AWS VPC Tutorial for Beginners: Setup and Configuration

published on 01 January 2024

Most IT professionals would agree that setting up a secure and functional virtual private cloud can be challenging.

This step-by-step AWS VPC tutorial for beginners promises to walk you through the entire process of configuring your first Amazon Virtual Private Cloud.

You'll learn VPC basics, how to define CIDR blocks, create subnets, set up internet and NAT gateways, configure security groups, establish connectivity with peering and VPNs, and more. By the end, you'll have a fully operational VPC architecture ready to deploy resources and applications.

Introduction to Amazon VPC

Amazon Virtual Private Cloud (VPC) is a foundational AWS service that enables users to launch AWS resources in a virtual network dedicated to their account. VPCs provide several key benefits:

Understanding the Basics of VPC

  • VPCs allow you to create an isolated section of the AWS cloud and control the virtual networking environment. This includes selecting your own IP address range, creating subnets, configuring route tables and network gateways.
  • Resources launched into a VPC can securely communicate with each other while being isolated from the rest of the AWS network.
  • You have complete control over your virtual networking environment in the AWS cloud.

Amazon VPC Overview

Amazon VPC lets you provision an isolated section of the AWS cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including:

  • Selecting your own IP address range
  • Creating subnets
  • Configuring route tables and network gateways
  • Controlling access to resources with security groups and network ACLs

This enables you to have full control over your virtual networking environment.

AWS VPC Documentation and Resources

For further reading on Amazon VPC capabilities and configuration best practices, refer to:

These resources provide in-depth information on all aspects of Amazon VPC.

What is AWS VPC for dummies?

An AWS VPC (Virtual Private Cloud) is a logically isolated virtual network within AWS. Here are some key things to know about VPCs for beginners:

  • A VPC lets you launch AWS resources like EC2 instances in a private, isolated section instead of the public AWS cloud. This gives you more control over security, network settings, IP addresses, etc.

  • A VPC spans all the Availability Zones in an AWS Region. Each AZ is like an isolated data center, so spanning AZs provides high availability.

  • Subnets are partitions within a VPC that allow you to group resources based on security or operational needs. Public subnets face the internet, private subnets don't.

  • You can customize IP address ranges, create subnets, set route tables and network gateways to make the VPC interact with the internet and on-premises networks.

  • Security groups and network ACLs let you filter VPC traffic much like a firewall.

  • VPC peering connects two VPCs privately so resources can communicate across VPCs. This allows popular architectures like hub-and-spoke networking.

  • VPC endpoints let you connect to AWS services like S3 or DynamoDB without leaving the VPC. This keeps traffic private within the AWS network.

In summary, a VPC is your own private cloud within the AWS cloud where you can isolate AWS resources in a customized network environment. VPCs give software engineers greater control, security, and flexibility for deploying applications on AWS.

How do I create a simple VPC in AWS?

Creating a simple VPC in AWS is straightforward with the VPC wizard. Here are the steps:

  1. Open the Amazon VPC console at
  2. In the VPC Dashboard, choose Create VPC
  3. Under VPC settings, choose VPC and more
  4. Complete these fields as follows:
    • Keep Auto-generated selected under Name tag auto-generation
    • IPv4 CIDR block: Enter a CIDR block (e.g.
    • IPv6 CIDR block: Select No IPv6 CIDR Block
  5. For Tenancy, keep the default Default
  6. Scroll down and leave the rest of the settings at their defaults
  7. Choose Create VPC. It takes several minutes for the VPC to be created

Once the VPC status changes to Available, you have successfully created a simple VPC in AWS that can be further customized by adding subnets, route tables, network gateways etc.

The key things to remember when creating a basic VPC are:

  • Select the VPC wizard for simplicity
  • Choose a valid private IPv4 CIDR block
  • Keep tenancy as default
  • Use the defaults for other settings initially
  • Wait for VPC to reach Available status

With just these few steps, you can quickly spin up a VPC in AWS to start building out your cloud network.

What is VPC in AWS in simple words?

A VPC (Virtual Private Cloud) in AWS is essentially a private network dedicated to your AWS account. Here are some key things to know about VPCs in simple terms:

  • It is a logically isolated section of the AWS cloud where you can launch AWS resources like EC2 instances. Your VPC is private and secure, separating your AWS workloads from other accounts.

  • You define a CIDR block (IP address range) for your VPC when you create it. Common CIDR blocks are or but you can customize to your needs.

  • A VPC contains subnets, which are smaller IP ranges within your VPC CIDR where you can group resources by function or access needs. Public vs private subnets control internet access.

  • You attach an internet gateway to give public subnets internet access. Private subnets access internet via NAT gateway.

