In Chapter 3: Terraform Modules, we introduced the concept of reusable infrastructure components through Terraform modules. We explored how modules help standardize and simplify the provisioning of critical cloud resources, such as Virtual Private Clouds (VPCs) and EKS clusters.

In this chapter, we’ll take a closer look at one of the most foundational infrastructure components: the VPC (Virtual Private Cloud). A VPC defines the isolated network environment in which all other AWS resources—like compute instances, databases, and Kubernetes clusters—operate. Understanding how the VPC module works is essential to designing secure, scalable, and well-organized cloud infrastructure.

What Problem Are We Solving?

Imagine AWS as a vast metropolitan city where organizations can deploy and run digital infrastructure. While this shared environment provides immense scalability and flexibility, no organization wants its resources directly exposed to or mixed with others. Just as you’d prefer your own private property within a busy city—complete with fencing, roads, and security—a VPC (Virtual Private Cloud) offers that same level of isolation and control in the cloud.

A VPC is a logically isolated section of the AWS cloud where you can define and manage your own networking environment. It provides a secure and private foundation on which all other AWS resources—such as EC2 instances, RDS databases, or EKS clusters—are deployed.

Key benefits of a VPC include:

• Isolation

  Your resources operate in a logically separate network, fully isolated from those of other AWS customers.

• Control

  You define the network topology—including IP address ranges, subnets, route tables, and gateways—according to your architectural and operational needs.

• Security

  Using network access control lists (ACLs), security groups, and route configurations, you can enforce fine-grained rules for inbound and outbound traffic.

In essence, a VPC is your private, fenced-off estate within AWS. You determine where resources are placed (subnets), how they communicate internally (routing), and what traffic is allowed to enter or exit (gateways and firewalls). This makes the VPC a foundational building block for secure and scalable cloud infrastructure.

What is a VPC? (Your Private Cloud Estate)

A VPC is your private, isolated virtual network within AWS. It's the foundational layer for almost everything you build in AWS.

Let's break down the key parts of your cloud estate:

1. IP Address Range (CIDR Block):
   • This is like the total land area of your estate. It's a range of IP addresses (e.g., 10.123.0.0/16) that only your VPC can use. No other VPC can use the exact same range in the same region, ensuring your network addresses don't clash with others.
   • For example, 10.123.0.0/16 allows for a very large number of private IP addresses that your resources can use.
2. Subnets (Rooms/Sections in Your Estate):
   • You don't just have one big open field; you divide your estate into smaller, organized sections or "rooms." These are called subnets.
   • Each subnet is a smaller range of IP addresses taken from your main VPC CIDR block (e.g., 10.123.1.0/24, 10.123.2.0/24).
   • Subnets are typically tied to an Availability Zone (AZ), which is a physically separate data center within an AWS region. Spreading subnets across multiple AZs makes your infrastructure more resilient to outages.
   • We primarily use two types of subnets:
     • Public Subnets (The Front Yard): These subnets have a direct connection to the internet. Resources here (like web servers that need to be accessed from the internet) can have public IP addresses.
     • Private Subnets (The Backyard): These subnets have no direct connection to the internet. Resources here (like databases or application servers that should only talk to other parts of your system) have only private IP addresses, making them more secure.
3. Route Tables (Road Maps):
   • Each subnet needs a "road map" to know where to send network traffic. This map is called a route table.
   • A route table defines how traffic from the subnet is directed. For example, it tells traffic destined for the internet to go through an Internet Gateway.
4. Internet Gateway (IGW) (The Main Entrance/Exit):
   • This is the front gate of your estate, allowing traffic to flow between your VPC's public subnets and the internet. Without an IGW, your public subnets couldn't talk to the outside world.
5. NAT Gateway (A Postal Service for Your Backyard):
   • What if resources in your private backyard (private subnets) need to access the internet (e.g., to download software updates) but you don't want the internet to directly access them?
   • A NAT Gateway acts like a secure postal service. Resources in private subnets send their outbound requests to the NAT Gateway, which then sends them to the internet and brings back the replies. It hides the private IPs, ensuring no direct inbound connections from the internet to your private resources.

How Our Project Uses the VPC Module

In our project, we use a Terraform module to provision the VPC. This module encapsulates all the logic and configurations needed to define the structure of our "estate"—including the overall IP address range, subnet layout, and access control points.