AWS VPC Cheat Sheet: Key Concepts for AWS Solutions Architect Associate Exam

Amazon Virtual Private Cloud (VPC) is the foundation of networking in AWS. It allows you to define a logically isolated virtual network within AWS. Understanding VPC is crucial for the AWS Solutions Architect Associate exam.

1. VPC Basics
VPC (Virtual Private Cloud) – Your private network in AWS.
Subnets – Logical division of a VPC into public & private subnets.
Route Tables – Define how traffic is routed between subnets and external networks.
Internet Gateway (IGW) – Allows public access to the internet.
NAT Gateway / NAT Instance – Allows private subnets to access the internet without being directly exposed.
VPC Peering – Connects two VPCs privately (no transitive peering).
Transit Gateway – A central hub to connect multiple VPCs & on-prem networks.
2. IP Addressing & Subnetting
CIDR (Classless Inter-Domain Routing) – Defines the IP address range for a VPC (e.g., 10.0.0.0/16).
AWS reserves 5 IPs per subnet (the first four and the last one: .0, .1, .2, .3 and .255).
.0: Network address
.1: Reserved by AWS for the VPC router
.2: Reserved by AWS for mapping to Amazon-provided DNS
.3: Reserved by AWS for future use
.255: Network broadcast address
Public Subnet – Has a route to the Internet Gateway (IGW).
Private Subnet – No direct internet access, uses NAT Gateway/Instance.
Private IP – Assigned from the subnet range.
Public IP – Assigned from Amazon's pool of public IPs.
Elastic IP (EIP) – Static public IP address for NAT Gateway or EC2.
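To make the reservation rule concrete, here is an added example (not from the original cheat sheet) that uses Python's standard ipaddress module to list the five addresses AWS reserves in any IPv4 subnet, count the addresses actually usable for instances, and sanity-check a planned subnet layout against its VPC. The CIDRs in the block are constructed sample values; the /16 to /28 size limit is the AWS IPv4 subnet range.

```python
import ipaddress
from itertools import combinations

# AWS allows IPv4 VPC/subnet CIDR blocks between /16 and /28 inclusive.
MIN_PREFIX, MAX_PREFIX = 16, 28
RESERVED_PER_SUBNET = 5


def reserved_addresses(cidr: str) -> dict:
    """Return the five addresses AWS reserves in the given subnet CIDR.

    The first four addresses and the last one are reserved regardless of the
    subnet size, so for a /24 they are .0, .1, .2, .3 and .255.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return {
        "network": str(net[0]),        # network address
        "vpc_router": str(net[1]),     # VPC router
        "dns": str(net[2]),            # Amazon-provided DNS
        "future_use": str(net[3]),     # reserved for future use
        "broadcast": str(net[-1]),     # broadcast (not supported in a VPC, still reserved)
    }


def usable_addresses(cidr: str) -> int:
    """Number of addresses an instance can actually be assigned from the subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{cidr}: AWS subnets must be between /{MIN_PREFIX} and /{MAX_PREFIX}")
    return net.num_addresses - RESERVED_PER_SUBNET


def validate_layout(vpc_cidr: str, subnet_cidrs: list) -> list:
    """Check that every subnet sits inside the VPC and that no two subnets overlap.

    Returns a list of human-readable problems; an empty list means the layout is valid.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    subnets = [ipaddress.ip_network(c, strict=True) for c in subnet_cidrs]
    problems = []
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"{s} is not inside VPC {vpc}")
    for a, b in combinations(subnets, 2):
        if a.overlaps(b):
            problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    # Constructed example layout: one public and one private subnet per AZ.
    vpc = "10.0.0.0/16"
    layout = ["10.0.1.0/24", "10.0.2.0/24", "10.0.11.0/24", "10.0.12.0/24"]
    for c in layout:
        print(c, usable_addresses(c), "usable", reserved_addresses(c))
    print("problems:", validate_layout(vpc, layout) or "none")
    # A deliberately bad layout: overlapping subnet and one outside the VPC.
    print("problems:", validate_layout(vpc, ["10.0.1.0/24", "10.0.1.128/25", "192.168.0.0/24"]))
```

Running the script shows that a /24 yields 251 usable addresses and a /28 only 11, which is why the reservation matters when sizing small subnets for NAT gateways or endpoints.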
3. Security & Access Control
Security Groups (SGs) – Stateful firewall controlling inbound/outbound traffic at the instance level.
Network ACLs (NACLs) – Stateless firewall controlling traffic at the subnet level.
VPC Flow Logs – Capture metadata about the IP traffic going to and from network interfaces (useful for security monitoring).
AWS PrivateLink – Securely connects a VPC to AWS services without using the internet.
VPC Endpoints:
Interface Endpoint – Uses AWS PrivateLink (for services like SQS, SNS, S3, DynamoDB).
Gateway Endpoint – Route-based, for S3 and DynamoDB only (free).
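The stateful versus stateless distinction is the point exam questions most often test, so here is an added example (not part of the original cheat sheet) that models both evaluation styles in Python and runs a single HTTPS exchange through them. The classes, rule format and addresses are constructed for illustration and are not an AWS API; what they reproduce is the documented behaviour: a security group remembers allowed flows and lets the reply through, while a NACL evaluates every packet, including the reply, against its numbered rules and falls back to an implicit deny.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self) -> "Packet":
        """The reply packet for this packet (addresses and ports swapped)."""
        return Packet(self.dst, self.src, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    direction: str       # "in" or "out"
    cidr: str            # remote address range the rule applies to
    port_from: int       # destination port range on the packet
    port_to: int
    action: str = "allow"  # NACLs may also "deny"; security groups are allow-only
    number: int = 0        # NACL rule number (lowest evaluated first); unused for SGs


def _matches(rule: Rule, packet: Packet, direction: str) -> bool:
    if rule.direction != direction:
        return False
    remote = packet.src if direction == "in" else packet.dst
    return (ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= packet.dport <= rule.port_to)


class SecurityGroup:
    """Stateful: once a packet is allowed, its return traffic is allowed automatically."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.tracked = set()  # simplified connection-tracking table

    def evaluate(self, packet: Packet, direction: str) -> str:
        if packet.reverse() in self.tracked:
            return "allow"  # reply to a flow we already allowed, no rule lookup needed
        if any(_matches(r, packet, direction) for r in self.rules):
            self.tracked.add(packet)
            return "allow"
        return "deny"  # no explicit deny rules exist; anything unmatched is dropped


class NetworkAcl:
    """Stateless: every packet, replies included, is checked against numbered rules."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, packet: Packet, direction: str) -> str:
        for r in self.rules:          # first matching rule wins
            if _matches(r, packet, direction):
                return r.action
        return "deny"                 # the implicit "*" deny at the end of every NACL


def https_scenario(nacl_has_ephemeral_rule: bool) -> dict:
    """Run one client request and the server's reply through an SG and a NACL."""
    request = Packet("203.0.113.10", "10.0.1.10", 50000, 443)  # constructed addresses
    reply = request.reverse()

    # SG: allow HTTPS in; outbound restricted to the VPC only, so the reply to the
    # internet client is allowed purely because the flow is tracked.
    sg = SecurityGroup([Rule("in", "0.0.0.0/0", 443, 443),
                        Rule("out", "10.0.0.0/16", 0, 65535)])

    nacl_rules = [Rule("in", "0.0.0.0/0", 443, 443, number=100)]
    if nacl_has_ephemeral_rule:
        # Replies go back to the client's ephemeral source port, so the NACL
        # needs an explicit outbound allow for the ephemeral range.
        nacl_rules.append(Rule("out", "0.0.0.0/0", 1024, 65535, number=100))
    nacl = NetworkAcl(nacl_rules)

    return {
        "sg_request": sg.evaluate(request, "in"),
        "sg_reply": sg.evaluate(reply, "out"),
        "nacl_request": nacl.evaluate(request, "in"),
        "nacl_reply": nacl.evaluate(reply, "out"),
    }


if __name__ == "__main__":
    print("NACL without ephemeral rule:", https_scenario(False))
    print("NACL with ephemeral rule:   ", https_scenario(True))
```

The first run shows the classic troubleshooting case: the request is accepted everywhere but the server's reply is dropped by the NACL until an outbound rule for the ephemeral port range is added, while the security group needs no such rule.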
4. High Availability & Connectivity
Multi-AZ Deployment – Distribute subnets across multiple Availability Zones (AZs) for redundancy.
VPN (Virtual Private Network) – Connects on-premises data centers to AWS securely.
Direct Connect (DX) – Dedicated private connection between on-premises and AWS (better performance than VPN).
Transit Gateway – A central hub for many-to-many VPC & on-prem connections.
5. Best Practices & Exam Tips
- Always place databases in private subnets to avoid direct internet exposure.
- Use NAT Gateway instead of NAT Instance (fully managed, highly available).
- Security Groups are stateful, while NACLs are stateless.
- VPC Peering does not support transitive routing (use Transit Gateway instead).
- S3 Gateway Endpoints are free, while Interface Endpoints incur charges.
- Flow Logs help with network monitoring & troubleshooting.
- Direct Connect is better than VPN for low latency & high bandwidth needs.
- Use PrivateLink to connect securely to AWS services inside a VPC.
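Since the tips above recommend Flow Logs for monitoring, here is an added example (not from the original cheat sheet) of what working with them looks like: a small Python parser for the default (version 2) flow log record format, followed by a summary that counts rejected connections per source address and per destination port. The log lines are constructed sample records, the account ID is a placeholder, and the parser handles the documented edge case where a record with log-status NODATA or SKIPDATA carries "-" in the traffic fields.

```python
from collections import Counter, defaultdict

# Field order of the default VPC Flow Logs (version 2) record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]

# Constructed sample records (placeholder account ID, documentation-range addresses).
SAMPLE_LOG = """\
2 123456789012 eni-0abc12345def67890 203.0.113.10 10.0.1.10 50000 443 6 10 840 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc12345def67890 198.51.100.7 10.0.1.10 44321 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc12345def67890 198.51.100.7 10.0.1.10 44322 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc12345def67890 198.51.100.7 10.0.1.10 44323 22 6 1 60 1700000010 1700000070 REJECT OK
2 123456789012 eni-0abc12345def67890 10.0.1.10 10.0.2.20 39000 5432 6 12 2048 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc12345def67890 - - - - - - - 1700000000 1700000060 - NODATA
2 123456789012 eni-0abc12345def67890 - - - - - - - 1700000000 1700000060 - SKIPDATA
"""


def parse_flow_log(line: str):
    """Parse one default-format record into a dict, or return None for records
    that carry no traffic data (NODATA / SKIPDATA) or have the wrong field count."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # traffic fields are "-" in these records; nothing to analyse
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def summarize_rejects(log_text: str) -> dict:
    """Count REJECT records per source address and, per source, per destination port."""
    rejects_by_src = Counter()
    ports_by_src = defaultdict(Counter)
    parsed = skipped = 0
    for line in log_text.splitlines():
        rec = parse_flow_log(line)
        if rec is None:
            skipped += 1
            continue
        parsed += 1
        if rec["action"] == "REJECT":
            rejects_by_src[rec["srcaddr"]] += 1
            ports_by_src[rec["srcaddr"]][rec["dstport"]] += 1
    return {
        "parsed": parsed,
        "skipped": skipped,
        "rejects_by_src": dict(rejects_by_src),
        "ports_by_src": {src: dict(c) for src, c in ports_by_src.items()},
    }


if __name__ == "__main__":
    summary = summarize_rejects(SAMPLE_LOG)
    print(f"parsed {summary['parsed']} records, skipped {summary['skipped']}")
    for src, count in summary["rejects_by_src"].items():
        print(f"{src}: {count} rejected connections to ports {summary['ports_by_src'][src]}")
```

The same summary can be produced in bulk with Athena or CloudWatch Logs Insights once the logs are delivered; the value of a local parser is seeing exactly which fields a record carries and why status-only records must be filtered before aggregation.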
Final Thoughts
Understanding AWS VPC is critical for designing secure, scalable, and high-performance architectures. Mastering subnets, security, and connectivity options will help you ace the AWS Solutions Architect Associate exam and build real-world AWS solutions.