

AWS Networking Basics: VPC, Subnets, Internet Gateway, Route Tables, and Security Groups

Naveed Ali Rehmani, CEO, Kohminds Technologies

Amazon Web Services (AWS) provides powerful networking capabilities that allow users to build secure, scalable cloud architectures. If you're just getting started with cloud infrastructure, understanding AWS networking components is essential. In this article, we’ll break down the basics of:

  • VPC (Virtual Private Cloud)
  • Subnets (Public and Private)
  • Internet Gateway
  • Route Tables
  • Security Groups

1. VPC (Virtual Private Cloud)

A Virtual Private Cloud (VPC) is your own logically isolated section of AWS. It functions like a traditional network you'd have in your own on-premises data center, but hosted in the AWS cloud. You define everything: IP ranges, subnets, routing, firewalls, and more.

You can think of a VPC as the foundational layer on which your AWS infrastructure is built. Nothing gets deployed in AWS without being placed inside a VPC (even if it's the default one).

Every AWS account comes with a default VPC, but in production, you often create a custom VPC with specific configurations.


2. Subnets (Public and Private)

When you create a Virtual Private Cloud (VPC) in AWS, one of the first steps is dividing its IP address space into smaller, manageable blocks called subnets.

Each subnet represents a range of IP addresses in a specific AWS Availability Zone (AZ). Subnets are essential for organizing your resources, controlling access, and enabling availability across zones.

You generally categorize subnets into two types based on how you want resources within them to communicate with the outside world:

  • Public Subnets
  • Private Subnets

🔓 Public Subnet

A public subnet is one where the resources inside it (e.g., EC2 instances) can directly access the internet and are also reachable from the internet, provided their security group rules permit the traffic.

To qualify as a public subnet:

  • It must be associated with a route table that has a route to an Internet Gateway (IGW).
  • The resources inside (e.g., EC2 instances) must have a public IP address or an Elastic IP attached.

🔒 Private Subnet

A private subnet is designed for resources that should not be exposed to the public internet.

Resources in a private subnet:

  • Do not have a direct route to the Internet Gateway.
  • Can still initiate outbound connections using a NAT Gateway (for downloading patches, calling external APIs).
  • Cannot be reached from the internet directly.

3. Internet Gateway (IGW)

An Internet Gateway (IGW) is the component that connects your Virtual Private Cloud (VPC) to the public internet. It is managed by AWS, horizontally scaled, and highly available, and it lets resources in your VPC (such as EC2 instances) send traffic to and receive traffic from the internet. Without an IGW attached to the VPC, instances cannot reach the internet or be reached from it, even if they have public IP addresses. The IGW acts as the bridge between the VPC and the outside world, carrying both inbound and outbound traffic.

Internet access only works when every piece is in place: the IGW must be explicitly attached to the VPC; the EC2 instance must sit in a public subnet, that is, one whose route table has a default route (0.0.0.0/0) pointing to the IGW; the instance must have a public IP or an Elastic IP; and its security group must allow the inbound and outbound traffic you expect. If any one of these is missing, the instance cannot communicate with the internet.

What It Does:

  • Enables instances in public subnets to access the internet.
  • Supports both inbound and outbound traffic.

To enable internet access from your EC2 instance, you must:

  1. Place it in a public subnet.
  2. Attach an internet gateway to your VPC.
  3. Associate a route in the route table pointing 0.0.0.0/0 to the IGW.

4. Route Tables

A Route Table contains a set of rules (routes) that determine where network traffic is directed.

How It Works:

  • Each subnet in your VPC must be associated with a route table.
  • Public subnets include a route to the Internet Gateway.
  • Private subnets typically route traffic only within the VPC or to a NAT Gateway if internet access is needed for outbound requests.

Example:

A typical route table configuration includes:

  • For local VPC traffic: 10.0.0.0/16 → local
  • For internet access: 0.0.0.0/0 → igw-xxxxxx

This example route table allows the subnet to communicate locally within the VPC and also access the internet.
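The public/private distinction from section 2 and the route-table rules from this section, as an added Python example (not code from the article or from AWS). It classifies a subnet from route-table data: public only when the table the subnet uses carries a 0.0.0.0/0 route to an Internet Gateway that is attached to the VPC; private-with-NAT when the default route goes to a NAT Gateway; private otherwise. It also covers two cases the text implies but does not spell out: a subnet with no explicit association falls back to the VPC's main route table, and a default route to an IGW that is not attached to this VPC does not make the subnet public. The dictionaries mirror the shape of `aws ec2 describe-route-tables` and `describe-internet-gateways` output; every ID is constructed.

```python
"""Classify VPC subnets as public or private from route-table data.

Added example; not code from the article or from AWS. Sample data mirrors
the shape of `aws ec2 describe-route-tables` / `describe-internet-gateways`
output; every ID below is constructed.
"""
from typing import Dict, List, Optional, Set

VPC_ID = "vpc-0example"  # constructed

INTERNET_GATEWAYS: List[Dict] = [
    {"InternetGatewayId": "igw-0attached",
     "Attachments": [{"VpcId": VPC_ID, "State": "available"}]},
    {"InternetGatewayId": "igw-0detached", "Attachments": []},
]

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}

ROUTE_TABLES: List[Dict] = [
    {"RouteTableId": "rtb-main", "VpcId": VPC_ID,      # main table: local only
     "Associations": [{"Main": True}],
     "Routes": [LOCAL]},
    {"RouteTableId": "rtb-public", "VpcId": VPC_ID,    # default route to attached IGW
     "Associations": [{"SubnetId": "subnet-web"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0attached"}]},
    {"RouteTableId": "rtb-private", "VpcId": VPC_ID,   # default route via NAT: outbound only
     "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"RouteTableId": "rtb-broken", "VpcId": VPC_ID,    # IGW route, but that IGW is not attached
     "Associations": [{"SubnetId": "subnet-broken"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0detached"}]},
]


def attached_igws(igws: List[Dict], vpc_id: str) -> Set[str]:
    """IDs of Internet Gateways currently attached to the given VPC."""
    return {
        g["InternetGatewayId"]
        for g in igws
        if any(a.get("VpcId") == vpc_id and a.get("State") == "available"
               for a in g.get("Attachments", []))
    }


def route_table_for_subnet(route_tables: List[Dict], subnet_id: str, vpc_id: str) -> Optional[Dict]:
    """An explicit association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != vpc_id:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify_subnet(subnet_id: str, route_tables: List[Dict] = ROUTE_TABLES,
                    igws: List[Dict] = INTERNET_GATEWAYS, vpc_id: str = VPC_ID) -> str:
    """Return 'public', 'private-nat', 'private' or 'no-route-table'.

    'public' means the subnet can host internet-reachable instances; each
    instance still needs a public/Elastic IP and a permitting security group.
    """
    rt = route_table_for_subnet(route_tables, subnet_id, vpc_id)
    if rt is None:
        return "no-route-table"
    igw_ids = attached_igws(igws, vpc_id)
    verdict = "private"
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        gateway = route.get("GatewayId", "")
        if gateway.startswith("igw-") and gateway in igw_ids:
            return "public"
        if "NatGatewayId" in route:
            verdict = "private-nat"  # can reach out, cannot be reached from outside
    return verdict


if __name__ == "__main__":
    # subnet-orphan has no association, so it is judged by the main table
    for sid in ("subnet-web", "subnet-db", "subnet-broken", "subnet-orphan"):
        print(f"{sid}: {classify_subnet(sid)}")
```

The main-table fallback is the case worth checking in a real account: adding a 0.0.0.0/0 route to the main route table turns every subnet without an explicit association into a public subnet, which is rarely what was intended.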

5. Security Groups

Security Groups in AWS act as virtual firewalls that control traffic to and from your EC2 instances. They operate at the instance level, meaning the rules you define are applied directly to individual EC2 resources rather than the entire subnet. Security Groups are stateful: if you allow an inbound connection, the corresponding outbound response is automatically allowed, and vice versa. This makes them easier to manage than traditional firewall rule sets. You can attach multiple Security Groups to an instance, and the rules from all of them are aggregated; because security groups contain only allow rules, the effective policy is the union of every attached group's rules.

For example, consider a web server hosted on an EC2 instance. You might configure its Security Group to allow inbound HTTP traffic on port 80 and HTTPS on port 443 from any IP address (0.0.0.0/0), enabling public access to your website. However, to ensure secure administrative access, you'd restrict SSH (port 22) to only your office or home IP address. Outbound rules can also be defined—for instance, allowing the instance to access external services on port 443 for API calls. With Security Groups, you maintain tight, instance-level control over who can access your infrastructure and how.

For a web server, you might allow:

  • Inbound HTTP (port 80) from anywhere (0.0.0.0/0)
  • Inbound HTTPS (port 443) from anywhere
  • SSH (port 22) only from your IP address
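The web-server rules just listed, and the "database reachable only from the web server" rule used in the walkthrough that follows, as an added Python example (not code from the article or from AWS). It evaluates inbound rules the way the article describes: rules from every attached group are aggregated, there are only allow rules, and a rule may name a source security group instead of a CIDR. It also includes the audit a reviewer would run over exported group definitions: flag administrative ports (22 and 3389 are assumed here) that admit 0.0.0.0/0 or ::/0. The dictionaries mirror the `IpPermissions` shape of `aws ec2 describe-security-groups`; all group IDs and addresses are constructed.

```python
"""Evaluate and audit EC2 Security Group inbound rules.

Added example; not code from the article or from AWS. Rule dictionaries
mirror the `IpPermissions` shape returned by
`aws ec2 describe-security-groups`. Group IDs and addresses are constructed
(203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

ADMIN_CIDR = "203.0.113.10/32"  # constructed: stands in for an office or home address

SG_WEB: Dict = {
    "GroupId": "sg-web", "GroupName": "web-server",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": ADMIN_CIDR}]},
    ],
}

SG_DB: Dict = {
    "GroupId": "sg-db", "GroupName": "database",
    "IpPermissions": [
        # No CIDR at all: only instances that carry sg-web may connect on 3306.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ],
}

SG_WEB_WEAK: Dict = {  # the misconfiguration the audit should catch
    "GroupId": "sg-web-weak", "GroupName": "web-server-weak",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def _port_in_rule(rule: Dict, protocol: str, port: int) -> bool:
    """True if the rule's protocol/port range covers the requested port."""
    proto = rule["IpProtocol"]
    if proto == "-1":  # all protocols, all ports
        return True
    return proto == protocol and rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _rule_matches(rule: Dict, protocol: str, port: int, source_ip: str, source_groups: Iterable[str]) -> bool:
    """A rule admits the flow if the port matches and the source matches a CIDR or a referenced group."""
    if not _port_in_rule(rule, protocol, port):
        return False
    addr = ipaddress.ip_address(source_ip)
    if any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
        return True
    groups = set(source_groups)
    return any(p["GroupId"] in groups for p in rule.get("UserIdGroupPairs", []))


def inbound_allowed(groups: List[Dict], protocol: str, port: int, source_ip: str,
                    source_groups: Iterable[str] = ()) -> bool:
    """True if any rule in any attached group admits a new inbound flow.

    Groups on one instance are aggregated and contain only allow rules, so a
    single permissive rule anywhere is enough. `source_groups` lists the
    security groups attached to the sending instance (for sg-to-sg rules).
    """
    sg_set = set(source_groups)
    return any(_rule_matches(rule, protocol, port, source_ip, sg_set)
               for g in groups for rule in g.get("IpPermissions", []))


def world_open_admin_ports(groups: List[Dict], admin_ports: Tuple[int, ...] = (22, 3389)) -> List[Tuple[str, int]]:
    """Audit: (group id, port) pairs where an admin port admits 0.0.0.0/0 or ::/0."""
    findings = []
    for g in groups:
        for rule in g.get("IpPermissions", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            if not any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
                continue
            for port in admin_ports:
                if _port_in_rule(rule, "tcp", port):
                    findings.append((g["GroupId"], port))
    return findings


if __name__ == "__main__":
    print("https from internet:", inbound_allowed([SG_WEB], "tcp", 443, "198.51.100.7"))
    print("ssh from internet:", inbound_allowed([SG_WEB], "tcp", 22, "198.51.100.7"))
    print("ssh from admin:", inbound_allowed([SG_WEB], "tcp", 22, "203.0.113.10"))
    print("db from web tier:", inbound_allowed([SG_DB], "tcp", 3306, "10.0.1.5", ["sg-web"]))
    print("audit:", world_open_admin_ports([SG_WEB, SG_DB, SG_WEB_WEAK]))
```

The evaluator answers only whether a new inbound flow is admitted; the stateful reply path the article mentions needs no rule in either direction, so it is not modelled. The sg-to-sg rule on `SG_DB` is the pattern from step 5 of the walkthrough: the database never lists an IP range, so moving or re-addressing the web server does not require touching the database rules.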

How These Components Work Together

Let’s say you want to host a web application:

  1. Create a VPC with two subnets: one public, one private.
  2. Attach an Internet Gateway to the VPC.
  3. In the public subnet, launch an EC2 instance with a public IP and security group allowing HTTP/HTTPS.
  4. Add a route in the public subnet's route table to point internet traffic to the Internet Gateway.
  5. In the private subnet, host your database, only allowing access from the web server using security group rules.

Conclusion

Understanding AWS networking is essential for designing secure, scalable, and well-architected cloud environments. By mastering the foundational components—like VPCs, subnets, Internet Gateways, route tables, and security groups—you gain the ability to control traffic flow, protect your infrastructure, and ensure high availability for your applications.

About the Author

Naveed Ali Rehmani

CEO, Kohminds Technologies