Design secure VPCs with public, private, and database subnets. Master Security Groups, NACLs, NAT Gateways, and VPC connectivity options.
VPC — Your Private Network in AWS
A VPC is your own private, isolated section of the AWS cloud. Think of it as your own personal data center network inside AWS — you control the IP addresses, subnets, routing, and security rules.
Teacher Note: Imagine VPC is like your office building. Public subnets are the reception and lobby (anyone can access). Private subnets are the offices and server rooms (only employees can enter). Database subnets are the vault (only specific servers can reach it).
Three-Tier Architecture — The Standard Design
```
Internet
    |
[Internet Gateway]
    |
+--Public Subnet (ALB, NAT Gateway)--+
    |
+--Private Subnet (EC2, ECS, Lambda)--+
    |
+--Database Subnet (RDS, ElastiCache)--+
```
Key VPC Components
| Component | Purpose | Key Fact |
|---|---|---|
| Internet Gateway (IGW) | Allows internet traffic IN and OUT for public subnets | One per VPC, bidirectional |
| NAT Gateway | Lets private subnets reach internet (outbound only) | Deploy one per AZ for HA |
| Security Groups | Instance-level stateful firewall — Allow rules only | Return traffic auto-allowed |
| NACLs | Subnet-level stateless firewall — Allow AND Deny rules | Must allow ephemeral ports for return traffic |
| Route Tables | Control where traffic flows between subnets | Each subnet needs one |
| VPC Endpoints | Access AWS services (S3, DynamoDB) without internet | FREE for Gateway type |
Security Groups vs NACLs
| Feature | Security Group | NACL |
|---|---|---|
| Level | Instance (EC2, RDS) | Subnet |
| State | Stateful — return traffic auto-allowed | Stateless — must allow both directions |
| Rules | Allow only | Allow AND Deny |
| Order | All rules evaluated | Rules evaluated in number order |
| Use case | Primary access control | Block specific IPs, additional layer |
Connecting VPCs and Networks
- VPC Peering: direct connection between two VPCs — NOT transitive (A-B-C does not mean A can reach C)
- Transit Gateway: hub-and-spoke for many VPCs — solves the transitive peering limitation
- Site-to-Site VPN: encrypted tunnel over internet to on-premises — quick to set up
- Direct Connect: dedicated private line to AWS — consistent latency, expensive, 1-3 months to provision
- PrivateLink: expose your service to other VPCs privately without peering or public internet
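The three-tier diagram and the peering note above both come down to what is in each route table. The following Python model is an added example, not code from the original notes or from AWS: it implements the longest-prefix-match lookup that AWS route tables use and then asks, for each tier, where a packet to the internet goes, and whether VPC A can reach VPC C through B. The CIDRs, the target names (`igw-EXAMPLE`, `nat-EXAMPLE`, `pcx-ab`, `vpce-s3-EXAMPLE`) and the stand-in S3 prefix are all constructed for the example.

```python
"""Added example (not part of the original study notes): a small model of AWS
route-table lookups for a three-tier VPC plus two peering connections.

Assumptions: every CIDR, target id and the placeholder S3 prefix below are
constructed; resolve() implements longest-prefix match, which is the lookup
rule AWS route tables use.
"""
from ipaddress import ip_address, ip_network

VPC_A = "10.0.0.0/16"   # the three-tier VPC
VPC_B = "10.1.0.0/16"
VPC_C = "10.2.0.0/16"

# Placeholder for the Amazon-managed S3 prefix list (TEST-NET-3, not a real S3 range).
S3_PREFIXES = ["203.0.113.0/24"]

# Each route is (destination CIDR, target). Every table carries the mandatory local route.
ROUTE_TABLES = {
    # Public tier: default route straight to the Internet Gateway.
    "public":   [(VPC_A, "local"), ("0.0.0.0/0", "igw-EXAMPLE")],
    # Private tier: default route through the NAT Gateway, plus a gateway-endpoint
    # route for S3 so that S3 traffic never goes near the NAT or the internet.
    "private":  [(VPC_A, "local"), ("0.0.0.0/0", "nat-EXAMPLE")]
                + [(p, "vpce-s3-EXAMPLE") for p in S3_PREFIXES],
    # Database tier: local route only, so there is no path to the internet at all.
    "database": [(VPC_A, "local")],
    # Peering: A<->B and B<->C are peered; nobody created an A<->C connection.
    "vpc_a":    [(VPC_A, "local"), (VPC_B, "pcx-ab")],
    "vpc_b":    [(VPC_B, "local"), (VPC_A, "pcx-ab"), (VPC_C, "pcx-bc")],
    "vpc_c":    [(VPC_C, "local"), (VPC_B, "pcx-bc")],
}


def resolve(table_name, dst):
    """Return the target for dst by longest-prefix match, or None if no route matches."""
    addr = ip_address(dst)
    best = None
    for cidr, target in ROUTE_TABLES[table_name]:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def egress_path(tier, dst="8.8.8.8"):
    """List the hops a packet from `tier` to dst takes on its way out.

    A NAT Gateway lives in the public subnet, so anything it forwards is routed
    again by the public subnet's table (which is why the NAT needs an IGW route).
    """
    hops, table = [], tier
    while True:
        target = resolve(table, dst)
        if target is None:
            return hops + ["NO ROUTE"]
        hops.append(target)
        if target.startswith("nat-"):
            table = "public"   # continue from the NAT Gateway's own subnet
            continue
        return hops


if __name__ == "__main__":
    for tier in ("public", "private", "database"):
        print(f"{tier:9s} -> internet: {' -> '.join(egress_path(tier))}")
    print("private  -> S3 prefix :", resolve("private", "203.0.113.10"))
    print("vpc_a    -> host in C :", resolve("vpc_a", "10.2.0.5"))   # None: not transitive
    print("vpc_b    -> host in C :", resolve("vpc_b", "10.2.0.5"))   # pcx-bc
```

Two things the output shows that the diagram alone does not: the private tier's internet path is two lookups long (`nat-EXAMPLE` then `igw-EXAMPLE`), and the more specific S3 prefix wins over `0.0.0.0/0`, which is how a gateway endpoint keeps S3 traffic off the NAT. For peering, VPC A has no route at all for VPC C's range; even if an operator added one pointing at `pcx-ab`, AWS would not forward it across B's second peering, which is the non-transitivity the bullet above describes.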
Exam Tip: Most common exam trap: Security Groups are STATEFUL (return traffic auto-allowed). NACLs are STATELESS (you must add rules for BOTH directions including ephemeral ports 1024-65535 for TCP responses).
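To see the stateful versus stateless difference from the comparison table and the exam tip in action, here is an added example, written for these notes and not taken from AWS or the original page. It models a Security Group and a Network ACL as small Python classes and runs one HTTPS request and its response through each: the Security Group passes the response because the flow is tracked, the NACL drops it until an outbound rule for the ephemeral range 1024-65535 exists, and a "block this /24" deny rule only works when its number sorts before the allow. The client addresses, ports and rule numbers are constructed for the example.

```python
"""Added example, not part of the original study notes: a minimal model of how
a Security Group (stateful, allow-only) and a Network ACL (stateless, numbered
allow/deny) each judge an HTTPS request and its response.

Assumptions: the port numbers, client addresses and rule numbers are
constructed; the ephemeral range 1024-65535 is the one the exam tip quotes.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (toward the instance/subnet) or "out" (away from it)
    proto: str
    peer_ip: str     # remote address: the source for "in", the destination for "out"
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int      # NACL evaluation order; Security Groups ignore it
    action: str      # "allow" or "deny" (Security Groups only ever carry "allow")
    proto: str
    port_from: int
    port_to: int
    cidr: str = "0.0.0.0/0"


def matches(rule, pkt):
    return (rule.proto in (pkt.proto, "all")
            and rule.port_from <= pkt.dst_port <= rule.port_to
            and ip_address(pkt.peer_ip) in ip_network(rule.cidr))


def flow_key(pkt):
    """Identify a connection independently of direction: (proto, peer, peer port, local port)."""
    if pkt.direction == "in":
        local_port, peer_port = pkt.dst_port, pkt.src_port
    else:
        local_port, peer_port = pkt.src_port, pkt.dst_port
    return (pkt.proto, pkt.peer_ip, peer_port, local_port)


class SecurityGroup:
    """Stateful: once a packet is allowed, packets of the same flow in the other
    direction are allowed too, whatever the rules for that direction say."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.tracked = set()

    def allows(self, pkt):
        if flow_key(pkt) in self.tracked:          # return traffic of a known flow
            return True
        rules = self.inbound if pkt.direction == "in" else self.outbound
        if any(r.action == "allow" and matches(r, pkt) for r in rules):  # all rules checked
            self.tracked.add(flow_key(pkt))
            return True
        return False


class NetworkAcl:
    """Stateless: each direction is judged only on its own rules, in ascending
    rule number, first match wins; anything unmatched hits the implicit '*' deny."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)

    def allows(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for r in sorted(rules, key=lambda r: r.number):
            if matches(r, pkt):
                return r.action == "allow"
        return False


CLIENT = "192.0.2.10"   # TEST-NET-1, constructed client address
REQUEST = Packet("in", "tcp", CLIENT, src_port=51000, dst_port=443)    # client -> server
RESPONSE = Packet("out", "tcp", CLIENT, src_port=443, dst_port=51000)  # server -> client


def https_round_trip(fw):
    """(request allowed, response allowed) for one HTTPS exchange through fw."""
    return fw.allows(REQUEST), fw.allows(RESPONSE)


def demo():
    allow_443 = Rule(100, "allow", "tcp", 443, 443)
    # The Security Group deliberately has no outbound allow at all: the response
    # still passes, purely because the inbound request was tracked.
    sg = SecurityGroup(inbound=[allow_443], outbound=[])
    nacl_missing = NetworkAcl(inbound=[allow_443], outbound=[])
    nacl_fixed = NetworkAcl(inbound=[allow_443],
                            outbound=[Rule(100, "allow", "tcp", 1024, 65535)])
    return {
        "security_group": https_round_trip(sg),                # (True, True)
        "nacl_no_ephemeral": https_round_trip(nacl_missing),   # (True, False): response dropped
        "nacl_with_ephemeral": https_round_trip(nacl_fixed),   # (True, True)
    }


def blocklist_ordering(deny_number):
    """A NACL deny for one /24 only takes effect if its number sorts before the allow."""
    nacl = NetworkAcl(inbound=[Rule(deny_number, "deny", "tcp", 443, 443, "198.51.100.0/24"),
                               Rule(100, "allow", "tcp", 443, 443)], outbound=[])
    return nacl.allows(Packet("in", "tcp", "198.51.100.7", 51000, 443))


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} request={result[0]} response={result[1]}")
    print("deny numbered 50 blocks:", not blocklist_ordering(50))    # True
    print("deny numbered 150 blocks:", not blocklist_ordering(150))  # False
```

The NACL result is the exam trap in one line: the request is admitted by rule 100, but the reply leaves on destination port 51000, and a stateless filter has no memory of the request, so without the outbound 1024-65535 allow it is dropped. The `blocklist_ordering` check is the other table row made concrete: the deny rule is only reached if no lower-numbered rule matched first.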