What Is a VPC in AWS? Simple Explanation, Core Components, and Example

A Virtual Private Cloud (VPC) is a logically isolated private network inside AWS where your resources run. You define the IP address ranges, control what can reach the internet, and decide how internal traffic flows. After reading this page you will understand what a VPC is, what it contains, how traffic moves through it, and how to lay out a simple production-ready architecture.

Simple explanation

Before AWS, you built networks in physical data centers: routers, switches, and firewalls managed by hand. A VPC replaces that physical infrastructure with software-defined networking. You get a private IP address space, and AWS gives you the tools to control every traffic path inside it.

Analogy

Think of AWS as a large office building with many floors. When you create a VPC, you are renting one of those floors entirely to yourself. You decide how to lay out the rooms (subnets), which doors connect to the outside world (internet gateway), which rooms are accessible to visitors (public subnets), and which are interior-only (private subnets). Other tenants in the building have their own floors and cannot walk into yours.

When you create a VPC, you assign it a CIDR block like 10.0.0.0/16. That range is the address space for everything that runs inside it. You divide that range into subnets, each tied to a specific Availability Zone, and place your resources (EC2 instances, databases, containers) into those subnets.

The VPC itself does not route traffic to the internet by default. You attach an internet gateway for public access, add a NAT gateway for private outbound access, and write route tables to direct packets where they need to go. Security groups act as instance-level firewalls on top of all that. That combination of isolated address space, controlled routing, and layered firewall rules is what makes a VPC the foundation of nearly everything you build in AWS.

Why this matters

Without network isolation, any resource in AWS could potentially receive traffic from any other resource. A VPC creates a hard boundary around your infrastructure. Resources inside communicate over private IPs, and traffic crossing the boundary passes through gateways, route tables, and firewall rules you control.

Understanding VPCs is not optional knowledge. It underpins almost everything in AWS. Every EC2 instance, load balancer, RDS database, EKS cluster, and Lambda function running inside a VPC inherits this networking foundation. Getting it wrong creates security gaps and connectivity problems that are painful to diagnose later.

How a VPC works

Here is how traffic moves through a typical VPC when a user accesses a web application:

  1. Request arrives. A user’s browser sends a request to your application’s public IP or domain name.
  2. Internet gateway receives it. The internet gateway (IGW) attached to your VPC accepts the inbound connection. Without an IGW, no public internet traffic can enter the VPC at all.
  3. Route table directs the packet. The route table for the public subnet has an entry sending internet-bound traffic to the IGW and local VPC traffic directly to the target. Route tables decide the path; they do not filter.
  4. Security group evaluates the connection. Before the packet reaches your application, the security group attached to the resource checks whether the source IP and port are allowed. If no rule matches, the packet is dropped.
  5. Private resources stay off the internet. Your database or app tier sits in a private subnet with no route to the IGW. It is only reachable from other resources inside the VPC, not from the public internet.
  6. Private outbound traffic uses a NAT gateway. If a resource in a private subnet needs to call an external API or download a package, the request goes through a NAT gateway in a public subnet. The NAT gateway forwards the request and returns the response without exposing the private resource’s IP address.

Core components inside a VPC

ComponentWhat it isWhen it matters
SubnetsA sub-range of the VPC CIDR, tied to one Availability ZoneAlways. Resources launch into subnets, not directly into the VPC
Route tablesRules that decide where traffic from a subnet is forwardedAlways. Every subnet uses a route table
Internet gateway (IGW)A managed gateway that connects the VPC to the public internetRequired for any public-facing resource
NAT gatewayAllows private subnet resources to reach the internet without being directly reachable from itWhen private resources need outbound internet access
Security groupsStateful, instance-level firewall rulesAlways. Every resource needs at least one
Network ACLsStateless firewall rules applied at the subnet boundaryOptional. Useful for layered defense or blocking specific IPs broadly
Public vs private IPsPrivate IPs are always assigned; public IPs are optional and only usable in public subnetsRequired understanding before routing or exposing any resource
VPC DNS resolverAWS provides an internal DNS resolver at the VPC base CIDR + 2 (e.g., 10.0.0.2)Used when resources resolve each other by name; required for private hosted zones

CIDR blocks: defining your IP space

When you create a VPC, you assign it a CIDR block. A notation like 10.0.0.0/16 defines the pool of private IP addresses available inside it. The number after the slash is the prefix length; a shorter prefix means more addresses.

