Virtual Private Cloud

A Virtual Private Cloud (VPC) is an isolated virtual network in AWS that you define and control. It provides the networking layer for your AWS resources and is the fundamental construct for defining IP addressing, routing, access control, and connectivity.

A VPC has one primary IPv4 CIDR block that you assign when creating it (for example, 10.0.0.0/16). All subnets you create within the VPC draw their IP ranges from the VPC's CIDR block.

A VPC is confined to a single region and cannot span regions; resources that run inside a VPC must therefore be launched into a VPC in the same region.

A VPC is divided into one or more subnets. Each subnet maps to a single Availability Zone (AZ). Subnets are the unit for routing and for placing resources (EC2 instances, RDS, etc.).

A VPC uses route tables to determine how traffic flows between subnets, the internet, and on-premises networks. Each subnet is associated with a route table; the VPC has a main route table used by subnets that have no explicit association.

A VPC is not automatically internet-connected. To enable Internet access for resources in a subnet, that subnet must be public (have a route to an Internet Gateway) and the resource must have a public IP. Private subnets access the internet through NAT (NAT Gateway or NAT instance) using appropriate route table entries.

A VPC can connect to other VPCs (VPC peering, Transit Gateway), to on-premises networks (VPN, AWS Direct Connect), and to other AWS services using VPC endpoints. Connections are explicit constructs and do not exist by default.

A VPC controls traffic using security groups (stateful, applied to instances/ENIs) and network access control lists, or NACLs (stateless, applied to subnets). These are independent of IAM and operate at the network layer.

AWS resources such as EC2 instances, RDS databases, ECS tasks, and Lambda functions (when configured for VPC access) are launched into a specific subnet inside a specific VPC. A given instance or ENI is bound to one VPC at a time.

Recommendations

  • Create a VPC with a single IPv4 CIDR block (e.g., 10.0.0.0/16).
  • Create at least two subnets in different AZs: one public (with a route to the Internet Gateway) and one private (with a route to NAT for outbound internet).
  • Attach an Internet Gateway to the VPC for public connectivity.
  • Configure route tables: public subnets use a route to the Internet Gateway; private subnets use a route to a NAT Gateway.
  • Use security groups to allow required inbound/outbound traffic and NACLs only for fine-grained subnet-level controls when necessary.
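The following is an added example, not code from the original page or from AWS: a small offline check, written for this page, that applies the rules above to a planned layout. It classifies each subnet as public (default route to an Internet Gateway), private (default route to a NAT Gateway) or isolated, and verifies that subnet CIDRs fall inside the VPC block without overlapping, that both a public and a private subnet exist, and that at least two AZs are used. The `Subnet` model, the route dictionaries and the resource IDs (`igw-EXAMPLE`, `nat-EXAMPLE`) are constructed placeholders, not real AWS identifiers.

```python
import ipaddress
from dataclasses import dataclass

DEFAULT_ROUTE = "0.0.0.0/0"

@dataclass
class Subnet:
    name: str
    cidr: str
    az: str
    routes: dict  # the subnet's route table: destination CIDR -> target id

def classify(subnet):
    """Public: 0.0.0.0/0 -> Internet Gateway. Private: -> NAT Gateway. Isolated: no default route."""
    target = subnet.routes.get(DEFAULT_ROUTE)
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "unknown"

def validate_vpc(vpc_cidr, subnets):
    """Return a list of findings; an empty list means the layout follows the recommendations above."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings, seen = [], []
    for s in subnets:
        net = ipaddress.ip_network(s.cidr)
        if not net.subnet_of(vpc):
            findings.append(f"{s.name}: {s.cidr} lies outside the VPC block {vpc_cidr}")
        for other_name, other in seen:
            if net.overlaps(other):
                findings.append(f"{s.name}: {s.cidr} overlaps {other_name}")
        seen.append((s.name, net))
        if classify(s) == "unknown":
            findings.append(f"{s.name}: default route has unexpected target {s.routes[DEFAULT_ROUTE]}")
    kinds = {classify(s) for s in subnets}
    if "public" not in kinds:
        findings.append("no public subnet: nothing routes 0.0.0.0/0 to an Internet Gateway")
    if "private" not in kinds:
        findings.append("no private subnet: nothing routes 0.0.0.0/0 to a NAT Gateway")
    if len({s.az for s in subnets}) < 2:
        findings.append("subnets span fewer than two Availability Zones")
    return findings

# Constructed sample layout following the recommendations; IDs are placeholders, not real AWS IDs.
LOCAL = {"10.0.0.0/16": "local"}
GOOD = [Subnet("public-a", "10.0.0.0/24", "us-east-1a", {**LOCAL, DEFAULT_ROUTE: "igw-EXAMPLE"}),
        Subnet("private-b", "10.0.1.0/24", "us-east-1b", {**LOCAL, DEFAULT_ROUTE: "nat-EXAMPLE"})]
```

Running `validate_vpc("10.0.0.0/16", GOOD)` returns an empty list; feeding it a layout with overlapping or out-of-range CIDRs, a single AZ, or no NAT route produces one finding per violated rule.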
