VPC Exam Summary

These notes were written while preparing for my AWS solution architect exam and are collected from different sources and AWS documentation. Primarily, they’re notes for me, but you might find them useful too.

Since the AWS is changing quickly, it’s possible that some of these notes may be out of date, so please take that into consideration if you are reading them.

Please let me know in the comments if you have any updates which you’d like me to add.

VPC (Virtual Private Cloud)

  • VPC is the virtual network dedicated to your AWS account.
  • A VPC consist of the following components:
    1. Subnets
    2. Route tables
    3. DHCP (Dynamic Host Configuration Protocol)
    4. Security Groups
    5. ACL (Network Access Control Lists)
  • A VPC optional components consist of:
    1. IGW (Internet Gateways)
    2. EIP (Elastic IP)
    3. ENI (Elastic Network Interface)
    4. Endpoints
    5. Peering
    6. NAT instances and Nat Gateways (Network Address Translation)
    7. VPG (Virtual Private Gateway)
    8. CGW (Customer Gateway)
    9. VPN (Virtual Private Network)


  • A subnet is a range of IP addresses in your VPC. Each subnet is either private or public, or VPN-only. Use a public subnet for resources that must be connected to the internet, and a private subnet for resources that should not be directly connected to the internet.
  • Each AWS account comes with a default VPC which has a public subnet in each of the AZs within the region with a netmask of /20.
  • Upon creation of a VPC, you must specify an IPv4 CIDR block for the VPC. Max allowed block size is /16 (65536 IP Addresses) and the minimum is /28 (16 IP Addresses)
  • It is recommended that you specify a private CIDR block based on RFC 1918
    • –
    • –
    • –
  • A VPC spans all the Availability Zones in the region
  • The first four IP addresses and the last IP address in each subnet CIDR block are not available for use.
  • A Public Subnet is one in which the associated route table direct the subnets traffic toward an IGW.
  • A Private Subnet is one in which the associated route table doesn’t direct the traffic to the IGW.
  • VPN-only Subnet does not have a route to the IGW but it has its traffic routed to a virtual private gateway  (VPG) for a site-to-site VPN connection and does not have a route to the IGW.
  • After creating a VPC,  you can add one or more subnets in each AZ. Each subnet resides within one AZ and cannot span AZs.
  • You can have multiple subnets in one AZ

Route Tables:

  • Each VPC comes with one main route table which acts as a default route table for all the new subnets.
  • A Route Table contains a set of rules, called routes, that are used to determine where network traffic is directed.
  • Each subnet in VPC needs to be associated with one route table.
  • A subnet can be associated with only one route table.
  • Multiple subnets can use one single shared route tables.
  • You use route tables to make a subnet private, public by directing traffic to IGW or not.
  • You can modify the default route table that comes with default VPC.
  • If you don’t explicitly associate a subnet with a particular route table, that subnet is implicitly associated with the main route table.
  • You can not remove the main route table, but you can replace it with a custom one.
  • Each routing rule specifies a destination CIDR and a target.
  • AWS uses the most specific route that matches the traffic.
  • IPv4 and IPv6 are treated separately. is not equal to all IPv6 addresses. You can use ::/0 for all IPv6 addresses.
  • It is a good practice to not allow internet access in the main route table and allow internet access only from custom route tables. This protects accidental internet access for new subnets that are not explicitly associated with a custom route table. (They will use main route table implicitly)
  • To enable internet access for instances in a private subnet, create a NAT Gateway or launch a NAT instance in a public subnet, and then add a route for the private subnet to route IPv4  ( and optionally IPv6 (::/0 )to the NAT device.
  • If you enable VPC Peering Connection, you need to add a route to one or more of your VPC route tables. You need to specify all or part of the other VPC CIDR block as a destination and the Peering Connection as the target. The owner of other VPC needs to do the same on one or more of his/her route tables to route the traffic to your VPC.
  • Route propagation allows a virtual private gateway to automatically propagate routes to the route tables so that you don’t need to manually enter VPN routes to your table.

Internet Gateways

  • IGW provides two purposes:
    1. To provide a target in your VPC route tables for internet routable traffic.
    2. To perform network address translation for instances that have either EIP or public IP in your VPC.
  • IGW supports both IP v4 and v6.
  • Each VPC can have only one IGW.
  • To use the IGW your router must contain a rule that points all the internet traffic to your IGW.
  • An egress-only internet gateway is an AWS component that only allows outbound communication over IPv6 only from instances in your VPC to the internet.
  • An egress-only internet gateway is for use with IPv6 traffic only.

NAT (Network Address Translation)

  • You can use a NAT device to enable instances in your private subnet to connect to internet or AWS services, but prevent the internet from initiating connections with your instances.
  • AWS NAT devices are also PAT devices, meaning they do port address translation.
  • NAT devices are not supported for IPv6 traffic. (You can use egress-only traffic to achieve similar functionality)
  • AWS offers two kinds of NAT devices
    1. NAT Gateway (Recommended because of better availability and bandwidth)
    2. NAT instance.

NAT Gateway:

  • NAT gateways are not supported for IPv6 traffic.
  • You need to specify an EIP for a NAT gateway and must specify the public subnet that your NAT gateway belongs to upon creation of your NAT Gateway.
  •  After you’ve created a NAT gateway, you must update the route table associated with one or more of your private subnets to point Internet-bound traffic to the NAT gateway. This enables instances in your private subnets to communicate with the internet
  • Each NAT gateway is created in a specify AZ.
  • To achieve AZ independent architecture, create a NAT gateway in each AZ and configure your routing tables to ensure that resources in each AZ use the NAT gateway in the same AZ.  In this case, if the NAT gateway’s AZ is down the other resources in other AZs are not dependent on that gateway and work fine independent of the down IGW. Some people use one IGW for all their subnets to lower the cost and if the AZ with IGW goes down all other subnets will be affected since there is no IGW.
  • A NAT gateway supports 5 Gbps of bandwidth and automatically scale up to 45 Gbps.
  • A NAT gateway support, UDP, TCP, and ICMP.
  • Port forwarding is not supported for NAT gateways.

NAT Instances:

  • AMIs include the string “amznamivpcnat” are AMIs ready to launch a NAT instance.
  • You need to disable source/destination checks for a NAT instance. This is because each EC2 instance performs source/destination check by default to make sure that it sends/receives traffic that either the source or destination is itself, however, NAT instances must send/receive traffic that the source or destination are not themselves.
  • You can associate a NAT instance with a security group just like other EC2 instances, however, you can not associate a NAT gateway with a security group.
  • You can use a NAT instance as a bastion or jump server.

DHCP (Dynamic Host Configuration Protocol)

  • DHCP Provides a standard for passing configurations to hosts on a TCP/IP network. You can set parameters such as Domain Name, DNS, and netbios-node-type.
  • You can set up to 4 DNS servers
  • You can set the IP address of up to four Network Time Protocol (NTP)
  • You can set the IP address of up to four NetBIOS name server
  • You can specify NetBIOS node type 1,2,4,8.
  • After you create a set of DHCP options, you can’t modify them. If you want your VPC to use a different set of DHCP options, you must create a new set and associate them with your VPC

VPC Peering

  • A VPC peering connection is a networking connection between 2 VPCs which could be in different accounts or different regions.
  • VPC peering enables you to route traffic between two VPCs privately just like they are part of one VPC.

Elastic IP

  • EIP is a static, public IPv4 address.
  • You can associate EIPs with any instance or network interface for your VPC.
  • In case of failure of an instance, you can remap the EIP to another instance.
  • If you associate the EIP with the network interface, you can move all the attributes of the network interface from one instance to another in a single step.
  • There is a charge for EIPs that are not in use, associated with a stopped instance, or an unattached network interface.
  • Each account is limited to 5 EIP.
  • An EIP address is accessed through the Internet gateway of a VPC. If you have set up a Site-to-Site VPN connection between your VPC and your network, the VPN traffic traverses a virtual private gateway, not an Internet gateway, and therefore cannot access the Elastic IP address.

VPC Endpoints

  • A VPC Endpoints enables you to connect your VPC privately to supported AWS services by a PrivateLink without using an internet gateway, NAT instance or device, VPN connections, or AWS Direct Connect Connection.
  • There are two types of VPC Endpoints:
    1. Interface Endpoints
    2. Gateway Endpoints
  • An Interface Endpoint is an elastic network interface with a private IP address that serves as an entry point for traffic destined to a supported AWS service.
  • A Gateway Endpoint is a gateway that is a target for a specified route in your route table, used for traffic destined to either S3 or DynamoDB.
  • For each interface endpoint, you can choose only one subnet per Availability Zone.
  • An interface endpoint supports TCP traffic only.
  • Endpoints are supported within the same region only. You cannot create an endpoint between a VPC and a service in a different region.

Security Groups

  • A security group acts as a virtual firewall for your instances to control inbound and outbound traffic.
  • A security group is a stateful firewall. A stateful firewall allows the return traffic regardless of any rules.  It means that the response of allowed outbound rules can be flow in regardless of the inbound rules and vice versa.
  • You can add up to 500 security groups per VPC.
  • You can have up to 50 inbounds and 50 outbound rules per security group.
  • You can assign up to 5 security groups for each instance.
  • Security group protection is in instance level, not subnet level.
  • If you don’t assign a security group for the instance at the launch time, the instance will be associated with the default security group.
  • Default security group:
    • Allows communication between all resources within the security group
    • Allows all outbound traffic.
    • Deny all other traffic.
  • You can’t delete a default security group
  • Security groups only support allow rules and not deny.
  • You add rules that control the inbound and separate rules for outbound traffic in security groups.

Network Access Control List

  • ACL is an optional layer of security
  • ACL acts as a stateless firewall for controlling traffic in and out in subnet level.
  • Each VPC comes with a default modifiable default network ACL which allows all inbound and all outbound traffic.
  • By default, each custom ACL denies all inbound and outbound traffic.
  • You can associate an ACL with multiple subnets, however, one subnet can be associated only with one ACL at a time.
  • When you associate a subnet with an ACL, the previous association is removed.
  • A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
  • ACL evaluate rules in order, starting with the lowest number. As soon as a rule matches traffic, it’s applied regardless of any higher numbered rule.

Accessing a Corporate Network

  • You can connect your VPC to your corporate data center using an IPsec Site-to-Site VPN connection.
  • A Site-to-Site VPN connection consists of a virtual private gateway attached to the VPC and a customer gateway located in your corporate data center.

Accessing the Internet

  • Default VPC has an internet gateway and all the EC2 instances have a private and a public IPv4 associated with them when you launch them in default VPC.
  • If you launch an instance into a non-default VPC, it has only private IPv4 by default.
  • You can enable internet access fo instances in a non-default subnet (subnets of non-default VPC) by attaching an internet gateway to its VPC and associate EIP for the instances.
  • You also can use a NAT (Network Address Translation) device to allow an instance in a VPC initiate outbound connection to the internet but prevent the unsolicited inbound connection from the internet.