Amazon VPC: What It Is and When to Use It

Definition

Amazon Virtual Private Cloud (Amazon VPC) is a service that lets you launch AWS resources inside a logically isolated virtual network that you define and control. A VPC closely resembles a traditional data-center network — you pick the IP range, carve it into subnets, attach gateways, and apply security rules — but it runs on AWS's scalable global infrastructure and can stretch across multiple Availability Zones in a Region.

How It Works

A VPC is scoped to a single AWS Region. Inside it, you build up your network by combining a small number of primitives:

  • CIDR block — the IP range for the VPC (up to five IPv4 blocks, plus optional IPv6). AWS recommends private RFC 1918 ranges such as 10.0.0.0/16.
  • Subnets — a CIDR subset of the VPC, pinned to one Availability Zone. A subnet is public if its route table points 0.0.0.0/0 at an Internet Gateway; otherwise it is private.
  • Route tables — a set of routes that determines where a subnet's traffic goes (to an IGW, NAT Gateway, VPC Endpoint, peering connection, Transit Gateway, Virtual Private Gateway, etc.).
  • Internet Gateway (IGW) — horizontally scaled, highly available component that enables traffic to and from the internet for resources with public IPs.
  • NAT Gateway — managed service that allows resources in private subnets to reach the internet for outbound requests (software updates, external APIs) while remaining unreachable from the internet. Billed per hour and per GB.
  • Security Group — stateful, instance-level firewall. Allow rules only; return traffic is automatic. Supports references to other security groups as sources.
  • Network ACL (NACL) — stateless, subnet-level firewall. Allow and deny rules, evaluated in order. Useful as a broad deny layer on top of SGs.
  • VPC Endpoints — private connectivity to AWS services without traversing the internet. Gateway endpoints (free) exist only for S3 and DynamoDB; Interface endpoints (powered by PrivateLink, billed per hour + per GB) support most other AWS services and your own services shared across accounts.
  • VPC Peering — 1-to-1, non-transitive private link between two VPCs (same or different accounts, same or different Regions).
  • AWS Transit Gateway — a regional hub that transitively connects many VPCs, VPN connections, and Direct Connect gateways. Scales far better than many pairwise peerings.
  • Site-to-Site VPN / AWS Client VPN / Direct Connect — for hybrid connectivity to on-premises networks.
  • VPC Flow Logs — capture metadata about IP traffic to and from network interfaces. Written to CloudWatch Logs, S3, or Kinesis Data Firehose.

Every AWS account has a default VPC in each Region — pre-configured with public subnets in every AZ, an IGW, and automatic public-IPv4 assignment — useful for quick tests but not recommended for production.
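As an added example (not code from the article or from AWS), the following Python audit applies the public/private rule from the subnet and route-table bullets above to data shaped like `aws ec2 describe-route-tables` output; the route table, subnet and gateway IDs are constructed placeholders. It also handles the situation the default VPC paragraph hints at: a subnet with no explicit route-table association inherits the VPC's main route table, so if that table carries an IGW default route the subnet is public whether or not anyone intended it.

```python
from __future__ import annotations

PUBLIC, PRIVATE, ISOLATED = "public", "private (NAT egress)", "isolated"

def default_route_target(route_table: dict) -> str | None:
    """Target ID of the active IPv4 default route (igw-, nat-, tgw-, ...), or None if absent."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State", "active") != "active":
            continue   # not the default route, or a blackhole route that carries nothing
        return route.get("GatewayId") or route.get("NatGatewayId") or route.get("TransitGatewayId")
    return None

def classify_subnets(route_tables: list[dict], subnet_ids: list[str]) -> dict[str, str]:
    """Classify subnets by where their route table sends 0.0.0.0/0. A subnet with no explicit
    association inherits the VPC's main route table, which is how a subnet silently becomes
    public when the main table carries an Internet Gateway default route."""
    explicit, main = {}, None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    verdicts = {}
    for sid in subnet_ids:
        rt = explicit.get(sid, main)
        target = default_route_target(rt) if rt else None
        if target and target.startswith("igw-"):
            verdicts[sid] = PUBLIC
        elif target and target.startswith("nat-"):
            verdicts[sid] = PRIVATE
        else:
            verdicts[sid] = ISOLATED
    return verdicts

# Constructed sample shaped like `aws ec2 describe-route-tables` output (hypothetical IDs).
SAMPLE_ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}, {"SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}]},
    {"RouteTableId": "rtb-app", "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"}]},
    {"RouteTableId": "rtb-db", "Associations": [{"SubnetId": "subnet-db"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
]
# subnet-forgotten has no association of its own, so it inherits rtb-main and its IGW route.
SAMPLE_SUBNETS = ["subnet-web", "subnet-app", "subnet-db", "subnet-forgotten"]

if __name__ == "__main__":
    for subnet, verdict in classify_subnets(SAMPLE_ROUTE_TABLES, SAMPLE_SUBNETS).items():
        print(f"{subnet:18} {verdict}")
```

Run against real output, the check reports `subnet-forgotten` as public even though no one ever associated it with a public route table; that is the misconfiguration to look for first when a "private" subnet turns out to be reachable.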

Key Features and Limits

  • CIDR blocks: the VPC CIDR must be between /16 and /28. Five CIDRs can be attached to one VPC (1 primary + 4 secondary). AWS reserves the first 4 and the last 1 IP address in each subnet, so 5 addresses per subnet are unusable.
  • Subnets per VPC: 200 (soft limit, raisable).
  • VPCs per Region: 5 by default (soft limit, raisable).
  • Security Groups: 5 SGs per network interface, 60 inbound + 60 outbound rules per SG by default.
  • NAT Gateway: up to 45 Gbps per gateway; supports 55,000 concurrent connections per unique destination.
  • VPC Endpoint limits: 255 Interface endpoints per VPC; 20 Gateway endpoints.
  • Peering: non-transitive (A–B and B–C does not mean A–C) and must have non-overlapping CIDRs.
  • IPv6 support: assign /56 IPv6 CIDR to the VPC and /64s to subnets; use Egress-Only Internet Gateway for outbound-only IPv6.
  • No charge for the VPC itself — you pay for NAT Gateways, Transit Gateway attachments, Interface Endpoints, public IPv4 addresses (since Feb 2024), data transfer, and VPN/DX.

Common Use Cases

  1. Three-tier web applications — public ALB in public subnets, app servers in private subnets, databases in isolated private subnets with no outbound internet access.
  2. Hybrid networks — connect on-premises data centers to AWS via Site-to-Site VPN (quick start) or Direct Connect (high throughput, low latency) through a Virtual Private Gateway or Transit Gateway.
  3. Multi-VPC landing zones — separate VPCs per environment (prod, stage, dev) or per business unit, stitched together by Transit Gateway and governed with AWS Organizations SCPs.
  4. Service exposure via PrivateLink — expose a SaaS service to customers through Interface Endpoints with no VPC peering or IP overlap issues.
  5. Regulated workloads — isolated VPCs with no internet egress; data flows only through VPC Endpoints to approved AWS services and audited via VPC Flow Logs.
  6. Gaming and real-time services — custom routing, accelerated networking via Elastic Fabric Adapter, and placement groups inside a VPC.
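Added example, not code from the article: a small Python parser for default-format VPC Flow Log records (the Flow Logs primitive above), with the two checks a regulated-workload review (use case 5) most often starts with: accepted egress from private addresses to non-RFC 1918 destinations, and the external sources collecting the most REJECTs. The log lines, account ID and ENI ID are constructed sample data.

```python
import ipaddress
from collections import Counter

# Field order of the default (version 2) VPC Flow Logs record format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flow_log(text: str) -> list[dict]:
    """Parse default-format records; rows with log-status NODATA/SKIPDATA carry '-' fields and are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records

def is_internal(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def unexpected_egress(records: list[dict]) -> list[tuple[str, str, int]]:
    """ACCEPTed flows from an internal source to a non-RFC 1918 destination. In a VPC that
    is supposed to have no internet egress, every one of these is a finding to investigate."""
    return sorted({(r["srcaddr"], r["dstaddr"], r["dstport"]) for r in records
                   if r["action"] == "ACCEPT" and is_internal(r["srcaddr"]) and not is_internal(r["dstaddr"])})

def top_rejected_sources(records: list[dict], n: int = 3) -> list[tuple[str, int]]:
    """External sources with the most REJECTed flows: a cheap indicator of scanning or probing."""
    hits = Counter(r["srcaddr"] for r in records
                   if r["action"] == "REJECT" and not is_internal(r["srcaddr"]))
    return hits.most_common(n)

# Constructed sample records (TEST-NET addresses, hypothetical account ID and ENI).
SAMPLE_LOG = """\
2 111122223333 eni-0abc 203.0.113.10 10.0.1.25 55000 443 6 10 1500 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc 10.0.1.25 10.0.2.40 49152 5432 6 20 8000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc 10.0.1.25 198.51.100.7 49200 443 6 5 900 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc 192.0.2.9 10.0.1.25 40001 22 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc 192.0.2.9 10.0.1.25 40002 3389 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print("unexpected egress:", unexpected_egress(recs))
    print("top rejected sources:", top_rejected_sources(recs))
```

One caveat before acting on the egress check: traffic to S3 or DynamoDB through a Gateway endpoint still shows the service's public IP as the destination address, so allow-list those service prefix ranges first or the check will flag legitimate endpoint traffic.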

Pricing Model

The VPC itself is free. You pay for:

  • NAT Gateway — per hour per gateway + per GB processed.
  • Interface VPC Endpoints — per hour per AZ + per GB processed.
  • Transit Gateway — per hour per attachment + per GB processed.
  • Site-to-Site VPN / Client VPN — per-tunnel or per-connection hourly + data transfer.
  • Direct Connect — port hours + outbound data transfer.
  • Public IPv4 addresses — per-hour charge, whether attached or idle (since Feb 2024).
  • Data transfer — inter-AZ, inter-Region, and out-to-internet all incur charges.

NAT Gateway costs and cross-AZ data-transfer fees are two of the most common "hidden" line items on AWS bills — auditing them early in design saves money.

Pros and Cons

Pros

  • Strong isolation boundary that maps cleanly to security and compliance requirements.
  • Rich primitives: SGs for fine-grained allow rules, NACLs for blanket deny, flow logs for auditing.
  • Scales globally via Transit Gateway, Cloud WAN, and cross-Region peering.
  • Integration with every AWS service (IAM principals, CloudWatch metrics, Config rules, IAM Access Analyzer).

Cons

  • Many moving parts — teams commonly misconfigure route tables, NACLs, or endpoint policies during a migration.
  • NAT Gateway data processing is relatively expensive; VPC Endpoints often pay for themselves quickly for S3/DynamoDB-heavy workloads.
  • Peering does not transit — large mesh designs push you toward Transit Gateway, which has its own attachment fees.
  • Cross-AZ and cross-Region data transfer can surprise cost plans if not architected carefully.

Comparison with Alternatives

| Concept | Security Group | Network ACL |
| --- | --- | --- |
| Scope | Instance (ENI) | Subnet |
| State | Stateful | Stateless |
| Rule types | Allow only | Allow + Deny |
| Evaluation | All rules evaluated; any allow wins | Rules evaluated in numerical order; first match wins |
| Reference | SG IDs, prefix lists, IPs | IPs only |
| Default behavior | Deny inbound / allow all outbound | Default NACL allows all; custom NACL denies all |

Compared with Google VPC and Azure Virtual Network, Amazon VPC is Region-scoped (whereas GCP VPCs are global), has stricter subnet-to-AZ mapping, and expresses routing at the subnet level rather than the VM level.

Exam Relevance

VPC knowledge is central to many AWS certifications:

  • Cloud Practitioner (CLF-C02) — concept-level awareness of VPCs, subnets, IGW, and security groups.
  • Solutions Architect Associate (SAA-C03) — one of the heaviest topics: public vs private subnets, NAT Gateway placement, security groups vs NACLs, VPC endpoints for private access to S3/DynamoDB, peering vs Transit Gateway, hybrid connectivity choices.
  • Developer Associate (DVA-C02) — Lambda-in-VPC implications, IAM conditions based on VPC endpoints, and how API Gateway private endpoints work.
  • Advanced Networking Specialty (ANS-C01) — deep dive: Cloud WAN, BGP, multicast, route preference, Direct Connect Gateway routing, IPv6 dual stack.
  • Security Specialty (SCS-C02) — using VPC Flow Logs for forensics, GuardDuty findings around VPC traffic, micro-segmentation patterns with SGs.

High-frequency exam traps: NACLs are stateless (you must allow ephemeral return ports), Security Groups cannot deny (only allow), VPC Peering is not transitive, and NAT Gateway does not enable inbound internet access (use an IGW with a public IP for that).

Frequently Asked Questions

Q: What is the difference between a Security Group and a Network ACL?

A: Security Groups are stateful, instance-level firewalls with allow-only rules — return traffic is automatically permitted. Network ACLs are stateless, subnet-level firewalls that support both allow and deny rules, evaluated in numerical order. SGs are the primary tool for day-to-day access control; NACLs are typically used as a broad deny layer (e.g., blocking known-malicious CIDRs at the subnet edge).
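The Security Group versus Network ACL comparison table and the exam traps above (stateless NACLs need ephemeral return ports; SGs cannot deny) are easiest to see by simulating both evaluators side by side. This Python model is an added example, not AWS code or code from the article; the client address, ports and rule numbers are constructed, and it only models TCP destination-port matching.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # NACL evaluation order, lowest first; ignored for security groups
    cidr: str        # peer address range the rule covers
    port_from: int   # destination-port range of the packet being judged
    port_to: int
    action: str      # "allow" or "deny"; security groups only ever carry "allow"

def _matches(rule: Rule, peer_ip: str, dst_port: int) -> bool:
    return (ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= dst_port <= rule.port_to)

def nacl_decision(rules: list[Rule], peer_ip: str, dst_port: int) -> str:
    """Stateless: each packet is judged alone, lowest number first, first match wins, implicit '*' denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, peer_ip, dst_port):
            return rule.action
    return "deny"

class SecurityGroup:
    """Stateful: allow rules only; an admitted packet opens a tracked flow whose replies need no rule."""
    def __init__(self, inbound: list[Rule], outbound: list[Rule]) -> None:
        self.rules, self.flows = {"in": inbound, "out": outbound}, set()
    def decision(self, direction: str, peer_ip: str, peer_port: int, local_port: int) -> str:
        flow = (peer_ip, peer_port, local_port)
        if flow in self.flows:
            return "allow"                                   # return traffic of a tracked flow
        dst_port = local_port if direction == "in" else peer_port
        if any(_matches(r, peer_ip, dst_port) for r in self.rules[direction]):
            self.flows.add(flow)
            return "allow"
        return "deny"

# Constructed scenario: an HTTPS server; client 203.0.113.10 connects from ephemeral port 55000.
CLIENT, CLIENT_PORT = "203.0.113.10", 55000
NACL_IN = [Rule(50, "198.51.100.0/24", 0, 65535, "deny"), Rule(100, "0.0.0.0/0", 443, 443, "allow")]
NACL_OUT_BROKEN = [Rule(100, "0.0.0.0/0", 443, 443, "allow")]          # forgets the reply ports
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule(110, "0.0.0.0/0", 1024, 65535, "allow")]

def demo() -> dict[str, str]:
    sg = SecurityGroup(inbound=[Rule(0, "0.0.0.0/0", 443, 443, "allow")], outbound=[])
    return {"nacl_request": nacl_decision(NACL_IN, CLIENT, 443),
            "nacl_blocklisted": nacl_decision(NACL_IN, "198.51.100.7", 443),
            "nacl_reply_broken": nacl_decision(NACL_OUT_BROKEN, CLIENT, CLIENT_PORT),
            "nacl_reply_fixed": nacl_decision(NACL_OUT_FIXED, CLIENT, CLIENT_PORT),
            "sg_request": sg.decision("in", CLIENT, CLIENT_PORT, 443),
            "sg_reply": sg.decision("out", CLIENT, CLIENT_PORT, 443)}   # no outbound rule needed
```

Calling `demo()` shows the broken outbound NACL dropping the server's reply to the client's ephemeral port 55000 even though the request was admitted, while the security group admits the same reply with no outbound rule at all because it tracked the inbound flow; the numbered deny entry also shows why NACLs, not SGs, are the place for a subnet-edge blocklist.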

Q: When should I use a NAT Gateway versus a VPC Endpoint?

A: Use a NAT Gateway when private-subnet resources need to reach the internet (OS package updates, third-party APIs). Use a VPC Endpoint when those resources only need to reach AWS services like S3, DynamoDB, or Secrets Manager — endpoints keep the traffic on the AWS private network, are often cheaper than NAT data processing, and tighten your security posture by eliminating the internet path.

Q: What is VPC Peering and why isn't it transitive?

A: VPC Peering creates a private network connection between two VPCs so resources in each can communicate using private IPs. It is non-transitive by design: if VPC A peers with B and B peers with C, A cannot reach C through B. This keeps routing simple and secure. When you need many-to-many connectivity, AWS Transit Gateway acts as a hub that transitively connects attached VPCs and VPNs.


This article reflects AWS features and pricing as of 2026. AWS services evolve rapidly — always verify against the official Amazon VPC documentation before making production decisions.

Published: 4/16/2026