Networking 101 - Part 3

10 minute read
Content level: Foundational

This article introduces beginners to Amazon VPC, providing foundational knowledge on cloud network connectivity within the AWS environment.


In our previous articles, Networking 101 - Part 1 and Part 2, we explored the fundamentals of networking and the basics of VPCs in AWS. Building on this foundation, Part 3 delves deeper into VPC security, focusing on the crucial aspects of Security Groups, Network ACLs, and monitoring with VPC Flow Logs. Additionally, we discuss optimizing VPC cost efficiency and understanding AWS VPC quotas.

This article highlights the versatility of Amazon VPC through various use cases, demonstrating its capability to provide secure, scalable, and isolated environments for different applications in the cloud. Whether you're new to networking or aiming to enhance your AWS knowledge, this series aims to equip you with the essential concepts and skills to effectively manage and optimize VPCs in the AWS environment.

VPC Security Strengthening

VPC Security Strengthening Images

In the previous installment of Networking 101 - Part 2, you learned about controlling network access within your Virtual Private Cloud (VPC) through two key mechanisms:

  1. Security Groups: These function as firewalls, permitting only authorized traffic and routing it to specific parts of your network. For instance, if you wish to restrict traffic to a particular resource, you can configure a security group to authorize and route traffic exclusively to that resource, enhancing security.
  2. Network ACLs (Access Control Lists): These provide an additional layer of stateless, granular security if needed. They are considered stateless because allowing inbound traffic does not automatically permit outbound traffic.

When troubleshooting issues related to accessing resources in your VPC, it's advisable to begin by examining these security components. Often, such issues stem from misconfigurations within these components.

Monitoring Your VPC with VPC Flow Logs

Security in your network isn't just about controlling who can access it; it's also crucial to monitor and audit access patterns over time. AWS provides an easy way to monitor your VPC using VPC Flow Logs.

💡 VPC Flow Logs enable you to capture data about the traffic going to and from the network interfaces in your VPC. This constant auditing helps you track who is accessing your network and when they are doing so.

You can choose to store VPC Flow Logs data in Amazon CloudWatch or Amazon S3. This flexibility allows you to analyze the logs for networking monitoring, security analysis, and expense optimization. For storing VPC Flow Logs, S3 is a more cost-effective option compared to CloudWatch, especially for larger volumes of data. CloudWatch's pricing based on volume tiers can result in higher costs, while S3's tiered pricing structure offers more cost-effective options for organizations with substantial log data storage requirements.

Monitoring VPC flow logs delivered to CloudWatch logs

When monitoring VPCs and sending 50 terabytes (TB) of ingested VPC Flow Logs to CloudWatch Logs per month, with data archived for one month, the charges are calculated as follows:

  • Monthly charges for log ingestion:
   0 to 10TB @$0.50 per GB = 10 * 1,024 * $0.50 = $5,120.00
   10TB to 30TB @$0.25 per GB = 20 * 1,024 * $0.25 = $5,120.00
   30TB to 50TB @$0.10 per GB = 20 * 1,024 * $0.10 = $2,048.00
   Total log ingestion charges: $5,120.00 + $5,120.00 + $2,048.00 = $12,288.00
  • Monthly charges for log archival (assuming log data compresses to 25TB [50%]):
   25TB @ $0.03 per GB = 25 * 1024 * 0.03 = $768.00
  • 💲Monthly charges for CloudWatch: $12,288.00 (log ingestion) + $768.00 (log archival) = $13,056.00

Monitoring VPC flow logs delivered to S3

When monitoring VPCs and sending 50TB of ingested VPC Flow Logs, formatted in Apache Parquet, directly to S3 per month, with the data archived for one month, the charges are as follows:

  • Monthly charges for log ingestion:
   0 to 10TB @$0.25 per GB = 10 * 1,024 * $0.25 = $2,560.00
   10TB to 30TB @$0.15 per GB = 20 * 1,024 * $0.15 = $3,072.00
   30TB to 50TB @$0.075 per GB = 20 * 1,024 * $0.075 = $1,536.00
   Total Ingestion Charges = $2,560 + $3,072 + $1,536  = $7,168.00
  • Optional monthly charges for Apache Parquet format conversion:
   50TB @$0.03 per GB = 50 * 1,024 * $0.03 = $1,536.00
  • Monthly charges for log archival (assuming log data compresses to 25TB [50%]):
   25TB @ $0.023 per GB = 25 * 1024 * 0.023 = $588.80
  • 💲Monthly charges for S3: $7,168.00 (log ingestion) + $1,536.00 (Apache Parquet) + $588.80 (log archival) = $9,292.80

⚠️ Volume tiers reset at the beginning of each month.

💡 Remember, effective auditing of your VPC is crucial for security and performance. VPC Flow Logs provide the necessary visibility to make informed decisions and enhance your network's security and efficiency.

