Configuring Your Virtual Private Cloud (VPC)

Before you can build something scalable in the cloud, you need to start with the right foundation. In AWS, that foundation is called a Virtual Private Cloud, or VPC. It’s your own private corner of AWS where you can set up networks, define how traffic flows, and control access to the internet.
In this section, we’ll build a redundant, high-availability VPC using the guided “VPC and more” option in the console, which creates the subnets, route tables and gateways for you and wires them together. As we go, we’ll explain what each component is and how the pieces connect, so that later you can reproduce the same layout by hand with the “VPC only” option when you need full control for more advanced designs.
What is a VPC?
A Virtual Private Cloud is a logically isolated network inside AWS. Within a VPC, you define your own IP address ranges, create subnets, and control how your resources connect to each other and to the outside world.
When you first open the VPC Dashboard, you’ll see a list of network-related components organized by region—things like route tables, subnets, NAT gateways, and more. Each AWS region has its own set of networking resources, allowing you to build isolated or region-specific environments depending on your needs.

As your architecture grows, you might start building infrastructure in multiple regions. To visualize this, check out the EC2 Global View, which helps you manage and monitor your instances across different regions from a single place. In more advanced setups, these regions may even be connected through VPNs or AWS Transit Gateways to form a larger global infrastructure.

Key terms before we begin
VPCs may feel overwhelming at first—especially if you’re not familiar with network engineering. To avoid confusion, we’ll focus on the essential concepts you need to understand before creating your first setup.
VPC
A Virtual Private Cloud is a network that you control. When you create one, you define the IP range, divide it into subnets, and decide how it connects to the outside world.
CIDR Block
CIDR (Classless Inter-Domain Routing) notation defines the size of your IP range. We’ll use 10.0.0.0/16, which gives us 65,536 private addresses to divide into smaller subnets. AWS requires a VPC block between /16 and /28.
Subnet
A subnet is a smaller slice of your VPC’s address space. Public subnets are used for internet-facing resources, while private subnets are for internal components.
Availability Zone (AZ)
Each AWS Region has multiple Availability Zones—physically separate data centers that provide redundancy. Spreading resources across zones makes your infrastructure more resilient.
Internet Gateway
This component attaches to the VPC and lets resources with public IPs exchange traffic with the internet. An Internet Gateway alone is not enough: the subnet’s route table also needs a route (normally 0.0.0.0/0) pointing at it. Without both, even an EC2 instance with a public IP won’t be able to connect.
NAT Gateway
NAT (Network Address Translation) Gateways allow private resources (without public IPs) to initiate internet connections—for example, to download software updates—without being exposed to incoming traffic.
Route Table
Route tables define how traffic moves through your network. Each subnet is associated with exactly one route table that tells it where to send traffic for each destination range; a subnet you don’t explicitly associate uses the VPC’s main route table, which is why you should keep the main table free of internet routes.
Security Group and Network ACL
These work as firewalls. Security Groups control traffic at the instance (network interface) level and are stateful: if you allow an inbound connection, the reply traffic is allowed automatically. Network ACLs control traffic at the subnet level and are stateless, so you must allow both directions explicitly, including the ephemeral return ports. We’ll focus more on these in later chapters when securing servers and databases.
What you’re creating in this guide
In this guide, you’ll build a high-availability VPC architecture that’s simple enough for beginners, but structured in a way that mimics real-world deployments. This design is widely used in both production environments and learning labs, making it a reliable pattern to start with.
Here’s what you’ll create:
- A VPC with the address range 10.0.0.0/16
- Two public subnets and two private subnets (one in each Availability Zone)
- An Internet Gateway for public access
- Separate Route Tables to manage traffic in public and private areas
This setup supports load balancers, EC2 instances, and databases, and prepares you to scale across multiple zones with better reliability and control.
Building your VPC
To make setup easier for beginners, we’ll use the “VPC and more” option in the AWS Console. This guided approach creates the core components you need in one step: a VPC, subnets in two Availability Zones, an internet gateway, route tables, and (if you choose them) NAT gateways and VPC endpoints. It assigns non-overlapping subnet ranges and the correct route-table associations for you, giving you a working network foundation in just a few clicks.
Step 1 – Open the VPC creation wizard
From the AWS Console, go to the VPC Dashboard.

Click Create VPC.

On the setup screen, select the option “VPC and more”.

This option sets up everything you need for a typical two-tier web application—no need to wire it all together manually.
Step 2 – Fill out the basic settings
In the first section of the form, provide the general settings for your new VPC and its related resources.

Name tag auto-generation: image-sharing-app
This name will be used to auto-generate tags for the VPC, subnets, route tables, gateways, and other components.
IPv4 CIDR block: 10.0.0.0/16
This defines the IP range available to your network. With /16, you have room to grow and create many subnets later.
IPv6 CIDR block: No IPv6 CIDR block
IPv6 isn't needed for now. We'll keep the setup focused on IPv4 to reduce complexity.
Tenancy: Default
Default tenancy is suitable for most users. It allows your resources to run on shared infrastructure, which is more cost-effective.
Number of Availability Zones (AZs): 2
This enables high availability by spreading resources across two Availability Zones in your selected region, each of which is one or more physically separate data centers.
Number of public subnets: 2
Each public subnet will be placed in a different AZ. These subnets are suitable for things like load balancers or public-facing web servers.
Number of private subnets: 2
Each private subnet will also be placed in a different AZ. These are ideal for secure resources like application servers and databases.
You can leave the CIDR block settings as-is unless you need to customize them. AWS will assign non-overlapping ranges automatically.
NAT Gateways: None
No NAT Gateways will be created. This means that resources in your private subnets will have no route to the internet at all: they can’t download OS packages or reach AWS service APIs other than the ones you add endpoints for. That is a safe default to start from, since nothing in the private tier can be reached from, or leak data to, the internet. If you later need outbound access (for updates, for example), add a NAT Gateway per Availability Zone and a 0.0.0.0/0 route to it in each private route table; NAT Gateways are billed per hour and per gigabyte processed, so only add what you need.
VPC Endpoints: S3 Gateway
This option creates a gateway endpoint that lets resources in your private subnets reach Amazon S3 directly over the AWS network, without a NAT Gateway or any path to the public internet. The wizard adds a route for the region’s S3 prefix list, targeting the endpoint, to the private subnets’ route tables. Beyond saving NAT costs, this keeps S3 traffic off the internet and lets you attach an endpoint policy that restricts which buckets the VPC can talk to. Gateway endpoints exist only for S3 and DynamoDB; other services use interface endpoints.
Enable DNS hostnames: Checked
Enable DNS resolution: Checked
These DNS settings allow EC2 instances and other services in your VPC to resolve domain names and be addressed by hostname.

The wizard also shows a preview diagram summarizing the architecture it will build. This visual helps confirm that everything is aligned with your setup goals.
Once everything is filled in, review the summary of resources that AWS will create.
When ready, click Create VPC.
It will take a minute or two for AWS to provision everything. Once complete, you can click View VPC resources to explore your setup.
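To see what the wizard has just wired together without clicking through the console, the following Python script (an added example, not part of the original guide or an AWS tool) models the settings chosen in Step 2: it carves 10.0.0.0/16 into the four /20 subnets the wizard lays out, checks they don’t overlap, accounts for the five addresses AWS reserves in every subnet, and reproduces the two route tables so you can ask where a packet from each tier would go. The subnet size, the Availability Zone names and the S3 prefix-list range are assumptions for the example; the real prefix list comes from `aws ec2 describe-prefix-lists` and differs per region.

```python
"""Subnet plan and route-table model for the two-AZ VPC built above.

Added example, not the page's or AWS's own code. The /20 subnet size, the AZ
names and the S3 prefix-list range are assumptions chosen for illustration.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
AZS = ["us-east-1a", "us-east-1b"]      # assumed AZ names
AWS_RESERVED_PER_SUBNET = 5             # network, VPC router, DNS, reserved, broadcast

# Assumed S3 prefix-list range for this example only; look the real one up
# per region with `aws ec2 describe-prefix-lists`.
S3_PREFIX_LIST = [ipaddress.ip_network("52.216.0.0/15")]


def plan_subnets(vpc=VPC_CIDR, azs=AZS, prefix=20):
    """Carve the VPC into one public and one private subnet per AZ.

    Public subnets take the first blocks of the range and private subnets
    start at the upper half, mirroring the wizard's default layout
    (10.0.0.0/20, 10.0.16.0/20 public; 10.0.128.0/20, 10.0.144.0/20 private).
    Returns {name: (ip_network, az, tier)}.
    """
    blocks = list(vpc.subnets(new_prefix=prefix))
    half = len(blocks) // 2
    plan = {}
    for i, az in enumerate(azs):
        plan[f"public-{az}"] = (blocks[i], az, "public")
        plan[f"private-{az}"] = (blocks[half + i], az, "private")
    return plan


def check_plan(plan, vpc=VPC_CIDR):
    """Raise if any subnet falls outside the VPC or overlaps another."""
    nets = [net for net, _, _ in plan.values()]
    for i, a in enumerate(nets):
        if not a.subnet_of(vpc):
            raise ValueError(f"{a} is outside {vpc}")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


def usable_hosts(net):
    """Addresses left for instances after AWS reserves five per subnet."""
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def route_tables():
    """Routes the wizard creates with NAT Gateways set to None.

    Public: local route plus a default route to the Internet Gateway.
    Private: local route plus the S3 prefix list via the gateway endpoint,
    and deliberately no 0.0.0.0/0 route, so there is no path to the internet.
    """
    local = [(VPC_CIDR, "local")]
    return {
        "public": local + [(ipaddress.ip_network("0.0.0.0/0"), "igw")],
        "private": local + [(pfx, "vpce-s3") for pfx in S3_PREFIX_LIST],
    }


def next_hop(tier, destination, tables=None):
    """Longest-prefix match, as the VPC router does.

    Returns the route target, or None when no route matches, which means the
    packet is dropped (the case for private subnets reaching the internet).
    """
    tables = tables or route_tables()
    dst = ipaddress.ip_address(destination)
    best = None
    for net, target in tables[tier]:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


if __name__ == "__main__":
    plan = plan_subnets()
    check_plan(plan)
    for name, (net, az, tier) in plan.items():
        print(f"{name:22} {str(net):16} {az:12} {usable_hosts(net)} usable")
    for tier, dst in [("public", "93.184.216.34"), ("private", "93.184.216.34"),
                      ("private", "52.216.1.1"), ("private", "10.0.130.5")]:
        print(f"{tier:8} -> {dst:16} via {next_hop(tier, dst)}")
```

Running it shows the point of the "NAT Gateways: None" choice directly: a public-subnet instance reaches 93.184.216.34 via the Internet Gateway, a private-subnet instance gets no route for the same address, but can still reach an S3 address through the endpoint and any 10.0.0.0/16 address via the local route. If you later add a NAT Gateway, it appears as a `0.0.0.0/0 -> nat` entry in the private table and the dropped case turns into a NAT hop.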

That’s it for now
You’ve just built a solid baseline network architecture. Your public subnets are ready to host internet-facing components like load balancers and web servers, while your private subnets can run backend services such as databases with no route to or from the internet (only to S3, through the gateway endpoint). And because your network spans two Availability Zones, it’s built for high availability from the start.
This VPC configuration will serve as the foundation for upcoming sections, where we’ll add services like load balancers, Amazon RDS, and more. Each of those will fit into the structure you’ve just created.
Next, we’ll look at how to use Amazon Machine Images (AMIs) to recreate EC2 instances in your custom VPC—a powerful way to make your application portable and repeatable across environments.