AWS Cloud Quest Task 5: VPCs
Yo! Welcome back folks :)
btw this is part 5 of my AWS Cloud Quest series, where I'm learning AWS and writing about it in a sort of informal way, but I promise there are learnings in the blogs. If you missed the previous tasks, you can check them out in the archives section of the website.
The Problem
This time, we are approached by a bank. They recently shifted to the cloud, but they are facing problems with their EC2 instances and databases. The EC2 instances cannot connect to the internet, and their databases are unable to communicate with the instances.
We then ask them whether they checked their VPC (Virtual Private Cloud): does it have an Internet Gateway attached, and if so, does it allow outside traffic?
The bank manager had no idea, but she asked a very valid question: “Is this complicated? Will it take time?”
The answer to that is... you guessed it... “Nope. It's AWS, everything here can be set up in minutes”, and that is the beauty of cloud, innit. Jokes aside, I am really enjoying learning cloud this way. I always found it daunting back in my bachelor's, but now it seems fun. AWS and cloud is genuinely so convenient, except maybe the pricing, which I can't afford but I guess companies can.
So why did they encounter this problem?
By default, a VPC is not configured with internet access. We need to enable it explicitly, either for the whole VPC or just part of it. This way we can customise the configuration to our own wants and needs.
Overview
What is VPC?
VPC, or Virtual Private Cloud, as the name suggests is like your own private cloud network inside the AWS Cloud infrastructure. It provides a logically isolated section of AWS in which we can launch and use AWS resources in a virtual network dedicated to your Amazon account.
One thing to note: each AWS account comes with a default VPC in each region, so that we can launch AWS resources right away.
A VPC gives us a custom virtual network environment: our own IP address range, multiple subnets, route tables, network gateways, etc.
To get started, we must assign a range of private IPs to the VPC. A VPC supports IPv4 and IPv6; IPv4 is the default. You may also bring your own IP prefixes.
A VPC spans all of the Availability Zones (AZs) in the region. Once we have created a VPC we can add one or more subnets in each AZ. (More on what a subnet is later.)
Each AWS account can create up to 5 VPCs per region.
What is a Subnet?
A subnet is a partition of a VPC's IP address range.
Ex: say your VPC has 1024 IP addresses and you create 4 subnets, then each subnet can have 251 usable IP addresses (1024 / 4 = 256 per subnet, minus the 5 addresses AWS reserves; more on that below).
Each subnet should reside entirely in one AZ.
You can then launch multiple instances inside each subnet, and spreading them over several subnets improves fault tolerance.
Benefits of VPC
- Quickly and easily created.
- Customisable. Ex: a public-facing subnet (say, with internet access) and a private subnet (without internet access, for the backend).
- Connect the VPC to your existing data centre and let the VPC act as an extension of it. You can also connect one VPC to other VPCs.
- Secure. Ex: network access control at the subnet and instance level, or storing data in S3 and allowing it to be accessed only from instances inside a particular VPC.
VPC Concepts
IP Addresses & CIDR
When setting up a VPC, you define its range of IP addresses using a Classless Inter-Domain Routing (CIDR) block.
Allowed CIDR Block Sizes are /16 & /24.
For example, consider the IPv4 CIDR block 10.0.0.0/16.
Converted to binary, the address is:
0000 1010 . 0000 0000 . 0000 0000 . 0000 0000
The /16 means the first 16 bits, i.e. [[ 0000 1010 0000 0000 ]] 0000 0000 0000 0000, are fixed and the last 16 bits can vary, giving us 2^16 = 65,536 IP addresses (HOLY SH**).
An IP block of 0.0.0.0/0 matches any IP address.
You can also assign a secondary CIDR block to expand your VPC.
Private IP addresses: these are local IP addresses inside your VPC. They cannot access the internet and are only used for communication inside your VPC.
Public IP address: to connect an instance to the internet, you have to assign it a globally unique public IPv4 address. IPv6 addresses are public and reachable from the internet.
When creating a VPC with a CIDR block of, say, 10.0.0.0/16, you get 65,536 IP addresses, but not all of them are usable: AWS reserves 5 IP addresses for internal use.
To create more than one subnet in a VPC, make sure their CIDR blocks do not overlap; that is why we use a different CIDR block for each subnet.
Ex: 10.0.10.0/24 for Subnet 1 and 10.0.20.0/24 for Subnet 2.
/24 → the first 24 bits are fixed and the last 8 bits vary, giving us 251 usable IP addresses.
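To make the CIDR arithmetic above concrete, here is a small Python script (an added example, not code from the Cloud Quest lab) that uses the standard `ipaddress` module to size a block, strip the 5 addresses the post says AWS reserves, show which bits are fixed, check that two subnets don't overlap, and carve a VPC range into equal subnets. The `AWS_RESERVED = 5` constant and the 10.0.0.0 addresses are taken from the post; the `plan_subnets` helper and the /22 VPC used to reproduce the "1024 addresses, 4 subnets, 251 each" example are my own constructions.

```python
"""Worked CIDR arithmetic for VPC and subnet planning (added example)."""
import ipaddress
from typing import List

# Addresses AWS keeps back per block, as stated in the post.
AWS_RESERVED = 5


def block_size(cidr: str) -> int:
    """Total addresses in an IPv4 block: 2 ** (32 - prefix length)."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses


def usable_addresses(cidr: str) -> int:
    """Addresses you can actually hand out once the reserved ones are removed."""
    return block_size(cidr) - AWS_RESERVED


def binary_view(cidr: str) -> str:
    """Render the address as 32 bits, with the fixed prefix in brackets."""
    net = ipaddress.ip_network(cidr, strict=True)
    bits = format(int(net.network_address), "032b")
    return f"[{bits[:net.prefixlen]}] {bits[net.prefixlen:]}"


def overlaps(cidr_a: str, cidr_b: str) -> bool:
    """True if any address belongs to both blocks (not allowed for sibling subnets)."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def fits_in_vpc(vpc_cidr: str, subnet_cidr: str) -> bool:
    """A subnet must be fully contained in its VPC's block."""
    return ipaddress.ip_network(subnet_cidr).subnet_of(ipaddress.ip_network(vpc_cidr))


def plan_subnets(vpc_cidr: str, count: int) -> List[str]:
    """Carve a VPC block into `count` equal, non-overlapping subnets (constructed helper).

    The prefix grows by enough bits to hold `count` subnets (rounded up to a power of two);
    any surplus subnets are simply left unallocated for later use.
    """
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    extra_bits = (count - 1).bit_length()  # smallest n with 2**n >= count
    return [str(s) for s in list(net.subnets(prefixlen_diff=extra_bits))[:count]]


if __name__ == "__main__":
    print("10.0.0.0/16 ->", block_size("10.0.0.0/16"), "addresses")
    print("binary:", binary_view("10.0.0.0/16"))
    # The post's example: 1024 addresses (a /22), split four ways.
    for sub in plan_subnets("10.0.0.0/22", 4):
        print(sub, "usable:", usable_addresses(sub))
    print("10.0.10.0/24 vs 10.0.20.0/24 overlap?", overlaps("10.0.10.0/24", "10.0.20.0/24"))
```

Note that `ipaddress.ip_network(..., strict=True)` raises `ValueError` for something like `10.0.10.5/24`, where host bits are set; that is a useful sanity check to keep when validating subnet input from users or config files.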
Route Table
When you create a VPC, it comes with a main route table by default. You can also create custom route tables.
A route table contains rules, called routes, which determine where network traffic is directed. Each route in the table specifies a destination and a target.
The main route table shows a local route that enables communication between all resources within the VPC.
Each subnet in the VPC must be associated with a route table. You should use a public subnet for resources which need internet access and a private subnet for resources which do not.
You can make a subnet public by adding a route to its route table that targets the internet gateway, which supports inbound and outbound traffic.
Most architectures allocate more IPs to private subnets than to public subnets.
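Here is a Python model of how a route table picks a target (an added example, not AWS code): the most specific matching destination wins, so a local route for the VPC's own range always beats the catch-all 0.0.0.0/0 route. The sample table copies the two routes the task section describes (a local route for 10.10.0.0/24 and a default route through a NAT gateway), and `set_default_route` swaps the default route's target the way “Edit routes” does. The ids `nat-EXAMPLE`, `igw-EXAMPLE` and `pcx-EXAMPLE` are placeholders, and the peering route is a constructed extra to show longest-prefix matching.

```python
"""Route lookup the way a VPC route table does it: longest prefix wins (added example)."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[str, str]  # (destination CIDR, target)

# Constructed sample, mirroring the Web Server subnet as the post first finds it.
PRIVATE_SUBNET_ROUTES: List[Route] = [
    ("10.10.0.0/24", "local"),        # traffic inside the VPC stays local
    ("0.0.0.0/0", "nat-EXAMPLE"),     # everything else goes out via the NAT gateway
]

# Constructed: same table plus a route to a peered VPC (placeholder id).
PEERED_ROUTES: List[Route] = PRIVATE_SUBNET_ROUTES + [("10.20.0.0/16", "pcx-EXAMPLE")]


def resolve_target(routes: List[Route], dst_ip: str) -> Optional[str]:
    """Return the target of the most specific route matching dst_ip, or None if no route matches."""
    ip = ipaddress.ip_address(dst_ip)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for destination, target in routes:
        net = ipaddress.ip_network(destination, strict=True)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def set_default_route(routes: List[Route], target: str) -> List[Route]:
    """Replace (or add) the 0.0.0.0/0 route, like deleting the NAT route and adding the IGW one."""
    kept = [r for r in routes if r[0] != "0.0.0.0/0"]
    return kept + [("0.0.0.0/0", target)]


def default_route_target(routes: List[Route]) -> Optional[str]:
    """Target of the catch-all route, if the table has one."""
    for destination, target in routes:
        if destination == "0.0.0.0/0":
            return target
    return None


def is_public_subnet(routes: List[Route]) -> bool:
    """A subnet is public when its default route points at an internet gateway (igw-...)."""
    target = default_route_target(routes)
    return target is not None and target.startswith("igw-")


if __name__ == "__main__":
    internet_host = "93.184.216.34"   # constructed example destination
    print("before:", resolve_target(PRIVATE_SUBNET_ROUTES, internet_host),
          "| public?", is_public_subnet(PRIVATE_SUBNET_ROUTES))
    public_routes = set_default_route(PRIVATE_SUBNET_ROUTES, "igw-EXAMPLE")
    print("after: ", resolve_target(public_routes, internet_host),
          "| public?", is_public_subnet(public_routes))
    print("VPC-local:", resolve_target(public_routes, "10.10.0.42"))
    print("peered VPC:", resolve_target(PEERED_ROUTES, "10.20.5.5"))
```

The `None` result for a table with no default route is the case the bank hit: with only the local route, packets for the internet have nowhere to go and the connection times out.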
Network Access Control Lists
It's the firewall at the subnet boundary. Every VPC comes with a modifiable default NACL which allows all inbound and outbound traffic.
You can also create a custom NACL and assign it to a subnet. Each custom NACL denies all inbound and outbound traffic until allow rules are added.
Multiple subnets can be associated with one NACL, but a subnet can only be associated with one NACL at a time.
NACLs are stateless and require explicit rules for both inbound and outbound traffic.
A NACL contains a numbered list of rules which are evaluated in order, starting with the lowest-numbered rule (which has the highest priority), to determine whether traffic is allowed. Once the inbound traffic matches a rule, evaluation ends and that rule decides whether the traffic is allowed.
Security Groups
These are virtual firewalls at the instance level, you guessed it, to control inbound and outbound traffic. By default, a security group denies all inbound traffic but allows all outbound traffic. When creating a new security group you write allow rules to control traffic; no deny rule is needed, as everything inbound is denied by default. Security groups are stateful: responses to allowed inbound traffic are automatically allowed out. All rules of a security group are evaluated before deciding whether traffic is allowed.
Chained security groups example: most organisations create security groups with rules bound to each functional tier.
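The two firewall models described above behave differently in ways that are easy to get wrong, so here is a Python simulation (an added example, not AWS code) that evaluates sample flows against both: a NACL is walked lowest rule number first and stops at the first match, with the implicit `*` rule denying, and because it is stateless the reply packet on the client's ephemeral port must also match an explicit outbound rule; a security group checks every allow rule and, being stateful, lets the reply through automatically. The sample rules mirror the post (HTTP from anywhere for the web server, MySQL/Aurora port 3306 from 10.10.0.0/24 for the DB server); the ephemeral port range 1024-65535, the client addresses and the deliberately empty outbound NACL are constructed values for the demonstration.

```python
"""Stateless NACL vs stateful security group, evaluated on sample flows (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Rule:
    number: int            # NACL rule number (ordering); unused for security groups
    protocol: str          # "tcp", "udp" or "all"
    ports: Tuple[int, int] # inclusive port range
    cidr: str              # source for inbound rules, destination for outbound rules
    action: str            # "allow" or "deny" (security groups only ever have "allow")

    def matches(self, proto: str, port: int, ip: str) -> bool:
        return ((self.protocol == "all" or self.protocol == proto)
                and self.ports[0] <= port <= self.ports[1]
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


def nacl_decision(rules: List[Rule], proto: str, port: int, ip: str) -> str:
    """Lowest rule number first; the first match wins; the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, port, ip):
            return rule.action
    return "deny"


def nacl_allows_session(inbound: List[Rule], outbound: List[Rule], proto: str,
                        port: int, client_ip: str, client_port: int) -> bool:
    """Stateless: the request AND its reply (to the client's ephemeral port) need explicit rules."""
    request_ok = nacl_decision(inbound, proto, port, client_ip) == "allow"
    reply_ok = nacl_decision(outbound, proto, client_port, client_ip) == "allow"
    return request_ok and reply_ok


def sg_allows_inbound(rules: List[Rule], proto: str, port: int, ip: str) -> bool:
    """Security group: every allow rule is checked; any match permits, no match denies."""
    return any(r.matches(proto, port, ip) for r in rules)


def sg_allows_session(inbound: List[Rule], proto: str, port: int, client_ip: str) -> bool:
    """Stateful: once the request is allowed in, the reply is allowed out automatically."""
    return sg_allows_inbound(inbound, proto, port, client_ip)


EPHEMERAL = (1024, 65535)  # constructed assumption for client-side ports

# NACL that lets HTTP in but has no outbound rule for the replies (a common mistake).
NACL_IN = [Rule(100, "tcp", (80, 80), "0.0.0.0/0", "allow")]
NACL_OUT_BROKEN: List[Rule] = []
NACL_OUT_FIXED = [Rule(100, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")]

# Ordering demo: the deny at 90 is seen before the allow at 100. Numbered 110, it would never fire.
NACL_ORDER_DEMO = [
    Rule(100, "tcp", (80, 80), "0.0.0.0/0", "allow"),
    Rule(90, "tcp", (80, 80), "198.51.100.0/24", "deny"),
]

# Security groups as set up in the task (rule number is irrelevant here).
WEB_SG = [Rule(0, "tcp", (80, 80), "0.0.0.0/0", "allow")]
DB_SG = [Rule(0, "tcp", (3306, 3306), "10.10.0.0/24", "allow")]


if __name__ == "__main__":
    client, cport = "198.51.100.7", 51515  # constructed internet client
    print("NACL, no outbound rule:", nacl_allows_session(NACL_IN, NACL_OUT_BROKEN, "tcp", 80, client, cport))
    print("NACL, ephemeral rule:  ", nacl_allows_session(NACL_IN, NACL_OUT_FIXED, "tcp", 80, client, cport))
    print("NACL order, 198.51.100.7:", nacl_decision(NACL_ORDER_DEMO, "tcp", 80, client))
    print("Web SG, HTTP from internet:", sg_allows_session(WEB_SG, "tcp", 80, client))
    print("DB SG, 3306 from web subnet:", sg_allows_inbound(DB_SG, "tcp", 3306, "10.10.0.25"))
    print("DB SG, 3306 from internet:  ", sg_allows_inbound(DB_SG, "tcp", 3306, client))
```

The model is deliberately IPv4 and TCP/UDP only (no ICMP, no IPv6), but it captures the two properties worth remembering: a NACL needs the outbound ephemeral-port rule or replies silently die, and a security group rule that names a CIDR such as 10.10.0.0/24 is what keeps port 3306 on the DB server unreachable from the internet even though the web server is public.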
Internet Connectivity
The internet gateway is horizontally scaled, redundant and highly available by default. It allows your VPC to access the internet and supports both IPv4 and IPv6.
To connect a VPC to the internet, attach an internet gateway and add a route with the gateway (igw-id) as its target. Also make sure that:
- your instance has a public IPv4 address, an IPv6 address or an Elastic IP address (a static public IPv4 address that you can move from one instance to another);
- the NACLs and security groups allow the relevant traffic to flow to and from your instance.
Network Address Translation (NAT) Gateway
You need a NAT gateway in a public subnet to enable instances in a private subnet to connect to the internet, while preventing the internet from initiating a connection to those instances.
A NAT gateway basically translates your private IPs to a public IP for outbound traffic, and vice versa for the inbound replies.
To attach a NAT gateway you must specify the public subnet in which the NAT gateway should reside and an Elastic IP address to associate with it.
Once done, set up a route in the private subnet's route table to point internet traffic at the NAT gateway.
A NAT gateway does not support IPv6; for that you need an egress-only internet gateway.
The Task
Man, that was a lot of information. So in the practice section, we have to: A. explore the VPC and its components; B. configure a route table and give internet access to the subnet; C. configure inbound rules.
And here is how we do it:
- Right from the start we are given 2 EC2 instances, Web Server and DB Server.
- First, we have to check whether the public IP address of the Web Server instance serves a page or not. Spoiler alert! It doesn't. The connection times out, and that is what we have to fix now. (Remember the issue the bank manager was facing?)
- To fix this, we go to the Networking tab of the Web Server EC2 instance and click on the subnet ID.
- A new window appears showing the VPC dashboard, and this is where we see more details about the subnet.
- Here, we go to the Routes tab and see two routes. One is 0.0.0.0/0, configured to send internet traffic via the NAT Gateway, and the other is 10.10.0.0/24, which is local (its target is set to local).
- We don't need the NAT route here, because we want to make the Web Server public. So we click “Edit routes”, delete the NAT route and add a new route whose target is the Internet Gateway: select the igw-id (already created by the tutorial) from the dropdown, with destination 0.0.0.0/0 (remember, 0.0.0.0/0 means all traffic).
- The subnet can now be reached from the internet. WOOHOOO!! But there is more...
- We need to set up inbound and outbound rules. For this, go back to the EC2 instances page, click on the Web Server, go to the Security tab and click on the Security Group ID.
- In the Inbound rules section, click “Add rule”, select “HTTP” as the type and “Anywhere-IPv4” as the source. This now allows incoming web traffic.
- Now go back to the EC2 instance, copy its public IP and paste it into the browser, and we are greeted with:
The web server can be accessed, but the server cannot access the database. This is the issue we have to solve in the DIY section.
DIY Section
Allowing the DB Server to be accessed by the Web Server.
- Click on the DB Server EC2 instance and go to the Security tab.
- Click on the Security Group ID; under the Inbound rules section you can see there are no inbound rules present.
- Click “Edit inbound rules”.
- Click “Add rule” and make sure the type is “MySQL/Aurora”, since the requirement is that the connection is made via port 3306. Under Source add 10.10.0.0/24. This basically says: allow traffic from this IP address range on port 3306.
AND VOILA!! Now it's connected.
We didn't receive anything cool from the bank tho :(
Anyways, this was one long, info-filled task, not gonna lie, but it was fun. See you all in the next task :)