returnvalue/aws-vpc
AWS Advanced VPC Architecture Labs (LocalStack Pro)

This repository contains a comprehensive set of hands-on labs demonstrating advanced Amazon Virtual Private Cloud (VPC) concepts. It bridges the gap between AWS theoretical knowledge (SAA-C03) and practical implementation using LocalStack Pro to simulate a complete AWS cloud environment locally.

🎯 Architecture Goals & Use Cases Covered

Based on AWS documentation and best practices, these labs walk through the deployment of:

  • Foundational Networking: Amazon VPC provides an isolated network environment. You have complete control over networking, including IP ranges, subnets, route tables, and gateways. A /24 subnet provides 256 total IP addresses, but AWS reserves 5 IP addresses, leaving 251 available.
  • Routing & Internet Access: Internet Gateways provide access to the internet, while a NAT Gateway enables outbound internet access for private subnets. Instances in the private subnet remain private with no inbound access from the internet.
  • Private Connectivity: VPC Endpoints provide private connectivity to AWS services like S3 and DynamoDB without traversing the internet.
  • Layered Security: Security Groups are stateful, meaning if inbound is allowed, return traffic is automatically allowed. Network ACLs are stateless, support Deny rules, and evaluate traffic at the subnet level. Network ACLs do not support rate limiting.
  • Multi-VPC Topologies: VPC Peering connects two VPCs privately but is not transitive. AWS Transit Gateway acts as a central hub for VPCs and is highly scalable.
  • Shared Services: AWS PrivateLink provides private connectivity to services exposed via VPC Endpoint Services without requiring VPC peering or an Internet Gateway.
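The address-accounting and firewall rules listed above can be checked offline. The following is an added example, not code from this repository or its labs: it computes the five addresses AWS reserves in any subnet prefix (generalising the /24 case to the full /16 to /28 range AWS allows) and models the difference between a stateful Security Group and a stateless Network ACL, including ordered rule numbers, an explicit Deny rule and the implicit trailing deny. All rule sets, addresses and ports below are constructed sample values.

```python
"""Added example: AWS subnet address accounting and SG-vs-NACL evaluation model."""
import ipaddress
from dataclasses import dataclass


def aws_reserved_addresses(cidr: str) -> dict:
    """The five addresses AWS reserves in every IPv4 subnet, keyed by role:
    network, VPC router (+1), DNS (+2), reserved for future use (+3), broadcast."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("AWS VPC subnets must be between /16 and /28")
    base = int(net.network_address)
    return {
        "network": str(ipaddress.ip_address(base)),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_addresses(cidr: str) -> int:
    """Total addresses minus the five AWS keeps (256 - 5 = 251 for a /24)."""
    reserved = aws_reserved_addresses(cidr)
    return ipaddress.ip_network(cidr, strict=True).num_addresses - len(reserved)


@dataclass(frozen=True)
class Rule:
    number: int      # evaluated in ascending order; the first match wins
    action: str      # "allow" or "deny" (Security Groups only ever carry "allow")
    protocol: str    # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound


def evaluate(rules, protocol: str, port: int, peer_ip: str) -> str:
    """NACL-style evaluation: lowest rule number first, first match decides,
    and the implicit '*' rule denies anything no numbered rule matched."""
    peer = ipaddress.ip_address(peer_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", protocol):
            continue
        if not r.port_from <= port <= r.port_to:
            continue
        if peer not in ipaddress.ip_network(r.cidr, strict=False):
            continue
        return r.action
    return "deny"


def tcp_session_allowed(inbound, outbound, client_ip, client_port, server_port, stateful):
    """Can client_ip:client_port complete a TCP session to server_port?
    stateful=True models a Security Group: once the inbound packet is allowed the
    return traffic is allowed automatically. stateful=False models a NACL: the
    reply packet is matched against the outbound rules by its destination port,
    which is the client's ephemeral port, so that range must be allowed explicitly."""
    if evaluate(inbound, "tcp", server_port, client_ip) != "allow":
        return False
    if stateful:
        return True
    return evaluate(outbound, "tcp", client_port, client_ip) == "allow"


# Constructed sample policies (RFC 5737 documentation addresses).
SG_INBOUND = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_INBOUND = [
    Rule(90, "deny", "tcp", 443, 443, "198.51.100.0/24"),   # explicit Deny, evaluated first
    Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]
NACL_OUT_NO_EPHEMERAL = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_OUT_WITH_EPHEMERAL = NACL_OUT_NO_EPHEMERAL + [
    Rule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")     # return traffic to clients
]


def demo() -> dict:
    client, eph = "203.0.113.10", 40000
    return {
        "usable_in_/24": usable_addresses("10.0.1.0/24"),
        "sg_https": tcp_session_allowed(SG_INBOUND, [], client, eph, 443, True),
        "nacl_https_no_ephemeral": tcp_session_allowed(
            NACL_INBOUND, NACL_OUT_NO_EPHEMERAL, client, eph, 443, False),
        "nacl_https_with_ephemeral": tcp_session_allowed(
            NACL_INBOUND, NACL_OUT_WITH_EPHEMERAL, client, eph, 443, False),
        "nacl_denied_source": tcp_session_allowed(
            NACL_INBOUND, NACL_OUT_WITH_EPHEMERAL, "198.51.100.7", eph, 443, False),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `nacl_https_no_ephemeral` case is the classic Lab 4 mistake: the inbound HTTPS rule looks correct, yet the session never completes because the stateless outbound side drops the reply to the client's ephemeral port.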

βš™οΈ Prerequisites

🚀 Environment Setup

  1. Clone this repository:

    git clone https://github.com/awslabs/vpc.git
    cd vpc
  2. Configure your LocalStack Auth Token:

    echo "YOUR_TOKEN=your_auth_token_here" > .env
  3. Start LocalStack Pro:

    docker-compose up -d

Important

Cumulative Architecture: These labs are designed as a cumulative, end-to-end scenario rather than isolated tasks. You are building one evolving architecture as you progress.

Session Persistence: You must run all commands sequentially within the same terminal session. The labs rely on bash variables (like $VPC_ID, $PRIV_RT, etc.) created in earlier steps. If you close your terminal, these variables will be lost and subsequent labs will fail.

📚 Labs Index

  1. Lab 1: Foundational VPC & Subnet Isolation
  2. Lab 2: Internet & NAT Gateways
  3. Lab 3: Secure AWS Access via VPC Endpoints
  4. Lab 4: Defense in Depth (Security Groups vs. NACLs)
  5. Lab 5: 1-to-1 Multi-VPC Architecture (VPC Peering)
  6. Lab 6: Hub-and-Spoke Topology (AWS Transit Gateway)
  7. Lab 7: Unidirectional Service Sharing (AWS PrivateLink)
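Labs 5 and 6 contrast 1-to-1 peering with a Transit Gateway hub. As an added example, not code from this repository, the model below captures the two properties that matter when planning those labs: peering is non-transitive (a packet crosses at most one peering connection and a VPC never forwards traffic it received over one), while a Transit Gateway forwards between every VPC attached to its route table. It also derives the routes each VPC's route table needs and rejects a peering between overlapping CIDRs, which AWS does not allow. VPC names, CIDRs and identifiers such as `pcx-A-B` and `tgw-hub` are constructed placeholders.

```python
"""Added example: reachability and route-table model for peering vs Transit Gateway."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Vpc:
    name: str
    cidr: str


class Topology:
    def __init__(self):
        self.vpcs = {}        # name -> Vpc
        self.peerings = {}    # frozenset({a, b}) -> peering connection id (constructed)
        self.tgws = {}        # tgw id -> set of attached VPC names (one shared route table)

    def add_vpc(self, name: str, cidr: str) -> None:
        self.vpcs[name] = Vpc(name, cidr)

    def peer(self, a: str, b: str) -> str:
        """Create a 1-to-1 peering. AWS refuses peerings whose CIDRs overlap,
        because neither side could install an unambiguous route."""
        net_a = ipaddress.ip_network(self.vpcs[a].cidr)
        net_b = ipaddress.ip_network(self.vpcs[b].cidr)
        if net_a.overlaps(net_b):
            raise ValueError(f"cannot peer {a} and {b}: overlapping CIDRs")
        pcx = f"pcx-{a}-{b}"
        self.peerings[frozenset((a, b))] = pcx
        return pcx

    def attach(self, tgw: str, vpc: str) -> None:
        self.tgws.setdefault(tgw, set()).add(vpc)

    def routes_for(self, vpc: str) -> dict:
        """Routes this VPC's route table needs: one per peer pointing at the
        peering connection, and one per remote TGW member pointing at the TGW."""
        routes = {}
        for pair, pcx in self.peerings.items():
            if vpc in pair:
                (peer,) = pair - {vpc}
                routes[self.vpcs[peer].cidr] = pcx
        for tgw, members in self.tgws.items():
            if vpc in members:
                for other in members - {vpc}:
                    routes[self.vpcs[other].cidr] = tgw
        return routes

    def reachable(self, src: str, dst: str) -> bool:
        """Peering: reachable only if src and dst are directly peered (no transit
        through a third VPC). TGW: reachable if both are attached to the same hub."""
        if src == dst:
            return True
        if frozenset((src, dst)) in self.peerings:
            return True
        return any(src in members and dst in members for members in self.tgws.values())


VPCS = (("A", "10.0.0.0/16"), ("B", "10.1.0.0/16"), ("C", "10.2.0.0/16"))


def build_peered_chain() -> Topology:
    """Lab 5 shape: A <-> B and B <-> C peered; A never reaches C through B."""
    topo = Topology()
    for name, cidr in VPCS:
        topo.add_vpc(name, cidr)
    topo.peer("A", "B")
    topo.peer("B", "C")
    return topo


def build_hub_and_spoke() -> Topology:
    """Lab 6 shape: all three VPCs attached to one Transit Gateway."""
    topo = Topology()
    for name, cidr in VPCS:
        topo.add_vpc(name, cidr)
        topo.attach("tgw-hub", name)
    return topo


if __name__ == "__main__":
    chain, hub = build_peered_chain(), build_hub_and_spoke()
    print("peering  A->C:", chain.reachable("A", "C"), chain.routes_for("B"))
    print("tgw      A->C:", hub.reachable("A", "C"), hub.routes_for("A"))
```

Comparing `routes_for("B")` in the two topologies shows why the hub scales: with peering every VPC carries one route per peer and one peering per pair, whereas with the Transit Gateway every route points at the same target and adding a fourth VPC means one attachment rather than three new peerings.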
