VPC Networking
Build an isolated network with subnets, gateways, routing, and security layers.
A VPC is your isolated virtual network in AWS, defined by a CIDR block. You
divide it into subnets (each in one AZ). A subnet is public if its route
table sends 0.0.0.0/0 to an Internet Gateway; otherwise it’s private.
Key components:
- Internet Gateway (IGW) — internet access for public subnets
- NAT Gateway — lets private subnets reach the internet outbound only
- Route tables — direct traffic between subnets and gateways
- Security groups (stateful, per-instance) and NACLs (stateless, per-subnet)
- VPC peering / Transit Gateway — connect VPCs
```mermaid
graph TD
  IGW["Internet Gateway"] --> PUB["Public subnet: ALB + NAT"]
  PUB --> APP["Private subnet: app servers"]
  APP --> DB["Private subnet: database"]
  APP -->|outbound via NAT| IGW
```
- Plan a VPC: a /16 with two public and two private subnets across two AZs.
- Explain what makes a subnet public versus private.
- Describe why a database should be in a private subnet.
- Compare a security group (stateful) with a network ACL (stateless).
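The planning and public/private rules above, worked through in code. This is an added example, not part of the original page or an AWS library: it carves a /16 into one public and one private subnet per AZ, classifies a subnet by where its 0.0.0.0/0 route points, and audits a layout for CIDRs outside the VPC, overlapping subnets, and a database tier with a direct internet route. The `Subnet` type and the `igw-PLACEHOLDER` / `nat-PLACEHOLDER` target ids are assumptions, not real resource ids.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Subnet:
    """Hypothetical subnet record: a CIDR, its AZ, its tier and its route table."""
    name: str
    cidr: str
    az: str
    tier: str                                    # "public", "app" or "database"
    routes: dict = field(default_factory=dict)   # destination CIDR -> target id


def plan_vpc(vpc_cidr: str, azs: list, new_prefix: int = 20) -> list:
    """Carve vpc_cidr into one public and one private subnet per AZ."""
    blocks = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix))
    if len(blocks) < 2 * len(azs):
        raise ValueError("VPC CIDR too small for the requested layout")
    plan = []
    for i, az in enumerate(azs):
        # Public: default route to the IGW. Private: default route to the NAT only.
        plan.append(Subnet(f"public-{az}", str(blocks[2 * i]), az, "public",
                           {"0.0.0.0/0": "igw-PLACEHOLDER"}))
        plan.append(Subnet(f"private-{az}", str(blocks[2 * i + 1]), az, "app",
                           {"0.0.0.0/0": "nat-PLACEHOLDER"}))
    return plan


def is_public(subnet: Subnet) -> bool:
    """A subnet is public exactly when its 0.0.0.0/0 route targets an Internet Gateway."""
    return subnet.routes.get("0.0.0.0/0", "").startswith("igw-")


def audit(vpc_cidr: str, subnets: list) -> list:
    """Findings a reviewer would raise: CIDRs outside the VPC, overlaps, exposed data tier."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [(s, ipaddress.ip_network(s.cidr)) for s in subnets]
    findings = []
    for s, n in nets:
        if not n.subnet_of(vpc):
            findings.append(f"{s.name}: {s.cidr} is outside {vpc_cidr}")
        if s.tier == "database" and is_public(s):
            findings.append(f"{s.name}: database tier has a direct internet route")
    for i, (a, na) in enumerate(nets):
        for b, nb in nets[i + 1:]:
            if na.overlaps(nb):
                findings.append(f"{a.name} overlaps {b.name}")
    return findings
```

Running `audit` over a constructed layout that adds a public database subnet reports both the exposure and the overlap with the planned public subnet.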
Cheat Sheet
| Component | Role |
|---|---|
| VPC | Isolated virtual network |
| Subnet | AZ-scoped segment |
| Internet Gateway | Public internet access |
| NAT Gateway | Outbound-only for private subnets |
| Route table | Traffic direction |
| Security group | Stateful, per-instance |
| NACL | Stateless, per-subnet |
Common Interview Questions
What makes a subnet public or private?
A public subnet has a route to an Internet Gateway (0.0.0.0/0 → IGW). A private subnet has no such route; it reaches the internet only outbound through a NAT Gateway, if at all.
What's the difference between a security group and a NACL?
Security groups are stateful, attach to instances, and have only allow rules. NACLs are stateless, apply at the subnet level, support allow and deny rules evaluated in order, and require explicit return-traffic rules.
Why put databases in private subnets?
To remove any direct internet route, shrinking the attack surface. They’re reached only from the application tier within the VPC.