DEV Community

Cover image for Understanding VPCs and Subnets: Foundations for AWS Networking
Brandon Damue
Brandon Damue

Posted on

Understanding VPCs and Subnets: Foundations for AWS Networking

Welcome to the world of AWS networking, where Virtual Private Clouds (VPCs) and subnets form the foundation of your cloud infrastructure. In this article, we will unravel the complexities of networking in AWS, delving into the power and flexibility offered by VPCs and subnets. Whether you're an experienced AWS practitioner or a newcomer to the cloud, this article will serve as your compass, guiding you through the intricacies of VPCs and subnets. So, fasten your seatbelt, because we're about to embark on an enlightening journey that will unlock the secrets to mastering AWS networking and unleashing the full potential of your cloud-based solutions.

What is an Amazon VPC?

VPC stands for Virtual Private Cloud and a VPC in AWS is simply a virtual network within the AWS cloud that lets you provision a logically isolated section of the cloud where you can launch AWS resources in a network that you define. With Amazon VPC, you have complete control over your virtual networking environment, including the selection of your own IP address ranges, creation of subnets, and configuration of route tables and network gateways. You can easily customize the network configuration for your Amazon VPC. For example, you can create a public-facing subnet (more on this later) for your web servers that have access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet. The diagram below shows a sample VPC with one subnet in each of the Availability Zones in the Region, EC2 instances in each subnet, and an internet gateway to allow communication between the resources in your VPC and the internet.

Image description

Amazon VPC provides a secure and isolated virtual network environment in the cloud, allowing you to customize and scale your network architecture based on your needs. It’s a fantastic tool that brings flexibility and security to your cloud network. With Amazon VPC, you can create your own virtual network environment and customize it to fit your unique needs. It’s like having your own private playground in the cloud! Plus, it seamlessly integrates with other AWS services, making it easy to build and deploy applications. Whether you’re a small startup or a large enterprise, Amazon VPC offers the scalability and control you need to succeed.

What are Subnets?

Subnets are like smaller segments within a VPC that help you organize and manage your resources. Subnets are like dividing an office building into smaller sections, where each section represents a department. In this analogy, subnets are created to organize and manage the network effectively.

Image description

The image above shows two VPCs in an AWS Region. Each VPC has public and private subnets and an internet gateway. You can optionally add subnets in a Local Zone, as shown in the image. A Local Zone is an AWS infrastructure deployment that places compute, storage, and database services closer to your end users. When you use a Local Zone, your end users can run applications that require single-digit millisecond latencies.

Subnet IP address range

Subnet IP address ranges define the range of IP addresses that can be assigned to resources within a subnet. These ranges are specified using CIDR notation, which stands for Classless Inter-Domain Routing. CIDR notation represents an IP address range as a combination of the network address and a prefix length, separated by a forward slash (/). The prefix length indicates the number of bits in the network address that are fixed and not available for host assignment.

For example, a subnet IP address range can be defined as Here, “” represents the network address, and “/24” indicates that the first 24 bits are fixed and the remaining 8 bits are available for host assignment. In this case, the subnet can accommodate up to 256 IP addresses (2⁸). The size of the subnet IP address range depends on the prefix length specified. A smaller prefix length allows for more IP addresses and hosts, while a larger prefix length results in fewer available IP addresses. When designing your VPC and subnet architecture, it’s important to consider the number of resources you plan to deploy and their IP address requirements. By carefully selecting and planning the subnet IP address ranges, you can ensure that you have sufficient addresses to accommodate your resources while avoiding IP address conflicts.

It’s worth noting that AWS reserves five IP addresses within a subnet IP address range. That is, the first four IP addresses and the last IP address in a subnet range are reserved for specific purposes, such as the network address, broadcast address, and AWS services, so keep this in mind when defining an IP address range for your subnet.

