Fatskills
Practice. Master. Repeat.
Study Guide: TECH **AWS VPC Fundamentals: CIDR, Subnets, Route Tables, NAT**
Source: https://www.fatskills.com/aws-certified-solutions-architect-associate/chapter/tech-aws-vpc-fundamentals-cidr-subnets-route-tables-nat

TECH **AWS VPC Fundamentals: CIDR, Subnets, Route Tables, NAT**

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~7 min read

AWS VPC Fundamentals: CIDR, Subnets, Route Tables, NAT

A Hyper-Practical, Zero-Fluff Study Guide for AWS Solutions Architect – Associate


1. What This Is & Why It Matters

You’re a cloud engineer at a fintech startup. Your team just migrated a monolithic app to AWS, but now: - Security teams demand strict network isolation between payment processing and customer-facing APIs.
- DevOps complains that private instances can’t reach the internet for updates (but must stay private).
- Finance wants to avoid a $5K/month NAT Gateway bill because someone misconfigured subnets.

VPC Fundamentals are the foundation of AWS networking. If you mess this up: - Your database gets exposed to the internet (hello, ransomware).
- Your app crashes because instances can’t talk to each other.
- Your AWS bill skyrockets due to misrouted traffic.

This guide gives you the superpower to:
✅ Design secure, scalable networks from scratch.
✅ Debug "why can’t my instance reach the internet?" in 5 minutes.
✅ Pass the AWS SAA exam by mastering the 20% of VPC concepts that appear in 80% of questions.


2. Core Concepts & Components


? VPC (Virtual Private Cloud)

  • Definition: A logically isolated network in AWS where you launch resources (EC2, RDS, etc.).
  • Production Insight: Always start with a non-overlapping CIDR block (e.g., 10.0.0.0/16). Overlapping CIDRs break VPC peering and VPNs.

? CIDR (Classless Inter-Domain Routing)

  • Definition: A method to allocate IP addresses (e.g., 10.0.0.0/16 = 65,536 IPs).
  • Production Insight: Use /24 (256 IPs) for subnets—small enough to avoid waste, large enough for scaling. Avoid /28 (16 IPs) unless you love subnet math headaches.

? Subnet

  • Definition: A segment of a VPC’s IP range where you place resources (public/private).
  • Production Insight: Never put databases in public subnets. Use private subnets + NAT for outbound internet access.

? Route Table

  • Definition: A set of rules ("routes") that determine where network traffic is directed.
  • Production Insight: Every subnet must be associated with a route table. Default route tables are dangerous—always create custom ones.

? Internet Gateway (IGW)

  • Definition: A VPC component that allows communication between instances and the internet.
  • Production Insight: Only attach one IGW per VPC. It’s free, but misconfigurations expose private instances.

? NAT Gateway/Instance

  • Definition: Allows private instances to access the internet (e.g., for updates) without exposing them.
  • Production Insight: NAT Gateways cost ~$0.045/hour + data processing fees. NAT Instances are cheaper but require manual scaling.

? Security Group (SG)

  • Definition: A virtual firewall for instances (stateful: allows return traffic automatically).
  • Production Insight: Default SGs allow all outbound traffic—restrict this in production.

? Network ACL (NACL)

  • Definition: A stateless firewall at the subnet level (evaluates inbound/outbound traffic separately).
  • Production Insight: NACLs are your last line of defense. Use them to block specific IPs (e.g., known attackers).


3. Step-by-Step: Build a Secure VPC with Public/Private Subnets


Prerequisites

  • AWS account with admin IAM permissions.
  • AWS CLI installed (aws configure set up).
  • Basic familiarity with aws ec2 commands.

Task: Deploy a VPC with:

  • 1 public subnet (for a bastion host).
  • 1 private subnet (for a database).
  • NAT Gateway for private subnet internet access.
  • Custom route tables.


