AWS VPC Networking: Stop Shooting Yourself in the Foot 🔫🦶

Real talk: The first time I set up a VPC, I thought "How hard can networking be?" Two hours later, my EC2 instance couldn't reach the internet, my RDS database was unreachable, and I was Googling "what is a subnet" at 2 AM. 😭

Welcome to AWS VPC - where one checkbox can be the difference between "it works!" and "why is nothing working?!"

What Even Is a VPC? (Beyond "Virtual Network") 🌐

VPC = Virtual Private Cloud - Your own isolated network in AWS where your resources live.

Think of it like: An apartment building with security doors, floor divisions, and complex rules about who can visit who!

Without VPC knowledge:

You: "Why can't my Lambda reach my RDS?"
AWS: *crickets*
You: *spends 3 hours on Stack Overflow*

With VPC knowledge:

You: "Ah, Lambda is in a public subnet without NAT, and RDS is in a different security group!"
You: *fixes it in 2 minutes*

Real components:

• VPC: The whole apartment building
• Subnets: Individual floors (public vs private)
• Internet Gateway: The main entrance to the outside world
• NAT Gateway: Private exit (lets residents go out, but outsiders can't come in)
• Security Groups: Apartment door locks (stateful firewall)
• NACLs: Floor security checkpoints (stateless firewall)
• Route Tables: Maps showing which elevator goes where

Why VPCs are confusing: AWS gives you defaults, but they're rarely what you actually NEED in production! 🤯

The $200 NAT Gateway Bill: My VPC Horror Story 💀

When architecting our serverless backend, I needed Lambda functions to access RDS in a private subnet. Seemed simple, right?

What I naively did:

# Created VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16

# Created private subnet for RDS
aws ec2 create-subnet \
  --vpc-id vpc-12345 \
  --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a

# Created NAT Gateway (for Lambda to reach internet)
aws ec2 create-nat-gateway \
  --subnet-id subnet-12345 \
  --allocation-id eipalloc-12345

# Deployed 8 Lambda functions in VPC
# "Perfect! Everything's connected!"

What happened next:

1. NAT Gateway charges: $0.045/hour × 24 hours × 30 days = $32.40/month (just for existing!)
2. Data processing: 500GB × $0.045/GB = $22.50/month
3. Elastic IP: $0.005/hour (unused time) = $3.60/month
4. Multiply by 3 AZs (for high availability): $174.60/month
5. Boss: "Why is networking costing $200/month?!"
6. Me: learns about VPC endpoints 😅

The lesson: NAT Gateways are NOT free! Every AWS service call through NAT = $$$!

VPC Mistake #1: Lambda in VPC Without VPC Endpoints 🚨

The problem:

// Lambda function in VPC
exports.handler = async (event) => {
  const s3 = new AWS.S3();

  // This goes through NAT Gateway! 💸
  const file = await s3.getObject({
    Bucket: 'my-bucket',
    Key: 'data.json'
  }).promise();

  // This ALSO goes through NAT Gateway! 💸
  const dynamodb = new AWS.DynamoDB.DocumentClient();
  await dynamodb.put({
    TableName: 'Users',
    Item: { id: '123', name: 'John' }
  }).promise();

  return { statusCode: 200 };
  // Every AWS service call = NAT Gateway charges!
};

Cost breakdown (100K Lambda invocations/day):

Without VPC Endpoints:
- 100K requests × 2KB avg S3 response = 200MB/day
- 200MB × 30 days = 6GB/month
- 6GB × $0.045/GB (NAT) = $0.27/month
- Multiply by all services (DynamoDB, SQS, SNS...) = $5-10/month
- "Only $10? That's fine!"

