Simplifying VPC, Subnets, NAT Gateway, Internet Gateway & Route Tables

VPC is an AWS Service that allows you to create a Virtual Private Cloud.

Imagine you are throwing a party. You don’t want random strangers walking in, so you book a private venue with a security guard at the entrance. Only invited guests can enter, and inside, you have different sections one for food, one for music, and another for games.

A VPC (Virtual Private Cloud) works the same way but for cloud networks. It’s your own private space inside a cloud provider (like AWS or Azure) where you can run your applications securely. Only authorized users and services can access it, just like your invited guests at the party.

In the AWS environment (as illustrated in the image below), there are Regions, and within these Regions, various applications are running.

Every networked device, from your phone to your laptop, has an IP address. When you create many EC2 instances, many IP addresses are consumed, and if you search for "How many IP addresses are there in IPv4," you will find that the supply is limited.

This means that if you create multiple applications in one region, you might run out of IP addresses. Additionally, there's a risk that someone could ping or attack your application. To address these concerns, AWS recommends creating a Virtual Private Cloud (VPC).

Your application is kept separate from neighboring applications.

How does this help?

The IP addresses are allocated within VPC 1 and VPC 2 inside a Region because each has its own private network. This setup provides isolation, which enhances security. Within your VPC, you have the freedom to operate as you wish.

What is a Subnet?

A VPC, or Virtual Private Cloud, functions as a network. Let's consider it as a separate environment where IP addresses are managed independently.

Within a large network, you may want to operate both public and private resources. To manage this, the network is divided into Subnets. For public resources, you can use a public subnet, and for private resources, a private subnet is appropriate. By granting users access only to the public subnet, you enhance security.

Let's consider you have a database. By placing your database in a Private Subnet, it is protected from attacks because it cannot be accessed from the outside. This is the concept of a Subnet. If you have a large network, you can divide it into smaller networks: a private subnet, which does not have internet or public access, and a public subnet, which is accessible publicly.

You might wonder how the public and private subnets interact. This interaction is achieved through a concept called VPC Peering, which I will cover in another blog.

In a VPC, you may be curious about the concept of Availability Zones. Indeed, Availability Zones are an important part of VPC architecture.

Internet Gateway & Route Table

You have a secure application in a subnet and need Internet access. An Internet Gateway allows resources in your public subnet to connect with the outside world. By attaching it to your VPC and updating the route table, you enable outbound and inbound Internet traffic. This ensures your application can access external resources and communicate securely. The Internet Gateway acts as a bridge between your VPC and the public Internet.

To decide whether a request comes from the Internet and where it should be directed, to a public or to a private subnet, AWS uses Route Tables. A Route Table manages and directs network traffic within your VPC, ensuring that requests are routed according to the rules you define.

NAT Gateway

For a public subnet, we route Internet-bound traffic through an Internet Gateway; for a private subnet, we route it through a NAT Gateway instead.

NAT GATEWAY: Network Address Translation Gateway.
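To make the Internet Gateway, Route Table and NAT Gateway sections above concrete, here is an added example (not code from the original post) that models the two-subnet layout as route tables, resolves where traffic from each subnet goes, and audits that no private subnet has a default route straight to an Internet Gateway. All CIDRs and gateway ids are constructed placeholders.

```python
"""Model this post's two-subnet VPC as route tables and resolve next hops.
Constructed example: CIDRs and gateway ids are placeholders, not real AWS
values. Route selection is longest-prefix match, as the VPC router does; the
'local' route for the VPC CIDR always exists and cannot be removed."""
from ipaddress import ip_address, ip_network

VPC_CIDR = "10.0.0.0/16"

# Route table name -> {destination CIDR: target}; targets are placeholder ids.
ROUTE_TABLES = {
    "public": {VPC_CIDR: "local", "0.0.0.0/0": "igw-PLACEHOLDER"},
    "private": {VPC_CIDR: "local", "0.0.0.0/0": "nat-PLACEHOLDER"},
}

# Subnet CIDR -> associated route table (layout described in the post).
SUBNETS = {
    "10.0.1.0/24": "public",   # load balancers and the NAT Gateway live here
    "10.0.2.0/24": "private",  # the database lives here
}

def next_hop(routes: dict, dst: str) -> str:
    """Return the target of the most specific route in `routes` matching dst."""
    addr = ip_address(dst)
    matches = [(ip_network(c), t) for c, t in routes.items() if addr in ip_network(c)]
    if not matches:
        raise ValueError(f"no route for {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def path_to(src_subnet: str, dst: str, tables: dict = ROUTE_TABLES) -> list:
    """List the hops for traffic leaving src_subnet. The NAT Gateway sits in
    the public subnet, so what it forwards is routed by the public table next."""
    hops = [next_hop(tables[SUBNETS[src_subnet]], dst)]
    if hops[0].startswith("nat-"):
        hops.append(next_hop(tables["public"], dst))
    return hops

def audit_private_subnets(tables: dict = ROUTE_TABLES) -> list:
    """Return private subnets whose default route goes straight to an Internet
    Gateway, which would expose them to inbound Internet traffic; 203.0.113.1
    is a documentation address standing in for 'anywhere on the Internet'."""
    return [s for s, t in SUBNETS.items()
            if t != "public" and next_hop(tables[t], "203.0.113.1").startswith("igw-")]

if __name__ == "__main__":
    print(path_to("10.0.2.0/24", "8.8.8.8"))    # private -> NAT -> Internet Gateway
    print(path_to("10.0.1.0/24", "10.0.2.10"))  # stays inside the VPC via 'local'
    print(audit_private_subnets())              # [] for the layout above
```

Swap the private table's default target for an `igw-` id and the audit reports the subnet, which is the misconfiguration that turns a "private" subnet into a public one.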

This is known as a Network Diagram. During an interview, you may be asked to create a Network Diagram.


Interview Questions You May Encounter on This Topic

Below are some common interview questions related to the topic discussed above. You can follow the steps below to effectively present your answers during an interview.

Insight: It is recommended to present your answer using the STAR format.

  1. What is a VPC?

  • Situation:
    In a recent project, we had to deploy services on AWS with strict security and traffic control.

  • Task:
    I was responsible for setting up a secure and isolated network.

  • Action:
    I used a VPC, which is like your own private network in AWS. It lets you control how your resources connect to each other and the internet. I created public and private subnets, set up route tables, a NAT Gateway, and added Security Groups to manage access.

  • Result:
    The infrastructure was secure, passed all audits, and allowed safe communication between services with minimal public exposure.

  2. What is a Subnet?

  • Situation:
    While designing a network on AWS, we needed to organize our resources and control their exposure to the internet.

  • Task:
    I had to split the VPC into smaller parts so some services could be internet-facing, while others stayed private and secure.

  • Action:
    I used subnets, which are smaller segments inside a VPC. I created:

    • Public subnets for services like load balancers that need internet access.

    • Private subnets for things like databases that should stay internal.

    I connected the public subnet to an Internet Gateway, and used a NAT Gateway for the private subnet so it could reach the internet without being exposed.

  • Result:
    This setup kept sensitive resources safe, while allowing external access only where needed. It also made scaling and traffic control much easier.

  3. What is a NAT Gateway?

  • Situation:
    In one project, we had backend services in private subnets that needed internet access for updates.

  • Task:
    My job was to allow outbound internet access without exposing those resources to incoming traffic.

  • Action:
    I set up a NAT Gateway in a public subnet. It allowed the private instances to access the internet securely (for example, to download patches) without letting anyone from the internet reach them directly.

  • Result:
    The setup kept our internal servers safe while ensuring they stayed updated and functional.

  4. What is an Internet Gateway?

  • Situation:
    We had services in AWS that needed to be accessible over the internet, like a web app hosted on EC2.

  • Task:
    I needed to provide internet access to those services in a secure and managed way.

  • Action:
    I attached an Internet Gateway to the VPC and connected it to a public subnet using a route table. This allowed resources like EC2 and Load Balancers to send and receive traffic from the internet.

  • Result:
    The services were reachable globally, and traffic flow was fully under control through security groups and route tables.

  5. What are Route Tables?

  • Situation:
    While setting up the network, different subnets needed to communicate internally and some needed internet access.

  • Task:
    I had to define how traffic should flow within the VPC and to the outside world.

  • Action:
    I created separate route tables for public and private subnets. For public, I added a route to the Internet Gateway, and for private, I added a route to the NAT Gateway. This helped control who goes where.

  • Result:
    Traffic was routed correctly and securely. Every resource had the right access without any overlap or confusion.


Happy & Fun Learning :)


Written by

Chetan Mohanrao Mohod

DevOps Engineer focused on automating workflows, optimizing infrastructure, and building scalable efficient solutions.