VPC is the single most cross-cutting topic across AWS certifications. It appears on CLF-C02 (lightly), SAA-C03 (heavily, ~22% of questions), DVA-C02 (in serverless networking contexts), SOA-C02 (~18%), SAP-C02 (very heavily, ~30%), and the Networking Specialty (ANS-C01) exam dedicates roughly 40% of its blueprint to VPC topics alone. Candidates who treat VPC as a footnote consistently underperform; candidates who master it score above the curve on every architecture-focused AWS exam.
This guide walks through the VPC concepts that show up most often on AWS exams: subnet and route table design, internet vs NAT gateways, security groups vs network ACLs, VPC endpoints, peering, Transit Gateway, and the cross-account networking patterns that confuse candidates at every certification level.
The VPC Mental Model AWS Tests
A VPC is a logically isolated network within an AWS region, defined by a CIDR block (typically /16 to /28). Subnets carve the VPC CIDR into smaller blocks within specific Availability Zones. Route tables direct traffic between subnets and to external destinations. Gateways provide pathways out of (or into) the VPC.
"Networking is where AWS architecture becomes architecture. Compute and storage are where you make trade-offs; networking is where you make decisions you cannot easily reverse." -- Werner Vogels, CTO of Amazon
CIDR block -- A range of IP addresses defined in Classless Inter-Domain Routing notation, such as 10.0.0.0/16 (65,536 addresses). Subnet -- A subdivision of a VPC CIDR block, bound to a single Availability Zone. Route table -- A set of rules associated with one or more subnets that determines where traffic from those subnets is directed.
Companies like Netflix, Capital One, and Airbnb run hundreds of VPCs per AWS account and tens of thousands of subnets in aggregate. The exam tests the foundational primitives that scale up to those production deployments.
For broader exam strategy, see AWS Solutions Architect Associate Domains That Matter Most.
Subnets, Route Tables, and the Public-Private Distinction
A subnet is "public" or "private" based on its route table, not on any inherent property. A public subnet has a route to an Internet Gateway (igw-...); a private subnet does not. The exam frequently tests this with scenarios where candidates must identify whether instances in a given subnet can reach the internet.
The standard three-tier VPC layout the exam expects you to know:
- Public subnets in each AZ, hosting NAT gateways and load balancers
- Private application subnets in each AZ, hosting EC2 / Fargate / Lambda
- Private database subnets in each AZ, hosting RDS / ElastiCache / Aurora
Each tier sits in its own subnet group with its own route table, and traffic flows public to app to database, never database to public directly. AWS publishes this as the default "VPC with public and private subnets" pattern in their reference architectures.
Route Table Behavior
Routes are evaluated most-specific first. A route table with 0.0.0.0/0 to an Internet Gateway and 10.0.0.0/16 as local will send VPC-internal traffic locally and external traffic out the IGW. Adding a more specific route, like 10.0.5.0/24 to a peering connection, overrides the local route for that range only.
A frequent exam trap: a subnet with both an Internet Gateway route and a NAT Gateway route. The exam asks which is used. The answer is the Internet Gateway, because outbound traffic with public IPs uses the IGW directly, while NAT is for instances without public IPs. Candidates who memorize "NAT for outbound" without understanding the public IP context lose points here.
Internet Gateway vs NAT Gateway vs NAT Instance
Three distinct services that the exam tests separately:
| Component | Direction | Use Case | Cost Pattern |
|---|---|---|---|
| Internet Gateway (IGW) | Bidirectional | Public subnets | Free, charges per GB egress |
| NAT Gateway | Outbound only | Private subnet egress | Hourly + per GB |
| NAT Instance | Outbound only | Legacy, customer-managed | EC2 instance cost |
| Egress-Only IGW | Outbound only (IPv6) | IPv6 private egress | Free |
The exam writes scenarios that ask which combination is needed. A private subnet needing outbound updates from yum or apt: NAT Gateway in a public subnet plus a route in the private subnet's route table to that NAT. A public subnet needing direct internet access: Internet Gateway plus public IPs assigned to instances.
"Most of the VPC questions on SAA-C03 hinge on understanding whether traffic is inbound, outbound, IPv4 or IPv6, and whether the source has a public IP. Walk through those four variables for every networking question." -- Adrian Cantrill, AWS instructor and former AWS Specialist Solutions Architect
NAT Gateway costs surprise candidates in cost-optimization scenarios. At roughly $0.045 per hour plus $0.045 per GB processed in us-east-1, a busy NAT can cost more than the EC2 instances behind it. Coca-Cola's cloud cost engineering team has publicly noted NAT Gateway charges as one of their top three AWS line items in early VPC deployments before they migrated to VPC endpoints.
Security Groups vs Network ACLs
This distinction is on every AWS architect-track exam. The exam expects you to recognize when each applies.