Wait... scale that up:

With 10M requests/day:
- 600GB/month through NAT
- 600GB × $0.045 = $27/month just for data processing
- Plus $32.40 for NAT Gateway existing
- Total: $60/month PER availability zone!
- 3 AZs = $180/month! 😱

The solution - VPC Endpoints (FREE for AWS services!):

# Create S3 VPC Endpoint (Gateway endpoint - FREE!)
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-12345 \
  --service-name com.amazonaws.us-east-1.s3 \
  --route-table-ids rtb-12345

# Create DynamoDB VPC Endpoint (Gateway endpoint - FREE!)
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-12345 \
  --service-name com.amazonaws.us-east-1.dynamodb \
  --route-table-ids rtb-12345

# For other services (Interface endpoints - $0.01/hour)
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-12345 \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.secretsmanager \
  --subnet-ids subnet-12345 subnet-67890

Results:

• S3/DynamoDB calls: FREE (no NAT Gateway!)
• Lambda to AWS services: Direct connection! ✨
• NAT Gateway data processing: 600GB → 50GB (only external APIs)
• Savings: $27 → $2.25/month (91% reduction!) 🎉

In production, I've deployed VPC endpoints for every Lambda-accessed AWS service. Cut our VPC networking costs by 85%! 💰

VPC Mistake #2: Public vs Private Subnet Confusion 🤔

The classic mistake:

# Created a "private" subnet
aws ec2 create-subnet --cidr-block 10.0.1.0/24 --availability-zone us-east-1a

# Launched RDS in it
aws rds create-db-instance --db-subnet-group my-private-subnets

# "Great! My database is private and secure!"

Plot twist: If your subnet has a route to an Internet Gateway, it's PUBLIC! 😱

What makes a subnet PUBLIC:

# Route table with Internet Gateway route = PUBLIC subnet
Route Table: rtb-public
Destination         Target
10.0.0.0/16        local
0.0.0.0/0          igw-12345  # <-- This makes it PUBLIC!

What makes a subnet PRIVATE:

# Route table WITHOUT Internet Gateway = PRIVATE subnet
Route Table: rtb-private
Destination         Target
10.0.0.0/16        local
0.0.0.0/0          nat-12345  # NAT Gateway, not Internet Gateway!

Real scenario - Public RDS (BAD!):

# Check your RDS subnet routes
aws ec2 describe-route-tables --filters "Name=association.subnet-id,Values=subnet-12345"

# Output shows:
# 0.0.0.0/0 -> igw-12345
#
# "Wait, my RDS is in a PUBLIC subnet?!" 💀
# "But security groups prevent access, right?"
# "...right?"

Security groups are NOT enough! Best practice: RDS in private subnets, ALWAYS!

The proper setup:

# PUBLIC Subnet (for ALB, NAT Gateway)
aws ec2 create-subnet \
  --vpc-id vpc-12345 \
  --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a \
  --map-public-ip-on-launch  # Auto-assign public IPs

# Associate with PUBLIC route table (has IGW)
aws ec2 associate-route-table \
  --subnet-id subnet-public \
  --route-table-id rtb-public

# PRIVATE Subnet (for EC2, RDS, Lambda)
aws ec2 create-subnet \
  --vpc-id vpc-12345 \
  --cidr-block 10.0.2.0/24 \
  --availability-zone us-east-1a

# Associate with PRIVATE route table (has NAT, not IGW)
aws ec2 associate-route-table \
  --subnet-id subnet-private \
  --route-table-id rtb-private

Rule of thumb:

• Public subnet: Load balancers, NAT Gateways, bastion hosts
• Private subnet: Application servers, databases, Lambda functions

A networking pattern that saved us: All compute in private subnets, only load balancers in public. Sleep better at night! 🛌

VPC Mistake #3: Security Group vs NACL Confusion 🔒

AWS has TWO firewalls per subnet. Most people only use one!

