Trisul's Blog

Network & Cloud Engineering Insights

Building Secure AWS VPC Networks: Complete Architecture Guide

Written by Trisul

Designing a secure and scalable AWS VPC requires careful planning of subnets, route tables, security groups, and network access control lists. In this comprehensive guide, you'll learn how to architect enterprise-grade VPC networks that follow AWS best practices for security and performance.

VPC Architecture Components

  • VPC: Your isolated network environment in AWS
  • Subnets: Public and private network segments
  • Route Tables: Control traffic routing between subnets
  • Security Groups: Instance-level firewall rules
  • NACLs: Subnet-level network access control

Step 1: Plan Your CIDR Blocks

# Main VPC CIDR
VPC CIDR: 10.0.0.0/16

# Public Subnets (for load balancers, NAT gateways)
Public Subnet AZ-1a: 10.0.1.0/24
Public Subnet AZ-1b: 10.0.2.0/24

# Private Subnets (for application servers)
Private Subnet AZ-1a: 10.0.10.0/24
Private Subnet AZ-1b: 10.0.20.0/24

# Database Subnets (for RDS, ElastiCache)
DB Subnet AZ-1a: 10.0.100.0/24
DB Subnet AZ-1b: 10.0.200.0/24

Step 2: Create VPC and Subnets

# Create VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=MyVPC}]'

# Create Internet Gateway
aws ec2 create-internet-gateway --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=MyIGW}]'

# Attach IGW to VPC
aws ec2 attach-internet-gateway --vpc-id vpc-12345678 --internet-gateway-id igw-87654321

Step 3: Configure Route Tables

# Create custom route table for public subnets
aws ec2 create-route-table --vpc-id vpc-12345678 --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=PublicRouteTable}]'

# Add route to Internet Gateway
aws ec2 create-route --route-table-id rtb-12345678 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-87654321

# Associate public subnets with public route table
aws ec2 associate-route-table --subnet-id subnet-12345678 --route-table-id rtb-12345678

Step 4: Set Up NAT Gateway for Private Subnets

# Allocate Elastic IP for NAT Gateway
aws ec2 allocate-address --domain vpc

# Create NAT Gateway in public subnet
aws ec2 create-nat-gateway --subnet-id subnet-12345678 --allocation-id eipalloc-12345678

# Create route table for private subnets
aws ec2 create-route-table --vpc-id vpc-12345678 --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=PrivateRouteTable}]'

# Add route to NAT Gateway
aws ec2 create-route --route-table-id rtb-87654321 --destination-cidr-block 0.0.0.0/0 --nat-gateway-id nat-12345678

Step 5: Configure Security Groups

# Web Server Security Group
aws ec2 create-security-group --group-name WebServerSG --description "Security group for web servers" --vpc-id vpc-12345678

# Allow HTTP and HTTPS from anywhere
aws ec2 authorize-security-group-ingress --group-id sg-12345678 --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id sg-12345678 --protocol tcp --port 443 --cidr 0.0.0.0/0

# Allow SSH from bastion host only
aws ec2 authorize-security-group-ingress --group-id sg-12345678 --protocol tcp --port 22 --source-group sg-87654321

Step 6: Network ACLs for Additional Security

# Create custom NACL
aws ec2 create-network-acl --vpc-id vpc-12345678 --tag-specifications 'ResourceType=network-acl,Tags=[{Key=Name,Value=WebTierNACL}]'

# Allow inbound HTTP (rule 100) and HTTPS (rule 110)
aws ec2 create-network-acl-entry --network-acl-id acl-12345678 --rule-number 100 --protocol tcp --port-range From=80,To=80 --cidr-block 0.0.0.0/0 --rule-action allow
aws ec2 create-network-acl-entry --network-acl-id acl-12345678 --rule-number 110 --protocol tcp --port-range From=443,To=443 --cidr-block 0.0.0.0/0 --rule-action allow

# Allow outbound responses on ephemeral ports (NACLs are stateless, so return traffic needs its own rule)
aws ec2 create-network-acl-entry --network-acl-id acl-12345678 --rule-number 100 --protocol tcp --port-range From=1024,To=65535 --cidr-block 0.0.0.0/0 --rule-action allow --egress

Best Practices for VPC Security

  • Use multiple Availability Zones for high availability
  • Implement least privilege access with security groups
  • Use VPC Flow Logs for network monitoring
  • Enable GuardDuty for threat detection
  • Use AWS Config for compliance monitoring
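To check the "least privilege with security groups" practice against the rules from Step 5, here is an added audit script (not part of the original post) that reads the JSON shape returned by `aws ec2 describe-security-groups --output json` and flags any ingress rule open to 0.0.0.0/0 or ::/0 other than single-port TCP 80/443. The sample input is constructed: it contains the page's WebServerSG plus a hypothetical over-permissive group.

```python
# Ports the web tier deliberately exposes to the world (HTTP/HTTPS).
PUBLIC_OK_PORTS = {80, 443}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _ports(perm):
    """Return (from, to) for a permission; IpProtocol -1 means all ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def audit_security_groups(describe_output):
    """Return (group id, protocol, from, to, cidr) for every ingress rule that
    exposes anything beyond single-port TCP 80/443 to any source address."""
    findings = []
    for sg in describe_output["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            lo, hi = _ports(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in ANYWHERE:
                    continue  # scoped source: not a world-exposure finding
                if perm["IpProtocol"] == "tcp" and lo == hi and lo in PUBLIC_OK_PORTS:
                    continue  # expected public web port
                findings.append((sg["GroupId"], perm["IpProtocol"], lo, hi, cidr))
    return findings


# Constructed sample in describe-security-groups shape: the page's WebServerSG
# (80/443 from anywhere, SSH only from bastion group sg-87654321) and a
# hypothetical group that opens SSH and all traffic to the world.
SAMPLE = {"SecurityGroups": [
    {"GroupId": "sg-12345678", "GroupName": "WebServerSG", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-87654321"}]}]},
    {"GroupId": "sg-0bad0000", "GroupName": "hypothetical-open", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]}]}

if __name__ == "__main__":
    for gid, proto, lo, hi, cidr in audit_security_groups(SAMPLE):
        print(f"{gid}: {proto} {lo}-{hi} open to {cidr}")
```

Point it at real output with `json.load(open("sgs.json"))` in place of SAMPLE; an empty result means no world-exposed ports beyond HTTP/HTTPS.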

Conclusion

A well-architected VPC provides the foundation for secure and scalable cloud infrastructure. By following these patterns and implementing proper network segmentation, you can build enterprise-grade networks that meet security and compliance requirements while maintaining high performance.

Need help designing your VPC architecture? Let's discuss your requirements!