5.1 VPC Architecture — Subnets, Route Tables, and Gateways
Key Takeaways
- A VPC spans a single Region; each subnet lives in exactly one Availability Zone, so a Multi-AZ design needs at least one subnet per AZ.
- A subnet is public only because its route table sends 0.0.0.0/0 to an Internet Gateway — the label is determined by routing, not a checkbox.
- Private subnets reach the internet outbound-only through a NAT Gateway placed in a public subnet; deploy one NAT Gateway per AZ for resilience.
- Security groups are stateful and attach to ENIs (allow-only); Network ACLs are stateless and operate at the subnet boundary with numbered allow/deny rules.
- AWS reserves 5 IP addresses in every subnet, so a /24 (256 addresses) yields 251 usable IPs — a frequent capacity-planning trap on the exam.
Quick Answer: A Virtual Private Cloud (VPC) is your logically isolated network in one AWS Region. A subnet is public only when its route table sends 0.0.0.0/0 to an Internet Gateway (IGW); a private subnet reaches the internet outbound-only through a NAT Gateway sitting in a public subnet. Deploy a NAT Gateway in each Availability Zone for high availability, and remember AWS reserves 5 IPs per subnet.
CIDR and IP Address Planning
The VPC primary IPv4 CIDR block ranges from /16 (65,536 addresses) to /28 (16 addresses). Subnets carve smaller ranges out of it. The single most-tested numeric trap is that AWS reserves 5 addresses in every subnet: the network address, the VPC router, the DNS/Route 53 Resolver address, one reserved for future use, and the broadcast address.
| Subnet CIDR | Total addresses | Usable after 5 reserved |
|---|---|---|
| /28 | 16 | 11 |
| /27 | 32 | 27 |
| /24 | 256 | 251 |
| /20 | 4,096 | 4,091 |
If a question says "a /24 subnet has filled up at 251 instances," do not assume a bug — that is the architectural ceiling. CIDR blocks of peered or connected VPCs cannot overlap, so allocate non-overlapping ranges (for example 10.0.0.0/16, 10.1.0.0/16) from the start.
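The reservation arithmetic and the non-overlap rule are easy to get right in code. The following is an added Python example (not part of the original notes) that uses only the standard library to compute usable hosts per subnet, list the five reserved addresses by role, carve subnets out of a VPC CIDR, and check candidate VPC ranges for overlap before peering:

```python
import ipaddress
from typing import Dict, List, Tuple

# AWS reserves five addresses in every subnet, as described above:
# network address, VPC router (+1), DNS resolver (+2), future use (+3), broadcast (last).
AWS_RESERVED_PER_SUBNET = 5

def reserved_addresses(subnet: str) -> Dict[str, str]:
    """Return the five reserved addresses of a subnet, keyed by their role."""
    net = ipaddress.ip_network(subnet, strict=True)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns_resolver": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }

def usable_hosts(subnet: str) -> int:
    """Usable addresses after the reservation; AWS only accepts sizes from /16 to /28."""
    net = ipaddress.ip_network(subnet, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{subnet}: AWS subnets must be between /16 and /28")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET

def plan_subnets(vpc_cidr: str, new_prefix: int, count: int) -> List[str]:
    """Carve `count` equal-sized, non-overlapping /new_prefix subnets out of the VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return [str(s) for s, _ in zip(vpc.subnets(new_prefix=new_prefix), range(count))]

def overlapping_pairs(cidrs: List[str]) -> List[Tuple[str, str]]:
    """Pairs of CIDRs that overlap; peered or connected VPCs must return an empty list."""
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]

if __name__ == "__main__":
    print(usable_hosts("10.0.0.0/24"))                        # 251
    print(reserved_addresses("10.0.0.0/24")["dns_resolver"])  # 10.0.0.2
    print(plan_subnets("10.0.0.0/16", 24, 3))                 # ['10.0.0.0/24', '10.0.1.0/24', '10.0.2.0/24']
    print(overlapping_pairs(["10.0.0.0/16", "10.1.0.0/16"]))  # []
```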
Subnets, Route Tables, and the Public/Private Distinction
Each subnet associates with exactly one route table, but a route table can serve many subnets. The longest-prefix-match (most specific route) wins, and the local route covering the VPC CIDR can never be deleted.
| Destination | Target | Effect |
|---|---|---|
| 10.0.0.0/16 | local | Intra-VPC traffic stays inside the VPC |
| 0.0.0.0/0 | igw-xxxx | Public subnet — direct internet |
| 0.0.0.0/0 | nat-xxxx | Private subnet — outbound via NAT |
| pl-xxxx (S3 prefix list) | vpce-xxxx | Private S3 access via Gateway Endpoint |
A reference three-tier layout spans two AZs: public subnets host the Application Load Balancer and NAT Gateways; private app subnets host EC2/ECS; isolated database subnets host RDS with no internet route at all.
Gateways
- Internet Gateway (IGW): horizontally scaled, redundant, fully AWS-managed. One per VPC. An instance needs a public IP and an IGW route to be reachable.
- NAT Gateway: managed, highly available within a single AZ, scales to 100 Gbps, costs roughly $0.045/hour plus $0.045/GB processed. It must live in a public subnet. For cross-AZ resilience, deploy one per AZ and point each AZ's private route table at the local NAT Gateway — otherwise an AZ failure severs outbound traffic for the others and incurs cross-AZ data charges.
Security Groups vs. Network ACLs
| Feature | Security Group | Network ACL |
|---|---|---|
| Level | ENI / instance | Subnet |
| State | Stateful (return traffic auto-allowed) | Stateless (must allow both directions) |
| Rules | Allow only | Allow and deny, numbered, lowest number first |
| Default | Deny all inbound, allow all outbound | Default ACL allows all; custom ACL denies all |
On the Exam: "Block a specific malicious IP range" → Network ACL deny rule (security groups cannot deny). "Allow web tier to talk to app tier" → reference the web tier's security group as the source in the app tier's group.
Worked Example — Designing a Two-AZ Three-Tier VPC
Suppose you are asked to design a resilient VPC for a web application. Walk through it the way the exam expects. First, choose a VPC CIDR large enough to grow into but small enough to avoid waste: 10.0.0.0/16 gives 65,536 addresses. Second, split each tier across two Availability Zones so a single-AZ outage never takes the whole stack down. A clean layout is:
- Public subnets: 10.0.0.0/24 (AZ-a) and 10.0.1.0/24 (AZ-b) — hold the ALB and one NAT Gateway each.
- Private app subnets: 10.0.10.0/24 (AZ-a) and 10.0.11.0/24 (AZ-b) — hold EC2/ECS workloads.
- Private data subnets: 10.0.20.0/24 (AZ-a) and 10.0.21.0/24 (AZ-b) — hold RDS Multi-AZ.
Third, wire the routing. The two public subnets share a route table whose 0.0.0.0/0 points to the IGW. Each private app subnet gets its own route table sending 0.0.0.0/0 to the NAT Gateway in its own AZ — never to a single shared NAT Gateway, which would create a cross-AZ dependency and data-transfer charges. The data subnets have no 0.0.0.0/0 route at all, so the database can never reach the internet.
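The route-table rules from the earlier section (longest-prefix match, the undeletable local route, public versus private decided by the default route) and the two-AZ layout just described can be checked mechanically. This is an added Python example, not part of the original notes; the gateway ids are placeholders and the subnet map is constructed from the worked example. It builds the route tables per tier, classifies each subnet, and flags the single-shared-NAT anti-pattern as a cross-AZ dependency:

```python
import ipaddress
from typing import Dict, Optional

def lookup(routes: Dict[str, str], dst_ip: str) -> Optional[str]:
    """Longest-prefix match over a route table (CIDR -> target), as the VPC router does; None = no route."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(c), t) for c, t in routes.items() if ip in ipaddress.ip_network(c)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

def classify_subnet(routes: Dict[str, str]) -> str:
    """The label follows the default route: IGW = public, NAT = private, none = isolated."""
    target = routes.get("0.0.0.0/0")
    if target is None:
        return "isolated"
    return "public" if target.startswith("igw-") else "private" if target.startswith("nat-") else "other"

# Constructed two-AZ layout from the worked example; gateway ids are placeholders, not real resources.
VPC_CIDR = "10.0.0.0/16"
NAT_BY_AZ = {"a": "nat-PLACEHOLDER-a", "b": "nat-PLACEHOLDER-b"}
SUBNETS = {  # cidr: (tier, az)
    "10.0.0.0/24": ("public", "a"), "10.0.1.0/24": ("public", "b"),
    "10.0.10.0/24": ("app", "a"),   "10.0.11.0/24": ("app", "b"),
    "10.0.20.0/24": ("data", "a"),  "10.0.21.0/24": ("data", "b"),
}

def build_route_tables(shared_nat: Optional[str] = None) -> Dict[str, Dict[str, str]]:
    """Wire routing per tier; shared_nat reproduces the single-NAT anti-pattern for comparison."""
    tables = {}
    for cidr, (tier, az) in SUBNETS.items():
        routes = {VPC_CIDR: "local"}  # the local route exists in every table and cannot be deleted
        if tier == "public":
            routes["0.0.0.0/0"] = "igw-PLACEHOLDER"
        elif tier == "app":
            routes["0.0.0.0/0"] = shared_nat or NAT_BY_AZ[az]   # NAT in the subnet's own AZ
        tables[cidr] = routes                                     # data tier: no default route at all
    return tables

def audit(tables: Dict[str, Dict[str, str]]) -> Dict[str, dict]:
    """Per subnet: its classification and whether its NAT route leaves the subnet's own AZ."""
    report = {}
    for cidr, (tier, az) in SUBNETS.items():
        kind = classify_subnet(tables[cidr])
        cross_az = kind == "private" and tables[cidr]["0.0.0.0/0"] != NAT_BY_AZ[az]
        report[cidr] = {"tier": tier, "class": kind, "cross_az_nat": cross_az}
    return report

if __name__ == "__main__":
    shared = build_route_tables(shared_nat=NAT_BY_AZ["a"])
    print([c for c, r in audit(shared).items() if r["cross_az_nat"]])  # ['10.0.11.0/24']
```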
Common Traps
| Trap | Reality |
|---|---|
| "Make a subnet public by ticking a box" | Public status comes from an IGW route, not a setting |
| "One NAT Gateway is Multi-AZ" | NAT Gateway is HA only within one AZ; deploy per AZ |
| "Use a security group to deny an IP" | Security groups allow only; use a Network ACL deny rule |
| "A /24 holds 256 instances" | Only 251 usable after the 5 reserved addresses |
| "A NACL change only affects new connections, not in-flight ones" | NACLs are stateless and evaluate every packet, so changes affect in-flight flows immediately |
Keeping security groups stateful (return traffic auto-allowed) and NACLs stateless (you must allow ephemeral return ports 1024–65535 explicitly) straight in your head resolves a large share of networking questions.
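The stateful/stateless difference from the comparison table and the paragraph above can be seen by simulating both filters on one flow: an instance downloading patches over port 443. This is an added Python example, not part of the original notes; the rule sets and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed samples. The NACL model applies numbered rules lowest-first with an implicit deny and needs the ephemeral-port allow for the reply, while the security group model tracks the connection and admits the reply with no inbound rule at all:

```python
import ipaddress

# NACL rule: (number, protocol, cidr, port_from, port_to, action). The lowest-numbered matching
# rule wins and the implicit '*' rule denies the rest. Every packet is judged on its own (stateless).
def nacl_evaluate(rules, proto, remote_ip, dst_port):
    ip = ipaddress.ip_address(remote_ip)
    for _num, r_proto, cidr, lo, hi, action in sorted(rules):
        if r_proto in ("all", proto) and ip in ipaddress.ip_network(cidr) and lo <= dst_port <= hi:
            return action
    return "deny"

def nacl_flow_allowed(inbound, outbound, remote_ip, remote_port, local_port, initiated_outbound):
    """A TCP flow crosses a NACL only if the first packet AND its reply each pass their direction."""
    if initiated_outbound:  # patch download: SYN out to remote_port, reply back to our ephemeral port
        first = nacl_evaluate(outbound, "tcp", remote_ip, remote_port)
        reply = nacl_evaluate(inbound, "tcp", remote_ip, local_port)
    else:                   # client hitting a web tier: SYN in to local_port, reply to the client's port
        first = nacl_evaluate(inbound, "tcp", remote_ip, local_port)
        reply = nacl_evaluate(outbound, "tcp", remote_ip, remote_port)
    return first == "allow" and reply == "allow"

class SecurityGroup:
    """Allow-only and stateful: the reply to a tracked connection passes without its own rule."""
    def __init__(self, inbound, outbound):  # rules are (proto, cidr, port_from, port_to), allow only
        self.inbound, self.outbound, self.tracked = inbound, outbound, set()

    @staticmethod
    def _match(rules, proto, ip, port):
        a = ipaddress.ip_address(ip)
        return any(p == proto and a in ipaddress.ip_network(c) and lo <= port <= hi
                   for p, c, lo, hi in rules)

    def open_outbound(self, proto, remote_ip, remote_port, local_port):
        if not self._match(self.outbound, proto, remote_ip, remote_port):
            return False
        self.tracked.add((proto, remote_ip, remote_port, local_port))  # connection tracking
        return True

    def accept_inbound(self, proto, remote_ip, remote_port, local_port):
        if (proto, remote_ip, remote_port, local_port) in self.tracked:
            return True  # return traffic for a connection the instance initiated
        return self._match(self.inbound, proto, remote_ip, local_port)

# Constructed sample policies; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
NACL_OUT = [(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
NACL_IN_BROKEN = [(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]       # no ephemeral allow: replies die
NACL_IN_FIXED = [(50, "all", "198.51.100.0/24", 0, 65535, "deny"),     # deny a hostile range first
                 (100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]     # then allow ephemeral replies
DEFAULT_SG = SecurityGroup(inbound=[], outbound=[("tcp", "0.0.0.0/0", 0, 65535)])  # AWS default posture
```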
Practice Questions
An application in a private subnet needs to download OS patches from the internet but must never be reachable from the internet. Which component enables this?
An architect carves a /24 subnet and expects to launch 256 EC2 instances in it. Why will this fail?