Amazon VPC
VPC is the foundational network layer that defines the private address space and communication boundaries where AWS resources live. You combine subnets, routing, gateways, and security rules to decide which resources can talk to which destinations.
Your web tier needs to be reachable from outside, but your database should not be, and putting both on the same public network makes it hard to say what is exposed to whom. Without separate subnets and routes, the line between external exposure and internal communication quickly blurs.
On-premises, VLANs, firewalls, and routers segmented the network, but in the cloud these boundaries needed to be recreated through APIs. That made VPC, a virtual network layer managed like code alongside infrastructure, essential.
VPC divides a network by combining the IP ranges you choose with subnets, route tables, internet gateways, NAT gateways, security groups, and network ACLs. It supports both IPv4 and IPv6, separates public from private resources, and lets you control inbound and outbound paths at each layer. A subnet is public only because its route table sends default traffic (0.0.0.0/0 or ::/0) to an internet gateway; a private subnet sends that traffic to a NAT gateway for outbound-only access, or has no default route at all. Security groups are stateful and attach to the resource, network ACLs are stateless and attach to the subnet, and a resource is reachable from the internet only when the route, a public address, and a permitting rule all line up.
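The check a practitioner wants after laying out these pieces is "which of my resources can the internet actually reach?" The script below is an added example, not AWS code or anything from this page: it walks the JSON shapes returned by `aws ec2 describe-route-tables`, `describe-subnets`, `describe-security-groups` and `describe-instances` (trimmed to the fields it uses), classifies each subnet as public, private or isolated from its route table, and then reports an instance as exposed only when a public subnet, a public IP and a world-open security-group rule coincide. All IDs, CIDRs and rules are constructed sample data; it assumes network ACLs are left at their default allow-all (they are not evaluated) and counts only IPv4 public addresses.

```python
"""Audit internet exposure in a VPC from describe-* style JSON (added example).

Input mirrors `aws ec2 describe-route-tables`, `describe-subnets`,
`describe-security-groups` and `describe-instances`, trimmed to the fields used.
All IDs, CIDRs and rules below are constructed. Assumptions: network ACLs stay
at their default allow-all and are not evaluated; only IPv4 public IPs count.
"""
from typing import Dict, List, Tuple

DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}

ROUTE_TABLES = [  # subnet-db-a has no explicit association, so it uses the main table
    {"RouteTableId": "rtb-public", "Associations": [
        {"SubnetId": "subnet-web-a"}, {"SubnetId": "subnet-web-b"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-demo"}]},
    {"RouteTableId": "rtb-private", "Associations": [{"SubnetId": "subnet-app-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-demo"}]},
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]
SUBNETS = [{"SubnetId": s, "CidrBlock": c} for s, c in [("subnet-web-a", "10.0.1.0/24"),
    ("subnet-web-b", "10.0.2.0/24"), ("subnet-app-a", "10.0.11.0/24"), ("subnet-db-a", "10.0.21.0/24")]]
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443,
        "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-app", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 8080,
        "ToPort": 8080, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
    {"GroupId": "sg-db-open", "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432,
        "ToPort": 5432, "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
]
INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-web-a", "PublicIpAddress": "203.0.113.10",
     "SecurityGroups": [{"GroupId": "sg-web"}]},
    {"InstanceId": "i-app", "SubnetId": "subnet-app-a", "SecurityGroups": [{"GroupId": "sg-app"}]},
    {"InstanceId": "i-db", "SubnetId": "subnet-db-a", "SecurityGroups": [{"GroupId": "sg-db"}]},
    # misplaced database: public subnet, public IP and a world-open 5432 rule together
    {"InstanceId": "i-db-leak", "SubnetId": "subnet-web-b", "PublicIpAddress": "203.0.113.11",
     "SecurityGroups": [{"GroupId": "sg-db-open"}]},
]


def classify_subnets(route_tables: List[dict], subnets: List[dict]) -> Dict[str, str]:
    """Map each subnet to 'public' (default route -> igw-*), 'private' (default route
    -> NAT or egress-only IGW, outbound only) or 'isolated' (no default route).
    Subnets without an explicit association fall back to the main route table."""
    main, explicit = None, {}
    for rtb in route_tables:
        for assoc in rtb.get("Associations", []):
            if assoc.get("Main"):
                main = rtb
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rtb
    kinds = {}
    for sn in subnets:
        kind = "isolated"
        for route in (explicit.get(sn["SubnetId"]) or main or {}).get("Routes", []):
            dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
            if dest not in DEFAULT_ROUTES or route.get("State") == "blackhole":
                continue
            if route.get("GatewayId", "").startswith("igw-"):
                kind = "public"  # an IGW default route outranks any NAT route
                break
            if route.get("NatGatewayId") or route.get("EgressOnlyInternetGatewayId"):
                kind = "private"
        kinds[sn["SubnetId"]] = kind
    return kinds


def world_open_ports(group: dict) -> List[Tuple[str, int, int]]:
    """Ingress rules whose source is 0.0.0.0/0 or ::/0, as (protocol, from_port, to_port)."""
    opened = []
    for perm in group.get("IpPermissions", []):
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        if any(src in DEFAULT_ROUTES for src in sources):  # protocol "-1" carries no ports
            opened.append((perm["IpProtocol"], perm.get("FromPort", 0), perm.get("ToPort", 65535)))
    return opened


def exposure_report(route_tables, subnets, groups, instances) -> Dict[str, List[Tuple[str, int, int]]]:
    """Ports on each instance the internet can reach: a public subnet, a public IP
    and a world-open security-group rule must all be present at once."""
    kinds = classify_subnets(route_tables, subnets)
    by_id = {g["GroupId"]: g for g in groups}
    report = {}
    for inst in instances:
        ports: List[Tuple[str, int, int]] = []
        if kinds.get(inst["SubnetId"]) == "public" and inst.get("PublicIpAddress"):
            for ref in inst.get("SecurityGroups", []):
                ports += world_open_ports(by_id[ref["GroupId"]])
        report[inst["InstanceId"]] = ports
    return report


if __name__ == "__main__":
    for sn, kind in classify_subnets(ROUTE_TABLES, SUBNETS).items():
        print(f"{sn}: {kind}")
    for inst, ports in exposure_report(ROUTE_TABLES, SUBNETS, SECURITY_GROUPS, INSTANCES).items():
        print(f"{inst}: {ports or 'not reachable from the internet'}")
```

Run against the constructed data, `i-web` shows 443/tcp open, `i-app` and `i-db` are unreachable (private and isolated subnets respectively, and their groups only admit other security groups), and `i-db-leak` shows 5432/tcp open because all three conditions coincide. Against real accounts, feed the script the output of the four `describe-*` calls; note that it deliberately does not model network ACLs, so a restrictive NACL could make a reported port unreachable in practice.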
VPC and IAM both deal with security, but at different layers. IAM controls who can perform which AWS operations, while VPC controls which network boundaries resources communicate within. If the problem is permissions and credentials, look at IAM; if the problem is public and private separation plus traffic paths, look at VPC.
Well-suited to nearly every AWS architecture that needs network boundaries, including private databases, internet-facing web tiers, and internal-only workers. It is also common in hybrid setups that extend on-premises environments into AWS through VPN. It is not the layer that decides who is allowed to perform which action.