
Network Architecture Before Compute

Every cloud environment begins with a network.

Not with instances.
Not with containers.
Not with databases.

With networking.

If your VPC is poorly designed:

  • Security boundaries collapse
  • Scaling becomes chaotic
  • Traffic flow becomes unpredictable
  • Costs increase
  • Failure domains expand

Cloud reliability begins with segmentation.


1. CIDR Block Planning

Designing for Growth, Not Today

Your VPC begins with a CIDR block.

Example:

10.0.0.0/16

This gives you 65,536 addresses. Note that AWS reserves the first four and the last address of every subnet, so a /24 carved from this block yields 251 usable host addresses, not 256.

Why not use something smaller?

Because production systems grow.

Poor CIDR planning results in:

  • Overlapping networks
  • Re-architecture during scaling
  • Migration complexity
  • VPN conflicts

Recommended Strategy

For production-style labs:

VPC CIDR: 10.0.0.0/16

Divide into subnets:

Public Subnet AZ-A:   10.0.1.0/24
Public Subnet AZ-B:   10.0.2.0/24
Private App AZ-A:     10.0.10.0/24
Private App AZ-B:     10.0.20.0/24
Private DB AZ-A:      10.0.100.0/24
Private DB AZ-B:      10.0.110.0/24

This creates logical separation.

Segmentation is intentional, not accidental.
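The plan above, checked mechanically. This is an added example using only the Python standard library, not code from the original page; the subnet names, the peer ranges passed to conflicts_with and the reserved-address count are this example's own assumptions (the five reserved addresses per subnet are AWS behaviour; the names are invented).

```python
# Added example: validate the /16 plan from the text with the standard
# library. Catches the failures poor CIDR planning causes: subnets that
# do not fit the VPC, subnets that overlap each other, and a VPC range
# that collides with a peered VPC or VPN network.
import ipaddress
from typing import Dict, List

VPC_CIDR = "10.0.0.0/16"

# Tier/AZ plan from the text. The names are this example's own.
SUBNET_PLAN = {
    "public-a": "10.0.1.0/24",
    "public-b": "10.0.2.0/24",
    "app-a":    "10.0.10.0/24",
    "app-b":    "10.0.20.0/24",
    "db-a":     "10.0.100.0/24",
    "db-b":     "10.0.110.0/24",
}

# AWS reserves the first four and the last address of every subnet
# (network, VPC router, DNS, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr: str) -> int:
    """Addresses an instance can actually take in an AWS subnet of this size."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_plan(vpc_cidr: str, plan: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the plan is sound."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside the VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def conflicts_with(vpc_cidr: str, other_cidrs: List[str]) -> List[str]:
    """Ranges (on-prem, VPN, peered VPC) that collide with this VPC's CIDR.

    An overlapping range cannot be routed to: the local route for the VPC
    CIDR always wins, so peering or VPN traffic to it never leaves the VPC.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    return [c for c in other_cidrs if ipaddress.ip_network(c).overlaps(vpc)]


def remaining_space(vpc_cidr: str, plan: Dict[str, str]) -> int:
    """Addresses of the VPC not yet allocated to any subnet: headroom for growth."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = sum(ipaddress.ip_network(c).num_addresses for c in plan.values())
    return vpc.num_addresses - used


if __name__ == "__main__":
    print("problems:", validate_plan(VPC_CIDR, SUBNET_PLAN))
    print("usable hosts per /24:", usable_hosts("10.0.1.0/24"))
    print("unallocated addresses:", remaining_space(VPC_CIDR, SUBNET_PLAN))
    # Constructed peer ranges: one second VPC that collides, two that do not.
    print("conflicts:", conflicts_with(VPC_CIDR, ["10.0.0.0/16", "10.1.0.0/16", "172.16.0.0/12"]))
```

Run it before you build anything: a plan that fails validate_plan or shows a conflict with a network you will later need to peer with is the re-architecture the text warns about, found while it is still free to fix.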


2. Public vs Private Subnet Segmentation

Controlling Exposure

Not every resource should face the internet.

Public Subnet

Has route to Internet Gateway.

Used for:

  • Load balancers
  • Bastion hosts
  • Reverse proxies

The public subnet is the controlled entry point.


Private Subnet

No direct internet route.

Used for:

  • Application servers
  • Databases
  • Internal services

A private subnet reduces attack surface: nothing in it can be reached from the internet directly.


Production Flow Model

Internet

Internet Gateway

Public Subnet (Load Balancer)

Private App Subnet

Private DB Subnet

A database should never live in a public subnet.

If it does, the architecture is flawed.


3. Internet Gateway vs NAT Gateway

Understanding Traffic Direction

Cloud networking depends on controlled routing.


Internet Gateway (IGW)

  • Allows inbound and outbound traffic
  • Attached to the VPC (one per VPC)
  • Required for public subnets

If a subnet's route table contains:

0.0.0.0/0 → IGW

that subnet is public.

One caveat: the route alone does not expose an instance. An instance in a public subnet is reachable from the internet, and can reach out through the IGW, only if it also has a public or Elastic IP address.


NAT Gateway

  • Allows outbound connections only
  • Used by private subnets
  • Drops unsolicited inbound internet traffic (replies to connections the instance opened are allowed back)

Private instances need updates and package installs.

They reach the internet through the NAT Gateway. The NAT Gateway itself sits in a public subnet and uses that subnet's IGW route to get out.

But the internet cannot initiate a connection back.


Architectural Principle

Public subnet → IGW
Private subnet → NAT

Never give a private subnet's route table a 0.0.0.0/0 route to the IGW. That route is exactly what makes a subnet public.


4. Route Tables & Traffic Flow

Routing Defines Behavior

Every subnet is associated with a route table. A subnet with no explicit association silently uses the VPC's main route table, so check that one too.

Public Route Table:

10.0.0.0/16 → local
0.0.0.0/0 → Internet Gateway

Private Route Table:

10.0.0.0/16 → local
0.0.0.0/0 → NAT Gateway

If traffic fails:

Check the route table before checking the instance.

Many connectivity failures are routing misconfigurations: a missing default route, a subnet that fell back to the main route table, or a default route whose target (for example a deleted NAT Gateway) has gone to the blackhole state.
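Sections 2 to 4 together describe a rule a script can check: a subnet is public if and only if its effective route table sends 0.0.0.0/0 to an IGW, and app and database tiers must never be public. The following added example (not from the original page) applies that rule to route-table and subnet records laid out in the shape the EC2 DescribeRouteTables and DescribeSubnets APIs return. All IDs, the "Tier" tag and the tables themselves are constructed for the example; in a real account you would feed the output of those API calls in instead.

```python
# Added example: classify subnets as public/private/isolated from their
# route tables and flag the designs the text calls flawed. Data below is
# constructed in the DescribeRouteTables/DescribeSubnets response shape;
# IDs and the "Tier" tag convention are invented for this example.
from typing import Dict, List, Optional

SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a", "Tags": [{"Key": "Tier", "Value": "public"}]},
    {"SubnetId": "subnet-app-a", "AvailabilityZone": "us-east-1a", "Tags": [{"Key": "Tier", "Value": "app"}]},
    {"SubnetId": "subnet-db-a",  "AvailabilityZone": "us-east-1a", "Tags": [{"Key": "Tier", "Value": "db"}]},
    {"SubnetId": "subnet-db-b",  "AvailabilityZone": "us-east-1b", "Tags": [{"Key": "Tier", "Value": "db"}]},
]

LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
ROUTE_TABLES = [
    {   # public: default route to the IGW
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-pub-a", "Main": False}],
        "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d", "State": "active"}],
    },
    {   # private: default route to a NAT Gateway
        "RouteTableId": "rtb-private-a",
        "Associations": [{"SubnetId": "subnet-app-a", "Main": False}],
        "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0f1e2d3c", "State": "active"}],
    },
    {   # the flaw from section 2: a DB subnet routed straight to the IGW
        "RouteTableId": "rtb-oops",
        "Associations": [{"SubnetId": "subnet-db-a", "Main": False}],
        "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0a1b2c3d", "State": "active"}],
    },
    {   # main table: used by any subnet with no explicit association (subnet-db-b here)
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [LOCAL],
    },
]


def route_table_for(subnet_id: str, route_tables: List[dict]) -> Optional[dict]:
    """The subnet's effective route table: its explicit association, else the main table."""
    main = None
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rtb
            if assoc.get("Main"):
                main = rtb
    return main


def default_route(rtb: dict) -> Optional[dict]:
    return next((r for r in rtb.get("Routes", []) if r.get("DestinationCidrBlock") == "0.0.0.0/0"), None)


def classify(subnet_id: str, route_tables: List[dict]) -> str:
    """'public', 'private', 'isolated', 'broken' or 'other' (TGW, VPN, peering)."""
    rtb = route_table_for(subnet_id, route_tables)
    route = default_route(rtb) if rtb else None
    if route is None:
        return "isolated"          # local traffic only; no path to the internet at all
    if route.get("State") != "active":
        return "broken"            # e.g. blackhole: the NAT Gateway behind it was deleted
    if str(route.get("GatewayId", "")).startswith("igw-"):
        return "public"
    if route.get("NatGatewayId"):
        return "private"
    return "other"


def tier_of(subnet: dict) -> str:
    return next((t["Value"] for t in subnet.get("Tags", []) if t["Key"] == "Tier"), "unknown")


def audit(subnets: List[dict], route_tables: List[dict]) -> List[str]:
    """Findings for every subnet whose exposure contradicts its tier."""
    findings = []
    for s in subnets:
        kind, tier = classify(s["SubnetId"], route_tables), tier_of(s)
        if tier in ("app", "db") and kind == "public":
            findings.append(f"{s['SubnetId']} ({tier}) has a default route to the IGW: private tier exposed")
        elif tier == "public" and kind != "public":
            findings.append(f"{s['SubnetId']} (public) has no IGW default route: entry point unreachable")
        elif kind == "broken":
            findings.append(f"{s['SubnetId']} ({tier}) default route is not active: outbound traffic black-holed")
    return findings


if __name__ == "__main__":
    for s in SUBNETS:
        print(s["SubnetId"], tier_of(s), "->", classify(s["SubnetId"], ROUTE_TABLES))
    print(audit(SUBNETS, ROUTE_TABLES))
```

Note what subnet-db-b does: it has no association of its own, so it inherits the main table and comes out "isolated". That is acceptable for a database tier, but it happened by accident, which is the "main route table" trap from section 4. If the main table had carried an IGW route, the accident would have made the database public.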


5. Availability Zones & High Availability

Designing for Failure

Single-AZ deployment is not resilient.

Hardware fails.
AZs fail.
Power fails.

High availability requires:

  • Multiple subnets across AZs
  • Load balancer spanning AZs
  • App instances distributed
  • Database replication

Multi-AZ Architecture Example

AZ-A:
Public Subnet
Private App Subnet
Private DB Subnet

AZ-B:
Public Subnet
Private App Subnet
Private DB Subnet

Load balancer routes across AZs.

If one AZ fails:

The load balancer's health checks stop sending traffic to it, and requests shift to the healthy AZ automatically.

Redundancy must be deliberate.


6. Failure Domains

Understanding Blast Radius

A failure domain is the scope of impact when something breaks.

Poor design:

  • All instances in one subnet
  • All services in one AZ
  • No separation between tiers

Result:

Single failure = total outage.

Proper segmentation limits blast radius.
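Sections 5 and 6 can be turned into a check: for each AZ, which tiers drop to zero capacity if that AZ is lost? The following is an added example, not from the original page; the two placements and the tier and AZ names in it are constructed. The "poor" placement is the single-AZ design the text describes, the "good" one is the multi-AZ layout from section 5.

```python
# Added example: measure the blast radius of losing one Availability Zone
# for a given placement of resources. Placements, tiers and AZ names below
# are constructed for the example.
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Each entry: (resource name, tier, availability zone)
GOOD_PLACEMENT: List[Tuple[str, str, str]] = [
    ("web-1", "app", "az-a"), ("web-2", "app", "az-b"),
    ("db-primary", "db", "az-a"), ("db-replica", "db", "az-b"),
    ("nat-a", "nat", "az-a"), ("nat-b", "nat", "az-b"),
]

# The "poor design" from the text: every tier lives in one AZ.
POOR_PLACEMENT: List[Tuple[str, str, str]] = [
    ("web-1", "app", "az-a"), ("web-2", "app", "az-a"),
    ("db-primary", "db", "az-a"),
    ("nat-a", "nat", "az-a"),
]


def capacity_by_tier(placement, lost_az: Optional[str] = None) -> Dict[str, int]:
    """Resources per tier, optionally with one AZ removed from service."""
    cap: Dict[str, int] = defaultdict(int)
    for _, tier, az in placement:
        if az != lost_az:
            cap[tier] += 1
    for _, tier, _ in placement:      # keep tiers that dropped to zero visible
        cap.setdefault(tier, 0)
    return dict(cap)


def blast_radius(placement) -> Dict[str, List[str]]:
    """For each AZ, the tiers that have no capacity left if that AZ is lost."""
    azs = sorted({az for _, _, az in placement})
    return {az: sorted(t for t, n in capacity_by_tier(placement, az).items() if n == 0)
            for az in azs}


def single_az_tiers(placement) -> List[str]:
    """Tiers whose every resource sits in one AZ: one failure takes the tier out."""
    az_by_tier: Dict[str, set] = defaultdict(set)
    for _, tier, az in placement:
        az_by_tier[tier].add(az)
    return sorted(t for t, azs in az_by_tier.items() if len(azs) < 2)


def is_multi_az_resilient(placement) -> bool:
    """True when no single AZ loss empties any tier."""
    return all(not lost for lost in blast_radius(placement).values())


if __name__ == "__main__":
    for name, placement in (("good", GOOD_PLACEMENT), ("poor", POOR_PLACEMENT)):
        print(name, "blast radius:", blast_radius(placement))
        print(name, "single-AZ tiers:", single_az_tiers(placement))
        print(name, "resilient:", is_multi_az_resilient(placement))
```

The "nat" tier is included deliberately: a single NAT Gateway is a failure domain of its own, because every private subnet routed through it loses outbound access when its AZ goes down. That is the reflection question in section 9.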


7. Cost Awareness in Network Design

NAT Gateways cost money.

Cross-AZ traffic costs money.

Over-segmentation increases complexity.

Architecture is trade-off:

Security
Resilience
Cost

No design is free.


8. Lab Assignment

Design a VPC with:

  • /16 CIDR
  • Two public subnets (AZ-A and AZ-B)
  • Two private app subnets
  • Two private database subnets
  • Internet Gateway attached
  • NAT Gateway for private subnets
  • Proper route tables

Document:

  • Why each subnet exists
  • Why database is private
  • What happens if NAT fails
  • How traffic flows from internet to database

Deliverable:

Architecture diagram + written explanation.

If you cannot explain traffic path, you do not understand your network.


9. Production Reflection

Consider:

  • What happens if IGW is detached?
  • What happens if NAT fails?
  • How would you make NAT highly available?
  • What is the cost trade-off of multi-AZ NAT?

Architecture is anticipating failure.


Module Completion Criteria

You are ready for Module 2 when:

  • You understand CIDR planning
  • You can explain public vs private segmentation
  • You understand IGW vs NAT roles
  • You can trace packet flow across subnets
  • You understand AZ redundancy

Next:

→ Module 2 – Security Groups & IAM Strategy
