If route table has a route to internet gateway - then subnet associated with that route table is public, otherwise the subnet is private. Steps to enable connection with internet from the subnet:

• Create internet gateway and attach it to the VPC.
• Add a route to the route table.
• Ensure that instances have public IP address.
• Ensure that security groups and network access control lists allow internet traffic.

AWS docs

Privately connect to AWS services from your subnet, that way traffic doesn't leave Amazon network. There are 2 types of VPC endpoints:

• Interface endpoints - supported by a lot of AWS services (full list).
• Gateway endpoints - supported by S3 and DynamoDB.

AWS docs

Connect VPCs across accounts and region, as if the resources in VPCs are part of the same network. AWS docs

Transit gateway - central hub for routing traffic between VPCs, VPN connections, and AWS Direct connections. AWS docs

VPN connectivity options:

• AWS Site-to-Site VPN
• AWS Client VPN
• AWS VPN CloudHub
• Third party software VPN appliance

AWS docs

An Elastic IP address is a static, public IPv4 address designed specifically for the dynamic nature of cloud computing. This feature allows you to associate an Elastic IP address with any instance or network interface within any Virtual Private Cloud (VPC) in your AWS account. AWS docs

Network Address Translation (NAT) gateway can be used so that instances in a private subnet can connect to services outside your VPC but external services cannot initiate a connection with those instances. AWS docs

VPC subnet sharing allows multiple AWS accounts to create their application resources into shared, centrally-managed virtual private clouds (VPC). AWS docs

VPC - a virtual network, that consists of one or more subnets.

• Each subnet resembles Availability Zone.
• Default VPC is created in each region for you.
• Number of subnets depends on the number of AZ in the region.

AWS docs

A subnet is a range of IP addresses in your VPC. Each subnet must reside within one Availability Zone.

Subnet type is determined by how routing is configured:
• Public subnet - the subnet has a direct route to the internet gateway.
• Private subnet - the subnet doesn not have a direct route to the internet gateway.
• VPN-only subnet - the subnet has a route to a site-to-site vpn connection.
• Isolated subnet - the subnet has no routes to destinations outside its VPC.

In the scheme below both subnets have access to internet. Public one - have direct route to internet gateway (igw-12345), private one - doesn't have direct access to internet gateway. AWS docs

A route table contains a set of rules, called routes, that determine where network traffic from your subnet or gateway is directed.

• Each subnet in your VPC must be associated with a route table.
• You can explicitly associate a subnet with a particular route table. Otherwise, the subnet is implicitly associated with the main route table.
• A subnet can only be associated with one route table at a time, but you can associate multiple subnets with the same subnet route table.
• CIDR blocks for IPv4 and IPv6 are treated separately.
• Doesn't matter position of the rule in the table.

Route table rules priority (from highest to lowest): Longest prefix => Static routes => Prefix list routes => Propagated routes AWS docs

Private IPv4 addresses:

• Not reachable over the internet.
• For each VPC CIDR block must be specified (between /16 and /28 netmask)
• You can assign additional private IP addresses, that can be reassigned.
• You cannot change CIDR block after creation.
• AWS reserver first 4 and last private IP address in each subnet.

Public IPv4 addresses:

• When 'public IP address' is enabled for the subnet - IP address is assign automatically for each instance in the subnet.
• A public IP address is mapped to the primary private IP address.
• Assigned public IP is not associated with your account, it comes from AWS ip pool.
• Use elastic IP to have a persistent IP for your instances.

AWS docs

You can use prefix lists to make it easier to configure and maintain your security groups and route tables. There are two types of prefix lists:

• Customer-managed prefix lists — Sets of IP address ranges that you define and manage.
• AWS-managed prefix lists — Sets of IP address ranges for AWS services.

AWS docs

Classles Inter-Domain Routing notation - a concise way to represent collection of IP addresses. AWS docs

Network Address Usage (NAU) is a metric applied to resources in your virtual network to help you plan for and monitor the size of your VPC. Each VPC can have up to 64,000 NAU units by default. You can request a quota increase up to 256,000.

How NAU is calculated:
• 1 unit - private or public IP, additional network interface, prefix assigned to a network interface
• 6 units - NLB, GLB, VPC endpoint per AZ, Transit gateway attachment, Lambda function, NAT gateway, EFS mount target

AWS docs

A security group controls the traffic that is allowed to reach and leave the resources that it is associated with.

• Security group consists of inboud and outbound rules.
• Security group can be attached to the resources in VPC.
• Security groups are statefull. You always allowed to get response for the request, regardless of the inboud rules.
• You can specify only allow rules.
• When you assign multiple security groups to one instance - rules are aggregated to form a single set of rules.
• Another security group can be used as a source or destination of the rule.

AWS docs

A network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level.

• By default VPC comes with network ACL that allows all inbound and outbound traffic.
• Each subnet must be associated with only one network ACL. However, network ACL can be associted with multiple subnets.
• You can specify allow and deny rules.
• Rules are evaluated in order starting from the lowest number. If the traffic matches a rule, the rule is applied and all further rules are not evaluated.
• NACLs are stateless. You are not guaranteed to get response on the request.

AWS docs

Capture information abouth the IP traffic going to and from network interfaces in your VPC.

• Store logs in CloudWatch logs, S3 or Data Firehose.
• You can create a flow log for a VPC, a subnet, or a network interface.

AWS docs