Cloud Infrastructure 8 min read 21 July 2025

VPC Design Patterns for AWS Production Workloads: QuickInfra's Recommended Architectures

Your VPC design determines your security posture, network performance, and operational complexity for years. Here are the three VPC patterns QuickInfra recommends for production workloads — and when to use each.


QuickInfra Team

QuickInfra Cloud Solution

VPC Networking AWS Security Architecture

A poorly designed VPC is painful to fix once workloads are running in it. CIDR ranges that don't have room to grow, subnets in only one availability zone, databases in public subnets — these architectural mistakes get compounded over time. QuickInfra's VPC templates encode three production-tested patterns for common workload types.

Pattern 1: Simple Public/Private Split

For single-application deployments, the minimal correct VPC has:

  • A /16 VPC CIDR (65,536 addresses — plenty of room to grow)
  • Two public subnets across two AZs for the load balancer and NAT gateways
  • Two private subnets across two AZs for application servers
  • Two isolated subnets across two AZs for databases

The public subnets' route tables send internet-bound traffic to the VPC's internet gateway. Private subnets route outbound internet traffic through NAT gateways in the public subnets. Isolated subnets have no route to the internet — they can only communicate with resources in other subnets via VPC-internal routing.

Pattern 2: Three-Tier With Transit Gateway Connectivity

For multi-account architectures where multiple VPCs need to communicate, Transit Gateway provides a hub-and-spoke routing model. Each workload VPC attaches to the central Transit Gateway instead of using VPC Peering (which doesn't scale to many accounts). The central VPC (typically in a shared services account) hosts DNS, internal tooling, and egress inspection.

Pattern 3: Shared VPC (Resource Access Manager)

AWS Resource Access Manager allows subnets from one account's VPC to be shared with other accounts. Workload accounts attach resources directly to the shared subnets without owning their own VPC. This simplifies network management for large organisations — you manage one set of VPCs in a central account rather than one per workload account.

CIDR Planning

Plan your CIDR ranges before deploying anything. VPC CIDR ranges cannot overlap with each other if you want to use VPC Peering or Transit Gateway. QuickInfra's CIDR planning view shows all existing VPC CIDRs across your connected accounts and validates that a new VPC's CIDR doesn't conflict with existing ones.
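The following is an added example, not QuickInfra's template code or the output of its CIDR planning view. It carves a /16 into the Pattern 1 layout (two public, two private, two isolated subnets across two AZs) and then validates the design against the rules stated above: the VPC must not overlap any VPC it might peer with or attach to a Transit Gateway alongside, every tier must span two AZs, and each tier's default route must match its role (public to the internet gateway, private via NAT, isolated with no internet route). The /20 subnet size, the AZ suffixes and the route-table representation are assumptions made for the example.

```python
"""Carve a /16 into the Pattern 1 layout and validate it (added example, not QuickInfra code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Default-route target each tier should have, as described in the post:
# public -> internet gateway, private -> NAT gateway, isolated -> no internet route.
TIER_ROUTE = {"public": "igw", "private": "nat", "isolated": None}


@dataclass(frozen=True)
class Subnet:
    name: str
    tier: str
    az: str
    cidr: ipaddress.IPv4Network


def plan_pattern1(vpc_cidr: str, azs: tuple[str, ...] = ("a", "b")) -> list[Subnet]:
    """Hand one /20 (assumed size) to each tier in each AZ, in tier order."""
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = iter(vpc.subnets(new_prefix=20))  # a /16 holds 16 x /20; 6 used, 10 kept spare
    return [Subnet(f"{tier}-{az}", tier, az, next(blocks)) for tier in TIER_ROUTE for az in azs]


def expected_routes(subnets: list[Subnet]) -> dict[str, str | None]:
    """Route tables as 'subnet name -> default route target' (hypothetical representation)."""
    return {s.name: TIER_ROUTE[s.tier] for s in subnets}


def validate_plan(vpc_cidr: str, subnets: list[Subnet],
                  route_tables: dict[str, str | None], existing_vpcs: list[str]) -> list[str]:
    """Return a list of problems; an empty list means the design passes every check."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems: list[str] = []

    # CIDR planning: no overlap with VPCs that may be peered or attached to the same TGW
    for other in existing_vpcs:
        if vpc.overlaps(ipaddress.ip_network(other)):
            problems.append(f"VPC {vpc} overlaps existing VPC {other}")

    # Every subnet must sit inside the VPC and be disjoint from every other subnet
    for i, s in enumerate(subnets):
        if not s.cidr.subnet_of(vpc):
            problems.append(f"{s.name} {s.cidr} is outside VPC {vpc}")
        for t in subnets[i + 1:]:
            if s.cidr.overlaps(t.cidr):
                problems.append(f"{s.name} {s.cidr} overlaps {t.name} {t.cidr}")

    # Every tier must span at least two availability zones
    for tier in TIER_ROUTE:
        zones = {s.az for s in subnets if s.tier == tier}
        if len(zones) < 2:
            problems.append(f"tier {tier} is only in {len(zones)} AZ(s)")

    # Each subnet's default route must match its tier (catches e.g. a database
    # subnet that was given an internet gateway route)
    for s in subnets:
        actual = route_tables.get(s.name)
        if actual != TIER_ROUTE[s.tier]:
            problems.append(f"{s.name} default route is {actual!r}, expected {TIER_ROUTE[s.tier]!r}")
    return problems


if __name__ == "__main__":
    plan = plan_pattern1("10.0.0.0/16")
    for s in plan:
        print(f"{s.name:12} {s.cidr}  default route -> {TIER_ROUTE[s.tier]}")
    print(validate_plan("10.0.0.0/16", plan, expected_routes(plan), ["10.1.0.0/16"]))
```

Running the check with an existing VPC of 10.0.128.0/17, or with the isolated-a route table pointed at "igw", returns the corresponding problem string instead of an empty list, which is the kind of mistake the post says is hard to undo once workloads are running.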

Flow Logs

VPC Flow Logs capture metadata about the IP traffic flowing through your network interfaces. This data is essential for security investigations, compliance evidence, and network troubleshooting. QuickInfra enables Flow Logs on every provisioned VPC by default, with logs stored in a dedicated S3 bucket in your account.
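As an added example of the kind of investigation Flow Logs make possible (not QuickInfra code, and not a description of how its bucket is read), the script below parses default-format version 2 flow log records and flags any flow that touches the isolated database tier from outside the VPC. Under Pattern 1 such traffic should never exist, so any hit points at a route table, peering or Transit Gateway misconfiguration worth investigating. The log lines are constructed for the example, the tier CIDRs are the ones assumed in the CIDR planning example (10.0.64.0/20 and 10.0.80.0/20 isolated, inside 10.0.0.0/16), and the records are read from a string rather than fetched from S3.

```python
"""Flag flows between the isolated tier and non-VPC addresses (added example, not QuickInfra code)."""
from __future__ import annotations

import ipaddress

# Field order of the default (version 2) VPC Flow Log record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status"]

# Constructed sample records: an in-VPC app-to-database flow, an external host
# probing the database tier, the database tier reaching out to the internet,
# and a NODATA record with '-' placeholders.
SAMPLE_LOG = """\
2 123456789012 eni-0aaa 10.0.32.10 10.0.64.10 44312 5432 6 12 2400 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0bbb 198.51.100.7 10.0.64.10 51000 5432 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0ccc 10.0.64.10 203.0.113.9 50000 443 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0ddd - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_records(text: str) -> list[dict[str, str]]:
    """Split space-separated records into dicts; lines with the wrong field count are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # blank, custom-format or truncated line: do not guess at its layout
        records.append(dict(zip(FIELDS, parts)))
    return records


def _addr(value: str) -> ipaddress.IPv4Address | ipaddress.IPv6Address | None:
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None  # '-' placeholder used in NODATA / SKIPDATA records


def find_isolated_tier_violations(records: list[dict[str, str]], vpc_cidr: str,
                                  isolated_cidrs: list[str]) -> list[dict[str, str]]:
    """Return flows where one end is in the isolated tier and the other is outside the VPC."""
    vpc = ipaddress.ip_network(vpc_cidr)
    isolated = [ipaddress.ip_network(c) for c in isolated_cidrs]

    def in_isolated(addr) -> bool:
        return any(addr in net for net in isolated)

    findings = []
    for rec in records:
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA carry no addresses to evaluate
        src, dst = _addr(rec["srcaddr"]), _addr(rec["dstaddr"])
        if src is None or dst is None:
            continue
        if in_isolated(dst) and src not in vpc:
            direction, peer = "inbound", str(src)
        elif in_isolated(src) and dst not in vpc:
            direction, peer = "outbound", str(dst)
        else:
            continue  # VPC-internal traffic, which is all the isolated tier should see
        findings.append({"interface_id": rec["interface_id"], "direction": direction,
                         "peer": peer, "dstport": rec["dstport"], "action": rec["action"]})
    return findings


if __name__ == "__main__":
    hits = find_isolated_tier_violations(parse_records(SAMPLE_LOG), "10.0.0.0/16",
                                         ["10.0.64.0/20", "10.0.80.0/20"])
    for h in hits:
        print(f"{h['interface_id']}: {h['direction']} {h['action']} peer={h['peer']} dstport={h['dstport']}")
```

Both a REJECTed inbound probe and an ACCEPTed outbound connection are reported: the first shows something outside the VPC can address the database tier at all, the second shows an isolated subnet has a working path to the internet, which the design says it must not have.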
