
AWS VPC Networking: Solutions Architect Study Guide


AWS VPC (Virtual Private Cloud) networking is essential for the AWS Solutions Architect certification exam. This topic covers designing, implementing, and managing isolated network environments within AWS including subnets, security groups, routing, and connectivity options.

VPC concepts can feel complex due to many interconnected components. Flashcards break down VPC networking into bite-sized questions and answers, making it easier to build pattern recognition skills. You can quickly identify which networking solution fits different architecture scenarios presented on the exam.

Mastering VPC networking is critical for architects who design secure, scalable, and resilient cloud infrastructure. The exam heavily emphasizes practical scenarios where you must choose the right networking components for specific requirements.


VPC Fundamentals and Core Components

A Virtual Private Cloud (VPC) is a logically isolated network environment within AWS where you launch your resources. Every AWS account has a default VPC, but Solutions Architects must understand how to create and configure custom VPCs for specific use cases.

Core VPC Components

The core components of a VPC include:

  • Subnets (public and private) for organizing resources
  • Internet Gateways (IGW) for inbound and outbound internet connectivity
  • Network Address Translation (NAT) gateways for private subnet internet access
  • Virtual Private Gateways (VGW) for VPN connections
  • VPC endpoints for private connectivity to AWS services

Public vs Private Subnets

A public subnet is one whose route table sends internet-bound traffic to an Internet Gateway; resources in it are reachable from the internet only if they also carry a public or Elastic IP address. A private subnet has no route to an Internet Gateway, so its resources cannot be reached from the internet and can only initiate outbound connections through a NAT gateway. Understanding this distinction is fundamental for designing secure architectures where databases stay isolated from the internet.

CIDR Notation and IP Planning

Understanding CIDR notation is critical because you must calculate IP address ranges for VPCs and subnets. A VPC typically uses a /16 CIDR block (65,536 addresses; AWS accepts VPC blocks from /16 down to /28), while subnets often use /24 blocks (256 addresses, of which AWS reserves five in every subnet, leaving 251 you can assign). A subnet lives in exactly one Availability Zone, so a multi-AZ deployment needs at least one subnet per tier in each AZ. Plan the address space so it does not overlap with on-premises networks or VPCs you may later peer with, because overlapping ranges cannot be routed.
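The address arithmetic above is easy to get wrong by hand, so here is a small planner written for this guide (it is not code from the page or from AWS). It carves one subnet per (AZ, tier) pair out of a VPC block, reports how many addresses are actually assignable after AWS's five reserved addresses, rejects VPC blocks outside the /16 to /28 range, and checks for overlap with another range. The AZ names and tier labels in the usage section are placeholders.

```python
import ipaddress

# AWS reserves the first four addresses and the last address of every subnet
# (network address, VPC router, Route 53 Resolver, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(subnet_cidr: str) -> int:
    """Number of addresses you can actually assign to resources in an AWS subnet."""
    net = ipaddress.ip_network(subnet_cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def validate_vpc_cidr(vpc_cidr: str) -> ipaddress.IPv4Network:
    """AWS accepts VPC IPv4 blocks between /16 and /28 only."""
    net = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError(f"{vpc_cidr}: VPC CIDR must be between /16 and /28")
    return net


def plan_subnets(vpc_cidr: str, azs, tiers, subnet_prefix: int = 24) -> dict:
    """Carve one subnet per (AZ, tier) pair out of the VPC block, in order.

    Returns {(az, tier): "10.0.x.0/24"}; raises if the block cannot hold them all.
    """
    vpc = validate_vpc_cidr(vpc_cidr)
    candidates = vpc.subnets(new_prefix=subnet_prefix)
    plan = {}
    for az in azs:
        for tier in tiers:
            try:
                plan[(az, tier)] = str(next(candidates))
            except StopIteration:
                raise ValueError(f"{vpc_cidr} cannot hold {len(azs) * len(tiers)} "
                                 f"/{subnet_prefix} subnets") from None
    return plan


def overlaps(cidr_a: str, cidr_b: str) -> bool:
    """VPC peering and VPN/Direct Connect routing both need non-overlapping space."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


if __name__ == "__main__":
    # Hypothetical two-AZ, three-tier layout; the AZ names are just labels here.
    layout = plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"],
                          ["public", "app", "db"])
    for key, cidr in layout.items():
        print(key, cidr, usable_hosts(cidr), "assignable addresses")
    print("clashes with on-prem 10.0.0.0/8?", overlaps("10.0.0.0/16", "10.0.0.0/8"))
```

Subnets are handed out sequentially, so the first AZ gets 10.0.0.0/24 and 10.0.1.0/24 for its first two tiers, the second AZ continues from there; leave gaps in the plan if you expect to add tiers later, since a subnet's CIDR cannot be changed after creation.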

Route Tables and Traffic Flow

Route tables determine how traffic flows within the VPC and to external networks. Every subnet is associated with exactly one route table; a subnet with no explicit association uses the VPC's main route table, which is why a careless change to the main table can expose or black-hole subnets you never touched. Each route maps a destination CIDR to a target. Public subnet tables carry a default route (0.0.0.0/0) to the Internet Gateway; private subnet tables send the same destination to a NAT gateway instead.

Security Groups and Network Access Control Lists

Security Groups and Network ACLs (NACLs) form the two-layer firewall system in AWS VPCs, though they operate differently. Understanding both is essential for the exam.

Security Groups: Stateful Firewalls

Security Groups are stateful firewalls at the instance level, meaning they track connections and automatically allow return traffic. When you create an inbound rule allowing TCP traffic on port 80, the Security Group automatically permits the corresponding outbound response traffic without requiring an explicit outbound rule.

Security Groups use an allow-list model where you must explicitly permit traffic. Anything not explicitly allowed is denied; there are no deny rules, and all rules are evaluated together rather than in order. A rule can name another Security Group as its source or destination instead of a CIDR block: it then matches any resource associated with that group, so adding or replacing instances in a tier never requires rewriting IP-based rules.

Network ACLs: Stateless Firewalls

Network ACLs are stateless firewalls at the subnet level that examine each packet independently without tracking connections. Rules are numbered and evaluated in ascending order; the first matching rule decides, and the implicit final rule (*) denies whatever nothing else matched. Unlike Security Groups, NACL rules can explicitly deny traffic. Because nothing is tracked, you must allow both directions of every conversation yourself, including the ephemeral ports that return traffic uses. The default NACL allows all traffic; a custom NACL denies everything until you add rules.

Choosing Between Security Groups and NACLs

For the Solutions Architect exam, you should understand when to use each. Both filter on IP address, protocol, and port; neither inspects application content. Use Security Groups for fine-grained, per-resource control (one group per tier, referencing the tier it talks to). Use NACLs for subnet-level guardrails and for the explicit deny that Security Groups cannot express, such as blocking a known-bad address range before it reaches any instance.

A common exam scenario involves restricting SSH access to only specific IP addresses. You would implement this with a Security Group inbound rule allowing TCP 22 from specific CIDR blocks. Another scenario might require allowing ephemeral ports (1024-65535) in an NACL for return traffic: an outbound ephemeral-port rule for connections into the subnet, and an inbound one for connections that instances in the subnet initiate.
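To make the stateful versus stateless difference concrete, here is a simulation written for this guide (not code from the page or from AWS) that models a NACL as an ordered, stateless rule list and a Security Group as an allow-only, connection-tracking filter, then runs the SSH scenario above through both. The addresses and rule numbers are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    direction: str   # "in" = toward the instance/subnet, "out" = away from it


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str       # "tcp", "udp" or "all"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int
    port_to: int
    action: str = "allow"   # NACLs may also say "deny"; Security Groups cannot
    number: int = 0         # NACL rule number; ignored for Security Groups


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction or rule.proto not in ("all", pkt.proto):
        return False
    peer = pkt.src if pkt.direction == "in" else pkt.dst
    if ipaddress.ip_address(peer) not in ipaddress.ip_network(rule.cidr):
        return False
    return rule.port_from <= pkt.dport <= rule.port_to


def nacl_evaluate(rules, pkt: Packet) -> str:
    """Stateless: each packet is judged alone, the lowest matching rule number
    wins, and the implicit '*' rule denies anything left over."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action
    return "deny"


class SecurityGroup:
    """Stateful: rules are allow-only and evaluated together (no ordering), and a
    packet answering an already-admitted flow passes without any rule."""

    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]
        self.tracked = set()   # 5-tuples of flows this group has admitted

    def evaluate(self, pkt: Packet) -> str:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.tracked:
            return "allow"
        if any(_matches(r, pkt) for r in self.rules):
            self.tracked.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "allow"
        return "deny"


def demo() -> dict:
    """Constructed scenario: an admin at 203.0.113.10 opens SSH to 10.0.1.20."""
    client, server = "203.0.113.10", "10.0.1.20"
    syn = Packet(client, 51515, server, 22, "tcp", "in")
    syn_ack = Packet(server, 22, client, 51515, "tcp", "out")   # the reply
    bad_syn = Packet("203.0.113.99", 40000, server, 22, "tcp", "in")

    # NACL with only the obvious inbound rule: replies never make it out.
    nacl_half = [Rule("in", "tcp", "203.0.113.0/24", 22, 22, "allow", 100)]
    # Add the ephemeral-port outbound rule and the reply passes.
    nacl_full = nacl_half + [Rule("out", "tcp", "0.0.0.0/0", 1024, 65535, "allow", 100)]
    # A lower-numbered deny beats the later allow for one host inside the same /24.
    nacl_block = [Rule("in", "tcp", "203.0.113.99/32", 22, 22, "deny", 90)] + nacl_full

    # Security Group with the same single inbound rule and no outbound rules at all.
    sg = SecurityGroup([Rule("in", "tcp", "203.0.113.0/24", 22, 22)])

    return {
        "nacl_syn": nacl_evaluate(nacl_half, syn),
        "nacl_reply_no_ephemeral": nacl_evaluate(nacl_half, syn_ack),
        "nacl_reply_with_ephemeral": nacl_evaluate(nacl_full, syn_ack),
        "nacl_bad_host_without_deny": nacl_evaluate(nacl_full, bad_syn),
        "nacl_bad_host_with_deny": nacl_evaluate(nacl_block, bad_syn),
        "sg_syn": sg.evaluate(syn),
        "sg_reply": sg.evaluate(syn_ack),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {verdict}")
```

The two results worth remembering: the Security Group lets the SYN/ACK out with no outbound rule at all because it remembers the inbound flow, while the NACL drops the same packet until an outbound rule covering ports 1024-65535 exists; and a deny numbered 90 wins over an allow numbered 100 even though the allow's /24 also covers the host.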

VPC Connectivity Options and Hybrid Architecture

The Solutions Architect exam extensively covers methods for connecting VPCs to on-premises networks and to other VPCs. Each option has distinct tradeoffs in setup time, cost, and performance.

Site-to-Site VPN

Site-to-Site VPN is the fundamental connection option, using encrypted IPsec tunnels over the internet. You establish a Virtual Private Gateway (VGW) on the AWS side and a Customer Gateway representing the on-premises device; each VPN connection comes with two tunnels terminating on different AWS endpoints, and you should configure both for redundancy. VPN is quick to set up, but throughput is capped per tunnel and latency depends on the internet path.

AWS Direct Connect

AWS Direct Connect provides a dedicated physical connection that offers consistent network performance and lower latency compared to VPN. Setup takes longer and costs significantly more. For exam purposes, remember that Direct Connect is preferred when you need guaranteed bandwidth, low latency, or large data transfer volumes. Note that Direct Connect is a private link, not an encrypted one: if the data must be encrypted in transit, run a Site-to-Site VPN over the Direct Connect connection (or use MACsec where the connection type supports it).

VPC Peering and Transit Gateway

VPC Peering connects exactly two VPCs, which may belong to different accounts or Regions, so that traffic between them stays on the AWS network as if they shared one network. Their CIDR blocks must not overlap, and you must add routes on both sides pointing at the peering connection; letting each side resolve the other's private DNS hostnames is an optional setting. Peering is not transitive: peering A with B and B with C gives A no path to C.

Transit Gateway is a hub-and-spoke architecture that simplifies connecting multiple VPCs and on-premises networks. It eliminates the need for mesh peering and is essential for large organizations with many VPCs.

VPC Endpoints

VPC endpoints come in two types. Gateway endpoints exist only for S3 and DynamoDB; they are free and work by adding a route for the service's prefix list to the route table. Interface endpoints use AWS PrivateLink, place an elastic network interface in your subnet, are protected by a Security Group like any other interface, and bill per hour and per GB. Both accept an endpoint policy that restricts which principals and resources can be reached through them, which is how you keep a private subnet from exfiltrating to an arbitrary bucket. The exam tests whether you understand the availability, scalability, and cost differences between these and the other connectivity options.

Routing, DNS, and Traffic Management

Route tables are the core routing mechanism in VPCs, determining how packets are directed based on destination IP addresses. Each route consists of a destination CIDR block and a target (Internet Gateway, NAT Gateway, Virtual Private Gateway, peering connection, or transit gateway).

Route Priority and Configuration

Routes are evaluated by longest prefix match, so a /32 route takes precedence over a /16 route, which in turn beats the 0.0.0.0/0 default, regardless of the order the routes were added. The local route, which covers the VPC's own CIDR block, is created automatically and cannot be deleted. When designing multi-tier architectures, you typically create separate route tables for public and private subnets.

Public route tables include a default route (0.0.0.0/0) pointing to an Internet Gateway. Private route tables route internet traffic through a NAT Gateway in a public subnet. For hybrid architectures, route tables include routes for on-premises CIDR blocks pointing to a Virtual Private Gateway.
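The following lookup, written for this guide rather than taken from the page or from AWS, shows longest-prefix matching against a hypothetical private-subnet route table. The targets are descriptive labels standing in for real resource IDs, and one route deliberately has no live target to show how a black hole behaves.

```python
import ipaddress
from typing import Optional

# Hypothetical route table for a private subnet. Targets are descriptive labels,
# not real AWS resource IDs.
PRIVATE_SUBNET_ROUTES = [
    ("10.0.0.0/16",    "local"),               # the VPC's own block, created by AWS
    ("0.0.0.0/0",      "nat-gateway-az-a"),    # default route: internet via NAT
    ("10.20.0.0/16",   "peering-shared-vpc"),  # a peered VPC
    ("10.20.1.5/32",   "transit-gateway"),     # one host pinned through the TGW
    ("172.16.0.0/12",  "virtual-private-gw"),  # on-premises ranges via VPN/DX
    ("192.168.0.0/16", None),                  # target deleted: a blackhole route
]


def lookup_route(routes, dst_ip: str) -> Optional[str]:
    """Return the target for dst_ip using longest-prefix match.

    Table order is irrelevant; the most specific matching CIDR wins.
    Returns None when nothing matches or the winning route has no live target,
    which is the 'silently dropped' case the troubleshooting notes warn about.
    """
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def blackhole_routes(routes) -> list:
    """Destination CIDRs whose target is missing (for example a deleted NAT gateway)."""
    return [cidr for cidr, target in routes if target is None]


if __name__ == "__main__":
    for ip in ("10.0.3.4", "10.20.1.5", "10.20.9.9", "172.16.1.1", "8.8.8.8", "192.168.1.1"):
        print(f"{ip:14} -> {lookup_route(PRIVATE_SUBNET_ROUTES, ip)}")
    print("blackholes:", blackhole_routes(PRIVATE_SUBNET_ROUTES))
```

Note that 192.168.1.1 is covered by the default route as well, but the more specific /16 wins and its missing target drops the packet; this is exactly what happens in a real table when the NAT gateway or peering connection a route points at is deleted, so check for blackhole routes before blaming Security Groups.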

DNS and Private Hosted Zones

Route 53 private hosted zones resolve names only from the VPCs they are associated with, which lets you keep internal names out of public DNS. Resolution inside a VPC depends on the VPC's enableDnsSupport and enableDnsHostnames attributes being on. Route 53 also appears in VPC scenarios for health-check based failover between endpoints, and, in hybrid designs, Route 53 Resolver inbound and outbound endpoints forward queries between on-premises DNS servers and the VPC.

Traffic Management Beyond Routing

For traffic management beyond basic routing, use Network Load Balancers (NLBs) for layer 4 (TCP, UDP, TLS) at very high throughput with a static IP per AZ, and Application Load Balancers for layer 7 content-based routing on host, path, or headers. Also understand the difference between static routes you add by hand and routes that a Virtual Private Gateway propagates into the route table after learning on-premises prefixes over BGP from Direct Connect or a BGP-enabled VPN.

VPC Design Patterns and Best Practices for the Exam

High-availability VPC design requires spreading resources across multiple Availability Zones with redundant components at each layer. A best-practice architecture includes public and private subnets in each AZ, a NAT Gateway in each AZ's public subnet, and a private route table per AZ pointing at that AZ's own NAT Gateway. This keeps an AZ outage from cutting off egress for the other AZs and avoids paying cross-AZ data transfer for every outbound byte.

Security Best Practices

For security, implement the principle of least privilege by creating a specific Security Group for each tier (web tier, application tier, database tier) and allowing each tier only from the Security Group of the tier in front of it, rather than from CIDR ranges. Avoid overly permissive rules such as 0.0.0.0/0 on administrative ports. Network segmentation through private subnets isolates sensitive resources from the internet. Enable VPC Flow Logs to capture network traffic metadata for troubleshooting and security analysis.

When designing for compliance requirements like PCI DSS or HIPAA, you must implement proper network isolation. You must also maintain audit trails of network traffic.

Cost Optimization

Cost optimization for VPC starts with the NAT Gateway, which is billed per hour and per GB processed and cannot be sized down (only self-managed NAT instances can). Route S3 and DynamoDB traffic through free gateway endpoints, and consider interface endpoints for other AWS services so that traffic to them never crosses the NAT Gateway at all. Other strategies include consolidating VPCs where possible and keeping traffic within an AZ to avoid cross-AZ transfer charges. The exam often presents scenarios requiring cost-effective network design without sacrificing security or availability.

Common Architectural Mistakes

Common mistakes include creating too many VPCs (increasing operational complexity), insufficient use of private subnets (exposing databases to internet), misconfiguring route tables (causing traffic black holes), and failing to implement redundant NAT Gateways. Practice scenarios that require you to identify and fix these architectural flaws, as the exam frequently includes flawed designs you must critique.

Start Studying AWS VPC Networking

Master VPC architecture, security controls, and connectivity options with interactive flashcards designed for AWS Solutions Architect certification. Practice spaced repetition learning to build pattern recognition for exam scenarios.


Frequently Asked Questions

What is the difference between a public subnet and a private subnet in AWS VPC?

A public subnet has a route table entry that directs internet-bound traffic (0.0.0.0/0) to an Internet Gateway. This allows resources with public IP addresses to communicate directly with the internet. A private subnet lacks this direct route to the Internet Gateway.

Instead, private subnets typically route internet traffic through a NAT Gateway located in a public subnet. Resources in private subnets cannot initiate outbound connections to the internet unless using a NAT Gateway. They also cannot be directly accessed from the internet.

For the AWS Solutions Architect exam, understand that web servers are typically placed in public subnets while databases and application servers are placed in private subnets for security. Private subnets are preferred for sensitive workloads because they limit exposure to internet-based attacks while still allowing controlled outbound connectivity.

Why are flashcards effective for mastering VPC networking concepts?

VPC networking involves many components with interconnected relationships and specific use cases. This makes it ideal for spaced repetition learning through flashcards. Flashcards break complex topics into atomic concepts. Examples include "What does a Network ACL do?" or "When should you use a VPC endpoint versus NAT Gateway?"

You can practice these repeatedly to strengthen long-term retention and pattern recognition crucial for exam performance. Flashcards force active recall, which is more effective than passive reading. Your brain must retrieve information rather than simply recognizing it.

For VPC networking, flashcards work particularly well for memorizing CIDR notation calculations, the differences between stateful and stateless firewalls, routing priority rules, and which connectivity option suits different scenarios. Consistently practicing with flashcards develops the automatic pattern matching necessary to quickly identify the correct solution in timed exam questions.

What are the key differences between Site-to-Site VPN and AWS Direct Connect?

Site-to-Site VPN establishes encrypted connections over the public internet using IPSec tunnels. It is quick to set up (usually hours), costs less, and works globally. However, performance depends on internet quality and provides variable latency.

AWS Direct Connect establishes a dedicated physical connection to AWS infrastructure. It offers consistent high performance, lower latency, and higher available bandwidth. Setup takes weeks because AWS must physically provision the connection, and it costs significantly more.

For the exam, remember that VPN is suitable for smaller organizations or non-critical workloads tolerating variable performance. Direct Connect suits large enterprises moving significant data or running latency-sensitive applications. It provides stable bandwidth guarantees, making it better for real-time applications like video streaming or financial trading. A hybrid approach uses both: Direct Connect for normal operations and VPN as failover backup.

How do you troubleshoot connectivity issues between a private subnet and the internet?

Start by verifying the Network ACL rules allow both inbound and outbound traffic on the required ports. Remember that NACLs are stateless. Check the route table associated with the private subnet. It must have a route for the destination IP range pointing to a NAT Gateway or NAT instance.

Verify the NAT Gateway has an Elastic IP and is located in a public subnet with internet access. Confirm that the public subnet containing the NAT Gateway has a route table with 0.0.0.0/0 pointing to the Internet Gateway.

Review Security Group rules on the instance. Verify outbound rules permit traffic to the destination, and that the destination accepts return traffic. Check VPC Flow Logs to capture actual network traffic and identify where packets are being dropped.

A common misconfiguration involves route tables that don't include the required routes, causing packets to be silently dropped. Another issue is NAT Gateways in private subnets, which cannot function because they cannot reach the Internet Gateway.
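Both the security best practices section and the troubleshooting answer above point at VPC Flow Logs as the place to see where packets are dropped. The parser below is written for this guide (it is not code from the page or an AWS tool) and works on the default version 2 record format. It runs over constructed sample records (placeholder account ID and interface names, RFC 5737 documentation addresses) and gives two views: which destination ports are being rejected, for troubleshooting, and which outside hosts are probing many ports, for security analysis.

```python
from collections import Counter, defaultdict

# Field order of the default (version 2) VPC Flow Logs record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]
INT_FIELDS = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample records: placeholder account ID and ENI names, RFC 5737
# addresses for the outside world, 10.0.1.20 = web tier, 10.0.2.30 = db tier.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080]
SAMPLE_LINES = [
    # admin SSH session, both directions ACCEPTed
    "2 111122223333 eni-placeholder01 203.0.113.10 10.0.1.20 51515 22 6 20 4249 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-placeholder01 10.0.1.20 203.0.113.10 22 51515 6 18 3120 1700000000 1700000060 ACCEPT OK",
    # web tier -> db tier on 3306 dropped: a missing Security Group or NACL rule
    "2 111122223333 eni-placeholder02 10.0.1.20 10.0.2.30 44120 3306 6 3 180 1700000000 1700000060 REJECT OK",
    # an interval with no traffic on the interface
    "2 111122223333 eni-placeholder01 - - - - - - - 1700000000 1700000060 - NODATA",
] + [
    # one outside host probing many ports on the web tier, all dropped
    f"2 111122223333 eni-placeholder01 198.51.100.7 10.0.1.20 {41000 + i} {port} 6 1 44 "
    f"1700000000 1700000060 REJECT OK"
    for i, port in enumerate(SCAN_PORTS)
]


def parse_record(line: str) -> dict:
    """Parse one default-format record; '-' fields (NODATA/SKIPDATA rows) become None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for field in INT_FIELDS:
        rec[field] = None if rec[field] == "-" else int(rec[field])
    return rec


def parse_log(lines) -> list:
    return [parse_record(line) for line in lines if line.strip()]


def rejected_flows(records) -> Counter:
    """Troubleshooting view: which (destination, port) pairs are dropped, and how often."""
    return Counter((r["dstaddr"], r["dstport"]) for r in records if r["action"] == "REJECT")


def suspected_scanners(records, min_ports: int = 8) -> list:
    """Security view: sources whose REJECTed flows touched many distinct ports on one host."""
    ports_by_pair = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports_by_pair[(r["srcaddr"], r["dstaddr"])].add(r["dstport"])
    return sorted({src for (src, _dst), ports in ports_by_pair.items()
                   if len(ports) >= min_ports})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LINES)
    for (dst, port), n in rejected_flows(recs).most_common():
        print(f"REJECT {dst}:{port} x{n}")
    print("suspected scanners:", suspected_scanners(recs))
```

Two caveats when reading real output: a REJECT tells you a Security Group or NACL dropped the flow but not which one, so pair it with the rule review above; and an ACCEPT only means the filters let the packets through, not that the application on the far side answered, so an accepted flow to a port nothing listens on still looks healthy in the log.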

What study strategy should I use to prepare for VPC networking on the Solutions Architect exam?

Begin by understanding the fundamental architecture of a well-designed VPC with public and private subnets. Understand how traffic flows through each component. Create flashcards for core concepts: definitions, CIDR notation rules, component relationships, and use cases for each connectivity option.

Progress to scenario-based flashcards presenting architecture problems that require identifying the correct solution. Practice with exam-style questions that present flawed architectures you must critique. Use AWS documentation to understand the specific capabilities and limitations of each component.

Build test VPCs in the AWS free tier. Hands-on practice solidifies understanding better than studying alone. Study connectivity options by comparing Direct Connect versus VPN across dimensions like setup time, cost, performance, and use cases.

Focus heavily on route table configuration, Security Group rules, and NACL rules. The exam frequently tests these. Finally, review common architecture patterns like hub-and-spoke with Transit Gateway, multi-tier applications with proper subnet isolation, and high-availability designs with multiple AZs. Spending 30 minutes daily with focused flashcard study for 2-3 weeks should provide solid VPC mastery.