  • Route tables define how subnets connect - to internet gateway, NAT, VPC peering connections, etc.

  • Network ACLs and security groups act like VPC firewalls, controlling allowed traffic in and out.

So in summary - a VPC is your own private cloud network in AWS that lets you control subnets, IP addresses, routes, security, and access. You have full control to customize it as needed for your workloads.

How do I get into AWS VPC?

To access resources in an AWS VPC (Virtual Private Cloud), you have a few different options:

Use AWS Client VPN

AWS Client VPN allows you to securely connect to your VPC resources from your local computer using an OpenVPN-based VPN connection. To set this up:

  1. Create or identify a VPC with at least one subnet
  2. Identify a suitable CIDR range for the client IP addresses that does not overlap with the VPC CIDR
  3. Review the rules and limitations for Client VPN endpoints
  4. Create a Client VPN endpoint and download the client configuration
  5. Connect to the Client VPN endpoint from your local OpenVPN client

Once connected via Client VPN, your local computer will have access to resources in your VPC as if it were an instance within that VPC.

Connect via AWS Site-to-Site VPN

You can also set up a Site-to-Site VPN between your on-premises network and your VPC. This allows resources on either side to communicate over an encrypted VPN tunnel.

To set this up:

  1. Create a customer gateway on your on-premises network
  2. Create a virtual private gateway attached to your VPC
  3. Establish a Site-to-Site VPN connection between the two gateways

Once the VPN connection is established, hosts on either side of the tunnel can communicate securely.

Launch an EC2 Instance

You can simply launch an EC2 instance directly into your VPC subnets to gain access. By default, you can connect to the instance using SSH or RDP if you configure a public IP address. For private subnets, you would need to connect via a bastion host or VPN instead.

So in summary, Client VPN, Site-to-Site VPN, and direct EC2 instance access are good options for securely accessing resources within an AWS VPC.

Defining and Setting Up Your VPC

Defining the IP address range for your VPC is an important first step in setting it up. Here is a guide for beginners on how to create a VPC from scratch in AWS using CIDR notation and the VPC Wizard.

Defining VPC CIDR Blocks

When creating a VPC, you need to define a CIDR block, which specifies the allowed IP address range. Some key points:

  • CIDR notation combines an IP address and subnet mask into one routeable address, like
  • The subnet mask (/16) defines the number of available IP addresses. Higher masks mean fewer IPs.
  • A /16 block provides 65,536 IP addresses. A /24 block provides 256 addresses.
  • Best practice is to allocate /16 or /20 blocks for a VPC. This allows room to add subnets.

Carefully consider your IP range, as it can't be easily changed later without recreating your VPC.

How to Create a VPC in AWS Step by Step

Follow these steps to create a VPC from scratch:

  1. Go to the VPC Dashboard in the AWS Management Console.
  2. Click Your VPCs in the left pane and then click Create VPC.
  3. Enter a meaningful name and IPv4 CIDR block. For beginners, use
  4. Scroll down and click Create VPC. Your new VPC will now appear in the list.

That covers the basics of creating a VPC. But additional configuration is needed before launching resources.

Using the VPC Wizard for Easy Configuration

AWS provides a VPC Wizard that simplifies initial setup:

  • Select VPC with a Single Public Subnet to deploy an end-to-end VPC with subnet, route table, internet gateway, security groups, etc.
  • Specify the IPv4 CIDR, subnet AZ, and subnet CIDR.
  • Review and click Create VPC. Resources like subnets and route tables will automatically be created and configured.

The Wizard accelerates basic one-click VPC creation, while giving less flexibility than manual setup. It's great for VPC beginners.


Creating and Managing Subnets within Your VPC

Understanding the Parts of VPC: Subnets

A VPC (Virtual Private Cloud) on AWS consists of several key components that work together to provide a private network environment. One critical piece is subnets, which segment the VPC network into smaller sections that can be associated with availability zones.

Some key things to know about subnets in a VPC:

  • Subnets allow you to partition your VPC network into separate sections, which provides more control and segmentation.
  • Each subnet must be mapped to an availability zone, which provides fault tolerance and high availability.
  • Subnets can be either public or private. Public subnets have direct access to the internet while private subnets do not.

When creating a VPC, it's important to plan out your subnets and IP address ranges carefully based on your application architecture and security requirements.

Creating Subnets: A Practical Guide

Here is a step-by-step guide to creating subnets within your AWS VPC:

  1. Log into the AWS Management Console and navigate to the VPC Dashboard.
  2. In the left sidebar, click Subnets under the VPC section.
  3. Click the orange Create subnet button.
  4. Enter a descriptive name tag for your subnet.
  5. Select the target VPC you want to add this subnet to.
  6. Select an availability zone to map the subnet to.
  7. Define the IPv4 CIDR block for the subnet, such as
  8. Specify if this will be a public or private subnet.
  9. Click Create subnet to finish.

