Cheat sheet AWS-02

VPC & Networking


Isolate workloads in a VPC, control reachability with route tables, and filter traffic with security groups and NACLs.

IGW (Internet Gateway): route 0.0.0.0/0 here to make a subnet public (in + out).
NAT (NAT Gateway): outbound-only internet for private subnets; no inbound.
SG (Security Group): stateful firewall on the instance/ENI; return traffic is automatically allowed.
NACL (Network ACL): stateless firewall at the subnet; return traffic must be allowed explicitly.

Private subnets route outbound via a NAT Gateway; only public subnets route to the IGW.

Patch private hosts: private subnet → NAT Gateway → IGW gives outbound updates with no inbound exposure.
Private S3 access: a gateway endpoint keeps S3 traffic on the AWS network at no extra cost.
Public subnet route: 0.0.0.0/0 -> igw-xxxx
Private subnet route: 0.0.0.0/0 -> nat-xxxx
SG source = another SG id (not a CIDR)