What Is an AWS VPC (Amazon Virtual Private Cloud)?

8 min read

Amnic


An AWS VPC (Amazon Virtual Private Cloud) is a logically isolated section of the AWS cloud where you run resources inside a virtual network that you control. You set the IP address range, split the network into subnets and decide how traffic moves in and out.

Think of it as your own data center network, rebuilt in software on AWS. Every EC2 instance, database and load balancer you launch lives inside a VPC, whether you configured one or AWS handed you a default. The VPC keeps your workloads separated from other AWS customers and from the public internet until you open a path on purpose.

What Is an AWS VPC?

Amazon VPC is the networking service that gives you a private, customizable network on AWS. It closely resembles a traditional on-premises network, with one practical difference: you build it in software in minutes instead of racking hardware.

Inside a VPC you control four things:

  • The IP address space, written as a CIDR block such as 10.0.0.0/16.

  • Subnets, which divide that address space into smaller zones.

  • Routing, which decides where traffic can travel.

  • Access, controlled by firewalls at the instance and subnet level.

A VPC lives in a single AWS Region and can stretch across multiple Availability Zones, which is how you design for high availability. Your account already includes a default VPC in each Region, so resources can launch right away, but most teams build their own for production control. Resources inside a VPC reach each other over private IP addresses and reach the internet only through a gateway you attach.

How an AWS VPC Works

Traffic in a VPC follows a short path. A resource sends a packet, a route table picks the next hop and a gateway or endpoint carries it to the destination.

Here is the flow in practice:

  1. You create a VPC and assign it a CIDR block.

  2. You add subnets, placing internet-facing resources in public subnets and protected resources such as databases in private subnets.

  3. Each subnet attaches to a route table that lists where its traffic may go.

  4. A public subnet routes internet-bound traffic to an internet gateway. A private subnet sends outbound traffic through a NAT gateway, so instances can reach the internet without being reachable from it.

  5. Security groups and network ACLs check the traffic at each step.

A simple web app shows the pattern: the web tier sits in a public subnet and answers users, while the database sits in a private subnet and only ever talks to the web tier. You decide what is reachable, from where and on which ports.
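The five steps above come down to one decision per packet: which entry in the sender's route table matches the destination. The following Python model is an added example, not code from the original article, and it shows that decision for the web-tier/database layout just described. The subnets, the route table contents and the igw-/nat- target names are constructed sample values; the point it makes beyond the text is that AWS chooses by longest-prefix match, so the implicit local route always beats the 0.0.0.0/0 default route for traffic that stays inside the VPC.

```python
"""Route-table lookup for the public/private subnet pattern.

Added example, not code from the original article: it models how a VPC
route table picks a next hop with longest-prefix match. The subnets, route
table contents and the igw-/nat- target names are constructed sample values.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")

# Every VPC route table carries an implicit "local" route for the VPC CIDR.
# The public table adds a default route to an internet gateway (igw-),
# the private table a default route to a NAT gateway (nat-).
ROUTE_TABLES = {
    "public":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")],
    "private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE")],
}

# Constructed subnets: one public and one private per Availability Zone.
SUBNETS = {
    "10.0.1.0/24":  "public",
    "10.0.2.0/24":  "public",
    "10.0.11.0/24": "private",
    "10.0.12.0/24": "private",
}


def subnet_kind(addr):
    """Return which route table ('public' or 'private') the host's subnet uses."""
    ip = ipaddress.ip_address(addr)
    for cidr, kind in SUBNETS.items():
        if ip in ipaddress.ip_network(cidr):
            return kind
    raise ValueError(f"{addr} is not inside any subnet of {VPC_CIDR}")


def next_hop(src, dst):
    """Target the sender's route table selects for dst, or None if no route
    matches (AWS then drops the packet). The most specific prefix wins."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for cidr, target in ROUTE_TABLES[subnet_kind(src)]:
        net = ipaddress.ip_network(cidr)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def is_public(kind):
    """AWS's working definition of a public subnet: its route table has a
    route whose target is an internet gateway."""
    return any(target.startswith("igw-") for _, target in ROUTE_TABLES[kind])


if __name__ == "__main__":
    for src, dst in [("10.0.1.10", "10.0.11.5"),     # web tier -> database: local
                     ("10.0.1.10", "198.51.100.7"),  # web tier -> internet: IGW
                     ("10.0.11.5", "198.51.100.7")]: # database -> internet: NAT
        print(f"{src} -> {dst}: {next_hop(src, dst)}")
```

Note that the private subnet's only way out is the NAT gateway, and nothing on the internet side holds a route back to 10.0.11.0/24 except through that gateway's translation state, which is why the database tier is unreachable from outside even though it can fetch updates.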

Core Components of an AWS VPC

Every AWS VPC is assembled from the same parts:

  • Subnet: a slice of your VPC IP range inside one Availability Zone. A public subnet has a route to an internet gateway; a private subnet has no such route and reaches out, if at all, through a NAT gateway.

  • Route table: a set of rules that direct traffic from a subnet or gateway toward its target.

  • Internet gateway: connects your VPC to the public internet.

  • NAT gateway: lets private-subnet instances make outbound connections while staying hidden from inbound traffic.

  • Security group: a stateful firewall at the instance level that allows return traffic automatically.

  • Network ACL (NACL): a stateless firewall at the subnet level that can allow or deny traffic.

  • CIDR block: the notation that sets your IP address range, for example 10.0.0.0/16.

  • VPC endpoint: a private link to AWS services such as S3 that skips the public internet.

You watch all of it with VPC Flow Logs, which record the traffic going to and from every network interface.
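Flow Logs only pay off if someone reads them. The script below is an added example, not code from the original article, showing a minimal triage pass over records in the default (version 2) flow-log format: it counts rejected flows per source address and flags accepted flows that reached a sensitive port from an address outside the VPC. The log lines, the account id, the eni- ids and the addresses are constructed sample values, and the VPC CIDR and the sensitive-port list are assumptions for the example.

```python
"""Triage of VPC Flow Log records.

Added example, not code from the original article. The records below are
constructed in the default flow-log format (version 2, space separated);
the account id, eni- ids and addresses are sample values. The VPC CIDR and
the list of sensitive ports are assumptions for the example.
"""
import ipaddress
from collections import Counter

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
SENSITIVE_PORTS = {22: "ssh", 3306: "mysql", 5432: "postgres"}

# Field order of the default (version 2) flow-log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: an internal database flow, a web request,
# a rejected SSH probe, an external connection to the database port and
# a NODATA record with no flow fields.
SAMPLE_LOG = """\
2 111122223333 eni-0a1b2c3d 10.0.1.10 10.0.11.5 51234 3306 6 20 4249 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40001 443 6 10 2000 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40002 22 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0e5f6a7b 198.51.100.9 10.0.11.5 40003 3306 6 5 500 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0e5f6a7b - - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse(text):
    """Yield one dict per usable record; NODATA/SKIPDATA records carry no
    flow fields and are dropped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        rec["srcport"] = int(rec["srcport"])
        rec["dstport"] = int(rec["dstport"])
        yield rec


def triage(text):
    """Two defender views of the log: which sources are being rejected, and
    which accepted flows reached a sensitive port from outside the VPC."""
    rejects = Counter()
    exposed = []
    for rec in parse(text):
        if rec["action"] == "REJECT":
            rejects[rec["srcaddr"]] += 1
            continue
        if (rec["dstport"] in SENSITIVE_PORTS
                and ipaddress.ip_address(rec["srcaddr"]) not in VPC_CIDR):
            exposed.append((rec["interface_id"], rec["srcaddr"],
                            SENSITIVE_PORTS[rec["dstport"]]))
    return rejects, exposed


if __name__ == "__main__":
    rejects, exposed = triage(SAMPLE_LOG)
    print("rejected flows by source:", dict(rejects))
    for eni, src, service in exposed:
        print(f"{service} on {eni} accepted a connection from outside the VPC: {src}")
```

The internal database flow is not flagged because its source sits inside the VPC CIDR; the accepted 3306 flow from 198.51.100.9 is, and in a layout where the database subnet is meant to be private that single record points at a routing or firewall mistake.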

Security Groups vs Network ACLs

Two firewalls protect a VPC and they behave differently:

| | Security group | Network ACL |
|---|---|---|
| Scope | Instance level | Subnet level |
| State | Stateful | Stateless |
| Rules | Allow only | Allow and deny |
| Evaluation | All rules apply | Rules run in number order |

Most production setups use both: NACLs for broad subnet rules and security groups for fine-grained control on each resource.
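The practical consequence of the stateful/stateless split is easiest to see on one HTTPS round trip. The model below is an added example, not code from the original article: a security group with a single inbound allow for port 443 passes both the request and the reply, while a network ACL with the same inbound rule drops the reply until an outbound rule for the ephemeral port range is added, and a deny rule with a lower number wins over a later allow. The addresses, ports and rule sets are constructed sample values, and the model leaves out details such as the allow-all outbound rule AWS places on a new security group.

```python
"""Stateful security group versus stateless network ACL.

Added example, not code from the original article: it reproduces the
State, Rules and Evaluation rows of the comparison above on one HTTPS
round trip. Addresses, ports and rule sets are constructed sample values;
the model ignores details such as the default allow-all outbound rule AWS
puts on a new security group.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny" (security groups only use "allow")
    proto: str
    port_from: int
    port_to: int
    cidr: str
    number: int = 0      # NACL rule number; unused by security groups

    def matches(self, pkt, direction):
        # Inbound rules match the remote source, outbound rules the remote
        # destination; the port is the destination port in both directions.
        peer = pkt.src if direction == "in" else pkt.dst
        return (self.proto == pkt.proto
                and self.port_from <= pkt.dport <= self.port_to
                and ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Instance-level, stateful, allow-only, all rules considered."""

    def __init__(self, inbound, outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.tracked = set()  # connection-tracking table of permitted flows

    def permits(self, pkt, direction):
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        if reverse in self.tracked:        # reply to a tracked flow: always allowed
            return True
        rules = self.inbound if direction == "in" else self.outbound
        if any(r.matches(pkt, direction) for r in rules):
            self.tracked.add((pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto))
            return True
        return False


class NetworkAcl:
    """Subnet-level, stateless, allow or deny, first match in number order."""

    def __init__(self, inbound, outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)

    def permits(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        for r in sorted(rules, key=lambda rule: rule.number):
            if r.matches(pkt, direction):
                return r.action == "allow"   # first matching rule decides
        return False                         # implicit "*" rule denies the rest


def round_trip(fw):
    """Client 198.51.100.7:51000 -> instance 10.0.1.10:443 and the reply.
    Returns (request permitted, reply permitted)."""
    request = Packet("198.51.100.7", "10.0.1.10", 51000, 443)
    reply = Packet("10.0.1.10", "198.51.100.7", 443, 51000)
    return fw.permits(request, "in"), fw.permits(reply, "out")


ALLOW_HTTPS = Rule("allow", "tcp", 443, 443, "0.0.0.0/0", number=100)
ALLOW_EPHEMERAL_OUT = Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0", number=100)
DENY_ONE_NETWORK = Rule("deny", "tcp", 443, 443, "198.51.100.0/24", number=90)


def scenarios():
    return {
        # Stateful: the inbound allow is enough, the reply rides on the tracked flow.
        "security group":          round_trip(SecurityGroup([ALLOW_HTTPS])),
        # Stateless: without an outbound ephemeral-port rule the reply is dropped.
        "nacl, inbound only":      round_trip(NetworkAcl([ALLOW_HTTPS])),
        "nacl, with ephemeral":    round_trip(NetworkAcl([ALLOW_HTTPS], [ALLOW_EPHEMERAL_OUT])),
        # Deny rule 90 is evaluated before allow rule 100, so this client is blocked.
        "nacl, deny before allow": round_trip(NetworkAcl([DENY_ONE_NETWORK, ALLOW_HTTPS],
                                                         [ALLOW_EPHEMERAL_OUT])),
    }


if __name__ == "__main__":
    for name, (req, rep) in scenarios().items():
        print(f"{name:24} request={'allow' if req else 'drop'} reply={'allow' if rep else 'drop'}")
```

The "nacl, inbound only" case is the classic outage: the listener is reachable, the handshake never completes, and nothing in the instance's own security group explains it. It is also why a deny for a specific network belongs in the NACL, since a security group has no deny rules at all.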

AWS VPC vs Private Cloud vs VPS

Three terms get mixed up constantly and they are not the same thing.

| Term | What it is | Where it runs |
|---|---|---|
| AWS VPC | An isolated virtual network inside AWS | Public cloud (AWS) |
| Private cloud | Cloud infrastructure dedicated to one organization | On-premises or hosted |
| VPS | A single rented virtual server | A provider's shared hardware |

AWS is a public cloud, not a private one. A VPC gives you a private, isolated network on that public cloud, which is where the word private comes from. It is not a private cloud, which is dedicated infrastructure your organization owns or rents in full. 

A VPS is a far smaller unit: one virtual machine, not a configurable network. The same isolation pattern appears on every major provider, so if you want the provider-neutral view, see how a virtual private cloud works on any cloud before you commit to one.

What Does an AWS VPC Cost?

Creating a VPC costs nothing. AWS applies no extra charge for the VPC itself. The bill comes from the components you run inside it. These rank among the most misread charges on an AWS invoice because they hide under line items such as EC2-Other.

Four components account for most VPC spend:

  • NAT gateways: A NAT gateway runs about $0.045 per hour, roughly $33 a month before any traffic, plus $0.045 for every GB it processes. Deploy one per Availability Zone and the base charge alone multiplies.

  • Public IPv4 addresses: AWS charges $0.005 per hour for every public IPv4 address, about $3.65 a month each, whether it is attached to a resource or sitting idle.

  • Data transfer: Sending data out to the internet starts at $0.09 per GB. Traffic between Availability Zones inside the VPC carries its own per-GB charge.

  • VPC endpoints: Interface endpoints bill per hour and per GB, but gateway endpoints for S3 and DynamoDB are free and pull that traffic off the NAT gateway completely.

The fix is visibility first, then design. Route S3 and DynamoDB through free gateway endpoints, consolidate NAT gateways where availability allows and keep a close watch on cross-zone traffic. That visibility is what let one team cut NAT and CloudWatch costs by 30% once the spend was no longer buried in a catch-all line item.

Real-World Use Cases

Teams reach for AWS VPC whenever isolation, control or compliance matters:

  • Multi-tier applications: Web servers sit in public subnets while databases stay in private subnets, so the data layer never faces the internet.

  • Workload isolation: Each environment, team or customer gets its own VPC or subnet, so trouble in one cannot spread to another.

  • Hybrid connectivity: A Site-to-Site VPN or AWS Direct Connect links a VPC to your on-premises data center and runs one network across both.

  • Private service access: AWS PrivateLink and VPC endpoints reach AWS or partner services without crossing the public internet.

  • Growth across Regions: VPC peering or a Transit Gateway connects many VPCs as your footprint expands.

Why an AWS VPC Matters

A VPC is the security boundary for almost everything you run on AWS. Security groups, network ACLs and private subnets let you apply defense in depth, so one misconfiguration does not expose the whole stack. The same controls back your compliance work, because you can show exactly how traffic is segmented.

It is also where a large share of avoidable cloud spend hides. Networking charges are quick to switch on and easy to forget, so VPC design sits at the center of any serious AWS cost effort. When you can see every VPC charge by component and account, you fix security and the bill at the same time.

Conclusion

An AWS VPC gives you a private, controllable network on top of AWS's public cloud. Learn the components, place your subnets with intent and keep a close watch on the NAT gateways, IP addresses and data transfer that quietly shape the cost. Strong network design is where security and savings meet. It underpins any mature FinOps practice.

Frequently Asked Questions

What does VPC stand for in AWS?

VPC stands for Virtual Private Cloud. It is a logically isolated virtual network inside AWS where you launch resources, set your own IP address range, create subnets and control how traffic flows in and out.

Is AWS a private cloud or a public cloud?

AWS is a public cloud. A VPC does not change that. It gives you a private, isolated network inside the public cloud, so your resources stay separated from other tenants and from the internet until you allow access.

What is the difference between a VPC and a VPS?

A VPC is a full virtual network where you run many resources with your own subnets, routing and firewalls. A VPS is a single rented virtual server. A VPC is about the network and a VPS is about one machine.

Is an AWS VPC free?

Creating a VPC is free. You pay for what runs inside it: NAT gateways, public IPv4 addresses, data transfer and interface endpoints. Gateway endpoints for S3 and DynamoDB carry no charge.

What are the main components of an AWS VPC?

The core components are subnets, route tables, internet gateways, NAT gateways, security groups, network ACLs, CIDR blocks and VPC endpoints. Together they set your IP space, direct traffic and enforce security.

What is the difference between a security group and a NACL?

A security group is a stateful firewall at the instance level and allows traffic only. A network ACL is a stateless firewall at the subnet level and can allow or deny traffic. Most setups use both together.
