
VPC vs Subnet vs Security Group — Explained Simply

Confused by AWS networking? Learn how VPCs, Subnets, and Security Groups interact using real-world analogies that actually make sense.

Cloudshalla Architecture
Published 2026-03-10

AWS Networking Doesn't Have to Be Hard

When you first log into AWS, the networking dashboard feels like a pilot's cockpit. CIDR blocks, Route Tables, Internet Gateways... it's overwhelming. However, if you break it down into a universal real-world analogy, it becomes permanent knowledge.

The "Gated Office Building" Analogy

1. The VPC (Virtual Private Cloud) = The Campus Perimeter

Think of a VPC as a giant fenced perimeter around your corporate campus. It is a logically isolated network inside one AWS Region: anything inside the fence is yours, anything outside the fence is the wild internet (or another VPC, which you cannot reach unless you deliberately connect the two with peering or a Transit Gateway). By default, nothing outside can reach anything inside.

When you create a VPC with a CIDR block of 10.0.0.0/16, you are effectively buying a plot of land with 65,536 addresses (employees). Not all of them are assignable: AWS reserves the first four and the last address of every subnet you carve out of that block, so a /24 subnet gives you 251 usable addresses rather than 256.

2. The Subnet = Individual Buildings / Floors

You cannot just throw 65,000 employees into a massive open field. You organize them. A subnet is a logical segmentation of your campus: you carve the VPC's CIDR block into smaller, non-overlapping ranges, and each subnet lives in exactly one Availability Zone. Whether a subnet is "public" or "private" is not a checkbox; it is decided entirely by the route table attached to it.

  • Public Subnet (The Reception Area): This lobby has doors to the outside streets, because its route table sends 0.0.0.0/0 to an Internet Gateway. The public can walk in here (an instance here also needs a public or Elastic IP to be reachable). You put your public Web Servers or load balancers here.
  • Private Subnet (The Vault / Server Room): This floor has NO doors to the outside streets, because its route table has no route to an Internet Gateway. Inbound traffic can only arrive by way of something in the reception area (a load balancer or bastion host) or over a VPN or peering connection; if the servers need to fetch patches, a NAT Gateway in the public subnet gives them outbound-only access. You put your databases here so they are never directly reachable from the internet.
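To make the carving and the public/private distinction concrete, here is an added example (not code from the original article or from Cloudshalla) that plans subnets inside a 10.0.0.0/16 VPC with Python's standard ipaddress module. It applies the five reserved addresses per subnet, checks that the subnets fit inside the VPC without overlapping, and classifies each subnet from its route table exactly the way AWS does: a 0.0.0.0/0 route to an igw- target makes it public, a nat- target leaves it private with outbound-only reach. The gateway IDs and the plan itself are constructed placeholders, not real resources.

```python
import ipaddress
import itertools

# AWS reserves the first four and the last address of every subnet
# (network, VPC router, DNS resolver, reserved for future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5


def usable_addresses(cidr: str) -> int:
    """Addresses AWS can actually assign to instances in one subnet."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def carve(vpc_cidr: str, new_prefix: int, count: int) -> list[str]:
    """Split the VPC range into `count` equal, consecutive, non-overlapping subnets."""
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = list(itertools.islice(vpc.subnets(new_prefix=new_prefix), count))
    if len(subnets) < count:
        raise ValueError(f"{vpc_cidr} cannot hold {count} /{new_prefix} subnets")
    return [str(s) for s in subnets]


def validate_plan(vpc_cidr: str, subnet_cidrs: list[str]) -> list[str]:
    """Every subnet must sit inside the VPC and none may overlap (AWS rejects both)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = []
    for i, a in enumerate(nets):
        if not a.subnet_of(vpc):
            problems.append(f"{a} is outside {vpc}")
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def subnet_kind(route_table: list[tuple[str, str]]) -> str:
    """'public' only if the default route points at an Internet Gateway.

    A NAT Gateway target gives instances outbound-only reach and keeps the
    subnet private; no default route at all makes it fully isolated.
    """
    for destination, target in route_table:
        if destination == "0.0.0.0/0":
            if target.startswith("igw-"):
                return "public"
            if target.startswith("nat-"):
                return "private (outbound via NAT)"
    return "private (isolated)"


# Constructed plan: one /16 VPC, a public and a private /24 in each of two
# Availability Zones. The igw-/nat- identifiers are placeholders.
VPC = "10.0.0.0/16"
LOCAL = (VPC, "local")  # every VPC route table carries this entry
PLAN = {
    "public-a":  ("10.0.0.0/24",  [LOCAL, ("0.0.0.0/0", "igw-0example")]),
    "public-b":  ("10.0.1.0/24",  [LOCAL, ("0.0.0.0/0", "igw-0example")]),
    "private-a": ("10.0.10.0/24", [LOCAL, ("0.0.0.0/0", "nat-0example")]),
    "private-b": ("10.0.11.0/24", [LOCAL]),
}


def describe(plan=PLAN) -> dict[str, tuple[str, str, int]]:
    """Name -> (cidr, public/private classification, usable addresses)."""
    return {name: (cidr, subnet_kind(rt), usable_addresses(cidr))
            for name, (cidr, rt) in plan.items()}


if __name__ == "__main__":
    for name, info in describe().items():
        print(name, *info)
    print("problems:", validate_plan(VPC, [c for c, _ in PLAN.values()]))
```

The classification rule is the check worth internalizing: if you are ever unsure whether a subnet is exposed, read its route table, not its name or its tags.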

3. The Security Group = The Bouncer at the Server Door

A Security Group (SG) is a highly specific bouncer assigned to a specific room (or EC2 instance).

Imagine you have a web server in the Reception Area. You assign a Security Group to it (strictly speaking, to its network interface). You tell the bouncer: "Only allow people speaking HTTP (Port 80) or HTTPS (Port 443) inside." If someone tries to enter speaking SSH (Port 22), the bouncer silently drops them. Notice that you never wrote a rule saying "block SSH": a Security Group has allow rules only, and anything not explicitly allowed is dropped.

Because the bouncer is stateful, if they let a visitor in on port 443, they remember that conversation and let the server's reply back out without checking the outbound rules, even if the reply goes to some random ephemeral port on the visitor's side. The same holds in reverse: when the instance opens a connection outward (the default Security Group allows all outbound traffic), the reply is let in without an inbound rule.

What about NACLs?

Network Access Control Lists (NACLs) are the security guards at the front gate of the Subnet building. They check inbound traffic *before* it even reaches the instance's Security Group bouncer. Unlike Security Groups (which only allow), NACLs have numbered ALLOW and DENY rules, evaluated from the lowest number upward with the first match winning, so they can explicitly DENY a specific malicious IP address from entering the building entirely. The catch is that NACLs are stateless: the guard has no memory of the conversation and judges every packet on its own, in both directions. If you allow port 443 inbound but forget an outbound rule for the ephemeral port range (1024-65535), the server's replies never leave the building.
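The difference between the stateful bouncer and the stateless guard is easiest to see by running packets through both. The following is an added example (not code from the original article or from Cloudshalla) that models a Security Group and a NACL as small evaluators and pushes a constructed HTTPS request, its reply, an SSH probe, and a packet from a blocked range through them. The addresses come from the documentation ranges and the rule sets are invented for the demonstration; the evaluation semantics (allow-only plus connection tracking for the Security Group, ordered allow/deny with an implicit final deny for the NACL, port ranges matched against the destination port) follow how AWS documents the two features.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp", "udp", or "-1" for any protocol
    port_from: int        # destination-port range the rule covers
    port_to: int
    cidr: str             # remote address range
    action: str = "allow"  # NACL rules may be "deny"; SG rules are always "allow"
    number: int = 0        # NACL evaluation order (lowest first); ignored by SGs

    def matches(self, pkt: Packet, remote_ip: str) -> bool:
        return (self.proto in ("-1", pkt.proto)
                and self.port_from <= pkt.dst_port <= self.port_to
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr))


def _remote(pkt: Packet, direction: str) -> str:
    """The 'other side' of the packet, relative to the protected instance."""
    return pkt.src_ip if direction == "inbound" else pkt.dst_ip


class SecurityGroup:
    """Instance-level, stateful, allow-only: no deny rules, unmatched traffic is dropped."""

    def __init__(self, inbound: list[Rule], outbound: list[Rule]):
        self.rules = {"inbound": inbound, "outbound": outbound}
        self.tracked: set[tuple] = set()  # flows already admitted in either direction

    def evaluate(self, pkt: Packet, direction: str) -> bool:
        # Key is (instance ip/port, remote ip/port, proto) so request and reply hash alike.
        if direction == "inbound":
            key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        else:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key in self.tracked:
            return True  # reply of a tracked flow passes without a rule for its direction
        if any(r.matches(pkt, _remote(pkt, direction)) for r in self.rules[direction]):
            self.tracked.add(key)
            return True
        return False


class NetworkAcl:
    """Subnet-level, stateless: each packet judged alone, lowest rule number wins."""

    def __init__(self, inbound: list[Rule], outbound: list[Rule]):
        self.rules = {"inbound": sorted(inbound, key=lambda r: r.number),
                      "outbound": sorted(outbound, key=lambda r: r.number)}

    def evaluate(self, pkt: Packet, direction: str) -> bool:
        for r in self.rules[direction]:
            if r.matches(pkt, _remote(pkt, direction)):
                return r.action == "allow"
        return False  # the '*' deny rule at the bottom of every NACL


# Constructed sample traffic using documentation-range addresses.
WEB, CLIENT = "10.0.1.20", "203.0.113.10"
REQUEST = Packet(CLIENT, 54321, WEB, 443)   # client's TCP SYN to the web server
REPLY = Packet(WEB, 443, CLIENT, 54321)     # server's answer, back to the ephemeral port
SSH_PROBE = Packet(CLIENT, 40000, WEB, 22)


def security_group_demo() -> dict[str, bool]:
    """Web SG with 80/443 inbound and deliberately NO outbound rules, to expose statefulness."""
    sg = SecurityGroup(inbound=[Rule("tcp", 80, 80, "0.0.0.0/0"),
                                Rule("tcp", 443, 443, "0.0.0.0/0")],
                       outbound=[])
    return {
        "https_request": sg.evaluate(REQUEST, "inbound"),
        "https_reply": sg.evaluate(REPLY, "outbound"),    # allowed: tracked flow
        "ssh_probe": sg.evaluate(SSH_PROBE, "inbound"),   # dropped: no rule, no deny needed
        "cold_outbound": sg.evaluate(Packet(WEB, 9999, CLIENT, 53), "outbound"),  # untracked
    }


def nacl_demo(allow_ephemeral_out: bool) -> dict[str, bool]:
    """Subnet NACL admitting 443, with or without the outbound ephemeral-port rule."""
    outbound = [Rule("tcp", 443, 443, "0.0.0.0/0", number=100)]
    if allow_ephemeral_out:
        outbound.append(Rule("tcp", 1024, 65535, "0.0.0.0/0", number=110))
    nacl = NetworkAcl(inbound=[Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
                      outbound=outbound)
    return {"https_request": nacl.evaluate(REQUEST, "inbound"),
            "https_reply": nacl.evaluate(REPLY, "outbound")}


def nacl_deny_demo() -> dict[str, bool]:
    """Rule 50 blocks one hostile range before rule 100 admits everyone on 443."""
    nacl = NetworkAcl(
        inbound=[Rule("-1", 0, 65535, "198.51.100.0/24", action="deny", number=50),
                 Rule("tcp", 443, 443, "0.0.0.0/0", number=100)],
        outbound=[Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)])
    return {"blocked_range": nacl.evaluate(Packet("198.51.100.7", 50000, WEB, 443), "inbound"),
            "client": nacl.evaluate(REQUEST, "inbound")}
```

Run nacl_demo(False) and nacl_demo(True) side by side: the inbound request is admitted in both cases, but the reply only gets out once the outbound ephemeral range is allowed, which is exactly the mistake that makes a freshly locked-down NACL "break the website".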
