AWS VPC Explained: Complete Guide to CIDR, Subnets, and Route Tables
Master AWS VPC fundamentals - CIDR calculation, public vs private subnets, and route table configuration. Essential SAA-C03 exam content included.
Related Exam Domains
- Domain 1: Design Secure Architectures
- Domain 2: Design Resilient Architectures
Key Takeaway
VPC (Virtual Private Cloud) is your own logically isolated virtual network within AWS. You define IP ranges with CIDR blocks, place resources in subnets, and control traffic flow with route tables.
Exam Tip
Exam Essential: AWS reserves 5 IPs per subnet, VPC CIDR range is /16 to /28, Public subnet = Internet Gateway route (0.0.0.0/0 → IGW)
When Should You Use VPC?
Almost every AWS resource (EC2, RDS, Lambda, etc.) runs inside a VPC. VPC is the foundational networking service for AWS usage.
VPC is Required For
- Deploying EC2 instances
- Running private RDS databases
- Connecting on-premises networks to AWS
- Network isolation for security requirements
Default VPC vs Custom VPC
When you create an AWS account, a default VPC (172.31.0.0/16) is automatically created in each region. However, for production environments, creating a custom VPC is recommended for better security and design control.
Understanding CIDR: IP Address Range Calculation
CIDR Notation Explained
CIDR (Classless Inter-Domain Routing) is a method for expressing IP address ranges.
10.0.0.0/16
│       │
│       └── Prefix length (number of leading bits fixed as the network part; defines the netmask)
└── Network starting address
Common CIDR Blocks
| CIDR | IP Count | Use Case |
|---|---|---|
| /16 | 65,536 | Entire VPC (large scale) |
| /20 | 4,096 | Large subnet |
| /24 | 256 | Typical subnet |
| /28 | 16 | Minimum subnet (AWS minimum) |
AWS VPC CIDR Restrictions
- Allowed range: /16 (65,536 addresses) to /28 (16 addresses)
- Recommended ranges (RFC 1918 private space): 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
- Not allowed: 127.0.0.0/8 (loopback), 169.254.0.0/16 (link-local)
Exam Tip
Exam Tip: VPC CIDR cannot be changed after creation! However, you can add Secondary CIDR blocks.
Subnets: Public vs Private Differences
A subnet is an IP address range within a VPC where resources are actually placed.
Key Subnet Rules
- One subnet exists in only one Availability Zone (AZ)
- Subnet CIDR must be within the VPC CIDR range
- AWS reserves 5 IPs in each subnet
AWS Reserved IP Addresses (Exam Must-Know!)
Example for 10.0.0.0/24 subnet:
| IP Address | Purpose |
|---|---|
| 10.0.0.0 | Network address |
| 10.0.0.1 | VPC router |
| 10.0.0.2 | AWS DNS server |
| 10.0.0.3 | Reserved for future use |
| 10.0.0.255 | Broadcast address |
Exam Tip
Sample Exam Question: "You need 29 EC2 instances. Can you use a /27 subnet (32 IPs)?" → Answer: No! 32 - 5 (reserved) = 27 < 29. You need a /26 subnet (64 - 5 = 59 IPs).
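Added worked example (not from the original article): the subnet-sizing arithmetic behind the exam question above, the five reserved addresses, and the subnet-within-VPC rule, implemented with Python's standard ipaddress module.

```python
import ipaddress

AWS_RESERVED_PER_SUBNET = 5    # network, VPC router, DNS, future use, broadcast
SMALLEST_SUBNET_PREFIX = 28    # AWS will not create a subnet smaller than /28
LARGEST_SUBNET_PREFIX = 16     # a subnet cannot exceed the largest VPC CIDR (/16)


def reserved_addresses(subnet: str) -> dict:
    """Return the five addresses AWS reserves in a subnet, keyed by purpose."""
    net = ipaddress.ip_network(subnet, strict=True)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(subnet: str) -> int:
    """Addresses an instance can actually receive after AWS's 5 reserved IPs."""
    return ipaddress.ip_network(subnet, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def smallest_prefix_for(required_hosts: int) -> int:
    """Longest prefix (smallest subnet) that still leaves required_hosts usable IPs.

    The 5 reserved addresses are added before rounding up to a power of two:
    29 hosts need 34 addresses, which overflows a /27 (32) and forces a /26 (64).
    """
    needed = required_hosts + AWS_RESERVED_PER_SUBNET
    prefix = 32 - (needed - 1).bit_length()   # ceil(log2(needed)) without floats
    if prefix < LARGEST_SUBNET_PREFIX:
        raise ValueError(f"{required_hosts} hosts exceed the largest allowed subnet (/16)")
    return min(prefix, SMALLEST_SUBNET_PREFIX)  # never smaller than the AWS minimum /28


def fits_in_vpc(subnet: str, vpc_cidr: str) -> bool:
    """A subnet CIDR must lie entirely within the VPC CIDR."""
    return ipaddress.ip_network(subnet).subnet_of(ipaddress.ip_network(vpc_cidr))


if __name__ == "__main__":
    print(reserved_addresses("10.0.0.0/24"))
    print("/27 usable:", usable_hosts("10.0.0.0/27"))
    print("29 hosts need a /", smallest_prefix_for(29))
```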
Public Subnet vs Private Subnet
| Aspect | Public Subnet | Private Subnet |
|---|---|---|
| Internet Gateway Route | Direct route (0.0.0.0/0 → IGW) | No route |
| Public IP | Auto-assign available | Typically none |
| External Access | Possible | Not possible |
| Internet Access | Direct | Requires NAT Gateway |
| Use Cases | Web servers, Load balancers, Bastion hosts | Databases, Application servers |
Requirements for a Public Subnet
- Internet Gateway (IGW) attached to VPC
- Route table has a 0.0.0.0/0 → IGW route
- Instance has a Public IP or Elastic IP assigned
Internet Access from Private Subnets
For private subnet resources to access the internet (e.g., downloading patches), a NAT Gateway is required.
Private Subnet EC2 → NAT Gateway (Public Subnet) → Internet Gateway → Internet
NAT Gateway Characteristics:
- Outbound only (return traffic for connections initiated from inside is allowed; the internet cannot initiate inbound connections)
- Placed in public subnet
- Incurs charges (hourly + data processing)
Route Tables: Controlling Traffic Flow
What is a Route Table?
A route table is a set of rules that determine where network traffic is directed. Every subnet must be associated with exactly one route table.
Route Table Components
| Destination | Target | Description |
|---|---|---|
| 10.0.0.0/16 | local | VPC internal communication (default) |
| 0.0.0.0/0 | igw-xxxxx | All external traffic → Internet Gateway |
| 0.0.0.0/0 | nat-xxxxx | All external traffic → NAT Gateway |
Public/Private Subnet Route Table Examples
Public Subnet Route Table:
10.0.0.0/16 → local
0.0.0.0/0 → igw-xxxxxx (Internet Gateway)
Private Subnet Route Table:
10.0.0.0/16 → local
0.0.0.0/0 → nat-xxxxxx (NAT Gateway)
Route Priority
AWS applies the most specific route (Longest Prefix Match).
Example: Destination is 10.0.1.50, and the route table contains
10.0.0.0/16 → local
10.0.1.0/24 → specific target
→ 10.0.1.0/24 is selected (/24 is more specific than /16)
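Added example (not from the original article) that implements the longest-prefix-match lookup described above and then uses it to classify a route table as public, private or isolated. The route tables are constructed from the article's examples; targets such as `igw-EXAMPLE` are placeholders, not real AWS resource IDs.

```python
import ipaddress

# Constructed route tables modelled on the article's examples (placeholder targets).
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE")]
ISOLATED_RT = [("10.0.0.0/16", "local")]              # no default route at all
# The Route Priority example: a /24 inside the VPC range with its own target.
SPECIFIC_RT = [("10.0.0.0/16", "local"), ("10.0.1.0/24", "eni-EXAMPLE"),
               ("0.0.0.0/0", "igw-EXAMPLE")]


def lookup_route(route_table, dst_ip):
    """Longest-prefix match: of all routes whose destination contains dst_ip,
    return the target of the one with the most fixed bits. None means no
    route matches and the packet is dropped."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for dest, target in route_table:
        net = ipaddress.ip_network(dest)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(route_table):
    """Judge a subnet by where internet-bound traffic is sent. 198.51.100.10 is
    an RFC 5737 documentation address standing in for any non-VPC destination."""
    target = lookup_route(route_table, "198.51.100.10")
    if target is None:
        return "isolated"      # no path to the internet at all
    if target.startswith("igw-"):
        return "public"        # direct IGW route; instances also need a public IP
    if target.startswith("nat-"):
        return "private"       # outbound only, via a NAT Gateway
    return "other"             # e.g. virtual private gateway or transit gateway


if __name__ == "__main__":
    print(lookup_route(SPECIFIC_RT, "10.0.1.50"))   # the /24 beats the /16
    for name, rt in [("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)]:
        print(name, "->", classify_subnet(rt))
```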
VPC Architecture Examples
Typical 3-Tier Architecture
VPC (10.0.0.0/16)
├── Availability Zone A
│   ├── Public Subnet  (10.0.1.0/24) - ALB, Bastion
│   ├── Private Subnet (10.0.2.0/24) - EC2 (App)
│   └── Private Subnet (10.0.3.0/24) - RDS (DB)
│
├── Availability Zone B
│   ├── Public Subnet  (10.0.11.0/24) - ALB
│   ├── Private Subnet (10.0.12.0/24) - EC2 (App)
│   └── Private Subnet (10.0.13.0/24) - RDS (DB)
│
└── Internet Gateway, NAT Gateway
High Availability Design Recommendations
- Production: Use at least 2 Availability Zones
- Dev/Test: Single AZ acceptable for cost savings
- Deploy identical subnet configurations in each AZ
SAA-C03 Exam Focus Points
- ✅ Subnet IP Calculation: Required IPs + 5 (AWS reserved)
- ✅ Public Subnet Requirements: IGW + Route Table (0.0.0.0/0 → IGW) + Public IP
- ✅ VPC CIDR Limits: /16 to /28, cannot change after creation (only Secondary CIDR can be added)
- ✅ NAT Gateway: Outbound internet for private subnets, placed in public subnet
- ✅ VPC Peering: Cannot connect if CIDRs overlap
Exam Tip
Sample Exam Question: "EC2 instances in a private subnet need to download software updates from the internet. These instances should not be directly accessible from the internet. What is the most appropriate solution?" → Answer: NAT Gateway (allows outbound only, blocks inbound)
Frequently Asked Questions
Q: Does VPC cost money?
VPC itself is free. However, NAT Gateway, VPC Endpoints, public IPv4 addresses, and data transfer incur charges.
Q: Can I change VPC CIDR later?
The Primary CIDR cannot be changed. However, you can add Secondary CIDR blocks to expand the IP range.
Q: Can one subnet span multiple Availability Zones?
No. A subnet exists in exactly one Availability Zone. To use multiple AZs, you must create separate subnets in each AZ.
Q: What's the difference between Internet Gateway and NAT Gateway?
- Internet Gateway (IGW): Bidirectional (both inbound and outbound), only one per VPC
- NAT Gateway: Unidirectional (outbound only), for private subnets, recommended one per AZ
Q: What happens if CIDRs overlap in VPC peering?
Connection is not possible. When planning VPC peering, design CIDR ranges to not overlap in advance.
Q: Can I delete the default VPC?
You can delete it, but it's not recommended. Some AWS services require the default VPC. If deleted, you can recreate it from the AWS console.