Security Groups (Stateful - Most Common)

# Allow inbound HTTP from anywhere
aws ec2 authorize-security-group-ingress \
  --group-id sg-12345 \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

# Return traffic is AUTOMATICALLY allowed (stateful!)
# No need to add outbound rule for HTTP responses

Properties:

• ✅ Stateful (return traffic auto-allowed)
• ✅ Applied to instances (not subnets)
• ✅ Only ALLOW rules (no DENY)
• ✅ Easier to manage

Real example - Web server security group:

# Create security group
aws ec2 create-security-group \
  --group-name web-server-sg \
  --description "Allow HTTP/HTTPS" \
  --vpc-id vpc-12345

# Allow HTTP from anywhere
aws ec2 authorize-security-group-ingress \
  --group-id sg-web \
  --protocol tcp \
  --port 80 \
  --cidr 0.0.0.0/0

# Allow HTTPS from anywhere
aws ec2 authorize-security-group-ingress \
  --group-id sg-web \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0

# Allow SSH from your office only
aws ec2 authorize-security-group-ingress \
  --group-id sg-web \
  --protocol tcp \
  --port 22 \
  --cidr 203.0.113.0/24  # Your office IP range

NACLs (Stateless - Often Forgotten)

# NACL rule 100: Allow inbound HTTP
aws ec2 create-network-acl-entry \
  --network-acl-id acl-12345 \
  --rule-number 100 \
  --protocol tcp \
  --port-range From=80,To=80 \
  --cidr-block 0.0.0.0/0 \
  --ingress \
  --rule-action allow

# Must ALSO allow outbound (stateless!)
aws ec2 create-network-acl-entry \
  --network-acl-id acl-12345 \
  --rule-number 100 \
  --protocol tcp \
  --port-range From=1024,To=65535  # Ephemeral ports!
  --cidr-block 0.0.0.0/0 \
  --egress \
  --rule-action allow

Properties:

• ⚠️ Stateless (must allow return traffic manually!)
• ⚠️ Applied to subnets (affects ALL instances)
• ✅ ALLOW and DENY rules
• ⚠️ Rule numbers matter (evaluated in order)

When I use NACLs:

• Blocking specific IPs (DENY rules)
• Subnet-level defense (extra security layer)
• Compliance requirements (need explicit deny)

When I skip NACLs:

• Most of the time! Security groups are enough!
• Default NACL (allow all) is fine for 90% of use cases

The gotcha that bit me:

# I blocked a malicious IP in security group
aws ec2 revoke-security-group-ingress \
  --group-id sg-12345 \
  --cidr 198.51.100.0/24

# But security groups only have ALLOW rules!
# Can't explicitly DENY!

# Solution - Use NACL for DENY:
aws ec2 create-network-acl-entry \
  --network-acl-id acl-12345 \
  --rule-number 5 \
  --protocol tcp \
  --port-range From=0,To=65535 \
  --cidr-block 198.51.100.0/24 \
  --ingress \
  --rule-action deny  # Explicit DENY!

Security Group + NACL strategy:

• Security Groups: Default rules (allow HTTP, HTTPS, SSH)
• NACLs: Block bad actors (deny specific IPs/ranges)

VPC Mistake #4: Forgetting About Availability Zones 🌍

The disaster scenario:

# Created VPC with ONE subnet
aws ec2 create-subnet \
  --vpc-id vpc-12345 \
  --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a

# Launched everything in us-east-1a
# EC2, RDS, NAT Gateway, all in ONE AZ!

# Then... us-east-1a had an outage (happened in 2021!)
# Entire application DOWN! 💥

The proper setup - Multi-AZ everything:

# Public subnets (one per AZ)
aws ec2 create-subnet --cidr-block 10.0.1.0/24 --availability-zone us-east-1a
aws ec2 create-subnet --cidr-block 10.0.2.0/24 --availability-zone us-east-1b
aws ec2 create-subnet --cidr-block 10.0.3.0/24 --availability-zone us-east-1c

# Private subnets (one per AZ)
aws ec2 create-subnet --cidr-block 10.0.11.0/24 --availability-zone us-east-1a
aws ec2 create-subnet --cidr-block 10.0.12.0/24 --availability-zone us-east-1b
aws ec2 create-subnet --cidr-block 10.0.13.0/24 --availability-zone us-east-1c

