Amazon VPC
Amazon VPC (Virtual Private Cloud) is the private, isolated network within AWS. You operate your servers and services in it with full control over IP ranges, subnets and access rules.
What is Amazon VPC?
Amazon VPC (Virtual Private Cloud) is the networking foundation of every AWS environment. A VPC is a logically isolated, private network space that belongs exclusively to you. Within this VPC, you run your EC2 instances, databases and containers – isolated from the networks of other AWS customers.
The VPC gives you the same level of control you’re used to in a traditional corporate network: you define IP address ranges, divide the network into subnets and use rules to specify exactly which traffic is permitted. Unlike in a physical data centre, all of this is done via software and takes just minutes.
The building blocks of a VPC
- Subnets: Subdivisions of the VPC. Public subnets have a connection to the internet; private subnets are isolated from the outside world.
- Routing tables: These determine where network traffic from a subnet is routed.
- Internet Gateway and NAT Gateway: These enable controlled access to and from the internet.
- Security Groups and Network ACLs: Multiple layers of firewall rules that filter incoming and outgoing traffic.
Secure network architecture
A proven architecture places only the bare essentials in public subnets – such as a load balancer. Application servers and, in particular, databases belong in private subnets that are not directly accessible from the internet. A database in a private subnet cannot be reached directly from the internet even if its access credentials were compromised, simply because there is no route to it from outside; an attacker would first need a foothold inside the VPC, which is why the security groups between the tiers matter as well.
Connection to the corporate network
A VPC can be connected to the existing corporate network via a VPN or AWS Direct Connect. This creates a hybrid environment in which local systems and cloud resources work together as if on a single network – a key building block for phased cloud migrations.
VPC in SMEs
The VPC is not an optional extra, but the foundation of every AWS environment – every account already comes with a standard VPC. For production workloads, however, a carefully designed network architecture with clearly separated public and private subnets is worthwhile. This network architecture is ideally described as Infrastructure as Code, ensuring it remains versioned, reproducible and traceable.
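The architecture described above, written as Infrastructure as Code: an added Terraform example (not this page's or any provider's own code) with a public and a private subnet, the route tables that separate them, and a database security group that admits traffic only from the application tier. The CIDR ranges, resource names and the PostgreSQL port are assumptions; the NAT gateway and the app tier's own ingress rules are left out for brevity.

```hcl
# Added example, not the page's own code. Assumed CIDRs: 10.0.0.0/16 (VPC),
# 10.0.1.0/24 (public), 10.0.2.0/24 (private); AWS provider configured elsewhere.
resource "aws_vpc" "main" { cidr_block = "10.0.0.0/16" }

# Public subnet: only the load balancer goes here.
resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

# Private subnet: application servers and the database.
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.2.0/24"
}
resource "aws_internet_gateway" "igw" { vpc_id = aws_vpc.main.id }

# Public route table: default route via the internet gateway.
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# Private route table: deliberately no 0.0.0.0/0 route to the IGW, so the subnet
# is unreachable from the internet (a NAT gateway route would add outbound-only access).
resource "aws_route_table" "private" { vpc_id = aws_vpc.main.id }
resource "aws_route_table_association" "private" {
  subnet_id      = aws_subnet.private.id
  route_table_id = aws_route_table.private.id
}

# DB security group: PostgreSQL only from the app tier's group, never from a CIDR.
resource "aws_security_group" "app" { vpc_id = aws_vpc.main.id }
resource "aws_security_group" "db" {
  vpc_id = aws_vpc.main.id
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }
}
```

Because the private route table carries only the implicit local route, `terraform plan` makes the isolation reviewable before anything is created.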
Frequently asked questions about Amazon VPC
The VPC itself is free of charge. Costs are incurred for additional components such as NAT gateways (around USD 35 per month plus data processing), VPN connections or VPC endpoints. A simple VPC without these components does not incur any direct costs.
A public subnet has a direct route to the internet via an internet gateway – suitable for load balancers. A private subnet is sealed off from the outside and cannot be accessed directly from the internet – the right place for application servers and databases.
A security group is a virtual firewall at the level of individual resources such as EC2 instances. It determines which incoming and outgoing network traffic is permitted. Security groups are a central tool for restricting access to servers in a targeted manner.
Yes, a VPC can be linked to the local company network via a VPN connection or AWS Direct Connect. This creates a hybrid environment in which local systems and cloud resources work together – ideal for gradual migrations.
Last updated: May 2026