  • A /16 provides 65,536 addresses. This is the most common starting size for a production VPC.
  • A /24 provides 256 addresses. Too small for most VPCs.
  • A /28 provides 16 addresses. The smallest block AWS allows.

Use addresses from the RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16. The 10.x.x.x space is the most common choice for AWS VPCs.

AWS reserves 5 IP addresses in every subnet: the first four and the last. A /24 subnet gives you 251 usable IPs, not 256. A /28 gives you 11 usable IPs, not 16.

Plan before you build

If you plan to connect VPCs via VPC Peering, or connect on-premises networks via Site-to-Site VPN or Direct Connect, each network must use non-overlapping CIDR blocks. Changing a VPC CIDR after creation is disruptive. Plan your IP ranges across the whole environment before you start.

Minimal example architecture

Here is a simple two-tier layout for a production web application: one VPC, two Availability Zones, public and private subnets separated by purpose.

VPC: 10.0.0.0/16

Public subnets (one per AZ):

  • 10.0.0.0/24 in AZ-1, 10.0.1.0/24 in AZ-2
  • Route table sends 0.0.0.0/0 to the internet gateway
  • Hosts the load balancer, the only internet-facing component

Private subnets (one per AZ):

  • 10.0.2.0/24 in AZ-1, 10.0.3.0/24 in AZ-2
  • Route table sends 0.0.0.0/0 to the NAT gateway for outbound access
  • No route to the internet gateway. These subnets are not publicly reachable.
  • Hosts application servers and databases

Gateways:

  • One internet gateway attached to the VPC
  • One NAT gateway placed in a public subnet, with an Elastic IP assigned

Security groups:

  • Load balancer SG: allow inbound 80/443 from anywhere (0.0.0.0/0)
  • App server SG: allow inbound only from the load balancer SG, not from the internet directly
  • Database SG: allow inbound only from the app server SG

This keeps your app and database off the public internet while allowing outbound access from private resources. It is the standard baseline for most applications and a good mental model before you explore more advanced patterns like shared VPC architectures.

Default VPC vs custom VPC

AWS automatically creates a default VPC in every region when you open an account. It is convenient for learning because you can launch an EC2 instance with zero networking setup. For production, create your own. See the full comparison on the Default vs Custom VPCs page.

Default VPCCustom VPC
Created byAWS automaticallyYou
SubnetsOne public subnet per AZ, pre-builtYou create and control all subnets
Internet accessAll subnets publicly routable by defaultYou decide what is public and what is private
CIDR block172.31.0.0/16 (fixed)You choose
DNS hostnamesEnabled by defaultOff by default; you enable it
Good forLearning, quick experimentsAny production workload

When to use a custom VPC

You almost always want a custom VPC for anything beyond quick experiments. Here are the specific situations where the design decisions matter most:

  • Public web applications. Put your load balancer in a public subnet, your application servers in private subnets, and your database in an isolated subnet with no outbound internet route.
  • Private backends. Internal APIs or processing services that should never be directly reachable from the internet. Place them in private subnets and restrict them with security groups.
  • Databases. RDS, Aurora, and ElastiCache should almost always live in private subnets with no public IP. Restrict inbound access to the application tier only.
  • Hybrid connectivity. When connecting AWS to on-premises infrastructure via Site-to-Site VPN or Direct Connect, your VPC CIDR must not overlap with on-premises IP ranges. See the hybrid connectivity overview for the full picture.
  • Multi-VPC architectures. When multiple VPCs need to communicate via VPC Peering or Transit Gateway, each VPC must have a unique, non-overlapping CIDR. Plan the full IP allocation strategy before you create any VPC.
  • Container workloads. EKS clusters running inside a VPC use the VPC CNI plugin, which allocates pod IP addresses directly from subnet CIDR blocks. VPC sizing and subnet design have a direct impact on cluster capacity in ways that do not apply to most EC2 workloads.

Common beginner mistakes

The most common misconception

A resource in a private subnet is not automatically secure. “Private” means there is no route to the internet gateway. Other resources inside the VPC can still reach it freely. Security groups are what control which resources can actually connect. Private placement and firewall rules serve different purposes and you need both.

