Routing allows traffic in and out of a VPC. An Internet Gateway (IGW) allows two different networks to exchange traffic: your VPC and another VPC, or your VPC and the Internet. After attaching an IGW to a VPC, we configure a route table.
| Destination | Target | Description |
| --- | --- | --- |
| 10.10.10.10/16 | local | traffic to the subnet |
| 0.0.0.0/0 | igw-1 | public subnet (traffic to/from the Internet) |
A public subnet is any subnet that has direct access to the Internet. It can be thought of as a DMZ, a buffer between the Internet and your private subnet. We can narrow access further with the route table; the permitted IPs are called whitelisted IPs. Routing is our first line of security.
Network Access Control Lists (NACLs) are firewalls for an entire subnet. For example, a NACL can open port 22 for SSH, and open port 3306 only for traffic coming from a local source.
Once traffic gets past the NACL into the subnet, security groups further protect your resources. A security group is a firewall for an instance. For example, suppose a port needs to communicate between two instances in the same subnet. We don't need to open the NACL for this traffic; configuring security groups is sufficient. In a security group all traffic is denied by default, so you have to allow the traffic you want.
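As an added example (not code from the original page), this Python script models how the three layers above are evaluated for an inbound packet: longest-prefix match in the route table, ordered first-match evaluation in the NACL, and allow-list-only matching in the security group. The VPC CIDR, rule numbers and sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed example: the page's route table, a NACL that opens 22 from
# anywhere and 3306 only from inside the VPC, and a security group that
# allows only 22. The 10.10.0.0/16 VPC CIDR is hypothetical.
ROUTES = [("10.10.0.0/16", "local"), ("0.0.0.0/0", "igw-1")]

# NACL rules: (rule number, protocol, (low, high) port range, cidr, action).
# Evaluated in ascending rule-number order; the first match wins and anything
# unmatched hits the implicit deny. Real NACLs are stateless, so return traffic
# on ephemeral ports would need its own rule; that is omitted here.
NACL_INBOUND = [
    (100, "tcp", (22, 22), "0.0.0.0/0", "allow"),
    (110, "tcp", (3306, 3306), "10.10.0.0/16", "allow"),
]

# Security group: default deny, only the listed (protocol, port, cidr) pass.
SG_INBOUND = [("tcp", 22, "0.0.0.0/0")]


def route_target(dst_ip):
    """Longest-prefix match, the way a VPC route table picks a target."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(ipaddress.ip_network(c), t) for c, t in ROUTES
               if ip in ipaddress.ip_network(c)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def nacl_allows(src_ip, proto, port):
    """Subnet-level check: first matching rule by number decides."""
    ip = ipaddress.ip_address(src_ip)
    for _num, p, (lo, hi), cidr, action in sorted(NACL_INBOUND):
        if p == proto and lo <= port <= hi and ip in ipaddress.ip_network(cidr):
            return action == "allow"
    return False  # implicit deny


def sg_allows(src_ip, proto, port):
    """Instance-level check: nothing passes unless explicitly allowed."""
    ip = ipaddress.ip_address(src_ip)
    return any(p == proto and pt == port and ip in ipaddress.ip_network(cidr)
               for p, pt, cidr in SG_INBOUND)


def inbound_reaches_instance(src_ip, proto, port):
    """Traffic must pass the subnet NACL first, then the security group."""
    return nacl_allows(src_ip, proto, port) and sg_allows(src_ip, proto, port)


if __name__ == "__main__":
    print(route_target("8.8.8.8"))                                 # igw-1
    print(inbound_reaches_instance("203.0.113.5", "tcp", 22))     # True
    print(inbound_reaches_instance("203.0.113.5", "tcp", 3306))   # False: NACL denies
    print(inbound_reaches_instance("10.10.4.2", "tcp", 3306))     # False: NACL allows, SG denies
```

The last case is the one worth noticing: opening port 3306 on the NACL for local sources does nothing until the instance's security group also allows it.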