AWS Part 7 → Components of VPC

7 min read · Apr 29, 2023



Router in VPC →

  1. It is the central routing function of the VPC.
  2. It connects the different availability zones together and connects the VPC to the Internet gateway.
  3. You can have up to 200 route tables per VPC.
  4. You can have up to 50 route entries per route table.
  5. Each subnet must be associated with only one route table at any given time.
  6. If you do not specify a subnet-to-route-table association, the subnet is associated with the default (main) VPC route table.
  7. You can edit the main route table if you need to, but you cannot delete the main route table.
  8. However, you can manually make a custom route table the main route table, after which you can delete the former main route table.
  9. You can associate multiple subnets with the same route table.

Internet Gateway →

  1. An Internet gateway is a virtual router that connects a VPC to the Internet.
  2. The default VPC already has an Internet gateway attached.
  3. If you create a new VPC, you must attach an Internet gateway to it to access the Internet.
  4. It performs network address translation (NAT) between your private and public IPv4 addresses.
  5. It supports both IPv4 and IPv6.

NAT Gateways →

  1. A NAT gateway resides in a public subnet. If you have more than one public subnet, you have to specify which one it is placed in.
  2. You can use a Network Address Translation (NAT) gateway to enable instances in a private subnet to connect to the Internet or other AWS services, while preventing the Internet from initiating a connection with those instances.
  3. When you want to update your database, you need to connect your private instance to the Internet. You update the route in the route table so that the traffic goes to the NAT gateway from the private IP with a port number. The NAT gateway then sends the request from its public IP and delivers the response packet back to the private IP. A request initiated from outside is not forwarded, hence it is more secure.
  4. You are charged for creating and using a NAT gateway in your account.
  5. To create a NAT gateway you must specify the public subnet in which the NAT gateway should reside.
  6. There is no need to assign a public IP address to your private instance.
  7. After you have created a NAT gateway, you must update the route table associated with one or more of your private subnets to point Internet-bound traffic to the NAT gateway. This enables instances in your private subnets to communicate with the Internet.
  8. Deleting a NAT gateway disassociates its Elastic IP address but does not release the address from your account; you have to release it manually.
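The routing rules above (a subnet falls back to the main route table, Internet-bound traffic goes to an Internet gateway in a public subnet or to a NAT gateway from a private subnet, and a NAT gateway itself must live in a public subnet) can be modelled in a few lines. The following is an added example written for this post, not code from the original article or from AWS; the VPC, subnet, gateway ids and CIDRs are constructed sample values. It goes one step beyond the text by resolving a destination with longest-prefix match, which is how the VPC router picks a route when several match.

```python
"""Added example: a small model of VPC route tables and subnet associations.
All ids (vpc/subnet/igw/nat) and CIDRs are constructed sample values."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

LOCAL = "local"  # the implicit route every VPC route table has for the VPC CIDR


@dataclass
class RouteTable:
    rtb_id: str
    routes: dict = field(default_factory=dict)  # destination CIDR -> target id


@dataclass
class Vpc:
    cidr: str
    main_rtb: str
    route_tables: dict                                 # rtb id -> RouteTable
    subnets: dict                                      # subnet id -> subnet CIDR
    associations: dict = field(default_factory=dict)  # subnet id -> rtb id (explicit only)
    nat_gateways: dict = field(default_factory=dict)  # nat id -> subnet id it lives in

    def route_table_for(self, subnet_id):
        # A subnet with no explicit association uses the main route table.
        return self.route_tables[self.associations.get(subnet_id, self.main_rtb)]

    def lookup(self, subnet_id, dest_ip):
        """Target for dest_ip from this subnet: the most specific matching route wins."""
        routes = {self.cidr: LOCAL, **self.route_table_for(subnet_id).routes}
        addr = ip_address(dest_ip)
        best = None
        for cidr, target in routes.items():
            net = ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None

    def classify(self, subnet_id):
        """public: default route -> IGW; private: -> NAT gateway; isolated: no default route."""
        target = self.route_table_for(subnet_id).routes.get("0.0.0.0/0")
        if target is None:
            return "isolated"
        if target.startswith("igw-"):
            return "public"
        if target.startswith("nat-"):
            return "private"
        return "other"

    def misplaced_nat_gateways(self):
        """NAT gateways that are not in a public subnet (they must be)."""
        return [nat for nat, sn in self.nat_gateways.items() if self.classify(sn) != "public"]


def build_sample_vpc():
    """Constructed sample: one public, one private and one isolated subnet."""
    return Vpc(
        cidr="10.0.0.0/16",
        main_rtb="rtb-main",
        route_tables={
            "rtb-main": RouteTable("rtb-main"),                       # no default route
            "rtb-public": RouteTable("rtb-public", {"0.0.0.0/0": "igw-0example"}),
            "rtb-private": RouteTable("rtb-private", {"0.0.0.0/0": "nat-0example"}),
        },
        subnets={"subnet-pub": "10.0.1.0/24", "subnet-priv": "10.0.2.0/24",
                 "subnet-db": "10.0.3.0/24"},
        associations={"subnet-pub": "rtb-public", "subnet-priv": "rtb-private"},
        nat_gateways={"nat-0example": "subnet-pub"},
    )


if __name__ == "__main__":
    v = build_sample_vpc()
    for sn in v.subnets:
        print(sn, v.classify(sn), "->", v.lookup(sn, "93.184.216.34"))
    print("misplaced NAT gateways:", v.misplaced_nat_gateways())
```

Note that `subnet-db` has no explicit association, so it inherits the main route table and, because that table has no `0.0.0.0/0` entry, it ends up isolated; that is the quiet default the text warns about. Moving `nat-0example` into a private subnet makes `misplaced_nat_gateways()` report it.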

Security Groups

  1. It is a virtual firewall that works at the ENI (Elastic Network Interface) level.
  2. A security group sits just above the instance; every request has to come through it. For example, if you allow port 80, only traffic to that port is able to come in.
  3. Up to 5 security groups can be applied per EC2 instance interface.
  4. It can have permit (allow) rules; it cannot have deny rules.
  5. It is stateful: if a connection is established between a client and a server, the security group automatically allows the return traffic from the server to the client. This is because the security group remembers the connection state, which lets it distinguish between legitimate return traffic and unsolicited, potentially malicious traffic.

NACL (Network Access Control List) →

  1. It is a function performed on the implied router.
  2. A NACL is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
  3. Your VPC automatically comes with a modifiable default network ACL. By default it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
  4. You can create a custom network ACL and associate it with a subnet. By default, each custom NACL initially denies all inbound and outbound traffic until you add rules.
  5. The highest number that you can use for a rule is 32,766. It is recommended that you start by creating rules with rule numbers that are multiples of 100, so that you can insert new rules in between later.
  6. It functions at the subnet level.
  7. NACLs are stateless: the outbound traffic for an allowed inbound connection must be explicitly allowed too.
  8. You can have both permit and deny rules in a NACL.

Security Groups VS NACL

In AWS, security groups and network access control lists (NACLs) are two different mechanisms used to control network traffic to and from your resources within a virtual private cloud (VPC). Here’s how they differ:

1. Definition:

  • Security groups act as virtual firewalls at the instance level, controlling inbound and outbound traffic to and from an instance. They regulate the traffic based on the security group rules defined by the administrator.
  • NACLs, on the other hand, act as a stateless packet filter for controlling inbound and outbound traffic at the subnet level. They regulate the traffic based on the rules defined in the NACL.

2. Stateful vs Stateless:

  • Security groups are stateful, which means that they remember the inbound traffic allowed to enter a particular instance and automatically allow the response traffic back out to the source that initiated the request.
  • NACLs are stateless, which means that they do not remember the inbound traffic allowed to enter a particular subnet. You need to define separate rules for allowing the outbound traffic based on the inbound traffic allowed.

3. Rule Processing Order:

  • Security groups evaluate all the rules that allow traffic and then apply the most permissive rule to permit the traffic.
  • NACLs evaluate the rules in a sequential order from lowest to highest, and the first rule that matches the traffic is applied.

4. Scope:

  • Security groups operate at the instance level, meaning that they are applied to an instance in a VPC.
  • NACLs operate at the subnet level, meaning that they are applied to all the instances within the subnet in a VPC.

In summary, security groups and NACLs serve different purposes in controlling the network traffic within a VPC. Security groups are applied at the instance level and operate in a stateful manner, while NACLs are applied at the subnet level and operate in a stateless manner.
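The three differences that matter operationally (stateful vs stateless, allow-only vs allow-and-deny, "all rules considered" vs "first numbered match wins") are easiest to see by running the same packets through both. The block below is an added example written for this post, not code from the original article or from AWS; the addresses, ports and rules are constructed samples, and the two classes are toy models of how the evaluation works rather than an AWS implementation. It shows the classic failure mode from the NACL section: inbound port 80 is allowed, but the reply is dropped because no outbound ephemeral-port rule exists, while the security group passes the reply on connection state alone.

```python
"""Added example: toy evaluators for a security group (stateful, allow-only,
any matching rule allows) and a network ACL (stateless, numbered rules,
first match wins, implicit deny '*'). All values below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def _matches(rule, ip, port, proto):
    lo, hi = rule["ports"]
    return (rule["proto"] in ("all", proto) and lo <= port <= hi
            and ip_address(ip) in ip_network(rule["cidr"]))


class SecurityGroup:
    """Allow rules only. Every rule is considered; any match allows the packet.
    Stateful: a packet answering an already-allowed flow needs no rule at all."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self._conns = set()  # allowed 4-tuples, i.e. the connection-tracking table

    def evaluate(self, pkt, direction):
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reverse in self._conns:
            return "ALLOW (tracked connection)"
        rules = self.inbound if direction == "inbound" else self.outbound
        # inbound rules match the source CIDR, outbound rules the destination CIDR
        ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
        if any(_matches(r, ip, pkt.dst_port, pkt.proto) for r in rules):
            self._conns.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ALLOW"
        return "DENY (no matching allow rule)"


class NetworkAcl:
    """Rules evaluated from the lowest number upward; the first match decides.
    Stateless: replies pass only if an explicit rule in that direction allows them."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r["num"])
        self.outbound = sorted(outbound, key=lambda r: r["num"])

    def evaluate(self, pkt, direction):
        rules = self.inbound if direction == "inbound" else self.outbound
        ip = pkt.src_ip if direction == "inbound" else pkt.dst_ip
        for r in rules:
            if _matches(r, ip, pkt.dst_port, pkt.proto):
                return f"{r['action'].upper()} (rule {r['num']})"
        return "DENY (rule *)"  # the catch-all deny every NACL ends with


def demo(fix_outbound=False):
    """Constructed scenario: web server 10.0.1.10 behind a subnet NACL that
    allows inbound 80 but (unless fix_outbound) lacks an outbound ephemeral rule."""
    sg = SecurityGroup(
        inbound=[{"proto": "tcp", "ports": (80, 80), "cidr": "0.0.0.0/0"}],
        outbound=[])  # deliberately empty; the reply still passes on state
    outbound = [{"num": 100, "action": "allow", "proto": "tcp", "ports": (443, 443), "cidr": "0.0.0.0/0"}]
    if fix_outbound:  # the rule the NACL section says you must add explicitly
        outbound.append({"num": 200, "action": "allow", "proto": "tcp", "ports": (1024, 65535), "cidr": "0.0.0.0/0"})
    nacl = NetworkAcl(
        inbound=[{"num": 100, "action": "allow", "proto": "tcp", "ports": (80, 80), "cidr": "0.0.0.0/0"}],
        outbound=outbound)
    request = Packet("203.0.113.10", 51234, "10.0.1.10", 80)
    reply = Packet("10.0.1.10", 80, "203.0.113.10", 51234)
    return {"sg_request": sg.evaluate(request, "inbound"),
            "sg_reply": sg.evaluate(reply, "outbound"),
            "nacl_request": nacl.evaluate(request, "inbound"),
            "nacl_reply": nacl.evaluate(reply, "outbound")}


def nacl_order_demo(deny_rule_num):
    """A deny for 192.0.2.0/24 only bites if it is numbered below the allow-all rule."""
    nacl = NetworkAcl(
        inbound=[{"num": 100, "action": "allow", "proto": "tcp", "ports": (80, 80), "cidr": "0.0.0.0/0"},
                 {"num": deny_rule_num, "action": "deny", "proto": "tcp", "ports": (80, 80), "cidr": "192.0.2.0/24"}],
        outbound=[])
    return nacl.evaluate(Packet("192.0.2.5", 40000, "10.0.1.10", 80), "inbound")


if __name__ == "__main__":
    print(demo())
    print(demo(fix_outbound=True))
    print(nacl_order_demo(50), "|", nacl_order_demo(150))
```

`nacl_order_demo` illustrates the rule-number point from the NACL section: the same deny rule is effective when numbered 50 and completely ignored when numbered 150, because rule 100 already matched. Leaving gaps of 100 between rule numbers is what makes it possible to slot such a deny in front of an existing allow.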

What is VPC Peering

It is a networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses.

  1. Instances in either VPC can communicate with each other as if they were in the same network.
  2. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account or in a different region.

What is VPC Endpoint →

Much like a NAT gateway, a VPC endpoint enables you to privately connect your VPC to supported AWS services. Instances in your VPC do not require public IPv4 addresses to communicate with resources in those services.

With a NAT gateway you pay for the gateway itself plus the amount of data transferred. A VPC endpoint itself is free and the data bill is small.

VPN Connection in a VPC

To establish a VPN (Virtual Private Network) connection in a VPC (Virtual Private Cloud) in AWS, you can follow these steps:

  1. Choose a VPN solution: AWS offers two VPN solutions — AWS Site-to-Site VPN and AWS Client VPN. AWS Site-to-Site VPN enables you to create a secure and encrypted connection between your on-premises network and your VPC. AWS Client VPN enables you to securely access your VPC and resources from anywhere using OpenVPN-based clients.
  2. Configure the VPN connection: Depending on the VPN solution you choose, you will need to configure the appropriate settings. For AWS Site-to-Site VPN, you will need to configure the customer gateway, virtual private gateway, and VPN connection. For AWS Client VPN, you will need to configure the endpoint, authorization rules, and client connections.
  3. Create and configure the VPC: Before you can create the VPN connection, you need to create and configure the VPC. This includes setting up the subnets, security groups, network ACLs, and routing tables.
  4. Create and configure the VPN connection: Once the VPC is configured, you can create and configure the VPN connection. This includes specifying the connection type, routing options, and encryption settings.
  5. Test the VPN connection: After you have created and configured the VPN connection, you should test it to ensure that it is working as expected. You can do this by pinging resources in the VPC from your on-premises network (for AWS Site-to-Site VPN) or by connecting to the VPC using an OpenVPN-based client (for AWS Client VPN).

By following these steps, you can establish a secure VPN connection between your on-premises network and your VPC in AWS.

Cloud computing and DevOps engineer; as a fresher I am learning and gaining experience by doing hands-on projects on DevOps in AWS or GCP.