VPC Basics for AWS Solutions Architect Associate Exam

One of the harder subjects.

Published in

AWS in Plain English

4 min readMay 18, 2021

The VPC (Virtual Private Cloud) is how networking is done in AWS. The VPC is like having your own data center inside AWS. The VPC separates resources from different customers and different projects.

VPCs are specific to a region, and a single VPC will span all the availability zones in a region. You can make subnets of a VPC, subnets are specific to availability zones.

VPC spans multiple AZ. Subnets (not shown) cannot.

CIDR Blocks

When you create a VPC, you must associate an IPv4 CIDR block for it. The CIDR block must contain between 16 and 65,536 IP addresses (netmasks of /28 and /16 respectively). If you see a question asking about CIDR block sizes know that it is between /28 and /16. You can read my article on IP addressing if you need a refresher on CIDR blocks.

Your CIDR block must be in the private IP ranges:

10.0.0.0–10.255.255.255, which is CIDR 10.0.0.0/8
172.16.0.0–172.31.255.255, CIDR 172.16.0.0/12
192.168.0.0–192.168.255.255, CIDR 192.168.0.0/16

You can add multiple CIDR blocks to your VPC but CIDR blocks must not overlap. We can’t have both 10.0.0.0/28 and 10.0.0.1/28 in a VPC. You can never modify the range of an existing CIDR block

Subnet Sizing

When you divide an IP network into multiple parts, each part is called a subnet. The subnets have CIDR blocks that are subsets of the CIDR block of the VPC.

The number of available IPv4 addresses in your subnet’s CIDR block is not exactly what you think it would be.

In the console

In a /24 IPv4 we would expect 256 addresses, 2^(32–24) = 2⁸ = 256. The reason there are only 251 available is that AWS reserves some of the IP addresses for it’s own use.

The 5 missing IP addresses are reserved as follows:

172.31.80.0 is used as the network address
172.31.80.1 is reserved for the VPC router
172.31.80.2 is reserved for the DNS
172.31.80.3 is reserved by AWS for future use
172.31.80.255 is the network broadcast address. AWS does not support broadcast so this is reserved.

If a question asks what IP addresses you can use, the first 4 IP addresses are reserved, as well as the last one. Make sure you are able to translate CIDR blocks to IP address ranges.

Route Tables

Route tables specify how network traffic from subnets or the internet should be directed within the VPC. Every subnet needs to be associated with a route table. This route table will direct traffic to the subnet.

Example

Here is a route table for a VPC with CIDR block 172.31.0.0/16.

This route table is saying that traffic to the VPC (172.31.0.0/16) is local to the VPC and that traffic elsewhere (0.0.0.0/0) goes to igw-d2b99dba (this is an internet gateway, we discuss this later).

Implied Routing

At the beginning of this section we said that every subnet needs to be associated with a route table, but our route table didn’t say anything about any subnets. This is explained by the following image:

The text in the middle says “The following subnets have not been explicitly associated with any route tables and are therefor associated with the main route table.

There is a main route table which is created when a new VPC is created. You do not need to explicitly associate a new subnet with a route table, there is an automatic association with the main route table.

You do not need to explicitly define routes for traffic between subnets. The VPC knows what ranges your subnets exist on and will take care of this for you.

Main Route Table

Suppose you have two subnets and two route tables. Initially, both subnets have an implicit association with Route Table A, the main route table. We want to change both subnets to be associated with route table B.