
AWS VPC Fundamentals Explained for AWS SAA-C03

Your resources in AWS do not automatically sit in a protected private network. Without a VPC, they would be globally reachable by default. A Virtual Private Cloud is your isolated section of the AWS cloud, with its own IP address range, subnets, route tables, and security controls. Every architect working on AWS must understand VPC architecture because every other service, whether EC2, RDS, Lambda, or ECS, either runs inside a VPC or connects to one. The SAA-C03 exam tests VPC design, subnetting, security groups vs NACLs, and connectivity options more than almost any other topic.


VPC structure and subnet types

A VPC lives in a single AWS region and has a CIDR block that defines its IP address space, such as 10.0.0.0/16. You divide that space into subnets, each associated with one Availability Zone. Subnets do not span AZs, so a resilient architecture places resources in subnets across multiple AZs.

Public subnets have a route to an Internet Gateway in their route table, which means resources in those subnets can send and receive traffic from the internet. Private subnets have no such route, meaning resources in them are not directly reachable from the internet. A web server that needs to accept public connections goes in a public subnet. A database that should only accept connections from the application tier goes in a private subnet.

A NAT Gateway sits in a public subnet and gives resources in private subnets a way to initiate outbound connections to the internet (to download patches, call external APIs) without being reachable inbound. NAT Gateways are managed by AWS, highly available within an AZ, and charged per hour plus per GB of data processed. For HA across AZs, deploy a NAT Gateway in each AZ and configure private subnets in each AZ to route through their local NAT Gateway.

Security groups and NACLs

Security groups are stateful instance-level firewalls. Stateful means if you allow traffic in one direction, the return traffic is automatically allowed regardless of any other rule. Security groups only have allow rules. The absence of a rule is a deny. You apply security groups to EC2 instances, RDS databases, Lambda functions in VPCs, and load balancers. A single instance can have multiple security groups applied, and the rules across all of them are combined.

Network Access Control Lists (NACLs) operate at the subnet level and are stateless. Stateless means you must explicitly allow both inbound and outbound traffic, including the return traffic on ephemeral ports (1024 to 65535 for most responses). NACLs have both allow and deny rules, processed in numbered order from lowest to highest. The first matching rule wins. NACLs are useful for blocking specific IP addresses across an entire subnet.

Think of NACLs as the outer wall around a neighborhood (subnet) and security groups as the lock on each individual house (instance). You use the wall to block unwanted visitors from the neighborhood entirely. You use the lock to control who can enter specific houses.
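The stateful/stateless distinction above is easiest to see by running both evaluation models over the same two packets (a client's HTTPS request and the server's reply). The following is an added example written for this guide, not AWS code and not something the guide's author supplied: it models a security group as an allow-only rule set with a connection table, and a NACL as a numbered, first-match rule list with an implicit final deny. All addresses, rule numbers and the `Flow`/`Rule`/`demo` names are constructed for the example.

```python
"""Toy evaluator for AWS security-group (stateful) vs NACL (stateless) semantics.
Constructed for this guide; it is not AWS code and calls no AWS API. A rule is
(protocol, destination-port range, remote CIDR, action) plus a rule number that
only NACLs use. Addresses are documentation ranges chosen for the example."""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)  # return-traffic port range the guide cites


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    src_port: int
    proto: str = "tcp"


@dataclass
class Rule:
    proto: str              # "tcp", "udp" or "all"
    ports: tuple            # (low, high) inclusive, matched against dst_port
    cidr: str               # remote address range the rule applies to
    action: str = "allow"   # security groups only ever carry "allow"
    number: int = 0         # NACL evaluation order; ignored by security groups


def _matches(rule, remote_ip, port, proto):
    return (rule.proto in ("all", proto)
            and rule.ports[0] <= port <= rule.ports[1]
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr))


class SecurityGroup:
    """Stateful, instance-level, allow-only. All rules are evaluated; any match allows."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._tracked = set()  # connection table: 5-tuples whose reply is pre-approved

    def _check(self, rules, f, remote_ip):
        if (f.src_ip, f.src_port, f.dst_ip, f.dst_port, f.proto) in self._tracked:
            return True  # reply of an already-allowed connection: no rule needed
        if any(_matches(r, remote_ip, f.dst_port, f.proto) for r in rules):
            # remember the reverse 5-tuple so the reply passes without a rule
            self._tracked.add((f.dst_ip, f.dst_port, f.src_ip, f.src_port, f.proto))
            return True
        return False  # no allow rule matched: implicit deny

    def inbound_allowed(self, f):
        return self._check(self.inbound, f, f.src_ip)

    def outbound_allowed(self, f):
        return self._check(self.outbound, f, f.dst_ip)


class NetworkACL:
    """Stateless, subnet-level, allow and deny. Rules run in number order, first
    match wins, and the implicit final rule denies everything else."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, remote_ip, port, proto):
        for r in rules:
            if _matches(r, remote_ip, port, proto):
                return r.action == "allow"
        return False

    def inbound_allowed(self, f):
        return self._evaluate(self.inbound, f.src_ip, f.dst_port, f.proto)

    def outbound_allowed(self, f):
        return self._evaluate(self.outbound, f.dst_ip, f.dst_port, f.proto)


def demo():
    """Run the scenarios from the text and return each decision (True = allowed)."""
    client, web, bad = "198.51.100.7", "10.0.1.10", "203.0.113.50"  # constructed
    request = Flow(client, web, dst_port=443, src_port=50000)
    reply = Flow(web, client, dst_port=50000, src_port=443)
    r = {}

    # Security group with HTTPS allowed in and deliberately *no* outbound rules.
    sg = SecurityGroup(inbound=[Rule("tcp", (443, 443), "0.0.0.0/0")])
    r["sg_request"] = sg.inbound_allowed(request)   # True
    r["sg_reply"] = sg.outbound_allowed(reply)      # True: state, not a rule, allows it

    https_in = Rule("tcp", (443, 443), "0.0.0.0/0", number=100)
    ephemeral_out = Rule("tcp", EPHEMERAL, "0.0.0.0/0", number=100)

    # NACL that forgot the outbound ephemeral rule: requests arrive, replies drop.
    nacl = NetworkACL(inbound=[https_in])
    r["nacl_request"] = nacl.inbound_allowed(request)            # True
    r["nacl_reply_no_ephemeral"] = nacl.outbound_allowed(reply)  # False
    nacl = NetworkACL(inbound=[https_in], outbound=[ephemeral_out])
    r["nacl_reply_with_ephemeral"] = nacl.outbound_allowed(reply)  # True

    # Blocking one address: the deny must be numbered *below* the broad allow.
    deny_bad = Rule("all", (0, 65535), bad + "/32", "deny", number=90)
    blocking = NetworkACL(inbound=[deny_bad, https_in], outbound=[ephemeral_out])
    r["nacl_bad_ip_blocked"] = blocking.inbound_allowed(Flow(bad, web, 443, 50001))  # False
    r["nacl_client_still_ok"] = blocking.inbound_allowed(request)                    # True

    # Same deny numbered 110: the allow at 100 matches first, the block never fires.
    late_deny = Rule("all", (0, 65535), bad + "/32", "deny", number=110)
    too_late = NetworkACL(inbound=[late_deny, https_in], outbound=[ephemeral_out])
    r["nacl_late_deny_ineffective"] = too_late.inbound_allowed(Flow(bad, web, 443, 50001))  # True
    return r
```

Two details worth noticing when you run `demo()`: the security group passes the reply even though it has no outbound rule at all (a real default security group additionally carries an allow-all outbound rule, removed here so the connection table is what does the work), and the NACL deny for the single address only takes effect when its rule number is lower than the broad allow, because evaluation stops at the first match.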

VPC endpoints and connectivity

Without VPC endpoints, traffic from your VPC to AWS services like S3 travels over the public internet, even though both are in AWS. This creates cost, exposure, and latency. Gateway Endpoints add a route table entry that directs traffic to S3 or DynamoDB over the AWS private network instead, at no charge. Interface Endpoints create a private IP in your VPC for almost any AWS service, so traffic never leaves the Amazon network, though they do carry an hourly fee.

VPC peering connects two VPCs so they can route traffic to each other as if they were on the same network. Peering does not require a VPN or internet access. The catch is that peering is non-transitive: if VPC A peers with VPC B and VPC B peers with VPC C, A cannot reach C through B. Transit Gateway solves this for complex multi-VPC architectures by acting as a central hub.
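Public vs private subnets, NAT Gateway routing, Gateway Endpoints and the non-transitivity of peering are all consequences of how route tables are evaluated, so one model covers both the subnet section above and this connectivity section. The following is an added example written for this guide, not AWS code: it implements longest-prefix-match lookup over constructed route tables, classifies a subnet as public by the presence of a `0.0.0.0/0` route to an Internet Gateway, and models a peering connection as a hop that only delivers traffic addressed to the peer VPC's own CIDR. The VPC CIDRs, the `igw-`/`nat-`/`vpce-`/`pcx-` identifiers and the `pl-s3` prefix-list stand-in (with an illustrative address range) are all assumptions made for the example.

```python
"""Toy route-table model: public vs private subnets, NAT, gateway endpoints and
non-transitive VPC peering. Constructed for this guide; not AWS code."""
import ipaddress

# Assumption: a made-up stand-in for the managed S3 prefix list (pl-xxxx in AWS).
PREFIX_LISTS = {"pl-s3": ["52.216.0.0/15"]}
ANY = ipaddress.ip_network("0.0.0.0/0")


class Vpc:
    def __init__(self, name, cidr):
        self.name = name
        self.cidr = ipaddress.ip_network(cidr)
        self.route_tables = {}  # subnet name -> [(network, target), ...]

    def add_subnet(self, subnet, routes):
        """routes: [(destination CIDR or prefix-list id, target id), ...]."""
        table = [(self.cidr, "local")]  # implicit local route, always present
        for dest, target in routes:
            for net in PREFIX_LISTS.get(dest, [dest]):
                table.append((ipaddress.ip_network(net), target))
        self.route_tables[subnet] = table


def lookup(table, dst_ip):
    """Longest-prefix match; None means no route (packet dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [(net, tgt) for net, tgt in table if ip in net]
    if not candidates:
        return None
    return max(candidates, key=lambda e: e[0].prefixlen)[1]


def is_public(table):
    """A subnet is public exactly when its table sends 0.0.0.0/0 to an IGW."""
    return any(net == ANY and tgt.startswith("igw-") for net, tgt in table)


def forward(vpc, subnet, dst_ip, peerings):
    """One forwarding decision. A peering connection delivers only to the peer's
    own CIDR; it never hands traffic on to a third VPC, which is why peering is
    non-transitive even if a route pointing at it exists."""
    target = lookup(vpc.route_tables[subnet], dst_ip)
    if target is None:
        return "dropped: no route"
    if target.startswith("pcx-"):
        a, b = peerings[target]
        peer = b if a is vpc else a
        if ipaddress.ip_address(dst_ip) in peer.cidr:
            return f"delivered to {peer.name}"
        return f"dropped: {target} only reaches {peer.cidr}"
    return target  # igw-/nat-/vpce-/local: the next hop the packet is handed to


def demo():
    """Build VPCs A, B, C with A<->B and B<->C peerings and return the decisions."""
    a, b, c = Vpc("A", "10.0.0.0/16"), Vpc("B", "10.1.0.0/16"), Vpc("C", "10.2.0.0/16")
    peerings = {"pcx-ab": (a, b), "pcx-bc": (b, c)}  # constructed ids; no A<->C peering

    a.add_subnet("public", [("0.0.0.0/0", "igw-a"), ("10.1.0.0/16", "pcx-ab")])
    a.add_subnet("private", [
        ("0.0.0.0/0", "nat-a"),      # outbound internet via NAT in the public subnet
        ("pl-s3", "vpce-s3"),        # gateway endpoint: S3 prefixes bypass the NAT
        ("10.1.0.0/16", "pcx-ab"),
        ("10.2.0.0/16", "pcx-ab"),   # tempting but useless: tries to reach C via B
    ])
    b.add_subnet("private", [("10.0.0.0/16", "pcx-ab"), ("10.2.0.0/16", "pcx-bc")])

    return {
        "a_public_is_public": is_public(a.route_tables["public"]),
        "a_private_is_public": is_public(a.route_tables["private"]),
        "public_to_internet": forward(a, "public", "198.51.100.7", peerings),
        "private_to_internet": forward(a, "private", "198.51.100.7", peerings),
        "private_to_s3": forward(a, "private", "52.216.1.1", peerings),
        "private_to_local": forward(a, "private", "10.0.2.15", peerings),
        "a_to_b": forward(a, "private", "10.1.0.9", peerings),
        "a_to_c": forward(a, "private", "10.2.0.9", peerings),
        "b_to_c": forward(b, "private", "10.2.0.9", peerings),
    }
```

The S3 case shows why the Gateway Endpoint wins over the NAT route without any ordering rules: the endpoint's prefix-list entries are more specific than `0.0.0.0/0`, so longest-prefix match selects `vpce-s3`. The peering case shows that adding a route for VPC C's CIDR to VPC A's table does not create transitive reachability; the packet is still dropped at `pcx-ab` because that connection only carries traffic for VPC B.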

How to choose the correct answer

Public vs private subnet: needs inbound internet connections = public subnet. Should not be reachable from internet = private subnet. Private subnet needs internet access for updates = NAT Gateway in public subnet.

Security group vs NACL: stateful, instance-level, allow-only = security group. Stateless, subnet-level, allow and deny = NACL. Block a specific IP from entering the subnet = NACL.

Traffic to S3 without internet = Gateway Endpoint (free). Traffic to other AWS services privately = Interface Endpoint (paid). Connect two VPCs = VPC peering (non-transitive). Connect many VPCs = Transit Gateway.

Bastion host: a single hardened EC2 instance in a public subnet used as the only SSH entry point to instances in private subnets. Alternative: AWS Systems Manager Session Manager removes the need for a bastion entirely.

Security groups vs NACLs

Attribute        | Security Group                        | NACL
Level            | Instance                              | Subnet
Stateful?        | Yes (return traffic auto-allowed)     | No (must allow inbound and outbound separately)
Rule types       | Allow only                            | Allow and deny
Rule processing  | All rules evaluated                   | In order, first match wins
Default behavior | Deny all inbound, allow all outbound  | Allow all inbound and outbound

Key exam facts — AWS SAA-C03

  • Public subnet: route to Internet Gateway. Private subnet: no internet route.
  • NAT Gateway: private subnet outbound internet access. Deploy one per AZ for HA.
  • Security groups: stateful, instance-level, allow-only.
  • NACLs: stateless, subnet-level, allow and deny, must allow return traffic explicitly.
  • Gateway Endpoint: free, S3 and DynamoDB only. Interface Endpoint: paid, other services.
  • VPC peering: non-transitive. Transit Gateway: hub for many VPCs.

Common exam traps

Security groups can be used to block specific IP addresses.

Security groups only support allow rules. To block a specific IP address, use a NACL deny rule on the subnet or use AWS WAF if the traffic is HTTP/HTTPS.

A private subnet with a NAT Gateway is accessible from the internet.

The NAT Gateway allows resources in the private subnet to initiate outbound connections to the internet. It does not create inbound reachability. Traffic from the internet cannot initiate connections to private subnet resources through a NAT Gateway.

VPC peering is transitive, so peered VPCs can route to each other through a middle VPC.

VPC peering is explicitly non-transitive. VPC A peered with VPC B and VPC B peered with VPC C does not allow A to reach C. Each pair of VPCs that needs to communicate requires its own peering connection, or you must use Transit Gateway for hub-and-spoke routing.

Practice questions — AWS VPC

These questions are representative of what you will see on the AWS SAA-C03 exam. The correct answer and explanation are shown immediately below each question.

Q1. A web application needs its database tier to be accessible only from the application tier, not from the internet. Where should the database be placed?

A. In a public subnet with a security group blocking internet traffic
B. In a private subnet with no route to an Internet Gateway
C. In a public subnet with a NACL denying all inbound traffic
D. In a separate VPC with VPC peering to the application VPC

Explanation: Private subnets have no route to an Internet Gateway, making them unreachable from the internet by design. The database should be in a private subnet and communicate with the application tier (in public or private subnets) through security group rules. A security group on a public subnet still exposes the resource to potential internet traffic if the route exists.

Q2. An EC2 instance in a private subnet needs to download software updates from the internet. The instance should not be directly reachable from the internet. What is the correct solution?

A. Assign the instance a public IP address
B. Deploy a NAT Gateway in a public subnet and route private subnet outbound traffic through it
C. Create a VPC endpoint for internet access
D. Enable IPv6 on the private subnet

Explanation: A NAT Gateway in a public subnet allows resources in private subnets to initiate outbound connections to the internet while remaining unreachable inbound. The private subnet's route table directs 0.0.0.0/0 to the NAT Gateway. The NAT Gateway then connects to the Internet Gateway for actual internet access. No public IP is assigned to the private instance.

Q3. A security engineer needs to block all traffic from a specific malicious IP address (203.0.113.50) to all EC2 instances in a subnet. Which AWS feature should be used?

A. Security group deny rule on each instance
B. Network ACL deny rule on the subnet
C. VPC routing table modification
D. AWS WAF rule on the VPC

Explanation: NACLs operate at the subnet level and support deny rules, making them ideal for blocking specific IP addresses across all resources in a subnet. Security groups only support allow rules — you cannot create a deny rule in a security group. WAF is for HTTP/HTTPS web application traffic, not general IP blocking at the network level.

Q4. An application in a private VPC subnet needs to access S3 without traffic traversing the public internet. What is the most cost-effective solution?

A. Deploy a NAT Gateway for internet access to S3
B. Create a Gateway VPC Endpoint for S3
C. Create an Interface VPC Endpoint for S3
D. Assign the EC2 instances public IPs to access S3 directly

Explanation: A Gateway VPC Endpoint for S3 (and DynamoDB) adds a route table entry directing S3 traffic over the AWS private network at no additional cost. Interface Endpoints create a private ENI in your VPC for a fee. NAT Gateway works but routes traffic through the public internet and costs money per GB. Gateway Endpoints are free and keep S3 traffic on the AWS network.

Q5. VPC-A is peered with VPC-B. VPC-B is peered with VPC-C. Can an EC2 instance in VPC-A communicate with an EC2 instance in VPC-C through VPC-B?

A. Yes, because VPC peering allows transitive routing through intermediate VPCs
B. No, because VPC peering is non-transitive
C. Yes, but only if VPC-B has a transit gateway attached
D. No, unless all three VPCs are in the same region

Explanation: VPC peering is explicitly non-transitive. VPC-A can communicate with VPC-B (they're peered), and VPC-B can communicate with VPC-C (they're peered), but VPC-A cannot reach VPC-C through VPC-B. Each pair that needs communication requires its own peering connection. Transit Gateway solves this by acting as a hub where all connected VPCs can route to each other.

Frequently asked questions — AWS VPC

What is the difference between a public subnet and a private subnet in AWS?

A public subnet has a route table entry that directs internet-bound traffic (0.0.0.0/0) to an Internet Gateway (IGW). Resources in a public subnet can have public IP addresses and be directly reachable from the internet. A private subnet has no route to an Internet Gateway, so resources in it cannot be directly reached from (or reach) the internet. Private subnet resources use a NAT Gateway for outbound-only internet access.

What is the difference between a security group and a NACL in AWS?

Security groups are stateful (return traffic is automatically allowed), operate at the instance level, and only support allow rules. NACLs are stateless (you must explicitly allow both inbound and outbound, including ephemeral ports), operate at the subnet level, and support both allow and deny rules. Use security groups for per-instance access control. Use NACLs to block specific IP addresses at the subnet boundary or add an extra layer of defense.

What is a NAT Gateway and when do I need one?

A NAT Gateway allows EC2 instances in private subnets to initiate outbound internet connections (downloading packages, calling APIs) while remaining unreachable from the internet inbound. It sits in a public subnet and translates private IP addresses to its public IP for outbound traffic. For high availability, deploy one NAT Gateway per Availability Zone and configure each private subnet's route to point to the NAT Gateway in the same AZ.

What is a VPC Endpoint and what are the two types?

VPC Endpoints allow traffic from your VPC to reach AWS services without traversing the public internet. Gateway Endpoints are free and work only for S3 and DynamoDB — they add an entry to your route table. Interface Endpoints create a private network interface (ENI) in your VPC subnet for almost any AWS service — they have an hourly fee but keep all traffic on the AWS network and support VPC endpoint policies.

How is VPC tested on AWS SAA-C03?

SAA-C03 heavily tests VPC architecture: public vs private subnet design, Internet Gateway vs NAT Gateway, security groups vs NACLs (stateful vs stateless), VPC Endpoints (Gateway for S3/DynamoDB, Interface for others), VPC peering (non-transitive), Transit Gateway, and VPN/Direct Connect for hybrid connectivity. Expect multi-tier architecture scenarios where you must identify the correct placement of resources and the right connectivity components.
