Amazon EC2

Amazon Virtual Private Cloud (VPC)

By Abhinay Durishetty
6 mins read

Amazon Virtual Private Cloud(VPC)

Welcome to the wonderful world of AWS VPC! Remember those IPv4 and IPv6 siblings we met back in the Route 53 section? Well, guess what? We're diving even deeper into the magic of VPC, and I promise to make it as easy as sharing a meme.Think of VPC like the secret sauce of AWS – a bit complex, but oh-so-crucial! It's like the VIP section where all the cool AWS services hang out. Trying to do AWS without VPC is like trying to build a sandcastle without sand – not very effective! Now, before we jump into the deep end of VPC, it's important to be familiar with some basic networking concepts. Imagine it as making sure you know the rules of the road before driving a car.

Alright, as we mentioned earlier, you've got to be chummy with IP addressing to really get VPC. It's like knowing the rules of a game before playing. Now, among the IP siblings, IPv4 and IPv6, we're going to focus on IPv4 for now. Think of it as choosing to watch the original movie before diving into the sequels.

Once you're cool with IPv4, you can easily move on to its more complex sibling, IPv6, as you advance. So, without further ado, let's break down IPv4 and see what makes it tick. Ready to learn?

Every AWS infrastructure starts with a VPC. It's the cornerstone, really. So, knowing where to place each AWS service—either out in the public eye or behind closed doors in private—is crucial. It's like knowing where to put the sofa in your living room; placement matters!

Now, if IP addressing sounds like Greek to you, no worries. We're going to start with the ABCs of IP addressing. Trust me, it's a vast subject, kinda like the universe of Marvel movies. But don't sweat it! We'll only delve as deep as you need to feel confident working with VPC.

Remember when we talked about how the internet works? Just like every computer needs a unique name, or an IP address, to get the right information. Well, ISPs and routers make sure you get what you're looking for.

You already know what an IP address is, so let's go into the structure of an IPv4 address.

Structure of an IPv4 address

An IPv4 address is a numerical label that uniquely identifies a device on a network. It looks like this: Each IPv4 address is composed of four decimal numbers separated by dots. Each of these parts between the dots is a binary octet. This is known as dotted-decimal notation. So what is a Binary Octet? The term "octet" refers to a set of 8 bits. In computer science and information technology, bits (binary digits) are the fundamental unit of information and can either be a 1 or a 0. Why only 1s and 0s? Well, computers aren't fans of human languages; they prefer this simple binary language. Computers use binary (a series of 1s and 0s) to process data because electronic circuits inside computers can easily represent the two binary states—on and off—making binary the simplest and most straightforward way to store and manipulate data. As you see from the above picture, In an octet, the bit farthest to the left is called the "most significant bit" (MSB), and the bit farthest to the right is called the "least significant bit" (LSB). The reason they are termed so is because the MSB has the highest value in the octet (128), while the LSB has the lowest (1).

Structure of an IPv4 address

How to Decode an IPv4 Address into Binary?Let's take the IPv4 address as an example:

  • 192: To convert it into an 8-bit binary number, you can represent it as 11000000. This is because 192 = 128 + 64.(1st and 2nd place)
  • 168: It becomes 10101000 in binary, as 168 = 128 + 32 + 8.(1st, 3rd and 5th places)
  • 0: This is simply 00000000 in binary.(Zero)
  • 1: In binary, this is 00000001.(8th place)

Putting it all together, the IPv4 address can be represented in binary as 11000000.10101000.00000000.00000001.

Why Do We Need Both Decimal and Binary Notations?
Humans find decimal numbers easier to read and understand, whereas computers prefer binary for computational efficiency. Therefore, the dotted-decimal notation serves as a more human-friendly representation of the binary data that computers use to process IP addresses.

What is Network ID and Host ID?
An IP address like consists of two parts:

Network ID: Think of this as your "neighborhood" on the internet. In, the Network ID is 192.168.0.