Repeat these steps to create multiple subnets segmented however makes sense for your application infrastructure. For example, you may want both private and public subnets spread across different availability zones.

When defining CIDR blocks, make sure there is no overlapping IP address range with your VPC or other subnets. Using incremental blocks like, makes this easy.

Deploying EC2 Instances in Custom Subnets

Once you have subnets created within your VPC, you can launch EC2 instances directly into those subnets:

  1. Go to the EC2 dashboard and click Launch Instance.
  2. In Step 1, select the target AMI and instance type.
  3. In Step 2, select the VPC you created.
  4. In Step 3, select the specific subnet you want to deploy the instance into.
  5. Complete any other configuration in the steps that follow.
  6. Click Launch instance.

Your EC2 instance will now deploy directly into the selected subnet and VPC. By launching instances across different custom subnets, you can achieve segmentation based on public/private access, availability zone resilience, and more.

Configuring Internet and NAT Gateways

Configuring Internet and NAT Gateways is an important step in setting up communication between your VPC resources and the internet. This section will cover:

Setting Up an Internet Gateway

An Internet Gateway allows resources in your VPC to connect to the internet. Here are the steps to set one up:

  1. Log into the AWS Management Console and navigate to the VPC Dashboard
  2. Click on Internet Gateways in the left sidebar and then click Create internet gateway
  3. Give your internet gateway a name and click Create
  4. Once created, select the internet gateway and click Attach to VPC
  5. Select your VPC from the list and click Attach

The internet gateway is now attached to your VPC. Any public subnets you create in this VPC will now have internet access.

Establishing a NAT Gateway for Private Subnets

A NAT Gateway allows resources in private subnets to access the internet while keeping the instances private. To create one:

  1. Navigate to the VPC Dashboard and click NAT Gateways in the left sidebar
  2. Click Create NAT Gateway and select the public subnet you want to place it in
  3. Click Allocate Elastic IP to assign a public IP address to the gateway
  4. Once created, edit your private subnet's route table
  5. Add a route with destination and target as your NAT Gateway

Now instances launched in your private subnet can access the internet through the NAT Gateway while remaining private.

Configuring these gateways is essential for controlling internet access within your VPC. The internet gateway enables public resources to connect out, while the NAT Gateway allows private resources to access the internet in a secure way.

Implementing Security Measures

Security is a critical component when setting up a VPC. Properly configuring security groups and network ACLs allows you to control access to your VPC resources. Here are some best practices for securing your VPC:

Configure Security Groups and NACLs

Security groups and network ACLs serve complementary purposes in VPC security:

  • Security Groups - Act as a firewall at the instance level, controlling inbound and outbound traffic for an instance
  • Network ACLs - Act as a firewall at the subnet level, controlling inbound and outbound traffic for a whole subnet

When creating security groups:

  • Start with restrictive settings and open ports as needed
  • Use security groups to allow necessary traffic only
  • Leverage security group rules instead of allowing all traffic

When creating network ACLs:

  • Set rules to deny all traffic by default
  • Add rules to allow necessary subnets and ports
  • Use NACLs as a second layer of defense behind security groups

By leveraging both tools, you can implement fine-grained access controls.

Best Practices for VPC Security

Here are some additional best practices:

  • Use VPC flow logs to monitor network traffic
  • Enable VPC endpoint services to connect directly to AWS services without an internet gateway
  • Use multiple availability zones to improve resiliency
  • Implement identity and access management (IAM) to manage permissions
  • Enable encryption of data at rest and in transit
  • Use immutable infrastructure patterns to prevent accidental misconfiguration
  • Automate security checks and monitoring using tools like AWS Config

Following security best practices allows you to create an isolated, trusted network environment for your applications and data.

Expanding Connectivity with VPC Peering and VPNs

Expanding the connectivity of your VPC enables more advanced network architectures on AWS. There are several options to connect your VPC to other VPCs and on-premises infrastructure.

Configure VPC Peering Connections

VPC peering allows private connectivity between two VPCs. VPC peering connections are virtual network connections and do not utilize physical network infrastructure.

To configure a VPC peering connection:

  1. Navigate to the VPC console and select the VPC you wish to peer with another VPC
  2. Click Actions > Create Peering Connection
  3. Select the second VPC to peer with
  4. Accept the peering request in the second VPC

Once established, instances in both VPCs can communicate over private IP addresses as if they are within the same network. VPC peering does not support transitive peering between VPCs. Each VPC peering connection is between two VPCs only.

