This is your go-to short guide to AWS VPC concepts. Unlike Azure, AWS offers you a wide range of features for configuring networking. At first it might seem complicated, but once understood it gives you much more flexibility in your design.
In this article I am not writing about every little VPC feature. There are tons of guides you can find on Google that cover the whole feature set. My intention is to give you a deep insight into the most common concepts in a very short article with a hopefully clear illustration. I will break the article down into simple questions and answers to make it easier to read.
Q. What is a VPC?
A. A VPC (Virtual Private Cloud) is a virtual network with an IP address range assigned to it. You can have multiple VPCs in a single AWS account, and inside every VPC you can create one or more Subnets.
Q. What is a Public Subnet?
A. In short, a Public Subnet is a subnet with a route to the Internet. An Internet Gateway connects a VPC/Subnet to the Internet.
To make a Subnet public, you will need to create a Route Table with a route to the Internet Gateway and assign the Route Table to the Subnet. (The illustration at the bottom of this page should explain it.)
Q. Are your resources (e.g. EC2 Instances) inside a Public Subnet accessible from the Internet?
A. Yes. As long as they have public IP addresses they are reachable from the Internet, unless access is explicitly denied using Security Groups or Network ACLs.
Q. What is a Private Subnet?
A. A Private Subnet is a subnet with NO direct route to the Internet (i.e. no route to an Internet Gateway). A Private Subnet almost always contains only resources with private IP addresses.
Q. Are your resources (e.g. EC2 Instances) inside a Private Subnet able to access the Internet?
A. Even if your resources in a Private Subnet have public IP addresses, they still are not able to access the Internet.
In order to achieve Internet access in a Private Subnet, you need to deploy a NAT Gateway in a separate Public Subnet (see the illustration at the bottom of this page). You will then create a Route Table with a route to this NAT Gateway and then assign it to your Private Subnet. In this case, your resources have private IP addresses and yet are able to access the Internet.
Q. Are your resources inside a Private Subnet accessible from the Internet?
A. No, they are not, because they sit behind the NAT Gateway and also do not have public IP addresses.
Q. What is a VPN Gateway?
A. A VPN Gateway connects your VPC through a VPN tunnel to your on-premises gateway/network.
You can then create a route (in your Route Table) to send traffic from your Private Subnet to this VPN Gateway. You can also assign this Route Table to your Public Subnets, but from a security perspective this is not recommended.
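The public/private distinction above is entirely a property of the Route Table a subnet uses, and the VPN caveat in the last answer is easy to verify from the same data. The following audit script is an added example (not part of the original article): it takes route tables in the shape of the EC2 DescribeRouteTables response, works out which table applies to each subnet (falling back to the VPC's main table for subnets with no explicit association), classifies each subnet as public, private-with-NAT or isolated, and flags a public subnet that also carries a VPN Gateway route. The IDs and the sample data are constructed placeholders, and a single VPC is assumed.

```python
"""Classify VPC subnets by their route-table contents (public/private/NAT model).

Input mirrors the RouteTables list of the EC2 DescribeRouteTables response.
All IDs below are constructed placeholders; a single VPC is assumed.
"""
from typing import Dict, List

SAMPLE_ROUTE_TABLES = [  # constructed sample data, not from a real account
    {"RouteTableId": "rtb-main", "VpcId": "vpc-example",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
     "Associations": [{"Main": True}]},
    {"RouteTableId": "rtb-public", "VpcId": "vpc-example",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
                {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-example"}],
     "Associations": [{"SubnetId": "subnet-public"}]},
    {"RouteTableId": "rtb-private", "VpcId": "vpc-example",
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"}],
     "Associations": [{"SubnetId": "subnet-private"}]},
]

def effective_tables(route_tables: List[dict], subnet_ids: List[str]) -> Dict[str, dict]:
    """Map each subnet to the route table that actually applies to it.
    A subnet without an explicit association uses the VPC's main table,
    which is the case most often overlooked when auditing exposure."""
    main = next(t for t in route_tables if any(a.get("Main") for a in t["Associations"]))
    explicit = {a["SubnetId"]: t for t in route_tables
                for a in t["Associations"] if "SubnetId" in a}
    return {s: explicit.get(s, main) for s in subnet_ids}

def classify(table: dict) -> dict:
    """Derive a subnet's Internet exposure from its routes."""
    igw = nat = vgw = False
    for r in table["Routes"]:
        gw = r.get("GatewayId", "")
        if r.get("DestinationCidrBlock") == "0.0.0.0/0":
            igw = igw or gw.startswith("igw-")      # default route to Internet Gateway
            nat = nat or "NatGatewayId" in r        # default route via NAT Gateway
        vgw = vgw or gw.startswith("vgw-")          # any route towards the VPN Gateway
    kind = "public" if igw else ("private-nat" if nat else "private-isolated")
    # A public subnet routed to the VPN Gateway is the setup the article advises against.
    return {"kind": kind, "vpn_route_in_public_subnet": igw and vgw}

def audit(route_tables=SAMPLE_ROUTE_TABLES,
          subnet_ids=("subnet-public", "subnet-private", "subnet-orphan")) -> Dict[str, dict]:
    tables = effective_tables(route_tables, list(subnet_ids))
    return {s: classify(t) for s, t in tables.items()}

if __name__ == "__main__":
    for subnet, verdict in audit().items():
        print(subnet, verdict)
```

To run it against a real account, feed `audit()` the `RouteTables` list from `aws ec2 describe-route-tables` together with the subnet IDs of the VPC.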