Amazon Elastic Compute Cloud (EC2)

Introduction

Introduction to VPCs, Subnets, Route Tables, Internet Gateways and NAT Gateways

Amazon Web Services (AWS) provides a global, highly reliable backbone to deploy secure and scalable network architectures. In this guide, you’ll learn how VPCs, subnets, route tables, Internet Gateways, and NAT Gateways work together to isolate and manage traffic for your EC2 instances.

First, let’s explore AWS’s global footprint:

The image shows a map highlighting AWS global network regions, specifically US East (Ohio) and Singapore, with their respective availability zones.

AWS Regions are fully isolated geographic areas. Each Region contains multiple Availability Zones (AZs)—separate data centers that ensure fault tolerance and high availability. Behind the scenes, the AWS Backbone Network securely interconnects Regions and edge locations for low-latency, high-throughput performance.


Virtual Private Cloud (VPC): Your Private Network

A Virtual Private Cloud (VPC) is your own private, logically isolated section of the AWS Cloud. It acts like a gated community, where you control who enters, leaves, and communicates internally.

Key VPC capabilities:

Feature                  Description
Isolation                Logical separation from other AWS accounts
Customizable IP Range    Define your own CIDR block and segment it with subnets
Hybrid Connectivity      Connect to on-premises networks via VPN or Direct Connect, and to other VPCs via VPC Peering
AWS Service Integration  Seamlessly integrates with EC2, RDS, ELB, Lambda, and more

The image is a presentation slide featuring four key points: Isolation, Customizable, Hybrid – Connectivity, and AWS Integration, with corresponding icons. On the right, there's a cloud and shield icon on a gradient background.

Note

Remember: VPCs do not span Regions. Resources in one Region (and its AZs) cannot communicate with resources in another Region without a VPC peering connection or a VPN.


Subnets: Segmenting Your VPC

Subnets subdivide a VPC into smaller IP ranges within a single AZ—like dividing a housing lane into individual plots. Use subnets to isolate workloads (web servers, APIs, databases) based on security and routing needs.

The image is a diagram illustrating the concept of subnets within a virtual private cloud (VPC), comparing them to plots in a housing lane. It shows different types of subnets like web-app, backend API, and database subnets.

By placing subnets in multiple AZs, you build high-availability architectures:

The image illustrates AWS networking with a VPC containing subnets for web apps, backend APIs, and databases, located in the Singapore region. It also shows availability zones labeled ap-southeast-1a, 1b, and 1c.


Route Tables: Traffic Signposts

Route tables control how packets flow between subnets, VPC peering connections, Internet Gateways, and NAT Gateways. Each entry maps a destination CIDR to a target.

Example “App VPC” route table:

Destination      Target
10.10.0.0/16     VPC Peering Connection
0.0.0.0/0        Internet Gateway (igw-xxxx)

The image is a diagram illustrating route tables for a network, showing connections between an "App VPC" and two destinations: a "Swimming pool/Security VPC" and a "Gym/Sandbox VPC," with specific routes and targets.
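The route table above has two entries that both contain a 10.10.x.x address, so the rule that decides between them matters: AWS picks the most specific (longest) matching prefix. The following is an added example, not code from the original page, that resolves a destination IP against a constructed copy of the "App VPC" table plus the implicit local route AWS adds for the VPC's own CIDR; the VPC CIDR 10.0.0.0/16 and the pcx-/igw- IDs are assumed placeholder values.

```python
"""Longest-prefix route lookup for a VPC route table.

Added example, not code from the original page. APP_VPC_ROUTES is a
constructed copy of the "App VPC" table above plus the implicit local
route AWS adds for the VPC's own CIDR; the VPC CIDR 10.0.0.0/16 and the
pcx-/igw- IDs are assumed placeholder values.
"""
import ipaddress

# Constructed route table: destination CIDR -> target.
APP_VPC_ROUTES = {
    "10.0.0.0/16": "local",         # implicit route for the VPC's own CIDR (assumed)
    "10.10.0.0/16": "pcx-EXAMPLE",  # VPC Peering Connection (placeholder ID)
    "0.0.0.0/0": "igw-EXAMPLE",     # default route to the Internet Gateway (placeholder ID)
}


def resolve_route(routes, dest_ip):
    """Return (cidr, target) of the most specific route that covers dest_ip.

    Route tables pick the longest matching prefix, so 10.10.x.x goes to the
    peering connection even though 0.0.0.0/0 also contains it. Returns None
    when no route matches, which happens only if the table has no default
    route (an isolated subnet).
    """
    addr = ipaddress.ip_address(dest_ip)
    best_net, best_target = None, None
    for cidr, target in routes.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    if best_net is None:
        return None
    return str(best_net), best_target


def leaves_vpc_via_internet(routes, dest_ip):
    """True when the packet would be handed to an Internet Gateway.

    A quick check of which destinations a route table actually sends
    down the public Internet path.
    """
    match = resolve_route(routes, dest_ip)
    return match is not None and match[1].startswith("igw-")


if __name__ == "__main__":
    for ip in ("10.0.5.4", "10.10.8.9", "93.184.216.34"):
        print(ip, "->", resolve_route(APP_VPC_ROUTES, ip))
```

Run it as a script to see a VPC-internal address stay on the local route, a peered address go to the peering connection, and anything else fall through to the Internet Gateway; a table without a 0.0.0.0/0 entry returns None for external destinations, which is exactly what makes an isolated subnet isolated.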


Internet Gateway: Public Access Point

An Internet Gateway (IGW) is a horizontally scaled, redundant VPC component that allows communication between your VPC and the Internet.

To enable Internet access for a subnet:

  1. Create and attach an IGW to your VPC.
  2. Add a route to your route table:
    • Destination: 0.0.0.0/0
    • Target: igw-<gateway-id>
  3. Assign public or Elastic IPs to your EC2 instances.

The image is a diagram illustrating an Internet Gateway setup, showing an EC2 instance connected to an Internet Gateway, which routes traffic to a target destination.


NAT Gateway: Secure Outbound Connectivity

A NAT Gateway allows instances in private subnets to initiate outbound Internet traffic while preventing hosts on the Internet from initiating connections to those instances.

Setup steps:

  1. Launch a NAT Gateway in a public subnet.
  2. Update the private subnet’s route table:
    • Destination: 0.0.0.0/0
    • Target: nat-<gateway-id>

Instances in the private subnet will use the NAT Gateway for OS updates, API calls, and package downloads without exposing their private IPs.
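The Internet Gateway and NAT Gateway steps above boil down to what each subnet's 0.0.0.0/0 route points at, and to the requirement that the NAT Gateway itself sits in a public subnet. The following added example (not code from the original page) audits both from constructed data shaped like the `RouteTables` list of `aws ec2 describe-route-tables` and the `NatGateways` list of `aws ec2 describe-nat-gateways`; every rtb-/subnet-/igw-/nat- ID is a placeholder. It goes slightly beyond the text by also handling subnets with no explicit association, which AWS sends to the VPC's main route table.

```python
"""Audit which subnets are public, private or isolated, and where NAT Gateways sit.

Added example, not code from the original page. ROUTE_TABLES and
NAT_GATEWAYS are constructed data shaped like the `RouteTables` list from
`aws ec2 describe-route-tables` and the `NatGateways` list from
`aws ec2 describe-nat-gateways`; every rtb-/subnet-/igw-/nat- ID is a
placeholder. Rules from the text: a 0.0.0.0/0 route to an igw- makes a
subnet public, a 0.0.0.0/0 route to a nat- makes it private, and a NAT
Gateway belongs in a public subnet. Subnets with no explicit association
fall back to the VPC's main route table, as AWS does.
"""

ROUTE_TABLES = [
    {  # main table: only the local route, so its subnets are isolated
        "RouteTableId": "rtb-main-EXAMPLE",
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}],
        "Associations": [{"Main": True}, {"Main": False, "SubnetId": "subnet-db-EXAMPLE"}],
    },
    {  # public table: default route to the Internet Gateway
        "RouteTableId": "rtb-public-EXAMPLE",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE", "State": "active"},
        ],
        "Associations": [{"Main": False, "SubnetId": "subnet-web-EXAMPLE"}],
    },
    {  # private table: default route to the NAT Gateway
        "RouteTableId": "rtb-private-EXAMPLE",
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE", "State": "active"},
        ],
        "Associations": [{"Main": False, "SubnetId": "subnet-api-EXAMPLE"}],
    },
]

# Constructed NAT Gateway list; the gateway correctly lives in the public subnet.
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-EXAMPLE", "SubnetId": "subnet-web-EXAMPLE", "State": "available"},
]


def route_table_for_subnet(route_tables, subnet_id):
    """An explicit association wins; otherwise the VPC's main route table applies."""
    main_table = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main_table = rt
    return main_table


def default_route_target(route_table):
    """Target ID of the active 0.0.0.0/0 route, or None if the table has none."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State") == "active":
            return route.get("GatewayId") or route.get("NatGatewayId") or "other"
    return None


def classify_subnet(route_tables, subnet_id):
    """Return 'public', 'private', 'isolated' or 'other' for one subnet."""
    rt = route_table_for_subnet(route_tables, subnet_id)
    target = default_route_target(rt) if rt else None
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"  # e.g. a default route through a peering connection or an appliance


def misplaced_nat_gateways(route_tables, nat_gateways):
    """NAT Gateway IDs whose own subnet is not public.

    A NAT Gateway reaches the Internet through the IGW route of the subnet
    it lives in; placed in a private or isolated subnet, every instance
    routed through it silently loses outbound connectivity.
    """
    return [
        ngw["NatGatewayId"]
        for ngw in nat_gateways
        if classify_subnet(route_tables, ngw["SubnetId"]) != "public"
    ]


if __name__ == "__main__":
    for subnet in ("subnet-web-EXAMPLE", "subnet-api-EXAMPLE", "subnet-db-EXAMPLE"):
        print(subnet, classify_subnet(ROUTE_TABLES, subnet))
    print("misplaced NAT gateways:", misplaced_nat_gateways(ROUTE_TABLES, NAT_GATEWAYS))
```

Against real account data, the same two functions give a quick inventory of which subnets can receive inbound connections from the Internet (public), which can only initiate them (private), and which have no Internet path at all (isolated), and they catch the common mistake of launching the NAT Gateway in the private subnet it is meant to serve.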

Warning

Each NAT Gateway incurs an hourly charge and data processing fees. Consider using a NAT instance for low-throughput scenarios.

