Introduction to the Private Data Center
In this module of the "AWS Cloud Engineering" series, we move beyond individual service consumption and begin building a "Private Data Center" in the cloud. While Module 3 focused on the "Who" (Identity and Access Management), Module 4 focuses on the "Where": the foundational networking layer that defines your infrastructure's security posture and connectivity.
This guide serves as both a technical deep dive and a step-by-step tutorial. To get the most out of this module, ensure you have completed the prerequisite setup in Module 9: Setting Up AWS CLI and SDKs, as we will be utilizing Infrastructure as Code (IaC) to deploy our network. This guide bridges the gap between basic identity management and the scaling challenges we will tackle in Module 5: Advanced AWS Networking.
Core Concept: The Virtual Private Cloud (VPC)
An AWS Virtual Private Cloud (VPC) is a logically isolated virtual network that serves as your primary security boundary. As an architect, you should view the VPC as the perimeter of your blast radius; it ensures that your resources are walled off from other tenants and the public internet unless you explicitly grant access.
Within your VPC, you maintain absolute control over:
IP Address Selection: Defining the size and scope of your network.
Subnet Partitioning: Segmenting your network for security and high availability.
Routing Logic: Managing the flow of traffic via route tables and gateways.
Demystifying CIDR Notation
Classless Inter-Domain Routing (CIDR) is the method used to allocate IP addresses within your VPC. A CIDR block is expressed as a starting IP followed by a mask (e.g., 10.0.0.0/16).
The Architect's Perspective on Sizing
Selecting a CIDR block is a critical design decision. The primary CIDR block of a VPC cannot be changed after creation. If you choose a block that is too small (like a /28), you will lack the room to scale your infrastructure later. Conversely, choosing an overly broad range can lead to overlapping IP issues if you ever need to connect two VPCs via peering.
CIDR Mask | Total IP Addresses | Use Case
--- | --- | ---
/16 | 65,536 | Standard Production VPC
/24 | 256 | Standard Subnet Size
/28 | 16 | Smallest permissible AWS subnet
The Five Reserved IPs
It is a common technical misconception that all IPs in a block are usable. AWS reserves five IP addresses in every subnet for internal management:
{base}.0: Network Address.
{base}.1: VPC Router.
{base}.2: Amazon Provided DNS (Route 53 Resolver).
{base}.3: Reserved by AWS for future use.
{base}.255 (the last address of a /24): Network Broadcast Address (AWS does not support broadcast, but the address remains reserved).
In a /24 subnet, you have 251 usable IP addresses.
Network Segmentation: Subnets
A subnet is a range of IP addresses within a VPC. To ensure High Availability (HA), subnets should always be mapped to specific Availability Zones (AZs). By spreading subnets across multiple AZs, you ensure that a single data center failure does not take down your entire application.
Public Subnet: Includes a direct route to an Internet Gateway (IGW). This is where you place external-facing resources like Application Load Balancers (ALBs).
Private Subnet: Does not have a direct route from the internet. These house your application servers and utilize private IP addresses for internal communication.
Isolated Subnet: These have no outbound routes to the internet or NAT gateways. These are used for highly sensitive databases. Connectivity to AWS services (like S3 or DynamoDB) from an isolated subnet is typically managed via VPC Endpoints (Interface or Gateway types) to keep traffic entirely on the AWS backbone.
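The sizing rules and the three-tier, multi-AZ layout above, written as Terraform in the style of the variables.tf/main.tf split used later in this module. This is an added example, not the module repository's code; the tier names, the /24-per-subnet choice and the UsableIPs tag are assumptions.

```hcl
# Added example (not the module's repository code): variables.tf-style inputs plus
# main.tf-style multi-AZ subnet carving. Assumes three tiers, one /24 per subnet.
variable "vpc_cidr" {
  description = "Primary VPC CIDR. It cannot be changed after creation, so size it for growth."
  type        = string
  default     = "10.0.0.0/16"

  validation {
    # Reject small blocks up front: a /16 leaves 256 /24 subnets, a /28 leaves none.
    condition     = tonumber(split("/", var.vpc_cidr)[1]) <= 20
    error_message = "vpc_cidr must be /20 or larger; the primary CIDR cannot be resized later."
  }
}

variable "az_count" {
  description = "Availability Zones per tier; HA needs at least 2."
  type        = number
  default     = 2
}

data "aws_availability_zones" "available" {
  state = "available"
}

locals {
  azs   = slice(data.aws_availability_zones.available.names, 0, var.az_count)
  tiers = { public = 0, private = 1, isolated = 2 }
  # 8 new mask bits turn a /16 into /24 subnets; subtract the 5 addresses AWS reserves.
  newbits = 8
  usable  = pow(2, 32 - (tonumber(split("/", var.vpc_cidr)[1]) + local.newbits)) - 5
}

resource "aws_vpc" "main" {
  cidr_block = var.vpc_cidr
  tags       = { Name = "module4-vpc" }
}

# One subnet per (tier, AZ). Subnet index = tier offset * az_count + AZ index, so each
# tier occupies a contiguous block of /24s and no two subnets overlap.
resource "aws_subnet" "tier" {
  for_each = { for p in setproduct(keys(local.tiers), range(var.az_count)) : "${p[0]}-${p[1]}" => p }

  vpc_id                  = aws_vpc.main.id
  availability_zone       = local.azs[each.value[1]]
  cidr_block              = cidrsubnet(var.vpc_cidr, local.newbits, local.tiers[each.value[0]] * var.az_count + each.value[1])
  map_public_ip_on_launch = each.value[0] == "public" # only the public tier gets public IPs
  tags                    = { Name = "${each.value[0]}-${local.azs[each.value[1]]}", Tier = each.value[0], UsableIPs = local.usable }
}
```

With the defaults this yields public subnets 10.0.0.0/24 and 10.0.1.0/24, private 10.0.2.0/24 and 10.0.3.0/24, and isolated 10.0.4.0/24 and 10.0.5.0/24, each tagged with 251 usable addresses.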
Connectivity Gateways: Ingress and Egress
Traffic flow is categorized into Ingress (incoming) and Egress (outgoing).
Internet Gateway (IGW)
The IGW is a horizontally scaled, redundant, and highly available VPC component. It performs 1:1 Network Address Translation (NAT) for instances that have public IP addresses, allowing them to communicate with the internet.
NAT Gateway
While detailed extensively in Module 5, it is important to understand the NAT Gateway's role in Module 4's private subnets. A NAT Gateway allows private instances to initiate outbound requests (for patches/updates) while preventing the internet from initiating a connection to them.
Requirement: A NAT Gateway must reside in a Public Subnet and requires an Elastic IP (EIP) to communicate with the IGW.
Flow:
Private Instance -> NAT Gateway (Egress Only) -> IGW -> Internet.
The Routing Table: The Network's Brain
The Route Table is a set of rules (routes) that determine where network traffic is directed.
Explicit Subnet Association
By default, every subnet is associated with the "Main Route Table." As a security best practice, architects should avoid using the Main Route Table for custom traffic. Instead, create custom route tables and use Explicit Subnet Association to link them to specific subnets. This prevents a new subnet from accidentally inheriting permissive routing rules.
Local Route: Automatically created for the VPC CIDR (e.g., 10.0.0.0/16 -> local). This allows internal VPC communication and cannot be deleted.
Public Route: Maps 0.0.0.0/0 (all traffic) to an igw-id (Internet Gateway).
Private Route: Maps 0.0.0.0/0 to a nat-id (NAT Gateway).
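The gateways and the three route tables above, with explicit subnet association, as Terraform. This is an added example, not the module repository's code; it assumes an aws_vpc.main and an aws_subnet.tier resource keyed "<tier>-<az_index>" (tiers public, private, isolated) already exist, and uses a single NAT Gateway for brevity.

```hcl
# Added example (not the module's repository code). Assumes aws_vpc.main and
# aws_subnet.tier (keys "<tier>-<az_index>", tiers public/private/isolated) exist.
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}

# A NAT Gateway needs an Elastic IP and must sit in a public subnet; a single-AZ NAT keeps this short.
resource "aws_eip" "nat" {
  domain = "vpc"
}

resource "aws_nat_gateway" "nat" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.tier["public-0"].id
  depends_on    = [aws_internet_gateway.igw]
}

# Public: 0.0.0.0/0 -> IGW. The local route for the VPC CIDR is implicit and cannot be removed.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}

# Private: 0.0.0.0/0 -> NAT. Instances can initiate egress; nothing outside can initiate ingress.
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat.id
  }
}

# Isolated: an empty route list means only the implicit local route exists and no default
# route can be added out of band without Terraform flagging the drift on the next plan.
resource "aws_route_table" "isolated" {
  vpc_id = aws_vpc.main.id
  route  = []
}

# Explicit association for every subnet, so none falls back to the Main Route Table.
resource "aws_route_table_association" "tier" {
  for_each       = aws_subnet.tier
  subnet_id      = each.value.id
  route_table_id = lookup({
    public   = aws_route_table.public.id
    private  = aws_route_table.private.id
    isolated = aws_route_table.isolated.id
  }, split("-", each.key)[0])
}
```

Running terraform plan after someone adds a 0.0.0.0/0 route to the isolated table by hand shows the route being removed, which is the drift check the checklist at the end of this module asks for.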
Infrastructure as Code (IaC) with Terraform
Building a network manually leads to "ClickOps" errors and Configuration Drift, where the live environment no longer matches your documentation. We use Terraform to ensure our network is repeatable and version-controlled.
The GitHub repository with the Terraform scripts is linked here; fork and star the repo!
main.tf: Declares the VPC and Subnets, implementing our Multi-AZ strategy.
variables.tf: Allows us to dynamically set CIDR ranges, ensuring our code is reusable across different environments (Dev, Staging, Prod).
Summary and Execution Checklist
Verify your implementation against this architectural checklist:
[ ] VPC Scope: VPC CIDR matches the range defined in variables.tf.
[ ] High Availability: Subnets are segmented across at least two different Availability Zones.
[ ] Subnet Logic: Public subnets are associated with a Route Table pointing to the IGW.
[ ] Egress Security: Private subnets are associated with a Route Table pointing to the NAT Gateway.
[ ] Isolation: Isolated subnets have no default route (0.0.0.0/0) assigned.
[ ] IP Management: Accounted for the 5 reserved AWS IP addresses per subnet.
Roadmap: What’s Next?
Now that you have mastered the basics of VPC construction, Subnets, and Route Tables, you are ready to scale. In Module 5: Advanced AWS Networking, we will dive deep into connecting distributed environments using VPC Peering and AWS Transit Gateways, and look closer at the operational costs and management of NAT Gateways.