access to Internet via NAT
  • Route table does not include an IGW
  • Route table directs traffic to VPG
Default VPC
  • 1 in each Region (, with 1 default Subnet (/20) in each AZ
  • Has an IGW by default, and instances are given public IP addresses → default VPC is public
  • All instances get a public and private IP address by default at launch time

Addressing (RT/EIP/ENI)

Route Tables (RT)
  • Each VPC has a main route table
    • default to Private Subnet
    • can be modified/replaced
    • each subnet can have only one RT associated to it
  • Each RT has a default route (local route)
    • enable comms in the VPC
    • cannot be modified/removed
  • Targets
    • Each route specifies a destination CIDR + target
    • Most specific route determines how to route the traffic

DHCP Option Sets

Domain Name Servers IP address of <=4 domain name servers
default = AmazonProvidedDNS
Domain Name desired domain name (
default = domain name of the region
NTP Servers IP addressed of <=4 NTP
Netbios Name Servers <=4
Netbios Node Type 2
Elastic IPs (EIP)
  • Static Public IP in the pool for the Region
  • Charged even when they are not associated to an EC2
  • Rules
    • 1st allocate the EIP, then assign to EC2
    • EIP is specific to a Region (max 5)
    • 1-1 relationship: network interface <--> EIP
    • EIP can be moved
      • instance
      • VPC
      • but in SAME region
    • Need to be explicitly released
Elastic Network Interfaces (ENI)
  • Virtual NI associated with a Subnet, attached to 1 Instance
  • Has 1+ IP addresses, 1 MAC address, 1+ security groups
  • Can have 1 PUBLIC IP, multiple PRIVATE IPs
  • Instances with a public/elastic IP also get a public DNS hostname
  • Created independently from an instance → persists regardless of the lifetime of any instances to which it is attached

