VPC Basics
- VPC is region-specific. Subnets are AZ-specific.
- Default VPC has one public subnet per AZ with internet access.
- CIDR block range: /16 (65,536 IPs) to /28 (16 IPs).
- AWS reserves 5 IP addresses in each subnet.
- One Internet Gateway per VPC. Attach it and update route tables.
Subnets & Routing
- Public subnet: route table has 0.0.0.0/0 → IGW.
- Private subnet: route table has 0.0.0.0/0 → NAT Gateway.
- NAT Gateway: lives in a public subnet, is fully managed, and is resilient within its own AZ (not across AZs).
- For HA: deploy one NAT Gateway per AZ.
- Route tables use longest-prefix match: the most specific route wins.
Security Groups vs NACLs
- Security Groups: stateful, allow rules only, instance-level.
- NACLs: stateless, allow & deny rules, subnet-level.
- Default SG: denies all inbound, allows all outbound.
- Default NACL: allows all inbound and outbound.
- Use NACLs to block specific IP addresses.
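The stateful/stateless difference above is the one that bites in practice: a security group lets reply traffic back out automatically, while a NACL needs an explicit outbound rule for ephemeral ports or the reply is dropped. The model below is an added illustration (not AWS code); the addresses, rule numbers and port ranges are constructed, and rule matching is simplified to direction, remote CIDR and destination port.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:                          # inbound=True: packet entering the subnet/instance
    src: str; dst: str; sport: int; dport: int; inbound: bool

@dataclass(frozen=True)
class Rule:                         # direction, remote CIDR, destination port range, action
    inbound: bool; cidr: str; port_lo: int; port_hi: int; action: str = "allow"
    def matches(self, p: Pkt) -> bool:
        peer = p.src if p.inbound else p.dst                  # remote side of the flow
        return (self.inbound == p.inbound
                and ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr)
                and self.port_lo <= p.dport <= self.port_hi)

class SecurityGroup:
    """Stateful, allow-only: replies to an allowed flow pass without their own rule."""
    def __init__(self, rules): self.rules, self.flows = rules, set()
    def check(self, p: Pkt) -> bool:
        answers = (p.dst, p.src, p.dport, p.sport)            # flow this packet replies to
        if answers in self.flows or any(r.matches(p) for r in self.rules):
            self.flows.add((p.src, p.dst, p.sport, p.dport))  # remember the flow
            return True
        return False

class NetworkACL:
    """Stateless: every packet judged alone, lowest rule number first, implicit deny."""
    def __init__(self, numbered):                             # list of (rule_number, Rule)
        self.rules = [r for _, r in sorted(numbered, key=lambda t: t[0])]
    def check(self, p: Pkt) -> bool:
        for r in self.rules:
            if r.matches(p):
                return r.action == "allow"
        return False                                          # the trailing "*" deny rule

CLIENT, SERVER = "203.0.113.10", "10.0.1.25"                  # constructed sample addresses
REQUEST = Pkt(CLIENT, SERVER, 51000, 443, inbound=True)
REPLY = Pkt(SERVER, CLIENT, 443, 51000, inbound=False)

def sg_demo():
    sg = SecurityGroup([Rule(True, "0.0.0.0/0", 443, 443)])   # deliberately no outbound rule
    return sg.check(REQUEST), sg.check(REPLY)                  # reply still passes: stateful

def nacl_demo(allow_ephemeral: bool, block_client: bool = False):
    numbered = [(100, Rule(True, "0.0.0.0/0", 443, 443))]
    if allow_ephemeral:                                        # outbound ephemeral ports for replies
        numbered.append((100, Rule(False, "0.0.0.0/0", 1024, 65535)))
    if block_client:                                           # deny one IP, numbered below the allow
        numbered.append((50, Rule(True, CLIENT + "/32", 0, 65535, "deny")))
    nacl = NetworkACL(numbered)
    return nacl.check(REQUEST), nacl.check(REPLY)
```

`nacl_demo(False)` allows the request but drops the reply, which is the classic "NACL without ephemeral ports" outage; `nacl_demo(True, block_client=True)` shows a low-numbered deny rule blocking one address ahead of the broad allow.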
Connectivity
- VPC Peering: non-transitive; supports cross-region and cross-account peering.
- Transit Gateway: hub-and-spoke for connecting multiple VPCs.
- VPC Endpoints: Gateway endpoints (S3, DynamoDB) or Interface endpoints (other services).
- Site-to-Site VPN: encrypted tunnel over the public internet, quick to set up.
- Direct Connect: dedicated private connection, 1–10 Gbps.
Practice VPC Questions
Put your knowledge to the test with practice questions.