VPC Design Best Practices: What It Is and When to Use It
Definition
VPC Design Best Practices are a set of architectural principles for creating secure, scalable, and operationally efficient virtual networks within Amazon Web Services (AWS). Following these practices helps prevent common issues like IP address exhaustion, security vulnerabilities, and costly redesigns by establishing a solid network foundation from the start for any workload deployed in an Amazon Virtual Private Cloud (Amazon VPC).
How It Works
A well-designed VPC acts as the foundational layer for your AWS infrastructure. The best practices revolve around the strategic configuration and interconnection of its core components.
1. IP Address and Subnet Planning
- CIDR Block Sizing: The first and most critical decision is choosing the Classless Inter-Domain Routing (CIDR) block for the VPC. The size must be between a /16 (65,536 IPs) and a /28 (16 IPs) netmask. A common mistake is choosing a block that is too small, leading to IP exhaustion, or one that overlaps with on-premises networks or other VPCs you may need to connect to later. A /16 is a common choice for production VPCs, but careful planning is essential to avoid wasting IP space.
- Subnet Strategy: A VPC spans all Availability Zones (AZs) in a region, but a subnet resides within a single AZ. For high availability, it's a best practice to create subnets in multiple AZs. A standard architecture includes:
- Public Subnets: These subnets have a route to an Internet Gateway (IGW). Resources here, like load balancers or bastion hosts, can be directly accessed from the internet.
- Private Subnets: These subnets do not have a direct route to the internet. Resources like application servers and databases should be placed here for security. They can access the internet for software updates via a NAT Gateway placed in a public subnet.
- Subnet Sizing: Subnets should be sized for their purpose with room for growth. AWS reserves the first four and the last one IP address in every subnet CIDR block.
2. Layered Security Model
- Security Groups (SGs): These act as a stateful firewall at the instance (or more accurately, the Elastic Network Interface) level. They only support
allowrules. Because they are stateful, if you allow an inbound request, the corresponding outbound response is automatically permitted. Best practice is to apply the principle of least privilege, for example, allowing a web server's security group to accept traffic only from the load balancer's security group. - Network Access Control Lists (NACLs): These are stateless firewalls operating at the subnet level. They support both
allowanddenyrules, which are evaluated in numerical order. Because they are stateless, you must explicitly define rules for both inbound and outbound traffic. NACLs serve as a secondary defense layer, often used to block known malicious IPs or enforce broad subnet-level policies.
3. Scalable Connectivity
- VPC Peering: This creates a direct, 1-to-1 network connection between two VPCs. It's simple and cost-effective for a small number of connections. However, it is non-transitive (a VPC peered with two others cannot route traffic between them) and becomes difficult to manage at scale, creating a complex "mesh" of connections.
- AWS Transit Gateway (TGW): For connecting many VPCs and on-premises networks, a Transit Gateway is the modern best practice. It acts as a cloud router in a hub-and-spoke model, simplifying network management and scaling linearly. This is the preferred solution for multi-account, enterprise-scale environments.
4. Private Integration with AWS Services
- VPC Endpoints: To access AWS services like Amazon S3 or Amazon DynamoDB without traversing the public internet, you should use VPC Endpoints. This enhances security and can significantly reduce costs by avoiding NAT Gateway data processing fees.
- Gateway Endpoints: These are free and are used for Amazon S3 and DynamoDB. They work by adding a prefix list target to your route table.
- Interface Endpoints (AWS PrivateLink): These use an ENI in your subnet to provide private connectivity to most other AWS services. They have an hourly charge and a per-GB data processing fee, but these are typically lower than NAT Gateway charges.
Key Features and Limits
- VPCs per Region: Default is 5, but this can be increased.
- Subnets per VPC: 200.
- IPv4 CIDR blocks per VPC: 1 primary and up to 4 secondary by default, increasable to 50.
- Security Groups per Network Interface: 5 (default), can be increased. The product of SGs per interface and rules per SG cannot exceed 1000.
- Rules per Security Group: 60 inbound and 60 outbound by default.
- Network ACLs per VPC: 200.
- Active VPC Peering connections per VPC: 50 (default), can be increased to 125.
- VPC Endpoint Bandwidth: Scales automatically from 10 Gbps up to 100 Gbps per AZ.
Common Use Cases
- Multi-Tier Web Application: A classic design with a public subnet for web servers (or an Application Load Balancer) and private subnets for application servers and databases, ensuring the backend is isolated from direct internet access.
- Shared Services VPC: A central VPC hosts common services like directory services, logging, or security appliances. Other VPCs connect to it via AWS Transit Gateway to consume these services, reducing duplication and centralizing management.
- Hybrid Cloud Connectivity: An enterprise connects its on-premises data center to a VPC using AWS Direct Connect or a Site-to-Site VPN, typically terminating on a Transit Gateway to extend its network into the cloud for migration or bursting.