# NAT Gateways (one per AZ)
aws ec2 create-nat-gateway --subnet-id subnet-public-1a --allocation-id eip-1a
aws ec2 create-nat-gateway --subnet-id subnet-public-1b --allocation-id eip-1b
aws ec2 create-nat-gateway --subnet-id subnet-public-1c --allocation-id eip-1c

Terraform config (cleaner):

variable "availability_zones" {
  default = ["us-east-1a", "us-east-1b", "us-east-1c"]
}

# Public subnets
resource "aws_subnet" "public" {
  count             = length(var.availability_zones)
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.${count.index + 1}.0/24"
  availability_zone = var.availability_zones[count.index]

  map_public_ip_on_launch = true

  tags = {
    Name = "public-${var.availability_zones[count.index]}"
  }
}

# Private subnets
resource "aws_subnet" "private" {
  count             = length(var.availability_zones)
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.${count.index + 11}.0/24"
  availability_zone = var.availability_zones[count.index]

  tags = {
    Name = "private-${var.availability_zones[count.index]}"
  }
}

Cost warning:

• 1 NAT Gateway: $32.40/month
• 3 NAT Gateways: $97.20/month

Worth it? YES! Downtime costs way more than $65/month! ⚠️

When architecting on AWS, I learned: One AZ = single point of failure. Three AZs = sleep well at night!

VPC Mistake #5: Wrong CIDR Block Size 📏

The problem:

# Created VPC with tiny CIDR
aws ec2 create-vpc --cidr-block 10.0.0.0/28
# This gives you 16 IPs (11 usable after AWS reserves 5!)

# Launched 5 EC2 instances
# Launched RDS (uses 2 IPs)
# Launched ALB (uses 1 IP per subnet)
# Added Lambda ENIs (uses 1 IP per concurrent execution)

# "Error: No available IP addresses in subnet!" 😱
# Can't launch anything new!

AWS reserves 5 IPs per subnet:

10.0.0.0    - Network address
10.0.0.1    - VPC router
10.0.0.2    - DNS server
10.0.0.3    - Future use
10.0.0.255  - Broadcast

CIDR sizing guide:

/28 = 16 IPs (11 usable)    - TOO SMALL!
/27 = 32 IPs (27 usable)    - Still tight
/26 = 64 IPs (59 usable)    - Minimum for small apps
/24 = 256 IPs (251 usable)  - Good for most use cases
/20 = 4096 IPs              - Production-grade
/16 = 65536 IPs             - Maximum VPC size

My production VPC setup:

# VPC: /16 (65K IPs - room to grow!)
aws ec2 create-vpc --cidr-block 10.0.0.0/16

# Public subnets: /24 (256 IPs each)
# 10.0.1.0/24 (us-east-1a)
# 10.0.2.0/24 (us-east-1b)
# 10.0.3.0/24 (us-east-1c)

# Private subnets: /20 (4K IPs each - Lambda ENIs!)
# 10.0.16.0/20 (us-east-1a)
# 10.0.32.0/20 (us-east-1b)
# 10.0.48.0/20 (us-east-1c)

# Database subnets: /24 (256 IPs each)
# 10.0.11.0/24 (us-east-1a)
# 10.0.12.0/24 (us-east-1b)
# 10.0.13.0/24 (us-east-1c)

Why private subnets are /20? Lambda creates ENIs (Elastic Network Interfaces) for each concurrent execution. 1000 concurrent Lambdas = 1000 IPs needed!

Rule of thumb:

• VPC: Start with /16 (plan for growth!)
• Public subnets: /24 (256 IPs is plenty for load balancers)
• Private app subnets: /20 (4K IPs for Lambda/ECS scaling)
• Database subnets: /24 (databases don't need many IPs)

VPC Mistake #6: No VPC Flow Logs (Debugging Blind) 👁️

What I learned the hard way: You can't debug what you can't see!

