A Virtual Private Cloud (VPC) is a logically isolated section of a public cloud provider's network where you can launch and manage resources in a virtual network that you define and control.
A VPC is a software-defined network (SDN) hosted within a public cloud such as AWS, Google Cloud, or Azure. Despite living on shared physical infrastructure, it is logically isolated from other customers' networks. You control its IP address ranges, subnets, route tables, and gateways, making it behave like a traditional on-premises data center network.
VPCs are the foundational security and networking boundary for cloud workloads. They let you enforce strict access controls, segment workloads into private and public tiers, and prevent unauthorized traffic from reaching sensitive resources. Without a VPC, all cloud resources would share an undifferentiated public network with no isolation guarantees.
A VPC is composed of subnets (subdivisions mapped to availability zones), route tables (rules that control where traffic flows), internet gateways (allow public internet access), and NAT gateways (allow private subnets to reach the internet without being directly exposed). Security groups and network ACLs act as stateful and stateless firewalls respectively at the instance and subnet levels.
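The difference between a stateful security group and a stateless network ACL is easiest to see on a single request/reply pair. The following is an added example, not code from the original guide or from any cloud provider's SDK: it models both filter layers in plain Python and shows why a network ACL that allows inbound HTTPS but has no outbound rule for ephemeral ports silently drops the server's replies, while a security group with only the inbound 443 rule lets the same replies through because it tracks the flow. All addresses, ports and rule sets below are constructed for illustration.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"
    cidr: str        # remote address range the rule applies to
    port_from: int   # inclusive port range on the destination side
    port_to: int

    def matches(self, addr, port):
        return (ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


class NetworkACL:
    """Stateless subnet-level filter: ordered rules, first match wins, default deny.
    Every packet, including replies, is evaluated on its own."""

    def __init__(self, inbound, outbound):
        self.inbound = list(inbound)
        self.outbound = list(outbound)

    @staticmethod
    def _evaluate(rules, addr, port):
        for rule in rules:
            if rule.matches(addr, port):
                return rule.action == "allow"
        return False

    def allows_inbound(self, pkt):
        return self._evaluate(self.inbound, pkt.src, pkt.dst_port)

    def allows_outbound(self, pkt):
        return self._evaluate(self.outbound, pkt.dst, pkt.dst_port)


class SecurityGroup:
    """Stateful instance-level filter: allow rules only. Once an inbound flow is
    accepted it is tracked, and its reply traffic passes with no outbound rule."""

    def __init__(self, inbound, outbound=()):
        self.inbound = list(inbound)
        self.outbound = list(outbound)
        self._tracked = set()  # (src, src_port, dst, dst_port) of accepted flows

    def allows_inbound(self, pkt):
        for rule in self.inbound:
            if rule.matches(pkt.src, pkt.dst_port):
                self._tracked.add((pkt.src, pkt.src_port, pkt.dst, pkt.dst_port))
                return True
        return False

    def allows_outbound(self, pkt):
        # The reply to a tracked flow has src/dst swapped relative to the request.
        if (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port) in self._tracked:
            return True
        return any(r.matches(pkt.dst, pkt.dst_port) for r in self.outbound)


def demo_https_request_reply():
    """Constructed scenario: an internet client talks HTTPS to a web server in a public subnet."""
    client, server = "203.0.113.10", "10.0.1.20"
    request = Packet(src=client, dst=server, src_port=51515, dst_port=443)
    reply = Packet(src=server, dst=client, src_port=443, dst_port=51515)

    sg = SecurityGroup(inbound=[Rule("allow", "0.0.0.0/0", 443, 443)])
    # Network ACL that forgot the outbound ephemeral-port rule: a common misconfiguration.
    nacl_missing = NetworkACL(
        inbound=[Rule("allow", "0.0.0.0/0", 443, 443)],
        outbound=[Rule("allow", "0.0.0.0/0", 443, 443)])
    # Corrected network ACL: replies go back to the client's ephemeral port, so allow that range.
    nacl_fixed = NetworkACL(
        inbound=[Rule("allow", "0.0.0.0/0", 443, 443)],
        outbound=[Rule("allow", "0.0.0.0/0", 443, 443),
                  Rule("allow", "0.0.0.0/0", 1024, 65535)])
    return {
        "sg_request": sg.allows_inbound(request),
        "sg_reply": sg.allows_outbound(reply),
        "nacl_missing_reply": nacl_missing.allows_inbound(request) and nacl_missing.allows_outbound(reply),
        "nacl_fixed_reply": nacl_fixed.allows_inbound(request) and nacl_fixed.allows_outbound(reply),
    }


if __name__ == "__main__":
    for name, ok in demo_https_request_reply().items():
        print(f"{name}: {'allowed' if ok else 'dropped'}")
```

The practical lesson is that security groups and network ACLs are complementary, not interchangeable: a network ACL needs explicit rules in both directions (including the ephemeral port range for replies), and a change that looks harmless on one layer can break traffic that the other layer would have allowed.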
A public subnet has a route to an internet gateway, making resources reachable from the internet when assigned a public IP. A private subnet has no such route, so resources are shielded from direct inbound internet traffic. A common architecture places web servers in public subnets and databases or application servers in private subnets, routing outbound traffic through a NAT gateway.
VPC peering creates a private network connection between two VPCs, allowing traffic to route between them without traversing the public internet. For connecting a VPC to an on-premises data center, you use a VPN connection or AWS Direct Connect (or equivalent). Transit Gateways can act as a central hub to interconnect many VPCs at scale, avoiding complex point-to-point peering meshes.
The IP address range (CIDR block) you assign to a VPC cannot be changed after creation, and overlapping CIDR ranges between peered VPCs or on-premises networks will break routing. Always plan your IP address space carefully upfront, leaving room for growth. A common best practice is to use a /16 block for the VPC and carve out /24 subnets per availability zone per tier.
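The two pieces of advice above, one /24 per availability zone per tier out of a /16 and no overlap with anything you will peer or connect to, can be checked before a single resource is created. The following is an added example, not code from the original guide: it carves the subnet plan with Python's standard `ipaddress` module, attaches the default route each tier gets (internet gateway for public, NAT gateway for private, matching the architecture described earlier), and flags candidate peer or on-premises CIDRs that overlap the VPC. The VPC range, availability-zone names and peer networks are constructed values.

```python
import ipaddress

TIERS = ("public", "private")  # assumed two-tier layout; add "data" etc. as needed


def subnet_capacity(vpc_cidr, prefix=24):
    """How many subnets of the given prefix length fit in the VPC (room for growth)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if prefix < vpc.prefixlen:
        raise ValueError(f"subnet prefix /{prefix} is larger than the VPC /{vpc.prefixlen}")
    return 2 ** (prefix - vpc.prefixlen)


def plan_subnets(vpc_cidr, azs, tiers=TIERS, prefix=24):
    """Allocate one /prefix subnet per (tier, availability zone), in order,
    from the start of the VPC block. Returns {(tier, az): ip_network}."""
    needed = len(tiers) * len(azs)
    if needed > subnet_capacity(vpc_cidr, prefix):
        raise ValueError(f"{needed} subnets requested but only "
                         f"{subnet_capacity(vpc_cidr, prefix)} /{prefix} blocks fit")
    candidates = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix)
    return {(tier, az): next(candidates) for tier in tiers for az in azs}


def route_table_for(tier, vpc_cidr):
    """Default route per tier: public subnets send 0.0.0.0/0 to the internet
    gateway, private subnets to a NAT gateway. Intra-VPC traffic stays local."""
    target = "igw" if tier == "public" else "nat"
    return {vpc_cidr: "local", "0.0.0.0/0": target}


def is_directly_reachable_from_internet(tier, has_public_ip, vpc_cidr="10.0.0.0/16"):
    """A resource is exposed only when its subnet routes to an IGW *and* it has a public IP."""
    return route_table_for(tier, vpc_cidr)["0.0.0.0/0"] == "igw" and has_public_ip


def find_overlaps(vpc_cidr, other_cidrs):
    """Return every candidate peer/on-prem CIDR that overlaps the VPC.
    Any hit means routes between the two networks would be ambiguous."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [c for c in other_cidrs if vpc.overlaps(ipaddress.ip_network(c))]


if __name__ == "__main__":
    VPC = "10.0.0.0/16"
    AZS = ["us-east-1a", "us-east-1b", "us-east-1c"]  # constructed zone names
    plan = plan_subnets(VPC, AZS)
    for (tier, az), net in plan.items():
        print(f"{tier:8} {az:12} {net}  default-route -> {route_table_for(tier, VPC)['0.0.0.0/0']}")
    print(f"{subnet_capacity(VPC) - len(plan)} /24 blocks left for growth")
    # Constructed candidate networks to peer or connect: one of them collides with the VPC.
    print("overlapping:", find_overlaps(VPC, ["10.0.128.0/17", "192.168.0.0/16", "172.16.0.0/12"]))
```

Running this for the three-zone plan prints public subnets 10.0.0.0/24 through 10.0.2.0/24, private subnets 10.0.3.0/24 through 10.0.5.0/24, 250 spare /24 blocks, and flags 10.0.128.0/17 as the one candidate that cannot be peered without renumbering. Because the VPC CIDR cannot be changed later, running a check like `find_overlaps` against every network you expect to connect, including ones planned for the future, is the cheapest time to catch the mistake.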