
Isolate, secure, and connect your AWS resources with full network control — the backbone of every AWS architecture.
Amazon Virtual Private Cloud (VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network you define. You have complete control over your virtual networking environment, including IP address ranges, subnets, route tables, and network gateways. VPC is the foundational networking layer for virtually every AWS workload — understanding it deeply is non-negotiable for any AWS practitioner.
Provide network isolation, security boundaries, and connectivity control for AWS resources — enabling you to replicate a traditional data center network with the scale and flexibility of the cloud.
Subnets (Public & Private)
Public subnets have a route to an IGW; private subnets do not. The subnet itself is not inherently public/private — the route table determines this.
Internet Gateway (IGW)
Horizontally scaled, redundant, HA gateway. One per VPC. Enables bidirectional internet access for resources with public IPs.
NAT Gateway (Managed)
Fully managed, AZ-resilient. Supports up to 45 Gbps bandwidth. Replaces NAT Instances for production use.
NAT Instance (Self-managed)
Legacy approach. Requires disabling source/destination check. Single point of failure. Not recommended for production.
Security Groups (Stateful Firewall)
Instance-level, stateful. Return traffic is automatically allowed. Supports allow rules only — no explicit deny.
Network ACLs (Stateless Firewall)
Subnet-level, stateless. Requires explicit inbound AND outbound rules. Supports both allow and deny. Evaluated in rule-number order.
VPC Peering
1-to-1 private connectivity between VPCs. Non-transitive. No overlapping CIDRs. Works cross-account and cross-region.
AWS Transit Gateway Integration
Hub-and-spoke model for connecting thousands of VPCs and on-premises networks. Supports transitive routing.
VPC Endpoints (Gateway)
Free. Supports S3 and DynamoDB only. Routes traffic through AWS backbone without IGW/NAT. Uses route table entries.
VPC Endpoints (Interface / PrivateLink)
Charged. Creates ENIs in your subnet. Supports most AWS services and third-party services. Uses DNS resolution.
AWS PrivateLink
Expose services privately to other VPCs/accounts without VPC peering. One-directional, scalable, secure.
VPC Flow Logs
Captures IP traffic metadata at VPC, subnet, or ENI level. Destinations: CloudWatch Logs, S3, Kinesis Data Firehose.
Site-to-Site VPN
IPsec VPN over public internet. Two tunnels per connection for redundancy. Requires Virtual Private Gateway (VGW) or Transit Gateway.
AWS Direct Connect Integration
Dedicated private network connection. Uses VGW or Direct Connect Gateway for VPC access. Not encrypted by default — use MACsec or VPN over DX for encryption.
Elastic Network Interfaces (ENI)
Virtual NICs. Can be moved between instances in same AZ. Each ENI has its own security groups, EIP, and MAC address.
Elastic IP Addresses (EIP)
Static public IPv4 addresses. Charged when NOT associated with a running instance AND charged per hour for all public IPv4 (as of Feb 2024).
DHCP Option Sets
Customize DNS servers, domain names, NTP servers for VPC. One DHCP option set per VPC at a time.
DNS Resolution & DNS Hostnames
enableDnsResolution (default: true) and enableDnsHostnames (default: false for custom VPCs, true for default VPC). Both must be enabled for Interface Endpoints to work with private DNS.
VPC Sharing (Resource Access Manager)
Share subnets with other AWS accounts in the same AWS Organization. Resources are created in the shared subnet but owned by the participant account.
Reachability Analyzer
Network diagnostic tool. Analyzes connectivity between source and destination without sending actual traffic. Useful for troubleshooting.
Network Access Analyzer
Identifies unintended network access to AWS resources. Helps with compliance and security posture assessment.
Traffic Mirroring
Copy network traffic from ENIs to security appliances for deep packet inspection. Supported on Nitro-based instances.
IPv6 Support
Dual-stack (IPv4 + IPv6). AWS assigns /56 to VPC, /64 to subnets. IPv6 addresses are globally unique and public by default — use EIGWs for egress-only.
Bring Your Own IP (BYOIP)
Advertise your own IPv4/IPv6 address ranges to AWS. Useful for IP reputation preservation during migration.
Default VPC
Auto-created per region. Has /16 CIDR (172.31.0.0/16), /20 subnets per AZ, IGW, and main route table with IGW route. Can be deleted but only one default VPC per region.
Private Service Consumption
High freq: Use Interface VPC Endpoints backed by PrivateLink to access AWS services (SSM, Secrets Manager, ECR, etc.) or expose your own services to other VPCs/accounts without peering. Traffic never leaves the AWS network. Requires enableDnsHostnames and enableDnsResolution on the VPC. Exam frequently tests when to use PrivateLink vs. VPC Peering vs. Gateway Endpoints.
Dedicated Hybrid Connectivity
High freq: Connect on-premises to AWS VPCs via dedicated private circuits. Use a Virtual Private Gateway (VGW) for single-VPC access or a Direct Connect Gateway for multi-VPC/multi-region access. DX does NOT encrypt traffic by default; layer a Site-to-Site VPN over DX for encryption. Exam tests DX vs. VPN trade-offs (latency, reliability, cost, encryption).
Hub-and-Spoke Network Topology
High freq: Transit Gateway (TGW) acts as a regional router connecting thousands of VPCs and on-premises networks. Supports transitive routing (unlike VPC Peering). Use TGW route tables to segment traffic between environments. Supports multicast, inter-region peering, and Network Manager integration. Exam tests TGW vs. VPC Peering decision criteria.
Private S3 Access via Gateway Endpoint
High freq: Gateway Endpoints for S3 provide free, private access to S3 from within a VPC without requiring a NAT Gateway or IGW. Add the endpoint route to the relevant route tables. Cannot be used over VPN/Direct Connect (use an Interface Endpoint for that). Bucket policies can restrict access to specific VPC endpoints using the aws:sourceVpce condition.
VPC-Based Access Control via Resource Policies
High freq: Use IAM resource policies with VPC conditions (aws:sourceVpc, aws:sourceVpce) to restrict API access to specific VPCs or VPC endpoints. Common for S3 bucket policies, SQS queue policies, and API Gateway resource policies. Exam tests combining IAM policies with VPC endpoint policies for defense-in-depth.
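The two policy layers described above (a bucket policy keyed on aws:sourceVpce, plus the endpoint's own policy) can be checked offline with a small evaluator. The following is an added example written for this page, not code from the page's author or from AWS; the endpoint id `vpce-0123456789abcdef0` and bucket name `example-private-data` are constructed, and `evaluate` implements only the StringEquals/StringNotEquals subset of IAM condition semantics that these policies need.

```python
import fnmatch
import json

# Constructed identifiers for this example (not real resources).
APPROVED_VPCE = "vpce-0123456789abcdef0"
BUCKET = "example-private-data"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match for the Action and Resource elements."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """Subset of IAM condition semantics: StringEquals / StringNotEquals.
    A key missing from the request context fails StringEquals but satisfies
    StringNotEquals, which is what makes the deny below cover non-endpoint traffic."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False
            elif operator == "StringNotEquals" and actual in _as_list(expected):
                return False
            elif operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(operator)
    return True


def evaluate(policy, action, resource, context):
    """Return 'Deny' (an explicit deny always wins), 'Allow', or 'ImplicitDeny'
    (no statement matched)."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def bucket_policy(bucket, vpce_id):
    """Bucket policy: deny all S3 access unless the request arrived via the approved endpoint."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnlessFromApprovedEndpoint",
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}}}]}


def endpoint_policy(bucket):
    """Endpoint policy: the endpoint itself may only be used to read this one bucket."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "ReadApprovedBucketOnly",
        "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]}]}


def request_allowed(action, resource, context):
    """Combine both layers. Assumes the caller's identity policy already allows the action."""
    if evaluate(bucket_policy(BUCKET, APPROVED_VPCE), action, resource, context) == "Deny":
        return False
    vpce = context.get("aws:sourceVpce")
    if vpce is not None and evaluate(endpoint_policy(BUCKET), action, resource, context) != "Allow":
        return False
    return True


if __name__ == "__main__":
    obj = f"arn:aws:s3:::{BUCKET}/report.csv"
    print(json.dumps(bucket_policy(BUCKET, APPROVED_VPCE), indent=2))
    print("via approved endpoint:", request_allowed("s3:GetObject", obj, {"aws:sourceVpce": APPROVED_VPCE}))
    print("from the internet:    ", request_allowed("s3:GetObject", obj, {}))
    print("PutObject via endpoint:", request_allowed("s3:PutObject", obj, {"aws:sourceVpce": APPROVED_VPCE}))
```

The bucket policy alone stops requests that do not arrive through the approved endpoint (including requests with no aws:sourceVpce key at all, such as those from the public internet), while the endpoint policy stops the endpoint from being used to reach other buckets or to write; each layer catches what the other does not.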
Multi-Tier Application Architecture
High freq: Classic 3-tier architecture: public subnet (ALB/NLB), private subnet (EC2 app tier), isolated subnet (RDS). Security groups control inter-tier traffic. NACLs add subnet-level defense. NAT Gateway enables private subnet internet egress. Exam tests subnet design, security group vs. NACL use cases, and HA across AZs.
Centralized Egress via Inspection VPC
High freq: Route all outbound internet traffic through a centralized egress VPC containing NAT Gateways and optionally a firewall appliance (AWS Network Firewall or third-party). Use TGW route tables to force traffic through the inspection VPC before it reaches the internet. Reduces NAT Gateway costs and centralizes security controls.
AWS ALWAYS reserves 5 IP addresses in every subnet: .0 (network), .1 (VPC router), .2 (DNS), .3 (future use), and the last address (broadcast). For a /28 subnet: 16 - 5 = 11 usable IPs. You WILL see a calculation question about this.
Security Groups are STATEFUL (return traffic automatically allowed) and support ALLOW rules only. NACLs are STATELESS (must explicitly allow both directions) and support both ALLOW and DENY. When you need to block a specific IP address, you MUST use a NACL — security groups cannot deny.
VPC Peering is NON-TRANSITIVE. If VPC A peers with VPC B, and VPC B peers with VPC C, VPC A CANNOT communicate with VPC C through VPC B. You need either direct peering (A-C) or AWS Transit Gateway for transitive routing. This is tested on every exam level.
Gateway Endpoints (S3 and DynamoDB) are FREE and use route table entries. Interface Endpoints (PrivateLink) cost money and use DNS + ENIs. When a question asks for the 'most cost-effective' private access to S3 from within a VPC, the answer is always Gateway Endpoint.
A public subnet is defined by having a route to an Internet Gateway in its route table — NOT by any property of the subnet itself. The 'Auto-assign public IP' setting is separate. An instance in a 'public subnet' with no public IP is still unreachable from the internet.
Security Groups = STATEFUL + ALLOW ONLY. NACLs = STATELESS + ALLOW AND DENY. To BLOCK a specific IP, you MUST use a NACL. This distinction determines the correct answer on dozens of exam questions.
VPC Peering is NON-TRANSITIVE. A→B and B→C does NOT mean A→C. Use AWS Transit Gateway when you need transitive routing across multiple VPCs. This is tested on every exam level from CLF-C02 to SAP-C02.
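The non-transitivity rule, and the contrast with a Transit Gateway whose route tables both connect and segment, can be made concrete with a small topology model. This is an added example written for this page, not code from the page's author or an AWS API; the `Topology` class, the VPC names `vpc-a` to `vpc-d` and the route tables `rt-shared` and `rt-dev` are all constructed. `naive_peering_path` deliberately implements the misconception (graph search over peering edges) so the two answers can be compared.

```python
from collections import defaultdict, deque


class Topology:
    """Toy connectivity model for this page: peering connections plus one
    Transit Gateway with per-attachment route tables. Hypothetical, not an AWS API."""

    def __init__(self):
        self.peerings = set()                # frozenset({vpc_a, vpc_b}) per connection
        self.tgw_association = {}            # vpc -> TGW route table its attachment uses
        self.tgw_routes = defaultdict(set)   # TGW route table -> destination VPCs it can reach

    def add_peering(self, vpc_a, vpc_b):
        if vpc_a == vpc_b:
            raise ValueError("a VPC cannot peer with itself")
        self.peerings.add(frozenset((vpc_a, vpc_b)))

    def attach_to_tgw(self, vpc, route_table):
        self.tgw_association[vpc] = route_table

    def add_tgw_route(self, route_table, dst_vpc):
        self.tgw_routes[route_table].add(dst_vpc)

    def reachable_via_peering(self, src, dst):
        # Peering is non-transitive: only a direct connection between the pair counts.
        return frozenset((src, dst)) in self.peerings

    def reachable_via_tgw(self, src, dst):
        # Transitive, but segmented: the forward route must exist in the source
        # attachment's route table and the return route in the destination's.
        fwd_rt = self.tgw_association.get(src)
        ret_rt = self.tgw_association.get(dst)
        if fwd_rt is None or ret_rt is None:
            return False
        return dst in self.tgw_routes[fwd_rt] and src in self.tgw_routes[ret_rt]

    def naive_peering_path(self, src, dst):
        # The misconception: treating peering links as a graph and searching for a path.
        adjacency = defaultdict(set)
        for pair in self.peerings:
            a, b = tuple(pair)
            adjacency[a].add(b)
            adjacency[b].add(a)
        seen, queue = {src}, deque([src])
        while queue:
            node = queue.popleft()
            if node == dst:
                return True
            for nxt in adjacency[node] - seen:
                seen.add(nxt)
                queue.append(nxt)
        return False


def build_sample():
    """Constructed sample: A-B and B-C are peered; A, B and C share a TGW route
    table, and a dev VPC D is segmented so that it can only talk to A."""
    t = Topology()
    t.add_peering("vpc-a", "vpc-b")
    t.add_peering("vpc-b", "vpc-c")
    for vpc in ("vpc-a", "vpc-b", "vpc-c"):
        t.attach_to_tgw(vpc, "rt-shared")
    t.attach_to_tgw("vpc-d", "rt-dev")
    for dst in ("vpc-a", "vpc-b", "vpc-c", "vpc-d"):
        t.add_tgw_route("rt-shared", dst)
    t.add_tgw_route("rt-dev", "vpc-a")
    return t


if __name__ == "__main__":
    t = build_sample()
    print("A->C via peering (real):  ", t.reachable_via_peering("vpc-a", "vpc-c"))
    print("A->C via peering (naive): ", t.naive_peering_path("vpc-a", "vpc-c"))
    print("A->C via TGW:             ", t.reachable_via_tgw("vpc-a", "vpc-c"))
    print("D->A via TGW (allowed):   ", t.reachable_via_tgw("vpc-d", "vpc-a"))
    print("D->B via TGW (segmented): ", t.reachable_via_tgw("vpc-d", "vpc-b"))
```

Note that `reachable_via_tgw` checks the return route as well as the forward route: a TGW route table that lets D reach A is not enough on its own, A's route table must also have a route back to D, which is the usual cause of one-way connectivity when segmenting environments.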
Gateway Endpoints (S3 + DynamoDB) are FREE and work only within the VPC. Interface Endpoints (PrivateLink) cost money but work over Direct Connect/VPN from on-premises. Always choose Gateway Endpoint for cost optimization when access is VPC-internal only.
For Interface Endpoints to work with private DNS (so applications use the standard AWS service endpoint like s3.amazonaws.com), the VPC must have both enableDnsResolution AND enableDnsHostnames set to true. This is a common troubleshooting scenario on the exam.
NAT Gateways are AZ-specific. For high availability, deploy one NAT Gateway per AZ and configure each AZ's private subnet route table to point to the NAT Gateway in the SAME AZ. Using a single NAT Gateway creates a single point of failure AND cross-AZ data transfer charges.
Direct Connect does NOT encrypt traffic by default. To encrypt traffic over Direct Connect, either use MACsec (Layer 2 encryption on dedicated connections) or establish a Site-to-Site VPN over the Direct Connect connection (VPN over DX). Exam frequently asks about encryption requirements for hybrid connectivity.
VPC Flow Logs capture metadata ONLY — source IP, destination IP, ports, protocol, bytes, packets, action (ACCEPT/REJECT), and status. They do NOT capture packet contents/payload. They also do NOT capture DNS queries (use Route 53 Resolver query logs for that), DHCP traffic, or traffic to the instance metadata service (169.254.169.254).
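Because a flow log record is only the fields listed above, a parser for the default (version 2) format is short, and the REJECT records it yields are useful detection input on their own. The following is an added example written for this page, not code from the page's author or from AWS; the sample records are constructed (documentation address ranges and a placeholder account id), and `rejected_port_probes` is a simple heuristic chosen for this example, not an AWS feature.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Field order of the VPC Flow Logs default (version 2) record format.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")


@dataclass
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int      # IANA protocol number: 6 = TCP, 17 = UDP
    packets: int
    bytes: int
    action: str        # ACCEPT or REJECT


def parse_flow_log(text):
    """Parse default-format records. NODATA/SKIPDATA lines carry no flow
    fields (they are '-') and are skipped; so are lines with the wrong field count."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        raw = dict(zip(FIELDS, parts))
        if raw["log_status"] != "OK":
            continue
        records.append(FlowRecord(
            raw["interface_id"], raw["srcaddr"], raw["dstaddr"],
            int(raw["srcport"]), int(raw["dstport"]), int(raw["protocol"]),
            int(raw["packets"]), int(raw["bytes"]), raw["action"]))
    return records


def rejected_port_probes(records, min_ports=3):
    """Sources whose REJECTed flows hit at least `min_ports` distinct destination
    ports: a cheap indicator of scanning that a security group or NACL stopped."""
    ports_by_src = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports_by_src[r.srcaddr].add(r.dstport)
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_ports}


def bytes_by_action(records):
    """Total bytes per action; useful for spotting unexpected traffic volume."""
    totals = Counter()
    for r in records:
        totals[r.action] += r.bytes
    return dict(totals)


# Constructed sample records (TEST-NET addresses, placeholder account id).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.45 10.0.1.20 44321 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.45 10.0.1.20 44322 23 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 203.0.113.45 10.0.1.20 44323 3389 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.1.20 51000 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.30 10.0.1.20 52000 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(len(recs), "usable records")
    print("probing sources:", rejected_port_probes(recs))
    print("bytes by action:", bytes_by_action(recs))
```

Every field the parser sees is metadata; there is no payload column to inspect, which is the practical form of the page's point that Flow Logs are not a packet capture.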
The primary CIDR block of a VPC CANNOT be modified after creation. You can add up to 4 secondary CIDR blocks (5 total) to expand address space. Plan your IP addressing strategy before deploying — this is an irreversible architectural decision.
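The addressing rules on this page (five reserved addresses per subnet, at most four secondary CIDRs, subnets that must sit inside a VPC CIDR, and peering that forbids overlapping CIDRs) are all checkable before anything is deployed. The following planner is an added example written for this page, not code from the page's author or from AWS; it uses only the standard-library `ipaddress` module, and the sample CIDRs in the usage block are constructed.

```python
import ipaddress

# Reserved offsets at the start of every subnet; the fifth reserved address
# is the subnet's last address (directed broadcast).
RESERVED_OFFSETS = {
    0: "network address",
    1: "VPC router",
    2: "Amazon-provided DNS",
    3: "reserved for future use",
}
MAX_SECONDARY_CIDRS = 4  # up to 4 secondary blocks, 5 CIDRs in total


def reserved_addresses(subnet_cidr):
    """Map each of the five AWS-reserved addresses in a subnet to its purpose."""
    net = ipaddress.IPv4Network(subnet_cidr)
    base = int(net.network_address)
    reserved = {str(ipaddress.IPv4Address(base + off)): why
                for off, why in RESERVED_OFFSETS.items()}
    reserved[str(net.broadcast_address)] = "directed broadcast (last address)"
    return reserved


def usable_hosts(subnet_cidr):
    """Usable addresses in a subnet: total size minus the five AWS reserves."""
    net = ipaddress.IPv4Network(subnet_cidr)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{subnet_cidr}: AWS subnets must be between /16 and /28")
    return net.num_addresses - 5


def plan_vpc(primary_cidr, secondary_cidrs, subnet_cidrs):
    """Return a list of planning problems; an empty list means the plan is sound."""
    problems = []
    vpc_blocks = [ipaddress.IPv4Network(primary_cidr)]
    if len(secondary_cidrs) > MAX_SECONDARY_CIDRS:
        problems.append(f"{len(secondary_cidrs)} secondary CIDRs exceeds the "
                        f"limit of {MAX_SECONDARY_CIDRS}")
    for cidr in secondary_cidrs:
        block = ipaddress.IPv4Network(cidr)
        if any(block.overlaps(existing) for existing in vpc_blocks):
            problems.append(f"secondary CIDR {cidr} overlaps an existing VPC CIDR")
        vpc_blocks.append(block)
    subnets = [ipaddress.IPv4Network(c) for c in subnet_cidrs]
    for i, subnet in enumerate(subnets):
        if not any(subnet.subnet_of(block) for block in vpc_blocks):
            problems.append(f"subnet {subnet} is not inside any VPC CIDR block")
        for other in subnets[i + 1:]:
            if subnet.overlaps(other):
                problems.append(f"subnets {subnet} and {other} overlap")
    return problems


def can_peer(vpc_a_cidrs, vpc_b_cidrs):
    """Peering is only possible when no CIDR of one VPC overlaps any CIDR of the other."""
    blocks_a = [ipaddress.IPv4Network(c) for c in vpc_a_cidrs]
    blocks_b = [ipaddress.IPv4Network(c) for c in vpc_b_cidrs]
    return not any(a.overlaps(b) for a in blocks_a for b in blocks_b)


if __name__ == "__main__":
    # Constructed sample plan with two deliberate mistakes.
    print(usable_hosts("10.0.0.0/28"), "usable addresses in a /28")
    for addr, why in reserved_addresses("10.0.1.0/24").items():
        print(f"  {addr:<12} {why}")
    print(plan_vpc("10.0.0.0/16", ["10.0.128.0/17"], ["10.0.1.0/24", "10.0.1.0/25"]))
    print("can peer with default VPC:", can_peer(["10.0.0.0/16"], ["172.31.0.0/16"]))
```

Running the planner against a proposed design also catches the secondary-CIDR trap: a block that overlaps the primary is rejected, and a design that needs more than four secondaries cannot be fixed later because the primary CIDR is immutable.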
AWS Wavelength and AWS Outposts extend VPC constructs to the edge. For Wavelength Zones, AWS manages the physical carrier infrastructure — customers are NOT responsible for carrier connectivity hardware. The shared responsibility model does NOT change for edge services — AWS still owns the physical infrastructure.
When troubleshooting connectivity issues: (1) Check Security Group rules (stateful, allow only), (2) Check NACL rules (stateless, remember ephemeral ports 1024-65535 on outbound), (3) Check route tables (correct target for destination), (4) Check IGW attachment, (5) Check public IP assignment. Use VPC Reachability Analyzer to automate this.
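The five-step checklist above can be walked mechanically, and doing so makes the stateful/stateless distinction visible: the security group check is a single inbound lookup, while the NACL needs a second lookup for the return traffic on the client's ephemeral port. The following simulator is an added example written for this page, not code from the page's author or AWS's Reachability Analyzer; the data classes, the sample web server and the ids `igw-0abc123def456` and `nat-0abc123def456` are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

EPHEMERAL_PORTS = (1024, 65535)   # return traffic goes to a client's ephemeral port


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


@dataclass
class SGRule:                      # security group: allow rules only, stateful
    protocol: str
    ports: tuple
    cidr: str


@dataclass
class NaclRule:                    # network ACL: numbered, stateless, allow or deny
    number: int
    direction: str                 # "inbound" or "outbound"
    protocol: str                  # "tcp", "udp" or "all"
    ports: tuple
    cidr: str
    action: str                    # "allow" or "deny"


@dataclass
class Instance:
    sg_rules: list
    nacl_rules: list
    routes: dict                   # destination CIDR -> target, e.g. "0.0.0.0/0": "igw-..."
    public_ip: Optional[str] = None


def sg_allows(rules, protocol, port, src_ip):
    """Any matching allow rule admits the request; the reply is allowed implicitly."""
    return any(r.protocol == protocol and r.ports[0] <= port <= r.ports[1]
               and _in_cidr(src_ip, r.cidr) for r in rules)


def nacl_decision(rules, direction, protocol, port, remote_ip):
    """First match in ascending rule-number order wins; the implicit '*' rule denies."""
    for r in sorted(rules, key=lambda r: r.number):
        if (r.direction == direction and r.protocol in (protocol, "all")
                and r.ports[0] <= port <= r.ports[1] and _in_cidr(remote_ip, r.cidr)):
            return r.action
    return "deny"


def route_target(routes, dst_ip):
    """Longest-prefix match over the route table, as the VPC router does."""
    best = None
    for cidr, target in routes.items():
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def diagnose(instance, attached_igws, client_ip, protocol, port, client_port=50000):
    """Walk the page's five-step checklist; an empty list means the client can reach the port."""
    findings = []
    if not sg_allows(instance.sg_rules, protocol, port, client_ip):
        findings.append(f"security group: no allow rule for {protocol}/{port} from {client_ip}")
    if nacl_decision(instance.nacl_rules, "inbound", protocol, port, client_ip) != "allow":
        findings.append(f"NACL inbound: {protocol}/{port} from {client_ip} is denied")
    if nacl_decision(instance.nacl_rules, "outbound", protocol, client_port, client_ip) != "allow":
        findings.append(f"NACL outbound: return traffic to ephemeral port {client_port} is denied (stateless)")
    target = route_target(instance.routes, client_ip)
    if target is None or not target.startswith("igw-"):
        findings.append(f"route table: route toward {client_ip} points at {target}, not an Internet Gateway")
    elif target not in attached_igws:
        findings.append(f"route table: {target} is not attached to this VPC")
    if instance.public_ip is None:
        findings.append("instance has no public IPv4 address or EIP")
    return findings


def sample_web_server(**overrides):
    """Constructed public web server: HTTPS open, one NACL deny for a known-bad range."""
    base = dict(
        sg_rules=[SGRule("tcp", (443, 443), "0.0.0.0/0")],
        nacl_rules=[
            NaclRule(90, "inbound", "all", (0, 65535), "203.0.113.0/24", "deny"),
            NaclRule(100, "inbound", "tcp", (443, 443), "0.0.0.0/0", "allow"),
            NaclRule(100, "outbound", "tcp", EPHEMERAL_PORTS, "0.0.0.0/0", "allow"),
        ],
        routes={"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0abc123def456"},
        public_ip="198.51.100.10",
    )
    base.update(overrides)
    return Instance(**base)


if __name__ == "__main__":
    igws = {"igw-0abc123def456"}
    print("healthy:", diagnose(sample_web_server(), igws, "192.0.2.50", "tcp", 443))
    print("blocked range:", diagnose(sample_web_server(), igws, "203.0.113.7", "tcp", 443))
    print("no ephemeral rule:", diagnose(sample_web_server(nacl_rules=[
        NaclRule(100, "inbound", "tcp", (443, 443), "0.0.0.0/0", "allow"),
        NaclRule(100, "outbound", "tcp", (443, 443), "0.0.0.0/0", "allow")]), igws, "192.0.2.50", "tcp", 443))
```

The blocked-range case shows why the deny lives in the NACL: rule 90 is evaluated before the allow at rule 100 and there is no security-group equivalent. The no-ephemeral-rule case is the classic stateless mistake, where inbound HTTPS is allowed but the replies have nowhere to go.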
Common Mistake: Security groups can be used to block (deny) traffic from specific IP addresses.
Correct: Security groups support ALLOW rules ONLY. You cannot create a DENY rule in a security group. To block specific IP addresses or CIDR ranges, you MUST use a Network ACL, which supports both ALLOW and DENY rules.
This is one of the most common wrong answers on certification exams. When a scenario says 'block traffic from a known malicious IP,' the answer is always NACL, never security group. Remember: SGs = stateful + allow only; NACLs = stateless + allow and deny.
Common Mistake: VPC Peering allows transitive routing; if A peers with B and B peers with C, A can reach C.
Correct: VPC Peering is strictly non-transitive. Traffic cannot pass through an intermediate VPC. Each pair of VPCs that needs to communicate requires its own peering connection. For transitive routing across many VPCs, use AWS Transit Gateway.
This misconception leads candidates to choose VPC Peering for complex multi-VPC architectures when Transit Gateway is the correct answer. Remember the rule: peering = point-to-point, non-transitive. TGW = hub-and-spoke, transitive.
Common Mistake: A subnet is 'public' because of a setting on the subnet itself.
Correct: A subnet becomes 'public' solely because its associated route table contains a route to an Internet Gateway (0.0.0.0/0 → igw-xxxxx). The subnet has no inherent 'public' property. Additionally, instances in that subnet need a public IP (or EIP) to actually be internet-accessible.
Candidates often look for a 'make public' checkbox on subnets. The 'Auto-assign public IPv4 address' setting is separate and only affects whether instances get a public IP — it does NOT make a subnet public. The route table is the definitive factor.
Common Mistake: AWS is responsible for physical infrastructure in Wavelength Zones and Outposts, but customers are responsible for carrier network connectivity.
Correct: AWS maintains full responsibility for ALL physical infrastructure in Wavelength Zones, including the carrier network integration hardware. The shared responsibility model does not shift physical hardware responsibility to customers just because the infrastructure is at an edge location or carrier facility.
This is a top misconception in exam questions about edge computing. AWS manages the physical hardware, carrier interconnects, and infrastructure. Customers are responsible for their workloads, configurations, and data — same as in any AWS region. 'Edge location' does not mean 'customer manages hardware.'
Common Mistake: NAT Gateways are VPC-level resources that serve all subnets in a VPC.
Correct: NAT Gateways are AZ-specific resources deployed in a specific subnet. Each AZ should have its own NAT Gateway for high availability. Private subnets in AZ-A should route through the NAT Gateway in AZ-A, not through a NAT Gateway in AZ-B (which would incur inter-AZ data transfer charges and create an AZ dependency).
A single NAT Gateway design is a SPOF and creates unnecessary cross-AZ data transfer costs. Exam scenarios testing HA and cost optimization will require you to know that NAT Gateways must be deployed per-AZ with per-AZ route tables.
Common Mistake: VPC Flow Logs can be used to capture packet payloads for deep packet inspection.
Correct: VPC Flow Logs only capture connection metadata (5-tuple: src IP, dst IP, src port, dst port, protocol) plus bytes, packets, action, and status. They do NOT capture packet payloads. For deep packet inspection, use Traffic Mirroring (copies actual packets to an inspection appliance) or AWS Network Firewall.
Candidates confuse flow logs with full packet capture. When exam questions ask about 'inspecting packet contents,' 'payload analysis,' or 'IDS/IPS,' the answer involves Traffic Mirroring or Network Firewall — not Flow Logs.
Common Mistake: Gateway Endpoints for S3 work when accessed from on-premises via Direct Connect or VPN.
Correct: Gateway Endpoints are NOT accessible from on-premises networks via Direct Connect or VPN. They only work from within the VPC itself (via route table entries). For private S3 access from on-premises, you must use an Interface Endpoint for S3 (which creates an ENI with a private IP that is routable over DX/VPN).
This is a classic hybrid connectivity trap. The free Gateway Endpoint seems like the obvious choice, but it's architecturally incompatible with on-premises access. Interface Endpoints cost money but are accessible over private network connections.
Common Mistake: Deleting the default VPC is permanent and cannot be recovered.
Correct: You CAN recreate a default VPC if you accidentally delete it, using the AWS Console or CLI ('ec2 create-default-vpc'). However, you can only have ONE default VPC per region, and you cannot make a custom VPC the default VPC.
Candidates either fear deleting the default VPC (thinking it's unrecoverable) or don't know the recreation procedure. More importantly, exam questions sometimes test whether you know the default VPC's CIDR (172.31.0.0/16) and its properties (IGW attached, /20 subnets per AZ, public IP auto-assignment enabled).
NACL = 'No Automatic Connection Logging' (stateLESS — you must explicitly allow BOTH directions, like a border checkpoint that checks passports going IN and OUT separately)
SG = 'Stateful Guardian' (remembers the conversation — if you let traffic IN, the response automatically gets OUT)
The 5 reserved IPs in a subnet: 'Never Rover Fights Dirty' = Network address, Router (.1), Reserved DNS (.2), Future use (.3), Directed broadcast (last IP)
VPC Peering = 'Phone calls, not conference calls' — each pair needs its own direct line, you can't relay through a third party
Gateway Endpoint = 'FREE Gate for S3 and DynamoDB' (the two Ds: Direct and DynamoDB, plus S3)
Public subnet = 'Route to IGW = Road to Internet' — no route, no public access, regardless of any other setting
NACL rules: 'Lower number wins' — evaluated lowest rule number first, like a numbered priority queue
CertAI Tutor · SAA-C03, SAP-C02, DEA-C01, DOP-C02, SCS-C02, AIF-C01, CLF-C02, DVA-C02 · 2026-02-21