Module 1

AWS Fundamentals

Build a secure network foundation with VPC, subnets, Internet Gateway, NAT Gateway, and Security Groups.


What You'll Learn

Every AWS deployment starts with networking. In this module, you'll build a production-grade network foundation from scratch, understanding VPCs, subnets, route tables, gateways, and security groups.

VPC

Your own isolated virtual network in AWS, like having your own data center in the cloud.

Subnets

Divide your VPC into public (internet-facing) and private (internal-only) segments.

Gateways

Internet Gateway for public access, NAT Gateway for private subnet outbound traffic.

Security Groups

Stateful firewalls that control inbound and outbound traffic at the instance level.


Azure ↔ AWS Mapping

If you're coming from Azure, these are your familiar concepts with new names:

Azure          AWS                 Notes
VNet           VPC                 AWS requires an explicit Internet Gateway
Subnet         Subnet              Same concept; route tables per subnet
NSG            Security Group      AWS SGs are allow-only, no deny rules
Route Table    Route Table         Identical concept
(implicit)     Internet Gateway    Azure VNets auto-get internet; AWS needs an IGW
NAT Gateway    NAT Gateway         Same purpose! ~$32/mo in AWS

Azure Parallel

Biggest difference: In Azure, a VNet automatically has internet access. In AWS, you must explicitly create and attach an Internet Gateway (IGW) to your VPC and configure route tables.


Step 1: Create a VPC

A VPC (Virtual Private Cloud) is your isolated network in AWS. Think of it as your own private data center with a defined IP range.

CIDR Blocks

You define the VPC's IP range using CIDR notation. 10.0.0.0/16 gives you 65,536 IP addresses, more than enough for learning.

bash
# Create VPC via CLI
aws ec2 create-vpc \
  --cidr-block 10.0.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=aws-sandbox-vpc}]'
Key Concept

CIDR cheat sheet: /16 = 65,536 IPs, /24 = 256 IPs, /28 = 16 IPs. Each subnet gets a slice of the VPC's CIDR range.

CloudFormation

yaml
# 01-vpc-networking.yaml
VPC:
  Type: AWS::EC2::VPC
  Properties:
    CidrBlock: 10.0.0.0/16
    EnableDnsSupport: true
    EnableDnsHostnames: true
    Tags:
      - Key: Name
        Value: aws-sandbox-vpc

Step 2: Create Subnets

Subnets divide your VPC into segments. The key pattern is:

  • Public subnets: for resources that need direct internet access (ALB, NAT GW)
  • Private subnets: for resources that should NOT be directly accessible (EC2, RDS)

Always create subnets in at least 2 Availability Zones for high availability.

yaml
# Public Subnet (gets auto-assigned public IP)
PublicSubnet1:
  Type: AWS::EC2::Subnet
  Properties:
    VpcId: !Ref VPC
    CidrBlock: 10.0.1.0/24      # 256 IPs
    AvailabilityZone: us-east-1a
    MapPublicIpOnLaunch: true    # Auto-assign public IP

# Private Subnet (no public IP)
PrivateSubnet1:
  Type: AWS::EC2::Subnet
  Properties:
    VpcId: !Ref VPC
    CidrBlock: 10.0.10.0/24
    AvailabilityZone: us-east-1a
โ˜๏ธ Azure Parallel

In Azure, subnets in a VNet are all "private" by default and you use NSGs to control access. In AWS, the public/private distinction comes from the route table โ€” public subnets route to IGW, private subnets route to NAT GW.
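The route-table rule above can be checked directly. The following Python is an added example, not part of the module; it assumes input shaped like `aws ec2 describe-route-tables` output (the sample is constructed) and goes slightly beyond the text by also handling subnets that have no default route (labelled "isolated") and subnets that fall back to the VPC's main route table.

```python
"""Classify subnets as public or private from the route table they actually use.
Added example (not the module's own code); the input mimics the shape of
`aws ec2 describe-route-tables` output and the sample below is constructed."""

def effective_tables(route_tables):
    """Return ({subnet_id: explicitly associated table}, main table)."""
    explicit, main_table = {}, None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_table = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    return explicit, main_table

def classify_table(rt):
    """public: 0.0.0.0/0 -> igw-; private: 0.0.0.0/0 -> nat-; else isolated."""
    for route in (rt or {}).get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            return "public"
        if route.get("NatGatewayId", "").startswith("nat-"):
            return "private"
    return "isolated"

def classify_subnets(route_tables, subnet_ids):
    """Subnets with no explicit association fall back to the VPC's main table,
    exactly as AWS does (if the main table ever gets an IGW route, every
    unassociated subnet silently becomes public)."""
    explicit, main_table = effective_tables(route_tables)
    return {sid: classify_table(explicit.get(sid, main_table)) for sid in subnet_ids}

# Constructed sample, not real AWS output
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-pub1"}, {"SubnetId": "subnet-pub2"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-priv1"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
]
SAMPLE_SUBNETS = ["subnet-pub1", "subnet-pub2", "subnet-priv1", "subnet-priv2"]

if __name__ == "__main__":
    for sid, kind in classify_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS).items():
        print(f"{sid}: {kind}")
```

Feed it the real JSON from `describe-route-tables` and `describe-subnets` to confirm that the two subnets you intended to be private are not sitting on a public table.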


Step 3: Internet Gateway & NAT Gateway

Internet Gateway (IGW)

The IGW allows resources in public subnets to communicate with the internet. It's a two-way door: traffic can go in and out.

NAT Gateway

The NAT Gateway lets private subnet resources make outbound internet requests (e.g., downloading updates) without being directly accessible from the internet. It's a one-way door: traffic goes out only.

โš ๏ธ Warning

Cost alert: NAT Gateways cost ~$0.045/hr (~$32/month). Delete them when not actively learning!

bash
# VPC_ID is the VpcId returned by create-vpc in Step 1; look it up by Name tag if you lost it
VPC_ID=$(aws ec2 describe-vpcs --filters "Name=tag:Name,Values=aws-sandbox-vpc" --query 'Vpcs[0].VpcId' --output text)
# Create Internet Gateway and attach to VPC
IGW_ID=$(aws ec2 create-internet-gateway --query 'InternetGateway.InternetGatewayId' --output text)
aws ec2 attach-internet-gateway --internet-gateway-id "$IGW_ID" --vpc-id "$VPC_ID"

Step 4: Security Groups

Security Groups are stateful firewalls attached to instances. They're the most important security layer in your VPC.

Key Rules

  • Allow-only: You can only write ALLOW rules (no DENY). Anything not allowed is denied.
  • Stateful: If you allow inbound traffic, the return traffic is automatically allowed.
  • SG references: You can reference other SGs as sources; this is a best practice.

The Security Group Chain

Our architecture uses a chain pattern for defense in depth:

text
Internet → [ALB SG: allow 80/443 from 0.0.0.0/0]
              → [EC2 SG: allow 3000 from ALB SG only]
                  → [RDS SG: allow 5432 from EC2 SG only]

Azure Parallel

Azure NSGs can have both ALLOW and DENY rules with priority ordering. AWS Security Groups are simpler: allow-only, stateful, and defaulting to deny-all.
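As an added example (not the module's own code), this Python audits Security Group ingress rules against the chain above; it assumes input shaped like `aws ec2 describe-security-groups` output, and the group ids, policy and sample rules are constructed.

```python
"""Audit Security Group ingress against the chain pattern from this module.
Added example (not the module's own code): input mimics the shape of
`aws ec2 describe-security-groups` output; policy and sample are constructed."""

INTERNET = "0.0.0.0/0"

def audit_chain(security_groups, policy):
    """policy maps a GroupId to the only sources it may accept:
    {"cidrs": {(port, cidr), ...}, "sgs": {source GroupId, ...}}.
    Returns a list of findings; an empty list means the chain is intact."""
    findings = []
    for sg in security_groups:
        gid = sg["GroupId"]
        allowed = policy.get(gid, {"cidrs": set(), "sgs": set()})
        for perm in sg.get("IpPermissions", []):
            lo, hi = perm.get("FromPort"), perm.get("ToPort")
            port = lo if lo == hi else f"{lo}-{hi}"   # None == all ports (protocol -1)
            for r in perm.get("IpRanges", []):        # IPv4 CIDR sources
                if (port, r["CidrIp"]) not in allowed["cidrs"]:
                    findings.append(f"{gid}: port {port} open to CIDR {r['CidrIp']}")
            for p in perm.get("UserIdGroupPairs", []):  # SG-referenced sources
                if p["GroupId"] not in allowed["sgs"]:
                    findings.append(f"{gid}: port {port} allows SG {p['GroupId']} (not in chain)")
    return findings

# The chain from the text: internet -> ALB (80/443) -> EC2 (3000) -> RDS (5432)
CHAIN_POLICY = {
    "sg-alb": {"cidrs": {(80, INTERNET), (443, INTERNET)}, "sgs": set()},
    "sg-ec2": {"cidrs": set(), "sgs": {"sg-alb"}},
    "sg-rds": {"cidrs": set(), "sgs": {"sg-ec2"}},
}

def rule(port, cidrs=(), sgs=()):
    """Build one IpPermissions entry in describe-security-groups shape."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": s} for s in sgs]}

# Constructed sample with two drifts from the chain
SAMPLE_SGS = [
    {"GroupId": "sg-alb", "IpPermissions": [rule(80, [INTERNET]), rule(443, [INTERNET])]},
    {"GroupId": "sg-ec2", "IpPermissions": [rule(3000, sgs=["sg-alb"]),
                                             rule(22, [INTERNET])]},        # drift: 22 open to the world
    {"GroupId": "sg-rds", "IpPermissions": [rule(5432, sgs=["sg-ec2", "sg-alb"])]},  # drift: ALB skips the EC2 tier
]

if __name__ == "__main__":
    for finding in audit_chain(SAMPLE_SGS, CHAIN_POLICY):
        print(finding)
```

IPv6 ranges and prefix-list sources are not covered by this check; extend it the same way if your groups use them.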



Hands-On: Deploy the VPC Stack

Deploy the full VPC and networking infrastructure with one command:

bash
# Deploy the VPC CloudFormation stack
aws cloudformation create-stack \
  --stack-name aws-sandbox-vpc \
  --template-body file://cloudformation/01-vpc-networking.yaml

# Wait for completion
aws cloudformation wait stack-create-complete \
  --stack-name aws-sandbox-vpc

# Verify: list all subnets in the new VPC
VPC_ID=$(aws cloudformation describe-stacks \
  --stack-name aws-sandbox-vpc \
  --query 'Stacks[0].Outputs[?OutputKey==`VpcId`].OutputValue' \
  --output text)

aws ec2 describe-subnets \
  --filters "Name=vpc-id,Values=$VPC_ID" \
  --query 'Subnets[*].{Name:Tags[?Key==`Name`].Value|[0],CIDR:CidrBlock,AZ:AvailabilityZone}'

You should see 4 subnets: 2 public and 2 private across 2 AZs.


Key Takeaways

  • VPCs are isolated networks; always start here before deploying anything
  • Use public subnets for load balancers and bastion hosts only
  • Keep EC2 and RDS in private subnets; never expose them directly
  • Security Groups reference each other to create a defense chain
  • Always deploy across at least 2 AZs for high availability