Networking & CDN

VPC & Subnet Design

A VPC (Virtual Private Cloud) is an isolated virtual network within AWS. It spans all AZs in a region. Subnets are subdivisions within a single AZ — public subnets have routes to an Internet Gateway; private subnets don't.

Memory anchor

A VPC is a walled city. Public subnets are the market district (facing the road/internet). Private subnets are the residential area. NAT Gateway is the gate guard who lets residents go out but doesn't let strangers walk in.

Expected depth

CIDR planning: use /16 for the VPC (65,536 addresses), /24 for subnets (256 addresses). Public subnet: has an IGW route, and instances can be assigned public IPs. Private subnet: no IGW route; instances reach the internet via a NAT Gateway (managed, HA within its AZ) or a NAT Instance (cheaper, self-managed). Route tables control traffic flow. VPC Peering connects two VPCs (no transitive routing). Transit Gateway (TGW) is a hub for connecting many VPCs and on-prem networks. VPC Endpoints let services (S3, DynamoDB) be accessed without traversing the internet.

Deep — senior internals

VPC Flow Logs capture IP traffic metadata for security analysis — they don't capture packet payloads. NAT Gateway is AZ-specific — deploy one per AZ for HA, as cross-AZ NAT incurs data transfer costs and a single-AZ NAT is a single point of failure. AWS PrivateLink creates private endpoints for services without peering — traffic never traverses the internet. VPC Sharing (RAM) lets multiple accounts share subnets from a central VPC, reducing the number of VPCs and NAT Gateways. IPv6 subnets always get a public IPv6 CIDR — egress-only IGW provides outbound-only IPv6 access for private resources.

Interview-ready answer

I design VPCs with a /16 CIDR split into public and private subnets per AZ. Public subnets host load balancers and NAT Gateways; private subnets host compute and databases. NAT Gateways are per-AZ for HA. I use VPC Endpoints for S3 and DynamoDB to keep traffic on AWS's private network. For multi-VPC connectivity, Transit Gateway scales better than full-mesh VPC peering.

Common trap

Deploying a single NAT Gateway in one AZ for all private subnets. If that AZ goes down, all private instances lose internet access. Deploy one NAT Gateway per AZ and route each private subnet to its local NAT Gateway.
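As an added example (not part of the original notes), the script below carves a /16 into per-AZ public and private /24s as described under Expected depth, then audits a constructed route-table layout for the trap above: a private subnet whose default route points at a NAT Gateway in another AZ, or one NAT Gateway carrying private subnets from several AZs. The input shapes are simplified stand-ins for what describe-subnets, describe-nat-gateways and describe-route-tables would give you; the subnet, NAT and IGW IDs are made up.

```python
import ipaddress

def plan_subnets(vpc_cidr, azs):
    """Carve the VPC CIDR into one public and one private /24 per AZ, in order."""
    blocks = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=24)
    return {az: {"public": str(next(blocks)), "private": str(next(blocks))} for az in azs}

def audit_default_routes(subnets, nat_gateways, route_tables):
    """Flag the NAT trap: a private subnet whose 0.0.0.0/0 route leaves its AZ, or a
    single NAT Gateway carrying private subnets from more than one AZ.
    subnets:       {subnet_id: {"az": az_name, "public": bool}}
    nat_gateways:  {nat_id: az_name}
    route_tables:  [{"subnets": [subnet_id, ...], "routes": {dest_cidr: target_id}}]"""
    findings = []
    nat_serves = {}  # nat_id -> set of AZs whose private subnets egress through it
    for rt in route_tables:
        target = rt["routes"].get("0.0.0.0/0")
        for sid in rt["subnets"]:
            sub = subnets[sid]
            if sub["public"] or target is None:
                continue  # public subnets and fully isolated subnets are out of scope
            if target.startswith("igw-"):
                findings.append(f"{sid} is private but default-routes to {target}")
            elif target.startswith("nat-"):
                nat_az = nat_gateways[target]
                nat_serves.setdefault(target, set()).add(sub["az"])
                if nat_az != sub["az"]:
                    findings.append(f"{sid} ({sub['az']}) egresses via {target} in {nat_az}: cross-AZ NAT")
    for nat, azs in nat_serves.items():
        if len(azs) > 1:
            findings.append(f"{nat} serves private subnets in {sorted(azs)}: single point of failure")
    return findings

# Constructed sample reproducing the trap: one NAT in us-east-1a shared by both AZs.
SUBNETS = {
    "subnet-pub-a": {"az": "us-east-1a", "public": True},
    "subnet-prv-a": {"az": "us-east-1a", "public": False},
    "subnet-prv-b": {"az": "us-east-1b", "public": False},
}
NAT_GATEWAYS = {"nat-a": "us-east-1a"}
ROUTE_TABLES = [
    {"subnets": ["subnet-pub-a"], "routes": {"0.0.0.0/0": "igw-main"}},
    {"subnets": ["subnet-prv-a", "subnet-prv-b"], "routes": {"0.0.0.0/0": "nat-a"}},
]

if __name__ == "__main__":
    print(plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"]))
    for finding in audit_default_routes(SUBNETS, NAT_GATEWAYS, ROUTE_TABLES):
        print("FINDING:", finding)
```

The fix the notes call for (a NAT Gateway per AZ, each private subnet routed to its local one) yields an empty findings list from the same audit.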

Related concepts