What is a VPC (Virtual Private Cloud)?
A Virtual Private Cloud is a logically isolated network you carve out inside a public cloud, complete with your own IP address ranges, subnets, routing tables, and firewall rules — so that even though your servers run on hardware shared with thousands of other tenants, they behave as if they sit on a private network you control.
Why it exists
Early public cloud put every instance on a flat, shared network, which made enterprises nervous: their database could, in principle, be one misconfiguration away from the open internet. The VPC, introduced by AWS in 2009 and now standard across every major provider, solved this by giving each customer a private, software-defined network. Inside it you decide what is reachable from the internet and what is not, how traffic flows, and which resources can talk to which. It is the foundational boundary almost everything else in a cloud architecture sits within.
Subnets and availability zones
A VPC is given a block of private IP addresses — say 10.0.0.0/16 — which you divide into subnets, smaller ranges each pinned to a single availability zone (a distinct data center within a region). The crucial distinction is public versus private. A public subnet has a route to an internet gateway, so a load balancer or bastion host placed there can be reached from the internet. A private subnet has no such route, which is where databases and application servers belong — they should never be directly reachable from outside. Spreading subnets across multiple zones is also how you survive the loss of a single data center.
Reaching out without being reachable: NAT
Resources in a private subnet often still need outbound internet access — to download updates or call an external API — without being exposed to inbound connections. A NAT (Network Address Translation) gateway provides exactly that asymmetry: it sits in a public subnet and lets private resources initiate outbound traffic while blocking anything trying to connect inbound. This one-way valve is a cornerstone of a secure VPC layout, and it is a frequent source of surprise cloud bills, since NAT gateways charge for every gigabyte that passes through them.
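The subnet layout described in the two sections above, as an added example that is not QUANT LAB's code: it carves a 10.0.0.0/16 block into one /24 per tier per availability zone, gives the public tier a default route to an internet gateway, the application tier a default route to the NAT gateway in its own zone, and the database tier no default route at all, then classifies each subnet from its routes the way the text does. The tier names, the zone names and the igw-/nat- identifiers are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Subnet:
    name: str
    cidr: str
    az: str
    tier: str
    routes: dict = field(default_factory=dict)  # destination CIDR -> target id


def plan_subnets(vpc_cidr, azs, tiers=("public", "app", "db"), new_prefix=24):
    """Hand out consecutive /24s from the VPC block, one per tier per AZ.
    ipaddress guarantees the ranges do not overlap."""
    vpc = ipaddress.ip_network(vpc_cidr)
    pool = vpc.subnets(new_prefix=new_prefix)
    subnets = []
    for tier in tiers:
        for az in azs:
            subnets.append(Subnet(f"{tier}-{az}", str(next(pool)), az, tier))
    return subnets


def attach_routes(subnets, vpc_cidr, igw_id, nat_by_az):
    """Public tier: default route to the internet gateway (reachable from outside).
    App tier: default route to the NAT gateway in the same AZ (outbound only).
    DB tier: only the implicit local route, so nothing outside the VPC is reachable."""
    for s in subnets:
        s.routes = {vpc_cidr: "local"}  # every VPC route table carries this entry
        if s.tier == "public":
            s.routes["0.0.0.0/0"] = igw_id
        elif s.tier == "app":
            s.routes["0.0.0.0/0"] = nat_by_az[s.az]
    return subnets


def classify(subnet):
    """Reachability class implied by the subnet's default route."""
    target = subnet.routes.get("0.0.0.0/0")
    if target is None:
        return "isolated"   # no path in or out of the VPC
    if target.startswith("igw-"):
        return "public"     # inbound connections from the internet are possible
    if target.startswith("nat-"):
        return "private"    # can initiate outbound, cannot be reached inbound
    return "unknown"


def check_layout(subnets, allowed=None):
    """Return (name, class) for each subnet whose class is not what its tier permits,
    e.g. a db subnet that has picked up an internet gateway route."""
    if allowed is None:
        allowed = {"public": {"public"}, "app": {"private"}, "db": {"isolated", "private"}}
    return [(s.name, classify(s)) for s in subnets if classify(s) not in allowed[s.tier]]


if __name__ == "__main__":
    azs = ["us-east-1a", "us-east-1b"]                      # constructed zone names
    nats = {az: f"nat-{az}-EXAMPLE" for az in azs}          # placeholder ids
    subs = attach_routes(plan_subnets("10.0.0.0/16", azs), "10.0.0.0/16", "igw-EXAMPLE", nats)
    for s in subs:
        print(f"{s.name:18} {s.cidr:14} {classify(s)}")
    print("layout violations:", check_layout(subs))
```

The classification function is the part worth keeping: whatever tool produced the route tables, the question "is there a 0.0.0.0/0 route, and what does it point at" is what decides whether a subnet is public, private or isolated, and a database subnet that answers "igw-" is the finding the last section of this page describes.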
Two layers of firewall
VPCs give you two complementary firewalls. Security groups attach to individual resources and are stateful — if you allow an inbound request, the response is automatically allowed back out — which makes them the everyday tool for controlling access to a server or database. Network ACLs operate at the subnet level and are stateless, evaluating inbound and outbound rules independently; they act as a coarse guardrail around an entire subnet. Used together they implement defense in depth, and tightening them is a natural fit with zero trust thinking — never assume something is safe just because it is "inside" the network.
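To make the stateful/stateless distinction concrete, here is a toy packet-filter model added to this page (not QUANT LAB's code and not how AWS implements either feature). A client connects to a web server on port 443; the security group remembers the connection and lets the reply out with no outbound rule, while the network ACL evaluates the reply on its own and drops it unless an outbound rule covers the client's ephemeral port range. The addresses, ports and rule numbers are constructed, and the model starts from deny in both directions so the effect of connection tracking is the only difference between the two.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out", relative to the protected resource or subnet
    cidr: str        # remote address range the rule applies to
    lo: int          # destination port range, inclusive
    hi: int
    action: str = "allow"


def _matches(rule, pkt):
    remote = pkt.src if rule.direction == "in" else pkt.dst
    return (ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)
            and rule.lo <= pkt.dport <= rule.hi)


class SecurityGroup:
    """Stateful: an allowed packet creates a flow entry, and the packet travelling
    the other way on that flow is allowed without consulting the rules.
    (Real security groups also default to allowing all egress; that is left out
    here so the connection-tracking effect stands alone.)"""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # connection-tracking table keyed by 4-tuple

    def evaluate(self, pkt, direction):
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "allow-reply"
        if any(r.direction == direction and _matches(r, pkt) for r in self.rules):
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        return "deny"


class NetworkAcl:
    """Stateless: every packet, replies included, must match a rule in its own
    direction. Rules are numbered, the lowest matching number wins, default deny."""

    def __init__(self, numbered_rules):
        self.rules = sorted(numbered_rules, key=lambda nr: nr[0])

    def evaluate(self, pkt, direction):
        for _, r in self.rules:
            if r.direction == direction and _matches(r, pkt):
                return r.action
        return "deny"


def demo():
    # Constructed flow: internet client -> web server in the VPC on 443, and its reply.
    request = Packet("203.0.113.10", 51515, "10.0.2.5", 443)
    reply = Packet("10.0.2.5", 443, "203.0.113.10", 51515)

    sg = SecurityGroup([Rule("in", "0.0.0.0/0", 443, 443)])
    acl_no_ephemeral = NetworkAcl([(100, Rule("in", "0.0.0.0/0", 443, 443))])
    acl_with_ephemeral = NetworkAcl([
        (100, Rule("in", "0.0.0.0/0", 443, 443)),
        (100, Rule("out", "0.0.0.0/0", 1024, 65535)),   # reply goes to the client's ephemeral port
    ])
    return {
        "sg_request": sg.evaluate(request, "in"),
        "sg_reply": sg.evaluate(reply, "out"),
        "nacl_no_ephemeral_request": acl_no_ephemeral.evaluate(request, "in"),
        "nacl_no_ephemeral_reply": acl_no_ephemeral.evaluate(reply, "out"),
        "nacl_with_ephemeral_reply": acl_with_ephemeral.evaluate(reply, "out"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:28} {verdict}")
```

The practical consequence is the one that bites people when they first tighten a network ACL: a subnet rule set that only allows port 443 inbound breaks every web connection, because the replies leave on ports 1024-65535 and the ACL has no memory of the request that caused them. The security group needs no such rule.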
Connecting VPCs together
Real organizations end up with many VPCs — per environment, per team, per acquisition — and need them to talk privately. VPC peering creates a direct private link between two of them. But peering does not scale gracefully: ten VPCs that all need to reach each other would require a tangle of forty-five separate peerings. A transit gateway solves this by acting as a central hub that every VPC connects to once. For linking a cloud VPC back to an on-premises data center, a VPN tunnel or a dedicated private circuit (AWS Direct Connect, Azure ExpressRoute) does the job.
At QUANT LAB
A well-designed VPC is the quiet foundation of every system we ship under cloud infrastructure. We put databases and application servers in private subnets, expose only load balancers to the internet, and define the whole network as Terraform so the layout is reviewable and reproducible. This matters for security as much as architecture: in our penetration tests, a flat VPC with databases on public subnets and over-broad security groups is one of the most common — and most exploitable — findings.
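The two findings named above can be checked mechanically. What follows is an added example, not QUANT LAB's tooling: it audits data in the shape returned by `aws ec2 describe-security-groups`, `describe-route-tables` and `describe-instances` for security groups that open a sensitive port to 0.0.0.0/0 and for database instances sitting in a subnet whose route table points at an internet gateway. The records are constructed inline with placeholder ids, and the `Tier=db` tag used to recognise database instances is an assumed convention, not an AWS one.

```python
# Ports whose exposure to the whole internet is almost always a finding.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 27017: "mongodb"}


def _world_open(ip_range):
    return ip_range.get("CidrIp") == "0.0.0.0/0" or ip_range.get("CidrIpv6") == "::/0"


def audit_security_groups(groups):
    """Flag inbound permissions that expose every port, or a sensitive port, to the world."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            ranges = perm.get("IpRanges", []) + perm.get("Ipv6Ranges", [])
            if not any(_world_open(r) for r in ranges):
                continue
            if perm["IpProtocol"] == "-1":          # "all traffic" rule
                findings.append((g["GroupId"], "all traffic open to the internet"))
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            for port, name in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    findings.append((g["GroupId"], f"{name}/{port} open to the internet"))
    return findings


def public_subnet_ids(route_tables, all_subnet_ids):
    """A subnet is public when its route table sends 0.0.0.0/0 to an igw-* gateway.
    Subnets with no explicit association fall back to the VPC's main route table."""
    main_is_public = False
    explicit = {}
    for rt in route_tables:
        is_public = any(r.get("DestinationCidrBlock") == "0.0.0.0/0"
                        and r.get("GatewayId", "").startswith("igw-")
                        for r in rt["Routes"])
        for assoc in rt["Associations"]:
            if assoc.get("Main"):
                main_is_public = is_public
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = is_public
    return {s for s in all_subnet_ids if explicit.get(s, main_is_public)}


def audit_placement(instances, public_ids):
    """Flag instances tagged Tier=db (assumed convention) that live in a public subnet."""
    hits = []
    for inst in instances:
        tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
        if tags.get("Tier") == "db" and inst["SubnetId"] in public_ids:
            hits.append((inst["InstanceId"], inst["SubnetId"]))
    return hits


# Constructed sample records (placeholder ids), shaped like the EC2 API responses.
SECURITY_GROUPS = [
    {"GroupId": "sg-web-EXAMPLE", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-db-EXAMPLE", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},                 # the finding
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},              # wide, but VPC-only
]
ROUTE_TABLES = [
    {"Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"Associations": [{"SubnetId": "subnet-pub-EXAMPLE"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
]
INSTANCES = [
    {"InstanceId": "i-db-EXAMPLE", "SubnetId": "subnet-pub-EXAMPLE",
     "Tags": [{"Key": "Tier", "Value": "db"}]},
    {"InstanceId": "i-app-EXAMPLE", "SubnetId": "subnet-priv-EXAMPLE",
     "Tags": [{"Key": "Tier", "Value": "app"}]},
]


def run_audit():
    subnet_ids = {i["SubnetId"] for i in INSTANCES}
    public = public_subnet_ids(ROUTE_TABLES, subnet_ids)
    return {"open_ports": audit_security_groups(SECURITY_GROUPS),
            "db_in_public_subnet": audit_placement(INSTANCES, public)}


if __name__ == "__main__":
    for kind, items in run_audit().items():
        print(kind, items)
```

Both checks are cheap to run in CI against a plan or against the live account, which is the point of keeping the network in version control: the review that catches a database on a public subnet happens before the subnet exists.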
Long-form deep-dives that use this term
API Security Best Practices (2026): auth, rate limiting, input validation, secrets, and the OWASP API Top 10.
Preventing Prompt Injection in AI Apps (2026): prompt injection as the new injection class, trust boundaries for tools and retrieval, and mitigations.
Preventing SQL Injection in Modern Web Apps (2026): parameterized queries, ORMs, least-privilege DB roles, and why concatenation still breaches apps.