VPC Cost Efficiency

It's important to understand that there are no charges for creating and using a VPC. However, certain optional VPC capabilities incur usage-based charges. Here's a breakdown of the cost structure for various VPC components:

VPC ComponentCharge TypeCharged ForNot Charged For
VPCNo charge-Creating and using a VPC
SubnetsNo charge-Creating and using subnets
Route TablesNo charge-Creating and using route tables
Internet GatewayNo charge-Attaching to a VPC
NAT GatewayUsage-based (hourly)Number of NAT gateways and data processed-
VPC EndpointsUsage-based (hourly/data)Number of VPC endpoints and data processed-
Elastic IP Addresses (EIPs)Usage-basedNumber of EIPs allocated and not associatedEIPs associated with a running instance
VPC PeeringUsage-based (data transfer)Data transfer between peered VPCsCreating and accepting VPC peering connections
VPN ConnectionUsage-based (hourly/data)VPN connection hours and data transfer-
IP Address Manager (IPAM)Usage-based (monthly)Number of IPAM pools and usage-
Network ACLsNo charge-Creating and using network ACLs
Security GroupsNo charge-Creating and using security groups
IPv4 AddressesUsage-based (hourly)All public IPv4 addresses attached and not to a service-

⚠️ This table is based on typical AWS VPC pricing models as of the last update. Prices and components can vary based on region and specific configurations. Always refer to the AWS VPC Pricing page for the most up-to-date information.

💡 In addition to the above, you will also be billed for services that you launch into your VPC, such as Amazon EC2 or Amazon RDS.

VPC Quotas in AWS

When working with VPCs in AWS, it's crucial to be aware of the default limits imposed by the service. Each AWS account is limited to a maximum of five VPCs per Region. This quota is in place to help manage resources efficiently and ensure optimal performance.

If your project requires more than five VPCs in a single Region, you have the option to request an increase in this limit. To do so, you'll need to contact AWS Support and submit a service limit increase request. This process involves providing details about your use case and justifying the need for additional VPCs.

For more information on VPC quotas and how to request a limit increase, you can visit the AWS Service Quotas documentation and the AWS Support page for guidance on opening a support ticket.

Use Cases of Amazon VPC

As you've learned from the previous article, Amazon VPC enables users to establish a virtual network within the AWS ecosystem, offering full control over the virtual networking environment. These use cases demonstrate Amazon VPC's versatility in delivering secure, scalable, and isolated environments for a variety of applications and scenarios:

Case 1: Hosting a Public Website

Case 1: Hosting a Public Website

In this scenario, a company uses Amazon VPC to host a public-facing website. The presentation tier with web servers is placed in public subnets, allowing internet users to access the website. The application and database tiers are placed in private subnets for security. This setup ensures that the website is available to the public while keeping the business logic and data secure.

Case 2: Internal Application for Employees

Case 2: Internal Application for Employees

A company sets up an internal application (e.g., an intranet) within a VPC, accessible only by its employees. All three tiers (presentation, logic, and data) are placed in private subnets. Employees connect to the VPC over a VPN to access the application. This use case ensures that sensitive internal applications are not exposed to the public internet.

Case 3: Hybrid Cloud Integration

Case 3: Hybrid Cloud Integration In this use case, a company integrates its on-premises data center with its cloud infrastructure in AWS using Amazon VPC. The company uses a VPN or AWS Direct Connect to securely connect its on-premises network to the VPC. This setup allows seamless integration between on-premises and cloud resources, enabling the company to leverage the scalability and flexibility of the cloud while retaining some workloads on-premises.

Case 4: Multi-Tier Application with Microservices

A company deploys a multi-tier application with microservices architecture within a VPC. Each microservice is placed in its own private subnet, and communication between microservices is secured using security groups and NACLs. This setup provides isolation for each microservice, enhancing security and scalability. A public-facing load balancer in a public subnet routes incoming traffic to the appropriate microservices in the private subnets.


In Networking 101 - Part 3, the focus is on enhancing VPC security through Security Groups and Network ACLs, critical for managing network access effectively. The article also emphasizes the importance of monitoring VPCs using VPC Flow Logs to track and analyze traffic patterns. Furthermore, it discusses optimizing VPC costs by detailing charges for different components and the significance of understanding VPC quotas in AWS.

Moreover, the article explores the versatility of Amazon VPC through various use cases, illustrating its capability to provide secure, scalable, and isolated environments for hosting public websites, internal applications, hybrid cloud integration, and multi-tier applications with microservices architecture.

In the upcoming articles of this series, we will delve into more advanced networking topics and practical applications. Whether you are a beginner looking to start in networking or someone deeply interested in AWS and cloud technology, this series aims to equip you with the knowledge and tools to navigate the digital landscape confidently.

🙏 If you found this article informative and helpful, please consider sharing it with your friends and colleagues who might also benefit from this knowledge. Your support through likes and shares is greatly appreciated and motivates to continue creating valuable content for our readers.