2026-02-18

Introduction to AWS Virtual Private Cloud (VPC) - Part 2


In Part 1, we covered the basics of AWS VPC, including CIDR blocks, Subnets, and Route Tables. In this second part, we will explore advanced connectivity options and monitoring features that are crucial for building secure and scalable network architectures on AWS.

<div class="toc">
<ul>
<li><a href="#nat-and-subnets">Network Address Translation (NAT) & Subnets</a></li>
<li><a href="#nat-gateways">NAT Gateways</a></li>
<li><a href="#nat-instances">NAT Instances</a></li>
<li><a href="#creating-nat-gateway">Step-by-Step: Creating a NAT Gateway</a></li>
<li><a href="#route-53-resolver">Route 53 Resolver</a></li>
<li><a href="#vpc-flow-logs">VPC Flow Logs</a></li>
<li><a href="#faq">Frequently Asked Questions</a></li>
</ul>
</div>

<h2 id="nat-and-subnets">Network Address Translation (NAT) & Subnets</h2>

When designing a VPC, security best practices dictate that backend resources (like databases or application servers) should reside in Private Subnets. These subnets do not have a direct route to the Internet Gateway (IGW), meaning they cannot be reached from the internet.

However, these resources often need to access the internet for valid reasons, such as:

  • Downloading software updates (e.g., yum update or apt-get upgrade).
  • Fetching libraries from external repositories.
  • Connecting to third-party APIs.

This is where Network Address Translation (NAT) comes into play. NAT allows instances in a private subnet to initiate outbound traffic to the internet while preventing unsolicited inbound traffic from reaching them.

<h2 id="nat-gateways">NAT Gateways</h2>

An AWS NAT Gateway is a managed service that provides NAT functionality. It is designed to be highly available and scalable.

  • Managed Service: AWS handles the maintenance, patching, and scaling.
  • High Availability: It is created in a specific Availability Zone (AZ) and provides redundancy within that zone. For multi-AZ redundancy, you should create a NAT Gateway in each AZ.
  • Performance: It can scale up to 45 Gbps of bandwidth automatically.

To use a NAT Gateway, it must be deployed in a Public Subnet and associated with an Elastic IP (EIP) address. The private subnet's route table is then updated to point internet-bound traffic (0.0.0.0/0) to the NAT Gateway.

<h2 id="nat-instances">NAT Instances</h2>

Before NAT Gateways existed, the standard way to achieve this was using a NAT Instance. This is simply an EC2 instance configured to forward traffic.

  • Self-Managed: You are responsible for OS patches, software updates, and scaling.
  • Cost: Can be cheaper for low-traffic workloads since you pay for the instance type, whereas NAT Gateways have an hourly charge plus data processing fees.
  • Configuration: You must disable Source/Destination Checks on the EC2 instance network interface for it to function as a NAT.

While NAT Instances are still available, NAT Gateways are recommended for most production workloads due to their ease of management and high availability.

<h2 id="creating-nat-gateway">Step-by-Step: Creating a NAT Gateway</h2>

Here is how you can set up a NAT Gateway in the AWS Console:

  1. Navigate to VPC Dashboard: Open the AWS Management Console and go to the VPC service.
  2. Select NAT Gateways: In the left sidebar, click on NAT Gateways and then Create NAT gateway.
  3. Configure Settings:
    • Name: Give it a meaningful name (e.g., my-vpc-nat-gw).
    • Subnet: Select a Public Subnet where the NAT Gateway will reside.
    • Elastic IP Allocation: Click Allocate Elastic IP to assign a static public IP to the gateway.
  4. Create: Click Create NAT gateway.
  5. Update Route Tables:
    • Go to Route Tables.
    • Select the Route Table associated with your Private Subnet.
    • Add a route: Destination 0.0.0.0/0, Target nat-xxxxxxxxx (the ID of your new NAT Gateway).
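Once those steps are done, the same placement rules can be verified programmatically. The following is an added example, not code from the original post: it checks that a "private" subnet's default route targets a NAT Gateway, that the NAT Gateway itself sits in a subnet with an IGW default route, and that it holds an Elastic IP. The input dictionaries are constructed samples shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` (IDs such as `nat-0f9e8d7c` and `subnet-pub-a` are made up), and the fallback to the VPC's main route table is deliberately not modelled.

```python
# Constructed sample (not from the page), shaped like the JSON that
# `aws ec2 describe-route-tables` and `aws ec2 describe-nat-gateways` return.
ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-pub", "Associations": [{"SubnetId": "subnet-pub-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d"}]},
    {"RouteTableId": "rtb-priv", "Associations": [{"SubnetId": "subnet-priv-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0f9e8d7c"}]},
    # Misconfiguration to catch: a "private" subnet whose default route hits the IGW.
    {"RouteTableId": "rtb-oops", "Associations": [{"SubnetId": "subnet-priv-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d"}]},
]}
NAT_GATEWAYS = {"NatGateways": [
    {"NatGatewayId": "nat-0f9e8d7c", "SubnetId": "subnet-pub-a", "State": "available",
     "NatGatewayAddresses": [{"PublicIp": "203.0.113.10"}]},
]}

def default_route_target(route_tables, subnet_id):
    """Target of the subnet's 0.0.0.0/0 route ('igw-...', 'nat-...') or None.
    Simplification: explicit subnet associations only, not the VPC main route table."""
    for rtb in route_tables["RouteTables"]:
        if any(a.get("SubnetId") == subnet_id for a in rtb["Associations"]):
            for route in rtb["Routes"]:
                if route.get("DestinationCidrBlock") == "0.0.0.0/0":
                    return route.get("GatewayId") or route.get("NatGatewayId")
    return None

def is_public_subnet(route_tables, subnet_id):
    """A subnet is public when its default route points at an Internet Gateway."""
    target = default_route_target(route_tables, subnet_id)
    return bool(target) and target.startswith("igw-")

def check_private_subnet(route_tables, nat_gateways, subnet_id):
    """Findings for a subnet that is meant to be private; an empty list means OK."""
    target = default_route_target(route_tables, subnet_id)
    if target is None:
        return ["no default route: instances cannot reach the internet for updates"]
    if target.startswith("igw-"):
        return ["default route targets an IGW: subnet is actually public"]
    nat = next((n for n in nat_gateways["NatGateways"] if n["NatGatewayId"] == target), None)
    if nat is None:
        return [f"default route targets unknown NAT gateway {target}"]
    findings = []
    if not is_public_subnet(route_tables, nat["SubnetId"]):
        findings.append(f"NAT gateway {target} is not in a public subnet")
    if not any(a.get("PublicIp") for a in nat.get("NatGatewayAddresses", [])):
        findings.append(f"NAT gateway {target} has no Elastic IP")
    return findings
```

Running `check_private_subnet` over every subnet you intend to be private is a cheap guard against the classic mistake of attaching the public route table to a backend subnet.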

<h2 id="route-53-resolver">Route 53 Resolver</h2>

Have you ever wondered how your EC2 instances resolve DNS names like google.com or internal names like db.local? This is handled by the Route 53 Resolver (formerly known as the .2 resolver).

In every VPC subnet, the IP address ending in .2 (e.g., 10.0.0.2 for a 10.0.0.0/24 subnet) is reserved for the AWS DNS resolver.

  • Magic Service: It is highly available and requires no management.
  • Hybrid DNS: With Route 53 Resolver Endpoints (Inbound/Outbound), you can resolve on-premises DNS names from your VPC and vice versa, enabling seamless hybrid cloud connectivity.

<h2 id="vpc-flow-logs">VPC Flow Logs</h2>

VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. This data is critical for:

  • Security Monitoring: Detecting malicious scanning or unauthorized access attempts.
  • Troubleshooting: Diagnosing connectivity issues (e.g., why is my instance not reachable?).

Flow log data can be published to:

  1. Amazon CloudWatch Logs
  2. Amazon S3

A flow log record includes details like the Source IP, Destination IP, Protocol, Port, and Action (ACCEPT/REJECT).

Example of a Flow Log record:

<pre><code>2 123456789012 eni-abc123de 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK</code></pre>

<h2 id="faq">Frequently Asked Questions (FAQ)</h2>

<h3>1. Can I use a NAT Gateway to expose my private instance to the internet?</h3>

No. A NAT Gateway allows outbound traffic <em>from</em> private instances to the internet, but it does not allow inbound connections initiated from the internet. For inbound access, you would typically use a Load Balancer or place the instance in a public subnet.

<h3>2. Does Route 53 Resolver cost money?</h3>

The default DNS queries within a VPC (using the .2 address) are free. However, if you use Route 53 Resolver Endpoints for hybrid DNS or DNS Firewall, additional charges apply.

<h3>3. Where should I store my VPC Flow Logs?</h3>

If you need real-time analysis or alerts, send them to **CloudWatch Logs**. For long-term retention and cost optimization, or if you plan to query them with Amazon Athena, **Amazon S3** is the better choice.
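Wherever the flow logs end up, the first thing a defender does with them is parse the record format shown in the VPC Flow Logs section and look for the scanning pattern mentioned under Security Monitoring. The following is an added example, not code from the original post: it parses default-format (version 2) records, including the page's own sample record, and flags any source that was REJECTed on many distinct destination ports. The sample log is constructed, and the `min_ports` threshold is an assumed tuning parameter.

```python
from collections import defaultdict

# Field order of the default (version 2) flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample (not real traffic): the page's own example record, then one
# source probing several admin/database ports on one host and being rejected.
SAMPLE_LOG = """\
2 123456789012 eni-abc123de 172.31.16.139 172.31.16.21 20641 22 6 20 4249 1418530010 1418530070 ACCEPT OK
2 123456789012 eni-abc123de 198.51.100.7 172.31.16.21 51000 22 6 1 40 1418530100 1418530160 REJECT OK
2 123456789012 eni-abc123de 198.51.100.7 172.31.16.21 51001 23 6 1 40 1418530100 1418530160 REJECT OK
2 123456789012 eni-abc123de 198.51.100.7 172.31.16.21 51002 3389 6 1 40 1418530100 1418530160 REJECT OK
2 123456789012 eni-abc123de 198.51.100.7 172.31.16.21 51003 3306 6 1 40 1418530100 1418530160 REJECT OK
2 123456789012 eni-abc123de 198.51.100.7 172.31.16.21 51004 5432 6 1 40 1418530100 1418530160 REJECT OK
2 123456789012 eni-abc123de - - - - - - - 1418530200 1418530260 - NODATA
"""

def parse_record(line):
    """Parse one default-format (version 2) record into a dict.

    Numeric fields become ints; '-' (seen in NODATA/SKIPDATA records) stays a string.
    """
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        if rec[key] != "-":
            rec[key] = int(rec[key])
    return rec

def find_port_scans(log_text, min_ports=5):
    """Return {srcaddr: sorted dst ports} for sources REJECTed on >= min_ports distinct ports.

    Only records with log_status OK carry traffic data; NODATA/SKIPDATA lines are skipped.
    """
    rejected = defaultdict(set)
    for line in filter(None, log_text.splitlines()):
        rec = parse_record(line)
        if rec["log_status"] != "OK" or rec["action"] != "REJECT":
            continue
        rejected[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(ports) for src, ports in rejected.items() if len(ports) >= min_ports}
```

The same function works unchanged on a file exported from S3 or on lines pulled from CloudWatch Logs, as long as the flow log uses the default format; custom formats need their own FIELDS order.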

For more information on securing your cloud infrastructure, check out our AWS Consultancy and Kubernetes Consultancy services.

Source: https://awsfundamentals.com/blog/introduction-to-the-aws-virtual-private-cloud-vpc-part-2