A Virtual Private Cloud (VPC) is your isolated network in AWS. You define IP ranges, subnets, route tables, and gateways, and those choices decide which resources are reachable from the internet and which are only reachable from inside the VPC.
VPC building blocks
- CIDR block — the VPC's private IP space, e.g. 10.0.0.0/16
- Subnet — a slice of that range in one AZ (10.0.1.0/24 public, 10.0.2.0/24 private)
- Internet Gateway (IGW) — gives public subnets a route to and from the internet
- NAT Gateway — outbound-only internet for private subnets; it accepts no unsolicited inbound connections (billed hourly, so tear it down in a sandbox)
- Route table — directs a subnet's traffic (0.0.0.0/0 → IGW makes the subnet public; 0.0.0.0/0 → NAT keeps it private with egress)
Default VPC
New accounts come with a default VPC whose subnets (one per AZ) are all public: they route 0.0.0.0/0 to an IGW and auto-assign public IPv4 addresses to instances launched in them. That is fine for learning; production designs use explicit private subnets for the app and database tiers.
Describe your VPCs
aws ec2 describe-vpcs \
--query 'Vpcs[].{Id:VpcId,Cidr:CidrBlock,IsDefault:IsDefault}' \
--output table
aws ec2 describe-subnets \
--query 'Subnets[].{Id:SubnetId,CIDR:CidrBlock,AZ:AvailabilityZone,AutoPublicIP:MapPublicIpOnLaunch}' \
--output table
Practice: Create S3 buckets and VPC resources only in a sandbox account. Bucket names must be globally unique; empty and delete buckets, and tear down NAT gateways, when finished.
Important interview questions and answers
- Q: Public vs private subnet?
A: A subnet is public when its route table sends 0.0.0.0/0 to an IGW, so instances with public IPs accept inbound connections from the internet. A private subnet has no IGW route; it reaches the internet outbound-only through a NAT gateway, or not at all.
- Q: Why place RDS in a private subnet?
A: The database has no route from the internet, so it cannot be reached directly regardless of what its security group allows; the app tier connects to it over private IPs inside the VPC.
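The public/private distinction from the building blocks and the Q&A above, made concrete as an added example (this is not code from the course notes or from AWS). It reads the JSON that `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` return, resolves each subnet to its route table (an explicit association, else the VPC's main table), classifies it by its default route, and flags app/db subnets that ended up public. The sample records and the convention that the Name tag prefix (public-, app-, db-) is the tier are constructed assumptions of the example.

```python
"""Audit which subnets are public, private (NAT egress) or isolated, from the
route tables that govern them.

Added example for these notes, not course or AWS code. Inputs mirror the JSON
shape of `aws ec2 describe-route-tables` and `aws ec2 describe-subnets`; the
records below are constructed samples, and "tier = Name tag prefix" is an
assumption of this example.
"""
import json
import sys

VPC = "vpc-0123456789abcdef0"
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}

# Constructed sample: a main table (local only), a public table (IGW) and a NAT table.
# db-b is wrongly associated with the public table; db-a has no explicit association
# and therefore inherits the main table.
SAMPLE_ROUTE_TABLES = {"RouteTables": [
    {"RouteTableId": "rtb-0main00000000000", "VpcId": VPC, "Routes": [LOCAL],
     "Associations": [{"Main": True}]},
    {"RouteTableId": "rtb-0pub000000000000", "VpcId": VPC,
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "GatewayId": "igw-0abc000000000000", "State": "active"}],
     "Associations": [{"Main": False, "SubnetId": "subnet-0pub0a0000000000"},
                      {"Main": False, "SubnetId": "subnet-0db0b00000000000"}]},
    {"RouteTableId": "rtb-0nat000000000000", "VpcId": VPC,
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0",
                        "NatGatewayId": "nat-0def000000000000", "State": "active"}],
     "Associations": [{"Main": False, "SubnetId": "subnet-0app0a000000000"}]},
]}


def _subnet(sid, name, cidr, az, auto_ip):
    return {"SubnetId": sid, "VpcId": VPC, "CidrBlock": cidr, "AvailabilityZone": az,
            "MapPublicIpOnLaunch": auto_ip, "Tags": [{"Key": "Name", "Value": name}]}


SAMPLE_SUBNETS = {"Subnets": [
    _subnet("subnet-0pub0a0000000000", "public-a", "10.0.1.0/24", "us-east-1a", True),
    _subnet("subnet-0app0a000000000", "app-a", "10.0.2.0/24", "us-east-1a", False),
    _subnet("subnet-0db0a00000000000", "db-a", "10.0.3.0/24", "us-east-1a", False),
    _subnet("subnet-0db0b00000000000", "db-b", "10.0.4.0/24", "us-east-1b", False),
]}


def route_table_for(subnet, route_tables):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        if rt["VpcId"] != subnet["VpcId"]:
            continue
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet["SubnetId"]:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def classify(subnet, route_tables):
    """'public' if a default route points at an IGW, 'private' if it points at a NAT
    or egress-only gateway, 'isolated' if there is no default route at all."""
    rt = route_table_for(subnet, route_tables)
    if rt is None:
        return "unknown"
    kinds = set()
    for route in rt.get("Routes", []):
        if route.get("State", "active") != "active":
            continue  # blackhole routes (e.g. a deleted NAT gateway) forward nothing
        if (route.get("DestinationCidrBlock") != "0.0.0.0/0"
                and route.get("DestinationIpv6CidrBlock") != "::/0"):
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            kinds.add("public")
        elif route.get("NatGatewayId") or route.get("EgressOnlyInternetGatewayId"):
            kinds.add("private")
    return "public" if "public" in kinds else "private" if "private" in kinds else "isolated"


def audit(subnets_doc, route_tables_doc, private_tiers=("app", "db")):
    """Classify every subnet and flag app/db tiers that ended up with an IGW route."""
    rts = route_tables_doc["RouteTables"]
    report, findings = {}, []
    for sn in subnets_doc["Subnets"]:
        name = next((t["Value"] for t in sn.get("Tags", []) if t["Key"] == "Name"), sn["SubnetId"])
        kind = classify(sn, rts)
        report[sn["SubnetId"]] = {"name": name, "cidr": sn["CidrBlock"], "kind": kind,
                                  "auto_public_ip": bool(sn.get("MapPublicIpOnLaunch"))}
        if kind == "public" and name.split("-")[0] in private_tiers:
            findings.append(f"{name} ({sn['SubnetId']}) routes 0.0.0.0/0 to an internet gateway")
    return report, findings


if __name__ == "__main__":
    # Usage: python vpc_audit.py subnets.json route-tables.json (JSON saved from the
    # describe commands); with no arguments the constructed sample is audited.
    if len(sys.argv) == 3:
        subnets, tables = (json.load(open(p)) for p in sys.argv[1:3])
    else:
        subnets, tables = SAMPLE_SUBNETS, SAMPLE_ROUTE_TABLES
    report, findings = audit(subnets, tables)
    for row in report.values():
        print(f"{row['name']:<10} {row['cidr']:<14} {row['kind']:<9} auto-public-ip={row['auto_public_ip']}")
    for f in findings:
        print("FINDING:", f)
    sys.exit(1 if findings else 0)
```

Two points the run makes visible: a subnet with no explicit association silently inherits the main route table, so keep the main table free of a 0.0.0.0/0 route; and a "public" classification only means a path exists, so pair it with the MapPublicIpOnLaunch column (and security groups) to judge what is actually exposed.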
Self-check
- What does a route table do?
- Why use private subnets for application backends?
Tip: Three-tier pattern: public subnets for ALB, private for apps, private for RDS.
Interview prep
- Private subnet?
No direct inbound internet route—often hosts app and database tiers.
- Route table?
Directs subnet traffic to IGW, NAT gateway, or internal targets.