
Monday, 17 April 2017

What is VPC? Learn from scratch

VPC (Virtual Private Cloud) is an isolated network area carved out on AWS for you. You control the size of this area and the private IP range used in it. You also control the behavior of the different sections of this VPC (which are called Subnets).

If you don't have time to read, just watch this compiled video playlist.

A subnet can be Public or Private in nature. You launch instances (EC2, RDS, Redshift etc.) by choosing a subnet, and this decides the private IP of the instance. In addition, the network-level behavior is also decided by the subnet: an instance in a Public Subnet is reachable from the Internet (e.g. web servers), while an instance in a Private Subnet is not reachable from the Internet (e.g. DB servers). All the instances in a VPC can talk to each other using private IPs.

With a new AWS account, you get a default VPC in every region. You should use this only for initial practice and quick instance launches. For any customer POC / implementation, do not use the Default VPC; rather, create a new VPC based on customer (or project) requirements. Watch this video to learn VPC creation from scratch --

Based on the above video you can create a new VPC. While creating the VPC and subnets, take care of their sizing, as these cannot be modified once created (a VPC / subnet needs to be deleted and re-created; there is no modification/extension). Talk to your customer, understand how many resources need to be placed in Public and Private subnets, and size them accordingly.
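Since subnet sizes cannot be changed later, it helps to plan the carve-up before clicking through the console. The following planner is an added example (not from the original post): it takes a VPC CIDR, the number of usable hosts each tier needs, and the AZs, and it reserves the five addresses AWS withholds in every subnet (network, VPC router, DNS, future use, broadcast). Tier names and host counts below are constructed sample input.

```python
import ipaddress
import math

AWS_RESERVED_PER_SUBNET = 5  # network, VPC router, DNS, future use, broadcast


def subnet_prefix_for(hosts_needed):
    """Smallest prefix that still leaves hosts_needed usable IPs after the
    five reserved addresses; AWS subnets must be between /16 and /28."""
    total = hosts_needed + AWS_RESERVED_PER_SUBNET
    prefix = 32 - math.ceil(math.log2(total))
    if prefix > 28:
        return 28  # cannot go smaller than /28 on AWS
    if prefix < 16:
        raise ValueError("a single subnet cannot exceed /16 on AWS")
    return prefix


def plan_subnets(vpc_cidr, tiers, azs):
    """Carve vpc_cidr into one subnet per (tier, AZ), biggest blocks first,
    so nothing overlaps. tiers is {name: usable_hosts_needed}."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError("VPC CIDR must be between /16 and /28")
    wanted = sorted((subnet_prefix_for(hosts), name, az)
                    for name, hosts in tiers.items() for az in azs)
    free = [vpc]          # unallocated blocks, kept sorted by address
    plan = []
    for prefix, name, az in wanted:
        for i, block in enumerate(free):
            if block.prefixlen <= prefix:     # block is big enough
                chosen = next(block.subnets(new_prefix=prefix))
                free[i:i + 1] = sorted(block.address_exclude(chosen))
                plan.append({"name": f"{name}-{az}", "cidr": str(chosen),
                             "usable": chosen.num_addresses - AWS_RESERVED_PER_SUBNET})
                break
        else:
            raise ValueError(f"{vpc_cidr} has no room for {name} in {az} (/{prefix})")
    return plan


if __name__ == "__main__":
    # constructed sample: 50 web hosts per AZ in public, 200 DB/app hosts per AZ in private
    for s in plan_subnets("10.0.0.0/16", {"public": 50, "private": 200}, ["a", "b"]):
        print(s)
```

The error path matters as much as the happy path: if a tier does not fit, the planner fails before anything is created, which is exactly when you still can fix it.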

The instances launched in a Private subnet are not reachable from the Internet directly. If you need to change something on Private instances, you will have to make use of a Bastion Host (or Jumpbox). A Bastion Host is just a small machine (Windows/Linux) launched in a Public subnet (and given a public IP). We first log in (via RDP/SSH) to this machine and then connect to machines in Private Subnets via their private IPs. You can learn the same with a demo video here ---

A VPC exists at the region level; a subnet exists at the AZ level. The following entities exist within a VPC:

  • Security Group (VPC level, across all subnets in that VPC) (learn SG here)
  • NACL (VPC level, across all subnets in that VPC)
  • ENI (at the subnet level) (learn ENI here)

At minimum, you should have your subnets in 2 different AZs to ensure high availability. Within a VPC:

  1. A Security Group can be attached to multiple instances
  2. An instance can have multiple Security Groups attached to it
  3. A subnet can have only one NACL attached to it
  4. A NACL can be attached to multiple subnets

Every VPC is an isolated network, and 2 VPCs cannot talk to each other (except over the public network). If you want to enable communication between 2 VPCs over the Amazon private network, use the VPC Peering option ---

Happy Learning AWS. Please do share this post with your friends :) 


  1. Excellent tutorial ! Comprehensive coverage. Thanks a lot Knowledge India...

    1. Thanks Lucky. Please share this post with your friends.

  2. Really very good videos on VPC and informative. I'm seeing the SysOps playlist videos and they are really. Your blog was recommended by one of my colleagues.

    Recently I have encountered a question from my colleague; even he doesn't know the solution. It will be really helpful if you can guide me for the below scenario.

    Q: How can we make the private-a and public-a subnets not communicate with each other, considering both subnets are in the same VPC?

    Is there a way to achieve the above scenario? Please help me if there is any.


    1. Thanks Ayub.
      That's possible with NACLs. Use 2 different NACLs with the 2 subnets. Add a DENY rule for the incoming traffic from the other subnet's range.

      Don't miss to join our LIVE sessions every weekend. Details on right side.

    2. Thanks a lot knowledgeIndia for the quick reply.

