Saturday, November 1, 2025

AWS Default VPC | Overview & Hands-On.

Scope:

  • The Concept: Default VPC,
  • Key Components,
  • Usage & Management,
  • Default VPC Overview (Deep Dive),
  • Default VPC Attributes & Description,
  • Default VPC Architecture,
  • Default VPC Components Explained,
  • Default VPC Behavior vs Custom VPC Behavior,
  • Security Implications,
  • Best Practices,
  • Sample AWS Default VPC Flow,
  • Visual Summary,
  • Key Takeaways,
  • Project: Hands-On.

Intro:

    • An AWS default VPC is a pre-configured virtual network that AWS creates automatically for the account in every AWS Region.
    • The default VPC allows twtech to quickly launch resources such as:
      •  Amazon EC2 instances, without first having to configure networking components manually.
Key Components
  • A default VPC comes with several pre-provisioned resources:
    • CIDR Block: It is assigned a default IPv4 CIDR block of 172.31.0.0/16.
    • Subnets: A default public subnet (size /20) is created in every Availability Zone within the region.
    • Internet Gateway: An internet gateway is created and attached to the VPC to allow communication with the internet.
    • Route Table: A main route table is configured with a default route (0.0.0.0/0) pointing to the internet gateway.
    • Security: It includes a default security group and a default network access control list (NACL).
Usage & Management
    • Quick Start: When twtech launches an instance without specifying a subnet, AWS automatically chooses a default subnet in the default VPC.
    • Deletion and Recovery: twtech can delete a default VPC, but doing so may cause issues with some AWS services that expect it to be present.
      • If the default VPC is deleted, twtech can recreate it via the VPC console or the AWS CLI.
    • Security Best Practices: While useful for testing, default VPCs are often deleted in production environments to enforce stricter security controls and custom network topologies.

1. The Concept of Default VPC (Deep Dive)

    • When twtech creates an AWS account, AWS automatically provisions a default Virtual Private Cloud (VPC) in each region.
    • The default VPC is designed to give users a ready-to-use networking environment, so twtech can launch EC2 instances immediately.
    • Therefore, twtech doesn't need a custom network setup in the default VPC.

2. Default VPC Attributes & Description

Attribute               | Description
Created Automatically   | One per AWS Region
CIDR Block              | 172.31.0.0/16 (by default)
Subnets                 | One subnet in each Availability Zone (AZ)
Internet Connectivity   | Public by default (Internet Gateway attached)
DNS Resolution          | Enabled
Route Tables            | Default route table includes a route to the Internet Gateway
Security Groups & NACLs | Pre-created with open rules (allow outbound, restricted inbound)
DHCP Options Set        | Configured for AmazonProvidedDNS
Tenancy                 | Default tenancy (shared hardware)

3. Default VPC Architecture

4. Default VPC Components Explained

a. CIDR Block

    • Uses 172.31.0.0/16 by default.
    • Provides ~65,536 private IP addresses.

b. Subnets

    • Each Availability Zone (AZ) in a region gets one public subnet.
    • AWS automatically assigns /20 subnets (4096 IPs each).

c. Route Tables

    • Default route table includes:
      • 172.31.0.0/16 local
      • 0.0.0.0/0 igw-xxxxxxxx (Internet Gateway)
        • The 0.0.0.0/0 route to the IGW means the subnets are public and have outbound internet access.

d. Internet Gateway (IGW)

    • Attached by default; this is what enables public internet access for instances with a public IP.

e. Security Groups

  • Default SG allows:
    • Inbound: only from members of the same security group (intra-group communication)
    • Outbound: all traffic (0.0.0.0/0)

f. Network ACLs

    • Default NACL allows all inbound and outbound traffic.

g. DHCP Options Set

  • Configured to provide:
    • AmazonProvidedDNS
    • Default domain name (e.g., ec2.internal or region.compute.internal)

5. Default VPC Behavior vs Custom VPC Behavior

Feature                   | Default VPC                        | Custom VPC
Internet Gateway          | Attached automatically             | Must be attached manually
Public Subnets            | One per AZ                         | Must be created manually
Default Routes            | Pre-configured to IGW              | Must be defined
DNS                       | Enabled                            | Optional
EC2 Auto-Assign Public IP | Enabled by default                 | Disabled unless configured
NAT Gateway               | ❌ Not included                    | Must be added manually
Security                  | Open outbound, restrictive inbound | Customizable

6. Security Implications

    • Pros: Quick testing, public access enabled out of the box.
    • Cons: Every subnet is public, which is not ideal for production.
    • For secure environments, twtech needs to:
      • Create custom VPCs.
      • Use private subnets for backend systems.
      • Add NAT Gateways or PrivateLink for outbound access from private subnets.
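To make the "every subnet is public" point concrete, here is an added audit script (example code written for this post, not AWS's or twtech's own) that walks the same components the post lists (route table, subnets, default security group, default NACL) and reports why an instance launched in the default VPC is reachable from the internet. The describe-* responses in the sample are constructed; audit_region() runs the same checks against a live account and assumes boto3 is installed and credentials are configured.

```python
"""Audit the open-by-default posture of a default VPC from EC2 describe-* responses."""

# Constructed sample data mirroring the default VPC this post describes (not a real account).
SAMPLE_VPC = {"VpcId": "vpc-0example", "IsDefault": True, "CidrBlock": "172.31.0.0/16"}
SAMPLE_SUBNETS = [{"SubnetId": "subnet-0a", "CidrBlock": "172.31.0.0/20", "MapPublicIpOnLaunch": True},
                  {"SubnetId": "subnet-0b", "CidrBlock": "172.31.16.0/20", "MapPublicIpOnLaunch": True}]
SAMPLE_ROUTE_TABLES = [{"RouteTableId": "rtb-0main", "Routes": [
    {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]}]
SAMPLE_SGS = [{"GroupId": "sg-0default", "GroupName": "default", "IpPermissions": [
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0default"}], "IpRanges": []}]}]
SAMPLE_NACLS = [{"NetworkAclId": "acl-0default", "IsDefault": True, "Entries": [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"}]}]

def audit_default_vpc(vpc, subnets, route_tables, security_groups, nacls):
    """Return finding strings explaining why resources in this default VPC are internet-exposed."""
    if not vpc.get("IsDefault"):
        return []  # only the default VPC is in scope here
    findings = []
    for rt in route_tables:  # a 0.0.0.0/0 route to an IGW makes every associated subnet public
        for r in rt.get("Routes", []):
            if r.get("DestinationCidrBlock") == "0.0.0.0/0" and r.get("GatewayId", "").startswith("igw-"):
                findings.append(f"{rt['RouteTableId']}: 0.0.0.0/0 -> {r['GatewayId']} (subnets are public)")
    for s in subnets:  # default subnets hand out a public IP to every new instance
        if s.get("MapPublicIpOnLaunch"):
            findings.append(f"{s['SubnetId']}: auto-assigns a public IP to new instances")
    for sg in security_groups:  # IpPermissions are inbound rules; the default SG only allows itself
        if any(rng.get("CidrIp") == "0.0.0.0/0" for p in sg.get("IpPermissions", []) for rng in p.get("IpRanges", [])):
            findings.append(f"{sg['GroupId']}: inbound rule open to 0.0.0.0/0")
    for acl in nacls:  # the default NACL allows all traffic both ways, so it adds no filtering
        for e in acl.get("Entries", []):
            if e["RuleAction"] == "allow" and e["Protocol"] == "-1" and e["CidrBlock"] == "0.0.0.0/0":
                findings.append(f"{acl['NetworkAclId']}: allows all {'outbound' if e['Egress'] else 'inbound'} traffic")
    return findings

def audit_region(region):
    """Run the same checks against a live account (assumes boto3 and AWS credentials are available)."""
    import boto3  # imported here so the offline sample above runs without it
    ec2 = boto3.client("ec2", region_name=region)
    vpcs = ec2.describe_vpcs(Filters=[{"Name": "is-default", "Values": ["true"]}])["Vpcs"]
    if not vpcs:
        return []  # default VPC already deleted in this region
    vf = [{"Name": "vpc-id", "Values": [vpcs[0]["VpcId"]]}]
    return audit_default_vpc(vpcs[0], ec2.describe_subnets(Filters=vf)["Subnets"],
                             ec2.describe_route_tables(Filters=vf)["RouteTables"],
                             ec2.describe_security_groups(Filters=vf)["SecurityGroups"],
                             ec2.describe_network_acls(Filters=vf)["NetworkAcls"])
```

Running audit_default_vpc() on the sample data returns five findings (the IGW route, both subnets, and the two allow-all NACL entries) and none for the default security group, which shows that the exposure comes from the routing and subnet settings rather than from the SG.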

7. Best Practices

Use the default VPC for:

    • Quick demos, testing, learning environments.

Avoid the default VPC for:

    • Production workloads, sensitive data, compliance-required workloads.

For production environments, build custom VPCs with:

    • Public and private subnets
    • NAT Gateway
    • Bastion host or SSM Session Manager
    • Custom route tables and tighter SG/NACL rules

8. Sample AWS Default VPC Flow

    1. Launch an EC2 instance in the default VPC: it gets a private IP (172.31.x.x) and an auto-assigned public IP.
    2. EC2 outbound traffic → Route Table → Internet Gateway → Internet.
    3. Return traffic is routed back to the EC2 instance via the IGW.

Visual Summary

Key Takeaways

    • Each AWS region comes with one default VPC.
    • The default VPC provides immediate internet-ready networking.
    • All subnets are public by default.
    • Great for development/testing, not for production.
      • In production, twtech must replace the default VPC with custom VPCs for secure and scalable architectures.


Project: Hands-On

How twtech uses the default VPC (created by AWS in every region when its account was created) to provision resources within its test environment.

  • Search for aws service: VPC

VPC Dashboard:

Your VPCs

Details of Default VPC:


VPC Subnets: Available IPv4 address per AZ

VPC  Route Table

VPC Security: Network Access Control Lists (NACLs)

All traffic, inbound and outbound, is allowed in the subnet for connectivity.

VPC Internet Gateway: Provides internet access to the EC2 instances
