These notes were written while working through the A Cloud Guru AWS Certified Solutions Architect - Associate online course. These notes are partly from the videos, and also from various other online sources. Primarily, they’re notes for me, but you might find them useful too.

Since the AWS platform is changing so quickly, it’s possible that some of these notes may be out of date, so please take that into consideration if you are reading them.

Please let me know in the comments below if you have any corrections or updates which you’d like me to add.

VPC (Virtual Private Cloud)

VPC FAQ

VPC applies to all exams. Need to know this inside-out.

A VPC is like a logical data center.

A VPC consists of:

  • Internet Gateways or Virtual Private Gateways
  • Route Tables
  • NACLs
  • Security Groups

All VPC traffic can be logged via VPC Flow Logs.

Creating a VPC also creates a route table, but doesn’t create a subnet or internet gateway by default.

Subnets

VPCs and Subnets

Use public facing subnets for public facing web servers.

Use private subnets for backend services, databases, etc.

You can use a Bastion / Jump Box located in the public subnet to access instances in the private subnet by first SSHing into the Bastion, and then using it to SSH to instances in the private subnet.

For multiple layers of security, it’s recommended you use a VPC in addition to security groups and NACLs (Network Access Control Lists).

Security groups (first layer of defense) exist at the instance level

NACLs (second layer of defense) exist at the subnet level

It’s possible to implement a private cloud (i.e. a corporate data center) using VPCs.

Each subnet is always mapped to an AZ (Availability Zone). It’s not possible to span subnets across multiple AZs. However, security groups, NACLs, and Route Tables CAN span multiple subnets and AZs.

Only one internet gateway can be attached to a subnet.

CIDR - Classless Inter-domain Routing

The first four IP addresses and the last IP address in each subnet CIDR block are not available for you to use, and cannot be assigned to an instance.

i.e.

  • 10.0.0.0: Network address.
  • 10.0.0.1: Reserved by AWS for the VPC router.
  • 10.0.0.2: Reserved by AWS for DNS.
  • 10.0.0.3: Reserved by AWS for future use.
  • 10.0.0.255: Network broadcast address. We do not support broadcast in a VPC, therefore we reserve this address.

Netmasks:

  • /16 - supports up to 65,536 IP addresses
  • /24 - supports up to 256 IP addresses
  • /28 - supports up to 16 IP addresses
  • /32 - an absolute IP address - matches exactly one
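The reserved-address rule above is easy to get wrong when sizing subnets, so here is an added example (my own illustration, not code from the course or from AWS) that models it with Python’s standard ipaddress module. It assumes the five reserved addresses listed above and AWS’s subnet size limits of /16 to /28; the /32 case from the netmask list is a host route, not a subnet, so it is rejected here.

```python
import ipaddress

# Added illustration, not AWS code: model the five addresses AWS reserves in
# every subnet CIDR block (network, VPC router, DNS, future use, broadcast).
RESERVED_PER_SUBNET = 5
MIN_PREFIX, MAX_PREFIX = 16, 28   # AWS allows subnet blocks between /16 and /28


def subnet(cidr: str) -> ipaddress.IPv4Network:
    """Parse a subnet CIDR and reject sizes AWS would not accept."""
    net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"{cidr}: AWS subnets must be between /16 and /28")
    return net


def reserved_addresses(cidr: str) -> dict:
    """The addresses in the block that cannot be assigned to an instance."""
    net = subnet(cidr)
    return {
        "network": str(net[0]),       # network address
        "vpc_router": str(net[1]),    # reserved for the VPC router
        "dns": str(net[2]),           # reserved for DNS
        "future_use": str(net[3]),    # reserved for future use
        "broadcast": str(net[-1]),    # broadcast is not supported, so reserved
    }


def usable_addresses(cidr: str) -> int:
    """How many addresses in the block are left for instances, ENIs, etc."""
    return subnet(cidr).num_addresses - RESERVED_PER_SUBNET


def assignable(cidr: str, address: str) -> bool:
    """True if `address` lies inside the block and is not one AWS reserves."""
    net = subnet(cidr)
    addr = ipaddress.ip_address(address)
    return addr in net and str(addr) not in reserved_addresses(cidr).values()


if __name__ == "__main__":
    for block in ("10.0.0.0/24", "10.0.1.0/28", "10.0.0.0/16"):
        print(block, usable_addresses(block), "usable;", reserved_addresses(block))
```

Note that a /28 leaves only 11 usable addresses, not 16, which matters when a small subnet is meant to hold a NAT gateway, an endpoint or a few load balancer nodes.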

To enable ping, you need to allow ICMP traffic.

Security groups vs NACLs

Security Group                                  | NACL
------------------------------------------------|------------------------------------------------
Supports only Allow rules                       | Supports Allow and Deny rules
Stateful                                        | Stateless
All rules are evaluated before allowing traffic | Evaluates rules in numerical order. As soon as a rule is found allowing the traffic, the traffic is allowed.
Rules apply to specific instances               | Rules apply to ALL instances in the subnet
Unable to block IP addresses                    | Able to block IP addresses

A NACL can be applied to multiple subnets. If you attempt to assign a NACL to a subnet which already has a NACL, the new NACL will replace the existing NACL for the subnet.

A subnet can have only one NACL assigned to it

Types of NACL:

  • Default - allows all traffic by default
  • Custom - denies all traffic by default

In order to allow outgoing traffic, enable both outgoing and incoming ephemeral ports (1024-65535).

NAT gateways and NAT instances

NAT is used for traffic routing

In order for a NAT instance to work, you need to disable source/dest checks via the Actions->Networking menu

It’s best practice to always allow HTTP and HTTPS traffic.

If you want your instances in private subnets to access the internet, you’ll need to create a route from the private subnet, through the NAT, and out to the internet.

Add 0.0.0.0/0 to the private route table and set the target as the NAT to allow all traffic through. i.e. so you can run “yum update” on the console of an ec2 instance in a private subnet, and have it successfully connect and update the instance.

Put the NAT gateway in a public subnet and always update route tables to point to the NAT gateway and out to the internet

NAT gateways scale automatically up to 10 Gbps.
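The routing steps above (0.0.0.0/0 in the private route table pointing at the NAT, and the NAT itself sitting in a public subnet) can be checked mechanically. The following is an added example of mine, not code from the course or from AWS: it models a route table with most-specific-prefix lookup and the always-present local route, then validates a NAT layout. The resource IDs (igw-EXAMPLE, nat-EXAMPLE) and the addresses are constructed placeholders.

```python
import ipaddress

# Added illustration, not AWS code: route table lookup (most specific prefix
# wins) plus a check that a NAT set-up follows the notes above.
# Resource IDs and addresses below are constructed placeholders.
VPC_CIDR = "10.0.0.0/16"
IGW = "igw-EXAMPLE"
NAT = "nat-EXAMPLE"
ANYWHERE = "0.0.0.0/0"


class RouteTable:
    def __init__(self, vpc_cidr: str, routes=()):
        # Every route table carries an unremovable 'local' route for the VPC CIDR.
        self.routes = {ipaddress.ip_network(vpc_cidr): "local"}
        for cidr, target in routes:
            self.add_route(cidr, target)

    def add_route(self, cidr: str, target: str) -> None:
        self.routes[ipaddress.ip_network(cidr)] = target

    def lookup(self, destination: str):
        """Target for a destination address, or None when no route matches."""
        addr = ipaddress.ip_address(destination)
        candidates = [net for net in self.routes if addr in net]
        if not candidates:
            return None                              # no route: packet is dropped
        return self.routes[max(candidates, key=lambda n: n.prefixlen)]

    def default_target(self):
        return self.routes.get(ipaddress.ip_network(ANYWHERE))

    def is_public(self) -> bool:
        """A subnet is public when its 0.0.0.0/0 route points at an internet gateway."""
        return str(self.default_target()).startswith("igw-")


def check_nat_setup(nat_subnet_rt: RouteTable, private_rt: RouteTable) -> list:
    """Problems with a NAT layout; empty when both conditions from the notes hold."""
    problems = []
    if not nat_subnet_rt.is_public():
        problems.append("NAT gateway must sit in a public subnet (0.0.0.0/0 -> igw)")
    if not str(private_rt.default_target()).startswith("nat-"):
        problems.append("private route table needs 0.0.0.0/0 -> NAT gateway")
    return problems


public_rt = RouteTable(VPC_CIDR, [(ANYWHERE, IGW)])    # public subnet
private_rt = RouteTable(VPC_CIDR, [(ANYWHERE, NAT)])   # private subnet behind NAT
isolated_rt = RouteTable(VPC_CIDR)                     # private subnet, no internet

if __name__ == "__main__":
    # 198.51.100.7 stands in for any internet address (constructed sample).
    for name, rt in (("public", public_rt), ("private", private_rt), ("isolated", isolated_rt)):
        print(name, "->", rt.lookup("10.0.3.7"), rt.lookup("198.51.100.7"))
    print(check_nat_setup(public_rt, private_rt))     # []
    print(check_nat_setup(private_rt, isolated_rt))   # two problems
```

The isolated table is the case where “yum update” hangs: traffic inside the VPC still resolves to the local route, but anything internet-bound has no route at all.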

NAT instance                                                        | NAT Gateway
--------------------------------------------------------------------|--------------------------------------------------------------------
Custom EC2 instances provisioned via custom community AMIs          | Provisioned and managed by AWS
The amount of traffic handled by a NAT instance depends on its size - bigger instances handle more traffic. | Managed by AWS and scale automatically; preferred over NAT instances, which are custom community AMIs.
NAT instances use security groups.                                  | No security group is needed; it is all AWS managed, rather than a custom EC2 instance which needs to be maintained.
Need source/dest checks disabled via the Actions->Networking menu   | No need to disable source/dest check.
Must be in the public subnet and must have a public IP address.     |

Full comparison between NAT gateways and NAT instances

Stateful vs Stateless

Security groups are stateful. This means that if you add an incoming HTTP rule, there will automatically be a corresponding outgoing one.

Subnet ACLs are stateless which means that if you add an incoming HTTP rule, you’ll need to add an outgoing one too, otherwise HTTP traffic won’t be able to get back out of your subnet.
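The two tables and the stateful vs stateless point above come together in one behaviour: a stateless NACL must explicitly allow the reply on an ephemeral port, and it applies its rules in ascending rule number, first match wins, whether that match is an allow or a deny. Below is an added example of my own (not code from the course or from AWS) that models both a NACL and a security group and pushes one HTTP request and its reply through each. Addresses, ports and rule numbers are constructed sample values; the ephemeral range is the 1024-65535 from the notes.

```python
import ipaddress
from dataclasses import dataclass

# Added illustration, not AWS code: how a stateless NACL and a stateful
# security group treat an HTTP request and its reply (TCP only, for brevity).


@dataclass(frozen=True)
class Packet:
    src: str
    src_port: int
    dst: str
    dst_port: int

    def reply(self) -> "Packet":
        """The return packet: addresses and ports swapped."""
        return Packet(self.dst, self.dst_port, self.src, self.src_port)


@dataclass(frozen=True)
class Rule:
    cidr: str
    port_from: int
    port_to: int
    action: str = "allow"   # NACL rules may also be "deny"; security groups only allow
    number: int = 0         # NACL rule number, evaluated lowest first; unused by SGs

    def matches(self, packet: Packet, direction: str) -> bool:
        # Inbound rules match the source address, outbound rules the destination.
        addr = packet.src if direction == "inbound" else packet.dst
        return (ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr)
                and self.port_from <= packet.dst_port <= self.port_to)


class NetworkAcl:
    """Stateless: every packet, replies included, must match an explicit rule."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": sorted(inbound, key=lambda r: r.number),
                      "outbound": sorted(outbound, key=lambda r: r.number)}

    def check(self, direction: str, packet: Packet) -> str:
        for rule in self.rules[direction]:      # lowest rule number first
            if rule.matches(packet, direction):
                return rule.action              # first match wins, allow or deny
        return "deny"                           # the implicit trailing '*' rule


class SecurityGroup:
    """Stateful: once a flow is allowed, its reply is allowed automatically."""

    def __init__(self, inbound, outbound):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.flows = set()                      # packets already permitted

    def check(self, direction: str, packet: Packet) -> str:
        if packet.reply() in self.flows:        # reply to a permitted flow
            return "allow"
        if any(r.matches(packet, direction) for r in self.rules[direction]):
            self.flows.add(packet)
            return "allow"
        return "deny"


def http_round_trip(filt, client="203.0.113.10", server="10.0.1.25"):
    """Send one HTTP request (constructed sample addresses) through `filt`
    and report (request verdict, reply verdict)."""
    request = Packet(client, 50123, server, 80)
    verdict = filt.check("inbound", request)
    if verdict != "allow":
        return verdict, None
    return verdict, filt.check("outbound", request.reply())


# Scenarios from the notes above.
def stateful_sg():
    return SecurityGroup(inbound=[Rule("0.0.0.0/0", 80, 80)], outbound=[])

def nacl_without_ephemeral():
    return NetworkAcl(inbound=[Rule("0.0.0.0/0", 80, 80, number=100)], outbound=[])

def nacl_with_ephemeral():
    return NetworkAcl(inbound=[Rule("0.0.0.0/0", 80, 80, number=100)],
                      outbound=[Rule("0.0.0.0/0", 1024, 65535, number=100)])

def nacl_blocking_client(deny_number: int):
    """Deny one /24 on port 80; whether it bites depends on its rule number."""
    return NetworkAcl(inbound=[Rule("203.0.113.0/24", 80, 80, "deny", deny_number),
                               Rule("0.0.0.0/0", 80, 80, number=100)],
                      outbound=[Rule("0.0.0.0/0", 1024, 65535, number=100)])


if __name__ == "__main__":
    print("security group:", http_round_trip(stateful_sg()))
    print("NACL, no ephemeral rule:", http_round_trip(nacl_without_ephemeral()))
    print("NACL, ephemeral rule:", http_round_trip(nacl_with_ephemeral()))
    print("deny at 90:", http_round_trip(nacl_blocking_client(90)))
    print("deny at 110:", http_round_trip(nacl_blocking_client(110)))
```

The last two scenarios are the point of the “numerical order” row: a deny rule numbered below the allow rule blocks the client, while the same deny rule numbered above it never gets evaluated.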

Default VPC

AWS provides a default VPC. This is intended to make it user friendly to deploy and test EC2 instances on a new account. All default VPCs have routes out to the internet.

If you delete the default VPC, you’ll need to raise an Amazon support ticket to get it back.

VPC Peering

VPC peering allows direct network connection via a private IP address.

VPC peering is only supported in a star configuration.

Transitive peering / edge-to-edge routing is not supported. i.e. if you have VPC A <-> VPC B <-> VPC C, VPC A can communicate with VPC B, and VPC B with C, but A cannot directly communicate with C unless a direct connection is made between A and C.

VPC Peering is supported across multiple accounts, but not multiple regions.

Direct Connect

Direct Connect uses a dedicated line, provisioned by your telco, between your data center and an AWS Direct Connect facility. Data transferred via Direct Connect does not travel over the internet.

While VPCs are quick to set up, Direct Connect can take more than a month, and sometimes more than 6 months, to get set up.

Exam tips

Know how to build out a VPC from memory before going into the exam. Even though you don’t actually build a VPC in the exam, the knowledge of how to build it out from memory will be immensely helpful.

Know the difference between:

  • Public and private subnets
  • NAT gateway and NAT instance

Know what a bastion host is, and that it is possible to use a dual purpose web server and bastion host.