Networks in AWS

When you connect an AWS account with DoubleCloud using BYOC, DoubleCloud creates a new VPC in your account where you can run Managed ClickHouse® and Apache Kafka® clusters. Within this VPC, you can create one or several subnets that correspond to a segment of the VPC's IP address range.

Network types

Subnets logically group resources and can be private and public, which determines how the resources can access the internet.

  • Public subnets have direct access to the internet through an Internet gateway. Resources in public subnets can be accessed from the internet if they have a public IP or an Elastic IP.

  • Private subnets don't have a direct route to an Internet gateway. Resources in private subnets can't access the internet because they don't have a direct route to an internet gateway. To connect to the internet or other VPCs, they need a NAT gateway. Although such gateways allow outbound traffic, resources in a private subnet still can't receive unsolicited inbound connections from the internet.


Before you create a subnetwork, make sure that you have available quota for creating NAT gateways and Elastic IP addresses. DoubleCloud creates one NAT gateway and Elastic IP address for each availability zone. It's necessary that you do it beforehand because DoubleCloud can't access the quota information and make sure that gateways and IP addresses can be created.


Gateways are services that allow instances in your AWS account to connect to the internet and instances in other VPCs. In the context of BYOC, two types of gateways are important:

  • NAT gateways allows instances to connect to the internet, while not allowing inbound internet traffic.

  • Transit gateways serve as routers between the data plane and control plane. They also allow instances to access other VPCs.

In this article: