
AWS VPC: Build a Production-Ready Network Architecture

Ben Rodriguez
Solutions Architect
Jul 05, 2025
22 min read

What You'll Learn

How to architect a production-ready AWS VPC — public vs private subnets, Internet Gateways, NAT Gateways, Route Tables, and Security Groups.

What is a VPC?

Amazon Virtual Private Cloud (VPC) lets you provision a logically isolated section of the AWS Cloud where you launch AWS resources in a virtual network that you define. It is the foundational networking layer for AWS.

Standard Production VPC Architecture (3-Tier)

VPC (10.0.0.0/16)
  • Internet Gateway (IGW), attached to the VPC
  • Availability Zone A (us-east-1a)
      • Public Subnet 10.0.1.0/24: has a route to the IGW, public IPs (NAT Gateway, Bastion Host, ALB)
      • Private App Subnet 10.0.10.0/24: route to the NAT Gateway, no public IP (EC2, ECS, EKS workers)
      • Private DB Subnet 10.0.20.0/24: no internet access at all (RDS, ElastiCache)
  • Availability Zone B (us-east-1b)
      • Public Subnet 10.0.2.0/24: has a route to the IGW, public IPs (NAT Gateway, Bastion Host, ALB)
      • Private App Subnet 10.0.11.0/24: route to the NAT Gateway, no public IP (EC2, ECS, EKS workers)
      • Private DB Subnet 10.0.21.0/24: no internet access at all (RDS, ElastiCache)

Core VPC Components Explained

Internet Gateway (IGW)

A horizontally scaled, redundant component that allows communication between your VPC and the internet. You attach one IGW to your VPC.

NAT Gateway

Lives in the Public Subnet. Allows instances in private subnets to connect to the internet (e.g., to download OS updates) but prevents the internet from initiating connections to those instances.

Route Tables

A set of rules that determine where network traffic is directed.

  • Public Route Table: Destination 0.0.0.0/0 → Target igw-12345 (Internet Gateway)
  • Private Route Table: Destination 0.0.0.0/0 → Target nat-12345 (NAT Gateway)

Security: Security Groups vs NACLs

Security Groups (SG)

  • Operates at the Instance level (EC2, RDS).
  • Stateful: If you allow incoming traffic, the return traffic is automatically allowed.
  • Allow rules only: You cannot create "deny" rules. By default, all inbound is denied.
  • Evaluates all rules before deciding.

Network ACLs (NACL)

  • Operates at the Subnet level.
  • Stateless: You must explicitly allow BOTH inbound and outbound traffic.
  • Allow AND Deny rules: You can explicitly block specific IPs.
  • Evaluated in order (lowest number first).
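
To make the two evaluation models concrete, here is a small Python model of the rules above, added for this article (it is not AWS code and does not call the AWS API): NACL rules are evaluated lowest number first with the first match winning and an implicit final deny, security groups evaluate every allow rule and ignore any "deny", and a connection through a NACL only succeeds if an outbound rule also allows the reply to the client's ephemeral port. The rule sets and addresses are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    """One firewall rule. `number` orders NACL rules; security groups ignore it."""
    number: int
    action: str                              # "allow" or "deny"; SGs only carry "allow"
    cidr: str
    ports: Optional[Tuple[int, int]] = None  # inclusive (low, high); None = any port

def _matches(rule: Rule, ip: str, port: int) -> bool:
    in_cidr = ip_address(ip) in ip_network(rule.cidr)
    in_ports = rule.ports is None or rule.ports[0] <= port <= rule.ports[1]
    return in_cidr and in_ports

def nacl_allows(rules: List[Rule], ip: str, port: int) -> bool:
    """NACL semantics: evaluated lowest number first, first match wins,
    so a deny numbered below an allow takes precedence over it."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, ip, port):
            return rule.action == "allow"
    return False  # nothing matched: the implicit final '*' deny

def sg_allows(rules: List[Rule], ip: str, port: int) -> bool:
    """Security-group semantics: allow rules only; every rule is evaluated
    and any match permits the traffic. A 'deny' entry has no effect."""
    return any(r.action == "allow" and _matches(r, ip, port) for r in rules)

def connection_allowed(kind: str, inbound: List[Rule], outbound: List[Rule],
                       client_ip: str, dst_port: int, client_port: int) -> bool:
    """Does a TCP connection from client_ip:client_port to dst_port succeed,
    counting the reply packet? SGs are stateful, so the reply is implicitly
    allowed. NACLs are stateless, so the reply to the client's ephemeral
    port needs its own outbound allow rule."""
    if kind == "sg":
        return sg_allows(inbound, client_ip, dst_port)
    if kind == "nacl":
        return (nacl_allows(inbound, client_ip, dst_port)
                and nacl_allows(outbound, client_ip, client_port))
    raise ValueError(f"unknown rule kind: {kind}")

# Constructed sample rule sets for an HTTPS web tier (not from a real account).
NACL_IN = [Rule(100, "deny", "203.0.113.0/24"),               # block one abusive range
           Rule(110, "allow", "0.0.0.0/0", (443, 443))]
NACL_OUT = [Rule(100, "allow", "0.0.0.0/0", (1024, 65535))]  # replies to ephemeral ports
SG_IN = [Rule(0, "allow", "0.0.0.0/0", (443, 443))]
```

Swapping the NACL rule numbers so the allow sits below the deny makes the deny unreachable for port 443, which is the ordering mistake the "lowest number first" rule is warning about.
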

AWS CLI — Creating the basics

# Create VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16
# outputs vpc-0abc123...

# Enable DNS hostnames (the attribute takes a structure value, not a bare flag)
aws ec2 modify-vpc-attribute --vpc-id vpc-0abc123 --enable-dns-hostnames '{"Value":true}'

# Create Public Subnet
aws ec2 create-subnet --vpc-id vpc-0abc123 --cidr-block 10.0.1.0/24 --availability-zone us-east-1a
# outputs subnet-0def456...
# Enable auto-assign public IP
aws ec2 modify-subnet-attribute --subnet-id subnet-0def456 --map-public-ip-on-launch

# Create Internet Gateway and attach to VPC
aws ec2 create-internet-gateway
# outputs igw-012345...
aws ec2 attach-internet-gateway --vpc-id vpc-0abc123 --internet-gateway-id igw-012345
# The subnet only becomes "public" once its route table sends 0.0.0.0/0 to this IGW (see Route Tables above)

# Note: For production, NEVER do this manually. Use Terraform!
