Thursday, October 30, 2025

Amazon Custom VPC | Overview & Hands-On.


Scope:

  • Intro,
  • Key features & components of an Amazon VPC, 
  • The concept of  Amazon VPC (Deep dive),
  • Core VPC Components: CIDR Block, Subnets, Route Tables, Internet Gateway (IGW), NAT Gateway / NAT Instance, VPC Endpoints (PrivateLink), Elastic Network Interface (ENI),
  • Security Controls (Deep Dive),
  • Security Groups (SGs),
  • Network ACLs (NACLs),
  • VPC Connectivity Options, Description & Use Cases,
  • Security & Isolation Features,
  • Common VPC Design Patterns,
  • Public + Private Subnet Model,
  • Three-Tier Architecture,
  • Hub-and-Spoke with Transit Gateway,
  • Shared VPC,
  • Advanced Topics with Hybrid Networking, IPv6 Dual-Stacking, VPC Lattice, & DNS in VPC,
  • Operational Best Practices & Recommendations,
  • Sample-Reference-Architecture,
  • Project: Hands-On.

Intro:

    • Amazon Virtual Private Cloud (Amazon VPC) is a service that allows twtech to define and provision a logically isolated section of the Amazon Web Services (AWS) cloud.
    • Within this virtual network, twtech has complete control over its environment, including:
      • The selection of twtech's own IP address range,
      • Creation of subnets,
      • Configuration of route tables and network gateways.
Key features & components of an Amazon VPC
    • Subnets: Segments of a VPC's IP address range where twtech can place resources like EC2 instances.
      • They can be public (reachable from the internet through an internet gateway) or private.
    • Internet Gateway: A horizontally scaled, redundant, and highly available VPC component that allows communication between the VPC and the internet.
    • NAT Gateway: Enables resources in a private subnet to connect to the internet or other AWS services while preventing the public internet from initiating a connection with those resources (it holds no inbound mapping; it is not a firewall).
    • Security Groups and Network ACLs (NACLs): Act as virtual firewalls to control inbound and outbound traffic at the instance (ENI) and subnet levels, respectively.
    • Peering Connections: A networking connection between two VPCs that enables twtech to route traffic between them using private IPv4 or IPv6 addresses.
    • Connectivity Options: twtech can connect its VPC to its own corporate data center using a Site-to-Site VPN or AWS Direct Connect (DX).
NB:
    • Every AWS account comes with a default VPC in each region.
    • The default VPC is pre-configured with a public subnet in each Availability Zone, an attached internet gateway, and auto-assignment of public IPv4 addresses to instances launched into it. That helps twtech get started quickly, but it is a convenience baseline, not a hardened one for production workloads.

 The concept of Amazon VPC (deep dive)

    • Amazon Virtual Private Cloud (VPC) is an isolated, logically separated network within the AWS Cloud.
    • Amazon VPC allows twtech to define and control its networking; it therefore controls:
      • IP addressing,
      • Subnets,
      • Route tables,
      • Gateways,
      • Security.

NB:

    • This gives twtech the same kind of control it would have over the network of a traditional on-premises data center,
      • but the control comes with AWS scalability and elasticity.

 Core VPC Components

1. CIDR Block

    • Defines the IP address range for the VPC using Classless Inter-Domain Routing (CIDR) notation.
      • Example: 10.0.0.0/16 provides 65,536 IP addresses.
      • A VPC CIDR must be between /16 and /28, and should be drawn from a range that does not overlap any network the VPC will ever be connected to (on-prem, peered VPCs).
    • twtech may later add secondary CIDR blocks (IPv4 and IPv6) for IP expansion; a secondary block cannot overlap the CIDRs already on the VPC.

2. Subnets

    • Subdivide twtech's VPC CIDR into smaller ranges (each between /16 and /28).
    • Subnets are tied to a single Availability Zone (AZ).
    • AWS reserves five addresses in every subnet (the first four and the last), so a /24 yields 251 usable addresses, not 256.
    • Two main types:
      • Public Subnet: Has a route to the Internet Gateway (IGW).
      • Private Subnet: Has no route to the IGW, so nothing on the internet can reach it directly.
        • A Private Subnet can use a NAT Gateway for outbound-only internet access.

3. Route Tables

    • Control where traffic leaving a subnet is sent; the most specific matching route (longest prefix) wins.
    • Each subnet is associated with exactly one route table. A subnet with no explicit association silently uses the VPC's main route table, so keep the main route table free of internet routes.
    • Every route table carries an implicit "local" route for the VPC CIDR that cannot be removed.
    • Routes can target:
      • Local VPC traffic
      • Internet Gateway
      • NAT Gateway
      • Transit Gateway
      • VPC Peering Connection
      • VPN Connection (via a Virtual Private Gateway)
      • Gateway VPC Endpoint (S3, DynamoDB); interface endpoints are reached through their ENI and DNS name, not through a route

4. Internet Gateway (IGW)

    • Horizontally scaled, redundant gateway that allows internet access for public subnets.
    • An IGW route alone is not enough: the instance also needs a public IPv4 address or Elastic IP (or an IPv6 address), and its security group and the subnet's NACL must allow the traffic.

5. NAT Gateway / NAT Instance

    • Provides outbound internet access for private subnets without exposing them inbound.
    • NAT Gateway is fully managed and scales automatically, but it is a zonal resource: for AZ-resilience deploy one NAT Gateway per AZ (in that AZ's public subnet) and point each private subnet's default route at the NAT Gateway in its own AZ. A single shared NAT Gateway is a single point of failure and adds cross-AZ data charges.
    • A NAT Instance is a self-managed EC2 instance that twtech must patch, size and make highly available itself; it needs source/destination checking disabled on its ENI.

6. VPC Endpoints (PrivateLink)

    • Enables private connectivity to AWS services (like S3, DynamoDB, etc.) without using an IGW, NAT Gateway, or VPN, so the traffic never leaves the AWS network.
      • Two types of VPC Endpoints:
        • Interface Endpoint (an ENI with a private IP in twtech's subnet, PrivateLink; billed per hour and per GB)
        • Gateway Endpoint (for S3 and DynamoDB only; a route-table target, no additional charge)
      • Both types accept an endpoint policy that restricts which principals and resources can be reached through them. For example, an S3 gateway endpoint policy can allow only twtech's own buckets, and a bucket policy can require the aws:SourceVpce condition key so the bucket is unreachable from anywhere else.

7. Elastic Network Interface (ENI)

    • A virtual network card that can be attached to an EC2 instance; security groups are attached to ENIs, not to instances.
    • Useful for:
      • Network separation (e.g. a management interface in a separate subnet)
      • Failover, e.g. moving an ENI with its private IP and MAC address between instances
      • Multi-homed configurations

8. Security Controls

a. Security Groups (SGs)

    • Stateful firewalls at the instance (ENI) level.
    • Rules are allow-only: there is no deny rule, and anything not allowed is dropped. A newly created SG allows all outbound and no inbound traffic.
    • All rules are evaluated; return traffic for an allowed connection is automatically permitted regardless of the rules in the other direction.
    • A rule's source or destination can be a CIDR, a prefix list, or another security group, which lets twtech express "the app tier may reach the DB tier on 5432" without hard-coding IP addresses.

b. Network ACLs (NACLs)

    • Stateless firewalls at the subnet level.
    • Evaluate inbound and outbound rules separately. Because there is no connection tracking, the outbound rules must explicitly allow the ephemeral port range (1024-65535) that return traffic lands on, and vice versa; forgetting this is the classic "inbound allowed, but nothing answers" mistake.
    • Numbered rules evaluated from lowest to highest; the first match wins, and the implicit final rule (*) denies anything unmatched.
    • Unlike SGs, NACLs support explicit deny rules, which makes them the right place to block a known-bad IP range for a whole subnet. The default NACL allows all traffic; a newly created custom NACL denies all.
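The stateful/stateless difference is easiest to see by running the same packets through both models. The Python below is an added example, not code from the page or from AWS: it models the decision logic described in this section (SG: allow-only, every rule considered, connection tracking; NACL: numbered rules, first match wins, implicit deny) against constructed rule sets and a constructed HTTPS request/reply pair. It is a simplification (no ICMP, no rule-count limits), and the IP addresses and rule numbers are placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


@dataclass
class Rule:
    action: str      # "allow" or "deny" (security groups only ever use "allow")
    cidr: str        # peer address range the rule applies to
    proto: str       # "tcp", "udp" or "-1" for all protocols
    ports: tuple     # inclusive (low, high) range of *destination* ports
    number: int = 0  # NACL rule number; ignored for security group rules

    def matches(self, peer, proto, dport):
        return (ip_address(peer) in ip_network(self.cidr)
                and self.proto in ("-1", proto)
                and self.ports[0] <= dport <= self.ports[1])


class SecurityGroup:
    """Stateful, allow-only. Every rule is considered; any match permits the packet,
    and the reply to a permitted flow is allowed without consulting the rules."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()  # connection-tracking table of admitted 5-tuples

    def evaluate(self, pkt, direction):
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.flows:
            return True  # return traffic of a tracked connection
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst
        if any(r.matches(peer, pkt.proto, pkt.dport) for r in rules):
            self.flows.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
            return True
        return False  # no allow rule matched: implicit deny


class NetworkACL:
    """Stateless. Rules are walked in ascending number; the first match decides,
    and the implicit final rule (*) denies anything left over. No flow table."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst
        for r in rules:
            if r.matches(peer, pkt.proto, pkt.dport):
                return r.action == "allow"
        return False


def round_trip(fw, request, reply):
    """Send a request into the instance and its reply back out: (request_ok, reply_ok)."""
    req_ok = fw.evaluate(request, "in")
    rep_ok = fw.evaluate(reply, "out") if req_ok else False
    return req_ok, rep_ok


# Constructed traffic: internet client 203.0.113.5:51234 -> web instance 10.0.1.10:443
REQUEST = Packet("203.0.113.5", "10.0.1.10", "tcp", 51234, 443)
REPLY = Packet("10.0.1.10", "203.0.113.5", "tcp", 443, 51234)


def demo():
    allow_443 = Rule("allow", "0.0.0.0/0", "tcp", (443, 443), 100)
    sg = SecurityGroup(inbound=[allow_443], outbound=[])  # no outbound rule, still works
    nacl_bad = NetworkACL(                                # mistake: outbound mirrors port 443
        inbound=[allow_443],
        outbound=[Rule("allow", "0.0.0.0/0", "tcp", (443, 443), 100)])
    nacl_good = NetworkACL(                               # reply lands on an ephemeral port
        inbound=[allow_443],
        outbound=[Rule("allow", "0.0.0.0/0", "tcp", (1024, 65535), 100)])
    nacl_block = NetworkACL(                              # lower-numbered explicit deny wins
        inbound=[Rule("deny", "203.0.113.0/24", "-1", (0, 65535), 50), allow_443],
        outbound=[Rule("allow", "0.0.0.0/0", "tcp", (1024, 65535), 100)])
    return {
        "sg": round_trip(sg, REQUEST, REPLY),
        "nacl_bad": round_trip(nacl_bad, REQUEST, REPLY),
        "nacl_good": round_trip(nacl_good, REQUEST, REPLY),
        "nacl_block": round_trip(nacl_block, REQUEST, REPLY),
    }


if __name__ == "__main__":
    for name, (req_ok, rep_ok) in demo().items():
        print(f"{name:11} request={req_ok} reply={rep_ok}")
```

The security group admits the reply with an empty outbound rule set because the request created a tracked flow; the NACL that mirrors port 443 admits the request and then drops the reply, which is exactly the symptom seen when a custom NACL is added to a working subnet. The explicit-deny case shows why a NACL, not a security group, is the tool for blocking a source range across a subnet.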

 VPC Connectivity Options, Description & Use Cases

Connectivity Type   | Description                                                        | Use Case
Internet Gateway    | Public internet access (inbound and outbound)                      | Public-facing apps
NAT Gateway         | Outbound-only internet access for private subnets                  | Private workloads needing updates
VPC Peering         | Connects two VPCs privately (one-to-one, not transitive)           | Same or different accounts/regions
Transit Gateway     | Hub-and-spoke routing across many VPCs and on-prem links           | Enterprise-scale multi-VPC networks
PrivateLink         | Private access to a service over the AWS backbone                  | SaaS / private API access
VPN Connection      | IPsec tunnels between on-prem and the VPC, carried over the internet | Hybrid connectivity
Direct Connect (DX) | Dedicated private network connection, not over the public internet | Low-latency hybrid workloads

Security & Isolation Features

    • Flow Logs: Capture metadata (addresses, ports, protocol, bytes, packets, ACCEPT/REJECT) about traffic to and from ENIs; they never capture payload.
      • Captured metadata can be sent to CloudWatch Logs, S3, or Kinesis Data Firehose for monitoring & observability; REJECT records show what SGs and NACLs dropped.
      • Some traffic is never logged, e.g. queries to the Amazon DNS resolver, instance metadata (169.254.169.254), and DHCP.
    • VPC Traffic Mirroring: Copy packets from ENIs to a monitoring appliance for full-packet inspection.
    • Prefix Lists: Centralize and simplify routing and security rule management (one managed list of CIDRs referenced from many route tables and SGs).
    • Network Firewall / Gateway Load Balancer (GWLB): For deep packet inspection, intrusion detection, and inserting third-party inline appliances.
    • Egress-Only Internet Gateway (for IPv6): Allows outbound IPv6 but no inbound.
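Below is an added Python example (not from the page, not an AWS tool) that parses VPC Flow Log records in the default version-2 format and runs two detections a security team typically starts with: a source sending REJECTed probes to many ports on one ENI, and accepted SSH/RDP connections from outside RFC 1918 space. The log lines, account ID and ENI ID are constructed placeholders; the thresholds and port list are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Field order of the default (version 2) flow log record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """Treat only RFC 1918 space as internal. ipaddress.is_private also covers
    documentation ranges such as 203.0.113.0/24, which is not what we want here."""
    a = ip_address(addr)
    return any(a in n for n in RFC1918)


# Constructed sample records (placeholder account and ENI IDs; protocol 6 = TCP).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40001 22 6 1 44 1730000000 1730000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40002 23 6 1 44 1730000000 1730000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40003 3389 6 1 44 1730000000 1730000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40004 445 6 1 44 1730000000 1730000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40005 8080 6 1 44 1730000000 1730000060 REJECT OK
2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.10 51000 22 6 20 3200 1730000000 1730000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.1.10 52000 22 6 18 2900 1730000000 1730000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.44 10.0.1.10 53000 443 6 10 1500 1730000000 1730000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1730000000 1730000060 - NODATA
"""


def parse_flow_log(text):
    """Return one dict per record with log_status OK. NODATA/SKIPDATA records carry
    '-' in the traffic fields and are skipped; malformed lines are ignored."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def port_scan_sources(records, min_ports=5):
    """Sources whose REJECTed traffic touched at least min_ports distinct destination
    ports on one target: {(src, dst): sorted ports}. REJECT means an SG or NACL dropped it."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def admin_ports_from_internet(records, ports=(22, 3389)):
    """ACCEPTed connections to admin ports from non-RFC1918 sources: something
    reachable from the internet is answering on SSH/RDP."""
    hits = []
    for r in records:
        if (r["action"] == "ACCEPT" and r["dstport"] in ports
                and not is_rfc1918(r["srcaddr"])):
            hits.append((r["srcaddr"], r["dstaddr"], r["dstport"]))
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("records:", len(recs))
    print("port-scan candidates:", port_scan_sources(recs))
    print("admin ports open to internet:", admin_ports_from_internet(recs))
```

In production the same two functions run over records pulled from the CloudWatch Logs group or the S3 prefix the flow log writes to; the scan detector keys on (source, destination) rather than on source alone so that one noisy client hitting many hosts on one port is not confused with a port sweep of one host.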

Common VPC Design Patterns

1. Public + Private Subnet Model

    • Public Subnet: Load balancers, bastion hosts (or no bastion at all, with SSM Session Manager for shell access)
    • Private Subnet: App servers, databases
    • NAT Gateway in each AZ's public subnet for outbound traffic from that AZ's private subnets

2. Three-Tier Architecture

    • Web Tier (Public): only the load balancer needs to be reachable from the internet
    • App Tier (Private): security group allows traffic only from the web tier's security group
    • DB Tier (Private, no internet): no default route at all, not even to a NAT Gateway
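An added Python example (not from the page or from AWS) that applies the route-table rules from the Core Components section to the two patterns above: it classifies each subnet as public, private or isolated from its effective route table using longest-prefix match, and reports where a tier's real exposure differs from the design. Route tables, subnet IDs and gateway IDs are constructed; the DB subnet that was never associated with a route table, and so inherits the main route table, is the case the check exists to catch.

```python
from ipaddress import ip_address, ip_network

VPC_CIDR = "10.0.0.0/16"

# Constructed route tables: {destination prefix: target}. The "local" route is
# present in every table and cannot be removed.
ROUTE_TABLES = {
    "rtb-public": {VPC_CIDR: "local", "0.0.0.0/0": "igw-0abc"},
    "rtb-app-1a": {VPC_CIDR: "local", "0.0.0.0/0": "nat-0aaa", "10.1.0.0/16": "pcx-0ddd"},
    "rtb-db":     {VPC_CIDR: "local", "10.1.0.0/16": "pcx-0ddd"},
    "rtb-main":   {VPC_CIDR: "local", "0.0.0.0/0": "igw-0abc"},  # main table given an IGW route
}
MAIN_ROUTE_TABLE = "rtb-main"

# Constructed subnets: (cidr, AZ, explicitly associated route table or None).
SUBNETS = {
    "subnet-web-1a": ("10.0.0.0/24", "us-east-1a", "rtb-public"),
    "subnet-app-1a": ("10.0.10.0/24", "us-east-1a", "rtb-app-1a"),
    "subnet-db-1a":  ("10.0.20.0/24", "us-east-1a", "rtb-db"),
    "subnet-db-1b":  ("10.0.21.0/24", "us-east-1b", None),  # association forgotten
}

# What the three-tier design intends for each subnet.
EXPECTED = {
    "subnet-web-1a": "public",
    "subnet-app-1a": "private",
    "subnet-db-1a": "isolated",
    "subnet-db-1b": "isolated",
}


def lookup(table, dst):
    """Longest-prefix match: the most specific route covering dst wins, which is
    why 10.0.5.5 goes to 'local' even though 0.0.0.0/0 also covers it."""
    addr, best_net, best_target = ip_address(dst), None, None
    for prefix, target in table.items():
        net = ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def effective_table(subnet_id):
    """A subnet with no explicit association silently uses the main route table."""
    explicit = SUBNETS[subnet_id][2]
    return ROUTE_TABLES[explicit if explicit else MAIN_ROUTE_TABLE]


def classify(subnet_id):
    """public: default route to an IGW; private: default route to a NAT gateway;
    isolated: no default route at all (the DB-tier requirement)."""
    target = lookup(effective_table(subnet_id), "203.0.113.1")  # any non-VPC address
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    return "private"


def exposure_violations(expected=EXPECTED):
    """Subnets whose real exposure differs from the design: {subnet: (expected, actual)}."""
    actual = {s: classify(s) for s in expected}
    return {s: (expected[s], actual[s]) for s in expected if actual[s] != expected[s]}


if __name__ == "__main__":
    for s in SUBNETS:
        print(s, classify(s))
    print("violations:", exposure_violations())
```

Against a real account the same walk is done over the output of describe-route-tables and describe-subnets; the rule worth turning into a continuous check is the DB-tier one, "no default route at all", because a NAT route there is enough for a compromised database host to exfiltrate data.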

3. Hub-and-Spoke with Transit Gateway

    • Centralized connectivity model where multiple VPCs connect through a Transit Gateway (TGW).
    • TGW route tables decide which attachments can reach each other, so a shared-services VPC can be reachable from every spoke while the spokes stay isolated from one another.

4. Shared VPC

    • Multiple AWS accounts share subnets within a centrally managed VPC; the subnets are shared through AWS Resource Access Manager (RAM).
    • Requires AWS Organizations. The owner account manages the VPC-level resources (route tables, NACLs, gateways) while participant accounts launch their own resources and security groups into the shared subnets; Service Control Policies (SCPs) can then forbid participants from creating VPCs of their own.

Advanced Topics with Hybrid Networking

    • Combine VPC + On-Prem using:
      • AWS Direct Connect (DX)
      • Site-to-Site VPN (also usable as a backup path for DX)
      • Transit Gateway for central management

Advanced Topics with IPv6 Dual-Stacking

    • Assign both IPv4 and IPv6 CIDRs to the VPC and its subnets.
    • IPv6 addresses in a VPC are globally unique and publicly routable, and there is no NAT for them. A subnet whose ::/0 route points at an IGW is therefore reachable from the internet; private subnets use an Egress-Only Internet Gateway for ::/0 to get outbound-only access.

Advanced Topics with VPC Lattice

    • Application-level networking across VPCs and accounts.
    • Offers service discovery, auth (IAM auth policies per service), traffic policies, and monitoring at the app layer.

Advanced Topics with DNS in VPC

    • AmazonProvidedDNS (the Route 53 Resolver at the VPC base address plus two, e.g. 10.0.0.2 for 10.0.0.0/16) for name resolution.
    • Route 53 Resolver inbound and outbound endpoints for custom DNS forwarding between on-prem and AWS.
    • The VPC attributes enableDnsSupport and enableDnsHostnames must both be on for private hosted zones and for the private DNS names of interface endpoints to work.

 Operational Best Practices & Recommendations

Area              | Recommendation
IP Planning       | Reserve address space for growth; avoid overlap with on-prem and with VPCs that will be peered
High Availability | Distribute subnets, and NAT Gateways, across multiple AZs
Security          | Use least-privilege SGs and NACLs; enable Flow Logs; reach AWS services through VPC endpoints instead of the internet
Monitoring        | Integrate with CloudWatch, GuardDuty (which analyzes VPC Flow Logs and DNS logs), and AWS Config
Automation        | Use IaC (Terraform / CloudFormation / CDK) for VPC setup
Cost Optimization | One NAT Gateway per AZ rather than per subnet; gateway endpoints for S3/DynamoDB avoid NAT data charges; minimize cross-AZ traffic

Sample-Reference-Architectures



Project: Hands-On

  • How twtech creates a Custom VPC within its environment.
  • Search for the AWS service: VPC.
  • Create VPC. The console describes the object as: "A VPC is an isolated portion of the AWS Cloud populated by AWS objects, such as Amazon EC2 instances."
  • How twtech calculates the number of addresses for a CIDR block, using the website:

https://www.ipaddressguide.com/cidr

  • How twtech adds CIDR blocks to a Custom VPC: select the custom VPC and open Edit CIDRs.
  • Add new IPv4 CIDR: the value 10.0.0.1/24 shown here is not a valid block and the API rejects it. A CIDR must be written as its network address with the host bits zero (10.0.0.0/24), and a secondary CIDR must not overlap any CIDR already on the VPC, so 10.0.0.0/24 would also be refused on a VPC whose primary block is 10.0.0.0/16 as in the earlier example; pick an unused range instead.
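Added Python example (not from the page): the address arithmetic the online calculator performs, plus the checks from the CIDR Block and Subnets sections that the console enforces (host bits zero, /16 to /28, no overlap with the VPC's existing blocks) and the on-prem overlap check AWS does not enforce, followed by carving a VPC CIDR into per-tier, per-AZ subnets. The ranges and AZ names are constructed; the five reserved addresses per subnet and the /16-/28 limits are AWS rules, while the rest of AWS's secondary-CIDR restrictions are not modelled.

```python
from ipaddress import ip_network

AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def address_count(cidr):
    """Total addresses in a block, e.g. 10.0.0.0/16 -> 65536."""
    return ip_network(cidr, strict=False).num_addresses


def usable_in_subnet(cidr):
    """Addresses an instance can actually receive: AWS reserves five in every subnet."""
    return address_count(cidr) - AWS_RESERVED_PER_SUBNET


def check_vpc_cidr(candidate, existing, on_prem=()):
    """Validate a primary or secondary VPC CIDR the way the console/API will:
    host bits must be zero, size /16../28, no overlap with the VPC's other blocks.
    Overlap with on-prem ranges is not enforced by AWS but breaks hybrid routing."""
    problems = []
    net = ip_network(candidate, strict=False)
    if str(net) != candidate:
        problems.append(f"host bits set: use {net} not {candidate}")
    if not 16 <= net.prefixlen <= 28:
        problems.append(f"prefix /{net.prefixlen} outside /16-/28")
    for other in existing:
        if net.overlaps(ip_network(other)):
            problems.append(f"overlaps existing VPC CIDR {other}")
    for other in on_prem:
        if net.overlaps(ip_network(other)):
            problems.append(f"overlaps on-prem range {other}")
    return problems


def carve_subnets(vpc_cidr, azs, tiers, new_prefix=24):
    """Split a VPC CIDR into one subnet per (tier, AZ), tier-major, and report
    how many equal-sized blocks remain for growth."""
    pool = list(ip_network(vpc_cidr).subnets(new_prefix=new_prefix))
    if len(pool) < len(azs) * len(tiers):
        raise ValueError("VPC CIDR too small for the requested layout")
    plan = {}
    for tier in tiers:
        for az in azs:
            plan[(tier, az)] = str(pool.pop(0))
    return plan, len(pool)


if __name__ == "__main__":
    print("10.0.0.0/16 ->", address_count("10.0.0.0/16"), "addresses")
    print("usable in a /24 ->", usable_in_subnet("10.0.1.0/24"))
    print("10.0.0.1/24 as secondary of 10.0.0.0/16 ->",
          check_vpc_cidr("10.0.0.1/24", ["10.0.0.0/16"]))
    plan, spare = carve_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"],
                                ["public", "app", "db"])
    for key, cidr in plan.items():
        print(key, cidr)
    print("spare /24 blocks:", spare)
```

Running the checker on the page's own value reports both defects (host bits set, overlap with 10.0.0.0/16), which is the feedback the console gives one at a time; the carving function is deliberately simple (equal-sized subnets in address order) so the remaining pool is obvious when reserving space for growth.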
