How to Understand AWS VPC Architecture: Complete Step by Step Guide
By Braincuber Team
Published on April 4, 2026
What You'll Learn:
- IPv4 addressing fundamentals: binary octets, subnet masks, CIDR notation, and private IP ranges
- VPC core components: subnets, route tables, internet gateways, NAT gateways, and VPC router
- How to define CIDR blocks correctly with best practices for networks and hosts planning
- Security Groups vs Network ACLs: stateful vs stateless firewalls with hands-on configuration
- VPC Peering for private routing between VPCs across accounts and regions
- VPC Endpoints: Interface Endpoints and Gateway Endpoints for private AWS service access
- VPN connections: Client VPN, Site-to-Site VPN, and VPN CloudHub architecture
- AWS Direct Connect, Direct Connect Gateway, and Transit Gateway for enterprise networking
- IPv6 in VPC and VPC Flow Logs for traffic monitoring and troubleshooting
Amazon Virtual Private Cloud (VPC) is a service that lets you launch AWS resources in a logically isolated virtual network that you define. You control the networking environment: IP address ranges, subnets, routing, firewalls and the connections into and out of the network. This tutorial takes you from basic IP addressing through to enterprise connectivity patterns such as Transit Gateway and Direct Connect, so it works both as a first introduction and as a refresher for experienced cloud engineers who want to know exactly how VPC networking behaves.
IPv4 Addressing Primer
Before diving into VPC, we need to understand IP addressing. An IP address identifies a host on a network so that other hosts can send packets to it. When you type a domain name like example.com into your browser, your computer asks a DNS server to resolve that name into an IP address; the connection is then made to that address, not to the name.
Structure of an IP Address
An IP address like 192.168.0.1 is written in dotted decimal notation. Each of the four numbers between the dots is an octet: eight bits, each either 1 or 0. Within an octet the leftmost bit is the most significant, worth 128, and the rightmost is the least significant, worth 1.
```
Bit value:          128  64  32  16   8   4   2   1
192 = 128 + 64       ->   1   1   0   0   0   0   0   0
168 = 128 + 32 + 8   ->   1   0   1   0   1   0   0   0
  0                  ->   0   0   0   0   0   0   0   0
  1                  ->   0   0   0   0   0   0   0   1
Result: 192.168.0.1 = 11000000.10101000.00000000.00000001
```
Network ID vs Host ID
Every IP address has a network ID and a host ID. The network ID is the same for every host on the network, while the host ID is unique to each host. The subnet mask tells us which bits are which: where the mask has a 1 bit (255 for a whole octet), that bit belongs to the network ID; where it has a 0, that bit belongs to the host ID. The split does not have to fall on an octet boundary, which is what CIDR, below, is about.
| Class | Subnet Mask | Networks | Hosts per Network |
|---|---|---|---|
| Class A | /8 (255.0.0.0) | 126 | 16,777,214 |
| Class B | /16 (255.255.0.0) | 16,384 | 65,534 |
| Class C | /24 (255.255.255.0) | 2,097,152 | 254 |
Hosts per network excludes the all-zeros network address and the all-ones broadcast address; Class A also loses networks 0 and 127. Classful addressing is historical, but the RFC 1918 ranges below are still described in class terms, so the table is worth knowing.
Private IP Address Ranges (RFC 1918)
These ranges are reserved for private networks and are never routed on the public internet, so a host with a private address needs NAT (or a gateway with a public address) to talk to the internet. They are also what you will normally use inside a VPC.
Class A: 10.0.0.0 - 10.255.255.255 (10.0.0.0/8), one Class A network
Class B: 172.16.0.0 - 172.31.255.255 (172.16.0.0/12), 16 contiguous Class B networks
Class C: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16), 256 contiguous Class C networks
Classless Inter-Domain Routing (CIDR)
CIDR replaces the fixed class boundaries with a prefix length written after a slash, so the network/host split can fall on any bit. Moving bits from the host portion into the network portion (subnetting) creates more, smaller networks; moving them the other way (supernetting) merges networks into one larger block. A /20, for example, leaves 12 host bits, giving 4,096 addresses (4,094 usable under the classic rule that excludes the network and broadcast addresses), which is often a better fit than a full /16 with 65,534 usable addresses when you do not need that many hosts per network.
Amazon VPC Overview
A VPC is a logically isolated portion of the AWS cloud in which you deploy your resources. It is separate from the public AWS space where services such as Amazon S3 and DynamoDB are reached through public endpoints. Inside the VPC you decide the address range, the subnets, the routing and the firewall rules.
VPC Router
The implicit router that forwards traffic leaving a subnet. It is not a resource you can see; you configure it through route tables, and every route table carries a local route for the VPC CIDR that cannot be deleted.
Internet Gateway
One Internet Gateway can be attached to a VPC at a time. For IPv4 it performs one-to-one NAT between an instance's private address and its public or Elastic IP, carrying both inbound (ingress) and outbound (egress) traffic; for IPv6 it routes without translation. A subnet is "public" only when its route table sends 0.0.0.0/0 to the IGW and its instances actually have public IPv4 addresses.
Subnets
Always assigned to one Availability Zone and cannot span AZs. You can have multiple subnets in the same AZ. A subnet's route table and Network ACL apply to every network interface in it.
NAT Gateway
Lets instances in private subnets initiate outbound IPv4 connections (package updates, API calls) without accepting inbound connections from the internet. It is placed in a public subnet with an Elastic IP, and the private subnet's route table sends 0.0.0.0/0 to it. Deploy one per AZ so that the loss of a single AZ does not cut off egress for the others.
Defining VPC CIDR Blocks
When you create a VPC, you specify its primary CIDR block: the pool of addresses from which you later carve subnet ranges. Getting this right from the beginning matters because an existing CIDR block cannot be resized. You can add secondary CIDR blocks later, but they must not overlap the primary block or any network you peer with, so a cramped or colliding primary range is expensive to fix.
Rules and Guidelines
CIDR Block Size Range
The CIDR block size can be between a /16 (65,536 addresses) and a /28 (16 addresses). This sets the maximum number of addresses in the VPC, and every subnet must fit inside it.
No Overlapping CIDRs
A CIDR block cannot overlap any other CIDR block associated with the same VPC, and for VPC peering or Transit Gateway connectivity it must not overlap the remote VPC either, across accounts and regions. Overlapping ranges are the most common reason a peering route cannot be added later.
Reserved Addresses
In every subnet AWS reserves the first four addresses (the network address, the VPC router, the Amazon-provided DNS resolver, and one held for future use) and the last address (the network broadcast address, which VPCs do not support). A /28 subnet therefore yields 11 usable addresses, a /24 yields 251.
Use RFC 1918 Ranges
AWS recommends using CIDR blocks from the RFC 1918 private IP ranges. They give you plenty of room to plan, and choosing a range that does not collide with your on-premises or partner networks keeps VPN, Direct Connect and peering options open.
Critical: Plan CIDR Blocks Carefully
You cannot resize an existing CIDR block. Larger blocks give you more room later, but do not simply reuse 10.0.0.0/16 in every VPC: identical ranges can never be peered or connected through a Transit Gateway. Allocate VPC ranges from a central plan (for example a distinct /16 per VPC, carved from a larger block per environment) so that networks and hosts are sized before you create anything.
CIDR Block Example
Say the VPC CIDR block is 10.0.0.0/16, the overall pool of 65,536 addresses. From it we carve subnets with longer prefixes, for example 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24. Each /24 contains 256 addresses; after the 5 that AWS reserves, 251 are usable by your instances.
```
VPC CIDR: 10.0.0.0/16 (65,536 addresses)
Public Subnets:
  Public 1a:  10.0.1.0/24 (us-east-1a) - 251 usable
  Public 1b:  10.0.2.0/24 (us-east-1b) - 251 usable
Private Subnets:
  Private 1a: 10.0.3.0/24 (us-east-1a) - 251 usable
  Private 1b: 10.0.4.0/24 (us-east-1b) - 251 usable
Note: AWS reserves 5 addresses per subnet
(first 4 + last 1), so 256 - 5 = 251 usable hosts
```
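The same plan worked out in code, as an added example that is not part of the original article. The VPC range, tiers and AZ names are the article's; the function names and the RFC 1918 table are mine. It goes slightly beyond the text in one respect: it also checks a proposed VPC range against the CIDRs of networks you intend to peer with, the mistake the article warns cannot be fixed after creation.

```python
"""Carve a VPC plan with the standard library and check the AWS rules as you go."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
AWS_RESERVED_PER_SUBNET = 5  # first four addresses plus the last one


def validate_vpc_cidr(cidr):
    """VPC rules: prefix between /16 and /28; AWS recommends an RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=True)  # strict rejects host bits set, e.g. 10.0.1.0/16
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{cidr}: VPC CIDR must be between /16 and /28")
    if not any(net.subnet_of(r) for r in RFC1918):
        raise ValueError(f"{cidr}: not inside an RFC 1918 range")
    return net


def is_valid_vpc_cidr(cidr):
    try:
        validate_vpc_cidr(cidr)
        return True
    except ValueError:
        return False


def reserved_addresses(subnet):
    """The addresses AWS keeps in every subnet: network, router, DNS, future use, broadcast."""
    net = ipaddress.ip_network(subnet)
    first = int(net.network_address)
    return [str(ipaddress.ip_address(first + i)) for i in range(4)] + [str(net.broadcast_address)]


def usable_hosts(subnet):
    """Addresses left for instances after the AWS reservations (a /24 gives 251)."""
    return ipaddress.ip_network(subnet).num_addresses - AWS_RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, azs, tiers, prefix=24):
    """Allocate one subnet per (tier, AZ) pair, tier by tier, from the VPC block."""
    vpc = validate_vpc_cidr(vpc_cidr)
    if not vpc.prefixlen <= prefix <= 28:
        raise ValueError(f"subnet prefix /{prefix} must be between /{vpc.prefixlen} and /28")
    blocks = list(vpc.subnets(new_prefix=prefix))[1:]  # article starts at 10.0.1.0/24; first block left unused
    needed = len(tiers) * len(azs)
    if len(blocks) < needed:
        raise ValueError(f"{vpc_cidr} holds only {len(blocks)} /{prefix} blocks after the first, need {needed}")
    names = [f"{tier}-{az}" for tier in tiers for az in azs]
    return dict(zip(names, map(str, blocks)))


def peering_conflicts(vpc_cidr, peer_cidrs):
    """Ranges that overlap the proposed VPC block: those networks could never be peered with it."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [p for p in peer_cidrs if vpc.overlaps(ipaddress.ip_network(p))]


if __name__ == "__main__":
    plan = plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"], ["public", "private"])
    for name, cidr in plan.items():
        print(f"{name:20} {cidr:16} usable={usable_hosts(cidr)} reserved={reserved_addresses(cidr)}")
    # Constructed peer list: an existing VPC on 10.0.128.0/17 would collide with this plan
    print("conflicts:", peering_conflicts("10.0.0.0/16", ["10.0.128.0/17", "172.16.0.0/16"]))
```

Run it before creating the VPC: a non-empty conflicts list means the primary range needs changing now, while it is still free.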
VPC Wizard Options
The classic VPC Wizard creates a VPC with one of four pre-configured layouts so that you do not have to assemble the pieces by hand; the current console offers the same patterns through the "VPC and more" option when creating a VPC.
| Wizard Option | What You Get |
|---|---|
| Single Public Subnet | /16 CIDR with a /24 public subnet and an attached Internet Gateway |
| Public and Private Subnets | Public and private subnets with a NAT Gateway (requires Elastic IP allocation) |
| Public/Private + Hardware VPN | Public subnets, private subnets, and a VPN tunnel (requires customer gateway IP from your data center) |
| Private Only + Hardware VPN | Private subnet only with VPN connection, no internet routing from the subnet |
Creating a Custom VPC with Subnets
Let us walk through creating a custom VPC with public and private subnets across two Availability Zones. We will use a 10.0.0.0/16 CIDR block with four subnets.
Create the VPC
Go to the VPC dashboard and create a new VPC with the CIDR block 10.0.0.0/16. Enable DNS hostnames under Actions. Leave tenancy as default to avoid additional costs.
Create Subnets
Create four subnets: Public 1a (us-east-1a, 10.0.1.0/24), Public 1b (us-east-1b, 10.0.2.0/24), Private 1a (us-east-1a, 10.0.3.0/24), Private 1b (us-east-1b, 10.0.4.0/24).
Enable Auto-Assign Public IPs
For each public subnet, go to Actions and modify auto-assign IP settings to enable automatic assignment of public IPv4 addresses to instances launched in those subnets.
Create Private Route Table
Create a new route table for the private subnets and, under subnet associations, explicitly associate Private 1a and Private 1b with it. It needs no 0.0.0.0/0 route for now; add one pointing at a NAT Gateway later if those subnets need outbound internet access.
Create and Attach Internet Gateway
Create an Internet Gateway and attach it to your VPC. Then create a second route table for the public subnets, add a route for 0.0.0.0/0 with the Internet Gateway as target, and associate Public 1a and Public 1b with it. Adding the 0.0.0.0/0 route to the main route table instead also works, but it is risky: every subnet that is not explicitly associated with another table uses the main table, so any subnet created later would silently become internet-routable. Leaving the main table with only the local route makes "private unless someone deliberately chose otherwise" the default.
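The same build as code, as an added example that is not from the original article. The subnet plan is the article's; the DryRunEC2 recorder, the function names and the --apply flag are mine, and the ec2.* calls are the real boto3 EC2 client methods. Without --apply nothing is created: the call sequence is recorded so it can be audited, including the check that only the two public subnets end up behind an Internet Gateway route.

```python
"""Build the public/private VPC from the walkthrough with boto3, with an offline dry run."""
import itertools
import sys

VPC_CIDR = "10.0.0.0/16"
SUBNETS = {  # name: (cidr, availability zone, public?)
    "public-1a": ("10.0.1.0/24", "us-east-1a", True),
    "public-1b": ("10.0.2.0/24", "us-east-1b", True),
    "private-1a": ("10.0.3.0/24", "us-east-1a", False),
    "private-1b": ("10.0.4.0/24", "us-east-1b", False),
}
# Response shapes of the create_* calls that build_vpc reads an ID from
_CREATE_RESPONSES = {
    "create_vpc": ("Vpc", "VpcId", "vpc"),
    "create_subnet": ("Subnet", "SubnetId", "subnet"),
    "create_internet_gateway": ("InternetGateway", "InternetGatewayId", "igw"),
    "create_route_table": ("RouteTable", "RouteTableId", "rtb"),
}


class DryRunEC2:
    """Stand-in for boto3.client("ec2"): records every call and hands back fake IDs."""

    def __init__(self):
        self.calls = []
        self._seq = itertools.count(1)

    def __getattr__(self, method):
        def call(**kwargs):
            self.calls.append((method, kwargs))
            if method in _CREATE_RESPONSES:
                key, id_key, prefix = _CREATE_RESPONSES[method]
                return {key: {id_key: f"{prefix}-{next(self._seq):08x}"}}
            return {}
        return call


def build_vpc(ec2):
    """Create the VPC, IGW, two route tables and four subnets; return the IDs."""
    vpc_id = ec2.create_vpc(CidrBlock=VPC_CIDR)["Vpc"]["VpcId"]
    # Needed for public DNS names now and for interface endpoints' private DNS later
    ec2.modify_vpc_attribute(VpcId=vpc_id, EnableDnsHostnames={"Value": True})

    igw_id = ec2.create_internet_gateway()["InternetGateway"]["InternetGatewayId"]
    ec2.attach_internet_gateway(InternetGatewayId=igw_id, VpcId=vpc_id)

    # One table per tier. The main route table keeps only the local route, so a subnet
    # created later without an explicit association is private, not public.
    public_rtb = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    private_rtb = ec2.create_route_table(VpcId=vpc_id)["RouteTable"]["RouteTableId"]
    ec2.create_route(RouteTableId=public_rtb, DestinationCidrBlock="0.0.0.0/0", GatewayId=igw_id)

    subnet_ids = {}
    for name, (cidr, az, public) in SUBNETS.items():
        sid = ec2.create_subnet(VpcId=vpc_id, CidrBlock=cidr, AvailabilityZone=az)["Subnet"]["SubnetId"]
        subnet_ids[name] = sid
        if public:  # auto-assign a public IPv4 address to instances launched here
            ec2.modify_subnet_attribute(SubnetId=sid, MapPublicIpOnLaunch={"Value": True})
        ec2.associate_route_table(RouteTableId=public_rtb if public else private_rtb, SubnetId=sid)
    return {"vpc": vpc_id, "igw": igw_id, "public_rtb": public_rtb,
            "private_rtb": private_rtb, "subnets": subnet_ids}


def internet_routable_subnets(calls):
    """Audit a recorded call list: which subnets sit behind a 0.0.0.0/0 -> igw-* route?"""
    igw_tables = {kw["RouteTableId"] for method, kw in calls
                  if method == "create_route" and kw.get("DestinationCidrBlock") == "0.0.0.0/0"
                  and str(kw.get("GatewayId", "")).startswith("igw-")}
    return sorted(kw["SubnetId"] for method, kw in calls
                  if method == "associate_route_table" and kw["RouteTableId"] in igw_tables)


if __name__ == "__main__":
    if "--apply" in sys.argv:
        import boto3  # imported here so the dry run needs neither the SDK nor credentials
        client = boto3.client("ec2")
    else:
        client = DryRunEC2()
    ids = build_vpc(client)
    print(ids)
    if isinstance(client, DryRunEC2):
        for method, kwargs in client.calls:
            print(f"{method}({kwargs})")
        print("internet-routable subnets:", internet_routable_subnets(client.calls))
```

The dry run is deliberately the default. The audit function is the part worth keeping around: run the same check against the output of describe_route_tables on a real account and you get a quick answer to "which subnets are public?", which is usually more than the console tells you at a glance.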
Security Groups vs Network ACLs
Security Groups and Network Access Control Lists (NACLs) are two different types of firewalls that you can apply in your AWS environment. Understanding the difference between them is essential for proper VPC security architecture.
| Feature | Security Group | Network ACL |
|---|---|---|
| Level | Instance/ENI level (attached to network interfaces) | Subnet level (every subnet has exactly one NACL) |
| Type | Stateful firewall | Stateless firewall |
| Rules | ALLOW rules only (anything not allowed is implicitly denied) | ALLOW and DENY rules, plus a final implicit deny (*) |
| Return Traffic | Automatically allowed (stateful) | Requires an explicit rule in the opposite direction, typically covering the ephemeral port range |
| Rule Processing | All rules evaluated; any match allows | Processed in numerical order, stops at first match |
| Source/Destination | CIDR, prefix list, or another Security Group ID | CIDR only |
| Defaults | New group: no inbound, all outbound allowed | Default NACL: allow all; custom NACL: deny all until rules are added |
Stateful vs Stateless Firewalls
A stateful firewall (Security Group) tracks connections and allows return traffic automatically. If you allow inbound TCP port 80 to your web server, the responses going back to the client are allowed without any outbound rule. Security groups also have no rule ordering: if any rule matches, the traffic is allowed.
A stateless firewall (Network ACL) looks at each packet on its own and needs an allow rule for both directions. Even when the reply belongs to the same connection, the NACL does not know that, so you need an inbound rule for the request and an outbound rule for the reply. In practice the outbound rule must allow the ephemeral port range the client is using as its source port, typically 1024-65535, because you cannot know that port in advance. Mirroring the inbound rule (allowing only port 80 outbound) is the classic mistake: the request gets in and the response is dropped.
NACL Rule Numbering Strategy
Network ACL rules are evaluated from the lowest number upward and evaluation stops at the first rule that matches; the final rule, shown as *, denies anything no numbered rule matched. Number rules in steps such as 100, 200, 300 so there is room to insert new ones between them. A deny must have a lower number than the allow it is meant to override: a deny numbered above a matching allow is never reached. Because NACLs are stateless and apply to a whole subnet, keep them coarse (block a known-bad range, restrict a subnet to the ports it is expected to serve) and do the fine-grained work in security groups.
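The two evaluation models side by side on a single HTTP connection, as an added example that is not from the original article. The rule sets are constructed; 203.0.113.0/24 (a documentation address range) stands in for "the internet", and the web server is 10.0.1.25 in the Public 1a subnet of the walkthrough. ICMP type/code matching is left out.

```python
"""Judge one HTTP request and its reply with a stateless NACL and with a stateful security group."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int       # evaluation order for NACLs; meaningless for security groups
    action: str       # "allow" or "deny" (security groups only ever have "allow")
    protocol: str     # "tcp", "udp" or "all"
    ports: tuple      # inclusive (low, high) range of destination ports
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound


def matches(rule, pkt, remote_ip):
    return (rule.protocol in ("all", pkt.protocol)
            and rule.ports[0] <= pkt.dst_port <= rule.ports[1]
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr))


def nacl_decision(rules, pkt, direction):
    """Lowest-numbered matching rule wins; the implicit '*' rule denies everything else."""
    remote = pkt.src if direction == "inbound" else pkt.dst
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt, remote):
            return rule.action
    return "deny"


def nacl_connection_ok(rules_in, rules_out, request, reply):
    """Stateless: the request and its reply are judged separately, in opposite directions."""
    return (nacl_decision(rules_in, request, "inbound") == "allow"
            and nacl_decision(rules_out, reply, "outbound") == "allow")


def sg_connection_ok(inbound_rules, request):
    """Stateful: no ordering, allow-only; if any rule matches the request, the reply follows."""
    return any(matches(r, request, request.src) for r in inbound_rules)


# Client 203.0.113.10 (ephemeral port 51234) talks to the web server on port 80 and gets a reply
REQUEST = Packet(src="203.0.113.10", dst="10.0.1.25", dst_port=80)
REPLY = Packet(src="10.0.1.25", dst="203.0.113.10", dst_port=51234)

NACL_IN = [Rule(100, "allow", "tcp", (80, 80), "0.0.0.0/0")]
NACL_OUT_MIRRORED = [Rule(100, "allow", "tcp", (80, 80), "0.0.0.0/0")]       # common mistake
NACL_OUT_EPHEMERAL = [Rule(100, "allow", "tcp", (1024, 65535), "0.0.0.0/0")]  # replies go to client ports
NACL_IN_BLOCK_FIRST = [Rule(50, "deny", "all", (0, 65535), "203.0.113.0/24")] + NACL_IN
NACL_IN_BLOCK_TOO_LATE = NACL_IN + [Rule(150, "deny", "all", (0, 65535), "203.0.113.0/24")]
SG_WEB = [Rule(0, "allow", "tcp", (80, 80), "0.0.0.0/0")]

if __name__ == "__main__":
    print("NACL, outbound mirrors inbound:", nacl_connection_ok(NACL_IN, NACL_OUT_MIRRORED, REQUEST, REPLY))
    print("NACL, outbound allows ephemeral:", nacl_connection_ok(NACL_IN, NACL_OUT_EPHEMERAL, REQUEST, REPLY))
    print("NACL deny at 50 before allow at 100:", nacl_decision(NACL_IN_BLOCK_FIRST, REQUEST, "inbound"))
    print("NACL deny at 150 after allow at 100:", nacl_decision(NACL_IN_BLOCK_TOO_LATE, REQUEST, "inbound"))
    print("Security group, inbound rule only:", sg_connection_ok(SG_WEB, REQUEST))
```

The two NACL blocklist variants are the point of the rule-numbering advice: the same deny rule either works or is dead, depending only on its number relative to the allow.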
VPC Peering
VPC peering enables private routing between two VPCs using their private IPv4 and IPv6 addresses, within a region or across regions and accounts. Traffic stays on the AWS network and never touches the public internet, and inter-region peering traffic is encrypted by AWS.
No Overlapping CIDRs
CIDR blocks must NOT overlap between peered VPCs. This applies across all VPCs, regions, and accounts.
No Transitive Peering
VPC A peered to VPC B, and VPC B peered to VPC C, does NOT allow A to reach C: a peering connection only delivers traffic into the peer VPC's own CIDR and never forwards it on to the peer's other peerings, Internet Gateway, NAT Gateway or VPN. For multi-VPC connectivity you need either a full mesh of peerings (N*(N-1)/2 connections for N VPCs) or, at scale, a Transit Gateway.
Route Table Updates Required
Both sides need a route: destination = the remote VPC's CIDR, target = the peering connection ID (pcx-...). Security groups (which, within the same region, can reference a security group in the peer VPC instead of a CIDR) and NACLs must also allow the traffic. A route missing on one side is the usual cause of a connection that only works in one direction.
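Route lookup and the non-transitivity rule, as an added example that is not from the original article. The three VPC ranges, the peering connection IDs (pcx-ab, pcx-bc) and the route tables are constructed; "eni-inspect" stands for any more-specific route such as an inspection appliance and is there only to show that the most specific prefix wins.

```python
"""Resolve destinations the way the VPC router does and follow a packet across peerings."""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

VPC_CIDR = {"A": "10.0.0.0/16", "B": "10.1.0.0/16", "C": "10.2.0.0/16"}
PEERING = {"pcx-ab": {"A": "B", "B": "A"}, "pcx-bc": {"B": "C", "C": "B"}}
ROUTE_TABLES = {
    "A": {
        "10.0.0.0/16": "local",        # always present, cannot be deleted
        "10.1.0.0/16": "pcx-ab",       # peer B
        "10.1.5.0/24": "eni-inspect",  # more specific than the peering route, so it wins for that /24
        "10.2.0.0/16": "pcx-ab",       # tempting "shortcut" to C through B: accepted, but never works
        "0.0.0.0/0": "igw-a",          # public subnet
    },
    "B": {"10.1.0.0/16": "local", "10.0.0.0/16": "pcx-ab", "10.2.0.0/16": "pcx-bc"},
    "C": {"10.2.0.0/16": "local", "10.1.0.0/16": "pcx-bc"},
}


def lookup(route_table, dst):
    """Target of the most specific matching route, or None when the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def deliver(vpc, dst):
    """Where a packet sent from a subnet in `vpc` to `dst` ends up."""
    target = lookup(ROUTE_TABLES[vpc], dst)
    addr = ipaddress.ip_address(dst)
    if target is None:
        return ("dropped", f"{vpc}: no route to {dst}")
    if target == "local":
        return ("delivered", vpc)
    if target.startswith("pcx-"):
        # A peering connection only delivers into the peer VPC's own CIDR; the peer's router
        # never forwards it on to another peering, IGW, NAT or VPN (no transitive routing).
        peer = PEERING[target][vpc]
        if addr in ipaddress.ip_network(VPC_CIDR[peer]):
            return ("delivered", peer)
        return ("dropped", f"{target}: {dst} is outside {peer}'s CIDR {VPC_CIDR[peer]}")
    if target.startswith("igw-"):
        if any(addr in n for n in RFC1918):
            return ("dropped", f"{target}: private destination is not routable on the internet")
        return ("delivered", "internet")
    return ("forwarded", target)  # appliance, NAT gateway, endpoint: outside this model


if __name__ == "__main__":
    for vpc, dst in [("A", "10.1.4.4"), ("A", "10.1.5.9"), ("A", "10.2.7.7"), ("B", "10.2.7.7"), ("A", "198.51.100.7")]:
        print(f"{vpc} -> {dst}: via {lookup(ROUTE_TABLES[vpc], dst)} => {deliver(vpc, dst)}")
```

The 10.2.0.0/16 route in A's table is the interesting one: AWS lets you add it, the lookup picks it, and the packet still dies at the far end of pcx-ab. That is what "no transitive peering" looks like on the wire.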
VPC Endpoints
VPC endpoints let resources in a VPC reach supported AWS services over private IP addresses on the AWS network, with no Internet Gateway, NAT Gateway or public IP involved. Besides keeping the traffic off the internet, they let a private subnet with no internet path at all still use services such as S3, DynamoDB or Systems Manager. There are two types.
Interface Endpoint
Creates an elastic network interface with a private IP address in each subnet you choose, protected by a security group. With private DNS enabled, the service's public hostname resolves to that private address inside the VPC, so clients need no configuration change. Backed by AWS PrivateLink, it supports most AWS services as well as third-party services published over PrivateLink, and it is billed per hour and per GB.
Gateway Endpoint
Adds a route to the chosen route tables whose destination is an AWS-managed prefix list for the service and whose target is the endpoint. Available only for Amazon S3 and DynamoDB, and free of charge. It has no security group; access is controlled by the endpoint policy (both endpoint types support endpoint policies), by which route tables it is associated with, and by bucket or table policies, which can require the aws:SourceVpce condition so that the data is reachable only through your endpoint.
VPN Connections
AWS Client VPN
Client VPN connects individual devices (Windows, macOS, Linux) to a VPC over a TLS-encrypted, OpenVPN-protocol session on TCP or UDP port 443. The Client VPN endpoint is associated with one or more subnets and places network interfaces in them. Users connect with the AWS-provided client or any OpenVPN-compatible client, authenticate by mutual TLS certificates, Active Directory or SAML federation, and their traffic is source-NATed from the client CIDR to the endpoint interface's address in the VPC, so VPC resources see a VPC address rather than the client pool.
AWS Site-to-Site VPN
Connects corporate data centers or offices to AWS over encrypted IPsec tunnels. Components are a Virtual Private Gateway (VGW) on the AWS side (or a Transit Gateway) and a Customer Gateway representing your device. Every Site-to-Site VPN connection provides two tunnels to two AWS endpoints for resilience, and you should configure both. Routing is either static or dynamic via BGP. It is the usual backup path for Direct Connect.
AWS VPN CloudHub
This is not a standalone service but an architectural pattern using Site-to-Site VPN. It uses a hub-and-spoke topology where the AWS VPC is the hub and customer offices are the spokes. Multiple customer gateways, each with a unique BGP ASN, connect to a single VGW. This enables communication between office to VPC, VPC to office, and office to office via the VGW hub.
AWS Direct Connect
Direct Connect provides a dedicated private physical connection into AWS that does not traverse the public internet. Dedicated connections are offered at 1 Gbps, 10 Gbps and 100 Gbps (higher speeds at select locations); hosted connections through AWS partners start at 50 Mbps.
| Component | Description |
|---|---|
| Private VIF | Connects to VPCs via a VGW, or to many VPCs across regions via a Direct Connect Gateway. Uses an 802.1Q VLAN tag and a BGP session. Without a DX Gateway, one private VIF per VPC. |
| Public VIF | Connects to public AWS services in ANY region. Does NOT provide internet access. |
| DX Gateway | Allows a single DX connection to connect to VGWs in multiple regions. Traffic between regions travels over the AWS global backbone. |
| Transit VIF | A special VIF type only for Direct Connect to Transit Gateway associations. |
Critical: Direct Connect is NOT Encrypted
DX connections carry traffic in the clear: "private" means a dedicated circuit, not confidentiality. To encrypt, either run an IPsec Site-to-Site VPN over the DX connection (over a public VIF, or a Transit VIF to a Transit Gateway), or enable MACsec, which AWS offers on dedicated 10 Gbps and 100 Gbps connections at supporting locations and which encrypts at layer 2 without the VPN throughput limits. This is a common exam question and a real production requirement.
AWS Transit Gateway
The Transit Gateway is described as a Cloud Router -- a central hub that interconnects VPCs and on-premises networks. It solves the complexity of full-mesh VPC peering, which requires N*(N-1)/2 connections.
VPCs attach to the Transit Gateway with one subnet per AZ specified. It also accepts attachments from VPN connections, Direct Connect Gateways, third-party appliances (via Connect attachments) and other Transit Gateways for cross-region and cross-account connectivity. Most importantly, it supports transitive routing between on-premises, the Transit Gateway and all connected VPCs, which dramatically simplifies large multi-VPC, multi-region architectures. Routing between attachments is controlled by Transit Gateway route tables. By default every attachment is associated with the default table and propagates its routes into it, which makes everything reachable from everything; to isolate environments (production from development, or spokes from each other while both reach a shared services VPC), use separate TGW route tables with selective association and propagation.
Using IPv6 in a VPC
IPv4 uses 32-bit addresses, about 4.3 billion of them, written in dotted decimal. IPv6 uses 128-bit addresses written in hexadecimal, about 3.4 x 10^38 of them, which is effectively unlimited.
IPv6 CIDR Assignment
AWS assigns a /56 IPv6 CIDR block to the VPC (you can also bring your own range or allocate from IPAM). Subnets use /64 IPv6 CIDRs, each holding 2^64 addresses, about 18 quintillion, so host capacity is never the constraint.
All IPv6 Addresses Are Publicly Routable
Unlike private IPv4 addresses behind NAT, VPC IPv6 addresses are globally unique unicast addresses and there is no address translation for IPv6 traffic. Whether an interface is actually reachable from the internet is decided by routing (a ::/0 route to an Internet Gateway) and by security groups and NACLs. Treat every IPv6-enabled subnet as potentially public, and write rules for ::/0 as carefully as for 0.0.0.0/0.
Egress Only Internet Gateway
For outbound-only IPv6 access, use an Egress-Only Internet Gateway: instances can initiate IPv6 connections outward, inbound connections are refused, and no translation takes place. It is the IPv6 counterpart of what a NAT Gateway does for IPv4. The private subnet's route table sends ::/0 to it.
VPC Flow Logs
VPC Flow Logs capture metadata about the IP traffic to and from network interfaces: the 5-tuple, packet and byte counts, the time window, and whether the traffic was accepted or rejected. There is no payload. Records are delivered to CloudWatch Logs, Amazon S3 or Amazon Data Firehose. Flow logs can be created at VPC, subnet or network interface (ENI) level; the VPC level covers every ENI in the VPC. Two caveats matter for investigations: some traffic is never logged (queries to the Amazon DNS resolver, instance metadata at 169.254.169.254, DHCP and a few other AWS-internal flows), and a REJECT tells you a packet was dropped but not whether the security group or the NACL dropped it.
Step 1: Create CloudWatch Log Group with retention period
Step 2: Create IAM role with inline policy:
- CreateLogGroup, CreateLogStream, PutLogEvents
- DescribeLogGroups, DescribeLogStreams
Step 3: Edit trust relationship for vpc-flow-logs.amazonaws.com
Step 4: Create flow log with "All Traffic" capture
Step 5: Choose the aggregation interval (1 minute or 10 minutes; 1 minute gives the tighter timeline investigations want)
Use Cases: Troubleshooting, security analysis, compliance
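A first-triage parser for the records that pipeline produces, as an added example that is not from the original article. The log lines below are constructed (documentation address ranges, a made-up account and interface ID) but follow the real default version 2 field order; the function names are mine. It shows the two things a first look usually wants, what was rejected and which sources probed many ports, and demonstrates the caveat above: the internal REJECT between 10.0.3.40 and the web server tells you a rule is missing, not which firewall is missing it.

```python
"""Parse VPC Flow Log records (default format, version 2) and do a first triage."""
import ipaddress
from collections import defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")  # the walkthrough's VPC

# Constructed sample: one normal HTTP exchange, a port probe, an internal reject, an empty window
SAMPLE = """\
2 123456789012 eni-0a1b2c3d4e5f60718 203.0.113.10 10.0.1.25 51234 80 6 12 4860 1718000000 1718000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.1.25 203.0.113.10 80 51234 6 10 9920 1718000000 1718000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40001 22 6 1 44 1718000000 1718000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40002 23 6 1 44 1718000000 1718000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40003 3389 6 1 44 1718000000 1718000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40004 445 6 1 44 1718000000 1718000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 198.51.100.7 10.0.1.25 40005 8080 6 1 44 1718000000 1718000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 10.0.3.40 10.0.1.25 33000 5432 6 1 60 1718000000 1718000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60718 - - - - - - - 1718000000 1718000060 - NODATA
"""


def parse(text):
    """Return the OK records as dicts; skip NODATA/SKIPDATA windows and non-default layouts."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue  # custom formats carry a different field list; parse them with their own header
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] == "OK":  # NODATA: no traffic in the window; SKIPDATA: records were lost
            records.append(rec)
    return records


def rejects(records):
    return [r for r in records if r["action"] == "REJECT"]


def port_scanners(records, min_ports=5):
    """(src, dst) pairs rejected on at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in rejects(records):
        ports[(r["srcaddr"], r["dstaddr"])].add(int(r["dstport"]))
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def internal_rejects(records):
    """Rejected flows between two addresses inside the VPC: usually a missing security group
    or NACL rule between tiers; the flow log alone cannot say which firewall dropped it."""
    return [(r["srcaddr"], r["dstaddr"], int(r["dstport"])) for r in rejects(records)
            if ipaddress.ip_address(r["srcaddr"]) in VPC_CIDR
            and ipaddress.ip_address(r["dstaddr"]) in VPC_CIDR]


if __name__ == "__main__":
    recs = parse(SAMPLE)
    print(f"{len(recs)} records, {len(rejects(recs))} rejected")
    print("port probes:", port_scanners(recs))
    print("internal rejects:", internal_rejects(recs))
```

Real exports have one record per line in exactly this shape when you keep the default format; if you switch to a custom format (to add fields such as pkt-srcaddr, flow-direction or tcp-flags), replace FIELDS with the field list you chose when the flow log was created.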
VPC Architecture Summary
| Component | Purpose | Key Detail |
|---|---|---|
| VPC | Logically isolated virtual network | Regional, cannot span regions. Default limit: 5 per region |
| Subnet | Segment of VPC IP address range | Always in one AZ. Cannot span multiple AZs |
| Internet Gateway | Enables internet access for VPC | One per VPC. Both ingress and egress for IPv4 |
| NAT Gateway | Outbound internet for private subnets | Must be in public subnet. Requires Elastic IP |
| Security Group | Instance-level stateful firewall | ALLOW rules only. Return traffic auto-allowed |
| Network ACL | Subnet-level stateless firewall | ALLOW and DENY. Explicit rules for both directions |
| VPC Peering | Private routing between VPCs | No transitive peering. No overlapping CIDRs |
| VPC Endpoint | Private access to AWS services | Interface (ENI) or Gateway (route table) types |
| Transit Gateway | Central hub for VPC interconnection | Supports transitive routing. Simplifies mesh networks |
| Direct Connect | Dedicated private connection to AWS | NOT encrypted. Use IPsec VPN over DX, or MACsec on supported dedicated connections |
Frequently Asked Questions
What is the difference between a Security Group and a Network ACL?
Security Groups operate at the instance level and are stateful (return traffic is automatically allowed). Network ACLs operate at the subnet level and are stateless (require explicit inbound and outbound rules). Security Groups only support ALLOW rules while NACLs support both ALLOW and DENY.
Can a VPC span multiple AWS regions?
No. A VPC is always within a single region and cannot span across regions. However, you can connect VPCs across regions using VPC Peering, Transit Gateway, or Direct Connect Gateway.
What is the difference between a NAT Gateway and an Internet Gateway?
An Internet Gateway allows both inbound and outbound internet traffic for public subnets. A NAT Gateway only allows outbound traffic for private subnets and must be placed in a public subnet with an Elastic IP assignment.
Why is AWS Direct Connect not encrypted?
Direct Connect uses a dedicated physical circuit that does not traverse the public internet, and AWS does not encrypt it by default. A dedicated circuit protects you from internet routing and congestion, not from anyone able to tap the path. For sensitive data, run an IPsec Site-to-Site VPN over the Direct Connect connection, or use MACsec where your dedicated 10 Gbps or 100 Gbps connection and its location support it.
How many IP addresses does AWS reserve in each subnet?
AWS reserves the first four and last IP address in each subnet (5 total). For a /24 subnet with 256 addresses, only 251 are usable for your instances and resources.