Skip to content

Key Points#

Virtual Private Cloud (VPC)

A VPC is a software defined network that you use to contain your AWS resources. It depends a networking boundary around those resources, a boundary that you further reduce down into smaller software defined networks called subnets (something we cover later on.) The best way of thinking of a VPC is like the router you have at home, the one your Internet provider gave you: it's a private network that lets all the devices "attached" to it talk to each other, but it also enables you to talk to other devices on the public Internet too.

A VPC resides inside of a single AWS account and represents a network.

A very common VPC CIDR range is /16.


Subnets are used to further divide up a VPC network into smaller units that act as smaller network boundaries. These boundaries are used to define customise routing behaviour for the resources inside the subnet, as well as security policies that restrict traffic to and from the subnet called Network Access Control Lists (NACL).

A subnet has a Route Table attached to it which defines the rules about how traffic is routed inside of the VPC and to external destination IP addresses. This Route Table also defines if the subnet is a private or public subnet.

Subnets have their own CIDR range which has to be smaller than the VPC's CIDR. If your VPC is a /16, then you subnet has to be a /17 or smaller, to the smallest unit allowed in AWS: a /28.

A common subnet CIDR range is /24 (256 address in theory; 251 in AWS).

Internet Gateways (IGW)

IGWs are attached to VPCs and act as a router between the resources inside the VPC and the public Internet. They're completely transparent to the resources using them, and all that's required to use an IGW is a Route Table rule that directs traffic aimed for any IP address outside of the subnet or VPC range (

IGWs also allow traffic to come into a VPC, introducing security concerns when used.

The resources inside of a VPC need a public IPv4 or IPv6 address before they're able to use the attached IGW for sending or receiving traffic to or from the public Internet.

NAT Gateways (NATGW)

NATGWs are managed devices that you create inside of a subnet (which is inside of a VPC) to provide Network Address Translation (NAT) to the resources inside the subnet. The objective is to avoid public IPv4 or IPv6 addresses being attached to EC2 Instances directly, but still allowing the to send (but not receive) traffic to the public Internet.

NATGWs provide NAT services which literally "translate" the private IP addresses of your resources to a single public IPv4 or IPv6 address (and back again) so that your resources can download information from external networks on the public Internet.

NATGWs are not attached to the VPC like an IGW is. In fact, a NATGW is actually specific to a subnet, which means it's bound to the availability of an AWS Availability Zone (AZ). If that AZ goes down, your NATGW cannot provide NAT services to the resources inside the AZ. NATGWs are, therefore, not redundant like an IGW.

Route Tables

A Route Table is attached to a subnet and acts as a set of rules for where traffic should be sent. By default, every Route Table has a rule that allows the subnet to speak to every other subnet inside of the same VPC. You can add additional rules for when a subnet is outside of the VPC or for when the IP addresses is a public IP.

When a Route Table offers a rule to the subnet that routes traffic to the public Internet, the subnet is considered a "public subnet, otherwise it's known as private.

When using the rule to direct traffic to the public Internet, the Route Table can send the traffic to an IGW, a NATGW, a security appliance (something we don't cover in this course) or some other routing device.