AWS Networking 101: VPCs, Subnets & Route Tables. Building Your First Cloud Network
Learn how to design, secure, and automate your first AWS network like a DevOps pro.

🎯 Target Audience: Beginners in DevOps & DevSecOps
🧠 Key Concepts: VPC, Subnet, Route Table, Internet Gateway, Security Groups
⏱ Estimated Read Time: ~10 minutes
📚 Series: Part of “AWS & Cloud Computing for DevOps Beginners”
🌍 Real-World Focus: Building and securing your first AWS network like a DevOps pro
Why This Matters in DevOps
Let’s be real, nothing in AWS works without networking.
If EC2 is your “server” and S3 is your “storage,” then VPC (Virtual Private Cloud) is your entire data center 🏗️.
It’s where your apps live, talk to each other, and connect securely to the internet (or not).
As a DevOps engineer, understanding VPCs, subnets, and route tables isn’t just theory; it’s how you design secure, scalable cloud environments.
1️⃣ What is a VPC (Virtual Private Cloud)?
A VPC is your own private section of the AWS cloud, isolated from everyone else.
You control the IP range, subnets, routing, and security.
💡 Think of it as your company’s private network inside AWS.
🧩 VPC Basics:
You define a CIDR block (e.g., 10.0.0.0/16).
Inside it, you create subnets (like separate floors in a building).
You attach route tables to control how traffic flows.
Optionally connect to the internet via Internet Gateway (IGW).
📍 Analogy:
If AWS is the city → your VPC is your office building.
Subnets are the departments inside, and route tables are the hallways connecting them.
2️⃣ Subnets: Dividing Your Cloud
Subnets are smaller network segments inside your VPC.
You can have:
Public subnets → Accessible from the internet (e.g., web servers).
Private subnets → Internal-only (e.g., databases, app servers).
🧠 Example:
Let’s create a basic layout:
VPC CIDR: 10.0.0.0/16
Public Subnet: 10.0.1.0/24
Private Subnet: 10.0.2.0/24
💡 In a real-world setup:
Web app → public subnet
Database → private subnet
Bastion host (SSH access) → public subnet
3️⃣ Route Tables: Controlling the Traffic Flow
A route table defines where traffic goes when it leaves a subnet.
🧭 Example:
| Destination | Target |
| --- | --- |
| 10.0.0.0/16 | local (default) |
| 0.0.0.0/0 | igw-12345 (Internet) |
Translation:
All internal traffic (10.0.0.0/16) stays inside.
All external traffic (0.0.0.0/0) goes to the Internet Gateway.
💡 Without a route to the IGW, even your public subnet can’t access the internet.
4️⃣ Internet Gateway: Your Door to the Internet
An Internet Gateway (IGW) is how AWS connects your VPC to the outside world.
Setup Example (CLI):
```bash
# Create the VPC and capture its ID instead of hard-coding a placeholder
VPC_ID=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query 'Vpc.VpcId' --output text)

# Create the public and private subnets
PUBLIC_SUBNET_ID=$(aws ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block 10.0.1.0/24 --query 'Subnet.SubnetId' --output text)
aws ec2 create-subnet --vpc-id "$VPC_ID" --cidr-block 10.0.2.0/24

# Create the IGW and attach it to the VPC
IGW_ID=$(aws ec2 create-internet-gateway --query 'InternetGateway.InternetGatewayId' --output text)
aws ec2 attach-internet-gateway --internet-gateway-id "$IGW_ID" --vpc-id "$VPC_ID"

# Create a route table and add the default route to the IGW
RTB_ID=$(aws ec2 create-route-table --vpc-id "$VPC_ID" --query 'RouteTable.RouteTableId' --output text)
aws ec2 create-route --route-table-id "$RTB_ID" --destination-cidr-block 0.0.0.0/0 --gateway-id "$IGW_ID"

# Associate that route table with the public subnet only; the private subnet
# keeps the VPC's main route table, which has no route to the IGW
aws ec2 associate-route-table --route-table-id "$RTB_ID" --subnet-id "$PUBLIC_SUBNET_ID"
```
Now your VPC has both internal and external communication configured 🔥.
5️⃣ Security Groups vs. NACLs (Bonus Tip)
Security in AWS networking works in layers:
| Type | Works At | State | Example |
| --- | --- | --- | --- |
| Security Group | Instance level | Stateful | Allows return traffic automatically |
| NACL (Network ACL) | Subnet level | Stateless | Must define both inbound/outbound |
💡 Rule of thumb:
Use Security Groups for application-level rules (e.g., allow HTTP on port 80).
Use NACLs for subnet-level restrictions (e.g., block an IP range).
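As an added example (not code from the original post), here is the stateful/stateless difference in Terraform, reusing the aws_vpc.main and aws_subnet.public names from the snippet further down; the NACL's egress rule for ephemeral ports is the part people forget, and without it every HTTP reply leaving the subnet is silently dropped.

```hcl
# Stateful: one inbound rule is enough, the reply traffic is allowed automatically.
resource "aws_security_group" "web_http" {
  name   = "web-http-sg"
  vpc_id = aws_vpc.main.id

  ingress {
    description = "HTTP from anywhere"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Stateless: the NACL needs an explicit rule for each direction. Inbound allows
# port 80; outbound must allow the client's ephemeral source port range (assumed
# here as 1024-65535) or the server's responses never leave the subnet.
resource "aws_network_acl" "public" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = [aws_subnet.public.id]

  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 80
    to_port    = 80
  }

  egress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }
}
```

Temporarily removing the egress rule and watching HTTP requests time out is a quick way to see the "silently blocked" behaviour for yourself.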
6️⃣ Real-World DevOps Example: Two-Tier Architecture
Let’s say you’re deploying a web app:
Frontend → runs in a public subnet.
Backend DB → runs in a private subnet.
Architecture:
```text
Internet
    │
[ Internet Gateway ]
    │
[ Public Subnet ]
    │
[ Private Subnet ]
```
Routing Logic:
Web server → accessible from the internet.
DB → accessible only from the web server.
This setup = secure + production-grade 🛡️.
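Added example (not the author's code) of how "DB accessible only from the web server" is actually enforced in Terraform: it assumes the aws_vpc.main and aws_subnet.public resources from the snippet below and a PostgreSQL database on port 5432, and the DB security group's ingress references the web tier's security group ID rather than a CIDR.

```hcl
# Private subnet for the database tier: no public IPs, and it is never
# associated with the route table that carries the 0.0.0.0/0 -> IGW route.
resource "aws_subnet" "private" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.2.0/24"
  map_public_ip_on_launch = false
}

# Web tier: reachable from the internet on HTTP only.
resource "aws_security_group" "web" {
  name   = "web-sg"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# DB tier: ingress is tied to the web security group, so only instances that
# carry web-sg can open a connection to 5432. There is no 0.0.0.0/0 ingress
# here, and the private subnet has no route to the IGW anyway.
resource "aws_security_group" "db" {
  name   = "db-sg"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.web.id]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```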
🧰 Tools & Hands-On
You can build this using:
AWS Console (UI) → great for visual learning.
AWS CLI / Terraform → great for automation.
Here’s a simple Terraform snippet to build a VPC:
```hcl
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

resource "aws_subnet" "public" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  map_public_ip_on_launch = true
}
```

Common Mistakes to Avoid
⚠️ Forgetting to associate subnets with the right route table.
⚠️ Missing Internet Gateway route: no internet access!
⚠️ Mixing public/private resources in one subnet.
⚠️ Forgetting NACL rules: they can silently block traffic.
Quick Recap
✅ VPC → your private cloud network in AWS.
✅ Subnets → divide your network (public/private).
✅ Route Tables → direct traffic.
✅ Internet Gateway → connect to the world.
✅ Security Groups/NACLs → protect your infrastructure.
Every great DevOps engineer starts by mastering the network layer.
So before deploying your first app, build your own AWS VPC from scratch; it’ll teach you more than a dozen tutorials.
👨💻 Written by: Abdulrahman A. Muhamad