5.1 VPC Architecture — Subnets, Route Tables, and Gateways

Key Takeaways

A VPC spans a single Region and contains subnets that each reside in a single Availability Zone.
Public subnets have a route to an Internet Gateway; private subnets route internet traffic through a NAT Gateway or NAT Instance.
Each subnet has exactly one route table; a route table can be associated with multiple subnets.
NAT Gateways are managed, highly available within an AZ, and cost \$0.045/hour plus \$0.045/GB processed — deploy one per AZ for high availability.
An Internet Gateway is horizontally scaled, redundant, and highly available — you do not manage its availability.

Last updated: March 2026

VPC Architecture — Subnets, Route Tables, and Gateways

Quick Answer: A VPC is your private network in AWS. Public subnets have a route to the Internet Gateway (IGW). Private subnets route outbound internet traffic through a NAT Gateway. Route tables control traffic flow. Deploy NAT Gateways in each AZ for high availability.

VPC Overview

A Virtual Private Cloud (VPC) is a logically isolated section of the AWS Cloud where you launch resources.

Feature	Detail
Region scope	A VPC spans a single Region
CIDR block	Primary IPv4 range (e.g., 10.0.0.0/16 = 65,536 IPs)
Secondary CIDR	Can add secondary CIDR blocks
IPv6	Optional, /56 block from Amazon's pool
Default VPC	One per Region, created automatically, has IGW and public subnets

Subnets

Subnets are segments of a VPC's IP range within a single AZ.

Public vs. Private Subnets

Feature	Public Subnet	Private Subnet
Route to IGW	Yes (0.0.0.0/0 → igw-xxx)	No
Auto-assign public IP	Typically enabled	Disabled
Resources	ALB, NAT Gateway, bastion hosts	Application servers, databases
Internet access	Direct (bidirectional)	Outbound only (via NAT Gateway)

Typical Multi-Tier Architecture

VPC (10.0.0.0/16)
├── Public Subnet AZ-a (10.0.1.0/24)
│   ├── ALB
│   └── NAT Gateway
├── Public Subnet AZ-b (10.0.2.0/24)
│   ├── ALB
│   └── NAT Gateway
├── Private Subnet AZ-a (10.0.10.0/24)
│   └── Application Servers (EC2/ECS)
├── Private Subnet AZ-b (10.0.20.0/24)
│   └── Application Servers (EC2/ECS)
├── Private Subnet AZ-a (10.0.100.0/24)
│   └── Databases (RDS, ElastiCache)
└── Private Subnet AZ-b (10.0.200.0/24)
    └── Databases (RDS, ElastiCache)

Route Tables

A route table contains rules (routes) that determine where network traffic is directed.

Destination	Target	Meaning
10.0.0.0/16	local	Traffic within the VPC stays local
0.0.0.0/0	igw-xxx	All other traffic goes to the Internet Gateway (public subnet)
0.0.0.0/0	nat-xxx	All other traffic goes to NAT Gateway (private subnet)

Key Rules

Each subnet must be associated with exactly one route table
A route table can be associated with multiple subnets
The most specific route wins (longest prefix match)
The local route (VPC CIDR) cannot be removed

Internet Gateway (IGW)

Feature	Detail
Purpose	Allows communication between VPC resources and the internet
Availability	Horizontally scaled, redundant, HA — you do NOT manage it
Requirements	Attach to VPC + route table entry + public IP on instance
Bidirectional	Allows both outbound and inbound internet traffic

NAT Gateway

Feature	Detail
Purpose	Allows private subnet resources to access the internet (outbound only)
Availability	HA within a single AZ
For cross-AZ HA	Deploy one NAT Gateway per AZ
Cost	$0.045/hour + $0.045/GB data processed
Bandwidth	Up to 100 Gbps
Deployed in	Public subnet (needs route to IGW)

NAT Gateway vs. NAT Instance

Feature	NAT Gateway	NAT Instance
Management	AWS managed	You manage (EC2 instance)
Availability	HA within AZ	Manual HA (scripting)
Bandwidth	Up to 100 Gbps	Depends on instance type
Cost	$0.045/hr + data	EC2 instance pricing
Security groups	Cannot associate	Can associate
Use case	Production (recommended)	Legacy, cost-sensitive

On the Exam: Always choose NAT Gateway over NAT Instance for production workloads. NAT Instance is legacy and only appropriate when cost is the primary constraint.

Test Your Knowledge

An application in a private subnet needs to download software updates from the internet but should NOT be reachable from the internet. Which component enables this?

Internet Gateway attached to the private subnet

NAT Gateway in a public subnet with a route from the private subnet

Elastic IP on the private instances

VPC peering with a public VPC

Test Your Knowledge

A company wants their NAT Gateway setup to be highly available across Availability Zones. What should they do?

Deploy a single NAT Gateway — it is automatically Multi-AZ

Deploy a NAT Gateway in each AZ and configure route tables accordingly

Use an Internet Gateway instead — it is Multi-AZ by default

Deploy two NAT Gateways in the same AZ for redundancy

Up Next

5.2 VPC Connectivity — Peering, Transit Gateway, and Direct Connect

Continue learning

AWS Solutions Architect Associate

1Introduction

2Domain 1: Design Secure Architectures (30%)

3Domain 2: Design Resilient Architectures (26%)

4Domain 3: Design High-Performing Architectures (24%)

5Domain 4: Design Cost-Optimized Architectures (20%)

6VPC and Networking Deep Dive

7Migration, Transfer, and Hybrid Services

8Serverless Architecture and Application Services

9Advanced Topics and Exam Scenarios