Step 1: Create the VPC

aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=MyVPC}]'

Output:


{
  "Vpc": {
"VpcId": "vpc-1234567890abcdef0",
"CidrBlock": "10.0.0.0/16" } }

Verify:


aws ec2 describe-vpcs --vpc-ids vpc-1234567890abcdef0


Step 2: Create Subnets

Public Subnet (10.0.1.0/24)

aws ec2 create-subnet \
  --vpc-id vpc-1234567890abcdef0 \
  --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=PublicSubnet}]'

Private Subnet (10.0.2.0/24)

aws ec2 create-subnet \
  --vpc-id vpc-1234567890abcdef0 \
  --cidr-block 10.0.2.0/24 \
  --availability-zone us-east-1a \
  --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=PrivateSubnet}]'

Verify:


aws ec2 describe-subnets --filters "Name=vpc-id,Values=vpc-1234567890abcdef0"


Step 3: Create an Internet Gateway (IGW)

aws ec2 create-internet-gateway --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=MyIGW}]'

Output:


{
  "InternetGateway": {
"InternetGatewayId": "igw-1234567890abcdef0" } }

Attach IGW to VPC:


aws ec2 attach-internet-gateway --vpc-id vpc-1234567890abcdef0 --internet-gateway-id igw-1234567890abcdef0


Step 4: Create Route Tables

Public Route Table

aws ec2 create-route-table --vpc-id vpc-1234567890abcdef0 --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=PublicRT}]'

Add route to IGW:


aws ec2 create-route \
  --route-table-id rtb-1234567890abcdef0 \
  --destination-cidr-block 0.0.0.0/0 \
  --gateway-id igw-1234567890abcdef0

Associate with Public Subnet:


aws ec2 associate-route-table --subnet-id subnet-1234567890abcdef0 --route-table-id rtb-1234567890abcdef0

Private Route Table

aws ec2 create-route-table --vpc-id vpc-1234567890abcdef0 --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=PrivateRT}]'

Associate with Private Subnet:


aws ec2 associate-route-table --subnet-id subnet-abcdef1234567890 --route-table-id rtb-abcdef1234567890


Step 5: Create a NAT Gateway

Allocate Elastic IP (EIP)

aws ec2 allocate-address --domain vpc --tag-specifications 'ResourceType=elastic-ip,Tags=[{Key=Name,Value=MyNAT-EIP}]'

Output:


{
  "AllocationId": "eipalloc-1234567890abcdef0",
  "PublicIp": "203.0.113.42"
}

Create NAT Gateway in Public Subnet

aws ec2 create-nat-gateway \
  --subnet-id subnet-1234567890abcdef0 \
  --allocation-id eipalloc-1234567890abcdef0 \
  --tag-specifications 'ResourceType=natgateway,Tags=[{Key=Name,Value=MyNAT}]'

Output:


{
  "NatGateway": {
"NatGatewayId": "nat-1234567890abcdef0" } }

Add route to Private Route Table:


aws ec2 create-route \
  --route-table-id rtb-abcdef1234567890 \
  --destination-cidr-block 0.0.0.0/0 \
  --nat-gateway-id nat-1234567890abcdef0


Step 6: Verify Connectivity

Launch a Test Instance in Private Subnet

aws ec2 run-instances \
  --image-id ami-0c55b159cbfafe1f0 \  # Amazon Linux 2
  --instance-type t2.micro \
  --subnet-id subnet-abcdef1234567890 \
  --tag-specifications 'ResourceType=instance,Tags=[{Key=Name,Value=PrivateTest}]'

SSH into a bastion host in the public subnet, then:


ssh -i "key.pem" ec2-user@<private-instance-ip>

Test internet access:


ping 8.8.8.8  # Should work (NAT Gateway)
curl ifconfig.me  # Should return your NAT Gateway's public IP


4. ? Production-Ready Best Practices


Security

  • Least Privilege: Restrict security groups to only necessary ports (e.g., 443 for HTTPS, 22 only for bastion hosts).
  • NACLs: Use NACLs to block known malicious IPs (e.g., 0.0.0.0/0 deny for port 22 in public subnets).
  • VPC Flow Logs: Enable for all VPCs to audit traffic (CloudWatch or S3).

Cost Optimization

  • NAT Gateway vs. Instance: Use NAT Instances for low-traffic environments (cheaper but manual scaling).
  • Subnet Sizing: Use /24 subnets (256 IPs) to avoid IP exhaustion without over-provisioning.
  • Reserved Instances: For long-running NAT Instances, buy RIs to save costs.

