
Building Your Cloud Home: A Step-by-Step Guide to AWS VPC Architecture


What We're Building Today

Imagine being able to build your own digital neighborhood, complete with public areas, private spaces, and secure entrances - all perfectly organized for safety, efficiency, and growth. That's exactly what we'll be doing in AWS today!

By the end of this tutorial, you will have created:

  • A secure, isolated cloud network (VPC)

  • Public and private areas (subnets) in different locations (availability zones)

  • Safe entrances and exits to the internet (gateways)

  • Traffic rules to keep everything running smoothly (route tables)

Whether you're just starting your cloud journey or looking to strengthen your AWS fundamentals, this guide will walk you through creating a production-ready network architecture using simple, everyday analogies.

Why Do We Need This?

Before we start building, let's understand why this matters:

  1. Security: Just like you wouldn't want strangers wandering through your bedroom, some parts of your application (like databases) should be kept private.

  2. Reliability: If one neighborhood (availability zone) experiences a power outage, your application can still run in another neighborhood.

  3. Organization: Good fences make good neighbors! Properly separating your resources makes them easier to manage.

  4. Scalability: A well-planned network gives your applications room to grow.

Now, let's start building our cloud neighborhood!

Step 1: Creating Your VPC (Your Digital Property)

Think of a VPC as buying a large plot of land where you'll build your digital home. You need to decide how big it should be and establish the boundaries.

Here's what to do:

  1. Sign in to the AWS Management Console

  2. Navigate to "VPC" under Services

  3. Click "Create VPC"

  4. Fill in these details:

    • Name: MyDigitalNeighborhood

    • IPv4 CIDR block: 10.0.0.0/16

    • Leave other settings as default

  5. Click "Create VPC"

Understanding CIDR: The Magic Behind IP Addressing

Imagine the internet as a giant city with billions of houses (computers), and each house needs a unique address (IP address). CIDR (Classless Inter-Domain Routing) is the clever system we use to organize these addresses.

What the Numbers Mean

The CIDR notation like 10.0.0.0/16 has two important parts:

  • The first part (10.0.0.0) is the starting address of your neighborhood

  • The second part (/16) tells us how many addresses belong to you

The number after the slash (/16) represents how many bits in the IP address are fixed for your network. An IP address has 32 bits total, so:

  • /16 means 16 bits are fixed, leaving 16 bits for your addresses (2^16 = 65,536 addresses)

  • /24 means 24 bits are fixed, leaving only 8 bits for your addresses (2^8 = 256 addresses)

  • /28 means 28 bits are fixed, leaving just 4 bits for your addresses (2^4 = 16 addresses)

How to Calculate Available Addresses

Here's a simple way to calculate how many addresses you get:

  1. Take the number after the slash (let's call it N)

  2. Subtract it from 32 (32 - N)

  3. Raise 2 to that power: 2^(32-N)

Examples:

  • For /16: 2^(32-16) = 2^16 = 65,536 addresses

  • For /24: 2^(32-24) = 2^8 = 256 addresses

  • For /28: 2^(32-28) = 2^4 = 16 addresses

Address Range Calculation

To find the range of addresses in a CIDR block:

  • Starting address: The address you specified (e.g., 10.0.0.0)

  • Ending address: Add your total number of addresses to the starting address, then subtract 1

For 10.0.0.0/16:

  • Starting: 10.0.0.0

  • Ending: 10.0.0.0 + 65,536 - 1 = 10.0.255.255

For 10.0.1.0/24:

  • Starting: 10.0.1.0

  • Ending: 10.0.1.0 + 256 - 1 = 10.0.1.255

Practical Tips for CIDR Planning

  1. Start Bigger Than You Need: It's easier to subnet a large network than to expand a small one. Begin with a /16 for your VPC if possible.

  2. Use Powers of 2: Always create subnets with sizes that are powers of 2 (256, 512, 1024, etc.). This keeps your CIDR math clean.

  3. Mind Your Zeros: When creating a subnet, make sure the network address has all of its host bits set to zero. For example, a /24 network leaves 8 host bits, so its last octet must be 0 (like 10.0.1.0).

  4. Leave Room for Growth: Don't make your subnets too small. If you think you need 100 addresses, use a /24 (256 addresses) rather than a /25 (128 addresses).

  5. CIDR Cheat Sheet:

    • /16 = 65,536 addresses (large VPC)

    • /20 = 4,096 addresses (medium subnet)

    • /24 = 256 addresses (standard subnet)

    • /28 = 16 addresses (small subnet)

    • /32 = 1 address (single IP)

Think of CIDR like buying land: the smaller the number after the slash, the larger your property! A /16 is like owning a whole county, while a /24 is more like owning a city block.
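As an added example (not code from the original tutorial), the Python below carries out the CIDR arithmetic above with the standard ipaddress module and checks the four-subnet plan that Step 2 builds: alignment ("Mind Your Zeros"), containment in the VPC, overlap between subnets, and one public plus one private subnet per availability zone. The availability-zone names are the tutorial's examples, and the five reserved addresses per subnet are a documented AWS rule that the text above does not mention.

```python
import ipaddress

# Constructed plan from this tutorial: one /16 VPC split into four /24 subnets.
VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = {
    "FrontYard-East": ("10.0.1.0/24", "us-east-1a", "public"),
    "BackYard-East":  ("10.0.2.0/24", "us-east-1a", "private"),
    "FrontYard-West": ("10.0.3.0/24", "us-east-1b", "public"),
    "BackYard-West":  ("10.0.4.0/24", "us-east-1b", "private"),
}
AWS_RESERVED_PER_SUBNET = 5  # AWS keeps the first four and the last address of every subnet

def address_count(prefix_len):
    """Total addresses in a block: 2^(32 - N), the formula from the tutorial."""
    return 2 ** (32 - prefix_len)

def address_range(cidr):
    """First and last address, e.g. 10.0.0.0/16 -> ('10.0.0.0', '10.0.255.255')."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)

def usable_hosts(cidr):
    """Addresses actually assignable to instances once AWS's reserved ones are removed."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET

def check_plan(vpc_cidr, plan):
    """Return a list of problems with a subnet plan; an empty list means it is consistent."""
    problems, accepted, roles_per_az = [], [], {}
    vpc = ipaddress.ip_network(vpc_cidr)
    for name, (cidr, az, role) in plan.items():
        try:
            # strict=True rejects blocks with host bits set ("Mind Your Zeros"), e.g. 10.0.1.5/24
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"{name}: {cidr} is not aligned to a /{cidr.split('/')[1]} boundary")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} lies outside the VPC {vpc_cidr}")
        for other_name, other in accepted:
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        accepted.append((name, net))
        roles_per_az.setdefault(az, set()).add(role)
    # Every AZ should hold one public and one private subnet so losing an AZ leaves a full pair.
    for az, roles in roles_per_az.items():
        if roles != {"public", "private"}:
            problems.append(f"{az}: only {sorted(roles)} subnets, expected one public and one private")
    return problems
```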

Step 2: Creating Subnets (Neighborhoods within Your Property)

Now that we have our land, let's divide it into different areas - some public (like front yards) and some private (like backyards). And we'll create these areas in different locations (availability zones) for safety.

Here's what to do:

Public Subnet in First Location (AZ-1)

  1. In the VPC Dashboard, click "Subnets"

  2. Click "Create subnet"

  3. Configure:

    • VPC: Select your MyDigitalNeighborhood

    • Name: FrontYard-East

    • Availability Zone: Select the first AZ (e.g., us-east-1a)

    • CIDR block: 10.0.1.0/24

  4. Click "Create"

Private Subnet in First Location (AZ-1)

  1. Click "Create subnet" again

  2. Configure:

    • VPC: Same VPC

    • Name: BackYard-East

    • Availability Zone: Same as above (e.g., us-east-1a)

    • CIDR block: 10.0.2.0/24

  3. Click "Create"

Public Subnet in Second Location (AZ-2)

  1. Click "Create subnet" again

  2. Configure:

    • VPC: Same VPC

    • Name: FrontYard-West

    • Availability Zone: Select a different AZ (e.g., us-east-1b)

    • CIDR block: 10.0.3.0/24

  3. Click "Create"

Private Subnet in Second Location (AZ-2)

  1. Click "Create subnet" again

  2. Configure:

    • VPC: Same VPC

    • Name: BackYard-West

    • Availability Zone: Same as above (e.g., us-east-1b)

    • CIDR block: 10.0.4.0/24

  3. Click "Create"

Why We Did It This Way:

Think of this like building a house with front yards (public subnets) and backyards (private subnets) in two different neighborhoods (availability zones).

  • Front yards (public subnets) are visible from the street and accessible to visitors

  • Backyards (private subnets) are more secure and not directly accessible from the street

  • Building in two neighborhoods (AZs) means if one has a problem (like a power outage), you can still use the other

Step 3: Creating an Internet Gateway (Your Main Entrance)

Now we need a way for people to enter and exit our property from the main road (internet). This is our Internet Gateway.

Here's what to do:

  1. In the VPC Dashboard, click "Internet Gateways"

  2. Click "Create internet gateway"

  3. Name it MainEntrance

  4. Click "Create"

  5. Select your new gateway and click "Actions" > "Attach to VPC"

  6. Select your VPC and click "Attach"

Why We Need This:

Just like your house needs a front door to let people in and out, your VPC needs an Internet Gateway to allow traffic between your resources and the internet. Without it, your public resources would be isolated from the outside world!

Step 4: Creating a NAT Gateway (Your Service Entrance)

Now, things in our backyard (private subnets) need a way to access the internet for updates and downloads, but we don't want strangers coming in through this door. That's what a NAT Gateway is for.

Here's what to do:

  1. In the VPC Dashboard, click "NAT Gateways"

  2. Click "Create NAT gateway"

  3. Configure:

    • Name: ServiceEntrance

    • Subnet: Select one of your public subnets (e.g., FrontYard-East)

    • Connectivity: Public

    • Elastic IP: Click "Allocate Elastic IP"

  4. Click "Create NAT gateway"

Why We Need This:

Imagine your private backyard has plants that need water (updates from the internet). The NAT Gateway is like a gardener who can go out to get water and bring it back, but strangers can't use this entrance to come in uninvited. This way, your private resources can access the internet without being exposed to it.

Step 5: Setting Up Route Tables (Traffic Rules)

Now we need to create rules about how traffic should flow in our neighborhoods.

Public Route Table (Rules for Front Yards)

  1. Go to "Route Tables" in the VPC Dashboard

  2. Click "Create route table"

  3. Configure:

    • Name: FrontYard-Rules

    • VPC: Your VPC

  4. Click "Create"

  5. Select the new route table

  6. Go to "Routes" tab and click "Edit routes"

  7. Click "Add route"

    • Destination: 0.0.0.0/0 (everywhere on the internet)

    • Target: Select your Internet Gateway

  8. Click "Save changes"

  9. Go to "Subnet associations" tab

  10. Click "Edit subnet associations"

  11. Select both your public subnets (FrontYard-East and FrontYard-West)

  12. Click "Save associations"

Private Route Table (Rules for Back Yards)

  1. Click "Create route table" again

  2. Configure:

    • Name: BackYard-Rules

    • VPC: Your VPC

  3. Click "Create"

  4. Select this new route table

  5. Go to "Routes" tab and click "Edit routes"

  6. Click "Add route"

    • Destination: 0.0.0.0/0 (everywhere on the internet)

    • Target: Select your NAT Gateway

  7. Click "Save changes"

  8. Go to "Subnet associations" tab

  9. Click "Edit subnet associations"

  10. Select both your private subnets (BackYard-East and BackYard-West)

  11. Click "Save associations"

Why We Did It This Way:

Think of route tables like giving directions to visitors:

  • The public route table says: "To get to the internet, use the main entrance (Internet Gateway)"

  • The private route table says: "To get to the internet, use the service entrance (NAT Gateway)"

This ensures traffic flows exactly how we want it to: public resources can communicate directly with the internet, while private resources can only send requests out through the NAT Gateway.

Step 6: Enabling Auto-assign Public IP for Public Subnets

Our front yards need addresses that are visible from the street.

Here's what to do:

  1. Go to "Subnets" in the VPC Dashboard

  2. Select your first public subnet (FrontYard-East)

  3. Click "Actions" > "Edit subnet settings"

  4. Check "Enable auto-assign public IPv4 address"

  5. Click "Save"

  6. Repeat for your second public subnet (FrontYard-West)

Why We Need This:

This is like putting a house number on your mailbox so people can find you. Without a public IP address, resources in your public subnets wouldn't be reachable from the internet.
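Steps 3 to 6 together decide which subnets are reachable from the internet, so here is an added audit (not part of the original tutorial) that checks the finished layout: every front yard must send 0.0.0.0/0 to the Internet Gateway with auto-assign public IP on, every back yard must send it to the NAT Gateway with auto-assign off, and no subnet may be left without a route table association. The sample data is constructed in the shape of `aws ec2 describe-route-tables` and `describe-subnets` output with made-up resource IDs, and BackYard-West is deliberately left unassociated to show that finding.

```python
# Constructed sample for the tutorial's VPC; every ID below is made up.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-0front",
     "Associations": [{"SubnetId": "subnet-0fyeast"}, {"SubnetId": "subnet-0fywest"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0main", "State": "active"}]},
    {"RouteTableId": "rtb-0back",
     "Associations": [{"SubnetId": "subnet-0byeast"}],  # BackYard-West left out on purpose
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0svc", "State": "active"}]},
]
SUBNETS = [
    {"SubnetId": "subnet-0fyeast", "MapPublicIpOnLaunch": True, "Tags": [{"Key": "Name", "Value": "FrontYard-East"}]},
    {"SubnetId": "subnet-0byeast", "MapPublicIpOnLaunch": False, "Tags": [{"Key": "Name", "Value": "BackYard-East"}]},
    {"SubnetId": "subnet-0fywest", "MapPublicIpOnLaunch": True, "Tags": [{"Key": "Name", "Value": "FrontYard-West"}]},
    {"SubnetId": "subnet-0bywest", "MapPublicIpOnLaunch": False, "Tags": [{"Key": "Name", "Value": "BackYard-West"}]},
]

def default_route_target(rtb):
    """Where a table sends 0.0.0.0/0: 'igw', 'nat', or None if there is no active default route."""
    for route in rtb["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            if route.get("GatewayId", "").startswith("igw-"):
                return "igw"
            if route.get("NatGatewayId", "").startswith("nat-"):
                return "nat"
    return None

def audit(route_tables, subnets):
    """Return findings where a subnet's routing or IP settings contradict its front/back yard role."""
    table_for_subnet = {a["SubnetId"]: rtb for rtb in route_tables for a in rtb["Associations"] if a.get("SubnetId")}
    findings = []
    for subnet in subnets:
        name = next(t["Value"] for t in subnet["Tags"] if t["Key"] == "Name")
        public = name.startswith("FrontYard")  # naming convention from the tutorial
        rtb = table_for_subnet.get(subnet["SubnetId"])
        if rtb is None:
            # AWS silently applies the VPC's main route table to any subnet with no explicit association.
            findings.append(f"{name}: no route table association, it falls back to the main table")
            continue
        target = default_route_target(rtb)
        if public and target != "igw":
            findings.append(f"{name}: public subnet has no default route to the Internet Gateway")
        elif not public and target == "igw":
            findings.append(f"{name}: private subnet routes 0.0.0.0/0 to the Internet Gateway (exposed)")
        elif not public and target is None:
            findings.append(f"{name}: private subnet has no NAT route, so it cannot fetch updates")
        if subnet["MapPublicIpOnLaunch"] != public:
            findings.append(f"{name}: auto-assign public IPv4 should be {'on' if public else 'off'}")
    return findings
```

One caveat the audit does not cover: a NAT Gateway lives in a single availability zone, and Step 4 placed the only one in FrontYard-East, so an outage of that zone also removes internet egress for BackYard-West. Production layouts usually add a second NAT Gateway in FrontYard-West with its own private route table.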

What We've Built: The Big Picture

Congratulations! You've now built a complete cloud network architecture. Let's review what we have:

  1. A VPC (10.0.0.0/16): Your digital property with 65,536 possible addresses

  2. Four Subnets:

    • Two public "front yards" (10.0.1.0/24 and 10.0.3.0/24)

    • Two private "back yards" (10.0.2.0/24 and 10.0.4.0/24)

    • Located in two different neighborhoods (availability zones)

  3. Gateways:

    • An Internet Gateway (main entrance)

    • A NAT Gateway (service entrance)

  4. Route Tables:

    • Public routes for front yards

    • Private routes for back yards

Real-World Application

Now that our cloud neighborhood is built, here's how you might use it:

  • Public Subnets (Front Yards): Place web servers, load balancers, and public-facing applications here

  • Private Subnets (Back Yards): Place databases, application servers, and other sensitive resources here

  • Multiple AZs (Different Neighborhoods): Ensures your application stays running even if one area has problems

Conclusion

Building a VPC architecture might seem complicated at first, but when you break it down into simple concepts like yards, entrances, and traffic rules, it becomes much clearer.

This architecture follows AWS best practices and gives you a solid foundation for hosting applications securely in the cloud. As your needs grow, you can expand this architecture by adding more subnets or connecting to other VPCs.

Remember: in the cloud, good fences (network boundaries) really do make good neighbors (secure applications)!

Now go ahead and start placing your resources in your new cloud home. Your web servers will enjoy the view from the front yard, while your databases can relax securely in the backyard!