AWS VPC Networking: Designing Production Network Architecture

AWS VPC Networking for Production Systems

AWS VPC networking architecture is the foundation of every AWS deployment. A well-designed VPC provides network isolation, controls traffic flow, and enables secure communication between services. Investing time in proper VPC design up front prevents costly re-architecture later: CIDR ranges and subnet layouts are hard to change once workloads depend on them, and a segmentation mistake baked into the network is inherited by everything deployed on top of it.

Most production environments need multiple VPCs — separate networks for production, staging, and development, often across multiple AWS accounts. Moreover, services need to communicate across VPCs and with on-premises networks securely. Consequently, understanding subnets, route tables, NAT gateways, Transit Gateway, and PrivateLink is essential for cloud architects.

AWS VPC Networking Architecture: Multi-AZ Subnet Design

A production VPC should span at least three Availability Zones with public, private, and isolated subnet tiers. Public subnets host load balancers and NAT gateways, private subnets host application workloads with outbound-only internet access through a NAT gateway, and isolated subnets host databases with no route to the internet at all. Use a CIDR block large enough for growth: /16 is the largest primary CIDR a VPC allows and provides 65,536 addresses (AWS reserves five addresses in every subnet, so a /24 yields 251 usable). Choose ranges that do not overlap with other VPCs or on-premises networks, because VPC peering rejects overlapping CIDRs and Transit Gateway cannot disambiguate them.

# CloudFormation: Production VPC with 3 AZs, 3 tiers (private and isolated tiers shown for AZ A only; repeat per AZ with one NAT Gateway each)
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsHostnames: true
      EnableDnsSupport: true
      Tags:
        - Key: Name
          Value: production-vpc

  InternetGateway:
    Type: AWS::EC2::InternetGateway

  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway

  # Public Subnets (ALB, NAT Gateway)
  PublicSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.1.0/24    # 256 addresses, 251 usable (AWS reserves 5 per subnet)
      AvailabilityZone: !Select [0, !GetAZs '']
      MapPublicIpOnLaunch: true  # affects only instances launched here; ALB and NAT get their own IPs

  PublicSubnetB:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.2.0/24
      AvailabilityZone: !Select [1, !GetAZs '']
      MapPublicIpOnLaunch: true

  PublicSubnetC:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.3.0/24
      AvailabilityZone: !Select [2, !GetAZs '']
      MapPublicIpOnLaunch: true

  # Private Subnets (ECS, EKS, Lambda)
  PrivateSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.10.0/24
      AvailabilityZone: !Select [0, !GetAZs '']

  # Isolated Subnets (RDS, ElastiCache — no internet)
  IsolatedSubnetA:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref VPC
      CidrBlock: 10.0.20.0/24
      AvailabilityZone: !Select [0, !GetAZs '']

  # Public route table: default route to the Internet Gateway (associate each public subnet the same way as shown for the isolated subnet below)
  PublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC

  PublicDefaultRoute:
    Type: AWS::EC2::Route
    DependsOn: AttachGateway
    Properties:
      RouteTableId: !Ref PublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref InternetGateway

  NatEIPA:
    Type: AWS::EC2::EIP
    DependsOn: AttachGateway
    Properties:
      Domain: vpc

  # NAT Gateway for private subnet internet access
  NatGatewayA:
    Type: AWS::EC2::NatGateway
    Properties:
      AllocationId: !GetAtt NatEIPA.AllocationId
      SubnetId: !Ref PublicSubnetA

  # Private route table: outbound-only internet via NAT (associate PrivateSubnetA the same way as shown below)
  PrivateRouteTableA:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC

  PrivateDefaultRouteA:
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref PrivateRouteTableA
      DestinationCidrBlock: 0.0.0.0/0
      NatGatewayId: !Ref NatGatewayA

  # Isolated route table: local route only, no 0.0.0.0/0. A dedicated table means a later edit to the main route table cannot expose the databases.
  IsolatedRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref VPC

  IsolatedSubnetARouteAssoc:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref IsolatedSubnetA
      RouteTableId: !Ref IsolatedRouteTable
Figure: Three-tier subnet design isolates workloads with appropriate network access levels

Transit Gateway: Multi-VPC Connectivity

Transit Gateway acts as a central hub connecting multiple VPCs, VPN connections, and Direct Connect gateways. Instead of managing dozens of VPC peering connections, Transit Gateway simplifies networking to a hub-and-spoke model. Route tables on the Transit Gateway control which attachments can reach each other: with default association and propagation disabled, every attachment must be associated with a route table and every reachable prefix added explicitly, which is what makes prod/staging segmentation enforceable rather than accidental. A route is only half a path, though. The shared-services route table needs a return route to the prod CIDR, and each VPC's own route tables need a route to the remote CIDR pointing at the Transit Gateway attachment. If the gateway is shared across accounts with AWS RAM, AutoAcceptSharedAttachments: enable lets any recipient account attach without approval; set it to disable when attachments should be reviewed first.

# Transit Gateway connecting prod, staging, shared-services VPCs
TransitGateway:
  Type: AWS::EC2::TransitGateway
  Properties:
    # With RAM sharing, 'enable' lets any recipient account attach without approval;
    # use 'disable' if every attachment should be reviewed before it joins the hub
    AutoAcceptSharedAttachments: enable
    DefaultRouteTableAssociation: disable   # each attachment must be placed in a table explicitly
    DefaultRouteTablePropagation: disable   # no implicit any-to-any reachability
    DnsSupport: enable
    Tags:
      - Key: Name
        Value: central-tgw

# Route table: Prod can reach shared-services but NOT staging
ProdRouteTable:
  Type: AWS::EC2::TransitGatewayRouteTable
  Properties:
    TransitGatewayId: !Ref TransitGateway

# The prod VPC attachment must be associated with this table; with default
# association disabled, an unassociated attachment forwards nothing
ProdRouteTableAssociation:
  Type: AWS::EC2::TransitGatewayRouteTableAssociation
  Properties:
    TransitGatewayAttachmentId: !Ref ProdAttachment   # AWS::EC2::TransitGatewayAttachment, not shown
    TransitGatewayRouteTableId: !Ref ProdRouteTable

ProdToSharedRoute:
  Type: AWS::EC2::TransitGatewayRoute
  Properties:
    TransitGatewayRouteTableId: !Ref ProdRouteTable
    DestinationCidrBlock: 10.1.0.0/16  # shared-services VPC
    TransitGatewayAttachmentId: !Ref SharedServicesAttachment

# Explicit blackhole for staging: an unrouted prefix is dropped anyway, but a static
# blackhole documents intent and takes precedence over a propagated route for the same prefix
ProdToStagingBlackhole:
  Type: AWS::EC2::TransitGatewayRoute
  Properties:
    TransitGatewayRouteTableId: !Ref ProdRouteTable
    DestinationCidrBlock: 10.2.0.0/16  # staging VPC CIDR (assumed; not stated elsewhere on this page)
    Blackhole: true

VPC Endpoints and PrivateLink

VPC endpoints enable private connectivity to AWS services without traversing the internet or a NAT Gateway. Gateway endpoints (S3 and DynamoDB only) are free and work by adding a prefix-list route to the route tables you attach them to; interface endpoints (PrivateLink) place an elastic network interface in your subnets, are billed per hour and per GB, and are guarded by a security group like any other ENI. Gateway endpoints and most interface endpoints accept an endpoint policy, which is the place to restrict which buckets, tables, or API actions are reachable from inside the VPC; without one, an endpoint is a path to every bucket in every account. PrivateLink also enables private connectivity to third-party services and to your own services across VPCs without peering the networks.
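An added example, not code from the original article, showing both endpoint types with the controls a practitioner would want: an S3 gateway endpoint whose endpoint policy is scoped to a single bucket, and a Secrets Manager interface endpoint with private DNS and a security group. It assumes the VPC, PrivateRouteTableA, PrivateSubnetA and the 10.0.0.0/16 range from the VPC template above; AllowedBucketArn is an assumed parameter.

```yaml
# Added example (not from the original article). Assumes VPC, PrivateRouteTableA,
# PrivateSubnetA and 10.0.0.0/16 from the VPC template above; AllowedBucketArn is assumed.
Parameters:
  AllowedBucketArn:
    Type: String
    Description: ARN of the only bucket workloads may reach through the endpoint

Resources:
  # Gateway endpoint: free, attached to route tables (adds a prefix-list route),
  # and the endpoint policy limits what can be reached through it.
  S3Endpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub com.amazonaws.${AWS::Region}.s3
      VpcEndpointType: Gateway
      RouteTableIds:
        - !Ref PrivateRouteTableA
      # Without a policy the endpoint allows every bucket in every account, which is
      # an exfiltration path for a compromised instance. Scope it to one bucket.
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: "*"
            Action:
              - s3:GetObject
              - s3:PutObject
              - s3:ListBucket
            Resource:
              - !Ref AllowedBucketArn
              - !Sub "${AllowedBucketArn}/*"

  # Interface endpoint (PrivateLink): an ENI per subnet, so it needs a security group.
  # Only HTTPS from inside the VPC; an explicit CIDR keeps the group from being
  # reused later with a wider source.
  EndpointSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS to interface endpoints from inside the VPC
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 10.0.0.0/16

  SecretsManagerEndpoint:
    Type: AWS::EC2::VPCEndpoint
    Properties:
      VpcId: !Ref VPC
      ServiceName: !Sub com.amazonaws.${AWS::Region}.secretsmanager
      VpcEndpointType: Interface
      # Private DNS makes the public service hostname resolve to the endpoint ENIs
      # inside the VPC, so SDK calls use the endpoint with no code change
      PrivateDnsEnabled: true
      SubnetIds:
        - !Ref PrivateSubnetA
      SecurityGroupIds:
        - !Ref EndpointSecurityGroup
```

The endpoint policy controls what the VPC can reach; the complementary control lives on the bucket, where a bucket policy condition on aws:SourceVpce can refuse any request that did not arrive through this endpoint. Applying both closes the path in each direction.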

Figure: VPC endpoints and PrivateLink keep traffic within the AWS network for security and performance

Security Groups and NACLs

Security groups are stateful firewalls attached to network interfaces: allow rules only, and return traffic for an allowed connection is permitted automatically. Network ACLs are stateless firewalls at the subnet level: they support both allow and deny rules, are evaluated in rule-number order, and require explicit entries in both directions, including the ephemeral port range (1024-65535) that return traffic uses. Use security groups as your primary control, referencing other security groups as sources rather than CIDR ranges wherever possible, and use NACLs as a coarse additional layer, for example to deny a known-bad range or to keep an isolated subnet from talking to anything but its neighbouring tier. See the AWS VPC documentation for the complete networking reference.
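An added example, not code from the original article, of the layering just described: three security groups chained by reference (internet to ALB, ALB to app, app to database) so no tier is reachable from a CIDR it does not need, plus a stateless network ACL on the isolated subnet that allows only the database port in and the ephemeral reply range out. It assumes VPC, IsolatedSubnetA and the 10.0.10.0/24 application subnet from the VPC template above; port 8080 for the application and 5432 (PostgreSQL) for the database are assumed.

```yaml
# Added example (not from the original article). Assumes VPC, IsolatedSubnetA and the
# 10.0.10.0/24 application subnet from the VPC template above; ports 8080 and 5432 are assumed.
Resources:
  # Tier 1: the load balancer is the only thing reachable from the internet, on 443 only
  AlbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Internet to ALB, HTTPS only
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0

  # Tier 2: the app tier accepts traffic only from the ALB's security group.
  # Referencing a group instead of a CIDR means the rule tracks the ALB nodes as
  # they scale or change address, and nothing else in the public subnet qualifies.
  AppSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: ALB to application tier
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          SourceSecurityGroupId: !Ref AlbSecurityGroup

  # Tier 3: the database accepts connections only from the app tier's group.
  # Egress is pinned to a loopback address: CloudFormation otherwise leaves the
  # default allow-all outbound rule, and a database has no reason to initiate connections.
  DbSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Application tier to database
      VpcId: !Ref VPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 5432
          ToPort: 5432
          SourceSecurityGroupId: !Ref AppSecurityGroup
      SecurityGroupEgress:
        - IpProtocol: "-1"
          CidrIp: 127.0.0.1/32

  # NACL for the isolated tier. It is stateless, so the reply direction must be
  # written too, and replies go to whatever ephemeral source port the client chose,
  # hence the 1024-65535 range. A custom NACL denies everything not listed.
  IsolatedNacl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: !Ref VPC

  IsolatedNaclInFromApp:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref IsolatedNacl
      RuleNumber: 100
      Protocol: 6               # TCP
      RuleAction: allow
      Egress: false
      CidrBlock: 10.0.10.0/24   # application subnet only
      PortRange: { From: 5432, To: 5432 }

  IsolatedNaclOutToApp:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref IsolatedNacl
      RuleNumber: 100
      Protocol: 6
      RuleAction: allow
      Egress: true
      CidrBlock: 10.0.10.0/24
      PortRange: { From: 1024, To: 65535 }   # replies to the app tier's ephemeral ports

  IsolatedNaclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref IsolatedSubnetA
      NetworkAclId: !Ref IsolatedNacl
```

Repeat the NACL association for each isolated subnet, and if the database tier talks to itself across Availability Zones (replication, cluster membership), add entries for the other isolated subnets' CIDRs as well; otherwise the stateless deny will silently break that traffic. The security groups need no such duplication, since they follow the interfaces rather than the subnets.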

Key Takeaways

  • Span at least three Availability Zones and split each into public, private, and isolated tiers; only the isolated tier has no route to the internet, and it should sit on its own route table
  • Size the VPC CIDR (at most /16) for growth and keep ranges non-overlapping across VPCs, accounts, and on-premises networks so peering and Transit Gateway can route between them
  • Disable Transit Gateway default association and propagation and write every association and route explicitly; segmentation is only as strong as the route tables
  • Use gateway endpoints for S3 and DynamoDB and interface endpoints for other services, each with an endpoint policy, so the private tier does not depend on a NAT Gateway for AWS API access
  • Make security groups the primary control, reference other security groups rather than CIDRs, and treat NACLs as a stateless backstop
  • Document CIDR allocations and topology decisions for the people who inherit the network
Figure: Layer security groups and NACLs for defense-in-depth network security

In conclusion, AWS VPC networking architecture requires thoughtful design upfront to avoid costly re-architecture. Use multi-AZ, three-tier subnets for isolation, Transit Gateway for multi-VPC connectivity, and VPC endpoints for private AWS service access. Plan your CIDR ranges carefully and document your network topology — it’s the foundation everything else builds on.
