Cloud Networking Guide
VPC Design Principles
# CIDR planning: avoid overlap with on-prem / other VPCs
VPC CIDR: 10.0.0.0/16 (65,536 IPs total)
# Subnet layout per AZ (for 3-AZ region)
Public subnets (internet-facing LB, NAT gateways):
10.0.1.0/24 us-east-1a (251 usable IPs)
10.0.2.0/24 us-east-1b
10.0.3.0/24 us-east-1c
Private subnets (app servers, EKS nodes):
10.0.11.0/24 us-east-1a
10.0.12.0/24 us-east-1b
10.0.13.0/24 us-east-1c
Database subnets (no internet route):
10.0.21.0/24 us-east-1a
10.0.22.0/24 us-east-1b
10.0.23.0/24 us-east-1c
# Rules:
# • Public subnet: route 0.0.0.0/0 → Internet Gateway
# • Private subnet: route 0.0.0.0/0 → NAT Gateway (one per AZ)
# • DB subnet: no route to the internet; inbound allowed only from the private-subnet security group
# • Reserve a /18 or larger for EKS (each node consumes many IPs)
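The plan above is easy to get wrong by hand (a subnet typed outside the VPC, two tiers colliding, or a VPC range that collides with the office network). The following validator is an added example, not part of the guide; it uses only the Python standard library, encodes the guide's subnet plan, and treats `192.168.0.0/16` as a constructed placeholder for the on-prem range. It also finds free space in the VPC, which is how you confirm there is still room for the /18 EKS block.

```python
"""Validate a VPC subnet plan: containment, overlaps, AZ coverage, free space.

Added example (not the guide's own code). On-prem range is a constructed placeholder.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

AWS_RESERVED_PER_SUBNET = 5   # network, VPC router, DNS, reserved, broadcast

VPC_CIDR = "10.0.0.0/16"
ON_PREM_CIDRS = ["192.168.0.0/16"]   # constructed placeholder for the on-prem range

# Subnet plan from the guide: tier -> [(cidr, availability zone)]
SUBNET_PLAN: Dict[str, List[Tuple[str, str]]] = {
    "public":   [("10.0.1.0/24", "us-east-1a"), ("10.0.2.0/24", "us-east-1b"), ("10.0.3.0/24", "us-east-1c")],
    "private":  [("10.0.11.0/24", "us-east-1a"), ("10.0.12.0/24", "us-east-1b"), ("10.0.13.0/24", "us-east-1c")],
    "database": [("10.0.21.0/24", "us-east-1a"), ("10.0.22.0/24", "us-east-1b"), ("10.0.23.0/24", "us-east-1c")],
}


def usable_ips(cidr: str) -> int:
    """Addresses instances can actually use after AWS's five reserved ones."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_plan(vpc_cidr: str, plan: Dict[str, List[Tuple[str, str]]],
                  external_cidrs: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is clean."""
    problems: List[str] = []
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [(tier, ipaddress.ip_network(c), az) for tier, entries in plan.items() for c, az in entries]

    # 1. The VPC range must not overlap on-prem or peered ranges (routing would be ambiguous).
    for ext in external_cidrs:
        if vpc.overlaps(ipaddress.ip_network(ext)):
            problems.append(f"VPC {vpc} overlaps external range {ext}")

    # 2. Every subnet must sit inside the VPC.
    for tier, net, az in subnets:
        if not net.subnet_of(vpc):
            problems.append(f"{tier} subnet {net} ({az}) is outside VPC {vpc}")

    # 3. No two subnets may overlap each other.
    for i, (t1, n1, _) in enumerate(subnets):
        for t2, n2, _ in subnets[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"{t1} subnet {n1} overlaps {t2} subnet {n2}")

    # 4. Each tier should appear in every AZ exactly once (per-AZ NAT and failover).
    azs_per_tier = {tier: [az for _, az in entries] for tier, entries in plan.items()}
    all_azs = {az for azs in azs_per_tier.values() for az in azs}
    for tier, azs in azs_per_tier.items():
        missing = all_azs - set(azs)
        if missing:
            problems.append(f"{tier} tier has no subnet in {sorted(missing)}")
        if len(azs) != len(set(azs)):
            problems.append(f"{tier} tier has more than one subnet in the same AZ")
    return problems


def free_blocks(vpc_cidr: str, plan: Dict[str, List[Tuple[str, str]]]) -> List[ipaddress.IPv4Network]:
    """CIDR blocks of the VPC not allocated to any subnet, largest first."""
    free = [ipaddress.ip_network(vpc_cidr)]
    for entries in plan.values():
        for cidr, _ in entries:
            sub = ipaddress.ip_network(cidr)
            remaining = []
            for block in free:
                # address_exclude carves `sub` out of `block`, yielding the leftover pieces.
                remaining.extend(block.address_exclude(sub) if sub.subnet_of(block) else [block])
            free = remaining
    return sorted(ipaddress.collapse_addresses(free), key=lambda n: (n.prefixlen, n))


def free_space(vpc_cidr: str, plan: Dict[str, List[Tuple[str, str]]]) -> int:
    """Total unallocated addresses in the VPC."""
    return sum(b.num_addresses for b in free_blocks(vpc_cidr, plan))


def reserve_block(vpc_cidr: str, plan: Dict[str, List[Tuple[str, str]]],
                  prefixlen: int) -> Optional[ipaddress.IPv4Network]:
    """Best fit: the smallest free block that can hold a /prefixlen, carved down to that size."""
    candidates = [b for b in free_blocks(vpc_cidr, plan) if b.prefixlen <= prefixlen]
    if not candidates:
        return None
    best = max(candidates, key=lambda b: b.prefixlen)
    return next(best.subnets(new_prefix=prefixlen))


if __name__ == "__main__":
    for problem in validate_plan(VPC_CIDR, SUBNET_PLAN, ON_PREM_CIDRS) or ["plan is clean"]:
        print(problem)
    print("usable IPs per /24:", usable_ips("10.0.1.0/24"))
    print("free addresses:", free_space(VPC_CIDR, SUBNET_PLAN))
    print("EKS /18 candidate:", reserve_block(VPC_CIDR, SUBNET_PLAN, 18))
```

Run it before creating the subnets, and again whenever a new tier or a peering partner's range is added; feeding the partner's CIDR into `external_cidrs` is the cheapest way to catch the overlap before the peering request is accepted.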
Security Groups vs NACLs
| Feature | Security Groups | Network ACLs |
|---|---|---|
| Level | Instance (ENI) | Subnet |
| State | Stateful (return traffic auto-allowed) | Stateless (must allow both directions) |
| Rules | Allow only (no deny) | Allow and Deny |
| Evaluation | All rules evaluated; any matching allow admits the traffic | Processed in rule-number order; first match wins, implicit deny at the end |
| Use for | Primary access control (recommended) | Subnet-level blocklist, extra defense layer |
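The two rows that cause the most outages in practice are "State" and "Evaluation": a NACL that mirrors the inbound rule but forgets the client's ephemeral port range silently drops every reply, and a deny rule placed after a broader allow never fires. The simulator below is an added example (not the guide's own code) that models both evaluation styles over constructed RFC 5737 addresses; the `shadowed` check is an assumed helper for spotting unreachable NACL rules.

```python
"""Model security-group (stateful, allow-only) vs NACL (stateless, ordered allow/deny) evaluation.

Added example, not from the guide. All addresses are constructed documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    number: int      # NACL evaluation order; ignored by security groups
    action: str      # "allow" or "deny" (security groups only ever use "allow")
    proto: str       # "tcp", "udp" or "all"
    cidr: str        # remote address range the rule applies to
    port_from: int
    port_to: int

    def matches(self, remote_addr: str, port: int, proto: str) -> bool:
        return (self.proto in ("all", proto)
                and ipaddress.ip_address(remote_addr) in ipaddress.ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)

    def covers(self, other: "Rule") -> bool:
        """True when every packet `other` could match also matches self (so `other` is unreachable after self)."""
        return (self.proto in ("all", other.proto)
                and ipaddress.ip_network(other.cidr).subnet_of(ipaddress.ip_network(self.cidr))
                and self.port_from <= other.port_from and other.port_to <= self.port_to)


def _remote(direction: str, pkt: Packet) -> str:
    # Inbound rules are keyed on the sender; outbound rules on the receiver.
    return pkt.src if direction == "inbound" else pkt.dst


class NetworkAcl:
    """Stateless: each direction is checked independently; lowest matching rule number wins; default deny."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.rules = {"inbound": sorted(inbound, key=lambda r: r.number),
                      "outbound": sorted(outbound, key=lambda r: r.number)}

    def evaluate(self, direction: str, pkt: Packet) -> str:
        for rule in self.rules[direction]:
            if rule.matches(_remote(direction, pkt), pkt.dst_port, pkt.proto):
                return rule.action
        return "deny"   # the implicit '*' rule

    def shadowed(self, direction: str) -> List[int]:
        """Rule numbers that can never fire because an earlier rule already covers them."""
        rules = self.rules[direction]
        return [r.number for i, r in enumerate(rules) if any(earlier.covers(r) for earlier in rules[:i])]


class SecurityGroup:
    """Stateful: any matching allow rule admits the packet, and replies to tracked flows are admitted automatically."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.flows: Set[Tuple[str, int, str, int, str]] = set()

    def evaluate(self, direction: str, pkt: Packet) -> str:
        reply_of = (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port, pkt.proto)
        if reply_of in self.flows:
            return "allow"          # return traffic for a connection we already admitted
        if any(r.matches(_remote(direction, pkt), pkt.dst_port, pkt.proto) for r in self.rules[direction]):
            self.flows.add((pkt.src, pkt.src_port, pkt.dst, pkt.dst_port, pkt.proto))
            return "allow"
        return "deny"


CLIENT, WEB = "203.0.113.10", "10.0.1.10"          # constructed: internet client, instance in a public subnet
REQUEST = Packet(CLIENT, WEB, "tcp", 50000, 443)   # client ephemeral port -> HTTPS
REPLY = Packet(WEB, CLIENT, "tcp", 443, 50000)     # server answers back to the ephemeral port

# NACL outbound variants: a mirror of the inbound rule only, versus the ephemeral range replies actually use.
NACL_MIRROR_ONLY = [Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443)]
NACL_WITH_EPHEMERAL = [Rule(100, "allow", "tcp", "0.0.0.0/0", 1024, 65535)]


def security_group_scenario() -> Tuple[str, str]:
    sg = SecurityGroup(inbound=[Rule(0, "allow", "tcp", "0.0.0.0/0", 443, 443)], outbound=[])
    return sg.evaluate("inbound", REQUEST), sg.evaluate("outbound", REPLY)


def nacl_scenario(outbound_rules: List[Rule]) -> Tuple[str, str]:
    acl = NetworkAcl(inbound=[Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443)], outbound=outbound_rules)
    return acl.evaluate("inbound", REQUEST), acl.evaluate("outbound", REPLY)


def rule_order_scenario() -> Tuple[str, List[int], str]:
    """A deny numbered after a broader allow is dead; renumbering it lower makes it effective."""
    ssh = Packet("198.51.100.7", WEB, "tcp", 40000, 22)
    misordered = NetworkAcl(inbound=[Rule(100, "allow", "tcp", "0.0.0.0/0", 22, 22),
                                     Rule(110, "deny", "tcp", "198.51.100.0/24", 22, 22)], outbound=[])
    reordered = NetworkAcl(inbound=[Rule(90, "deny", "tcp", "198.51.100.0/24", 22, 22),
                                    Rule(100, "allow", "tcp", "0.0.0.0/0", 22, 22)], outbound=[])
    return misordered.evaluate("inbound", ssh), misordered.shadowed("inbound"), reordered.evaluate("inbound", ssh)


if __name__ == "__main__":
    print("security group (request, reply):", security_group_scenario())
    print("NACL mirror only (request, reply):", nacl_scenario(NACL_MIRROR_ONLY))
    print("NACL with ephemeral (request, reply):", nacl_scenario(NACL_WITH_EPHEMERAL))
    print("NACL order (misordered, shadowed, reordered):", rule_order_scenario())
```

The `shadowed` check is worth running over exported NACL rules during review: a deny that a lower-numbered allow already covers is the stateless equivalent of dead code, and nothing in the console flags it.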
Connectivity Options
| Option | Use Case | Latency | Cost |
|---|---|---|---|
| VPC Peering | Connect 2 VPCs (same or cross-account) | Low | Data transfer only |
| AWS Transit Gateway | Hub-and-spoke for many VPCs | Low | Per attachment + data |
| AWS Direct Connect | Dedicated line from on-prem to AWS | Very low (predictable) | High (port + data) |
| Site-to-Site VPN | Encrypted tunnel over internet | Medium | Low |
| Client VPN | Remote developer/employee access | Medium | Per connection-hour |
| VPC Endpoints | Private access to AWS services (S3, DynamoDB) | Low | Gateway: free; Interface: per hour |
| PrivateLink | Expose service privately to other VPCs/accounts | Low | Per endpoint + data |