Source · AWS SAA-C03 Exam Guide + AWS VPC documentation
Why this matters
SAA-C03 Exam Guide, Domain 2
The VPC is the foundation every other AWS resource sits inside. If you can't reason about subnets, route tables, and traffic filtering, you can't answer questions about databases, load balancers, or security — they all depend on the network.
Networking questions are where exam candidates most often lose points, because the difference between a right and wrong answer is a single route or a stateful-vs-stateless nuance.
The concept
AWS VPC User Guide
A VPC is a logically isolated network with a CIDR block (e.g. 10.0.0.0/16). You carve it into subnets, each living in one AZ. A subnet is public if its route table sends 0.0.0.0/0 to an Internet Gateway (IGW); otherwise it is private.
Private instances reach the internet outbound only through a NAT Gateway placed in a public subnet. Traffic filtering happens at two layers: security groups are stateful firewalls attached to instances (return traffic is auto-allowed), while Network ACLs are stateless firewalls at the subnet boundary (you must allow return traffic explicitly).
For private connectivity to AWS services, use VPC endpoints: Gateway endpoints (S3, DynamoDB) add a route-table entry at no cost, while Interface endpoints (PrivateLink) put an ENI in your subnet for most other services.
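The stateful-versus-stateless distinction is easiest to see by running packets through both kinds of filter. The following is an added illustration in plain Python, not AWS code: the rule shapes are simplified, and the sample flows, addresses and rule numbers are constructed for the demo. The same HTTPS request leaves the instance and its reply comes back; the security group admits the reply because it remembers the flow, while a NACL with only the outbound rule drops the reply until an inbound rule for ephemeral ports is added.

```python
"""Stateful security group vs. stateless network ACL, modelled in plain Python.
Added illustration, not AWS code: sample packets and rules are constructed."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # client-side ports an OS picks; NACL return rules must cover these


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = toward the instance, "out" = leaving it
    proto: str       # "tcp" or "udp"
    peer_ip: str     # remote address
    peer_port: int
    local_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port_range: tuple   # inclusive (low, high) on the packet's destination port
    cidr: str           # matched against the remote (peer) address


def matches(rule, pkt):
    dst_port = pkt.local_port if pkt.direction == "in" else pkt.peer_port
    return (rule.direction == pkt.direction
            and rule.proto == pkt.proto
            and rule.port_range[0] <= dst_port <= rule.port_range[1]
            and ipaddress.ip_address(pkt.peer_ip) in ipaddress.ip_network(rule.cidr))


class SecurityGroup:
    """Stateful: an allowed packet records its flow, and the reverse packet
    is admitted with no matching rule. SGs have allow rules only."""
    def __init__(self, rules):
        self.rules = list(rules)
        self.flows = set()

    def evaluate(self, pkt):
        flipped = "out" if pkt.direction == "in" else "in"
        if (pkt.proto, pkt.peer_ip, pkt.peer_port, pkt.local_port, flipped) in self.flows:
            return "allow (tracked return traffic)"
        if any(matches(r, pkt) for r in self.rules):
            self.flows.add((pkt.proto, pkt.peer_ip, pkt.peer_port, pkt.local_port, pkt.direction))
            return "allow (rule)"
        return "deny (implicit)"


class NetworkAcl:
    """Stateless: numbered rules, lowest number first, first match wins,
    explicit allow/deny, and the final '*' rule denies. No memory of flows."""
    def __init__(self, numbered_rules):
        self.rules = sorted(numbered_rules, key=lambda t: t[0])   # (number, Rule, action)

    def evaluate(self, pkt):
        for number, rule, action in self.rules:
            if matches(rule, pkt):
                return f"{action} (rule {number})"
        return "deny (rule *)"


def demo():
    # Constructed flow: the instance fetches https://203.0.113.5 from ephemeral port 51234.
    outbound = Packet("out", "tcp", "203.0.113.5", 443, 51234)
    reply = Packet("in", "tcp", "203.0.113.5", 443, 51234)
    sg = SecurityGroup([Rule("out", "tcp", (443, 443), "0.0.0.0/0"),
                        Rule("in", "tcp", (22, 22), "10.0.0.0/16")])
    nacl_naive = NetworkAcl([(100, Rule("out", "tcp", (443, 443), "0.0.0.0/0"), "allow"),
                             (100, Rule("in", "tcp", (22, 22), "10.0.0.0/16"), "allow")])
    # The fix: explicitly allow return traffic on ephemeral ports inbound.
    nacl_fixed = NetworkAcl(nacl_naive.rules +
                            [(110, Rule("in", "tcp", EPHEMERAL, "0.0.0.0/0"), "allow")])
    return {
        "sg_out": sg.evaluate(outbound),
        "sg_reply": sg.evaluate(reply),
        "nacl_naive_out": nacl_naive.evaluate(outbound),
        "nacl_naive_reply": nacl_naive.evaluate(reply),
        "nacl_fixed_reply": nacl_fixed.evaluate(reply),
        "unsolicited_ssh_from_internet": sg.evaluate(Packet("in", "tcp", "198.51.100.9", 40000, 22)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

Note that the NACL's ephemeral-port allow is wide on purpose; that width is exactly why NACLs are a coarse subnet-level backstop and security groups carry the precise per-instance policy.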
Worked scenario
AWS NAT Gateway documentation
Private EC2 instances must download OS patches from the internet but must never accept inbound connections from it. How?
Place the instances in a private subnet, add a NAT Gateway in a public subnet, and point the private subnet's route for 0.0.0.0/0 at the NAT Gateway. The NAT allows outbound-initiated traffic and its return, but blocks unsolicited inbound connections.
Contrast with a common wrong answer: attaching an Internet Gateway to the private subnet would make it public and expose the instances. The exam tests whether you know a NAT Gateway is outbound-only.
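To make the subnet classification and the NAT behaviour concrete, here is an added Python model that is not AWS code or part of the original notes. The CIDRs, gateway ids (igw-demo, nat-demo), the NAT's public IP and the remote addresses are all constructed for the demo. It classifies a subnet from its default route the way the concept section describes, resolves next hops by longest-prefix match, and shows a NAT gateway forwarding the reply to a patch fetch while dropping an unsolicited probe from the internet, plus the common wrong answer (an IGW default route on the "private" subnet, which simply makes it public).

```python
"""Route-table and NAT reasoning for the patch-download scenario, in plain Python.
Added illustration, not AWS code; all ids and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class RouteTable:
    routes: dict   # destination CIDR -> target id, e.g. "0.0.0.0/0": "igw-demo"

    def lookup(self, dst_ip):
        """Longest-prefix match, as the VPC router does."""
        best = None
        for cidr, target in self.routes.items():
            net = ipaddress.ip_network(cidr)
            if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None


def classify(rt):
    """Public = default route to an IGW; private = anything else."""
    target = rt.routes.get("0.0.0.0/0")
    if target is None:
        return "isolated (no default route)"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private (outbound via NAT)"
    return f"private (default route to {target})"


class NatGateway:
    """Rewrites outbound flows to its own public IP and remembers them; a packet
    from the internet is forwarded only if it answers a remembered flow."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 1024
        self.table = {}   # public port -> (private_ip, private_port, remote_ip, remote_port)

    def outbound(self, private_ip, private_port, remote_ip, remote_port):
        port = self.next_port
        self.next_port += 1
        self.table[port] = (private_ip, private_port, remote_ip, remote_port)
        return (self.public_ip, port)          # what the remote host sees as the source

    def inbound(self, remote_ip, remote_port, public_port):
        entry = self.table.get(public_port)
        if entry and entry[2:] == (remote_ip, remote_port):
            return entry[:2]                   # forwarded to the private instance
        return None                            # unsolicited: dropped


def demo():
    vpc = "10.0.0.0/16"
    public_rt = RouteTable({vpc: "local", "0.0.0.0/0": "igw-demo"})
    private_rt = RouteTable({vpc: "local", "0.0.0.0/0": "nat-demo"})
    wrong_rt = RouteTable({vpc: "local", "0.0.0.0/0": "igw-demo"})   # the common wrong answer
    nat = NatGateway("203.0.113.10")   # constructed Elastic IP of the NAT Gateway

    # Private instance 10.0.2.20 pulls patches from mirror 198.51.100.7:443 (constructed).
    public_src = nat.outbound("10.0.2.20", 44000, "198.51.100.7", 443)
    reply = nat.inbound("198.51.100.7", 443, public_src[1])
    probe = nat.inbound("192.0.2.99", 40000, public_src[1])   # scanner hitting the same port

    return {
        "public_subnet": classify(public_rt),
        "private_subnet": classify(private_rt),
        "wrong_answer": classify(wrong_rt),
        "next_hop_for_patch_mirror": private_rt.lookup("198.51.100.7"),
        "next_hop_inside_vpc": private_rt.lookup("10.0.1.5"),
        "reply_forwarded_to": reply,
        "unsolicited_probe": probe,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:28} {value}")
```

The `wrong_answer` entry is the exam trap in one line: the moment 0.0.0.0/0 points at an IGW, the subnet is public by definition, whatever you named it.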
How it connects
AWS Well-Architected — Security Pillar
Networking underpins everything. VPC peering connects two VPCs privately but is non-transitive — for many VPCs you graduate to Transit Gateway.
Security groups tie directly into the compute and database domains: an RDS instance's security group must allow the app tier's security group as its source. VPC endpoints reduce cost and improve security by keeping S3/DynamoDB traffic off the public internet — a frequent cost-and-security overlap on the exam.
- Security groups are STATEFUL (return traffic auto-allowed); NACLs are STATELESS (allow return traffic explicitly).
- A NAT Gateway is outbound-only — it never lets the internet initiate connections inbound.
- VPC peering is NOT transitive; use Transit Gateway for hub-and-spoke topologies.
- Public subnet = route to IGW; private subnet = route to NAT for outbound.
- SG = stateful at the instance; NACL = stateless at the subnet.
- Gateway endpoints (S3/DynamoDB) are free; interface endpoints use PrivateLink ENIs.