Amazon VPC Network Design - Subnet Architecture and NAT Gateway Optimization

Learn how to design public/private subnet separation, layered security group management, and reduce NAT Gateway costs with Gateway VPC Endpoints.

VPC Overview

VPC is a service that lets you build a logically isolated virtual network on AWS. You define an IP address range with a CIDR block and control the network using subnets, route tables, security groups, and network ACLs. By separating public and private subnets, you establish a security boundary between internet-facing resources and internal resources.

Subnet Design and NAT Gateway

Public subnets have a route to the internet gateway and host ALBs and NAT Gateways. Private subnets have no direct route to the internet and host EC2, RDS, and Lambda. NAT Gateways provide outbound connectivity from private subnets (for package updates, API calls, etc.) but incur hourly and data processing charges. For access to S3 and DynamoDB, use VPC Endpoints (gateway type, free of charge) to bypass the NAT Gateway and reduce costs. VPC Flow Logs record ENI-level traffic to CloudWatch Logs or S3, enabling detection of unauthorized access and investigation of connectivity issues.

Security Group and NACL Design

Security groups are stateful, instance-level firewalls that define allow rules only. The recommended design is to separate security groups by layer - application (ALB), business logic (EC2/ECS), and data (RDS) - and reference security group IDs for inter-layer communication. Network ACLs are stateless, subnet-level firewalls that can define both allow and deny rules. They are used for explicitly blocking access from specific IP ranges or for coarse-grained control at the subnet level. Enable VPC Flow Logs to analyze traffic denied by security groups and NACLs, and periodically review your rules for gaps or excess. To deepen your knowledge of network design, specialized books on Amazon can be a helpful resource.

NAT Gateway Cost Optimization

NAT Gateways incur data processing charges (approximately $0.062 per GB) and hourly charges (approximately $0.062/hour), and costs can spike rapidly in environments with heavy outbound traffic. The most effective cost reduction is to configure Gateway VPC Endpoints (free) for S3 and DynamoDB so that traffic bypasses the NAT Gateway. For frequently accessed AWS services like ECR, CloudWatch Logs, and STS, set up Interface VPC Endpoints to reduce NAT Gateway data processing volume. In a multi-AZ configuration with a NAT Gateway in each AZ, there are no cross-AZ data transfer charges, but the hourly charge applies per NAT Gateway. Use Cost Explorer to track NAT Gateway costs monthly and quantitatively evaluate the savings from adding VPC Endpoints.
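As an added example (not code from the original article), the following Python audit runs offline over constructed data in the shape of boto3's describe_route_tables and describe_security_groups responses: it flags private route tables that still send S3/DynamoDB traffic through the NAT Gateway because they have no gateway-endpoint route, and internal-layer security groups that admit CIDR sources instead of referencing the upstream layer's security group ID, covering both the layered security group design and the endpoint optimization described above. Identifiers such as rtb-priv-a, sg-alb, pl-s3 and vpce-s3 are placeholders, not real resource IDs.

```python
"""Offline audit of constructed VPC route tables and security groups in the
shape of boto3 describe_route_tables / describe_security_groups output."""

ROUTE_TABLES = [  # constructed; pl-s3 / vpce-s3 stand in for real IDs
    {"RouteTableId": "rtb-priv-a", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0aaa"},
        {"DestinationPrefixListId": "pl-s3", "GatewayId": "vpce-s3"}]},
    {"RouteTableId": "rtb-priv-b", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0bbb"}]},
    {"RouteTableId": "rtb-public", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0ccc"}]},
]

SECURITY_GROUPS = [  # constructed: ALB -> app -> db layering
    {"GroupId": "sg-alb", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080,
        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []}]},
]


def nat_tables_without_gateway_endpoint(route_tables):
    """Route tables whose default route is a NAT Gateway but which carry no
    gateway-endpoint route (target vpce-*): S3/DynamoDB traffic from those
    subnets is still billed through NAT."""
    findings = []
    for rt in route_tables:
        routes = rt["Routes"]
        via_nat = any(r.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in r for r in routes)
        has_vpce = any(r.get("GatewayId", "").startswith("vpce-") for r in routes)
        if via_nat and not has_vpce:
            findings.append(rt["RouteTableId"])
    return findings


def internal_groups_with_cidr_sources(groups, internet_facing=("sg-alb",)):
    """Inbound rules on internal-layer groups that allow a CIDR range instead
    of referencing the upstream layer's security group ID."""
    findings = []
    for sg in groups:
        if sg["GroupId"] in internet_facing:
            continue  # the internet-facing layer is expected to allow CIDRs
        for perm in sg["IpPermissions"]:
            for rng in perm.get("IpRanges", []):
                findings.append((sg["GroupId"], perm["FromPort"], rng["CidrIp"]))
    return findings
```

Against live data, replace the two constants with the `RouteTables` and `SecurityGroups` lists returned by boto3 and treat each finding as a review item: a missing endpoint route is a cost gap, a CIDR source on an internal group is a layering gap.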

Summary

VPC provides multi-layered network security through subnet separation, security groups, and network ACLs. Separate security groups by application layer, business logic layer, and data layer, and analyze traffic with VPC Flow Logs. Establish free private connectivity to S3 and DynamoDB with Gateway VPC Endpoints and optimize NAT Gateway data processing costs.