Host ID: This is your specific "house number" within that internet neighborhood. In, the Host ID is 1.

CIDR Notation
For the Subnet Mask, all the 255s represent 24 bits (8 bits for each 255). So, the network and Subnet Mask can also be written as The /24 indicates that the first 24 bits are used for the Network ID.

Why Do We Care?
The Network ID helps to route your data to the right general area (like getting a package to the correct city). The Host ID helps to get that data to your exact location (like getting a package to your front door).

What is a Subnet Mask?
A Subnet Mask like separates the Network ID from the Host ID in an IP address. When written in binary, becomes 11111111.11111111.11111111.00000000.

How Does It Work?
Use the Subnet Mask to figure out which part of the IP address is the Network ID and which part is the Host ID.

Calculating the Network ID

For the IP address with the Subnet Mask or /24:

The Subnet Mask in binary is 11111111.11111111.11111111.00000000.
Take the part of the IP address where you see 11111111 in the Subnet Mask. That's your Network ID.
So, with

Network ID: 192.168.0 (the part covered by 255 or 11111111 in the Subnet Mask)
Host ID: 1 (the part where the Subnet Mask is 0 or 00000000)

Why is the Subnet Mask Useful?
It helps to organize your network, making it easier to manage devices and route data correctly. It's like knowing which streets in a city are residential and which ones are for businesses.
Classes of Private IPv4 Addresses for VPCs

Class A:
Private Range:
Subnet Mask: or /8
First Assignable Address:
Last Assignable Address:
Total Networks: 1 (Just the 10.x.x.x network)
Usable Addresses per Network: 16,777,214 (because you reserve 2 addresses for network and broadcast)

Class B:
Private Range:
Subnet Mask: or /12
First Assignable Address:
Last Assignable Address:
Total Networks: 16 (Ranges from 172.16.x.x to 172.31.x.x)
Usable Addresses per Network: 65,534 (because you reserve 2 addresses for network and broadcast)

Class C:
Private Range:
Subnet Mask: or /16
First Assignable Address:
Last Assignable Address:
Total Networks: 256 (Ranges from 192.168.0.x to 192.168.255.x)
Usable Addresses per Network: 254 (because you reserve 2 addresses for network and broadcast)

How Is This Information Useful in VPC?
First and Last Assignable Addresses: These help you plan your subnets within the VPC.
Total Networks: Indicates how many subnets you can have within each class.
Usable Addresses per Network: Tells you how many VMs, containers, or services can be in each subnet.

These classes are often the foundation for IP addressing schemes in VPCs, as they allow for a wide range of IPs that won't conflict with public internet addresses.
Alright, I can totally sense the confusion you're experiencing. I can sense the way your eyebrows raised and how you took that deep breath – classic signs of Dilemma. I understand, the load of information seems overwhelming, especially since we haven't even delved into VPC and its terminology yet. So far, we've only talked about IPv4. But don't worry! Together, we're going to unwrap the layers of VPC concepts one by one, like peeling an onion.

I'm pretty certain that at some point in your life, you've encountered a situation where you had to tackle an entirely new subject. Remember that feeling of uncertainty? It's that moment when you admit you don't know much about the topic. Then you likely took a seat, opened your mind to learning, and started asking yourself questions to bridge the gaps in your understanding. Gradually, the haze started to dissipate, and you experienced that 'Aha!' sensation when things finally clicked.

You know what's amazing? The confidence you gained the next time the topic came up. It's an incredible feeling, isn't it? Well, guess what? In this journey, you'll only get that 'Aha!' moment once you dive into hands-on experience with VPC. And let me remind you of something important – "Learning is one of the greatest joys of life." Let's dive in.

What are LAN,WAN,MAN and AWS Availability Zones?
What is LAN?
Local Area Network (LAN) is a network infrastructure that operates within a limited geographic area, such as a home, office, or campus. It enables devices to connect and communicate with each other over short distances, usually within the same building or nearby buildings.

