
AWS VPC Networking Simulator - Learn How Virtual Private Clouds Work

AWS VPC Builder

Build your VPC by adding components. The simulator will tell you if something is misconfigured.


Key Concepts

  • Public Subnet: Has route to Internet Gateway - resources can have public IPs
  • Private Subnet: No direct internet route - resources are protected
  • NAT Gateway: Lets private resources reach internet without being exposed
  • Internet Gateway: The door between your VPC and the internet

Understanding AWS VPC Networking

A Virtual Private Cloud (VPC) is your own isolated section of the AWS cloud where you can launch resources in a virtual network that you define. Think of it as your own private data center in the cloud, with complete control over your networking environment.

Core Components

VPC (Virtual Private Cloud): Your isolated section of AWS cloud where you launch resources in a virtual network you define. Each VPC has its own IP address range (CIDR block), typically something like 10.0.0.0/16.
Public Subnet: A subnet with a route to the Internet Gateway. Resources here can have public IPs and be directly accessible from the internet. Web servers and load balancers typically live here.
Private Subnet: A subnet with no direct internet access. Resources are protected from public exposure. Databases, application servers, and sensitive workloads typically live here.
Internet Gateway: Allows communication between your VPC and the internet. It's horizontally scaled, redundant, and highly available. You attach one IGW per VPC.

Traffic Flow Concepts

NAT Gateway: Enables private subnet instances to access the internet (for updates, API calls) while remaining unreachable from outside. NAT Gateways must be placed in a public subnet and cost ~$0.045/hour plus data charges.
Route Table: Contains rules (routes) that determine where network traffic is directed. Public subnets route 0.0.0.0/0 to the IGW; private subnets route 0.0.0.0/0 to the NAT Gateway.
CIDR Block: IP address range for your VPC and subnets. The VPC might use 10.0.0.0/16 (65,536 IPs), with subnets like 10.0.1.0/24 (256 IPs) for public and 10.0.2.0/24 for private.
Availability Zone: Isolated locations within a region for high availability. Best practice is to deploy subnets across multiple AZs (e.g., us-east-1a, us-east-1b) for fault tolerance.
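As an added example (not part of the simulator or this page), the rules in the two sections above can be written as a small validator over a dictionary model of a VPC, the same kind of checks the simulator performs: subnet CIDRs must sit inside the VPC block without overlapping, a NAT Gateway must live in a public subnet, a private route table's default route must point at a NAT Gateway that exists, and a public IP on an instance in a private subnet is unreachable. The field names and the sample VPC are constructed for this example.

```python
import ipaddress

def classify_subnet(subnet, route_tables):
    """'public' if the subnet's route table sends 0.0.0.0/0 to an IGW, else 'private'."""
    default = route_tables[subnet["route_table"]].get("0.0.0.0/0", "")
    return "public" if default.startswith("igw-") else "private"

def validate_vpc(vpc):
    """Return misconfiguration messages; an empty list means the layout is consistent."""
    problems = []
    vpc_net = ipaddress.ip_network(vpc["cidr"])
    seen = []
    for name, s in vpc["subnets"].items():
        net = ipaddress.ip_network(s["cidr"])
        if not net.subnet_of(vpc_net):
            problems.append(f"{name}: {s['cidr']} lies outside the VPC CIDR {vpc['cidr']}")
        for other_name, other_net in seen:
            if net.overlaps(other_net):
                problems.append(f"{name}: CIDR overlaps {other_name}")
        seen.append((name, net))
    kind = {n: classify_subnet(s, vpc["route_tables"]) for n, s in vpc["subnets"].items()}
    # A NAT Gateway needs the IGW route of a public subnet to reach the internet itself.
    for nat_id, nat in vpc["nat_gateways"].items():
        if kind[nat["subnet"]] != "public":
            problems.append(f"{nat_id}: NAT Gateway placed in private subnet {nat['subnet']}")
    # A private subnet's 0.0.0.0/0 must point at a NAT Gateway that actually exists.
    for rt_name, routes in vpc["route_tables"].items():
        target = routes.get("0.0.0.0/0", "")
        if target.startswith("nat-") and target not in vpc["nat_gateways"]:
            problems.append(f"{rt_name}: default route targets unknown NAT Gateway {target}")
    # A public IP on an instance in a private subnet is unreachable: no IGW route back out.
    for inst, i in vpc["instances"].items():
        if i.get("public_ip") and kind[i["subnet"]] == "private":
            problems.append(f"{inst}: public IP assigned in private subnet {i['subnet']}")
    return problems

# Constructed sample of the "Private with NAT" pattern, with one deliberate mistake: NAT in the private subnet.
SAMPLE_VPC = {
    "cidr": "10.0.0.0/16",
    "subnets": {"public-a": {"cidr": "10.0.1.0/24", "route_table": "rt-public"},
                "private-a": {"cidr": "10.0.2.0/24", "route_table": "rt-private"}},
    "route_tables": {"rt-public": {"0.0.0.0/0": "igw-main"},
                     "rt-private": {"0.0.0.0/0": "nat-a"}},
    "nat_gateways": {"nat-a": {"subnet": "private-a"}},
    "instances": {"app": {"subnet": "private-a", "public_ip": False}},
}

if __name__ == "__main__":
    for problem in validate_vpc(SAMPLE_VPC):
        print("MISCONFIGURED:", problem)
```

Moving `nat-a` to `public-a` in the sample makes `validate_vpc` return an empty list, which is the layout the "Private with NAT" pattern requires.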

🏗️ Common Architecture Patterns

Public Web Server

IGW + Public Subnet + EC2 with public IP. Simple setup for static sites or APIs.

Three-Tier App

Public subnet (ALB) → Private subnet (App servers) → Private subnet (Database).

Private with NAT

Private EC2 instances that need outbound internet (updates, APIs) via NAT Gateway.

💡 Key Concepts to Remember

  • Public vs Private: Public subnets route 0.0.0.0/0 to IGW; private subnets route to NAT
  • NAT Gateway Cost: NAT Gateways cost ~$32/month + data transfer - consider NAT instances for dev environments
  • Security Layers: Security Groups (stateful) + NACLs (stateless) protect resources
  • High Availability: Deploy across multiple AZs with subnets in each
  • VPC Peering: Connect VPCs together for private communication across accounts or regions
  • Elastic IP: Static public IP that can be associated with resources in public subnets

🔒 Security Best Practices

  • Least Privilege: Only open necessary ports in Security Groups
  • Defense in Depth: Use both Security Groups and NACLs
  • Private by Default: Put resources in private subnets unless they need public access
  • VPC Flow Logs: Enable flow logs to monitor and troubleshoot traffic
  • Endpoints: Use VPC endpoints for AWS services to avoid internet traffic