
AWS VPC Networking Simulator

Learn AWS networking fundamentals with an interactive VPC simulator. Visualize how traffic flows through public and private subnets, understand NAT Gateways, Internet Gateways, and route tables.

AWS VPC Builder

Build your VPC by adding components. The simulator will tell you if something is misconfigured.


Key Concepts

  • Public Subnet: Has a route to the Internet Gateway - resources can have public IPs
  • Private Subnet: No direct internet route - resources are protected
  • NAT Gateway: Lets private resources reach the internet without being exposed
  • Internet Gateway: The door between your VPC and the internet

Understanding AWS VPC Networking

A Virtual Private Cloud (VPC) is your own isolated section of the AWS cloud where you can launch resources in a virtual network that you define. Think of it as your own private data center in the cloud, with complete control over your networking environment.

Core Components

  • VPC (Virtual Private Cloud): Your isolated section of AWS cloud where you launch resources in a virtual network you define. Each VPC has its own IP address range (CIDR block), typically something like 10.0.0.0/16.
  • Public Subnet: A subnet with a route to the Internet Gateway. Resources here can have public IPs and be directly accessible from the internet. Web servers and load balancers typically live here.
  • Private Subnet: A subnet with no direct internet access. Resources are protected from public exposure. Databases, application servers, and sensitive workloads typically live here.
  • Internet Gateway: Allows communication between your VPC and the internet. It's horizontally scaled, redundant, and highly available. You attach one IGW per VPC.

Traffic Flow Concepts

  • NAT Gateway: Enables private subnet instances to access the internet (for updates, API calls) while remaining unreachable from outside. NAT Gateways must be placed in a public subnet and cost ~$0.045/hour plus data charges.
  • Route Table: Contains rules (routes) that determine where network traffic is directed. Public subnets route 0.0.0.0/0 to the IGW; private subnets route 0.0.0.0/0 to the NAT Gateway.
  • CIDR Block: IP address range for your VPC and subnets. The VPC might use 10.0.0.0/16 (65,536 IPs), with subnets like 10.0.1.0/24 (256 IPs) for public and 10.0.2.0/24 for private.
  • Availability Zone: Isolated locations within a region for high availability. Best practice is to deploy subnets across multiple AZs (e.g., us-east-1a, us-east-1b) for fault tolerance.
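The route-table logic above (public subnets send 0.0.0.0/0 to the IGW, private subnets send it to a NAT Gateway that must itself sit in a public subnet) can be checked mechanically. The following Python is an added example, not the simulator's own code; the VPC dictionary, the `igw-1`/`nat-1` identifiers and the finding messages are all constructed for illustration.

```python
import ipaddress

# Constructed example VPC (not the simulator's data model): one public subnet
# routing 0.0.0.0/0 to the IGW, one private subnet routing it to a NAT Gateway.
VPC = {
    "cidr": "10.0.0.0/16",
    "igw": "igw-1",
    "nat_gateways": {"nat-1": "subnet-public"},  # NAT id -> subnet it lives in
    "subnets": {
        "subnet-public":  {"cidr": "10.0.1.0/24", "routes": {"0.0.0.0/0": "igw-1"}},
        "subnet-private": {"cidr": "10.0.2.0/24", "routes": {"0.0.0.0/0": "nat-1"}},
    },
}

def default_target(subnet):
    """Target of the 0.0.0.0/0 route, or None when the subnet has no default route."""
    return subnet["routes"].get("0.0.0.0/0")

def classify(vpc, name):
    """A subnet is 'public' only if its default route points at the VPC's IGW."""
    return "public" if default_target(vpc["subnets"][name]) == vpc["igw"] else "private"

def validate(vpc):
    """Return the misconfigurations a VPC builder should flag (empty list = OK)."""
    findings = []
    vpc_net = ipaddress.ip_network(vpc["cidr"])
    for name, sn in vpc["subnets"].items():
        if not ipaddress.ip_network(sn["cidr"]).subnet_of(vpc_net):
            findings.append(f"{name}: {sn['cidr']} is outside VPC CIDR {vpc['cidr']}")
        tgt = default_target(sn)
        if tgt is None:
            findings.append(f"{name}: no default route, so no internet access")
        elif tgt != vpc["igw"] and tgt not in vpc["nat_gateways"]:
            findings.append(f"{name}: default route points at unknown target {tgt}")
        elif tgt in vpc["nat_gateways"]:
            # A NAT Gateway only works if its own subnet reaches the IGW directly.
            nat_subnet = vpc["nat_gateways"][tgt]
            if classify(vpc, nat_subnet) != "public":
                findings.append(f"{tgt}: NAT Gateway sits in private subnet {nat_subnet}")
    return findings
```

Moving `nat-1` into `subnet-private` in the dictionary reproduces the classic mistake the simulator warns about: the private subnet's default route points at a NAT Gateway that itself has no path to the internet.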

Common Architecture Patterns

  • Public Web Server: IGW + Public Subnet + EC2 with public IP. Simple setup for static sites or APIs.
  • Three-Tier App: Public subnet (ALB) then Private subnet (App servers) then Private subnet (Database).
  • Private with NAT: Private EC2 instances that need outbound internet (updates, APIs) via NAT Gateway.

Key Concepts

  • Public vs Private: Public subnets route 0.0.0.0/0 to IGW; private subnets route to NAT.
  • NAT Gateway Cost: NAT Gateways cost ~$32/month plus data transfer. Consider NAT instances for dev environments.
  • Security Layers: Security Groups (stateful) plus NACLs (stateless) protect resources.
  • High Availability: Deploy across multiple AZs with subnets in each.
  • VPC Peering: Connect VPCs together for private communication across accounts or regions.
  • Elastic IP: Static public IP that can be associated with resources in public subnets.

Security Best Practices

  • Least Privilege: Only open necessary ports in Security Groups.
  • Defense in Depth: Use both Security Groups and NACLs.
  • Private by Default: Put resources in private subnets unless they need public access.
  • VPC Flow Logs: Enable flow logs to monitor and troubleshoot traffic.
  • Endpoints: Use VPC endpoints for AWS services to avoid internet traffic.
