VPC knowledge base
Cheat-sheet style reference for AWS VPC building blocks. For the narrative deep-dive see AWS VPC Fundamentals. This page is optimised for fast lookup: tables, defaults, limits, cost gotchas.
Object cheat-sheet
| Object | What it is | Scope | Key fact |
|---|---|---|---|
| VPC | Virtual L3 network / address space | Region | IPv4 CIDRs from /16 (largest) to /28 (smallest); up to 5 IPv4 CIDRs per VPC by default (primary + secondaries, soft limit) |
| Subnet | Slice of VPC CIDR | Single AZ | 5 IPs reserved per subnet (network, router, DNS, future, broadcast) |
| Route table | Per-subnet forwarding policy | VPC | One table per subnet; many subnets can share one table |
| IGW | Internet gateway (1:1 NAT for public IPs) | VPC | Free; one per VPC; horizontally scaled by AWS |
| NAT Gateway | Outbound-only NAT for private subnets | AZ | Expensive: hourly + per-GB processed. Deploy one per AZ: a subnet routed to a NAT GW in another AZ pays cross-AZ transfer and loses egress if that AZ fails |
| NAT Instance | Self-managed EC2 doing NAT | Subnet (single AZ) | Cheap, but you patch, scale and fail it over; source/destination check must be disabled on its ENI |
| VGW / TGW | On-prem gateway / hub router | VPC / Region | TGW replaces VGW+peering mesh at scale |
| VPC Endpoint (Gateway) | Private route to S3 / DynamoDB | VPC | Free; always enable for S3. Only reachable from inside the VPC, not over peering, VPN, DX or TGW |
| VPC Endpoint (Interface) | ENI in your VPC → AWS service via PrivateLink | Subnet | Hourly + data; needed for most services |
| Peering | 1:1 VPC-to-VPC | Region or cross-region | Non-transitive; CIDRs must not overlap |
| Security Group | Stateful per-ENI firewall | VPC | Allow only; implicit deny; refs other SGs |
| NACL | Stateless per-subnet ACL | Subnet | Allow + deny; ordered rules; both directions |
| Flow Logs | Flow metadata capture | VPC / subnet / ENI | 5-tuple + action; no payload. Aggregated per interval, not real time; omits DNS to the .2 resolver, instance-metadata (169.254.169.254) and DHCP traffic |
| Traffic Mirroring | Full packet copy to target ENI | ENI | For IDS/forensics; Nitro only |
Reserved IPs per subnet
For a 10.0.0.0/24 subnet:
| IP | Purpose |
|---|---|
| 10.0.0.0 | Network address |
| 10.0.0.1 | VPC router (first hop) |
| 10.0.0.2 | DNS resolver (.2 in every subnet; VPC base + 2 is the Route 53 Resolver) |
| 10.0.0.3 | Reserved for future use |
| 10.0.0.255 | "Broadcast", reserved even though broadcast doesn't exist in a VPC |
Usable: .4 through .254 → 251 hosts on a /24.
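The /24 table above is one instance of a general rule: four addresses at the bottom and one at the top of every subnet are unusable, whatever the prefix. The helper below is an added example (not part of the original cheat sheet) that applies that rule to any AWS-valid prefix, rejects prefixes outside the /16 to /28 range, and carves a tier-by-AZ subnet plan out of a VPC CIDR so the usable host count per subnet is visible before anything is created. Standard library only; the VPC CIDR, AZ names and tier names in the demo are constructed.

```python
"""Subnet sizing helper for AWS VPC CIDR planning (added example).

Encodes two AWS rules: the first four and the last address of every
subnet are reserved, and IPv4 VPC/subnet prefixes run from /16 to /28.
"""
import ipaddress

RESERVED_PER_SUBNET = 5          # network, router, DNS, future, "broadcast"
MIN_PREFIX, MAX_PREFIX = 16, 28  # AWS IPv4 VPC/subnet prefix bounds


def reserved_addresses(cidr: str) -> dict:
    """Return the five addresses AWS reserves in a subnet, keyed by purpose."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{cidr}: AWS IPv4 subnets must be /16 to /28")
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(cidr: str) -> int:
    """Usable host addresses after AWS's five reserved addresses."""
    net = ipaddress.ip_network(cidr, strict=True)
    reserved_addresses(cidr)  # validates version and prefix bounds
    return net.num_addresses - RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr: str, subnet_prefix: int, azs: list, tiers: list) -> list:
    """Carve one subnet per (tier, AZ) from vpc_cidr, tier-major order.

    Returns a list of dicts; raises ValueError if the VPC cannot hold them.
    Tier-major ordering keeps each tier's subnets contiguous, which makes
    NACL and route-table CIDRs easier to aggregate later.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not MIN_PREFIX <= vpc.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{vpc_cidr}: VPC CIDR must be /16 to /28")
    if subnet_prefix < vpc.prefixlen or subnet_prefix > MAX_PREFIX:
        raise ValueError(f"/{subnet_prefix} does not fit inside {vpc_cidr} (max /28)")
    needed = len(azs) * len(tiers)
    candidates = list(vpc.subnets(new_prefix=subnet_prefix))
    if needed > len(candidates):
        raise ValueError(
            f"{vpc_cidr} holds only {len(candidates)} /{subnet_prefix} subnets, need {needed}"
        )
    plan = []
    it = iter(candidates)
    for tier in tiers:
        for az in azs:
            cidr = str(next(it))
            plan.append({"tier": tier, "az": az, "cidr": cidr,
                         "usable": usable_hosts(cidr)})
    return plan


if __name__ == "__main__":
    # Constructed demo inputs: a /16 VPC, three AZs, two tiers of /20s.
    for purpose, addr in reserved_addresses("10.0.0.0/24").items():
        print(f"{purpose:10} {addr}")
    print("usable /24:", usable_hosts("10.0.0.0/24"))
    for row in plan_subnets("10.0.0.0/16", 20, ["a", "b", "c"], ["public", "private"]):
        print(row)
```

A /28, the smallest subnet AWS allows, leaves only 11 usable addresses, which is why tiny subnets for NAT gateways or endpoints fill up faster than the prefix suggests.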
Default limits (common ones)
| Item | Default | Notes |
|---|---|---|
| VPCs per region | 5 | Soft limit |
| Subnets per VPC | 200 | Soft |
| Route tables per VPC | 200 | Soft |
| Route entries per table | 50 non-propagated | Soft, up to 1,000; BGP-propagated routes are capped at 100 (hard) |
| Security Groups per VPC | 2,500 | Soft |
| Rules per SG | 60 inbound + 60 outbound | Soft |
| SGs per ENI | 5 | Soft, up to 16; rules per SG × SGs per ENI must stay ≤ 1,000 |
| NAT Gateways per AZ | 5 | Soft |
| Elastic IPs per region | 5 | Soft |
If you’re hitting these, request quota increases in Service Quotas.
Route table target cheat-sheet
| Target | Typical destination | Used for |
|---|---|---|
| local | VPC CIDR | Automatic; cannot be deleted |
| igw-xxxx | 0.0.0.0/0 | Public subnet default route |
| eigw-xxxx | ::/0 | IPv6 outbound only (egress-only IGW) |
| nat-xxxx | 0.0.0.0/0 | Private subnet default route (outbound) |
| pcx-xxxx | Peer VPC CIDR | Peering |
| tgw-xxxx | Multiple CIDRs, often 0.0.0.0/0 | Transit gateway attachment |
| vgw-xxxx | On-prem CIDR | Site-to-Site VPN / Direct Connect |
| vpce-xxxx | pl-xxxx (S3 / DynamoDB managed prefix list) | Gateway endpoint |
| eni-xxxx or GWLB vpce-xxxx | Any, including a subnet CIDR inside the VPC | Steering to a network virtual appliance (firewall) |
Longest-prefix match wins. The local route for the VPC CIDR cannot be removed, but it is not always the most specific: since the 2021 routing enhancements a route narrower than the VPC CIDR (for example a subnet's /24 pointed at an appliance ENI or Gateway Load Balancer endpoint) overrides local for that range and forces intra-VPC traffic through the appliance. Two routes with the identical prefix cannot coexist in one table, so there is no tie to break.
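The lookup the VPC router performs is worth seeing end to end, including the prefix-list expansion for a gateway endpoint and a more-specific route overriding `local`. The resolver below is an added example, not part of the original page; its route table, prefix-list contents and all `xxx-0example` IDs are constructed for illustration (real `pl-` IDs resolve to AWS-published ranges, not the ones shown).

```python
"""Route-table lookup the way the VPC router does it: longest prefix match.

Added example. Shows the 'local' route being overridden for one subnet by
a more specific route to a firewall ENI, which is how intra-VPC inspection
is forced, plus prefix-list expansion for a gateway endpoint route.
"""
import ipaddress

# Constructed route table for a private subnet in a 10.0.0.0/16 VPC.
ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),            # automatic, cannot be deleted
    ("0.0.0.0/0", "nat-0example"),       # default route via NAT GW
    ("10.1.0.0/16", "pcx-0example"),     # peering to another VPC
    ("172.16.0.0/12", "tgw-0example"),   # on-prem via Transit Gateway
    ("10.0.3.0/24", "eni-0firewall"),    # more specific than local: steer to NVA
    ("pl-s3-example", "vpce-0example"),  # gateway endpoint: prefix-list destination
]

# Constructed prefix-list contents; real S3 prefix lists are AWS-managed.
PREFIX_LISTS = {
    "pl-s3-example": ["52.216.0.0/15", "54.231.0.0/16"],
}


def expand_routes(table, prefix_lists):
    """Flatten prefix-list destinations into plain (network, target) tuples."""
    out = []
    for dest, target in table:
        for cidr in prefix_lists.get(dest, [dest]):
            out.append((ipaddress.ip_network(cidr), target))
    return out


def resolve(dst_ip: str, table=ROUTE_TABLE, prefix_lists=PREFIX_LISTS) -> str:
    """Return the target the VPC router picks for dst_ip (longest prefix wins).

    Returns 'blackhole' when nothing matches, which is what a table with
    no 0.0.0.0/0 route does for non-VPC destinations.
    """
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for net, target in expand_routes(table, prefix_lists):
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else "blackhole"


def intra_vpc_overrides(table, vpc_cidr: str):
    """List routes narrower than the VPC CIDR: these override 'local'.

    Useful as an audit: any entry here means traffic between two subnets
    is being steered somewhere other than the implicit router.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    overrides = []
    for dest, target in table:
        if dest.startswith("pl-"):
            continue
        net = ipaddress.ip_network(dest)
        if net != vpc and net.subnet_of(vpc):
            overrides.append((dest, target))
    return overrides


if __name__ == "__main__":
    for ip in ("10.0.3.10", "10.0.5.10", "10.1.2.3", "172.20.0.1", "52.216.1.1", "8.8.8.8"):
        print(f"{ip:14} -> {resolve(ip)}")
    print("intra-VPC overrides:", intra_vpc_overrides(ROUTE_TABLE, "10.0.0.0/16"))
```

`intra_vpc_overrides` is the check to run when a table looks innocuous but east-west traffic is unexpectedly hitting an appliance (or a deleted ENI, which shows up as a blackhole route in the console).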
Gateway endpoint vs interface endpoint
| | Gateway endpoint | Interface endpoint (PrivateLink) |
|---|---|---|
| Services | S3, DynamoDB | 100+ (EC2 API, KMS, SSM, Secrets Manager, ECR, STS, …) |
| Mechanism | Route table entry pointing the service's pl-xxxx prefix list at vpce-xxxx | ENI with a private IP in each subnet you choose |
| Reachability | Only from resources inside the VPC; not over peering, VPN, DX or TGW | Anything that can route to the ENI, including peered VPCs and on-prem |
| DNS | No DNS change needed; traffic is matched by prefix list | Turn on private DNS so the public service hostname resolves to the endpoint ENI |
| Access control | Endpoint policy, plus `aws:sourceVpce` conditions in the bucket/table policy | Endpoint policy, plus a security group on the ENI |
| Cost | Free | Hourly per endpoint per AZ + per-GB |
| When to use | S3/DDB traffic originating inside the VPC: always | Anything else you want kept off the internet, or S3 access from peered/on-prem networks |
Connectivity decision tree
Need: VPC ↔ other VPC (same or cross-account)
└─ few VPCs, point-to-point ─────────→ VPC Peering
└─ many VPCs, transitive ───────────→ Transit Gateway
└─ cross-region, at scale ──────────→ TGW Peering or Cloud WAN
└─ private publish a service to consumers → PrivateLink
Need: VPC ↔ on-prem
└─ over internet, encrypted ─────────→ Site-to-Site VPN (IKEv2)
└─ dedicated circuit, low latency ───→ Direct Connect (+ optional VPN backup)
└─ hub integrating many sites/VPCs ─→ TGW + DX Gateway
Need: VPC ↔ AWS service (S3, DDB, STS, KMS…)
└─ S3 / DynamoDB ───────────────────→ Gateway Endpoint (free)
└─ anything else ───────────────────→ Interface Endpoint (PrivateLink)
Need: outbound internet from private subnet
└─ regular traffic ─────────────────→ NAT Gateway (managed, expensive)
└─ cost-sensitive / low volume ────→ NAT Instance (self-managed)
└─ IPv6-only outbound ─────────────→ Egress-only Internet Gateway
Cost traps
- NAT Gateway processing charges: $0.045/GB processed (plus roughly $0.045/h per gateway, us-east-1 pricing). Backups, container pulls and apt updates via NAT get expensive fast. Mitigation: S3 Gateway Endpoint (free); ECR Interface Endpoints (ecr.api and ecr.dkr, with the S3 gateway endpoint for layer downloads) for container pulls; package mirrors in-VPC.
- Cross-AZ data transfer: $0.01/GB each way inside a Region. DB primary in AZ-a and app in AZ-b means every query crosses a charge boundary. Inter-region transfer costs much more; don't accidentally put a replica in us-west-2 when the primary is in us-east-1.
- Public IPv4 addresses: since February 2024 every public IPv4 address, Elastic or auto-assigned, attached or idle, is billed at $0.005/h (idle EIPs were already charged before that). Release unused EIPs and keep instances that need no inbound access in private subnets.
- Flow Logs to CloudWatch Logs: ingest charge per GB. Use the S3 destination for long retention.
Default VPC facts
- One per Region, CIDR 172.31.0.0/16
- A /20 default subnet per AZ (4091 usable IPs each)
- Default route to the IGW attached at create time
- Auto-assign public IP is enabled on default subnets
- Safe to leave for labs; don’t deploy real workloads into it
SG vs NACL at a glance
| | Security Group | NACL |
|---|---|---|
| Attached to | ENI | Subnet |
| State | Stateful | Stateless |
| Action | Allow only | Allow + deny |
| Evaluation | Union of all rules | First match by rule number |
| References | Can reference other SGs, prefix lists, IPs | IPs / CIDRs only |
| Ephemeral ports | Not needed (stateful) | Must allow manually for return traffic |
| Default | New SG: no inbound rules (implicit deny), outbound allow all; the VPC's default SG additionally allows inbound from its own members | Default NACL: allow all; custom NACL: deny all until rules are added |
See AWS Security Groups vs NACLs for full comparison.
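The "ephemeral ports" row is the one that bites in practice: the request passes every rule and the reply is silently dropped. The simulator below is an added example (not from the original page or AWS) that evaluates one TCP request and its reply through both layers exactly as the table describes: security groups as an unordered union of allows checked once per connection, NACLs as numbered rules checked per packet in both directions. The rule sets, addresses and port numbers are constructed; the broken case is a server-subnet NACL whose egress rule allows only port 443 instead of the ephemeral range.

```python
"""Stateful vs stateless evaluation: why a NACL needs ephemeral-port rules.

Added example. Models one TCP request (client -> server:443) and its reply
and evaluates security groups and network ACLs the way AWS does.
Rule data is constructed; it is not a real account's configuration.
"""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # AWS guidance for NACL return-traffic rules


@dataclass
class Rule:
    proto: str            # "tcp", "udp" or "-1" (all protocols)
    ports: tuple          # (from, to), inclusive
    cidr: str
    action: str = "allow"  # NACLs may say "deny"; SGs are allow-only
    number: int = 0        # NACL rule number; ignored for SGs


def _matches(rule, proto, port, addr):
    return (rule.proto in ("-1", proto)
            and rule.ports[0] <= port <= rule.ports[1]
            and ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr))


def sg_allows(rules, proto, port, peer_addr):
    """Security group: union of allow rules, implicit deny, no ordering."""
    return any(r.action == "allow" and _matches(r, proto, port, peer_addr) for r in rules)


def nacl_allows(rules, proto, port, peer_addr):
    """NACL: the lowest-numbered matching rule decides; the implicit '*' rule denies."""
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, proto, port, peer_addr):
            return r.action == "allow"
    return False


def tcp_connection_ok(client_ip, client_port, server_ip, server_port,
                      client_sg_out, server_sg_in,
                      client_nacl_out, client_nacl_in,
                      server_nacl_in, server_nacl_out):
    """Return (ok, reasons) for one TCP request/reply pair.

    SGs are checked once per direction of the connection (stateful).
    NACLs are checked per packet, so the reply is evaluated against the
    client's ephemeral port in both subnets.
    """
    reasons = []
    # Stateful: the request only; the reply is tracked automatically.
    if not sg_allows(client_sg_out, "tcp", server_port, server_ip):
        reasons.append("client SG outbound blocks request")
    if not sg_allows(server_sg_in, "tcp", server_port, client_ip):
        reasons.append("server SG inbound blocks request")
    # Stateless: request packet, then reply packet, each subnet each way.
    if not nacl_allows(client_nacl_out, "tcp", server_port, server_ip):
        reasons.append("client subnet NACL egress blocks request")
    if not nacl_allows(server_nacl_in, "tcp", server_port, client_ip):
        reasons.append("server subnet NACL ingress blocks request")
    if not nacl_allows(server_nacl_out, "tcp", client_port, client_ip):
        reasons.append("server subnet NACL egress blocks reply (ephemeral port)")
    if not nacl_allows(client_nacl_in, "tcp", client_port, server_ip):
        reasons.append("client subnet NACL ingress blocks reply (ephemeral port)")
    return (not reasons, reasons)


# Constructed policy: SGs are correct; only the server NACL egress differs.
ALLOW_ALL = [Rule("-1", (0, 65535), "0.0.0.0/0", "allow", 100)]
CLIENT_SG_OUT = [Rule("-1", (0, 65535), "0.0.0.0/0")]
SERVER_SG_IN = [Rule("tcp", (443, 443), "10.0.1.0/24")]
SERVER_NACL_IN = [Rule("tcp", (443, 443), "10.0.1.0/24", "allow", 100)]
SERVER_NACL_OUT_BROKEN = [Rule("tcp", (443, 443), "10.0.1.0/24", "allow", 100)]
SERVER_NACL_OUT_FIXED = [Rule("tcp", EPHEMERAL, "10.0.1.0/24", "allow", 100)]


def demo(server_nacl_out):
    """Client 10.0.1.50 (ephemeral 51234) -> server 10.0.2.20:443."""
    return tcp_connection_ok("10.0.1.50", 51234, "10.0.2.20", 443,
                             CLIENT_SG_OUT, SERVER_SG_IN,
                             ALLOW_ALL, ALLOW_ALL,
                             SERVER_NACL_IN, server_nacl_out)


if __name__ == "__main__":
    print("broken:", demo(SERVER_NACL_OUT_BROKEN))
    print("fixed: ", demo(SERVER_NACL_OUT_FIXED))
```

The same `nacl_allows` also shows the ordering rule: a deny numbered 90 beats an allow-all numbered 100, and swapping the numbers silently neuters the deny, which is the usual way a "block this CIDR" NACL rule ends up doing nothing.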
Troubleshooting checklist — “why can’t A reach B?”
- Route table — is there a route from A’s subnet to B’s CIDR?
- Route table (return) — is there a route from B’s subnet back to A?
- Security Group (A outbound) — permits the destination?
- Security Group (B inbound) — permits the source (IP, CIDR, or SG id)?
- NACL (A subnet, egress + ingress) — allows both the forward packet and the return?
- NACL (B subnet) — same check, both directions?
- Public IP / NAT — if crossing the internet, does A have a path out (IGW or NAT)?
- DNS — is A resolving B’s hostname to the expected IP (private vs public DNS)?
- Flow Logs — find the 5-tuple and check whether action is ACCEPT or REJECT. A REJECT by itself does not say whether the SG or the NACL dropped it, but the pattern does: a request ACCEPTed on an ENI whose reply shows as REJECT on the same ENI can only be a stateless NACL missing an ephemeral-port rule, because a stateful SG would have let the reply through.
- MTU / path MTU — 1500 toward the internet (9001 jumbo frames within a VPC); IPsec VPN and overlays are lower (Site-to-Site VPN tunnels carry 1446). Test with the DF bit set, e.g. `ping -M do -s 1472 <host>` on Linux, and step the size down until it passes.
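Applying the Flow Logs check by hand across thousands of records is error-prone, so the script below, an added example rather than anything from the original page, does the correlation: it parses default-format v2 records, pairs each REJECT with the reverse 5-tuple on the same ENI, and separates reply drops (a stateless NACL) from request drops (SG or NACL; flow logs cannot tell those apart). The log lines, account ID and ENI ID are constructed samples.

```python
"""Correlate VPC Flow Log records to separate NACL reply drops from
request drops (added example, constructed data).

Default v2 format, space separated:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
"""
from collections import defaultdict

# Constructed sample: one HTTPS session whose reply is dropped, one SSH
# probe rejected outright, one healthy HTTPS session, one NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0abc1234def567890 10.0.1.50 10.0.2.20 51234 443 6 5 420 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc1234def567890 10.0.2.20 10.0.1.50 443 51234 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc1234def567890 198.51.100.7 10.0.2.20 40000 22 6 1 44 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc1234def567890 10.0.1.51 10.0.2.20 52000 443 6 8 900 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc1234def567890 10.0.2.20 10.0.1.51 443 52000 6 6 700 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc1234def567890 - - - - - - - - 1700000000 1700000060 - NODATA
"""

FIELDS = ("version", "account", "eni", "src", "dst", "sport", "dport",
          "proto", "packets", "bytes", "start", "end", "action", "status")


def parse(text):
    """Parse default-format v2 records; drop malformed and NODATA/SKIPDATA rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["status"] != "OK":
            continue
        records.append(rec)
    return records


def classify(records):
    """Return {'nacl_reply_drops': [...], 'request_rejects': [...]}.

    nacl_reply_drops: the reverse flow on the same ENI was ACCEPTed, so
        the REJECT is a stateless NACL dropping return traffic.
    request_rejects: no ACCEPTed counterpart; the request itself was
        blocked by an SG or a NACL (flow logs don't distinguish).
    Entries are (eni, src, dst, sport, dport, proto) tuples.
    """
    actions = {}
    for r in records:
        key = (r["eni"], r["src"], r["dst"], r["sport"], r["dport"], r["proto"])
        actions[key] = r["action"]
    result = defaultdict(list)
    for key, action in actions.items():
        if action != "REJECT":
            continue
        eni, src, dst, sport, dport, proto = key
        reverse = (eni, dst, src, dport, sport, proto)
        bucket = "nacl_reply_drops" if actions.get(reverse) == "ACCEPT" else "request_rejects"
        result[bucket].append(key)
    return dict(result)


if __name__ == "__main__":
    for kind, flows in classify(parse(SAMPLE_LOG)).items():
        print(kind)
        for flow in flows:
            print("  ", flow)
```

Run against a real export, the `nacl_reply_drops` bucket is the list of NACLs to fix; the `request_rejects` bucket still needs the SG and NACL checks above, and, since an instance-level record only appears for traffic that reached the ENI, a missing record points back at routing.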
Diagram slot
Add VPC topology diagrams to Assets/VPC/ and embed here:
![[Assets/VPC/<diagram>.png]]