VPC and Subnets — The Shape of the Virtual Private Network
A VPC (Virtual Private Cloud) is the virtual network where compute, databases, and load balancers live in AWS. If the shape of the VPC is not defined first, every decision inside it stays unstable.
1. About VPC
VPC is a virtual private network service AWS introduced in 2009. Multiple VPCs can exist in one AWS account, and each VPC consists of an IP address range (CIDR), subnets, route tables, gateways, and security groups.
A default VPC is created automatically with the account. For production, a separate VPC is usually defined explicitly.
2. CIDR notation
CIDR (Classless Inter-Domain Routing) is the IP address range notation standardized by RFC 4632 (1993, revised 2006).
| Notation | Host count (theoretical) |
|---|---|
| 10.0.0.0/8 | About 16.77 million |
| 10.0.0.0/16 | 65,536 |
| 10.0.0.0/24 | 256 |
| 10.0.0.0/28 | 16 |
The larger N is in /N, the smaller the range. The IPv4 CIDR for an AWS VPC is recommended to come from the RFC 1918 private ranges (10.0.0.0/8 · 172.16.0.0/12 · 192.168.0.0/16), with a size between /16 (largest) and /28 (smallest).
Within each subnet, the first 4 IPs and the last IP are reserved by AWS. A /24 subnet has 251 usable IPs in practice.
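The arithmetic above (2^(32-N) addresses per /N block, minus the 5 AWS reserves per subnet) and the two constraints on a VPC CIDR (RFC 1918 range, /16 to /28) can be checked mechanically. The following is an added example written for this page, not code from the original post; it uses only the Python standard library, and the `AWS_RESERVED_PER_SUBNET` constant and function names are this example's own.

```python
# Added example (not from the original post): CIDR size arithmetic and the
# sanity checks a VPC primary IPv4 CIDR should pass. Standard library only.
import ipaddress

RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# AWS reserves 5 addresses in every subnet: network, router, DNS, future use, broadcast.
AWS_RESERVED_PER_SUBNET = 5


def theoretical_hosts(cidr: str) -> int:
    """Addresses in the block: 2 ** (32 - N) for an IPv4 /N."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def usable_hosts(cidr: str) -> int:
    """Addresses actually assignable to ENIs in an AWS subnet of this size."""
    return theoretical_hosts(cidr) - AWS_RESERVED_PER_SUBNET


def is_rfc1918(cidr: str) -> bool:
    """True if the block lies entirely inside one of the three RFC 1918 ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(private) for private in RFC1918)


def vpc_cidr_problems(cidr: str) -> list[str]:
    """Reasons a CIDR is unsuitable as a VPC primary IPv4 CIDR (empty list = fine)."""
    problems = []
    net = ipaddress.ip_network(cidr, strict=False)
    if str(net) != cidr:
        # host bits were set, e.g. 10.0.0.1/24; AWS expects the network address
        problems.append(f"{cidr} has host bits set; normalises to {net}")
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"/{net.prefixlen} is outside the allowed /16 to /28 range")
    if not is_rfc1918(cidr):
        problems.append(f"{net} is outside the recommended RFC 1918 private ranges")
    return problems


if __name__ == "__main__":
    for c in ("10.0.0.0/8", "10.0.0.0/16", "10.0.0.0/24", "10.0.0.0/28"):
        print(f"{c:15} total={theoretical_hosts(c):>9} usable={usable_hosts(c):>9}")
    for c in ("10.0.0.0/16", "10.0.0.0/8", "8.8.8.0/24", "172.32.0.0/16"):
        print(c, vpc_cidr_problems(c) or "ok")
```

`is_rfc1918` uses `subnet_of`, so a block that merely touches a private range (say 172.0.0.0/8) is rejected rather than accepted; a VPC CIDR must sit wholly inside one private range.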
3. Subnet classification
Subnets are bound to a single Availability Zone (AZ). Classification depends on how external reachability is set up.
| Classification | Description |
|---|---|
| Public subnet | Route table points to an IGW (Internet Gateway). External access possible. |
| Private subnet | No route to the IGW. Outbound goes through NAT. |
| Isolated subnet | No NAT either. No external communication. |
AWS itself does not label subnets "public" or "private" — that is decided by the shape of the route table.
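Because the label follows from the route table rather than from any subnet attribute, the classification can be derived from the routes alone. The following is an added example for this page, not code from the original post: the route tables, subnet IDs and gateway IDs are constructed sample data, and the `igw-` / `nat-` / `eigw-` prefix matching reflects the ID formats AWS uses for Internet Gateways, NAT Gateways and Egress-only Internet Gateways.

```python
# Added example (not from the original post): derive public / private / isolated
# from the route tables a subnet is associated with. Sample data is constructed.
ROUTE_TABLES = {
    "rtb-public": {
        "subnets": ["subnet-pub-a", "subnet-pub-b"],
        "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0aaa111")],
    },
    "rtb-private": {
        "subnets": ["subnet-priv-a", "subnet-priv-b"],
        "routes": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0bbb222"),
                   ("::/0", "eigw-0ccc333")],
    },
    "rtb-db": {
        "subnets": ["subnet-db-a", "subnet-db-b"],
        "routes": [("10.0.0.0/16", "local")],
    },
}


def classify(routes: list[tuple[str, str]]) -> str:
    """Classify a route table by where its non-local routes lead.

    Any route to an Internet Gateway makes the subnet public, even if the
    destination is narrower than 0.0.0.0/0. NAT and egress-only gateways give
    outbound-only reachability (private). Nothing but 'local' means isolated.
    """
    targets = {target for _dest, target in routes if target != "local"}
    if any(t.startswith("igw-") for t in targets):
        return "public"
    if any(t.startswith(("nat-", "eigw-")) for t in targets):
        return "private"
    return "isolated"


def classify_subnets(route_tables: dict) -> dict[str, str]:
    """Map every associated subnet ID to its classification."""
    result = {}
    for table in route_tables.values():
        kind = classify(table["routes"])
        for subnet_id in table["subnets"]:
            result[subnet_id] = kind
    return result


if __name__ == "__main__":
    for subnet_id, kind in sorted(classify_subnets(ROUTE_TABLES).items()):
        print(f"{subnet_id:15} {kind}")
```

A subnet with no explicit association uses the VPC's main route table; when auditing a real account, resolve that default before applying the same logic.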
4. AZ distribution
Production workloads usually place subnets of the same kind across two or more AZs.
```
ap-northeast-2 (Seoul)
├── 2a: public-a (10.0.0.0/24), private-a (10.0.10.0/24)
├── 2b: public-b (10.0.1.0/24), private-b (10.0.11.0/24)
└── 2c: public-c (10.0.2.0/24), private-c (10.0.12.0/24)
```
ELB takes subnets from multiple AZs at once and balances across them. RDS Multi-AZ also operates on top of the same picture.
5. IPv6
A VPC can be configured as IPv4 / IPv6 dual-stack. We use either the /56 IPv6 CIDR provided by AWS or a user-owned range. IPv6 needs no NAT (public IPv6 is plentiful), so the public/private split differs from IPv4.
To allow only outbound and block inbound, we use an Egress-only Internet Gateway.
6. VPC interconnection
| Method | Notes |
|---|---|
| VPC Peering | Direct connection between two VPCs. Routing and security groups are explicit. CIDRs cannot overlap. |
| Transit Gateway | Hub-and-spoke for many VPCs and on-premises. Simplifies operations. |
| AWS PrivateLink | Expose a service in another VPC/account through endpoints. |
| Site-to-Site VPN · Direct Connect | Connection to on-premises. |
7. Counterparts in other clouds
| Provider | Name |
|---|---|
| GCP | VPC (a global resource — one VPC contains subnets across regions) |
| Azure | Virtual Network (VNet) |
| Hetzner | Networks |
GCP's VPC being global is a notable difference from AWS and Azure. The same vocabulary can hide a different model — something to watch when migrating.
8. Small production environment example
```
VPC: 10.0.0.0/16
├── public-2a:  10.0.0.0/24
├── public-2b:  10.0.1.0/24
├── private-2a: 10.0.10.0/24
├── private-2b: 10.0.11.0/24
├── db-2a:      10.0.20.0/24   # isolated
└── db-2b:      10.0.21.0/24   # isolated
```
ALB lives in public, EC2/ECS in private, RDS in db subnets.
Once a VPC is created in the console, recreating it identically is hard. Production VPCs are typically defined as code (Terraform · CloudFormation · CDK).
9. Common pitfalls
- CIDR collisions — Plan the larger picture so future Peering or Transit Gateway connections do not overlap with other VPCs or on-premises ranges.
- Subnets in only one AZ — A single-AZ failure takes down the whole service. Spread across 2 AZs from the start.
- Auto-assigned public IPs — If "Auto-assign public IPv4" is on at the subnet level, instances launched there get public IPs attached unintentionally.
- DNS hostname option — When enableDnsHostnames is off, EC2's private DNS does not function and debugging gets harder.
- Subnet IP exhaustion — A /28 has 16 minus 5 reserved, leaving 11. ECS or VPC Lambda workloads that consume many ENIs fill this up quickly.
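The first, second and last of these pitfalls, together with the layout from section 8, can be checked before anything is created. The following is an added example for this page, not code from the original post or from any IaC tool: it takes the section 8 plan as constructed input, checks it against constructed "foreign" ranges (other VPCs or on-premises networks that a future Peering or Transit Gateway attachment must not collide with), and reports every finding. The `FOREIGN_RANGES` values, the `min_usable` threshold and the function names are this example's own assumptions.

```python
# Added example (not from the original post): pre-flight checks for a planned
# subnet layout. Plan and foreign ranges are constructed sample data.
import ipaddress
from collections import defaultdict

VPC_CIDR = "10.0.0.0/16"
PLAN = [  # (tier, availability zone, CIDR) mirroring the section 8 layout
    ("public", "ap-northeast-2a", "10.0.0.0/24"),
    ("public", "ap-northeast-2b", "10.0.1.0/24"),
    ("private", "ap-northeast-2a", "10.0.10.0/24"),
    ("private", "ap-northeast-2b", "10.0.11.0/24"),
    ("db", "ap-northeast-2a", "10.0.20.0/24"),
    ("db", "ap-northeast-2b", "10.0.21.0/24"),
]
# Constructed: ranges already used by other VPCs / on-premises networks.
FOREIGN_RANGES = ["10.1.0.0/16", "192.168.0.0/16"]

AWS_RESERVED = 5       # addresses AWS takes from every subnet
MIN_AZS_PER_TIER = 2   # single-AZ tiers are a pitfall


def check_plan(vpc_cidr: str, plan: list, foreign_ranges: list, min_usable: int = 32) -> list[str]:
    """Return a list of findings; an empty list means the plan passes every check."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [(tier, az, ipaddress.ip_network(c)) for tier, az, c in plan]

    # 1. CIDR collisions with ranges this VPC may later be connected to.
    for r in foreign_ranges:
        foreign = ipaddress.ip_network(r)
        if vpc.overlaps(foreign):
            findings.append(f"VPC {vpc} overlaps foreign range {foreign}")

    # 2. Every subnet inside the VPC, and no two subnets overlapping each other.
    for i, (tier, az, net) in enumerate(nets):
        if not net.subnet_of(vpc):
            findings.append(f"{tier}/{az} {net} is outside VPC {vpc}")
        for tier2, az2, other in nets[i + 1:]:
            if net.overlaps(other):
                findings.append(f"{tier}/{az} {net} overlaps {tier2}/{az2} {other}")

    # 3. Each tier spread over enough AZs.
    azs_per_tier = defaultdict(set)
    for tier, az, _net in nets:
        azs_per_tier[tier].add(az)
    for tier, azs in azs_per_tier.items():
        if len(azs) < MIN_AZS_PER_TIER:
            findings.append(f"tier '{tier}' only spans {len(azs)} AZ(s)")

    # 4. Exhaustion risk: usable addresses after the AWS reservation.
    for tier, az, net in nets:
        usable = net.num_addresses - AWS_RESERVED
        if usable < min_usable:
            findings.append(f"{tier}/{az} {net} has only {usable} usable addresses")

    return findings


if __name__ == "__main__":
    for line in check_plan(VPC_CIDR, PLAN, FOREIGN_RANGES) or ["plan ok"]:
        print(line)
```

Run it in CI against the same file that feeds the IaC definition, so the layout is rejected before `apply` rather than discovered when a peering connection fails to route.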
Closing thoughts
Once a VPC is created, the IP range is hard to change, so the first picture matters. Choosing non-overlapping private CIDRs leaves Peering and Transit Gateway free in the future. Small workloads can start in the default VPC, but in production a separately defined VPC managed by IaC is the standard.
Next
- internet-gateway-route-table
- security-group
References: AWS VPC docs · VPC CIDR guide · RFC 4632 (CIDR) · RFC 1918 (private IPs) · Transit Gateway · GCP VPC.