Security group (SG) -- A stateful, instance-level firewall that allows traffic in and automatically allows the return traffic out, regardless of outbound rules. Default deny inbound, default allow outbound. Supports allow rules only.
Network ACL (NACL) -- A stateless, subnet-level firewall where return traffic must be explicitly allowed by a separate rule. Default allow on the default NACL, default deny on custom NACLs. Supports allow and deny rules, evaluated in numeric order.
| Feature | Security Group | Network ACL |
|---|---|---|
| Statefulness | Stateful | Stateless |
| Scope | Instance / ENI | Subnet |
| Rules | Allow only | Allow and deny |
| Evaluation | All rules combined | Numbered, lowest first |
| Default outbound | Allow all | Allow all (default NACL) |
| Default inbound | Deny all | Allow all (default NACL) |
A common scenario: traffic is being allowed by a security group but blocked by a NACL. The candidate must identify that NACL changes are needed. The trap is that NACL rules apply in both directions and need ephemeral port allowances (typically 1024-65535) for return traffic. Forgetting ephemeral ports is the single most-missed NACL detail.
For deeper IAM and security boundary patterns, see AWS IAM Policies and Cross-Account Access: The Exam-Critical Patterns.
VPC Endpoints: Gateway vs Interface
VPC endpoints let private subnets access AWS services without traversing the internet. There are two types, and the exam tests both.
- Gateway endpoint -- For S3 and DynamoDB only; free; route table entry rather than a network interface
- Interface endpoint (PrivateLink) -- For most other AWS services; uses an Elastic Network Interface in your subnet; charged per hour and per GB
Use cases the exam tests:
- Private subnet needs S3 access -- gateway endpoint, no NAT required
- Private subnet needs SQS access -- interface endpoint, ENI in subnet
- Cross-account access to a service published via PrivateLink -- interface endpoint to the partner's service
- Restricting S3 bucket access to a specific VPC -- bucket policy with
aws:sourceVpcecondition
Capital One has publicly described migrating from NAT Gateway to gateway endpoints for S3 access, citing both cost reduction (eliminating NAT GB charges) and security improvement (traffic never leaves AWS network).
A Cost-Optimization Pattern
A frequent SAA-C03 question: "A team's Lambda functions in a private subnet read from S3 and DynamoDB at high volume. NAT Gateway charges are too high. What is the most cost-effective fix?" The answer is gateway endpoints for both services, eliminating the NAT Gateway processing charge for that traffic entirely. A representative savings figure: a workload pulling 10 TB/month from S3 saves roughly $450 per month on NAT processing alone.
VPC Peering, Transit Gateway, and Cloud WAN
Three approaches to connecting multiple VPCs, each with distinct tradeoffs:
- VPC Peering -- One-to-one, non-transitive connection between two VPCs. Cheapest for small numbers of VPCs.
- Transit Gateway -- Hub-and-spoke router connecting many VPCs and on-premises networks. Scales to thousands of VPCs.
- AWS Cloud WAN -- Global network management for multi-region, multi-VPC, multi-account deployments.
Peering is non-transitive: if VPC A peers with B, and B peers with C, A cannot reach C through B. The exam tests this directly. The fix for transitive connectivity at scale is Transit Gateway, which routes between attached VPCs and supports cross-region peering of Transit Gateways themselves.
| Connectivity Need | Recommended Service |
|---|---|
| 2 VPCs, same region | VPC Peering |
| 5+ VPCs, same region | Transit Gateway |
| Cross-region, multiple VPCs | Transit Gateway with cross-region peering |
| Global, multi-account, policy-driven | AWS Cloud WAN |
| Cross-account API only (not full network) | PrivateLink |
"Transit Gateway replaces VPC peering meshes the way a star topology replaces full mesh in classical networking. It scales architectures that VPC peering cannot." -- Stephane Maarek, AWS instructor and Udemy bestselling author
For broader networking sequencing in your study plan, see AWS Specialty Certifications Ranked.
Hybrid Connectivity: VPN, Direct Connect, and Site-to-Site
Hybrid connectivity questions appear on every architect exam. Three options:
- AWS Site-to-Site VPN -- IPsec tunnel over the public internet, fast to set up, lower bandwidth, encrypted
- AWS Direct Connect (DX) -- Dedicated fiber link, predictable latency, higher bandwidth (1 Gbps to 100 Gbps), longer provisioning
- Direct Connect with VPN -- DX as the transport, IPsec on top for encryption (a common compliance requirement)
The exam tests selection criteria. Predictable low latency requirement: DX. Encryption-in-transit requirement: VPN, or DX + VPN. Quick setup for a 30-day project: VPN. Long-term primary connectivity for a regulated bank: DX with VPN backup.
A subtle but tested point: DX itself does not encrypt traffic. The link is private but not encrypted. Compliance regimes like PCI-DSS and HIPAA often require encryption regardless of network privacy, which is why DX + VPN is the right answer for regulated workloads.
