DEV Community

Software Jutsu

Amazon Virtual Private Cloud (VPC)

An Amazon Virtual Private Cloud (VPC) is a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define.

It gives you complete control over your virtual networking environment, including the selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

For production deployments it is best practice to place your AWS stack inside a VPC.

Why VPC?
Creating resources directly on the public cloud without a VPC would be equivalent to placing your laptop on a public sidewalk with no password and a "Free Access" sign. While technically possible in the early days of cloud computing, it poses extreme security and operational risks.

  • Security and Isolation: Without a VPC, every resource (like a database or a web server) would be assigned a Public IP address by default. This makes them visible and targetable by anyone on the internet.

  • Connectivity between Services: With a VPC, your resources can talk to each other over private IPs inside the isolated network. Because that traffic never leaves the private address space, it also avoids the cost of public IP data transfer.

  • Network Customization: If you created resources directly, you would have no control over the internal networking. In a VPC, you define your own IP address range (e.g., 10.0.0.0/16).

  • Traffic Routing and Filtering: A VPC allows you to define the "rules of the road" through Route Tables.

Core Components

  • IPv4 and IPv6 Address Blocks: You define a Private IP address range using CIDR notation (e.g., 10.0.0.0/16).

  • Subnets: A range of IP addresses in your VPC. You can launch AWS resources, like EC2 instances, into a specific subnet.

-- Public Subnets: Connected to the internet via an Internet Gateway (without a gateway there is no connection; it is the physical "door" to the outside world).

-- Private Subnets: Not reachable from the public internet; typically used for databases or application servers.

  • Route Tables: A set of rules (routes) used to determine where network traffic from your subnet or gateway is directed.

  • Internet Gateway (IGW): A horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.

  • NAT Gateway: Allows instances in a private subnet to connect to the internet (e.g., for software updates) but prevents the internet from initiating a connection with those instances.
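The components above fit together through the route table: a subnet is "public" only because its route table sends 0.0.0.0/0 to an Internet Gateway, while a private subnet's default route points at a NAT Gateway. The following pure-Python model of that logic is an added example, not code from the original post or from AWS; the subnet layout and the ids `igw-main` and `nat-main` are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

VPC_CIDR = ip_network("10.0.0.0/16")          # the VPC's private address range

# Constructed layout: one public and one private /24 carved out of the VPC block.
SUBNETS = {
    "public-a":  ip_network("10.0.1.0/24"),
    "private-a": ip_network("10.0.2.0/24"),
}

# Route tables as (destination, target). Every VPC route table carries the implicit
# "local" route for the VPC CIDR; the public table adds a default route to the IGW,
# the private table a default route to the NAT Gateway (placeholder ids).
ROUTE_TABLES = {
    "public-a":  [(VPC_CIDR, "local"), (ip_network("0.0.0.0/0"), "igw-main")],
    "private-a": [(VPC_CIDR, "local"), (ip_network("0.0.0.0/0"), "nat-main")],
}

def validate_subnets(vpc, subnets):
    """Subnets must lie inside the VPC CIDR and must not overlap each other."""
    nets = list(subnets.values())
    for n in nets:
        if not n.subnet_of(vpc):
            raise ValueError(f"{n} is outside VPC block {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True

def next_hop(subnet_name, dst):
    """Resolve a destination the way a route table does: the most specific
    (longest prefix) matching route wins, so 'local' beats the default route."""
    dst = ip_address(dst)
    matches = [(net, tgt) for net, tgt in ROUTE_TABLES[subnet_name] if dst in net]
    if not matches:
        return None                      # no matching route: the packet is dropped
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def is_public_subnet(subnet_name):
    """Public means the default route goes to an IGW; a NAT route is outbound-only."""
    tgt = next_hop(subnet_name, "203.0.113.10")   # TEST-NET-3 address stands in for the internet
    return tgt is not None and tgt.startswith("igw-")

if __name__ == "__main__":
    validate_subnets(VPC_CIDR, SUBNETS)
    for name in SUBNETS:
        print(name, "-> 10.0.2.25:", next_hop(name, "10.0.2.25"),
              "| -> internet:", next_hop(name, "203.0.113.10"),
              "| public:", is_public_subnet(name))
```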

Security Layers

AWS VPC provides two features to increase security:

Network Access Control Lists (NACL): An optional layer of security for your VPC that acts as a firewall controlling traffic in and out of one or more subnets. NACLs are stateless: return traffic is not tracked, so it must be allowed by its own rule.

Security Groups: Act as a virtual firewall for your EC2 instances, controlling inbound and outbound traffic at the instance level. Security Groups are stateful: the reply to an allowed connection is allowed automatically.
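The stateless/stateful distinction is where subnet firewalls most often break in practice: a NACL that allows inbound 443 but has no outbound rule for the client's ephemeral port silently drops every reply. The model below is an added example, not AWS code or code from the original post; the rule sets, the client address 198.51.100.7 and the server address 10.0.1.10 are constructed, and the Security Group is given no outbound rule on purpose (a real default group allows all outbound) so that its connection tracking is visible.

```python
from ipaddress import ip_address, ip_network

# NACL rules: (number, direction, proto, (low_port, high_port), cidr, action).
# Lowest number first, first match wins; anything unmatched hits the implicit deny.
NACL_WITH_EPHEMERAL = [
    (100, "inbound",  "tcp", (443, 443),    "0.0.0.0/0", "allow"),
    (100, "outbound", "tcp", (1024, 65535), "0.0.0.0/0", "allow"),  # lets replies out
]
NACL_MISSING_EPHEMERAL = NACL_WITH_EPHEMERAL[:1]   # common mistake: inbound rule only

def nacl_decision(nacl, direction, proto, peer, port):
    """Stateless: every packet is judged on its own, replies included."""
    for _, d, p, (lo, hi), cidr, action in sorted(nacl, key=lambda r: r[0]):
        if d == direction and p == proto and lo <= port <= hi and ip_address(peer) in ip_network(cidr):
            return action
    return "deny"

class SecurityGroup:
    """Stateful: a reply to an allowed flow is allowed even with no matching rule."""
    def __init__(self, rules):          # rules: (direction, proto, (lo, hi), cidr)
        self.rules, self.flows = rules, set()

    def decide(self, direction, proto, src, sport, dst, dport):
        if (proto, dst, dport, src, sport) in self.flows:   # reverse of a tracked flow
            return "allow"
        peer = src if direction == "inbound" else dst       # rules match the remote side
        for d, p, (lo, hi), cidr in self.rules:
            if d == direction and p == proto and lo <= dport <= hi and ip_address(peer) in ip_network(cidr):
                self.flows.add((proto, src, sport, dst, dport))
                return "allow"
        return "deny"

CLIENT, SERVER = "198.51.100.7", "10.0.1.10"    # constructed: TEST-NET-2 client, VPC server

def https_session(nacl, sg):
    """Client connects to port 443 from ephemeral port 51234; the server replies.
    Returns the four decisions (nacl_in, nacl_out, sg_in, sg_out)."""
    nacl_in  = nacl_decision(nacl, "inbound",  "tcp", CLIENT, 443)
    nacl_out = nacl_decision(nacl, "outbound", "tcp", CLIENT, 51234)
    sg_in  = sg.decide("inbound",  "tcp", CLIENT, 51234, SERVER, 443)
    sg_out = sg.decide("outbound", "tcp", SERVER, 443, CLIENT, 51234)
    return nacl_in, nacl_out, sg_in, sg_out

if __name__ == "__main__":
    rules = [("inbound", "tcp", (443, 443), "0.0.0.0/0")]
    print("complete NACL:    ", https_session(NACL_WITH_EPHEMERAL, SecurityGroup(rules)))
    print("inbound-only NACL:", https_session(NACL_MISSING_EPHEMERAL, SecurityGroup(rules)))
```

With the inbound-only NACL the request is admitted but the reply is denied, which shows up as a connection that hangs rather than a clean refusal.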

Connectivity Options

VPC Peering: A networking connection between two VPCs that enables you to route traffic between them using private IPv4 or IPv6 addresses.

AWS VPN: Establishes a secure connection between your on-premises network and your Amazon VPC.

AWS Direct Connect: A cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS, bypassing the public internet.

To set up a VPC you can follow this video:
https://www.youtube.com/watch?v=7_NNlnH7sAg

Pricing

Creating a VPC itself is completely free. You are not charged for defining the network, creating subnets, or setting up Route Tables, Internet Gateways (IGW), or Security Groups.

However, you pay for the traffic that moves through the VPC and any managed services you attach to it.

Components That Are Free

  • VPC Creation: No setup or monthly fee.

  • Subnets & Route Tables: No limit on how many you create for free.

  • Internet Gateway (IGW): Attaching and using an IGW costs $0.

  • Network ACLs & Security Groups: Virtual firewalls are provided at no cost.

Components That Cost Money (as of January 2026; may be outdated)

Public IPv4 Address: $0.005 / hour (~$3.60/mo)

NAT Gateway: $0.045 / hour (~$32/mo), $0.045 per GB processed.

VPC Interface Endpoint: $0.01 / hour (~$7/mo), $0.01 per GB processed.

Transit Gateway: $0.05 / hour (per attachment), $0.02 per GB processed.

Site-to-Site VPN: $0.05 / hour; standard data transfer rates apply.

Data Transfer Costs

This is where most VPC bills grow. AWS charges based on where the data is going.

Inbound Data: Always Free (Data coming from the internet into your VPC).

Outbound to Internet: Roughly $0.09 per GB (after the first 100 GB/month, which is free).

Inter-Availability Zone (AZ): If you send data between two EC2 instances in different AZs (e.g., US-East-1a to US-East-1b), you pay $0.01 per GB in each direction.

Intra-Availability Zone: Sending data between instances in the same AZ using Private IPs is Free.

Pro Tip: If you use a Public IP to talk to another instance in the same AZ, you will be charged the $0.01/GB rate even though they are in the same building. Always use Private IPs for internal traffic.
