Amazon Virtual Private Cloud provides virtual networks and subnets that can be used to mimic on-premises networking.

New accounts are created with a default VPC and a default subnet in each AZ. Additional VPCs are called non-default.


  • Support for both IPv4 and IPv4 within a VPC.


  • VPCs are isolated sections of the AWS cloud associated with a CIDR block.
  • They contain Subnets, each with a non-overlapping IP address range. Optionally, they can also have their own route tables and network gateway.
  • Route tables define routing rules.
  • Internet gateways attached to VPCs allow connectivity between resources in the VPC and the Internet.
  • VPC endpoints allow private connectivity between a VPC
  • Peering and transit gateway


A subnet is a range of IP addresses within a VPC which may be assigned to AWS resources. Subnets are constrained to a single AZ.

Subnets can be either:

  • Public, where traffic is routed to an IGW.
  • Private, where traffic isn't routed to an IGW or egress-only IGW and can't reach the Internet.
  • VPN-only, where there's no route to the IGW but traffic is routed to a VPN or site-to-site VPN.


Two mechanisms are provided for securing subnets.

Security groups

Security groups control inbound and outbound traffic, acting as virtual firewalls. Up to five security groups can be associated to each instance.

There are separate rule sets for inbound and outbound rules.

Network ACLs

Network ACLs allow specifying rules at the VPC layer. They're sometimes used shadow the security group rules

Subnet groups

Subnet groups are used by some AWS services to allow assigning IP addresses to resources which can be configured for high high availability across multiple availability zones.

Flow logs

VPC flow logs capture traffic that flows to and from all network interfaces in a VPC or subnet, or an individual network interface. These logs are published to Logs or S3.

  1. PrivateLink