Egress Options

Internet Gateway (IGW) Definition
  • Allows EC2 to communicate with Internet
  • IGW provides a target in RT for Internet routable traffic
  • Performs NAT for instances that have PUBLIC IPs
  • Only 1 IGW can be attached per VPC and each IGW can only be attached to a single VPC
  • HA + Redundant + Horizontally scaled → fault tolerant
  • EC2 in VPC are only aware of their PRIVATE IP
  • Traffic
    • Instance --> Internet = IGW translates reply address to instance's PUBLIC IP or EIP
    • Internet --> Instance = IGW translates dest address (PUBLIC IP) to the PRIVATE IP
  • Creation
    1. Create public subnet with internet access
      • attach IGW to VPC
      • create RT rule for all non-local traffic: -> IGW
      • configure SG & ACL to allow relevant traffic
    2. Enable EC2 to send/receive traffic from Internet (assign a Public IP or EIP)
Egress Only Internet Gateway
  • Only used to enable outbound IPv6 traffic from the VPC
  • Does not support NAT
NAT Gateway (NAT-GW) Definition
  • Allows private subnets to indirect access to the Internet (by default, any instance launched in a PRIVATE subnet is not able to communicate with Internet through IGW)
  • Allows OUTBOUND but prevents INBOUND (prevents unsolicited inbound connections but allow outbound connections for instances without a PUBLIC IP)
  • Within a public subnet, in a specific AZ
  • You cannot assign a SG to a NAT gateway
  • HA + Single AZ
  • High-level
    • The subnet's NACL applies, but NAT Gateways aren't in any security groups
    • Has an EIP
    • Connects to an IGW
  • Process
    • Configure RT of PRIVATE subnet to direct Internet-bound traffic to NAT-GW ( -> NAT-GW)
    • Allocate an EIP & associate it with the NAT-GW
NAT-GW vs NAT Instances
CharacteristicsNAT InstanceNAT-GW
High availabilityUse AutoScaling groups and multiple subnetsDeploy in each AZ and more than 1 private subnet
PerformanceDepends on the NAT instance type and sizeIt can scale up to 45 Gbps
MaintenanceYou need to manage SW updates/patchesManaged by AWS
Type and sizeYou chooseSingle offering
Traffic monitoringCloudWatch standard instance metricsPredefined CloudWatch metrics for NAT gateways
VPC Peerings Definition
  • Connection between 2 VPCs (can be in different account, but same region)
  • 1-to-1 relationship
  • Does not support transitive routing
  • Created through request/accept protocol
  • Can't peer 2 VPCs with overlapping CIDR blocks
  • Can't peer 2 VPCs in different regions
  • Can't have more than 1 peering between some 2 VPCs (1-to-1 relationship)
  • VPC peering connections in the same region do not use encryption, but the connections are labeled as private
  • Cross-region connections use encryption and also use the AWS private network
VPC Endpoints Definition
  • Creates a private connection between VPC & another AWS service
  • Use a proxy to pass traffic to the service API endpoint, bypassing the AWS network entirely
  • Without requiring access to the Internet or through a NAT/VPN/Direct Connect
  • Currently supports S3 & Dynamo, and no cross-region
  • HA + Redundant + Horizontally scaled → fault tolerant
  • Specify the VPC
  • Specify the service (com.amazonaws.<region>.<service>)
  • Specify the policy (full access or custom)
  • Specify the RT (SERVICE (destination) --> ENDPOINT (target))
Example - No Endpoint
  • all internet traffic is directed to IGW-1
  • any traffic from the subnet that is destined for another service will be sent to the IGW
Example - With Endpoint
  • all S3 traffic is directed to the VPC Endpoint (in the same region)
  • traffic for different regions goes through IGW-1
  • Endpoint policies: resource policies that constrain what service actions are possible via that endpoint
  • S3 bucket policies can limit access to a specific endpoint or VPC using aws:sourceVpce and aws:sourceVpc:
    { "Sid": "specific-vpc-endpoint",
    "Condition": { "StringNotEquals": { "aws:sourceVpce": "vpce-1a2b3c4d" } }
  • Similarly can use aws:sourceVpce in an identity policy for DynamoDB
Gateway Endpoint
  • Gateway in the VPC that you route to with a special-case entry in route tables
  • S3 and DynamoDB only (they don't have interface endpoints) in the SAME region
  • Not attached to a subnet
  • See Choosing Your VPC Endpoint Strategy for Amazon S3 for selecting the right VPC endpoint type to access Amazon S3
Interface Endpoint (PrivateLink)
  • ENI with a private IP address
  • Several services including EC2, ELB, SNS, CloudWatch, Systems Manager, and various Marketplace products
  • Has an endpoint specific DNS hostname
  • Private DNS allows you to use the normal hostname for the services, by creating a DNS zone in the VPC using Route53 that has a record for the service that resolves to the interface's private IP address
Transit Gateway
  • A hub that controls how traffic is routed among all the connected networks which act like spokes
  • Instead of lots of (1:1) VPC peering relationships and lots of (1:1) VPN connections, connect each VPC to the single transit gateway and manage centrally

Virtual Private Networks

Virtual Private GW (VPG)
  • Allows to connect an existing data center to a VPC
  • IPSec VPN concentrator attached to a VPC on the AWS side
  • Need a corresponding customer gateway (CGW) in the other network(s)
  • HA + Active/Passive
Customer GW (CGW)
  • On the customer side
  • VPN tunnel established after traffic is generated from customer side
  • CGW IP must be unique in a region
  • Dynamic Routing: if CGW supports BGP
  • Static Routing: if CGW does not support BGP (RTs need updating to point at customer gateway)


Kind Service Price
Traffic Inbound traffic from Internet free
Outbound cross-region traffic charged + fees based on the gateway used
Same-AZ network traffic free EXCEPT if a public IP is the destination
Different-AZ network traffic charged if the resource is AZ scoped
Gateways Internet Gateway free
NAT Gateways charged hourly and based on throughput
VPGs charged hourly and for VPN throughput
Gateway Endpoints free
Transit Gateway Attachments charged hourly and for traffic throughput
Interface Endpoints and Privatelink charged hourly and for traffic throughput
Networking Route tables and NACLs free
VPC Peering connections charged hourly and for traffic throughput (even to the same AZ)
Traffic Mirroring charged hourly per ENI that has mirroring enabled
VPC Flow logs charged according to the amount of traffic processed


  • Dedicate WAN link to AWS
    • Does not involve the Internet
    • It uses dedicated, private network connections between your intranet and Amazon VPC
  • Alternative backend to Virtual Private Gateway instead of "vanilla internet"
  • Doesn't use encryption
  • Virtual interfaces can be
    • private: access to a VPC
    • public: access to AWS public endpoints
  • Can have multiple interfaces per connection if its fast enough