Why LAN?
Fast Data Transfer:
Imagine sending a large video file from your computer to another computer in the same room. With LAN, this transfer is fast and efficient.

Setting up a LAN generally involves one-time costs for networking hardware, like switches and routers, but doesn't usually incur monthly fees.

Resource Sharing:
Need to print a document? LANs let you share printers, files, and other resources easily between connected devices.

Low Latency:
Forget buffering. LANs offer low latency, which is ideal for real-time applications like video conferencing and gaming.

What is WAN?
Wide Area Network (WAN) is a network that covers a broad area, typically spanning regions or even countries. WANs allow organizations to connect their local networks to other local networks, facilitating data sharing and communication over large distances.

Why WAN?
Global Reach:
Imagine being able to access your company’s data from anywhere in the world. WAN makes this possible.

WAN can grow as your organization expands, connecting new sites and remote offices easily.

Centralized Data:
Store your company's data in a central location and access it from anywhere using WAN.

Flexible Connections:
Connect via various methods like leased lines, broadband, or even satellite.
What is MAN?
Metropolitan Area Network (MAN) sits between a local area network (LAN) and a wide area network (WAN). It typically spans a city or a large campus and is ideal for connecting multiple LANs within a specific geographic area.

Why MAN?
High-Speed Connections:
MAN offers faster data transfer rates than WAN but covers a larger area than LAN.

Regional Networking:
Connect multiple offices within the same city effortlessly.

For businesses operating in a metropolitan area, MAN can be more cost-effective than using multiple WAN connections.

What are AWS Availability Zones?
AWS Availability Zones (AZs) are isolated locations within an AWS region, designed to be fault-tolerant to issues like power failures, network issues, or natural disasters. Each AZ has its own power, cooling, and networking to isolate from failures in other AZs.

Why AWS Availability Zones?
High Availability:
If one zone experiences issues, your applications can continue to run in another zone.

Disaster Recovery:
In case of a disaster, data can be immediately available in another zone.

Low Latency:
Multiple zones in a region allow you to serve users with lower latency.

Data Redundancy:
Storing data in multiple zones protects it from loss due to a zone failure.

Seamless Scaling:
Quickly expand your application to other zones or even other regions as needed.

Balanced Workloads:
Distribute traffic to applications across multiple zones for balanced workloads.


  1. VPC
  2. Subnets
  3. Route Table
  4. Internet Gateway
  5. Nat Gateway
  6. Security Group
  7. Elastic IPs
  8. NACL (Network Access Control List) [We can ignore this part for now]
Amazon Virtual Private Cloud (Amazon VPC) is a service that lets you launch AWS resources in a logically isolated virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 for most resources in your virtual private cloud, helping to ensure secure and easy access to resources and applications. To understand VPC better, it's essential to familiarize yourself with the following key terminologies:

1. VPC (Virtual Private Cloud)
What it is: A virtual network within the AWS cloud.
Example: Think of a VPC as a gated community. Inside this gated community, you have your own rules, access control, and security measures.
Why it works that way: It is isolated from other virtual networks, providing a secure environment for your AWS resources.
Why not another way: An open network would expose resources to potential threats and unauthorized access.

2. Subnet
What it is: A range of IP addresses in your VPC.
Example: Within the gated community (VPC), there are different lanes or sectors. These are your subnets.
Why it works that way: Subnets allow you to organize your network, allocate resources, and implement security policies effectively.
Why not another way: Without subnets, your VPC would be one big flat network, which could lead to inefficiencies and security risks.

3. Route Table
What it is: A set of rules that determine where network traffic is directed.
Example: Think of the route table as road signs within your gated community directing traffic to different lanes or exits.
Why it works that way: It helps in the efficient flow of data between subnets or outside the VPC.
Why not another way: Without a route table, there would be no way to manage or direct traffic, leading to chaos.