Reliability & Maintainability

  • Multi-AZ: Deploy subnets across 2+ AZs for high availability (e.g., us-east-1a and us-east-1b).
  • Tagging: Tag all resources (e.g., Environment=Prod, Owner=TeamX).
  • Naming Conventions: Use vpc-prod-app, subnet-public-1a, rt-private-db.

Observability

  • CloudWatch Alarms: Monitor NAT Gateway data processing (BytesOutToDestination).
  • VPC Reachability Analyzer: Debug connectivity issues (e.g., "Why can’t my Lambda reach RDS?").
  • AWS Config: Track VPC changes (e.g., "Who modified the route table?").


5. ⚠️ Common Mistakes & Traps

Mistake Symptom Fix/Prevention
Public subnet without IGW route Instances can’t reach the internet. Add 0.0.0.0/0 route to IGW in the subnet’s route table.
Private subnet with IGW route Database exposed to the internet. Remove IGW route from private subnet’s route table.
NAT Gateway in private subnet Private instances can’t reach internet. NAT Gateway must be in a public subnet.
Overlapping CIDR blocks VPC peering/VPN fails. Use non-overlapping ranges (e.g., 10.0.0.0/16 and 10.1.0.0/16).
Missing route table association Subnet traffic goes to default RT. Explicitly associate subnets with custom route tables.


6. ? Exam/Certification Focus


Typical Question Patterns

  1. "Which component allows private instances to access the internet?"
  2. NAT Gateway (or NAT Instance).
  3. ❌ Internet Gateway (only for public subnets).

  4. "How do you block a specific IP from accessing a subnet?"

  5. Network ACL (stateless, subnet-level).
  6. ❌ Security Group (stateful, instance-level).

  7. "You need a highly available NAT solution. What do you use?"

  8. NAT Gateway in multiple AZs (AWS-managed, HA).
  9. ❌ NAT Instance (single point of failure).

Key ⚠️ Trap Distinctions

Concept Security Group Network ACL
Stateful? ✅ Yes (return traffic allowed) ❌ No (explicit inbound/outbound rules)
Scope Instance-level Subnet-level
Default Action Deny all (unless allowed) Allow all (unless denied)

Scenario-Based Question

"You need to allow a Lambda function in a private subnet to access an RDS database in the same VPC. What’s the most secure way?"
- ✅ VPC Endpoint for RDS (private connectivity, no NAT needed).
- ❌ NAT Gateway (unnecessary cost/complexity).


7. ? Hands-On Challenge

Challenge:
You deployed a VPC with a public subnet and an EC2 instance. The instance can’t reach the internet. Debug and fix it.

Solution:
1. Check the route table for the subnet:
bash
aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=subnet-1234567890abcdef0"
2. If 0.0.0.0/0 is missing, add it:
bash
aws ec2 create-route --route-table-id rtb-1234567890abcdef0 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-1234567890abcdef0
3. Verify the instance’s security group allows outbound traffic (default: yes).

Why it works: The route table must explicitly direct internet-bound traffic (0.0.0.0/0) to the IGW.


8. ? Rapid-Reference Crib Sheet

Command/Concept Key Details
aws ec2 create-vpc --cidr-block Always use /16 (e.g., 10.0.0.0/16) for flexibility.
Subnet CIDR /24 (256 IPs) is ideal for most use cases.
Internet Gateway 1 per VPC. Free.
NAT Gateway ~$0.045/hour + data processing fees. Must be in a public subnet.
Route Table Every subnet must have one. Default RT is dangerous.
Security Group Stateful. Default: allow all outbound.
Network ACL Stateless. Default: allow all.
VPC Peering CIDR blocks must not overlap.
⚠️ Default VPC AWS creates one with 172.31.0.0/16. Delete it in production.
⚠️ NAT Instance Cheaper but requires manual scaling (use t3.nano for low traffic).
⚠️ VPC Endpoints Private connectivity to AWS services (e.g., S3, DynamoDB) without NAT.


9. ? Where to Go Next

  1. AWS VPC Documentation – Official guide.
  2. VPC Reachability Analyzer – Debug connectivity issues.
  3. AWS Well-Architected Framework – Networking – Best practices.
  4. AWS Free Tier VPC Lab – Hands-on tutorial.

Final Tip: Draw your VPC on paper before deploying. Label subnets, route tables, and gateways. It’ll save you hours of debugging. ?



ADVERTISEMENT