Subnet types

There are different subnet types available, each serving specific purposes within a VPC environment. The subnet types include:

  1. Public Subnet — A public subnet is a subnet that is associated with a route table that has a route to an Internet Gateway (IGW). It allows resources within the subnet to have direct connectivity to the internet. Public subnets are typically used for resources that need to be publicly accessible, such as web servers.
  2. Private Subnet — A private subnet is a subnet that is not directly accessible from the internet. It does not have a route to an IGW. Resources within a private subnet can communicate with each other and with resources in other subnets within the same VPC, but they require a NAT device to access the internet. Private subnets are commonly used for backend application servers or databases that do not need public access.
  3. VPN-only Subnet — A VPN-only subnet is a subnet that is associated with a virtual private gateway (VGW). It is used to establish a Site-to-Site VPN connection between your VPC and an on-premises network. Resources within a VPN-only subnet can communicate with resources in other subnets within the same VPC and with the on-premises network via the VPN connection.
  4. Isolated Subnet — An isolated subnet has no routes to destinations outside its VPC. Resources in an isolated subnet can only access or be accessed by other resources in the same VPC.

As we have just seen, each subnet type has its own characteristics and usage scenarios. By appropriately configuring and utilizing these different subnet types, you can build a flexible and secure network architecture within your AWS environment.

It is important to note that each subnet must be associated with a route table, which specifies the allowed routes for outbound traffic leaving the subnet. Every subnet that you create is automatically associated with the main route table for the VPC. You can change the association, and you can change the contents of the main route table.

Subnet Security

In subnets, security is primarily achieved through the use of network access control lists (NACLs) and security groups. These mechanisms provide control over inbound and outbound traffic to and from subnets, helping to enforce security policies and protect resources within the subnets.

Network ACLs: Network ACLs act as virtual firewalls at the subnet level. They control traffic flow in and out of the subnet based on rules that allow or deny specific protocols, ports, or IP addresses. Network ACLs are stateless, meaning that they evaluate each network packet individually, without considering the traffic flow.

Security Groups: Security groups, on the other hand, act as virtual firewalls at the instance level. They control inbound and outbound traffic for EC2 instances within the subnet. Security groups are stateful, which means that they allow return traffic automatically for requests initiated from the instances.

By defining and configuring appropriate network ACLs and security groups, you can implement granular control over the traffic that is allowed to access resources within your subnets. This helps in enforcing security best practices, preventing unauthorized access, and protecting your applications and data. It’s important to note that subnet security is just one aspect of a comprehensive security strategy in AWS. Other security measures, such as encryption, identity and access management, and monitoring, should also be implemented to ensure a robust and secure environment.

Security best practices for your VPC

When it comes to VPCs, security is of paramount importance. Implementing robust security measures ensures the protection of your resources and data in the cloud. In this section, we will explore essential security best practices for an Amazon VPC. From configuring network access controls to implementing encryption and monitoring. These best practices are general guidelines and don’t represent a complete security solution. Because they might not be appropriate or sufficient for your environment, it is recommended that you treat them as helpful considerations rather than prescriptions.

  • Use AWS Network Firewall to monitor and protect your VPC by filtering inbound and outbound traffic.
  • When you add subnets to your VPC to host your application, create them in multiple Availability Zones. An Availability Zone is one or more discrete data centres with redundant power, networking, and connectivity in an AWS Region. Using multiple Availability Zones makes your production applications highly available, fault-tolerant, and scalable.
  • Use security groups to control traffic to EC2 instances in your subnets.
  • Use network ACLs to control inbound and outbound traffic at the subnet level
  • Use VPC Flow Logs to monitor the IP traffic going to and from a VPC, subnet, or network interface.
  • Manage access to AWS resources in your VPC using AWS IAM identity federation, users, and roles.

Wrap Up

Amazon VPCs and subnets can seem complex at first, but they offer incredible flexibility and security for your cloud infrastructure. We’ve explored the ins and outs of VPCs, subnets, routing, and security, uncovering the key considerations for building a robust network environment. Remember, don’t be overwhelmed by the intricacies — take it step by step, ask questions, and experiment. With a solid understanding of VPCs and subnets, you’ll be well on your way to creating secure and scalable cloud architectures. Embrace the journey, and don’t hesitate to reach out if you need any further guidance. Thank you for your time!

Top comments (0)