
AWS VPC: Subnets, Route Tables, and Security

VPC is the networking layer of AWS. Here's what the exam tests — subnets, routing, and the security group vs NACL distinction.

Examifyr·2026·6 min read

VPC fundamentals

A VPC is your isolated private network in AWS. You control IP ranges, subnets, routing, and gateways.

# VPC (Virtual Private Cloud):
# - Logically isolated section of AWS
# - You define the IP address range (CIDR block)
# - Spans all Availability Zones in a region
# - Default VPC exists in every region

# CIDR block: defines IP range
# 10.0.0.0/16 = 65,536 addresses (10.0.0.0 - 10.0.255.255)
# 10.0.1.0/24 = 256 addresses (10.0.1.0 - 10.0.1.255)

# Availability Zone → Subnet
# A subnet lives in ONE Availability Zone
# Best practice: at least 2 AZs for high availability

Public vs private subnets

A public subnet has a route to the internet gateway. A private subnet does not.

# Public subnet:
# - Has route: 0.0.0.0/0 → Internet Gateway
# - Resources can have public IP addresses
# - Accessible from the internet (if security group allows)
# - Use: web servers, load balancers, bastion hosts

# Private subnet:
# - No route to Internet Gateway
# - Resources only have private IP addresses
# - NOT directly accessible from internet
# - Use: databases, application servers, caches

# For a private subnet to reach the internet (e.g., to download patches):
# NAT Gateway (in public subnet) → Internet Gateway
# Private subnet route: 0.0.0.0/0 → NAT Gateway

Note: NAT Gateway allows private subnet instances to initiate outbound internet connections but blocks inbound connections from the internet.

Security groups vs Network ACLs

Both filter traffic, but at different levels and with different statefulness.

# Security Groups:
# - Instance level (attached to ENI)
# - Stateful: return traffic automatically allowed
# - Only Allow rules (no Deny)
# - All rules evaluated together; any matching rule allows the traffic

# Network ACLs (NACLs):
# - Subnet level
# - Stateless: must explicitly allow inbound AND outbound
# - Both Allow and Deny rules
# - Rules evaluated in order by rule number (lowest first)

# Example: allow web traffic
# Security Group (instance):
# Inbound: Allow TCP 80 from 0.0.0.0/0
# (outbound automatically allowed — stateful)

# NACL (subnet):
# Inbound:  Allow TCP 80 from 0.0.0.0/0
# Outbound: Allow TCP 1024-65535 (ephemeral ports) to 0.0.0.0/0

Note: This stateful vs stateless distinction is the most commonly tested VPC concept. NACLs require both inbound AND outbound rules for any connection.
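To make the stateful vs stateless rule concrete, here is an added Python model (not AWS code and not part of the original guide) that evaluates a security group the way AWS does (allow-only, any match permits) and a NACL (lowest rule number first, first match decides, implicit deny), then checks whether an inbound web request and its reply both get through. All rule sets and client addresses are constructed for the example.

```python
"""Constructed model of the two VPC filters above (not AWS code): a security
group is stateful and allow-only; a NACL is stateless and evaluated in order."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    number: int      # NACL evaluation order; irrelevant for security groups
    action: str      # "allow" or "deny" (security groups only ever "allow")
    proto: str
    port_from: int
    port_to: int
    cidr: str

    def matches(self, proto, port, ip):
        return (self.proto == proto and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


def sg_allows(rules, proto, port, ip):
    """Security group: any matching rule permits; nothing matching means deny."""
    return any(r.matches(proto, port, ip) for r in rules)


def nacl_allows(rules, proto, port, ip):
    """NACL: lowest rule number first, first match decides, else the '*' deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(proto, port, ip):
            return r.action == "allow"
    return False


def web_request_permitted(sg_in, nacl_in, nacl_out, client_ip, client_port):
    """Client at client_ip:client_port opens TCP/80 to an instance.
    The SG is consulted only for the inbound SYN (stateful: the reply is tracked).
    The NACL must allow the inbound SYN AND the reply to the ephemeral port."""
    sg_ok = sg_allows(sg_in, "tcp", 80, client_ip)
    nacl_ok = (nacl_allows(nacl_in, "tcp", 80, client_ip)
               and nacl_allows(nacl_out, "tcp", client_port, client_ip))
    return sg_ok and nacl_ok


# Constructed rule sets mirroring the page's web-traffic example
SG_INBOUND = [Rule(0, "allow", "tcp", 80, 80, "0.0.0.0/0")]
NACL_INBOUND = [Rule(100, "allow", "tcp", 80, 80, "0.0.0.0/0")]
NACL_OUTBOUND_OK = [Rule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]
NACL_OUTBOUND_MISSING = []  # no ephemeral-port rule: replies are dropped
# A deny numbered below the allow takes effect; numbered above it, it is never reached
NACL_IN_DENY_FIRST = [Rule(50, "deny", "tcp", 80, 80, "203.0.113.0/24")] + NACL_INBOUND
NACL_IN_DENY_LATE = NACL_INBOUND + [Rule(200, "deny", "tcp", 80, 80, "203.0.113.0/24")]
```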

VPC connectivity

There are several options for connecting VPCs to each other and to on-premises networks.

# VPC Peering:
# - Direct connection between two VPCs
# - Traffic stays on AWS network (not internet)
# - No transitive peering (A-B-C doesn't mean A-C)

# Transit Gateway:
# - Hub connecting many VPCs and on-premises
# - Enables transitive routing
# - Simplifies complex multi-VPC architectures

# VPN (Virtual Private Gateway + Customer Gateway):
# - Encrypted tunnel from on-premises to VPC
# - Over public internet

# Direct Connect:
# - Dedicated physical line from on-premises to AWS
# - More reliable, consistent bandwidth
# - NOT over the internet

Note: VPN is over the internet (encrypted). Direct Connect is a dedicated physical line. Direct Connect is more expensive but provides consistent latency.

Exam tip

Security groups vs NACLs is the #1 VPC exam question. Key differences: SGs are stateful/instance-level/allow-only; NACLs are stateless/subnet-level/allow+deny. Also know: NAT Gateway for private→internet outbound only.