MACsec for Direct Connect
Newer DX connections at 10 Gbps and above support MACsec, which provides line-rate encryption at layer 2. The exam has begun including MACsec in 2024-2025 SAA-C03 question pools as an alternative to VPN-over-DX for high-throughput regulated workloads.
DNS, Route 53 Resolver, and VPC
DNS in VPC has its own tested complexity. Each VPC has a default DNS resolver at the .2 address of the VPC CIDR (e.g., 10.0.0.2 for a 10.0.0.0/16 VPC). Route 53 Resolver extends this with:
- Inbound endpoints -- Allow on-premises DNS queries to resolve VPC private hosted zones
- Outbound endpoints -- Allow VPC instances to resolve on-premises DNS via conditional forwarding rules
- Resolver rules -- Define which queries forward to which DNS resolvers
A frequent exam scenario involves a hybrid setup where on-premises servers cannot resolve *.internal private hostnames in the VPC. The fix is an inbound resolver endpoint plus on-premises DNS conditional forwarding to that endpoint's IPs.
Linux Foundation training material on DNS, Cisco networking guides, and Werner Vogels' published architecture posts all converge on the same insight: DNS is where most hybrid cloud failures originate, and AWS exam writers know it.
For lab setup of these patterns in a free account, see AWS Free Tier Labs to Prepare for Any AWS Exam.
Common VPC Question Patterns and How to Answer Them
A short list of question shapes to recognize:
- "Cannot reach the internet from a private subnet" -- check route table for NAT route, NAT in public subnet, NAT subnet has IGW route
- "S3 access from VPC must not traverse the internet" -- gateway endpoint for S3, optionally bucket policy restriction
- "Two VPCs with overlapping CIDRs must communicate" -- not directly possible; use PrivateLink for service-level access or NAT for IP rewriting
- "Centralize egress for many VPCs" -- Transit Gateway with shared egress VPC hosting NAT
- "Reduce NAT Gateway cost" -- gateway endpoints for S3/DynamoDB, interface endpoints for other services
- "Cross-account RDS access" -- VPC peering or PrivateLink, with database subnet group adjustments
See also: AWS S3 Storage Classes Explained for Solutions Architect Associate Candidates, AWS Exam Question Patterns: How to Read Scenarios Correctly, Practice Question Banks That Actually Help.
A Two-Week VPC Mastery Plan
For candidates within an 8-week SAA-C03 schedule, dedicate weeks 3-4 to VPC depth:
- Build a full three-tier VPC manually in your AWS Free Tier account: 2 AZs, public subnets, private app subnets, private DB subnets, IGW, NAT, all route tables
- Add a gateway endpoint for S3 and verify private subnet S3 access without NAT
- Peer your VPC with a second VPC in the same region, configure routes, test connectivity
- Convert the peering to a Transit Gateway attachment for both VPCs
- Configure security groups and NACLs to allow specific port traffic, then deliberately break each rule and observe the failure mode
- Take 25 VPC-specific practice questions and review every wrong answer against your built infrastructure
This hands-on loop converts abstract networking diagrams into muscle memory. Capital One's cloud onboarding curriculum, parts of which they have publicly described, follows a nearly identical pattern for new cloud engineers.
A useful supplementary exercise: deliberately create misconfigurations and diagnose them. Remove a route from a route table and observe the connectivity failure. Detach a NAT Gateway and watch outbound traffic stop. Apply a deny rule on a NACL and identify the symptom from CloudWatch VPC Flow Logs. These hands-on failure modes correspond directly to exam scenario wording. Candidates who have only built working configurations often struggle to identify the root cause when the exam describes a broken one.
A final tip applicable across every AWS exam: on any networking question, draw the topology on the scratch paper or whiteboard provided. Even a rough sketch of "VPC, subnet, instance, route table, gateway" turns abstract scenarios into visual problems your brain can solve faster. Test takers who skip this step typically lose 60-90 seconds per networking question to re-reading the scenario, and that time loss compounds across the 14-16 networking questions on a typical SAA-C03 exam, easily costing five minutes of pacing buffer over the full session.
References
- Amazon Web Services. Amazon VPC User Guide. docs.aws.amazon.com/vpc, 2024.
- Amazon Web Services. AWS Certified Solutions Architect - Associate (SAA-C03) Exam Guide. AWS Training and Certification, 2024.
- Vogels, Werner. Building Networks on AWS: Lessons from a Decade of Customer Architectures. AWS re:Invent, 2023.
- Maarek, Stephane. Ultimate AWS Certified Solutions Architect Associate SAA-C03. Udemy / Packt Publishing, 2024.
- Cantrill, Adrian. AWS Networking Fundamentals Course. learn.cantrill.io, 2024.
- Wittig, Andreas, and Michael Wittig. Amazon Web Services in Action, Third Edition. Manning Publications, 2023.
- Hamilton, James. Datacenter Networks at Cloud Scale. Perspectives Blog, 2022.