January 9, 2025
What’s New in 2025
Key Updates and Changes
- VPC Lattice GA: Application-layer networking for microservices across VPCs
- IPAM Tiers: Free tier for single region, Advanced tier ($0.00027/IP/hour) for multi-region
- IPv6 Adoption: Dual-stack configurations now standard practice
- Enhanced Security: VPC Lattice enables zero-trust networking patterns
- Service Network Endpoints: Connect services across accounts without complex routing
Major Service Evolution
- VPC Peering: Still relevant for simple, pairwise connections
- Transit Gateway: Remains the choice for hub-and-spoke architectures
- VPC Lattice: New paradigm for application-layer connectivity
- IPAM Integration: Automated IP management across organizations
- Resource Gateways: New construct for secure resource sharing
Understanding what AWS provides for setting up private networks, security groups and more is important for anyone who calls themselves DevOps. In 2025, the networking landscape has evolved significantly with VPC Lattice and enhanced IPAM capabilities.
AWS allows you to define a software-defined network. You do this with Amazon Virtual Private Cloud (Amazon VPC). You can define subnets, ingress rules, security groups, NAT gateways, Internet gateways, and more.
Amazon VPC
A VPC is a virtual private cloud. You can create multiple Amazon VPCs within a region that spans multiple availability zones. A VPC is an isolated area to deploy instances.
A VPC is associated with a CIDR block.
CIDR Address (source Wikipedia)
With CIDR block notation, the /# denotes the size of the network, or rather how many bits of the address are used for the network. For example, 10.10.1.32/27 denotes a CIDR range (also known as a CIDR block). It denotes that the first 27 bits of the address are for the network (32 bits total). 32 - 27 leaves five bits for your servers: 00000-11111. The first five addresses are reserved in a subnet, and the last address is reserved for broadcast. This leaves us 26 addresses for our servers, from address 10.10.1.37 to 10.10.1.61. There are tools to help build CIDR-based subnets. A VPC address range may be as large as /16 (32 - 16 = 16 bits, which allows for 65,536 available addresses) or as small as 16 addresses (/28 is 32 - 28 = 4 bits, which is 16 available addresses). The addresses of two VPCs should not overlap if you plan on adding VPC peering.
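An added Python example (not code from the original article) that applies these addressing rules with the standard library's ipaddress module: it lists the addresses AWS reserves in each subnet (the first four plus the last), counts what is left for servers, validates a VPC CIDR against the /16 to /28 limits, and flags VPC pairs whose ranges overlap and therefore cannot be peered. The VPC names and ranges are constructed sample data.

```python
from __future__ import annotations
import ipaddress

# AWS reserves the first four addresses of every subnet (network address,
# VPC router, Amazon-provided DNS, reserved for future use) plus the last
# address (network broadcast); instances cannot use any of these five.
AWS_RESERVED_PER_SUBNET = 5
VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28   # /16 is the largest VPC, /28 the smallest


def reserved_addresses(cidr: str) -> list[str]:
    """The five addresses in a subnet that AWS will never hand to an instance."""
    net = ipaddress.ip_network(cidr, strict=True)
    base = net.network_address
    return [str(base + i) for i in range(4)] + [str(net.broadcast_address)]


def usable_addresses(cidr: str) -> int:
    """Addresses left for servers after AWS's five reserved ones."""
    net = ipaddress.ip_network(cidr, strict=True)
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def valid_vpc_cidr(cidr: str) -> bool:
    """A VPC CIDR must sit on a network boundary and be between /16 and /28."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError:            # host bits set, e.g. 10.10.1.33/27
        return False
    return VPC_MIN_PREFIX <= net.prefixlen <= VPC_MAX_PREFIX


def peering_conflicts(vpc_cidrs: dict[str, str]) -> list[tuple[str, str]]:
    """Pairs of VPCs whose CIDRs overlap and therefore cannot be peered."""
    nets = {name: ipaddress.ip_network(c, strict=True)
            for name, c in vpc_cidrs.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    print(reserved_addresses("10.10.1.32/27"))
    print(usable_addresses("10.10.1.32/27"))
    # Constructed example VPCs: "shared" overlaps "prod", so those two cannot peer.
    print(peering_conflicts({"prod": "10.0.0.0/16",
                             "dev": "10.1.0.0/16",
                             "shared": "10.0.128.0/17"}))
```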
Cloudurable provides Cassandra training, Cassandra consulting, Cassandra support and helps setting up Cassandra clusters in AWS.
An Amazon VPC is made up of subnets, route tables, DHCP option sets, security groups, and Network ACLs.
An AWS VPC can also have Internet Gateways (IGWs), Virtual Private Gateways (VPGs), Elastic IP (EIP) addresses, Elastic Network Interfaces (ENIs), Endpoints, Peering, NAT gateways, Transit Gateways, and VPC Lattice service networks.
A VPC has a router defined by its route tables (per subnet and default).
VPC Connectivity Options in 2025
VPC Peering
- Use Case: Simple, pairwise VPC connections
- Best For: Few VPCs in same region
- Limitations: No transitive routing, max 125 peering connections
Transit Gateway
- Use Case: Hub-and-spoke, many-to-many VPC connectivity
- Best For: Centralized routing, on-premises connectivity
- Cost: $0.05/hour + data processing fees
VPC Lattice (New Paradigm)
- Use Case: Application-layer service connectivity
- Best For: Microservices, multi-account architectures
- Features:
- Service discovery
- Load balancing
- Authentication/authorization
- Overlapping IP support
Amazon VPC IP Address Manager (IPAM)
IPAM simplifies IP address management across your AWS Organization:
Free Tier
- Single region and account
- BYOIP (v4 and v6) management
- Public IP insights
- Amazon-provided IPv6 management
Advanced Tier ($0.00027/IP/hour)
- Multi-region and multi-account
- Private IPv4 management
- IP history auditing
- Organizational IP policies
Amazon Region and availability zones
AWS supports regions around the world and throughout the USA. A region is like a datacenter. Regions are independent of each other. You can place services in a region to be closer to your end consumer to lower latency and to improve reliability.
An Availability Zone (AZ) is isolated, but multiple AZs live in a region. Placing your services and applications in separate Availability Zones protects you from outages. Each AZ in a region has independent power, backup generators and UPS units, and often uses different utility companies when possible. AZs may exist in separate locations within a metropolitan area. AZs are redundantly connected together with fast connections that deliver low latency using multiple tier-1 transit providers.
A VPC lives in a single region and a VPC subnet must live in a single AZ.
VPC Subnets
A subnet is a part of a VPC's IP address range. Just like a VPC, you need to specify a CIDR block for a subnet. Subnets are associated with availability zones (independent power source and network). Subnets can be public or private. A private subnet is one that is not routable from the IGW.
IPv6 Considerations (2025)
- Dual-stack subnets are now recommended
- IPv6 CIDR blocks: /56 for VPC, /64 for subnets
- Egress-only Internet Gateway for IPv6 outbound traffic
Subnet Route tables
Route tables contain a set of ingress and egress rules called routes. These rules are applied to the subnet. The routes direct network traffic. The route tables connect subnets within a VPC so they can communicate. Routes are specified by CIDR and a target.
The most specific route that matches the traffic determines how the traffic is routed. Route tables determine which subnets are public and which are private (whether or not the subnet has a route to the Internet Gateway). Each subnet is always associated with a route table, which dictates the routes for that subnet. If a route table for a subnet is not specified, then that subnet uses the main route table (which is associated with the VPC).
Internet Gateways
An Internet Gateway (IGW) enables traffic from the public Internet to your VPC. Subnets whose route tables target the IGW are public subnets. The IGW does network address translation from the public IPs of EC2 instances to their private IPs for incoming traffic. When an EC2 instance sends IP traffic from a public subnet, the IGW acts as the NAT for the public subnet and translates the reply address to the EC2 instance's public IP (EIP). The IGW keeps track of the mappings between EC2 instances' private IP addresses and their public IP addresses. AWS ensures that the IGW is highly available and handles horizontal scaling and redundancy as needed.
We hope this information on AWS software defined networks is helpful. Please check out our Cassandra consulting and Kafka consulting. We specialize in AWS DevOps Automation for Cassandra and Kafka. We also provide training geared towards AWS deployments.
VPC Lattice: Application-Layer Networking (2025)
VPC Lattice represents a paradigm shift in AWS networking, operating at Layer 7 instead of Layer 3/4:
Key Features
- Service Networks: Logical boundaries spanning VPCs and accounts
- Service Discovery: Automatic DNS resolution within availability zones
- Load Balancing: Built-in application load balancing
- Traffic Management: Request-level routing and policies
- Security: IAM policies, security groups, and TLS encryption
VPC Lattice Components
Service Network VPC Endpoints (SN-E)
- Connect VPCs to service networks
- Accessible from peered VPCs, Transit Gateway, or on-premises
- Support for overlapping IP addresses
Resource Gateways
- New VPC construct for resource sharing
- Provides secure ingress for external access
- Supports IP addresses, DNS targets, and managed services
Protocol Support
- HTTP/HTTPS
- gRPC
- TLS passthrough
Use Cases
- Microservices: Service-to-service communication across accounts
- Multi-tenant SaaS: Isolated customer workloads with shared services
- Legacy Modernization: Connect modern and legacy applications
Amazon VPGs, CGWs and VPNs
Amazon allows VPCs to be connected to your existing data center to allow AWS to augment your existing IT infrastructure. You can connect your existing datacenter to an Amazon VPC using VPG (Virtual Private Gateways) and CGW (Customer Gateways).
Think of the VGW like the IGW, but it sends traffic to your corporate network instead of the public Internet. VPGs connect to your company's Virtual Private Network (VPN) connector. The VPG is the Amazon side of the VPN connection. The CGW is the customer side of the VPN connection. CGWs are processes running on a server or network device.
You connect a VPG and a CGW with a VPN tunnel, which allows traffic between your corporate network and your Amazon VPCs. The VPN connection uses the IPSec (Internet Security Protocol) tunnels for higher availability to the AWS VPC.
You can set up the VPN connection to use dynamic routing if the CGW supports it (via Border Gateway Protocol, BGP). If your CGW does not support dynamic routing, use static routes to decide which traffic is meant for the VPC. Routes are propagated to the VPC to allow traffic back to your corporate network via the VGW.
NAT Gateways and NAT Instances
Amazon EC2 instances launched in a private subnet cannot access the Internet unless there is a NAT.
A NAT is a network address translator. Even if you wanted to update your instances with yum install foo, you could not do it because they have no route to the public Internet.
NAT Gateway (Recommended)
- Managed service, highly available
- Up to 45 Gbps bandwidth
- Supports 55,000 simultaneous connections
- Deploy one per AZ for high availability
NAT Instance (Legacy)
- Self-managed EC2 instance
- Limited by instance type bandwidth
- Single point of failure
- Still used for specific filtering requirements
To allow Amazon EC2 instances within a private subnet to access Internet resources through the IGW using a NAT gateway, you must do the following:
- Set up the private subnet's route table to direct Internet-bound traffic to the NAT gateway
- Deploy NAT gateway in a public subnet
- Associate the NAT gateway with an EIP
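The route lookup described under Subnet Route tables and the three NAT gateway steps above, as an added Python model (not the article's code and not the AWS API): RouteTable.lookup performs the longest-prefix match, is_public reports whether a route targets an Internet Gateway, and validate_nat_setup checks that the NAT gateway sits in a public subnet, has an EIP, and is the default route of each private subnet. The route tables, gateway ids and addresses are constructed placeholders.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

LOCAL = "local"   # the implicit route AWS adds for the VPC's own CIDR


@dataclass
class RouteTable:
    """Maps a destination CIDR to a target: local, an igw-... or a nat-... id."""
    routes: dict[str, str]

    def lookup(self, dst_ip: str) -> str | None:
        """Longest-prefix match: the most specific route that matches wins."""
        ip = ipaddress.ip_address(dst_ip)
        best: tuple[int, str] | None = None
        for cidr, target in self.routes.items():
            net = ipaddress.ip_network(cidr)
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, target)
        return best[1] if best else None

    def is_public(self) -> bool:
        """A subnet is public when its route table has a route to an IGW."""
        return any(t.startswith("igw-") for t in self.routes.values())


@dataclass
class NatGateway:
    nat_id: str
    subnet: str              # name of the subnet it was deployed in
    eip: str | None = None   # Elastic IP, None if not associated


def validate_nat_setup(tables: dict[str, RouteTable], nat: NatGateway,
                       private_subnets: list[str]) -> list[str]:
    """Check the three NAT steps; an empty list means the setup is correct."""
    problems: list[str] = []
    if nat.subnet not in tables or not tables[nat.subnet].is_public():
        problems.append(f"{nat.nat_id} must be deployed in a public subnet")
    if not nat.eip:
        problems.append(f"{nat.nat_id} needs an Elastic IP associated")
    for name in private_subnets:
        rt = tables[name]
        if rt.is_public():
            problems.append(f"{name} routes to an IGW, so it is not private")
        elif rt.lookup("198.51.100.1") != nat.nat_id:   # any Internet address
            problems.append(f"{name} must default-route to {nat.nat_id}")
    return problems


if __name__ == "__main__":
    # Constructed VPC 10.10.0.0/16: the public subnet defaults to the IGW,
    # the private subnet defaults to the NAT gateway; ids are placeholders.
    vpc = "10.10.0.0/16"
    tables = {
        "public-a": RouteTable({vpc: LOCAL, "0.0.0.0/0": "igw-EXAMPLE"}),
        "private-a": RouteTable({vpc: LOCAL, "0.0.0.0/0": "nat-EXAMPLE"}),
    }
    nat = NatGateway("nat-EXAMPLE", subnet="public-a", eip="203.0.113.10")
    print(tables["private-a"].lookup("10.10.3.4"))       # local: /16 beats /0
    print(tables["private-a"].lookup("93.184.216.34"))   # nat-EXAMPLE
    print(validate_nat_setup(tables, nat, ["private-a"]))   # []
```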
Enhanced networking: Placement groups and networking speed
In 2025, placement groups are crucial for high-performance computing:
Placement Group Strategies
- Cluster: Low latency, high throughput (same rack)
- Partition: Distributed workloads (separate racks)
- Spread: Maximum availability (separate hosts)
Network Performance (2025)
- Standard instances: Up to 25 Gbps
- Network optimized: Up to 100 Gbps
- EFA-enabled: Up to 200 Gbps
To achieve maximum throughput, cluster placement groups must be in the same AZ.
DHCP Options
A VPC is associated with a DHCP Option Set.
Dynamic Host Configuration Protocol (DHCP) provides a standard for configuring TCP/IP networks.
DHCP Options allow you to configure DHCP per VPC as follows:
- domain name
- domain name server
- NTP servers
- NetBIOS name servers
- NetBIOS node type
By default, AWS creates and associates a DHCP option set for your Amazon VPC. The default DHCP option set uses domain-name-servers set to AmazonProvidedDNS (Amazon Domain Name System), and domain-name set to the domain name for your region.
EIP
AWS has a pool of public IP addresses available to rent per region. These public IP addresses are called Elastic IP Addresses (EIPs). You check out an EIP like a library book. As long as you have the EIP checked out, no one else can use it. You can keep the EIP as long as you want, but you pay for it. Unused EIPs cost $0.005/hour. You can assign an EIP to an instance (and only one). You could spin up a new, upgraded version of the instance from a snapshot and then reassign the EIP to the new upgraded instance.
EIPs allow using a set of fixed public IP addresses that can be reassigned to underlying infrastructure which could change over time. EIPs are allocated in a VPC, but can be moved to another VPC in the same region. EIPs can be assigned to resources like EC2 instances.
ENIs
An ENI is an Elastic Network Interface. An ENI is often just called a network interface in AWS speak. An ENI is a virtual network interface that you can attach to an instance in a VPC. You can also detach an ENI and attach it to another EC2 instance.
An ENI can have the following properties:
- description
- primary private IPv4 address
- multiple secondary private IPv4 addresses (up to 50)
- EIP per private address
- public IPv4 address
- multiple IPv6 addresses
- multiple security groups (up to 5)
- MAC address
- source/destination check flag
ENI Use Cases (2025)
- Multi-homed instances: Multiple interfaces on different subnets
- Licensing: MAC address-based licensing
- Low-budget HA: Move ENI between instances
- Network appliances: Separate management and data planes
Security Groups
A security group (SG) is a stateful firewall that controls inbound and outbound network traffic to EC2 instances and AWS resources like Elastic Load Balancers. Security groups being stateful means an Amazon instance (or resource) is allowed to respond to inbound traffic with outbound traffic. AWS EC2 instances have to be associated with a security group; if none is specified, the instance is associated with the default security group for the VPC. AWS EC2 instances can be associated with security groups after they are already running. Each VPC can have up to 500 security groups (increased from 500 in 2025).
Rules are only allow rules. Rules consist of the following attributes:
- Source (CIDR, prefix list, or SG id)
- Protocol (TCP, ICMP, UDP, HTTP, HTTPS, SSH, etc.)
- Port range (8000-8080)
Security groups specify up to 60 inbound and 60 outbound rules (increased from 50) using CIDRs or other security groups. AWS will evaluate every rule before deciding to permit traffic.
Security Group Best Practices (2025)
- Use descriptive names and tags
- Implement least privilege access
- Use SG references instead of IP ranges where possible
- Regular audits with AWS Config
- Use AWS Firewall Manager for organization-wide policies
NACL
A Network Access Control List (NACL) is a stateless layer of security. NACLs act as a stateless firewall. NACLs provide a numbered, ordered list of rules. The lowest-numbered rule is evaluated first. The first rule that allows or denies wins. NACLs support both allow rules and deny rules. Return traffic must be explicitly allowed (stateless). A NACL applies to the whole subnet.
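An added Python simulation (not from the article) of how the two rule types above are evaluated: a security group is allow-only, every rule is checked and any match permits, while a NACL walks its rules in ascending number order, the first match decides, and anything unmatched hits the implicit final deny. The rule sets and addresses are constructed; the outbound NACL shows the return-traffic rule a stateless filter needs so that replies to the client's ephemeral port can leave the subnet.

```python
from __future__ import annotations
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    peer: str      # address a rule is matched against: source for inbound, destination for outbound
    proto: str     # "tcp", "udp" or "icmp"
    port: int      # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    cidr: str
    proto: str              # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    action: str = "allow"   # NACLs may also "deny"; security groups are allow-only
    number: int = 0         # NACL rule number (evaluation order); unused by SGs

    def matches(self, pkt: Packet) -> bool:
        in_cidr = ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(self.cidr)
        proto_ok = self.proto in ("-1", pkt.proto)
        return in_cidr and proto_ok and self.port_from <= pkt.port <= self.port_to


def security_group_allows(rules: list[Rule], pkt: Packet) -> bool:
    """Stateful and allow-only: every rule is evaluated and any match permits.
    Replies to permitted traffic are allowed automatically, so no rule is needed."""
    return any(r.action == "allow" and r.matches(pkt) for r in rules)


def nacl_allows(rules: list[Rule], pkt: Packet) -> bool:
    """Stateless and ordered: the lowest-numbered matching rule wins; the
    implicit final '*' rule denies anything no numbered rule matched."""
    for r in sorted(rules, key=lambda rule: rule.number):
        if r.matches(pkt):
            return r.action == "allow"
    return False


# Constructed example rule sets (not taken from any real account).
WEB_SG = [Rule("0.0.0.0/0", "tcp", 443, 443),     # HTTPS from anywhere
          Rule("10.0.0.0/8", "tcp", 22, 22)]       # SSH only from the internal range

WEB_NACL_INBOUND = [Rule("198.51.100.0/24", "tcp", 443, 443, "deny", 50),   # evaluated first
                    Rule("0.0.0.0/0", "tcp", 443, 443, "allow", 100)]
# A NACL is stateless, so the server's replies to the client's ephemeral port
# must be allowed explicitly on the outbound side; without this rule the TCP
# handshake never completes even though inbound 443 is allowed.
WEB_NACL_OUTBOUND = [Rule("0.0.0.0/0", "tcp", 1024, 65535, "allow", 100)]


def https_session_allowed(client_ip: str, client_port: int) -> bool:
    """Both directions of one client connection through the subnet's NACL."""
    inbound = nacl_allows(WEB_NACL_INBOUND, Packet(client_ip, "tcp", 443))
    outbound = nacl_allows(WEB_NACL_OUTBOUND, Packet(client_ip, "tcp", client_port))
    return inbound and outbound


if __name__ == "__main__":
    print(security_group_allows(WEB_SG, Packet("203.0.113.7", "tcp", 443)))    # True
    print(nacl_allows(WEB_NACL_INBOUND, Packet("198.51.100.9", "tcp", 443)))   # False: rule 50 denies
    print(https_session_allowed("203.0.113.7", 51000))                         # True
```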
VPC Endpoints
VPC endpoints enable private connections to AWS services without Internet Gateway:
Interface Endpoints (2025 Updates)
- Powered by AWS PrivateLink
- Support for 100+ AWS services
- Cross-region endpoint support
- IPv6 support
Gateway Endpoints
- S3 and DynamoDB only
- No additional charges
- Route table based
Gateway Load Balancer Endpoints
- Third-party virtual appliances
- Transparent network gateway
- Scales with traffic
Related and important
Auto Scaling
Auto Scaling is used to scale Amazon EC2 capacity up or down automatically. You can autoscale a group of instances based on workload. It can be used to recover when an instance goes down by automatically spinning up a replacement instance. Auto Scaling groups can span multiple AZs. In 2025, predictive scaling uses ML to anticipate traffic patterns.
Amazon Route 53
Amazon Route 53 is DNS as a service. Route 53 is highly available and scalable. You can easily assign DNS names to resources instead of configuring them with public IP addresses. In 2025, Route 53 Resolver endpoints enable hybrid DNS resolution between on-premises and AWS.
Amazon CloudWatch
Amazon CloudWatch is a monitoring service that AWS uses for its own Cloud resources and services. However, you can also use CloudWatch for your own services and applications.
CloudWatch can track key performance indicators (KPIs) and metrics, allows log aggregation, and can easily create alarms. You can even trigger AWS Lambda functions based on limits of a KPI or on how often an item shows up in a log stream in a given period of time.
CloudWatch VPC Insights (2025)
- VPC Flow Logs analysis
- Network performance monitoring
- Traffic pattern visualization
- Anomaly detection with ML
Amazon CloudFormation
CloudFormation allows developers, DevOps, and Ops to create and manage a collection of related AWS resources. You can create and update items in a predictable fashion. You do this by creating CloudFormation templates, which are written in JSON or YAML. Then you submit the templates to create stacks, which can be updated. In 2025, the CDK (Cloud Development Kit) is increasingly preferred for infrastructure as code.
IAM
AWS Identity and Access Management (IAM) enables secure, controlled access to AWS Cloud services and resources for your users. IAM defines users and roles, and allows you to apply them to EC2 instances as well as to users or groups of users. To use CloudWatch logging or metrics from an application, you would need to assign rights to a role and then associate that IAM role with your EC2 instance.
IAM Updates (2025)
- IAM Identity Center (successor to SSO)
- Attribute-based access control (ABAC)
- Permissions boundaries
- Service control policies (SCPs) in Organizations
Network Security Services
AWS Network Firewall
- Managed firewall service
- Stateful and stateless rules
- IPS/IDS capabilities
- Central management across VPCs
AWS WAF
- Web application firewall
- Protection against common exploits
- Rate limiting
- Bot control
AWS Shield
- Standard: Free DDoS protection
- Advanced: Enhanced DDoS protection with 24x7 support
VPC Design Best Practices for 2025
IP Address Planning
- Use IPAM for centralized management
- Plan for IPv6 adoption
- Reserve space for future growth
- Use non-overlapping CIDR blocks
High Availability
- Multi-AZ deployments
- NAT Gateway per AZ
- Cross-region replication
- Use Route 53 health checks
Security
- Defense in depth with multiple layers
- Use VPC Flow Logs
- Enable GuardDuty
- Regular security assessments
Cost Optimization
- Use VPC endpoints to reduce NAT Gateway costs
- Right-size NAT Gateways
- Clean up unused EIPs
- Consider VPC Lattice vs Transit Gateway costs
Slide deck that covers configuring AWS Cassandra to run in an Amazon VPC
About us
Cloudurable™ streamlines DevOps for Cassandra running on AWS and provides AMIs, CloudWatch Monitoring, CloudFormation templates and monitoring tools to support Cassandra in production running in EC2. We also teach advanced Cassandra courses which teach how one could develop, support and deploy Cassandra to production in AWS EC2.
More info
Please take some time to read the Advantages of using Cloudurable™.
Cloudurable provides:
- Subscription Cassandra support to streamline DevOps (Support subscription pricing for Cassandra and Kafka in AWS)
- Quickstart Mentoring Consulting for Developers and DevOps
- Architectural Analysis Consulting
- Training and mentoring for Cassandra for DevOps and Developers
- Training and mentoring for Kafka for DevOps and Developers
Feedback
We hope you enjoyed this article. Please provide [feedback](https://cloudurable.com/contact/index.html).
About Cloudurable
Cloudurable provides [Cassandra training](https://cloudurable.com/cassandra-course/index.html "Onsite, Instructor-Led, Cassandra Training"), [Cassandra consulting](https://cloudurable.com/kafka-aws-consulting/index.html "Cassandra professional services"), [Cassandra support](https://cloudurable.com/subscription_support/index.html) and helps [setting up Cassandra clusters in AWS](https://cloudurable.com/services/index.html). Cloudurable also provides [Kafka training](https://cloudurable.com/kafka-training/index.html "Onsite, Instructor-Led, Kafka Training"), [Kafka consulting](https://cloudurable.com/kafka-aws-consulting/index.html), [Kafka support](https://cloudurable.com/subscription_support/index.html) and helps [setting up Kafka clusters in AWS](https://cloudurable.com/services/index.html).
Check out our new GoLang course. We provide onsite Go Lang training which is instructor led.