AWS VPC (Virtual Private Cloud)
AWS VPC stands for Virtual Private Cloud. It is a private, isolated network inside the AWS cloud. Every AWS account gets a default VPC automatically. Resources like EC2 instances, RDS databases, and Lambda functions are launched inside a VPC, giving full control over the network environment.
Think of a VPC as a virtual version of a physical office network. Just like an office network has internal computers, printers, and servers connected through a private network — with a firewall and router controlling what comes in from the internet — a VPC works the same way, but entirely in the cloud.
Why VPC Matters
Without a VPC, all cloud resources would be exposed to the internet with no isolation. A VPC creates a boundary. Inside the VPC, resources communicate privately. External traffic is allowed in only through controlled gateways and security rules.
Core VPC Components
1. CIDR Block
When creating a VPC, an IP address range is assigned using CIDR (Classless Inter-Domain Routing) notation. Example: 10.0.0.0/16 — this means the VPC can have IP addresses from 10.0.0.0 to 10.0.255.255, giving 65,536 possible IP addresses.
2. Subnets
A subnet is a smaller section within a VPC's IP range. A VPC is divided into subnets. Subnets are created in specific Availability Zones.
There are two types of subnets:
- Public Subnet: Connected to the internet through an Internet Gateway. Resources here (like web servers) receive public IPs and are reachable from the internet.
- Private Subnet: No direct internet access. Resources here (like databases, application servers) communicate only within the VPC or through controlled gateways.
```text
VPC: 10.0.0.0/16
+--------------------------------------------------+
|                                                  |
|  Public Subnet: 10.0.1.0/24 (AZ: ap-south-1a)    |
|  [Web Server — EC2 with public IP]               |
|                                                  |
|  Private Subnet: 10.0.2.0/24 (AZ: ap-south-1b)   |
|  [Database — RDS with no public IP]              |
|                                                  |
+--------------------------------------------------+
                        |
               [Internet Gateway]
                        |
                   [Internet]
```
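A small check of the CIDR plan above, written as an added example (not code from the original page). It uses the page's VPC and subnet ranges plus constructed bad ones, and relies on the fact that AWS reserves five addresses in every subnet.

```python
"""CIDR plan check for a VPC and its subnets. Added example, not from the
original page; it uses the page's CIDRs plus constructed bad ones."""
import ipaddress

# AWS reserves five addresses in every subnet: the network address, the VPC
# router, the DNS resolver, one kept for future use, and the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr: str) -> int:
    """Addresses AWS actually lets you assign to instances in a subnet."""
    return ipaddress.ip_network(cidr).num_addresses - AWS_RESERVED_PER_SUBNET


def validate_plan(vpc_cidr: str, subnet_cidrs: list) -> list:
    """Return the problems with a subnet plan (empty list means valid).

    Every subnet must sit inside the VPC range and no two subnets may
    overlap; AWS refuses to create a subnet that breaks either rule.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    subnets = [ipaddress.ip_network(c) for c in subnet_cidrs]
    problems = []
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"{s} is not inside VPC {vpc}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


if __name__ == "__main__":
    print(ipaddress.ip_network("10.0.0.0/16").num_addresses)  # 65536
    print(usable_hosts("10.0.1.0/24"))                        # 251
    print(validate_plan("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]))  # []
    # constructed bad plan: two overlapping subnets and one outside the VPC
    print(validate_plan("10.0.0.0/16",
                        ["10.0.1.0/24", "10.0.1.128/25", "192.168.0.0/24"]))
```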
3. Internet Gateway (IGW)
An Internet Gateway is attached to a VPC to allow communication between public subnet resources and the internet. Without an IGW, resources inside the VPC cannot be reached from the internet and cannot reach the internet.
4. Route Tables
A route table contains rules (routes) that determine where network traffic is directed. Each subnet is associated with one route table.
A public subnet's route table includes a route like:
- Destination: 0.0.0.0/0 → Target: Internet Gateway
This means any traffic going outside the VPC is sent through the Internet Gateway.
A private subnet's route table has no route to the Internet Gateway — so resources in the private subnet cannot be directly accessed from the internet.
5. NAT Gateway
A NAT (Network Address Translation) Gateway allows resources in a private subnet to initiate outbound internet connections (like downloading software updates) without being directly accessible from the internet.
```text
[Private Subnet — RDS Database]
              |
[NAT Gateway in Public Subnet]
              |
      [Internet Gateway]
              |
          [Internet]

Direction: Private → Internet (allowed)
Direction: Internet → Private (blocked — NAT is one-way)
```
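Route tables from sections 3 to 5 as a working check, added here as an example (not the page's or AWS's code): a longest-prefix-match lookup like the one the VPC router performs, and a classifier that labels a subnet public, private or isolated from where its default route points. The route tables mirror the diagrams above; the `igw-EXAMPLE` and `nat-EXAMPLE` target ids are placeholders.

```python
"""Route-table evaluation and subnet classification. Added example, not from
the original page; route tables are constructed to match the page's
diagrams and the igw-/nat- ids are placeholders."""
import ipaddress
from typing import Optional

# Each route is (destination CIDR, target). The "local" route covers the VPC
# CIDR; AWS adds it to every route table and it cannot be removed.
PUBLIC_RT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_RT_WITH_NAT = [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE")]
ISOLATED_RT = [("10.0.0.0/16", "local")]


def next_hop(route_table, dst_ip: str) -> Optional[str]:
    """Choose a route the way the VPC router does: longest prefix match.

    Returns the target, or None when no route covers the destination
    (the packet is dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify_subnet(route_table) -> str:
    """Label a subnet by where its default route points.

    public   : 0.0.0.0/0 -> Internet Gateway (reachable from the internet
               when the instance also has a public IP)
    private  : 0.0.0.0/0 -> NAT Gateway (outbound only)
    isolated : no default route at all
    """
    hop = next_hop(route_table, "203.0.113.1")  # any non-VPC address will do
    if hop is None:
        return "isolated"
    if hop.startswith("igw-"):
        return "public"
    if hop.startswith("nat-"):
        return "private"
    return "other"


if __name__ == "__main__":
    print(next_hop(PUBLIC_RT, "10.0.2.15"))        # local: stays inside the VPC
    print(next_hop(PUBLIC_RT, "203.0.113.9"))      # igw-EXAMPLE
    print(next_hop(ISOLATED_RT, "203.0.113.9"))    # None: no route, dropped
    for name, rt in [("web", PUBLIC_RT), ("app", PRIVATE_RT_WITH_NAT), ("db", ISOLATED_RT)]:
        print(name, classify_subnet(rt))
```

Run against real route tables (for example the output of `describe-route-tables`), the same classifier is a quick way to spot a subnet that was meant to be private but carries a default route to an Internet Gateway.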
6. Security Groups and NACLs
Two layers of network security exist within a VPC:
| Feature | Security Group | Network ACL (NACL) |
|---|---|---|
| Applies to | Individual instances (EC2, RDS) | Entire subnets |
| State | Stateful (return traffic allowed automatically) | Stateless (must define inbound AND outbound rules) |
| Default behavior | Deny all inbound, allow all outbound | Allow all traffic (default NACL) |
| Rule type | Allow rules only | Allow and Deny rules |
| Order | All rules evaluated together | Rules evaluated in number order (lowest first) |
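The stateful/stateless difference in the table is easiest to see in code. This added example (not from the original page) simulates a NACL evaluated lowest-number-first with an implicit final deny, beside a stateful, allow-only security group, for a web server accepting HTTPS from anywhere; the rule sets and client addresses are constructed.

```python
"""Stateless NACL vs stateful security group, simulated. Added example, not
from the original page; rule sets and client addresses are constructed."""
import ipaddress

EPHEMERAL = (1024, 65535)  # client source ports, i.e. destination ports of replies
# NACL rule: (rule number, action, protocol, (port_lo, port_hi), CIDR)
NACL_IN = [(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]
# Broken outbound set: only 443 is allowed, so replies to a client's
# ephemeral port never match a rule and hit the implicit deny.
NACL_OUT_BROKEN = [(100, "allow", "tcp", (443, 443), "0.0.0.0/0")]
# Fixed outbound set: ephemeral range allowed, with a lower-numbered deny
# for one constructed network that is therefore evaluated first.
NACL_OUT_FIXED = [
    (90, "deny", "tcp", EPHEMERAL, "198.51.100.0/24"),
    (100, "allow", "tcp", EPHEMERAL, "0.0.0.0/0"),
]
# Security group rule: (protocol, (port_lo, port_hi), CIDR); allow rules only.
SG_IN = [("tcp", (443, 443), "0.0.0.0/0")]


def nacl_decision(rules, proto: str, port: int, peer_ip: str) -> str:
    """Evaluate like AWS: lowest rule number first, first match wins, and the
    implicit '*' rule denies anything no numbered rule matched."""
    ip = ipaddress.ip_address(peer_ip)
    for _, action, rproto, (lo, hi), cidr in sorted(rules):
        if rproto == proto and lo <= port <= hi and ip in ipaddress.ip_network(cidr):
            return action
    return "deny"


def sg_allows_inbound(rules, proto: str, port: int, src_ip: str) -> bool:
    """Stateful: if the request is allowed, the reply is tracked and allowed."""
    ip = ipaddress.ip_address(src_ip)
    return any(p == proto and lo <= port <= hi and ip in ipaddress.ip_network(c)
               for p, (lo, hi), c in rules)


def https_exchange_ok(nacl_out, client_ip: str, client_port: int) -> bool:
    """Do both the client's request and the server's reply pass the subnet NACL?
    The reply is a separate outbound packet whose destination port is the
    client's ephemeral source port, so it needs its own outbound rule."""
    request_ok = nacl_decision(NACL_IN, "tcp", 443, client_ip) == "allow"
    reply_ok = nacl_decision(nacl_out, "tcp", client_port, client_ip) == "allow"
    return request_ok and reply_ok


if __name__ == "__main__":
    print(sg_allows_inbound(SG_IN, "tcp", 443, "203.0.113.10"))        # True
    print(https_exchange_ok(NACL_OUT_BROKEN, "203.0.113.10", 51234))   # False
    print(https_exchange_ok(NACL_OUT_FIXED, "203.0.113.10", 51234))    # True
    print(https_exchange_ok(NACL_OUT_FIXED, "198.51.100.7", 51234))    # False, rule 90
```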
7. VPC Peering
VPC Peering connects two VPCs so that resources in both VPCs can communicate using private IP addresses — as if they were in the same network. Peering works across different AWS accounts and Regions.
Important limitation: VPC peering is not transitive. If VPC-A peers with VPC-B, and VPC-B peers with VPC-C, VPC-A and VPC-C cannot communicate unless they are directly peered.
8. VPC Endpoints
A VPC Endpoint allows resources inside a VPC to connect to AWS services (like S3 or DynamoDB) without going through the public internet. This improves security and reduces data transfer costs.
Example: An EC2 instance in a private subnet accesses an S3 bucket through a VPC Gateway Endpoint — the traffic never leaves the AWS network.
Full VPC Architecture Example — 3-Tier Web Application
```text
                 Internet
                    |
            [Internet Gateway]
                    |
+---------------------------------------+
|  VPC: 10.0.0.0/16                     |
|                                       |
|  PUBLIC SUBNET (10.0.1.0/24)          |
|  [Load Balancer]                      |
|         |                             |
|  PRIVATE SUBNET — App (10.0.2.0/24)   |
|  [EC2 — Application Servers]          |
|         |                             |
|  PRIVATE SUBNET — DB (10.0.3.0/24)    |
|  [RDS — MySQL Database]               |
|                                       |
+---------------------------------------+
```
In this setup:
- Users reach the Load Balancer through the Internet Gateway.
- The Load Balancer forwards requests to Application Servers in the private subnet.
- Application Servers connect to the RDS database in the deepest private subnet.
- The database is never directly accessible from the internet.
Default VPC vs Custom VPC
| Feature | Default VPC | Custom VPC |
|---|---|---|
| Created by | AWS automatically | Created manually |
| Subnets | One public subnet per AZ | Custom public and private subnets |
| Internet access | All subnets have internet access | Only subnets with IGW route |
| Best for | Quick testing and learning | Production applications |
Summary
- A VPC is an isolated virtual network inside AWS. All resources launch inside a VPC.
- Subnets divide the VPC — public subnets are internet-facing, private subnets are internal.
- The Internet Gateway enables internet access. NAT Gateway allows outbound-only internet access from private subnets.
- Security Groups protect individual instances. NACLs protect entire subnets.
- VPC Peering connects two VPCs. VPC Endpoints connect to AWS services without using the internet.
