Conceptual Foundations

The Components You Will Use and Why

Before creating any resource, you need to understand what each component does architecturally — not just what it is, but what decision it encodes.

VPC and CIDR Block

A VPC is a logically isolated section of the AWS network. The CIDR block you assign to it defines the total IP address space available to all subnets inside it. Choosing 10.0.0.0/16 gives you 65,536 addresses to subdivide. This is a common choice for production because it leaves room to carve out many subnets without overlap, and it falls within the RFC 1918 private ranges, which are not routable on the public internet.

CIDR sizing is an architectural commitment. Once set, a VPC CIDR cannot be changed without rebuilding. Think ahead: if you anticipate VPC peering (connecting two VPCs), both VPCs must have non-overlapping CIDRs. Plan accordingly.

Subnets

A subnet is a subdivision of the VPC CIDR assigned to a specific AZ. The “public” or “private” designation is not an AWS property — it is a routing behavior. A subnet is public if its route table contains a route to an Internet Gateway (IGW). A subnet is private if it does not.

Subnets are your primary isolation boundary within a VPC. Every ENI (network interface) in AWS is placed in exactly one subnet. Placing resources in different subnets lets you apply different routing rules and different network ACLs to each tier.
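The CIDR sizing and subnet-per-AZ decisions above can be checked before anything is created. The following is an added example (not code from the page or from AWS) that carves a /16 into one private and one public subnet per AZ with Python's standard ipaddress module, verifies the RFC 1918 and non-overlap constraints, and tests whether a second VPC CIDR could be peered. The VPC CIDR, the AZ names and the /20 and /24 prefix choices are constructed assumptions for the example.

```python
import ipaddress

# RFC 1918 private ranges; a production VPC CIDR should fall inside one of them.
RFC1918 = [ipaddress.ip_network(r) for r in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed planning inputs (assumptions, not from the page): three AZs in one
# region and the /16 the text recommends.
VPC_CIDR = "10.0.0.0/16"
AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]


def is_rfc1918(cidr):
    """True if the whole CIDR lies inside one RFC 1918 private range."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(r) for r in RFC1918)


def plan_subnets(vpc_cidr, azs, private_prefix=20, public_prefix=24):
    """Carve the VPC CIDR into one private and one public subnet per AZ.

    Private subnets get the larger block (a /20 holds 4,096 addresses) because
    the application and data tiers live there; public subnets only host load
    balancers and NAT Gateways, so a /24 is enough. The private blocks are taken
    first, then the public blocks are cut from the next unused private-sized
    block, so the two tiers never interleave and the rest of the /16 stays free.
    Returns {(tier, az): IPv4Network}.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not is_rfc1918(vpc_cidr):
        raise ValueError(f"{vpc_cidr} is not an RFC 1918 private range")
    plan = {}
    private_blocks = vpc.subnets(new_prefix=private_prefix)
    for az in azs:
        plan[("private", az)] = next(private_blocks)
    public_blocks = next(private_blocks).subnets(new_prefix=public_prefix)
    for az in azs:
        plan[("public", az)] = next(public_blocks)
    return plan


def overlapping_pairs(networks):
    """Every pair of networks that overlaps; an empty list means the plan is valid."""
    nets = list(networks)
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


def free_addresses(vpc_cidr, plan):
    """Addresses in the VPC CIDR not yet assigned to any planned subnet."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return vpc.num_addresses - sum(n.num_addresses for n in plan.values())


def peering_compatible(vpc_cidr_a, vpc_cidr_b):
    """VPC peering requires the two VPC CIDRs to be disjoint."""
    return not ipaddress.ip_network(vpc_cidr_a).overlaps(ipaddress.ip_network(vpc_cidr_b))


if __name__ == "__main__":
    plan = plan_subnets(VPC_CIDR, AZS)
    for (tier, az), net in sorted(plan.items()):
        print(f"{tier:8} {az:12} {net}  ({net.num_addresses} addresses)")
    print("overlaps:", overlapping_pairs(plan.values()))
    print("unallocated addresses:", free_addresses(VPC_CIDR, plan))
    print("can peer with 10.1.0.0/16:", peering_compatible(VPC_CIDR, "10.1.0.0/16"))
    print("can peer with 10.0.128.0/17:", peering_compatible(VPC_CIDR, "10.0.128.0/17"))
```

The plan deliberately leaves most of the /16 unallocated: because the VPC CIDR cannot be changed later, the spare space is what lets you add tiers or AZs without a rebuild.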

Internet Gateway (IGW)

The IGW is the VPC-level attachment point to the public internet. It is horizontally scaled, redundant, and managed by AWS — you do not pay per hour for the IGW itself. Attaching it to the VPC is a prerequisite for any subnet to have public routing, but attaching it does not automatically make any subnet public. The route table is what makes the difference.

NAT Gateway

A NAT Gateway allows resources in private subnets to initiate outbound connections to the internet while blocking all unsolicited inbound connections. It is stateful: it tracks connection state and routes return traffic correctly.

NAT Gateways are AZ-scoped resources. In production, you place one per AZ and route each private subnet to the NAT Gateway in the same AZ. This ensures that if one AZ fails, the surviving AZs still have outbound internet access. Using a single NAT Gateway across all AZs is cheaper but introduces a cross-AZ dependency and a single point of failure for outbound routing.

Route Tables

A route table is an ordered set of rules that determines where traffic from a subnet goes. Each subnet is associated with exactly one route table. The VPC has a “main” route table as a default, but you should always create explicit route tables and associate them manually — relying on the main route table makes your routing implicit and error-prone in production.

Every route table includes a local route (10.0.0.0/16 → local) that cannot be removed. This allows all resources within the VPC to communicate with each other regardless of subnet boundaries.
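Because "public" and "private" are routing behaviour rather than a subnet attribute, the tier of every subnet can be derived from its route table, and the two production rules above (explicit associations, per-AZ NAT) can be audited the same way. The following is an added example, not code from the page or from AWS: it runs that classification over a constructed, simplified snapshot in the shape of describe-route-tables, describe-subnets and describe-nat-gateways output. All ids and AZ names are made up, and two misconfigurations are planted on purpose: one subnet falls back to the main route table, and one AZ-b subnet is routed through the AZ-a NAT Gateway.

```python
# Constructed sample, shaped loosely like the output of
# `aws ec2 describe-route-tables` / `describe-subnets` / `describe-nat-gateways`
# (all ids and AZ names here are made up for the example).
SUBNETS = {
    "subnet-pub-a": "us-east-1a",
    "subnet-pub-b": "us-east-1b",
    "subnet-app-a": "us-east-1a",
    "subnet-app-b": "us-east-1b",
    "subnet-db-a": "us-east-1a",   # no explicit association: inherits the main table
}
NAT_GATEWAYS = {"nat-a": "us-east-1a", "nat-b": "us-east-1b"}
ROUTE_TABLES = [
    {"id": "rtb-main", "main": True, "subnets": [],
     "routes": [{"dest": "10.0.0.0/16", "target": "local"}]},
    {"id": "rtb-public", "main": False, "subnets": ["subnet-pub-a", "subnet-pub-b"],
     "routes": [{"dest": "10.0.0.0/16", "target": "local"},
                {"dest": "0.0.0.0/0", "target": "igw-0abc"}]},
    {"id": "rtb-private-a", "main": False, "subnets": ["subnet-app-a"],
     "routes": [{"dest": "10.0.0.0/16", "target": "local"},
                {"dest": "0.0.0.0/0", "target": "nat-a"}]},
    # Misconfiguration planted on purpose: AZ-b subnet routed through the AZ-a NAT.
    {"id": "rtb-private-b", "main": False, "subnets": ["subnet-app-b"],
     "routes": [{"dest": "10.0.0.0/16", "target": "local"},
                {"dest": "0.0.0.0/0", "target": "nat-a"}]},
]


def default_route(route_table):
    """The 0.0.0.0/0 route of a table, or None if the table has no internet route."""
    return next((r for r in route_table["routes"] if r["dest"] == "0.0.0.0/0"), None)


def classify_subnets(subnets, route_tables, nat_gateways):
    """Derive each subnet's tier from its routing and flag production anti-patterns.

    Returns {subnet_id: {"tier": ..., "route_table": ..., "findings": [...]}} where
    tier is "public" (default route to an IGW), "private" (default route to a NAT
    Gateway) or "isolated" (no default route at all).
    """
    main = next(rt for rt in route_tables if rt["main"])
    explicit = {s: rt for rt in route_tables for s in rt["subnets"]}
    result = {}
    for subnet_id, az in subnets.items():
        findings = []
        rt = explicit.get(subnet_id)
        if rt is None:
            # No explicit association: the subnet silently inherits the main table.
            rt = main
            findings.append(f"implicit association with main route table {rt['id']}")
        route = default_route(rt)
        if route is None:
            tier = "isolated"
        elif route["target"].startswith("igw-"):
            tier = "public"
        elif route["target"] in nat_gateways:
            tier = "private"
            nat_az = nat_gateways[route["target"]]
            if nat_az != az:
                findings.append(
                    f"cross-AZ NAT: default route via {route['target']} in {nat_az}, "
                    f"subnet is in {az}")
        else:
            tier = "private"
            findings.append(f"default route to unrecognised target {route['target']}")
        result[subnet_id] = {"tier": tier, "route_table": rt["id"], "findings": findings}
    return result


if __name__ == "__main__":
    for subnet_id, info in classify_subnets(SUBNETS, ROUTE_TABLES, NAT_GATEWAYS).items():
        print(f"{subnet_id:13} {info['tier']:9} via {info['route_table']:14}",
              "; ".join(info["findings"]) or "ok")
```

The "isolated" tier is worth keeping distinct from "private": a subnet with only the local route has no outbound path at all, which is the right shape for a database tier but a silent failure for an application tier that expects to reach the internet through NAT.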

Security Groups

Security groups are stateful, instance-level firewalls. They are attached to ENIs, not to subnets. Because they are stateful, if an outbound connection is allowed, the return traffic is automatically permitted without a separate inbound rule.

The production pattern for multi-tier security is security group chaining: instead of specifying IP ranges in your application tier security group, you specify the security group ID of the load balancer tier as the source. This means only resources that are members of the load balancer security group can reach the application tier, regardless of what IP they are on. This is more robust than IP-based rules because IPs change (scaling events, replacements) while group membership is explicit.
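The chaining rule is easy to state and easy to regress, so it is worth checking mechanically. The following is an added example (not code from the page or from AWS) that audits an application-tier security group against the expected upstream load-balancer group, flagging rules whose source is a CIDR instead of the upstream group id, and shows the chained form of the same rules. The security groups are constructed in a simplified shape with made-up ids; the brittle 10.0.48.0/24 rule and the 0.0.0.0/0 rule on port 22 are planted deliberately.

```python
# Constructed security groups (ids and names are made up), in a simplified shape:
# each ingress rule names either a CIDR source or a source security group.
SECURITY_GROUPS = {
    "sg-lb": {"name": "lb-tier", "ingress": [
        {"protocol": "tcp", "port": 443, "cidr": "0.0.0.0/0"},       # public entry point
    ]},
    "sg-app": {"name": "app-tier", "ingress": [
        {"protocol": "tcp", "port": 8080, "source_sg": "sg-lb"},     # chained: good
        {"protocol": "tcp", "port": 8080, "cidr": "10.0.48.0/24"},   # IP-based: brittle
        {"protocol": "tcp", "port": 22, "cidr": "0.0.0.0/0"},        # open to the internet
    ]},
}


def audit_chaining(security_groups, tier_sg_id, upstream_sg_id):
    """Check that a tier's ingress rules reference the upstream tier's security group.

    Returns a list of (rule, severity, message). A rule passes only if its source
    is the expected upstream security group. CIDR sources are flagged because they
    track addresses rather than membership, and 0.0.0.0/0 is flagged high.
    """
    findings = []
    for rule in security_groups[tier_sg_id]["ingress"]:
        src_sg = rule.get("source_sg")
        if src_sg == upstream_sg_id:
            continue
        if src_sg is not None:
            findings.append((rule, "medium", f"source is {src_sg}, expected {upstream_sg_id}"))
        elif rule["cidr"] == "0.0.0.0/0":
            findings.append((rule, "high", "open to the internet; use a source security group"))
        else:
            findings.append((rule, "medium",
                             f"CIDR source {rule['cidr']}; use source_sg {upstream_sg_id}"))
    return findings


def chained_ingress(app_ports, upstream_sg_id, protocol="tcp"):
    """The hardened form: one rule per application port whose source is the
    upstream tier's security group id rather than any IP range."""
    return [{"protocol": protocol, "port": p, "source_sg": upstream_sg_id} for p in app_ports]


if __name__ == "__main__":
    for rule, severity, message in audit_chaining(SECURITY_GROUPS, "sg-app", "sg-lb"):
        print(f"[{severity}] port {rule['port']}: {message}")
    print("hardened app-tier ingress:", chained_ingress([8080], "sg-lb"))
```

Running the audit against the hardened ingress list returns no findings, which is the property a pipeline check should assert before a security group change is applied.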

Conceptual Foundations Check


What makes a subnet 'public' in AWS?
