When I started designing the network for our Moodle LMS deployment on AWS, I quickly realised that getting the VPC architecture right from the start would save a lot of pain later. Here’s the approach I took and why.
What is a VPC?
A Virtual Private Cloud (VPC) is your own isolated section of the AWS cloud. Think of it as your private data centre inside AWS — you control the IP address ranges, subnets, routing, and what can talk to what. By default, nothing inside your VPC is accessible from the internet unless you explicitly allow it.
Public vs private subnets
The core principle of a secure VPC is separating resources that need internet access from those that don’t.
Public subnets are connected to an Internet Gateway. Resources here — like a load balancer or a bastion host — can be reached from the internet and can reach out to it directly.
Private subnets have no direct internet connection. Your application servers and databases live here. They can’t be reached from the outside world, which is exactly what you want for anything containing sensitive data or application logic.
The NAT Gateway problem
Here’s the catch: resources in private subnets still need to reach the internet sometimes — to download software updates, pull packages, or call external APIs. But you don’t want them publicly reachable.
This is what a NAT Gateway solves. It sits in a public subnet and acts as a middleman: private resources send outbound traffic through the NAT Gateway, which forwards it to the internet. Return traffic comes back the same way. But no inbound connections can be initiated from outside — the private resources remain unreachable.
Our final architecture
- Two public subnets across two availability zones — for the load balancer
- Two private subnets across two availability zones — for EC2 app servers and RDS
- One NAT Gateway in a public subnet — for outbound traffic from private subnets
- IAM roles on EC2 instances — no hardcoded credentials anywhere
- Security groups as the final layer — only allowing traffic on the specific ports each service needs
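A small audit check for the layout above, added here as an example (it is not code from the original post). It classifies subnets as public, private or isolated from route-table data shaped like the EC2 DescribeRouteTables response, and flags any subnet that was meant to be private but whose default route goes straight to an Internet Gateway. The sample route tables and every ID in them are constructed, and the helper names are my own.

```python
# Added example, not from the original post. Classify subnets from
# route-table data shaped like EC2 DescribeRouteTables output and flag
# "private" subnets that actually route to an Internet Gateway.
# Constructed sample matching the two-AZ layout: one table for the public
# subnets (default route via IGW), one for the private subnets (via NAT).
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-pub-a"}, {"SubnetId": "subnet-pub-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
        ],
    },
    {
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-priv-a"}, {"SubnetId": "subnet-priv-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"},
        ],
    },
]


def classify_subnets(route_tables):
    """Return {subnet_id: "public" | "private" | "isolated"}.
    public: default route (0.0.0.0/0) points at an Internet Gateway (igw-*);
    private: default route goes through a NAT Gateway; isolated: no default route.
    """
    kinds = {}
    for rtb in route_tables:
        kind = "isolated"
        for route in rtb.get("Routes", []):
            if route.get("DestinationCidrBlock") != "0.0.0.0/0":
                continue
            if str(route.get("GatewayId", "")).startswith("igw-"):
                kind = "public"
            elif route.get("NatGatewayId"):
                kind = "private"
        for assoc in rtb.get("Associations", []):
            if "SubnetId" in assoc:  # main-table associations carry no SubnetId
                kinds[assoc["SubnetId"]] = kind
    return kinds


def find_exposed(route_tables, expected_private):
    """Subnets meant to be private whose route table reaches the IGW directly."""
    kinds = classify_subnets(route_tables)
    return sorted(s for s in expected_private if kinds.get(s) == "public")
```

Feeding it the real output of `aws ec2 describe-route-tables` (the `RouteTables` list) gives the same check against a live VPC; an empty list from `find_exposed` for the app and database subnets is the result you want.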
What I learned
The biggest insight was that security in AWS is about layers, not a single firewall. The VPC design, security groups, IAM roles, and network ACLs (NACLs) all work together. Getting one layer wrong doesn’t necessarily mean a breach — but getting all of them right means you can sleep at night.