A VPC is a private network space in AWS. EC2 instances run inside subnets, and subnets belong to a VPC.
VPC and Subnet
A VPC is a logically isolated network area. A subnet groups resources based on security or operational needs.
Common split:
- Public Subnet: web servers, load balancers, public-facing resources
- Private Subnet: databases and internal services
Typical inbound path:
Internet -> Internet Gateway -> Network ACL -> Security Group -> EC2
Internet Gateway
An Internet Gateway enables two-way internet communication for a VPC.
For a public EC2 instance to be reachable:
- The subnet route table points to the IGW.
- The resource has a public IP.
- The security group allows inbound traffic.
- The NACL allows both the inbound request and the outbound return traffic (NACLs are stateless, so the return leg needs its own rule).
NAT Gateway
A NAT Gateway lets instances in a private subnet initiate outbound connections to the internet, while preventing the internet from initiating connections to those instances.
Typical use: private EC2 instances downloading patches or calling external APIs.
VPN and Direct Connect
Client VPN: secure access for remote workers.
Site-to-Site VPN: encrypted tunnel between an on-premises network and a VPC.
Direct Connect: dedicated physical connection between on-premises and AWS, with low latency and high bandwidth.
PrivateLink: private access to AWS, third-party, or custom services without public internet.
Transit Gateway
Transit Gateway is a central hub for connecting multiple VPCs and on-premises networks. It is useful for multi-VPC, multi-account and hybrid architectures.
Security Group vs NACL
A security group is an instance-level firewall.
- Stateful
- Allow rules only
- Controls individual resources
- Return traffic is automatically allowed
A network ACL is a subnet-level firewall.
- Stateless
- Allow and deny rules
- Controls an entire subnet
- Inbound and outbound rules both matter
Memory aid:
- Security Group is the instance guard
- NACL is the subnet border checkpoint
Security groups are used more often. NACLs are useful for coarse subnet boundary control, for example explicitly denying a CIDR range, which a security group cannot express.
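The following is an added example, not part of the original notes and not an AWS API: a small Python model of the inbound path Internet -> Internet Gateway -> Network ACL -> Security Group -> EC2 described above. It walks the reachability checklist from the Internet Gateway section (route to IGW, public IP, SG rule, NACL rules) and then checks the return leg, which is where the stateful security group and the stateless NACL behave differently. The route target "igw-EXAMPLE", the IP addresses and the rule sets are constructed sample values.

```python
"""Toy evaluator for the inbound path in these notes:
Internet -> Internet Gateway -> Network ACL -> Security Group -> EC2,
plus the return leg. Model only; it does not call AWS."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # NACLs may also use "deny"; security groups are allow-only
    number: int = 100      # NACL rule number; lowest is evaluated first

    def matches(self, proto: str, port: int, ip: str) -> bool:
        return (self.protocol in ("-1", proto)
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


def nacl_allows(rules, proto, port, remote_ip) -> bool:
    """Stateless: first matching rule by number wins, implicit deny at the end."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, port, remote_ip):
            return rule.action == "allow"
    return False


def sg_allows(rules, proto, port, remote_ip) -> bool:
    """Allow-only: any matching rule allows; everything else is implicitly denied."""
    return any(rule.matches(proto, port, remote_ip) for rule in rules)


@dataclass
class Subnet:
    routes: dict           # destination CIDR -> target, e.g. {"0.0.0.0/0": "igw-EXAMPLE"}
    nacl_inbound: list
    nacl_outbound: list


@dataclass
class Instance:
    public_ip: Optional[str]
    subnet: Subnet
    sg_inbound: list       # no outbound SG list: return traffic is allowed statefully


def evaluate_inbound(inst, client_ip, client_port, proto, dst_port):
    """Walk the public-instance checklist; return (reachable, list of failures)."""
    failures = []
    if not inst.subnet.routes.get(ANY, "").startswith("igw-"):
        failures.append("subnet route table has no 0.0.0.0/0 route to an Internet Gateway")
    if inst.public_ip is None:
        failures.append("instance has no public IP")
    if not nacl_allows(inst.subnet.nacl_inbound, proto, dst_port, client_ip):
        failures.append(f"NACL inbound denies {proto}/{dst_port} from {client_ip}")
    if not sg_allows(inst.sg_inbound, proto, dst_port, client_ip):
        failures.append(f"security group denies {proto}/{dst_port} from {client_ip}")
    # Return leg: the security group tracks connection state, so only the stateless
    # NACL is consulted again, on its outbound side, for the client's ephemeral port.
    if not nacl_allows(inst.subnet.nacl_outbound, proto, client_port, client_ip):
        failures.append(f"NACL outbound denies return traffic to {client_ip}:{client_port}")
    return not failures, failures


# Constructed sample configuration (not real AWS identifiers or addresses).
WEB_SG = [Rule("tcp", 443, 443, ANY)]
NACL_IN = [Rule("tcp", 443, 443, ANY, number=100)]
EPHEMERAL_OUT = [Rule("tcp", 1024, 65535, ANY, number=100)]
ROUTES = {ANY: "igw-EXAMPLE"}


def check_correct_public_subnet():
    inst = Instance("203.0.113.10", Subnet(ROUTES, NACL_IN, EPHEMERAL_OUT), WEB_SG)
    return evaluate_inbound(inst, "198.51.100.7", 51515, "tcp", 443)


def check_missing_ephemeral_rule():
    """Same SG, but the NACL outbound list lacks the ephemeral range: replies are dropped."""
    inst = Instance("203.0.113.10", Subnet(ROUTES, NACL_IN, NACL_IN), WEB_SG)
    return evaluate_inbound(inst, "198.51.100.7", 51515, "tcp", 443)


def check_private_subnet_instance():
    """No IGW route and no public IP: wide-open SG and NACL still leave it unreachable."""
    allow_all = [Rule("-1", 0, 65535, ANY)]
    inst = Instance(None, Subnet({"10.0.0.0/16": "local"}, allow_all, allow_all), allow_all)
    return evaluate_inbound(inst, "198.51.100.7", 51515, "tcp", 443)


if __name__ == "__main__":
    for check in (check_correct_public_subnet, check_missing_ephemeral_rule, check_private_subnet_instance):
        ok, why = check()
        print(check.__name__, "reachable" if ok else "blocked", why)
```

The second scenario is the classic NACL mistake the notes warn about: the inbound 443 rule is present, the security group is correct, yet the connection fails because the stateless NACL has no outbound rule for the client's ephemeral port. The third scenario shows that security group and NACL rules are irrelevant when the route table and public IP prerequisites are missing.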