- Multi-Account Environments: Organizations use AWS Organizations and a multi-VPC, multi-account strategy for billing and security isolation. A Transit Gateway in a central network account provides inter-VPC connectivity and a single point for egress traffic inspection.
- Data-Intensive Workloads: A VPC designed for a data analytics platform might use Gateway Endpoints to provide high-throughput, zero-cost access to data stored in Amazon S3 for processing by Amazon EMR or Redshift clusters running in private subnets.
Pricing Model
Creating and using an Amazon VPC itself is free. However, you are charged for certain components you provision:
- AWS NAT Gateway: Billed per hour the gateway is provisioned and per gigabyte of data processed. This is often a significant source of operational cost.
- VPC Interface Endpoints (AWS PrivateLink): Billed per hour and per gigabyte of data processed, though typically at a lower rate than NAT Gateways.
- AWS Transit Gateway: Billed per attachment per hour and per gigabyte of data processed.
- Data Transfer: Standard AWS data transfer charges apply for data transferred out to the internet or between Availability Zones.
Gateway VPC Endpoints for S3 and DynamoDB are free.
Pros and Cons
Pros:
- Security & Isolation: Provides complete logical isolation, giving you granular control over network boundaries and traffic flow.
- Architectural Flexibility: Enables the design of complex, multi-tier, and hybrid network topologies.
- Scalability: Designed to scale from a single instance to thousands, with features like Transit Gateway supporting massive multi-VPC architectures.
- Enhanced Control: Full control over IP addressing, routing, and security layers.
Cons:
- Complexity: Can have a steep learning curve. Misconfigurations in routing or security rules can lead to connectivity issues or security vulnerabilities.
- Cost Management: Components like NAT Gateways and Transit Gateways can become expensive if not monitored and optimized.
- IP Address Management: Poor initial CIDR planning can lead to overlapping ranges or IP exhaustion, requiring significant effort to remediate.
Comparison with Alternatives
- Default VPC vs. Custom VPC: Every AWS account has a Default VPC in each region for an easy start. However, for any production workload, it is a critical best practice to create a Custom VPC. Default VPCs have pre-configured public subnets, which can lead to accidentally exposing resources to the internet. A Custom VPC forces intentional design of subnets, routing, and security from the ground up.
- Single VPC vs. Multi-VPC Architecture: While a single VPC is simpler to manage initially, a multi-VPC strategy (e.g., one VPC per environment or business unit) provides better security isolation, reduces the blast radius of misconfigurations, and simplifies billing and governance. Connecting these VPCs with a Transit Gateway is the standard for scalable, multi-account architectures.
Exam Relevance
VPC design is a foundational and heavily tested topic across multiple AWS certifications, especially:
- AWS Certified Solutions Architect - Associate (SAA-C03): Expect questions on the difference between public and private subnets, NAT Gateways vs. Internet Gateways, Security Groups vs. NACLs, VPC Peering vs. Transit Gateway, and the use cases for VPC Endpoints.
- AWS Certified Solutions Architect - Professional (SAP-C02): Deeper questions on multi-account and hybrid connectivity strategies, complex routing scenarios with Transit Gateway, and cost optimization of network traffic.
- AWS Certified Advanced Networking - Specialty (ANS-C01): In-depth testing of all VPC components, hybrid DNS, Direct Connect, and large-scale routing designs.
- AWS Certified Security - Specialty (SCS-C02): Focuses on the security aspects, including the proper use of SGs and NACLs, VPC Endpoints, traffic inspection patterns, and VPC Flow Logs for auditing.
Frequently Asked Questions
Q: How do I choose the right CIDR block for my VPC?
A: Plan for future growth and potential network connections. Choose a CIDR block from the RFC 1918 private address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) that does not overlap with your on-premises networks or other VPCs you might peer with. It's better to allocate a slightly larger block (like a /16) and subnet it efficiently than to run out of IP addresses later.
Q: What is the key difference between a Security Group and a Network ACL?
A: The primary difference is that Security Groups are stateful and operate at the instance level, while Network ACLs are stateless and operate at the subnet level. Security Groups only have allow rules, and because they are stateful, return traffic is automatically allowed. NACLs have both allow and deny rules and require you to explicitly permit return traffic.
Q: When should I use AWS Transit Gateway instead of VPC Peering?
A: Use VPC Peering for simple, one-to-one connections between a small number of VPCs (fewer than 10). Use AWS Transit Gateway when you need to connect many VPCs (dozens or hundreds), require transitive routing, or want to centralize connectivity to on-premises networks in a hub-and-spoke model. Transit Gateway simplifies management and scales far more effectively than a mesh of peering connections.
This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official AWS documentation before making production decisions.