Think - with -Tech: AWS Default VPC | Deep Dive & Hands-On.

Saturday, November 1, 2025

AWS Default VPC | Deep Dive & Hands-On.

A deep dive into AWS Default VPC.

Focus:

Default VPC architecture,
Default VPC behavior,
Default VPC compared to custom VPCs — especially from a DevOps / Cloud Engineering perspective.

Breakdown:

The Concept: Default VPC,
Default VPC Overview,
Default VPC Architecture,
Default VPC Components Explained,
Default VPC Behavior,
Security Implications,
Best Practices,
Sample AWS Default VPC Flow,
Visual Summary,
Key Takeaways.

1. The Concept: Default VPC

When twtech creates an AWS account, AWS automatically provisions a default Virtual Private Cloud (VPC) in each region.
Default VPC is designed to give users a ready-to-use networking environment so twtech can launch EC2 instances immediately.

· Therefore, twtech doesn’t need custom network setup in the Default VPC.

2. Default VPC Overview

Attribute	Description
Created Automatically	One per AWS Region
CIDR Block	172.31.0.0/16 (by default)
Subnets	One subnet in each Availability Zone (AZ)
Internet Connectivity	Public by default (Internet Gateway attached)
DNS Resolution	Enabled
Route Tables	Default route table includes route to Internet Gateway
Security Groups & NACLs	Pre-created with open rules (allow outbound, restricted inbound)
DHCP Options Set	Configured for AmazonProvidedDNS
Tenancy	Default tenancy (shared hardware)

3. Default VPC Architecture

4. Default VPC Components Explained

a. CIDR Block

Uses 172.31.0.0/16 by default.
Provides ~65,536 private IP addresses.

b. Subnets

Each Availability Zone (AZ) in a region gets one public subnet.
AWS automatically assigns /20 subnets (4096 IPs each).

c. Route Tables

Default route table includes:

172.31.0.0/16 → local
0.0.0.0/0 → igw-xxxxxxxx (Internet Gateway)

Means all subnets are public and have outbound internet access.

d. Internet Gateway (IGW)

Attached by default → enables public internet access.

e. Security Groups

Default SG allows:

Inbound: from itself (intra-group communication)
Outbound: all traffic (0.0.0.0/0)

f. Network ACLs

Default NACL allows all inbound and outbound traffic.

g. DHCP Options Set

Configured to provide:

AmazonProvidedDNS
Default domain name (e.g., ec2.internal or region.compute.internal)

5. Default VPC Behavior

Feature	Default VPC	Custom VPC
Internet Gateway.	Attached automatically	Must be attached manually
Public Subnets.	One per AZ	Must be created manually
Default Routes.	Pre-configured to IGW	Must be defined
DNS.	Enabled	Optional
EC2 Auto-Assign Public IP.	Enabled by default	Disabled unless configured
NAT Gateway.	❌ Not included	Must be added manually
Security.	Open outbound, restrictive inbound	Customizable

6. Security Implications

Pros: Quick testing, public access enabled.
Cons: Everything is public — not ideal for production.
For secure environments, twtech needs to:

Create custom VPCs.
Use private subnets for backend systems.
Add NAT Gateways or PrivateLink for outbound access.

7. Best Practices

Use Default VPC for:

Quick demos, testing, learning environments.

Avoid Default VPC for:

Production workloads, sensitive data, compliance-required workloads.

For production:

Build custom VPCs with:

Public and private subnets
NAT Gateway
Bastion host or SSM Session Manager
Custom route tables and tighter SG/NACL rules

8. Sample AWS Default VPC Flow

Launch EC2 in default VPC → gets private IP (172.31.x.x) & public IP (auto-assigned).
EC2’s traffic → Route Table → Internet Gateway → Internet.
Return traffic routed back to EC2 via IGW.

1. Visual Summary

Key Takeaways

Each AWS region comes with one default VPC.
The default VPC provides immediate internet-ready networking.
All subnets are public by default.
Great for development/testing, not production.
Replace default VPC with custom VPCs for secure and scalable production architectures.