Virtual Networks (VPC)

[!NOTE] This module explores the core principles of Virtual Networks (VPC), deriving solutions from first principles and hardware constraints to build world-class, production-ready expertise.

1. The Need for Isolation: What is a VPC?

Imagine moving your company’s infrastructure into a massive, bustling public building (the public cloud). By default, this is a multi-tenant environment—your servers are running on the same physical hardware as a competitor’s servers. How do you ensure your network traffic remains invisible and completely isolated?

The answer is the Virtual Private Cloud (VPC).

A VPC allows you to carve out a logically isolated, private section of the cloud. You are granted complete control over your virtual networking environment, including the selection of your own IP address ranges, creation of subnets, and configuration of route tables and network gateways.

The Analogy: Think of the public cloud as a giant office building. Creating a VPC is like leasing an entire private floor. You get to decide the floor plan (subnets), who gets past the elevator (NACLs), and which rooms have windows facing the street (Internet Gateways).


2. The Anatomy of a VPC

A VPC is constructed from several fundamental networking primitives. To build a robust architecture, you must understand how these components interact.

2.1 CIDR Blocks (The IP Range)

When you create a VPC, you assign it an IPv4 CIDR block, such as 10.0.0.0/16. This defines the total pool of IP addresses available (in this case, 65,536 IPs). All resources within the VPC draw from this pool.

2.2 Subnets (The Floor Plan)

You divide the VPC’s large CIDR block into smaller, localized chunks called Subnets (e.g., 10.0.1.0/24). Subnets are tied to specific physical Availability Zones (data centers).

  • Public Subnet: A subnet whose traffic is routed to an Internet Gateway (IGW). This is your “public lobby”—ideal for Load Balancers and Web Servers.
  • Private Subnet: A subnet with no direct route to the Internet. This is your “secure vault”—mandatory for Databases, Application Servers, and internal caches.

2.3 Route Tables (The Directory)

A Route Table is a set of rules (routes) that determines where network traffic from your subnet or gateway is directed. Every subnet must be associated with a route table. If no route matches a packet’s destination, the packet is dropped.

2.4 Network Security: Security Groups vs NACLs

Cloud security operates at two distinct layers. Mixing these up is a frequent source of production outages.

| Feature | Security Groups (SGs) | Network ACLs (NACLs) |
|---|---|---|
| Scope | Operates at the Instance (VM) level. | Operates at the Subnet level. |
| State | Stateful: If you send a request out, the response is automatically allowed back in. | Stateless: You must explicitly define rules for both inbound AND outbound traffic. |
| Rules | Supports allow rules only. | Supports both allow and deny rules. |
| Analogy | The bouncer at the door of a specific room. | The security checkpoint at the elevator bank. |

3. Advanced Routing & Gateways

How do private resources access the internet without exposing themselves? And how do different VPCs talk to each other?

3.1 NAT Gateway (The Concierge)

If a private subnet server (like a Database) needs to download a security patch from the Internet, it cannot use an Internet Gateway directly, as it lacks a public IP.

  • Instead, it sends traffic to a NAT Gateway located in the Public Subnet.
  • The NAT Gateway rewrites the packet’s source address, replacing the private IP with its own public IP, and forwards the request to the Internet.
  • Crucially: The Internet can never initiate a connection inbound to the NAT Gateway. It only routes responses to outbound requests.

3.2 VPC Peering & Transit Gateways

VPC Peering allows you to connect two VPCs (even across different regions or accounts) so they can communicate using Private IPs, bypassing the public internet entirely.

The Transitivity Problem: VPC Peering is not transitive. If VPC-A peers with VPC-B, and VPC-B peers with VPC-C, VPC-A cannot talk to VPC-C. You would need a direct peer between A and C. In complex enterprise environments with hundreds of VPCs, managing a full mesh of peering connections becomes a nightmare. The solution is a Transit Gateway, which acts as a central hub-and-spoke router connecting multiple VPCs and on-premises networks.


4. Interactive: Public vs Private Routes

Let’s observe routing in action. Attempt to send traffic from a Private Database to the outside world. Without a valid route to an Internet Gateway (IGW) or NAT Gateway, the traffic will be “black-holed”.

[Interactive simulator: a DB Server at 10.0.1.55 sends an outbound packet to the Internet using this VPC Route Table]

  • Dest: 10.0.0.0/16 → Target: Local
  • Dest: 0.0.0.0/0 → Target: [None]
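The simulator’s route-table lookup, as an added example that is not part of the original module: it applies longest-prefix matching over constructed route tables (the gateway ids are placeholders) and shows why the private DB server is black-holed, why an IGW route alone is not enough without a public IP, and how a more specific peering route beats the default route.

```python
import ipaddress

# Constructed route tables for this example (gateway ids are placeholders).
# A matching route with no target, like the simulator's
# "Dest: 0.0.0.0/0 / Target: [None]", black-holes the packet.
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", None)]
PRIVATE_RT_WITH_NAT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")]
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")]
# A peered VPC reachable through a peering connection, NAT for everything else.
PEERED_RT = [("10.0.0.0/16", "local"),
             ("192.168.0.0/16", "pcx-PLACEHOLDER"),
             ("0.0.0.0/0", "nat-PLACEHOLDER")]


def lookup(route_table, dst):
    """Longest-prefix match, as a VPC route table does: the most specific
    route containing dst wins. Returns its target, or None when no route
    matches (or the matching route has no target)."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def forward(route_table, dst, has_public_ip=False):
    """Decide the fate of an outbound packet from an instance whose subnet
    uses route_table."""
    target = lookup(route_table, dst)
    if target is None:
        return "black-holed"  # no usable route: silently dropped
    if target == "local":
        return "delivered inside VPC"
    if target.startswith("igw-") and not has_public_ip:
        # An IGW only carries traffic for instances that own a public IP;
        # the private-only database from section 3.1 fails here.
        return "dropped at IGW: instance has no public IP"
    return f"forwarded to {target}"


if __name__ == "__main__":
    # The simulator's DB server 10.0.1.55 reaching for the Internet.
    print(forward(PRIVATE_RT, "8.8.8.8"))           # black-holed
    print(forward(PRIVATE_RT_WITH_NAT, "8.8.8.8"))  # forwarded to nat-PLACEHOLDER
    print(forward(PEERED_RT, "192.168.3.4"))        # forwarded to pcx-PLACEHOLDER
```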