AWS VPC Design Patterns

February 13, 2026 | AWS VPC Networking

Three production VPC patterns.

Three Production VPC Design Patterns

Your VPC design determines network security, scalability, and operational complexity. Choosing the right pattern from the start saves costly re-architecture later. Here are three proven patterns for different scales and requirements.

Pattern 1: Single VPC (Small Teams)

A single VPC with public, private, and data subnets across multiple AZs:

VPC: 10.0.0.0/16
├── Public Subnets (ALB, NAT Gateway)
│   ├── 10.0.1.0/24 (us-east-1a)
│   └── 10.0.2.0/24 (us-east-1b)
├── Private Subnets (Application)
│   ├── 10.0.10.0/24 (us-east-1a)
│   └── 10.0.11.0/24 (us-east-1b)
└── Data Subnets (RDS, ElastiCache)
    ├── 10.0.20.0/24 (us-east-1a)
    └── 10.0.21.0/24 (us-east-1b)

Best for: Teams with <5 services, single environment, simple compliance needs.

Pattern 2: Multi-VPC per Environment

Separate VPCs for dev, staging, and production with VPC peering:

Production VPC: 10.0.0.0/16
Staging VPC:    10.1.0.0/16
Development VPC: 10.2.0.0/16
Shared Services VPC: 10.3.0.0/16 (CI/CD, monitoring, DNS)

Peering:
  Production ↔ Shared Services
  Staging ↔ Shared Services
  Development ↔ Shared Services

Best for: Teams needing environment isolation, regulatory requirements, moderate scale.

Pattern 3: Hub-and-Spoke with Transit Gateway

Centralized networking with Transit Gateway for many VPCs and hybrid connectivity:

Transit Gateway (hub)
├── Production VPC (10.0.0.0/16)
├── Staging VPC (10.1.0.0/16)
├── Development VPC (10.2.0.0/16)
├── Shared Services VPC (10.3.0.0/16)
├── Security VPC (10.4.0.0/16) — inspection, logging
├── Site-to-Site VPN → On-premises (172.16.0.0/12)
└── Direct Connect → Data center

Best for: Enterprise scale, multiple teams/accounts, hybrid cloud, compliance-heavy industries.

CIDR Planning Best Practices

  • Use /16 for VPCs — Provides 65,536 IPs, enough for growth
  • Use /24 for subnets — 251 usable IPs per subnet (AWS reserves 5)
  • Don't overlap CIDRs — Especially with on-premises networks and other VPCs
  • Plan for 3 AZs — Even if starting with 2, allocate CIDR space for a third
  • Reserve ranges for future VPCs — Use 10.0-10.3 now, keep 10.4-10.255 available
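As an added example (not code from the original post), the following Python check applies the CIDR rules above to the ranges used in the three patterns with the standard ipaddress module: it flags overlapping blocks across VPCs and the on-premises network, applies AWS's five reserved addresses per subnet, and carves the three-tier subnet layout of Pattern 1 across three AZs. The per-tier third-octet offsets (1, 10, 20) are an assumption that mirrors Pattern 1's numbering.

```python
"""Sanity-check a VPC CIDR plan with the standard library's ipaddress module."""
import ipaddress
from itertools import combinations

# AWS reserves the first four and the last address of every subnet
# (network, VPC router, DNS resolver, future use, broadcast).
AWS_RESERVED_PER_SUBNET = 5

# Constructed sample plan using the ranges from the patterns above; the
# on-premises block is included because it must not collide with any VPC.
CIDR_PLAN = {
    "production": "10.0.0.0/16",
    "staging": "10.1.0.0/16",
    "development": "10.2.0.0/16",
    "shared-services": "10.3.0.0/16",
    "security": "10.4.0.0/16",
    "on-premises": "172.16.0.0/12",
}

# Assumed third-octet offset per tier, mirroring Pattern 1 (10.0.1.x public,
# 10.0.10.x private, 10.0.20.x data); the gaps leave room for more AZs.
TIER_BASES = {"public": 1, "private": 10, "data": 20}


def find_overlaps(plan):
    """Return name pairs whose CIDRs overlap; overlaps break peering and TGW routing."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    return sorted((a, b) for (a, na), (b, nb) in combinations(sorted(nets.items()), 2)
                  if na.overlaps(nb))


def usable_ips(cidr):
    """Host addresses actually assignable in a subnet, e.g. 251 for a /24."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def subnet_plan(vpc_cidr, azs):
    """Carve one /24 per tier per AZ out of a /16 VPC using the TIER_BASES numbering."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if vpc.prefixlen != 16:
        raise ValueError("this layout assumes a /16 VPC")
    bases = sorted(TIER_BASES.values())
    room = min(b - a for a, b in zip(bases, bases[1:] + [256]))  # smallest tier gap
    if len(azs) > room:
        raise ValueError(f"at most {room} AZs fit this tier numbering")
    blocks = list(vpc.subnets(new_prefix=24))  # the 256 /24s of the VPC, in order
    return {(tier, az): str(blocks[base + i])
            for tier, base in TIER_BASES.items() for i, az in enumerate(azs)}
```

find_overlaps(CIDR_PLAN) returns an empty list for the plan above, and subnet_plan("10.0.0.0/16", ["us-east-1a", "us-east-1b", "us-east-1c"]) reproduces Pattern 1's six subnets plus a third AZ in each tier.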

Subnet Strategy

Subnet Type | Purpose                                     | Internet Access
------------|---------------------------------------------|----------------
Public      | Load balancers, NAT Gateways, bastion hosts | Direct (IGW)
Private     | Application servers, containers, Lambda     | Via NAT Gateway
Data        | RDS, ElastiCache, OpenSearch                | None
Transit     | TGW attachments, VPN endpoints              | None

Security Layers

  1. NACLs — Stateless subnet-level firewall (defense in depth)
  2. Security Groups — Stateful instance-level firewall (primary control)
  3. VPC Flow Logs — Traffic visibility and anomaly detection
  4. Network Firewall — Deep packet inspection for compliance

Eazy SaaS Tip: We start most SMB clients with Pattern 2 (multi-VPC) and upgrade to Pattern 3 (Transit Gateway) when they exceed 5 VPCs or add hybrid connectivity. Starting with proper CIDR planning saves painful re-IPing later.