AWS VPC Cheat Sheet: Key Concepts for AWS Solutions Architect Associate Exam

Amazon Virtual Private Cloud (VPC) is the foundation of networking in AWS. It allows you to define a logically isolated virtual network within AWS. Understanding VPC is crucial for the AWS Solutions Architect Associate exam.

📌 1. VPC Basics

• VPC (Virtual Private Cloud) → Your private network in AWS.

• Subnets → Logical division of a VPC into public & private subnets.

• Route Tables → Define how traffic is routed between subnets and external networks.

• Internet Gateway (IGW) → Allows public access to the internet.

• NAT Gateway / NAT Instance → Allows private subnets to access the internet without being directly exposed.

• VPC Peering → Connects two VPCs privately (no transitive peering).

• Transit Gateway → A central hub to connect multiple VPCs & on-prem networks.

📌 2. IP Addressing & Subnetting

• CIDR (Classless Inter-Domain Routing) → Defines the IP address range for a VPC (e.g., 10.0.0.0/16).

• AWS reserves 5 IPs per subnet (first 4 and last 1 IP address .0, .1, .2, .3, .255).

  • .0: Network address

  • .1: Reserved by AWS for the VPC router

  • .2: Reserved by AWS for mapping to Amazon-provided DNS

  • .3: Reserved by AWS for future use

  • .255: Network broadcast address.

• Public Subnet → Has a route to the Internet Gateway (IGW).

• Private Subnet → No direct internet access, uses NAT Gateway/Instance.

• Private IP → assigned from the subnet range

• Public IP → assigned from the Amazon’s pool of Public IPs

• Elastic IP (EIP) → Static public IP address for NAT Gateway or EC2.

📌 3. Security & Access Control

• Security Groups (SGs) → Stateful firewall controlling inbound/outbound traffic at the instance level.

• Network ACLs (NACLs) → Stateless firewall controlling traffic at the subnet level.

• VPC Flow Logs → Captures IP traffic logs (useful for security monitoring).

• AWS PrivateLink → Securely connects VPC to AWS services without using the internet.

• VPC Endpoints:

  • Interface Endpoint → Uses AWS PrivateLink (for services like SQS, SNS, S3, DynamoDB).

  • Gateway Endpoint → Route-based for S3 and DynamoDB only (free).

📌 4. High Availability & Connectivity

• Multi-AZ Deployment → Distribute subnets across multiple Availability Zones (AZs) for redundancy.

• VPN (Virtual Private Network) → Connects on-premises data centers to AWS securely.

• Direct Connect (DX) → Dedicated private connection between on-premises and AWS (better performance than VPN).

• Transit Gateway → A central hub for many-to-many VPC & on-prem connections.

📌 5. Best Practices & Exam Tips

✅ Always place databases in private subnets to avoid direct internet exposure.

✅ Use NAT Gateway instead of NAT Instance (fully managed, highly available).

✅ Security Groups are stateful, while NACLs are stateless.

✅ VPC Peering does not support transitive routing (use Transit Gateway instead).

✅ S3 Gateway Endpoints are free, while Interface Endpoints incur charges.

✅ Flow Logs help with network monitoring & troubleshooting.

✅ Direct Connect is better than VPN for low latency & high bandwidth needs.

✅ Use PrivateLink to connect securely to AWS services inside VPC.

🚀 Final Thoughts

Understanding AWS VPC is critical for designing secure, scalable, and high-performance architectures. Mastering subnets, security, and connectivity options will help you ace the AWS Solutions Architect Associate exam and build real-world AWS solutions.