Amazon Virtual Private Cloud (VPC) is the foundational networking layer of AWS. It lets you provision a logically isolated section of the AWS cloud where you launch resources in a virtual network that you define. Think of a VPC as your own private data centre inside AWS — except you never have to rack a server or run a cable.
Every resource you create on AWS — an EC2 instance, an RDS database, a Lambda function connected to your data tier — ultimately lives inside a VPC. Without understanding VPCs you cannot:
VPC is not an optional add-on; it is the network fabric that everything else plugs into.
Before we deep-dive in later lessons, here is a bird's-eye view of the components that make up a VPC:
| Component | Purpose |
|---|---|
| VPC | Your private network, defined by a CIDR block |
| Subnet | A range of IPs within the VPC, tied to one Availability Zone |
| Internet Gateway (IGW) | Allows public subnets to reach the internet |
| NAT Gateway | Allows private subnets outbound-only internet access |
| Route Table | Rules that direct traffic within and outside the VPC |
| Security Group | Stateful firewall at the instance / ENI level |
| Network ACL (NACL) | Stateless firewall at the subnet level |
| VPC Peering | Connect two VPCs over private IPs |
| Transit Gateway | Hub-and-spoke connectivity for many VPCs |
| VPN Gateway | Encrypted tunnel to an on-premises network |
| AWS Direct Connect | Dedicated private link to AWS |
| VPC Endpoint | Private access to AWS services without the internet |
| Elastic Network Interface (ENI) | Virtual network card attached to instances |
Every VPC must be created with a primary CIDR block (Classless Inter-Domain Routing). CIDR notation tells AWS the range of private IP addresses available inside the VPC.
A CIDR block looks like this: 10.0.0.0/16
- 10.0.0.0 is the network address.
- /16 is the prefix length — it tells you how many bits are fixed.

| CIDR Block | Prefix | Available IPs | Common Use |
|---|---|---|---|
| 10.0.0.0/8 | 8 bits fixed | ~16.7 million | Large enterprise |
| 10.0.0.0/16 | 16 bits fixed | 65,536 | Standard VPC |
| 10.0.0.0/24 | 24 bits fixed | 256 | Single subnet |
| 10.0.0.0/28 | 28 bits fixed | 16 | Very small subnet |
AWS allows VPC CIDR blocks ranging from /16 (65,536 IPs) to /28 (16 IPs). RFC 1918 private address ranges are recommended:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16

In every subnet, AWS reserves five IP addresses:

| Address | Purpose |
|---|---|
| First IP (e.g. 10.0.1.0) | Network address |
| Second IP (e.g. 10.0.1.1) | VPC router |
| Third IP (e.g. 10.0.1.2) | DNS server |
| Fourth IP (e.g. 10.0.1.3) | Reserved for future use |
| Last IP (e.g. 10.0.1.255) | Broadcast (not supported but reserved) |
So a /24 subnet gives you 256 − 5 = 251 usable addresses.
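The CIDR rules above are easy to get wrong by hand, so here is a small Python helper (an added example, not part of the course material) that checks a proposed VPC CIDR against the AWS /16–/28 limit and the RFC 1918 ranges, names the five addresses AWS reserves in a subnet, and computes the usable host count. It uses only the standard `ipaddress` module; the function names are this example's own.

```python
import ipaddress

# RFC 1918 private ranges, the address space recommended for VPC CIDR blocks
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Offsets of the first four addresses AWS reserves in every subnet (the fifth is the broadcast)
RESERVED_OFFSETS = {"network address": 0, "VPC router": 1, "DNS server": 2, "reserved for future use": 3}


def validate_vpc_cidr(cidr: str) -> list:
    """Return a list of problems with a proposed VPC CIDR; an empty list means it is acceptable.

    AWS limits a VPC's primary CIDR to /16 .. /28 and recommends RFC 1918 space.
    strict=True rejects blocks with host bits set (e.g. 10.0.1.5/24), a common typo.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"not a valid CIDR block: {exc}"]
    if net.version != 4:
        return ["only IPv4 CIDR blocks are handled here"]
    problems = []
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"prefix /{net.prefixlen} is outside the AWS range /16-/28")
    if not any(net.subnet_of(private) for private in RFC1918):
        problems.append("not in RFC 1918 private space (allowed, but not recommended)")
    return problems


def reserved_addresses(subnet_cidr: str) -> dict:
    """Map each reserved role to the concrete address AWS takes from the subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    base = int(net.network_address)
    reserved = {role: str(ipaddress.ip_address(base + off)) for role, off in RESERVED_OFFSETS.items()}
    reserved["broadcast (unsupported, still reserved)"] = str(net.broadcast_address)
    return reserved


def usable_hosts(subnet_cidr: str) -> int:
    """Addresses you can actually assign: subnet size minus the five AWS reserves."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - 5


if __name__ == "__main__":
    for cidr in ("10.0.0.0/16", "10.0.0.0/8", "203.0.113.0/24", "10.0.1.5/24"):
        print(cidr, validate_vpc_cidr(cidr) or "OK")
    print(reserved_addresses("10.0.1.0/24"))
    print("usable in 10.0.1.0/24:", usable_hosts("10.0.1.0/24"))
```

Running it shows that 10.0.0.0/8 is rejected purely on prefix length, that a non-RFC 1918 block such as 203.0.113.0/24 is flagged but not rejected, and that a /28 leaves only 11 assignable addresses once the five reserves are taken out, which is why tiny subnets fill up faster than the raw size suggests.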
Every AWS account comes with a default VPC in each Region. It is pre-configured with:
- A /16 CIDR block: 172.31.0.0/16
- A public subnet in each Availability Zone (/20)
- A route for 0.0.0.0/0 to the Internet Gateway (IGW)

The default VPC is great for quick experiments, but for production you should always create a custom VPC with subnets and security controls tailored to your workload.
A well-designed custom VPC typically follows a multi-tier pattern:
```
Region: eu-west-2
┌──────────────────────────────────────────────────┐
│ VPC 10.0.0.0/16                                  │
│                                                  │
│ ┌──────────────────┐    ┌──────────────────┐     │
│ │ Public Subnet    │    │ Public Subnet    │     │
│ │ 10.0.1.0/24      │    │ 10.0.2.0/24      │     │
│ │ AZ-a             │    │ AZ-b             │     │
│ │ Web / ALB        │    │ Web / ALB        │     │
│ └──────────────────┘    └──────────────────┘     │
│                                                  │
│ ┌──────────────────┐    ┌──────────────────┐     │
│ │ Private Subnet   │    │ Private Subnet   │     │
│ │ 10.0.3.0/24      │    │ 10.0.4.0/24      │     │
│ │ AZ-a             │    │ AZ-b             │     │
│ │ App Servers      │    │ App Servers      │     │
│ └──────────────────┘    └──────────────────┘     │
│                                                  │
│ ┌──────────────────┐    ┌──────────────────┐     │
│ │ Private Subnet   │    │ Private Subnet   │     │
│ │ 10.0.5.0/24      │    │ 10.0.6.0/24      │     │
│ │ AZ-a             │    │ AZ-b             │     │
│ │ Databases        │    │ Databases        │     │
│ └──────────────────┘    └──────────────────┘     │
│                                                  │
└──────────────────────────────────────────────────┘
```
This three-tier layout — public, application, data — is the backbone of most production architectures on AWS.
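What actually makes a subnet "public" or "private" in this layout is its route table, not its name. The Python below is an added example (not course code) that models the six subnets from the diagram with constructed route tables, classifies each subnet by where its route table sends internet-bound traffic using the same longest-prefix match the VPC router performs, and sanity-checks the plan for blocks that fall outside the VPC or overlap each other. The gateway ids (`igw-PLACEHOLDER`, `nat-PLACEHOLDER`), the route-table names and the choice to give the database subnets no default route at all are this example's assumptions.

```python
import ipaddress
from typing import Optional

# Constructed example data for the three-tier layout above. Gateway ids are placeholders.
VPC_CIDR = "10.0.0.0/16"

# subnet name -> (CIDR, Availability Zone, route table it is associated with)
SUBNETS = {
    "public-a": ("10.0.1.0/24", "eu-west-2a", "rt-public"),
    "public-b": ("10.0.2.0/24", "eu-west-2b", "rt-public"),
    "app-a":    ("10.0.3.0/24", "eu-west-2a", "rt-app"),
    "app-b":    ("10.0.4.0/24", "eu-west-2b", "rt-app"),
    "db-a":     ("10.0.5.0/24", "eu-west-2a", "rt-data"),
    "db-b":     ("10.0.6.0/24", "eu-west-2b", "rt-data"),
}

# route table -> list of (destination CIDR, target). Every table carries the "local" route for the VPC.
ROUTE_TABLES = {
    "rt-public": [(VPC_CIDR, "local"), ("0.0.0.0/0", "igw-PLACEHOLDER")],
    "rt-app":    [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-PLACEHOLDER")],
    "rt-data":   [(VPC_CIDR, "local")],   # no default route: the data tier cannot reach the internet
}


def lookup_route(route_table: str, dest_ip: str) -> Optional[str]:
    """Longest-prefix match over a route table, which is how the VPC router picks a target.
    Returns None when no route matches (the packet is dropped)."""
    ip = ipaddress.ip_address(dest_ip)
    best_net, best_target = None, None
    for dest_cidr, target in ROUTE_TABLES[route_table]:
        net = ipaddress.ip_network(dest_cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def subnet_kind(subnet_name: str) -> str:
    """Classify a subnet by where its route table sends internet-bound traffic.
    203.0.113.10 is a TEST-NET-3 address standing in for 'any public IP'."""
    target = lookup_route(SUBNETS[subnet_name][2], "203.0.113.10")
    if target is None:
        return "isolated"      # no default route at all
    if target.startswith("igw-"):
        return "public"        # default route to an Internet Gateway
    return "private"           # default route via NAT: outbound only


def layout_problems(subnets: dict = SUBNETS, vpc_cidr: str = VPC_CIDR) -> list:
    """Sanity-check a subnet plan: each block inside the VPC CIDR, no two blocks overlapping."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(spec[0]) for name, spec in subnets.items()}
    problems = [f"{name} {net} is outside the VPC {vpc}" for name, net in nets.items() if not net.subnet_of(vpc)]
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


if __name__ == "__main__":
    for name in SUBNETS:
        print(f"{name:9s} {SUBNETS[name][0]:13s} {subnet_kind(name)}")
    print("layout problems:", layout_problems() or "none")
```

The classification rule is the one worth remembering: a subnet is public exactly when its route table has a 0.0.0.0/0 route whose target is an Internet Gateway. Moving the app tier from `rt-app` to `rt-public` would make it public without touching a single instance, which is why route-table associations deserve the same review attention as security groups.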
When you create a VPC you choose a tenancy model:
| Tenancy | Description | Cost |
|---|---|---|
| Default | Instances may share physical hardware with other accounts | Standard pricing |
| Dedicated | All instances run on single-tenant hardware | Premium pricing |
Most workloads use default tenancy. Dedicated tenancy is typically required by compliance regimes that forbid shared hardware (e.g., certain government or financial regulations).
An ENI is a virtual network card. Every EC2 instance has at least one. ENIs carry:
You can detach an ENI from one instance and attach it to another — useful for failover scenarios where you want to move a private IP between instances without changing DNS.
Here is a simplified flow for a user requesting a web page hosted in AWS:
At no point does the database need a public IP or direct internet access — it sits safely in a private subnet.
Tag resources with Environment, Team, and CostCentre for visibility and billing.

Amazon VPC is the networking foundation of every AWS architecture. It gives you complete control over IP addressing, subnet layout, routing, and security. Understanding CIDR notation, the distinction between public and private subnets, and the role of gateways and route tables is essential before you build anything in production on AWS.
In the next lesson we will dive into subnets — the building blocks of VPC design — and explore how public and private subnets work in detail.