The mystery connection error:

Application: "Error: Connection timeout to RDS"
Me: "Is the security group right? ✅"
Me: "Is the subnet right? ✅"
Me: "Is the route table right? ✅"
Me: "Then WHY ISN'T IT WORKING?!" 😭

Enable VPC Flow Logs:

# Create CloudWatch log group
aws logs create-log-group --log-group-name /aws/vpc/flow-logs

# Create IAM role for Flow Logs
aws iam create-role \
  --role-name vpc-flow-logs-role \
  --assume-role-policy-document file://trust-policy.json

# Enable Flow Logs
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-12345 \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-group-name /aws/vpc/flow-logs \
  --deliver-logs-permission-arn arn:aws:iam::123456789:role/vpc-flow-logs-role

Flow log format:

2 123456789 eni-abc123 10.0.1.5 10.0.2.10 49152 3306 6 10 5000 1620000000 1620000060 ACCEPT OK
|    |         |       |         |        |     |    |  |   |     |           |           |     |
|    |         |       |         |        |     |    |  |   |     |           |           |     +-- Log status
|    |         |       |         |        |     |    |  |   |     |           |           +-------- Action
|    |         |       |         |        |     |    |  |   |     |           +-------------------- End time
|    |         |       |         |        |     |    |  |   |     +-------------------------------- Start time
|    |         |       |         |        |     |    |  |   +-------------------------------------- Bytes
|    |         |       |         |        |     |    |  +------------------------------------------ Packets
|    |         |       |         |        |     |    +--------------------------------------------- Protocol
|    |         |       |         |        |     +-------------------------------------------------- Destination port
|    |         |       |         |        +-------------------------------------------------------- Source port
|    |         |       |         +----------------------------------------------------------------- Destination IP
|    |         |       +--------------------------------------------------------------------------- Source IP
|    |         +----------------------------------------------------------------------------------- ENI
|    +----------------------------------------------------------------------------------------- Account ID
+------------------------------------------------------------------------------------------------ Version

Debugging with Flow Logs:

# Check if traffic is being REJECTED
aws logs filter-log-events \
  --log-group-name /aws/vpc/flow-logs \
  --filter-pattern '[version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, start, end, action="REJECT", status]' \
  --max-items 20

# Check traffic to specific IP
aws logs filter-log-events \
  --log-group-name /aws/vpc/flow-logs \
  --filter-pattern '[version, account, eni, source="10.0.1.5", destination, srcport, destport, protocol, packets, bytes, start, end, action, status]'

What I discovered:

10.0.1.5 -> 10.0.2.10:3306 REJECT

Translation: EC2 instance (10.0.1.5) trying to reach RDS (10.0.2.10:3306), but it's REJECTED!

Why? NACL was blocking return traffic (stateless firewall strikes again!)

A troubleshooting pattern that saved us: Flow Logs first, then check security groups, then route tables. 90% of issues show up in Flow Logs! 🕵️

The VPC Cost Optimization Playbook 💰

Here's how I cut our VPC costs from $200/month to $50/month:

1. Use VPC Endpoints Instead of NAT Gateway

# Before: All Lambda traffic through NAT ($180/month)
# After: S3/DynamoDB through VPC endpoints ($0!)

# Gateway endpoints (FREE!)
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-12345 \
  --service-name com.amazonaws.us-east-1.s3 \
  --route-table-ids rtb-12345

# Interface endpoints ($0.01/hour = $7.20/month)
# Still cheaper than NAT Gateway ($32.40/month)!

Savings: $180 → $30/month 🎉

2. Single NAT Gateway (If You Can)

# Before: 3 NAT Gateways (high availability)
# Cost: 3 × $32.40 = $97.20/month

# After: 1 NAT Gateway (acceptable risk)
# Cost: $32.40/month

# Savings: $64.80/month

Trade-off: If that AZ fails, outbound internet access is down. Worth it? Depends on your SLA!

