cloud·Sep 14, 2025·11 min read
AWS VPC Deep Dive: Advanced Networking Patterns for Production
Mastering AWS VPC design — CIDR planning that scales, NAT Gateway HA per AZ, VPC PrivateLink for service isolation, Transit Gateway for multi-account mesh, and VPC Flow Logs for security forensics.
Sabin Joshi
DevOps Engineer
#aws #vpc #networking #nat-gateway #privatelink #transit-gateway #vpc-flow-logs
CIDR Planning Is Forever
The worst AWS architecture mistake is poor CIDR planning. Overlapping IP ranges between VPCs, on-premises networks, and future acquisitions force expensive re-architecting, because VPCs with overlapping CIDRs cannot be peered and cannot share a Transit Gateway route table cleanly. A VPC's primary CIDR block cannot be changed after creation; you can add secondary CIDR blocks, but that does not rescue a primary that already overlaps a peer or on-prem range. Get this right upfront.
Our hierarchical scheme: /8 per org → /16 per AWS account → /20 per VPC → /24 per subnet. A /8 holds 256 account /16s, each /16 holds 16 VPC /20s, and each /20 holds 16 /24 subnets, enough for a three-tier, three-AZ layout (9 subnets) with spares. That covers our 50+ accounts with no collisions and no exceptions to remember.
ℹ️Reserve 100.64.0.0/10 (IANA Shared Address Space, RFC 6598) for internal-only VPCs. AWS accepts it as a VPC CIDR, it is routable within AWS, and it won't conflict with RFC 1918 on-prem space. Two caveats: do not advertise it towards on-prem over VPN or Direct Connect if a carrier or on-prem NAT already uses it, and check your EKS clusters first, since custom pod networking guides commonly carve pod subnets out of the same range.
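The hierarchy above is easy to state and easy to get wrong by hand, so here is the carving done mechanically, with the collision check a reviewer would want to run before the first VPC is created. This is an added example, not code from the original post; the org /8, the on-prem ranges, the account names, the tier names (public, app, data) and the two-VPCs-per-account default are constructed assumptions.

```python
"""Hierarchical CIDR carving: /8 org -> /16 account -> /20 VPC -> /24 subnet.

Added example, not from the original post. The org block, the on-prem ranges,
the tier names and the account names are constructed placeholders.
"""
import ipaddress
from typing import Dict, List, Tuple

ORG_BLOCK = ipaddress.ip_network("10.0.0.0/8")      # assumption: the org's /8
# Constructed on-prem allocations that AWS space must never overlap.
ON_PREM = [ipaddress.ip_network("10.250.0.0/16"),
           ipaddress.ip_network("192.168.0.0/16")]
TIERS = ("public", "app", "data")                   # assumed tier names for the 3-tier model
AZ_COUNT = 3


def carve(org=ORG_BLOCK, reserved=ON_PREM):
    """Yield /16 account blocks from the org /8, skipping any that overlap reserved space."""
    for acct in org.subnets(new_prefix=16):
        if any(acct.overlaps(r) for r in reserved):
            continue                                # e.g. 10.250.0.0/16 is on-prem: skip it
        yield acct


def plan_vpc(vpc: ipaddress.IPv4Network) -> Dict[str, ipaddress.IPv4Network]:
    """Split a /20 VPC into /24 subnets: one per tier per AZ (9 used, 7 spare)."""
    subnets = list(vpc.subnets(new_prefix=24))      # 16 x /24 in a /20
    plan: Dict[str, ipaddress.IPv4Network] = {}
    i = 0
    for tier in TIERS:
        for az in range(AZ_COUNT):
            plan[f"{tier}-{chr(ord('a') + az)}"] = subnets[i]
            i += 1
    return plan


def build_plan(accounts: List[str], vpcs_per_account: int = 2):
    """Give each account a /16 and each VPC a /20; return {account: {vpc: {subnet: net}}}."""
    acct_blocks = carve()
    plan = {}
    for name in accounts:
        block = next(acct_blocks)
        vpc_blocks = list(block.subnets(new_prefix=20))[:vpcs_per_account]
        plan[name] = {f"{name}-vpc{n}": plan_vpc(v) for n, v in enumerate(vpc_blocks)}
    return plan


def find_overlaps(plan) -> List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]]:
    """Every pair of subnets (AWS plus on-prem) that overlap; a correct plan returns []."""
    nets = list(ON_PREM)
    for acct in plan.values():
        for vpc in acct.values():
            nets.extend(vpc.values())
    return [(a, b) for i, a in enumerate(nets) for b in nets[i + 1:] if a.overlaps(b)]


if __name__ == "__main__":
    p = build_plan(["prod", "staging"])
    for acct, vpcs in p.items():
        for vpc, subnets in vpcs.items():
            for label, net in subnets.items():
                print(f"{acct:8} {vpc:14} {label:9} {net}")
    print("overlaps:", find_overlaps(p))
```

Run this as part of the pull request that adds an account or a VPC: the overlap check is the cheap gate that prevents the expensive re-architecture the section warns about.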
Three-Tier Subnet Model
Figure: Three-Tier VPC Subnet Architecture (3 AZs)
NAT Gateway High Availability
Common mistake: one NAT Gateway in one AZ, shared by the private subnets in every AZ. NAT Gateways are zonal, so when that AZ has issues all outbound traffic from every private subnet fails, and in normal operation every other AZ pays inter-AZ data transfer to reach it. Deploy one NAT GW per AZ, give each AZ its own private route table, and point that table's default route at the local NAT GW. Audit it after every change: a private route table whose 0.0.0.0/0 route points at a NAT GW in another AZ is the bug you are looking for.
# One Elastic IP and one NAT GW per AZ; aws_internet_gateway.main and the subnets are defined elsewhere
resource "aws_eip" "nat_a" {
  domain = "vpc"
}

resource "aws_nat_gateway" "az_a" {
  allocation_id = aws_eip.nat_a.id
  subnet_id     = aws_subnet.public_a.id          # public subnet in AZ a
  depends_on    = [aws_internet_gateway.main]     # IGW must exist before the NAT GW can egress
}

# Private route table for AZ a only; AZ b and c get their own tables and NAT GWs
resource "aws_route" "private_a_nat" {
  route_table_id         = aws_route_table.private_a.id
  destination_cidr_block = "0.0.0.0/0"
  nat_gateway_id         = aws_nat_gateway.az_a.id # local AZ NAT GW
}
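The Terraform above expresses the intent for one AZ; what drifts in practice is a route table that still points at the wrong AZ's NAT GW after someone "fixed" an outage by hand. The following is an added example (not from the original post) of the audit a practitioner runs against the live account: the input dicts are constructed in the shape of the EC2 DescribeSubnets, DescribeNatGateways and DescribeRouteTables responses with made-up IDs, so the functions can be fed real boto3 output unchanged.

```python
"""Audit that every private route table's default route uses a NAT Gateway in its own AZ.

Added example, not from the original post. Inputs are constructed in the shape of
EC2 DescribeSubnets / DescribeNatGateways / DescribeRouteTables responses; a real
run would pass boto3 output into the same functions.
"""
from typing import Dict, List

# Constructed sample inventory: three AZs with a NAT GW in each, but the AZ-c
# private route table wrongly sends its default route through the AZ-a NAT GW.
SUBNETS = [
    {"SubnetId": "subnet-pub-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-pub-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-pub-c", "AvailabilityZone": "us-east-1c"},
    {"SubnetId": "subnet-app-a", "AvailabilityZone": "us-east-1a"},
    {"SubnetId": "subnet-app-b", "AvailabilityZone": "us-east-1b"},
    {"SubnetId": "subnet-app-c", "AvailabilityZone": "us-east-1c"},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-a", "SubnetId": "subnet-pub-a", "State": "available"},
    {"NatGatewayId": "nat-b", "SubnetId": "subnet-pub-b", "State": "available"},
    {"NatGatewayId": "nat-c", "SubnetId": "subnet-pub-c", "State": "available"},
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-a",
     "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},
    {"RouteTableId": "rtb-b",
     "Associations": [{"SubnetId": "subnet-app-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-b"}]},
    {"RouteTableId": "rtb-c",
     "Associations": [{"SubnetId": "subnet-app-c"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-a"}]},  # cross-AZ
]


def subnet_az_map(subnets) -> Dict[str, str]:
    return {s["SubnetId"]: s["AvailabilityZone"] for s in subnets}


def nat_az_map(nat_gateways, subnet_az: Dict[str, str]) -> Dict[str, str]:
    """NAT GWs are zonal: their AZ is the AZ of the public subnet they were created in."""
    return {n["NatGatewayId"]: subnet_az[n["SubnetId"]] for n in nat_gateways}


def find_cross_az_nat_routes(route_tables, subnets, nat_gateways) -> List[dict]:
    """One finding per (route table, subnet) whose 0.0.0.0/0 NAT route lives in another AZ."""
    subnet_az = subnet_az_map(subnets)
    nat_az = nat_az_map(nat_gateways, subnet_az)
    findings = []
    for rtb in route_tables:
        default_routes = [r for r in rtb["Routes"]
                          if r.get("DestinationCidrBlock") == "0.0.0.0/0" and "NatGatewayId" in r]
        for route in default_routes:
            gw_az = nat_az.get(route["NatGatewayId"])
            for assoc in rtb.get("Associations", []):
                sid = assoc.get("SubnetId")          # the main-table association has no SubnetId
                if sid and subnet_az.get(sid) != gw_az:
                    findings.append({"route_table": rtb["RouteTableId"], "subnet": sid,
                                     "subnet_az": subnet_az[sid],
                                     "nat_gateway": route["NatGatewayId"], "nat_az": gw_az})
    return findings


def azs_without_nat(subnets, nat_gateways) -> List[str]:
    """AZs that host subnets but no available NAT GW: the single-NAT anti-pattern shows up here."""
    subnet_az = subnet_az_map(subnets)
    covered = {subnet_az[n["SubnetId"]] for n in nat_gateways if n["State"] == "available"}
    return sorted(set(subnet_az.values()) - covered)


if __name__ == "__main__":
    for f in find_cross_az_nat_routes(ROUTE_TABLES, SUBNETS, NAT_GATEWAYS):
        print("cross-AZ NAT route:", f)
    print("AZs without a NAT GW:", azs_without_nat(SUBNETS, NAT_GATEWAYS))
```

Wire the two functions into whatever runs your other account hygiene checks; the first catches the hand-edited route, the second catches the original single-NAT design before an AZ event does.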
VPC PrivateLink for Service Isolation
PrivateLink exposes a service behind a Network Load Balancer to consumer VPCs without peering: traffic stays on the AWS network, the consumer sees only an interface endpoint (an ENI in its own subnets), and the provider never gets a route into the consumer VPC. We use it to expose internal microservices between teams without granting full VPC access. Two things to know before relying on it for isolation: allowed_principals with an account root means any principal in that account that can call CreateVpcEndpoint may request a connection, so acceptance_required = true is the actual gate; and the provider's targets see the NLB node's private IP as the source, not the consumer's, so enable Proxy Protocol v2 on the NLB if you need the consumer's endpoint ID for auditing.
# Provider side: the NLB (aws_lb.payment_nlb) fronts the service
resource "aws_vpc_endpoint_service" "payment_api" {
  acceptance_required        = true                                  # provider approves each connection
  network_load_balancer_arns = [aws_lb.payment_nlb.arn]
  allowed_principals         = ["arn:aws:iam::CONSUMER_ACCT:root"]   # whole consumer account may request
}

# Consumer side: service_name is the provider's com.amazonaws.vpce.<region>.vpce-svc-... name,
# passed in as a variable because the provider lives in another account
data "aws_vpc_endpoint_service" "payment" {
  service_name = var.payment_service_name
}

resource "aws_vpc_endpoint" "consume_payment" {
  vpc_id              = var.consumer_vpc_id
  service_name        = data.aws_vpc_endpoint_service.payment.service_name
  vpc_endpoint_type   = "Interface"
  subnet_ids          = var.consumer_private_subnet_ids            # one ENI per AZ
  security_group_ids  = [aws_security_group.payment_endpoint.id]   # only app subnets may reach the ENI
  private_dns_enabled = true   # needs the provider to set and verify private_dns_name, else apply fails
}
VPC Flow Logs
Enable Flow Logs on all production VPCs. They are essential for debugging connectivity and for security forensics. Use the custom flow log format (version 5 fields) and include flow-direction, pkt-src-aws-service and pkt-dst-aws-service: the service fields reveal exactly which AWS services your instances talk to, which is invaluable for building least-privilege security groups and endpoint policies. Two caveats: Flow Logs are aggregated flow records over a 1- or 10-minute interval, not packet captures, and they do not record traffic to the Amazon DNS resolver, the instance metadata service or the Time Sync service, so an absent flow is not proof that nothing happened.
💡Ship Flow Logs to S3 with Athena for long-term queries. Keep CloudWatch Logs for real-time investigation. Run a weekly Athena query to find unexpected egress patterns — these often reveal misconfigured apps or active exfiltration attempts.
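The weekly "unexpected egress" query is the part worth writing down precisely. The following is an added example, not from the original post, that runs the same logic offline in Python over a handful of constructed flow log records so the rules can be tested before they become an Athena query: the account ID, interface ID, addresses, byte counts, the VPC CIDR, the allowed service set and the allowed external range are all made up, and the field order assumed is the custom format listed in the module docstring.

```python
"""Find unexpected egress in VPC Flow Logs (custom v5 format with pkt-*-aws-service).

Added example, not from the original post. The log lines, IDs, addresses, the VPC
CIDR and the allow-lists are constructed placeholders. The field order is the one
chosen when the flow log was created, assumed here to be:
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes
start end action log-status flow-direction pkt-src-aws-service pkt-dst-aws-service
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport protocol "
          "packets bytes start end action log-status flow-direction "
          "pkt-src-aws-service pkt-dst-aws-service").split()

VPC_CIDR = ipaddress.ip_network("10.0.0.0/20")                  # assumption: the VPC being audited
ALLOWED_SERVICES = {"S3", "DYNAMODB"}                            # services the app is expected to use
ALLOWED_EXTERNAL = [ipaddress.ip_network("198.51.100.0/24")]    # assumption: a partner API range

# Constructed records: one app host talking to S3, to an in-VPC database, to a
# partner range, to DynamoDB, and (lines 3-4) pushing ~100 MB to an unknown host.
SAMPLE_LOG = """\
5 123456789012 eni-0a1b2c3d 10.0.3.25 52.216.0.10 44321 443 6 20 15000 1694700000 1694700060 ACCEPT OK egress - S3
5 123456789012 eni-0a1b2c3d 10.0.3.25 10.0.6.40 51000 5432 6 30 8000 1694700000 1694700060 ACCEPT OK egress - -
5 123456789012 eni-0a1b2c3d 10.0.3.25 203.0.113.77 40000 443 6 5000 83886080 1694700000 1694700060 ACCEPT OK egress - -
5 123456789012 eni-0a1b2c3d 10.0.3.25 203.0.113.77 40001 443 6 1200 20971520 1694700060 1694700120 ACCEPT OK egress - -
5 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.0.12 55555 443 6 10 2000 1694700000 1694700060 ACCEPT OK ingress - -
5 123456789012 eni-0a1b2c3d 10.0.3.26 198.51.100.9 40002 443 6 8 1800 1694700000 1694700060 ACCEPT OK egress - -
5 123456789012 eni-0a1b2c3d 10.0.3.26 52.94.0.4 40003 443 6 12 2600 1694700000 1694700060 ACCEPT OK egress - DYNAMODB
5 123456789012 eni-0a1b2c3d 10.0.3.25 203.0.113.77 40004 443 6 3 200 1694700120 1694700180 REJECT OK egress - -
"""


def parse(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Split each record on whitespace and zip with FIELDS; drop NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                                 # different format version or truncated line
        rec = dict(zip(FIELDS, parts))
        if rec["log-status"] != "OK":
            continue
        records.append(rec)
    return records


def is_expected(rec: Dict[str, str]) -> bool:
    """Egress is expected if it stays inside the VPC, hits an allowed AWS service, or an allowed range."""
    dst = ipaddress.ip_address(rec["dstaddr"])
    if dst in VPC_CIDR:
        return True
    if rec["pkt-dst-aws-service"] in ALLOWED_SERVICES:
        return True
    return any(dst in net for net in ALLOWED_EXTERNAL)


def unexpected_egress(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Bytes of ACCEPTed egress per (srcaddr, dstaddr, dstport) that matched no allow rule."""
    totals: Dict[Tuple[str, str, str], int] = defaultdict(int)
    for rec in parse(lines):
        if rec["flow-direction"] != "egress" or rec["action"] != "ACCEPT":
            continue                                 # REJECTs are a separate, noisier report
        if is_expected(rec):
            continue
        totals[(rec["srcaddr"], rec["dstaddr"], rec["dstport"])] += int(rec["bytes"])
    return dict(totals)


def services_seen(lines: Iterable[str]) -> Dict[str, int]:
    """Bytes per AWS service actually reached on egress: the input for least-privilege egress rules."""
    seen: Dict[str, int] = defaultdict(int)
    for rec in parse(lines):
        if rec["flow-direction"] == "egress" and rec["pkt-dst-aws-service"] != "-":
            seen[rec["pkt-dst-aws-service"]] += int(rec["bytes"])
    return dict(seen)


if __name__ == "__main__":
    for key, nbytes in sorted(unexpected_egress(SAMPLE_LOG.splitlines()).items(),
                              key=lambda kv: -kv[1]):
        print(f"unexpected egress {key[0]} -> {key[1]}:{key[2]}  {nbytes} bytes")
    print("services seen:", services_seen(SAMPLE_LOG.splitlines()))
```

The same three predicates (destination inside the VPC, pkt-dst-aws-service in an allow-list, destination in an allowed external range) translate directly into the WHERE clause of the weekly Athena query; keep the allow-lists in version control so a newly observed service is a reviewed change rather than a silent one. Note that on a NAT Gateway's own ENI the srcaddr is the NAT GW's private IP, so group by the instance ENIs rather than the NAT ENI to attribute the flow to a host.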