4. Internet Gateway
What it is: A horizontally scalable, redundant gateway allowing communication between resources in a VPC and the internet.
Example: This is like the main gate of your gated community that connects you to the external world.
Why it works that way: It allows resources within your VPC to access the internet securely.
Why not another way: Without an Internet Gateway, your VPC resources wouldn't be able to communicate with the outside world unless you set up a VPN or Direct Connect.

5. NAT Gateway (Network Address Translation Gateway)
What it is: A managed service that enables instances in a private subnet to connect to the internet but prevents the internet from initiating a connection with those instances.
Example: Imagine a one-way mirror at a security checkpoint within your gated community. People inside can look and go out, but those outside can't see or enter directly through it.
Why it works that way: NAT Gateway allows outbound traffic (e.g., for updates, APIs) while maintaining the private nature of the subnet.
Why not another way: Simply allowing direct two-way internet access to private resources would expose them to unnecessary risks.

NAT Gateways are generally used in conjunction with private and public subnets. Instances in a private subnet that need to access the internet can have their traffic routed through a NAT Gateway residing in a public subnet.

6. Security Group
What it is: A virtual firewall that controls inbound and outbound traffic for one or more instances.
Example: Think of security groups as the security system installed in each house within the community.
Why it works that way: Security groups are more instance-level security measures and are stateful (unlike NACLs which are stateless).
Why not another way: Without security groups, you wouldn't have fine-grained control over the network traffic to and from your instances.

7. Elastic IPs (EIP)
What it is: A static, public IPv4 address that you can allocate to your AWS account, which you can associate or disassociate with an instance on-the-fly.
Example: Imagine having a reserved parking spot in a public area. You can use this spot whenever you want, and if you change cars, you can easily reassign the spot to the new car.
Why it works that way: Elastic IPs provide a way to have a fixed public IP address that can be quickly remapped to any instance in your VPC. This can be useful for fault-tolerance and high availability.
Why not another way: Using a dynamic public IP address (which changes every time you stop and start your instance) could cause issues with DNS mapping and could complicate network configurations.

Elastic IPs are useful for various use-cases, such as:
Failover: Quickly reroute traffic to another instance.
High Availability: Swap IPs between instances in different availability zones.
DNS Mapping: Helpful when you have a domain pointing to a specific IP address, and you don't want to update DNS records if you switch instances.

8. NACL (Network Access Control List)
What it is: A layer of security that acts as a firewall for controlling network traffic in and out of a subnet.
Example: These are like the security guards at each lane or sector within your gated community.
Why it works that way: They filter traffic based on IP protocol, port number, and source/destination IP address.
Why not another way: Without NACLs, your subnets would be exposed to unauthorized or malicious traffic.

Imagine you're building a house. Before you start adding rooms and furniture, you need to set up the foundation – that's where the VPC (Virtual Private Cloud) comes in. Think of the VPC as the blueprint for your AWS infrastructure. It's like defining the boundaries of your virtual space.

Now, let's say you're building a website. You need two things: a web server to show the website and a database to store information. Just like in your house, you might have a living room and a storage room.

The web server is like your living room – it's where guests (users) come in and see the nice stuff (your website). Since you want everyone to see it, the web server needs to be accessible from the outside, which means it's in the "public" part of your virtual space.

On the other hand, the database is like your storage room – it's where you keep important things, but you don't want just anyone to access it. It's the heart of your website, so it needs to be well-protected. That's why the database is in the "private" part of your virtual space. It's not directly accessible from the outside.

Here's where it gets interesting. When a user fills out a web form on your website (let's say they're ordering a cool gadget), the web server needs to talk to the database to save that order. But you don't want the database to talk to strangers on its own – that would be risky. So, the web server acts like a bridge. It takes the user's order, walks over to the private storage room (database), and says, "Hey, store this safely for me."

This clever setup ensures that even though the web server is in the public part, it's the only one allowed to chat with the private database. This keeps your data safe from prying eyes.