3. NAT Instance Instead of NAT Gateway

# NAT Gateway: $32.40/month + data processing
# NAT Instance (t3.nano): $4.75/month + data processing

# Savings: $27.65/month per AZ!

Setup NAT instance:

# Launch t3.nano with NAT AMI
aws ec2 run-instances \
  --image-id ami-nat \
  --instance-type t3.nano \
  --subnet-id subnet-public \
  --associate-public-ip-address

# Disable source/destination checks
aws ec2 modify-instance-attribute \
  --instance-id i-nat \
  --no-source-dest-check

# Update route table
aws ec2 create-route \
  --route-table-id rtb-private \
  --destination-cidr-block 0.0.0.0/0 \
  --instance-id i-nat

Downside: You manage it (patching, monitoring, etc.)

When I use NAT instances: Low-traffic environments, cost-sensitive projects!

4. IPv6 (Skip NAT Entirely!)

# Enable IPv6 on VPC
aws ec2 associate-vpc-cidr-block \
  --vpc-id vpc-12345 \
  --amazon-provided-ipv6-cidr-block

# Enable IPv6 on subnet
aws ec2 associate-subnet-cidr-block \
  --subnet-id subnet-12345 \
  --ipv6-cidr-block 2600:1f00::/64

# Route IPv6 traffic directly to Internet Gateway (NO NAT NEEDED!)
aws ec2 create-route \
  --route-table-id rtb-private \
  --destination-ipv6-cidr-block ::/0 \
  --gateway-id igw-12345

Benefits:

• No NAT Gateway needed! ($0 instead of $32.40/month)
• Direct internet access for private resources
• More IP addresses than you'll ever need

Gotcha: Not all services support IPv6 yet!

The Production VPC Architecture That Actually Works 🏗️

Here's my battle-tested VPC setup:

VPC: 10.0.0.0/16 (65K IPs)

Availability Zone A (us-east-1a):
├── Public Subnet (10.0.1.0/24)
│   ├── NAT Gateway
│   ├── Application Load Balancer
│   └── Bastion Host
├── Private App Subnet (10.0.16.0/20)
│   ├── EC2 Instances
│   ├── Lambda ENIs
│   └── ECS Tasks
└── Private DB Subnet (10.0.11.0/24)
    ├── RDS Primary
    └── ElastiCache

Availability Zone B (us-east-1b):
├── Public Subnet (10.0.2.0/24)
│   ├── NAT Gateway
│   └── ALB (Multi-AZ)
├── Private App Subnet (10.0.32.0/20)
│   └── EC2 + Lambda + ECS
└── Private DB Subnet (10.0.12.0/24)
    └── RDS Read Replica

Availability Zone C (us-east-1c):
├── Public Subnet (10.0.3.0/24)
│   ├── NAT Gateway
│   └── ALB (Multi-AZ)
├── Private App Subnet (10.0.48.0/20)
│   └── EC2 + Lambda + ECS
└── Private DB Subnet (10.0.13.0/24)
    └── RDS Standby

VPC Endpoints:
├── S3 (Gateway - FREE!)
├── DynamoDB (Gateway - FREE!)
├── Secrets Manager (Interface - $7.20/month)
└── SQS (Interface - $7.20/month)

Security Groups:

sg-alb: Allow 80, 443 from 0.0.0.0/0
sg-app: Allow all from sg-alb
sg-db: Allow 3306 from sg-app
sg-bastion: Allow 22 from office IP

Route Tables:

rtb-public: 0.0.0.0/0 -> igw-12345
rtb-private-1a: 0.0.0.0/0 -> nat-1a
rtb-private-1b: 0.0.0.0/0 -> nat-1b
rtb-private-1c: 0.0.0.0/0 -> nat-1c

Cost:

