This article was originally published on AI Study Room. For the full version with working code examples and related articles, visit the original post.

AWS VPC Design: Subnets, NAT, Peering, Transit Gateway, and Security Groups

AWS VPC Design: Subnets, NAT, Peering, Transit Gateway, and Security Groups

AWS VPC Design: Subnets, NAT, Peering, Transit Gateway, and Security Groups

AWS VPC Design: Subnets, NAT, Peering, Transit Gateway, and Security Groups

AWS VPC Design: Subnets, NAT, Peering, Transit Gateway, and Security Groups

Introduction

Amazon Virtual Private Cloud (VPC) is the foundational networking layer for AWS infrastructure. Every AWS resource — EC2 instances, RDS databases, Lambda functions, ECS tasks — exists within a VPC. Proper VPC design directly impacts security, performance, scalability, and cost. A poorly designed VPC can cause connectivity issues, security vulnerabilities, and expensive data transfer bills.

This article covers subnet design, NAT strategies, VPC peering, Transit Gateway, security groups, and network ACLs.

VPC and Subnet Design

A VPC spans all Availability Zones (AZs) in a region. The CIDR block must be large enough to accommodate current and future workloads. The standard RFC 1918 ranges are used: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16. A /16 CIDR (65,536 addresses) provides sufficient capacity for most organizations.

Subnets are associated with a single AZ and can be public or private. Public subnets have a route table entry pointing to an Internet Gateway. Private subnets route through a NAT Gateway or NAT Instance for outbound internet access. Best practice dictates at least two AZs for high availability, each with public and private subnets.

VPC: 10.0.0.0/16

us-east-1a:

Public: 10.0.1.0/24

Private: 10.0.11.0/24

Data: 10.0.21.0/24

us-east-1b:

Public: 10.0.2.0/24

Private: 10.0.12.0/24

Data: 10.0.22.0/24

NAT Gateways and Internet Connectivity

NAT Gateways enable private subnet resources to access the internet for updates, downloads, and external API calls while preventing unsolicited inbound connections. They are highly available within an AZ and managed by AWS, eliminating the maintenance burden of NAT Instances.

Each NAT Gateway costs approximately $0.045/hour plus data processing charges. For high availability, deploy a NAT Gateway in each AZ used for production workloads. This increases cost but provides resiliency against AZ failures. Alternatively, a single shared NAT Gateway can serve all private subnets via transit gateway attachments.

VPC Peering

VPC Peering connects two VPCs using AWS's internal network, providing low-latency, high-bandwidth connectivity with no bandwidth limits or single point of failure. Peered VPCs can be in the same or different accounts and regions.

Key limitations: transitive peering is not supported (A to B and B to C does not imply A to C), overlapping CIDR blocks cannot be peered, and route tables must be manually configured on both sides. For more than a few VPCs, Transit Gateway is a better solution.

AWS Transit Gateway

Transit Gateway (TGW) is a network transit hub connecting VPCs, VPN connections, and AWS Direct Connect. It supports transitive routing, eliminating the mesh complexity of VPC peering at scale.

Transit Gateway

├── VPC: Production (us-east-1)

├── VPC: Staging (us-east-1)

├── VPC: Shared Services (us-east-1)

├── VPC: Production (eu-west-1)

├── VPN: Branch Office

└── Direct Connect: Data Center

TGW supports route tables per attachment, enabling network segmentation. The default behavior is full mesh, but route table associations limit traffic flow between specific VPCs. TGW Peering connects transit gateways across regions, providing inter-region connectivity at premium data transfer rates.

Security Groups vs. Network ACLs

Security groups act as virtual stateful firewalls at the instance level. They support allow rules only (no explicit deny), evaluate all rules before returning a decision, and track connection state automatically. Security groups are the primary security mechanism for AWS resources.

Network ACLs (NACLs) are stateless firewalls at the subnet level. They support both allow and deny rules, evaluate rules in order (lowest number first), and require explicit rules for return t

---

Read the full article on AI Study Room for complete code examples, comparison tables, and related resources.

Found this useful? Check out more developer guides and tool comparisons on AI Study Room.