AWS Networking — Trivia & Interesting Facts
Surprising, historical, and little-known facts about AWS networking.
VPCs did not exist until 2009
When EC2 launched in 2006, all instances ran in a shared flat network called EC2-Classic. There were no private subnets, no route tables, and no network isolation between customers beyond security groups. Virtual Private Cloud (VPC) launched in 2009, and EC2-Classic was not fully retired until August 2022.
AWS owns more IPv4 addresses than most countries
As of 2023, Amazon holds over 100 million IPv4 addresses, making it one of the largest IPv4 address holders in the world. AWS began charging $0.005/hour per public IPv4 address in February 2024 — a move that incentivizes IPv6 adoption and reflects the genuine scarcity of IPv4 space.
Security Groups are stateful, NACLs are stateless — and the difference matters enormously
Security Groups automatically allow return traffic for established connections. NACLs (Network Access Control Lists) do not: you must explicitly allow both inbound and outbound rules, including the ephemeral port ranges that return traffic uses. This distinction trips up engineers so often that the AWS documentation has an entire section dedicated to comparing the two.
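As an added example that is not part of the original page, here is a small Python model of stateless NACL evaluation: the weak ruleset allows TCP 443 in both directions but rejects the server's replies to the client's ephemeral port, while the corrected ruleset also allows the outbound ephemeral range. The rule numbers, CIDRs and the client address are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example (not AWS code): a minimal model of network ACL evaluation.
# Rules are checked in ascending rule-number order, the first match wins, and
# the implicit final "*" rule denies. Each packet is judged on its own header.
@dataclass(frozen=True)
class Rule:
    number: int
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp" or "all"
    cidr: str        # remote address: source for inbound, destination for outbound
    port_from: int   # destination-port range the rule covers
    port_to: int

def decide(rules, remote_ip, dst_port, protocol="tcp"):
    """Return the action of the lowest-numbered matching rule, else 'deny'."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in (protocol, "all"):
            continue
        if ip_address(remote_ip) not in ip_network(rule.cidr):
            continue
        if not rule.port_from <= dst_port <= rule.port_to:
            continue
        return rule.action
    return "deny"

def check_tcp_service(nacl, client_ip, client_port, server_port):
    """Evaluate both halves of one client->server TCP connection: request (inbound), reply (outbound)."""
    request = decide(nacl["inbound"], client_ip, server_port)
    reply = decide(nacl["outbound"], client_ip, client_port)  # reply targets the client's ephemeral port
    return request, reply

ANY = "0.0.0.0/0"
# Weak NACL: "web traffic is 443, so allow 443 both ways". The reply to the
# client's ephemeral port matches no outbound rule and hits the implicit deny.
WEAK = {
    "inbound":  [Rule(100, "allow", "tcp", ANY, 443, 443)],
    "outbound": [Rule(100, "allow", "tcp", ANY, 443, 443)],
}

# Corrected NACL: outbound also allows the ephemeral range the AWS
# documentation recommends (1024-65535), so replies can leave the subnet.
FIXED = {
    "inbound":  [Rule(100, "allow", "tcp", ANY, 443, 443)],
    "outbound": [Rule(100, "allow", "tcp", ANY, 443, 443),
                 Rule(110, "allow", "tcp", ANY, 1024, 65535)],
}
```

Calling `check_tcp_service(WEAK, "203.0.113.10", 51234, 443)` returns `("allow", "deny")`, the classic "SYN arrives, handshake never completes" symptom; the same call against `FIXED` returns `("allow", "allow")`.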
Transit Gateway replaced a spaghetti of VPC peering connections
Before Transit Gateway launched in 2018, connecting N VPCs required N*(N-1)/2 peering connections — 45 connections for just 10 VPCs. Transit Gateway acts as a hub-and-spoke router, supporting up to 5,000 VPC attachments per gateway and simplifying network topology from O(N^2) to O(N).
AWS Global Accelerator uses anycast IP addresses
Global Accelerator assigns two static anycast IPv4 addresses that route traffic to the nearest AWS edge location using BGP anycast. From the edge, traffic travels over the AWS private backbone network instead of the public internet, reducing latency and jitter by 60% on average according to AWS benchmarks.
PrivateLink keeps traffic entirely within the AWS network
AWS PrivateLink, introduced in 2017, allows services in one VPC to be accessed from another VPC via private IP addresses without traversing the internet, VPC peering, or NAT. The traffic never leaves the Amazon network. This is implemented using interface VPC endpoints backed by Network Load Balancers.
The default VPC CIDR block is 172.31.0.0/16 — and it causes problems
Every AWS account in every region gets a default VPC with the CIDR 172.31.0.0/16. When companies start connecting multiple accounts or VPCs via peering or Transit Gateway, they discover that overlapping CIDRs cannot be peered. Many organizations have spent significant effort migrating away from default VPCs to avoid this collision.
Elastic Network Interfaces can be moved between instances
ENIs (Elastic Network Interfaces) are first-class objects that can be detached from one instance and attached to another, carrying their private IP address, Elastic IP, security groups, and MAC address. This enables failover patterns where a "virtual IP" follows the active instance without requiring a load balancer.
VPC Flow Logs capture every network decision, not just traffic
VPC Flow Logs, introduced in 2015, record the accept/reject decision for every network flow at the ENI, subnet, or VPC level. They capture source/destination IPs, ports, protocol, packet count, byte count, and the action taken. The logs go to CloudWatch Logs, S3, or Kinesis Data Firehose and are invaluable for troubleshooting security group misconfigurations.
AWS built its own custom network hardware
AWS designs its own network switches, routers, and NICs through Annapurna Labs (acquired in 2015). The Nitro Card for networking offloads VPC encapsulation, security group enforcement, and EBS traffic to dedicated hardware, freeing the host CPU entirely. This is why newer instance types deliver significantly better network performance.