And you're right, AWS VPC helps set up this security dance. It's like having a security team that checks every guest's ID before they can enter your house. They make sure only the right people (or in this case, the right servers) can access certain areas.

So, in a nutshell:

  • VPC is your virtual blueprint.
  • Web server is the public living room.
  • Database is the private storage room.
  • AWS is the security team that makes sure everything's safe and sound.

Think of your VPC like a big piece of land you own. On this land, you're going to build your house (your AWS infrastructure). Now, just like you might have a front yard and a backyard in your real home, you can divide your VPC land into smaller areas called subnets.

Each of these subnets has its own job and level of privacy. It's like if you divide your land into a public area (front yard) and a private area (backyard).

Here's why we divide it:
Imagine you're hosting a barbecue party. You want everyone to enjoy the food and music in the front yard (public subnet), but you don't want strangers wandering into your personal space in the backyard (private subnet).

In the same way, by splitting your VPC land into subnets, you can control who gets to access different parts. This is important because different parts of your AWS infrastructure need different levels of security. You can give your public-facing stuff (like the web server) access to the public subnet, and keep your more sensitive things (like the database) in the private subnet.

By doing this, you can fine-tune the permissions. You're like the boss of your land, deciding who can go where. And just like a boss, you can make sure everything runs smoothly and securely.

Remember, these concepts might sound a bit tricky at first, but once we dive into setting up a VPC, it'll all start to click.

Let's dive into the practical aspect of AWS VPC. Take a look at the picture below: there's a WEB server in subnet 2 (which is public), and a database server in subnet 1 (which is private).

Remember the CIDR notation from the IPv4 part? It's a way we figure out how many IP addresses we need. CIDR, short for "Classless Inter-Domain Routing," helps us manage IP addresses smartly. With CIDR, we decide the number of IPs for our VPC.

In this case, we chose, which means we have 256 IPs. Look at the picture below: the 256 (represented by is divided into two subnets. The first subnet,, provides 128 IPs, and the second subnet,, gives another 128 IPs. That adds up to a total of 256 IPs.

Now, before you raise that "why" question, hold on! You might want to refresh your memory on IPv4 to fully get it. But don't worry, I'll break it down for you in the next section.

Let's use another example of a CIDR range, like, to understand how it works. This CIDR range means there are 512 available IP addresses. Here's how we calculate that:

The netmask is 23, which means there are 32 bits in total and 23 of them are dedicated to the network part. The remaining bits, which are 32 - 23 = 9 bits, are available for the host addresses.

When we raise 2 to the power of 9 (2^9), we get 512. So, there are 512 possible combinations of host addresses within this CIDR range.

Now, let's look at the IP addresses themselves. The range starts at and goes up to The numbers change in the last section (the fourth octet), while the first three sections (octets) remain the same.

For example:
Then, the fourth octet increases by 1 and the third octet resets to 0:
This pattern continues until we reach, and we can't go beyond 255 in any of the octets, as we've discussed earlier in the document. This is how the IP addresses are organized within the given CIDR range.

Let us look at another example. Imagine we have the CIDR range, which provides a total of 256 IP addresses. Now, we're going to divide this range into three subnets, each with different IP allocations:

Subnet 1 - 128 IPs:

IP Range: to
Subnet 1 takes the first half of the original range, accommodating IP addresses from to This gives us 128 IPs.
Subnet 2 - 64 IPs:

IP Range: to
Subnet 2 starts right after Subnet 1, at IP address, and goes up to This gives us another 64 IPs.

Subnet 3 - 64 IPs:

IP Range: to
Subnet 3 occupies the remaining addresses, starting at IP address and ending at This provides the final 64 IPs.
By splitting the original CIDR range into these three subnets, we've met your specifications for the number of IPs in each subnet: 128 IPs for Subnet 1, and 64 IPs for both Subnet 2 and Subnet 3.