  1. Choosing a CIDR block that is too small. A /24 VPC has 256 addresses total. After AWS reserves 5 per subnet and you create subnets across two or three AZs, you exhaust the space quickly. Start with /16 and carve subnets from it.
  2. Using overlapping CIDR blocks. If two VPCs share the same IP range, you cannot peer them. If your VPC overlaps with an on-premises network, VPN or Direct Connect routing will not work correctly. Plan IP ranges across all connected environments before you create anything.
  3. Treating “private subnet” as a security boundary. Covered above. Private placement reduces exposure from the internet but does not protect against traffic from within the VPC.
  4. Confusing security groups with network ACLs. Security groups are stateful and attached to individual resources. Network ACLs are stateless and applied at the subnet boundary. Mixing them up leads to traffic being blocked (or allowed) in ways that are hard to trace. See the network security best practices page for guidance on when to use each.
  5. Misunderstanding DNS defaults. In a custom VPC, enable_dns_support is on by default, but enable_dns_hostnames is off. Without DNS hostnames, EC2 instances do not receive public DNS names, and some services such as EFS mount targets will not resolve correctly. Enable both when using private hosted zones or service discovery.
  6. Using the default VPC for production. Its open-by-default configuration, with all subnets publicly routable and no private subnet segmentation, is not appropriate for real applications. It is useful for learning but should not carry production workloads.
  7. Not planning for future VPC connections. Adding CIDR blocks to an existing VPC is supported but limited. If you will eventually need peering, VPN, or Transit Gateway connectivity, design your IP allocation strategy across the full environment before you start building. See troubleshooting network issues to understand what breaks when CIDR blocks conflict.

VPC vs subnet vs security group

These three concepts operate at completely different levels. Beginners often conflate them because they all relate to controlling access.

ConceptWhat it controlsScope
VPCThe entire network boundary: the IP address space and its isolation from everything outsideRegional
SubnetWhere inside the VPC a resource is placed: which AZ, and whether it has a route to the internetSingle Availability Zone
Security groupWhat traffic is allowed to reach a specific resource: port, protocol, and sourceIndividual resource

The VPC provides the address space. Subnets divide that space and determine placement and routing. Security groups control access at the resource level. All three work together and you need all three to build a functional, secure architecture.

Creating a VPC with Terraform

This creates a VPC with DNS hostnames enabled and attaches an internet gateway. DNS support is on by default; enabling dns_hostnames is almost always needed for EC2 public DNS names and service name resolution.

resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true

  tags = {
    Name        = "main-vpc"
    Environment = "production"
  }
}

resource "aws_internet_gateway" "main" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "main-igw"
  }
}

Creating a VPC with the AWS CLI

# Create the VPC
aws ec2 create-vpc \
  --cidr-block 10.0.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=main-vpc}]'

# Enable DNS hostnames (DNS support is already on by default)
aws ec2 modify-vpc-attribute \
  --vpc-id vpc-0123456789abcdef0 \
  --enable-dns-hostnames

# Create and attach an internet gateway
aws ec2 create-internet-gateway \
  --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=main-igw}]'

aws ec2 attach-internet-gateway \
  --vpc-id vpc-0123456789abcdef0 \
  --internet-gateway-id igw-0123456789abcdef0

Frequently asked questions

Can an EC2 instance exist outside a VPC?

No. Every EC2 instance in modern AWS must be launched inside a VPC. The legacy EC2-Classic platform that predated VPCs was retired in August 2022.

Does a VPC span multiple Availability Zones or multiple regions?

A VPC is a regional resource. It spans all Availability Zones in its region, and you place subnets inside specific AZs within that VPC. A VPC cannot stretch across regions. For cross-region connectivity, use VPC Peering or AWS Transit Gateway.

What is the difference between a VPC and a subnet?

A VPC defines the overall network boundary and IP address space. A subnet is a smaller IP range carved out of that space and tied to a single Availability Zone. Resources like EC2 instances launch into subnets, not directly into the VPC.

Do I always need a NAT gateway?

No. You only need a NAT gateway when resources in a private subnet need to initiate outbound connections to the internet, for example to download software updates or call an external API. If your private resources never need internet access, skip it.

Should I use the default VPC in production?

For learning and quick experiments, yes. For real workloads, create a custom VPC. The default VPC treats all subnets as publicly routable by default, which is not an appropriate baseline for production applications.

Last verified: 21 April 2026 Cloud services change frequently. Verify details against official documentation before making infrastructure decisions.