AWS Private Networking

Virtual Private Cloud (VPC):

  • A private network within AWS. It's our private data center inside the AWS platform.

  • Can be configured to be public/private or a mixture.

  • Regional (can't span regions), highly available, and can be connected to our data center and corporate networks.

  • Isolated from other VPCs by default.

  • VPC and subnet: max /16 (65,536 IPs) and minimum /28 (16 IPs)

  • VPC subnets cannot span AZs (1:1 mapping)

  • Certain IPs are reserved in subnets.

Region Default VPC:

  • Required for some services, used as a default for most.

  • Pre-configured with all required networking/security

  • Configured using a /16 CIDR block (

  • A /20 public subnet in each AZ, allocating a public IP by default.

  • Attached internet gateway with a "main" route table sending all IPv4 traffic to the internet gateway using a route.

  • A default DHCP option set attached.

  • SG: Default - all from itself, all outbound.

  • NACL: Default - allow all inbound and outbound.

Custom VPC:

  • Can be designed and configured in any valid way.

  • We need to allocate IP ranges, create subnets, and provision gateways and networking, as well as design and implement security.

  • When we need multiple tiers or a more complex set of networking.

  • Best practice is to not use default for most production things.