
Basics of AWS Virtual Private Cloud (VPC)
Virtual Private Cloud (VPC) is one of the essential AWS services: it lets a cloud user create an
isolated, virtual data center inside AWS. A VPC gives complete control over the networking of the
instances created in it. It allows us to create multiple subnets for micro-segmenting the virtual
instances, and to use network ACLs (enforced at the subnet boundary) and security groups (enforced at
the instance's network interface) to control traffic between and into those subnets. It also provides
internet connectivity to the instances created in the AWS cloud.
 
Any EC2 instance (or other network-attached resource) created in AWS must be associated with a VPC to
get network connectivity.
 
A VPC is a regional resource: it lives in one AWS region and spans that region's Availability Zones,
and a region can hold several VPCs. AWS creates a default VPC in each region for each account. The
default VPC created by AWS is assigned the CIDR 172.31.0.0/16. This default VPC can be deleted on a
per-region basis, and users are free to create their own VPCs for better control.
 
Below is a snapshot from the AWS console that highlights the different options to create the default
VPC and a custom VPC.
 

 
Using the "Create default VPC" option creates the default VPC for the respective region with a CIDR
of 172.31.0.0/16 and auto-creates one subnet per Availability Zone (AZ) in the region by assigning
each subnet a block from that CIDR. For example, Ohio (us-east-2) is a region with 3 AZs. When a
default VPC is created in this region, 3 subnets are created, each a /20 block carved from the CIDR,
as shown below:
 

 
Using the "Create VPC" option creates a custom VPC; the user must assign a CIDR block and create the
subnets for the relevant AZs manually.
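As an added example (not code from the original page), the following Python reproduces that carving with the standard library: one /20 per AZ handed out consecutively from the VPC CIDR, the five addresses AWS reserves in every subnet subtracted from the usable count, plus the two checks a practitioner wants before creating a custom VPC with "Create VPC": that the chosen block is RFC 1918 space and that the subnets fit inside it without overlapping. The AZ names and CIDR values used in the demo are assumed sample input.

```python
import ipaddress

# AWS reserves five addresses in every subnet: the network address, the VPC
# router (.1), the DNS resolver (.2), one held for future use (.3) and the
# broadcast address at the end of the block.
AWS_RESERVED_PER_SUBNET = 5
RFC1918 = [ipaddress.ip_network(c)
           for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """AWS accepts any IPv4 block between /16 and /28, but only RFC 1918 space
    avoids colliding with real internet addresses (172.32.0.0/16 is public)."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(r) for r in RFC1918)


def plan_subnets(vpc_cidr, azs, prefix_len=20):
    """Carve one subnet per AZ from vpc_cidr, the way the default VPC hands out
    consecutive /20 blocks; returns {az: {"cidr": str, "usable": int}}."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError("VPC CIDR must be between /16 and /28")
    if not vpc.prefixlen <= prefix_len <= 28:
        raise ValueError("subnet prefix must be between the VPC prefix and /28")
    # A subnet may be as large as the whole VPC; otherwise split the block.
    blocks = iter([vpc]) if prefix_len == vpc.prefixlen else vpc.subnets(new_prefix=prefix_len)
    plan = {}
    for az in azs:
        block = next(blocks, None)
        if block is None:
            raise ValueError(f"{vpc_cidr} runs out of /{prefix_len} blocks before {az}")
        plan[az] = {"cidr": str(block),
                    "usable": block.num_addresses - AWS_RESERVED_PER_SUBNET}
    return plan


def plan_is_consistent(vpc_cidr, plan):
    """True when every subnet sits inside the VPC block and no two overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(s["cidr"]) for s in plan.values()]
    inside = all(n.subnet_of(vpc) for n in nets)
    disjoint = all(not a.overlaps(b)
                   for i, a in enumerate(nets) for b in nets[i + 1:])
    return inside and disjoint


if __name__ == "__main__":
    # Ohio (us-east-2) has three AZs; this reproduces its three /20 default subnets.
    ohio = plan_subnets("172.31.0.0/16", ["us-east-2a", "us-east-2b", "us-east-2c"])
    for az, s in ohio.items():
        print(az, s["cidr"], s["usable"], "usable addresses")
    print("consistent:", plan_is_consistent("172.31.0.0/16", ohio))
    print("172.32.0.0/16 is RFC 1918:", is_rfc1918("172.32.0.0/16"))
```

For the Ohio input this yields 172.31.0.0/20, 172.31.16.0/20 and 172.31.32.0/20 with 4091 usable addresses each; N. Virginia's six AZs continue the sequence up to 172.31.80.0/20. The same function plans a custom VPC with any prefix length the console accepts.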
 
Below is an example figure that shows a total of 3 VPCs, in the N. Virginia (us-east-1), Ohio
(us-east-2) and Mumbai (ap-south-1) regions. For clarity, the figure uses a different CIDR for each
VPC; in reality, the default VPC always has 172.31.0.0/16.
 
 

 
 
Each region has more than one AZ, and the default VPC assigns a subnet to each AZ. In the N. Virginia
region there are 6 AZs. Each AZ gets a unique subnet carved from the VPC's CIDR block. In the figure:
- All AZs in the N. Virginia region get subnets from 172.31.0.0/16
- All AZs in the Ohio region get subnets from 172.32.0.0/16
- All AZs in the Mumbai region get subnets from 172.33.0.0/16
Note that 172.32.0.0/16 and 172.33.0.0/16 are for illustration only: they fall outside the RFC 1918
private range 172.16.0.0/12, so a real VPC should not be given such a block.
 
Each default VPC also comes with its own Internet Gateway (IGW) attached, which gives all of its
subnets a path to the internet.
 
Each subnet is associated with a route table; in the default VPC all subnets use the VPC's main route
table, which has a minimum of 2 entries:
- The VPC CIDR (172.31.0.0/16) with target "local", for traffic between subnets inside the VPC.
- The default route (0.0.0.0/0) pointing to the VPC's Internet Gateway.
  
Below is a snapshot of one of the subnets from the Ohio region, where it can be seen that the route
table contains the 2 entries explained above.
 

 
The network ACL of the default VPC has rules for both inbound and outbound traffic. By default it
allows all traffic in both directions (rule 100 allows everything from and to 0.0.0.0/0; only the
final "*" rule denies), so the NACL performs no filtering at all and the security group attached to
each instance is the only thing standing between that instance and the internet. This is not a
recommended design for anything beyond a sandbox. Below is a snapshot of the Network ACL from the
Ohio region.
 

 
When an EC2 instance is launched in one of the AZs, it gets a private IP address from that AZ's
subnet. Because default subnets also auto-assign a public IPv4 address and the route table has a
default route pointing to the Internet Gateway, the instance has full connectivity to and from the
internet, limited only by what its security group allows.
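To make the interplay of these layers concrete, here is an added Python model (not from the original page or from AWS) of the path one inbound connection takes: route-table lookup, the stateless NACL evaluated in rule-number order, and the stateful security group. It covers the route-table, network-ACL and EC2-connectivity paragraphs above. The route entries, NACL rules, the "igw-EXAMPLE" target, the client and instance addresses and the hardened HTTPS rule set are all constructed sample data. It shows two things the prose alone does not: with the default VPC it is the default security group, not the allow-all NACL, that blocks an unsolicited SSH connection, and a hardened NACL that allows inbound 443 but forgets the outbound ephemeral-port rule drops the server's replies.

```python
import ipaddress

# Constructed sample data (not from the page). Shapes follow what the console
# shows: route entries, numbered NACL rules and security-group rules.
ROUTES_PUBLIC = [("172.31.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")]
ROUTES_PRIVATE = [("172.31.0.0/16", "local")]  # no IGW route: a private subnet

ALL_PORTS = (0, 65535)
# NACL rule: (rule_number, action, protocol, remote_cidr, (port_lo, port_hi)).
# The trailing "*" deny of a real NACL is the implicit fall-through below.
NACL_DEFAULT = {"in":  [(100, "allow", "-1", "0.0.0.0/0", ALL_PORTS)],
                "out": [(100, "allow", "-1", "0.0.0.0/0", ALL_PORTS)]}
NACL_HTTPS = {"in":  [(100, "allow", "tcp", "0.0.0.0/0", (443, 443))],
              "out": [(100, "allow", "tcp", "0.0.0.0/0", (1024, 65535))]}
NACL_HTTPS_NO_EPHEMERAL = {"in": NACL_HTTPS["in"],
                           "out": [(100, "allow", "tcp", "0.0.0.0/0", (443, 443))]}
# Security-group inbound rule: (protocol, source_cidr, (port_lo, port_hi)).
# The default SG only admits traffic from members of the same SG, so towards
# an internet client its inbound rule list is effectively empty.
SG_DEFAULT = []
SG_SSH_OPEN = [("tcp", "0.0.0.0/0", (22, 22))]
SG_HTTPS_OPEN = [("tcp", "0.0.0.0/0", (443, 443))]


def lookup_route(routes, dst_ip):
    """Longest-prefix match, as the VPC router does; None when nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def _matches(proto, cidr, ports, pkt_proto, pkt_ip, pkt_port):
    return (proto in ("-1", pkt_proto)
            and ipaddress.ip_address(pkt_ip) in ipaddress.ip_network(cidr)
            and ports[0] <= pkt_port <= ports[1])


def nacl_allows(rules, pkt_proto, remote_ip, dst_port):
    """Stateless: the lowest-numbered matching rule wins; no match means deny."""
    for _, action, proto, cidr, ports in sorted(rules, key=lambda r: r[0]):
        if _matches(proto, cidr, ports, pkt_proto, remote_ip, dst_port):
            return action == "allow"
    return False


def sg_allows_inbound(rules, pkt_proto, src_ip, dst_port):
    """Stateful allow-list: any matching rule admits the flow, and the reply is
    then permitted automatically, so no outbound check is needed for it."""
    return any(_matches(p, c, ports, pkt_proto, src_ip, dst_port)
               for p, c, ports in rules)


def inbound_blocked_by(client_ip, client_port, svc_port, routes, nacl, sg, proto="tcp"):
    """Walk one client -> instance connection through the layers and return the
    first layer that drops it, or None when the connection succeeds."""
    if not nacl_allows(nacl["in"], proto, client_ip, svc_port):
        return "nacl-inbound"
    if not sg_allows_inbound(sg, proto, client_ip, svc_port):
        return "security-group"
    # Reply packet: it needs a route back to the client via the IGW (a subnet
    # without one has no internet path in either direction) and, because NACLs
    # are stateless, an outbound rule covering the client's ephemeral port.
    target = lookup_route(routes, client_ip)
    if target is None or not target.startswith("igw-"):
        return "route-table"
    if not nacl_allows(nacl["out"], proto, client_ip, client_port):
        return "nacl-outbound"
    return None


if __name__ == "__main__":
    client, eph = "203.0.113.10", 51000  # constructed internet client and its ephemeral port
    scenarios = {
        "default VPC, default SG, SSH":     (22, ROUTES_PUBLIC, NACL_DEFAULT, SG_DEFAULT),
        "default VPC, SSH opened in SG":    (22, ROUTES_PUBLIC, NACL_DEFAULT, SG_SSH_OPEN),
        "private subnet, SSH opened in SG": (22, ROUTES_PRIVATE, NACL_DEFAULT, SG_SSH_OPEN),
        "HTTPS NACL without ephemeral out": (443, ROUTES_PUBLIC, NACL_HTTPS_NO_EPHEMERAL, SG_HTTPS_OPEN),
        "HTTPS NACL with ephemeral out":    (443, ROUTES_PUBLIC, NACL_HTTPS, SG_HTTPS_OPEN),
    }
    for label, args in scenarios.items():
        print(f"{label}: blocked by {inbound_blocked_by(client, eph, *args)}")
```

Run it and the first scenario reports "security-group": the allow-all NACL let the packet through and only the default security group's empty inbound list stopped it. Open port 22 in the security group and the same instance is reachable from anywhere, which is what "full connectivity" means in practice. The last two scenarios show the NACL's statelessness: the inbound 443 rule alone is not enough; the outbound rule for ports 1024-65535 must exist or the server's replies are dropped.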
 