Setting Up AWS Client VPN and Site-to-Site VPN

There are two options for setting up a VPN for secure access to resources within a VPC:

  • AWS Client VPN - Provides secure remote access to VPC resources for external clients. Client VPN allows clients to establish an encrypted TLS VPN session with the Client VPN endpoint.

  • AWS Site-to-Site VPN - Allows an on-premises network to access resources in a VPC using an IPsec VPN connection. Traffic between the on-premises network and the VPC is encrypted.

To configure Client VPN:

  1. Create a Client VPN endpoint in the target VPC
  2. Download the Client VPN endpoint configuration file
  3. Install the file on the client to establish the VPN connection

To configure a Site-to-Site VPN:

  1. Create a virtual private gateway and attach it to the target VPC
  2. Create a customer gateway resource in the on-premises network
  3. Establish the Site-to-Site VPN connection between the VPC and the customer gateway

Leveraging AWS VPN CloudHub and Direct Connect

For more advanced connectivity, AWS offers two additional services:

  • AWS VPN CloudHub - Acts as a central hub to interconnect multiple Site-to-Site VPN connections. Useful for establishing connectivity between multiple branch offices and VPCs.

  • AWS Direct Connect - Provides dedicated private connectivity between on-premises infrastructure and VPCs on AWS. Direct Connect offers high bandwidth options up to 100 Gbps.

To utilize VPN CloudHub, create multiple Site-to-Site VPN connections terminating on the CloudHub. The CloudHub will route traffic between all connected VPNs.

For Direct Connect, establish a dedicated network circuit between the on-premises location and AWS Direct Connect locations. Then create a Direct Connect gateway to allow VPCs to access the dedicated connection.

Advanced VPC Features and Services

Creating VPC Endpoints for Private Service Access

VPC Endpoints allow you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. VPC endpoints are horizontally scaled, redundant, and highly available VPC components that allow communication between instances in your VPC and services without imposing availability risks or bandwidth constraints on your network traffic.

To create a VPC endpoint:

  1. Open the Amazon VPC console
  2. In the left navigation pane, choose Endpoints and select Create Endpoint
  3. Select the AWS service category and service name
  4. Select the VPC and subnets to associate with the endpoint
  5. Configure the endpoint policy and route tables as needed
  6. Review and confirm the endpoint configuration

Once created, resources in your VPC can access the service via the endpoint DNS name without leaving the AWS network. VPC endpoints enable building application architectures that maximize security and resiliency.

Using IPv6 in a VPC

IPv6 can be enabled for VPCs to provide vastly expanded addressing capabilities over IPv4. To use IPv6:

  • When creating a VPC and subnets, select the IPv6 CIDR blocks to associate in addition to IPv4 CIDR blocks.
  • Launch EC2 instances with IPv6 addresses in your VPC subnets.
  • Update route tables, network ACLs, and security groups to allow IPv6 traffic as needed.
  • For internet access, an egress-only internet gateway must be created and a route for ::/0 (IPv6 equivalent of in IPv4) targeting the egress-only internet gateway must be added.

Enabling IPv6 does not impact existing IPv4 connectivity and communication from the VPC. Resources can communicate over IPv4, IPv6, or both, with no additional charges for IPv6 usage.

Monitoring Traffic with VPC Flow Logs

VPC Flow Logs enable capturing information about IP traffic going into and out of network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or Amazon S3.

To create flow logs:

  1. Open the Amazon VPC console
  2. Navigate to Flow Logs in the left pane and click Create Flow Log
  3. Specify the VPC, subnet, or network interface to monitor
  4. Select the destination (CloudWatch Logs or S3)
  5. Set filters to customize the traffic captured
  6. Click Create

Analysis of flow log data provides visibility into network traffic for security, audit, and troubleshooting purposes. Flow logs can help identify anomalous traffic, malicious activity, or network misconfigurations.

Conclusion: Recap and Best Practices

Setting up a VPC can seem daunting at first, but this tutorial has walked through the key steps for beginners. Here's a quick recap of what we've covered:

  • Defined VPC basics like CIDR blocks, subnets, route tables, and more
  • Created a custom VPC in the AWS console using the VPC Wizard
  • Added public and private subnets across multiple Availability Zones
  • Configured route tables and security groups appropriately
  • Launched EC2 instances and tested connectivity
  • Set up VPC endpoints, NAT gateways, VPN, and Direct Connect

Following best practices will ensure your VPC is secure, resilient, and efficient:

  • Use VPC flow logs and CloudTrail to monitor activity
  • Apply the principle of least privilege with security groups
  • Automate VPC deployments instead of manual console work
  • Peer VPCs instead of using complicated connectivity
  • Right size CIDR blocks to allow for future growth

With the basics covered here, you're now ready to build real applications inside your own Amazon Virtual Private Cloud!

Related posts

Read more