Recipe: AWS VPC subnet + route design
A production-ready VPC layout with public, private, and database subnets across three Availability Zones. Includes NAT Gateway routing, VPC endpoints for S3 and DynamoDB, and network ACLs.
Architecture
- CIDR: 10.0.0.0/16
- 3 public subnets (one per AZ): ALB / bastion tier
- 3 private subnets (one per AZ): application tier
- 3 database subnets (one per AZ): RDS / ElastiCache
- Single NAT Gateway in AZ-a. This is a cost trade-off, not a high-availability design: a NAT Gateway is zonal and VPC route tables have no built-in route failover, so if every private route table points at the AZ-a gateway, an AZ-a outage removes outbound internet access from the application tier in all three AZs. For zone-independent egress, deploy one NAT Gateway per AZ and give each AZ's private subnet its own route table.
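The subnet carve-up above can be derived and checked mechanically. The following is an added example, not the recipe's Terraform module: it takes the 10.0.0.0/16 and three AZs from the architecture, assumes per-tier prefix lengths (/20 for the application tier, /24 for the public and database tiers; the page does not state sizes), allocates one subnet per tier and AZ largest-first so nothing fragments, verifies that no two subnets overlap, subtracts the five addresses AWS reserves in every subnet, and reports the space left for growth.

```python
import ipaddress

# Added example, not the page's Terraform module. The /16 and three AZs come from
# the recipe; the per-tier prefix lengths below are this example's assumption.
VPC_CIDR = "10.0.0.0/16"
AZS = ("a", "b", "c")
TIER_PREFIX = {"public": 24, "private": 20, "database": 24}
AWS_RESERVED = 5  # network, VPC router, DNS, future use, broadcast: unusable in every subnet


def plan_subnets(vpc_cidr=VPC_CIDR, tier_prefix=TIER_PREFIX, azs=AZS):
    """Carve the VPC into one subnet per (tier, AZ), largest tiers first so the
    address space is not fragmented. Returns {"private-a": IPv4Network, ...}."""
    vpc = ipaddress.ip_network(vpc_cidr)
    allocated, plan = [], {}
    for tier, prefix in sorted(tier_prefix.items(), key=lambda kv: kv[1]):
        for az in azs:
            # first block of the right size that overlaps nothing already handed out
            block = next(s for s in vpc.subnets(new_prefix=prefix)
                         if not any(s.overlaps(a) for a in allocated))
            allocated.append(block)
            plan[f"{tier}-{az}"] = block
    return plan


def check_plan(plan, vpc_cidr=VPC_CIDR):
    """Raise on overlap or on a subnet outside the VPC; return usable hosts per subnet."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = list(plan.items())
    for i, (name, net) in enumerate(nets):
        if not net.subnet_of(vpc):
            raise ValueError(f"{name} {net} is outside {vpc}")
        for other_name, other in nets[i + 1:]:
            if net.overlaps(other):
                raise ValueError(f"{name} {net} overlaps {other_name} {other}")
    return {name: net.num_addresses - AWS_RESERVED for name, net in plan.items()}


def free_space(plan, vpc_cidr=VPC_CIDR):
    """Unallocated address space left for growth, as collapsed CIDRs."""
    free = [ipaddress.ip_network(vpc_cidr)]
    for sub in plan.values():
        # address_exclude() yields the pieces of blk that are not sub
        free = [piece for blk in free
                for piece in (blk.address_exclude(sub) if sub.subnet_of(blk) else [blk])]
    return sorted(ipaddress.collapse_addresses(free))


if __name__ == "__main__":
    plan = plan_subnets()
    for name, hosts in check_plan(plan).items():
        print(f"{name:12} {str(plan[name]):18} usable hosts: {hosts}")
    print("free for growth:", [str(n) for n in free_space(plan)])
```

Running it shows the three /20 application subnets placed first (10.0.0.0/20, 10.0.16.0/20, 10.0.32.0/20), the six /24s behind them, and that the /16 still has more than half its space free; `check_plan` is the invariant worth keeping in CI when someone edits the module's subnet list.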
Route tables
| Subnet | Destination | Target |
|---|---|---|
| Public | 0.0.0.0/0 | Internet Gateway |
| Private | 0.0.0.0/0 | NAT Gateway |
| Database | 0.0.0.0/0 | (none — isolated) |
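The route table above is resolved by longest-prefix match, and the S3 and DynamoDB gateway endpoints described in the next section take effect by adding one route per prefix-list CIDR to the associated tables. The following added example (not the recipe's module) models that: the target names are descriptive labels rather than real AWS resource IDs, the endpoint CIDRs are stand-ins from the RFC 5737 TEST-NET ranges because the real prefix lists are region-specific, and associating the S3 endpoint with the database route table is this example's choice, not something the page states.

```python
import ipaddress

# Added example, not the page's Terraform module. Targets are labels, not AWS IDs;
# the prefix-list CIDRs are constructed stand-ins (RFC 5737), not real S3/DynamoDB ranges.
S3_PREFIX_LIST = ["198.51.100.0/24", "203.0.113.128/25"]
DYNAMODB_PREFIX_LIST = ["192.0.2.0/24"]


def with_prefix_list(cidrs, target):
    """A gateway endpoint appears in a route table as one route per CIDR in its prefix list."""
    return [(cidr, target) for cidr in cidrs]


ROUTE_TABLES = {
    # every VPC route table carries the implicit local route for the VPC CIDR
    "public": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "internet-gateway")],
    "private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-gateway-a")]
               + with_prefix_list(S3_PREFIX_LIST, "vpce-s3")
               + with_prefix_list(DYNAMODB_PREFIX_LIST, "vpce-dynamodb"),
    # database: no default route. Attaching the S3 gateway endpoint here is this
    # example's assumption; it lets the tier reach S3 while staying off the internet.
    "database": [("10.0.0.0/16", "local")] + with_prefix_list(S3_PREFIX_LIST, "vpce-s3"),
}


def resolve(table_name, dst_ip):
    """Longest-prefix match, as the VPC router does. No matching route: the packet is dropped."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in ROUTE_TABLES[table_name]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else "dropped"


def has_internet_egress(table_name):
    """True if the table carries a default route to anything other than an endpoint."""
    return any(cidr == "0.0.0.0/0" for cidr, _ in ROUTE_TABLES[table_name])


if __name__ == "__main__":
    for table in ROUTE_TABLES:
        print(f"{table:9} 203.0.113.9 -> {resolve(table, '203.0.113.9')},"
              f" S3 stand-in 198.51.100.20 -> {resolve(table, '198.51.100.20')},"
              f" internet egress: {has_internet_egress(table)}")
```

Two things the output makes concrete: a packet from the application tier to an S3 address matches the more specific prefix-list route and bypasses the NAT Gateway even though a default route exists, and the database table drops internet-bound packets while still reaching S3. `has_internet_egress("database")` is the invariant to assert in a policy check, because a well-meaning default route added later would silently end the tier's isolation.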
VPC Endpoints
Gateway endpoints for S3 and DynamoDB add a route for each service's prefix list to the associated route tables (the private tables, and optionally the database tables), so that traffic stays on the AWS network and never traverses the NAT Gateway; they have no hourly charge. Interface endpoints (PrivateLink ENIs with private DNS enabled) for ECR, Secrets Manager, and CloudWatch Logs are placed in the private subnets; they carry their own hourly and per-GB charge but avoid NAT Gateway data-processing charges for AWS API calls. ECR needs two interface endpoints (ecr.api and ecr.dkr), and image layer pulls additionally require the S3 gateway endpoint, because layers are served from S3. Attach an endpoint policy to each endpoint to restrict which buckets, tables, or secrets can be reached through it.
NACL rules
Network ACLs are stateless, so each tier needs explicit rules in both directions, including an inbound rule for the ephemeral port range (1024-65535) that carries replies to connections the tier itself initiated. Database subnets allow inbound only on the database ports (for example 5432 for RDS PostgreSQL and 6379 for ElastiCache Redis) from the private subnet CIDRs and deny everything from outside the VPC. Private subnets allow inbound on the application port from the public subnet CIDRs, plus ephemeral ports from 0.0.0.0/0 for return traffic arriving through the NAT Gateway and the VPC endpoints. Public subnets allow 443 from 0.0.0.0/0, 22 from a trusted bastion CIDR, and ephemeral ports from 0.0.0.0/0 so responses to ALB-originated and NAT-translated connections can return. Because those ephemeral rules are necessarily broad, the NACLs are a coarse backstop; security groups, which are stateful, remain the primary per-resource control.
Last updated: June 2025 · Terraform module available in the module registry