VPC (Virtual Private Cloud)
Definition
A VPC is a logically isolated section of a cloud provider's network, separated from other tenants, in which resources (VMs, containers, databases) are launched. It provides private IP addressing, subnets, route tables, gateways and firewall controls, so that a traditional data center network can be reproduced in the cloud. The isolation is logical rather than physical: it is enforced by the provider's software-defined network, so exposure usually comes from a misconfigured route or an over-permissive rule, not from shared hardware.
Each cloud provider has its own VPC implementation with slightly different terminology; the component table below uses AWS terms.
VPC Components
| Component | Purpose |
|---|---|
| CIDR Block | Private IP range for the VPC (e.g., 10.0.0.0/16); chosen so it does not overlap peered VPCs or on-prem networks |
| Subnet | IP range within the VPC; in AWS each subnet lives in one Availability Zone (Azure and GCP subnets span a region) |
| Route Table | Per-subnet rules for where traffic is sent; the most specific (longest-prefix) matching route wins |
| Internet Gateway | Provides the route between the VPC and the public internet; a subnet whose default route points at it is "public" |
| NAT Gateway | Lets instances in private subnets initiate outbound internet connections; unsolicited inbound connections are not forwarded |
| Security Group | Stateful allow-list firewall attached to an instance's network interface; return traffic of an allowed connection is permitted automatically |
| NACL | Stateless allow/deny rule list at the subnet boundary; every packet, including return traffic, must match a rule |
| VPC Peering | Private connection between two VPCs; non-transitive (A-B plus B-C does not give A-C) |
| VPC Endpoint | Private path to AWS services (e.g., S3) without traversing the Internet Gateway or a NAT Gateway |
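To make the stateful/stateless distinction concrete, here is an added example written for this page (not code from any cloud provider) that models a security group with a connection-tracking table and a NACL as an ordered, stateless rule list, then walks one HTTPS request/response pair through both. The rule sets and addresses are constructed (documentation ranges); the classes are a simplified model of the semantics, not a provider implementation.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int
    proto: str = "tcp"

    def reply(self):
        """The packet going the other way on the same flow (server response to client)."""
        return Packet(self.dst, self.src, self.dst_port, self.src_port, self.proto)


def _matches(cidr, proto, lo, hi, pkt, direction):
    """A rule names the remote peer (source for inbound, destination for outbound),
    a protocol and a destination-port range."""
    peer = pkt.src if direction == "in" else pkt.dst
    return (proto in ("all", pkt.proto)
            and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr)
            and lo <= pkt.dst_port <= hi)


class SecurityGroup:
    """Stateful, allow-only. A packet that is the reply to an already-allowed flow passes
    without any rule; everything else must match an allow rule or is implicitly denied."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}   # (cidr, proto, from_port, to_port)
        self.flows = set()                              # connection-tracking table

    def evaluate(self, pkt, direction):
        reverse = "in" if direction == "out" else "out"
        if (pkt.reply(), reverse) in self.flows:
            return "ALLOW (tracked reply)"
        for cidr, proto, lo, hi in self.rules[direction]:
            if _matches(cidr, proto, lo, hi, pkt, direction):
                self.flows.add((pkt, direction))
                return "ALLOW"
        return "DENY (implicit)"


class NetworkAcl:
    """Stateless, numbered ALLOW/DENY rules evaluated in ascending order; the first match
    wins and the implicit final rule (*) denies. No memory of flows: replies are on their own."""

    def __init__(self, rules):
        # (number, direction, action, cidr, proto, from_port, to_port)
        self.rules = sorted(rules)

    def evaluate(self, pkt, direction):
        for num, d, action, cidr, proto, lo, hi in self.rules:
            if d == direction and _matches(cidr, proto, lo, hi, pkt, direction):
                return f"{action} (rule {num})"
        return "DENY (rule *)"


def simulate_https(nacl, sg, client="203.0.113.10", server="10.0.1.20"):
    """Walk one TCP request and its response through the subnet NACL and the instance
    security group, returning the verdict at every hop. Any DENY breaks the connection."""
    request = Packet(client, server, 49152, 443)   # client ephemeral port -> server:443
    response = request.reply()                      # server:443 -> client ephemeral port
    return {
        "request": {"nacl_in": nacl.evaluate(request, "in"),
                    "sg_in": sg.evaluate(request, "in")},
        "response": {"sg_out": sg.evaluate(response, "out"),
                     "nacl_out": nacl.evaluate(response, "out")},
    }


# Constructed sample rules for a web server. The security group has no outbound rules so the
# example shows the tracked reply passing by state alone (a newly created AWS security group
# allows all outbound; a locked-down group like this one is the recommended shape).
WEB_SG = SecurityGroup(inbound=[("0.0.0.0/0", "tcp", 443, 443)], outbound=[])

# Common mistake: the NACL mirrors the security group and forgets that the response leaves
# on the client's ephemeral port, not on 443.
NACL_BROKEN = NetworkAcl([
    (100, "in",  "ALLOW", "0.0.0.0/0", "tcp", 443, 443),
    (100, "out", "ALLOW", "0.0.0.0/0", "tcp", 443, 443),
])

# Fix: an outbound rule covering the ephemeral port range for return traffic.
NACL_FIXED = NetworkAcl(NACL_BROKEN.rules + [
    (110, "out", "ALLOW", "0.0.0.0/0", "tcp", 1024, 65535),
])


if __name__ == "__main__":
    for name, acl in (("broken", NACL_BROKEN), ("fixed", NACL_FIXED)):
        print(name, simulate_https(acl, WEB_SG))
```

With NACL_BROKEN the request is accepted at every hop but the response is dropped by the subnet NACL, which is why a NACL that "looks the same" as the security group produces hanging connections rather than a clean refusal; the security group needs no outbound rule for the reply because it tracks the flow.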
Public vs Private Subnets
VPC (10.0.0.0/16)
├── Public Subnet (10.0.1.0/24): default route (0.0.0.0/0) to the Internet Gateway
│   ├── Load balancer / web servers
│   ├── Bastion host
│   └── NAT Gateway (the egress point for the private subnets; it must sit in a public subnet)
├── Private Subnet A (10.0.2.0/24): default route to the NAT Gateway, no Internet Gateway route
│   └── Application servers
└── Private Subnet B (10.0.3.0/24): default route to the NAT Gateway, or no default route at all
    ├── Database servers
    └── Cache servers
Cloud VPC Comparison
| Provider | Name | Key Features |
|---|---|---|
| AWS | VPC | Regional VPC with AZ-scoped subnets; security groups plus NACLs; VPC endpoints for AWS services |
| Azure | VNet | Regional; subnets span the region; Network Security Groups (stateful) applied at subnet or NIC level; ExpressRoute for hybrid connectivity |
| GCP | VPC | Global VPC with regional subnets; firewall rules defined at the VPC level and targeted by tag or service account; an auto-mode "default" network is created per project |
| OpenStack | Neutron | Open-source networking service providing tenant networks, routers, floating IPs and security groups |
VPC Best Practices
- Place databases and backend services in private subnets, i.e. subnets whose route table has no route to an Internet Gateway
- Give private subnets no direct inbound path from the internet; reach them through a load balancer in a public subnet or a bastion host
- Use a NAT Gateway for outbound-only access from private subnets; it forwards connections the instances initiate and nothing unsolicited
- Treat security groups as the primary control (stateful): allow-list only the ports and sources each tier needs, for example the database port only from the application tier's security group, and never 0.0.0.0/0 on anything but public-facing ports
- Use NACLs as a coarse secondary layer (stateless): because return traffic is not tracked, allow the ephemeral port range (1024-65535) in the return direction or connections will hang
- Use VPC peering for inter-VPC communication, remembering that peering is non-transitive; with many VPCs a hub-and-spoke design (AWS Transit Gateway, for instance) is needed
- Enable flow logs and actually review them: REJECT records show blocked probes, and ACCEPT records to sensitive tiers from unexpected sources show policy gaps
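Flow logs are only useful if something reads them. The following added example (written for this page, not from any vendor tool) parses constructed lines in the AWS VPC Flow Logs default record format (version, account-id, interface-id, srcaddr, dstaddr, srcport, dstport, protocol, packets, bytes, start, end, action, log-status) and applies one policy for the layout above: the database subnet may be reached on database ports only from the application subnet. It flags ACCEPTed flows that break that rule (here a web-tier host talking to the database directly) and counts REJECTed attempts from addresses outside the VPC CIDR. The account ID, interface ID, timestamps and addresses in the sample are made up.

```python
import ipaddress
from collections import Counter

# Constructed sample records in the AWS VPC Flow Logs default format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
# Identifiers and timestamps are invented; protocol 6 is TCP.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.2.15 10.0.3.40 52144 5432 6 12 3456 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.20 10.0.3.40 41000 5432 6 4 240 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.3.40 55000 5432 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.7 10.0.3.40 55001 3306 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.3.40 10.0.2.15 5432 52144 6 10 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_flow_log(text):
    """Yield one dict per usable record. NODATA/SKIPDATA lines carry '-' in the address
    fields and are skipped rather than crashing the int() conversions."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 14 or fields[13] != "OK":
            continue
        yield {
            "src": fields[3], "dst": fields[4],
            "srcport": int(fields[5]), "dstport": int(fields[6]),
            "proto": int(fields[7]), "bytes": int(fields[9]),
            "action": fields[12],
        }


def analyze(text, vpc_cidr="10.0.0.0/16", db_subnet="10.0.3.0/24",
            app_subnet="10.0.2.0/24", db_ports=(5432, 3306)):
    """Apply the tiering policy: database ports in db_subnet are reachable only from
    app_subnet. Returns accepted violations and a per-source count of rejected
    attempts that originated outside the VPC."""
    vpc, db, app = (ipaddress.ip_network(c) for c in (vpc_cidr, db_subnet, app_subnet))
    violations, external_rejects, records = [], Counter(), 0
    for rec in parse_flow_log(text):
        records += 1
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if dst not in db or rec["dstport"] not in db_ports:
            continue  # only flows toward the database tier matter for this policy
        if rec["action"] == "ACCEPT" and src not in app:
            violations.append((rec["src"], rec["dst"], rec["dstport"]))
        if rec["action"] == "REJECT" and src not in vpc:
            external_rejects[rec["src"]] += 1
    return {"records": records, "violations": violations,
            "external_rejects": dict(external_rejects)}


if __name__ == "__main__":
    result = analyze(SAMPLE_FLOW_LOG)
    print(result["violations"])        # [('10.0.1.20', '10.0.3.40', 5432)]
    print(result["external_rejects"])  # {'198.51.100.7': 2}
```

The accepted flow from 10.0.1.20 is the finding that matters most: a host in the public subnet reached the database directly, so the database security group is wider than the tiering design intends. Rejected packets from outside the VPC CIDR arriving at a private-subnet interface are also worth a look, because something (a route, a peering, a misplaced gateway) is delivering them that far.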
Related Terms
- Subnet — subdivisions within a VPC
- VPN — site-to-site VPN connects on-prem to VPC
- Firewall — security groups and NACLs act as firewalls
- Bastion Host — jump server for accessing private VPC resources
- SDN — software-defined networking underlies VPC
References
- AWS VPC docs: https://docs.aws.amazon.com/vpc/
- Azure VNet docs: https://docs.microsoft.com/azure/virtual-network/
- GCP VPC docs: https://cloud.google.com/vpc