• 3 NAT Gateways: $97.20/month
• 2 Interface VPC Endpoints: $14.40/month
• Total: $111.60/month

Worth it? This setup survived AWS outages, DDoS attacks, and Black Friday traffic. 100% uptime! 🏆

Quick Start: Your VPC Checklist ✅

Setting up a production VPC? Use this checklist:

1. Create VPC with /16 CIDR:

   aws ec2 create-vpc --cidr-block 10.0.0.0/16
   

2. Create subnets in 3 AZs:

   • Public: /24 each (3 total)
   • Private: /20 each (3 total)
   • Database: /24 each (3 total)

3. Create Internet Gateway:

   aws ec2 create-internet-gateway
   aws ec2 attach-internet-gateway --vpc-id vpc-12345 --internet-gateway-id igw-12345
   

4. Create NAT Gateways (one per AZ):

   aws ec2 create-nat-gateway --subnet-id subnet-public-1a
   

5. Create route tables:

   • Public route table → IGW
   • Private route tables → NAT Gateway (one per AZ)

6. Set up Security Groups:

   • ALB: Allow 80, 443
   • App: Allow from ALB
   • DB: Allow from App

7. Enable VPC Flow Logs:

   aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-12345
   

8. Create VPC Endpoints:

   aws ec2 create-vpc-endpoint --service-name com.amazonaws.us-east-1.s3
   

9. Test everything! Launch EC2, check internet access, verify RDS connectivity!

The Bottom Line 💡

VPC networking is complex, but once you understand it, AWS becomes 10× easier!

The essentials:

1. Subnets: Public (IGW) vs Private (NAT)
2. Security: Security Groups (stateful) + NACLs (stateless)
3. High Availability: Multi-AZ everything!
4. Cost: VPC endpoints >> NAT Gateway for AWS services
5. Debugging: Enable Flow Logs from day one!

The truth about VPC:

It's not "set it and forget it" - it's "set it up right once, then forget it!" One hour of proper planning saves months of troubleshooting!

When architecting our e-commerce backend, I learned: VPCs are like foundations - nobody cares if they're good, but everyone notices if they're bad! Get it right the first time. Use multiple AZs. Enable Flow Logs. Sleep well knowing your networking is solid! 🌐

You don't need perfect VPC design from day one - you need SECURE, SCALABLE defaults that work! 🚀

Your Action Plan 🎯

This week:

1. Audit your existing VPC (check subnet routes!)
2. Enable VPC Flow Logs (debugging future self will thank you)
3. Create VPC endpoints for S3/DynamoDB (free money!)
4. Verify multi-AZ setup (or add missing AZs)

This month:

1. Review security groups (least privilege!)
2. Set up NACLs for critical subnets
3. Implement bastion host for SSH access
4. Monitor NAT Gateway costs (consider alternatives)

This quarter:

1. Migrate to VPC endpoints (cut NAT costs)
2. Automate VPC setup with Terraform
3. Implement VPC peering for multi-VPC architecture
4. Become the networking guru on your team! 🏆

Resources Worth Your Time 📚

Tools I use daily:

• AWS VPC Subnet Calculator - CIDR planning
• VPC Reachability Analyzer - Test connectivity
• Terraform AWS VPC Module - Production-ready IaC

Reading list:

• AWS VPC Documentation
• VPC Best Practices

Real talk: The best VPC is one you understand! Start simple, add complexity only when needed!

---

Still confused about VPC? Connect with me on LinkedIn and share your networking war stories!

Want to see my VPC Terraform configs? Check out my GitHub - production-ready examples!

Now go forth and network responsibly! 🌐✨

---

P.S. If your RDS is in a public subnet, fix that RIGHT NOW! I'll wait. Seriously. Public databases = security nightmare waiting to happen! 🚨

P.P.S. I once forgot to create NAT Gateways in all AZs. During an AZ outage, half our Lambda functions couldn't reach the internet. Multi-AZ EVERYTHING, people! Learn from my pain! 💸