What is a VPC in AWS?

Question

Accepted Answer

A **VPC** (Virtual Private Cloud) is your own **isolated virtual network** within AWS — where you launch resources (like EC2 instances) with control over IP ranges, subnets, routing, and security. It's the networking foundation for AWS resources.

## What a VPC is

```text
A VPC is a logically ISOLATED virtual network in AWS that YOU control:
  → define your IP address range (CIDR block, e.g. 10.0.0.0/16)
  → divide it into SUBNETS; control ROUTING and security
  → your resources (EC2, RDS, etc.) live inside it, isolated from other networks
→ Like having your own private network in the cloud.
```

## Key components

```text
SUBNET → a segment of the VPC's IP range, placed in one Availability Zone:
  PUBLIC subnet  → has a route to the internet (via an Internet Gateway) — for
    public-facing resources (web servers, load balancers)
  PRIVATE subnet → NO direct internet route — for backend resources (databases, app
    servers) that shouldn't be publicly reachable
INTERNET GATEWAY → connects the VPC to the internet (for public subnets)
NAT GATEWAY → lets PRIVATE subnet resources reach OUT to the internet (e.g. updates)
  without being reachable FROM the internet
ROUTE TABLES → control where traffic goes
SECURITY GROUPS / NACLs → firewalls controlling traffic to resources/subnets
```

## A typical architecture

```text
VPC (10.0.0.0/16)
  ├─ PUBLIC subnet  → load balancer, bastion (internet-facing)
  └─ PRIVATE subnet → app servers, DATABASE (no direct internet access — more secure)
→ Public subnet handles incoming traffic; private subnet protects backend resources.
```

## Why it matters

Understanding VPCs is important because they're the **networking foundation** for AWS resources — almost everything runs inside a VPC — so it's essential foundational AWS knowledge for deploying resources securely.

A VPC provides your own **isolated virtual network** in AWS where you control IP ranges, subnets, routing, and security, giving you the ability to architect networking like an on-premises network but in the cloud.

Understanding the **key components** is necessary for deploying resources correctly: **subnets** (segments of the network, crucially divided into **public** subnets with internet access for public-facing resources and **private** subnets without direct internet access for backend resources), **internet gateways** (connecting to the internet), **NAT gateways** (letting private resources reach out without being reachable from outside), route tables, and security groups/NACLs (firewalls).

The **public/private subnet distinction is particularly important for security**: placing backend resources (especially databases) in **private subnets** — protected from direct internet access while public-facing resources (load balancers, web servers) handle incoming traffic in public subnets — is a fundamental security architecture that prevents direct exposure of sensitive backend systems.

Understanding this typical architecture (public subnet for internet-facing components, private subnet protecting databases and app servers) reflects sound, secure network design.

Since almost all AWS resources run within a VPC and proper network architecture (especially the public/private subnet separation) is essential for security, and since understanding VPCs, subnets, and the components is necessary for deploying AWS resources correctly and securely, understanding VPC basics is essential, foundational AWS knowledge — the networking layer underlying AWS deployments and a topic where the public/private subnet security pattern in particular is important for protecting backend resources, making it key knowledge for anyone architecting AWS infrastructure.