What is a VPC?

What a VPC actually contains

A VPC is a container for network resources, scoped to a single region. The basic ingredients are the same across all three clouds:

• An address space — a CIDR block (e.g., 10.42.0.0/16) that defines the IP range usable within the VPC.
• Subnets — non-overlapping CIDR slices of the VPC's address space, each tied to one availability zone.
• Route tables — per-subnet routing decisions: what destination prefixes go to what next hop.
• Internet Gateway — the VPC's connection to the public internet. Subnets become "public" by having a default route to this gateway.
• NAT Gateway — lets private-subnet resources reach the internet outbound without being reachable inbound.
• Security groups — stateful, per-instance firewalls.
• Network ACLs (NACLs) — stateless, per-subnet packet filters.
• VPC endpoints / Private Link — keep traffic to cloud services off the public internet.

Each cloud has its own brand name for these components, but the building blocks are the same. The differences are in defaults and quotas.

AWS VPC, Azure VNet, GCP VPC — the differences that matter

The biggest conceptual difference is GCP's global VPC model. A single GCP VPC can have subnets in every region, and routing between them happens on Google's backbone with no extra configuration. AWS and Azure scope each VPC/VNet to one region; spanning regions requires peering or a transit construct. For multi-region workloads, GCP requires less network topology setup; AWS and Azure expose more knobs.

Choosing a CIDR block

The single most consequential VPC decision is the CIDR block. Once a workload is deployed, changing the range requires migrating every resource. Two principles:

Use RFC 1918 private space

• 10.0.0.0/8 — largest block, 16.7M addresses. Use this for production VPCs.
• 172.16.0.0/12 — middle option, 1M addresses. Use for staging or secondary VPCs.
• 192.168.0.0/16 — smallest, 65k addresses. Avoid for VPCs — it conflicts with default home routers and many corporate VPNs.

Avoid conflicts with other networks

A VPC's CIDR will need to be peered with other VPCs (yours and possibly partner accounts), connected to on-premises via VPN or Direct Connect, and exposed to user laptops via corporate VPN. Every connection requires non-overlapping address space. Common conflicts:

• 10.0.0.0/16 — used by countless tutorials and starter VPCs. Pick something else.
• 192.168.0.0/24, 192.168.1.0/24 — default home router ranges.
• 172.17.0.0/16 — Docker's default bridge network.
• 100.64.0.0/10 — RFC 6598 carrier-grade NAT space; reserved.

A good default for a new VPC: 10.42.0.0/16 or another /16 with a deliberately uncommon second octet. Document your address allocation policy so subsequent VPCs do not overlap.

Subnets, AZs, and high availability

A VPC subnet sits in exactly one availability zone (AWS, GCP) or is regional with zonal redundancy (Azure VNets with availability zones). High-availability designs use one subnet per AZ:

10.42.0.0/16          ← VPC
  10.42.1.0/24   us-east-1a   public subnet
  10.42.2.0/24   us-east-1b   public subnet
  10.42.3.0/24   us-east-1c   public subnet
  10.42.10.0/24  us-east-1a   private subnet
  10.42.20.0/24  us-east-1b   private subnet
  10.42.30.0/24  us-east-1c   private subnet

Application tiers (load balancers, NAT gateways) get one resource per AZ for redundancy. Database tiers (RDS, Cloud SQL) use replicas across AZs. The cost of this redundancy is the per-AZ NAT gateway and the inter-AZ traffic charges — see cloud egress costs for the gotchas.

Public vs private subnets — it is about routing, not labels

A subnet's public/private designation is informal. What makes a subnet public is its route table: if the default route (0.0.0.0/0) points at an Internet Gateway, resources in that subnet with public IPs can be reached from the internet. If the default route points at a NAT Gateway (or is absent), the subnet is private.

Common subnet layout:

• Public subnets: Load balancers, bastion hosts, NAT gateways themselves. Resources that must accept traffic from the internet.
• Private subnets: Application servers, database servers, caches. Resources that should never be reached directly from the internet.
• Isolated subnets: No route to the internet at all (not even via NAT). Used for compliance-sensitive workloads or air-gapped tiers.

Resources in private subnets reach the internet outbound via a NAT Gateway in a public subnet (covered in NAT Gateway vs Internet Gateway).

Route tables: what packets actually do

Each subnet is associated with exactly one route table. The route table is a list of (destination CIDR → next hop) pairs. When a packet leaves a resource in that subnet, the destination IP is matched against the route table; the most-specific matching prefix wins.

A typical route table for a private subnet:

10.42.0.0/16     local                  ← intra-VPC traffic, always present
10.50.0.0/16     pcx-abc123 (peering)   ← traffic to a peered VPC
192.168.5.0/24   tgw-def456 (transit)   ← traffic to on-premises via transit gateway
0.0.0.0/0        nat-gw-789             ← default route via NAT for outbound internet

The local route is implicit and cannot be removed — it covers all addresses within the VPC's CIDR. Everything else is explicit. Misconfigured route tables are the most common cause of "the network seems broken even though everything else looks right" symptoms.

Security groups vs NACLs

Both are firewalls, with critically different semantics. Understanding when to use each is a routine cloud-networking judgment call.

Security groups

• Stateful. Allowing an outbound connection automatically allows the return packets.
• Attached to instances (or specifically to network interfaces).
• Allow-only. Cannot express "deny" — only what is allowed.
• Default to deny. Empty SG = nothing allowed.
• Can reference other SGs — "allow port 5432 from members of sg-app". This makes them composable.

NACLs (AWS) / NSGs at subnet level (Azure)

• Stateless. Both inbound and outbound rules must explicitly allow each direction. Ephemeral return ports must be opened.
• Attached to subnets.
• Allow and deny rules, ordered by rule number.
• Default permits all (AWS) — opposite of security groups.
• Cannot reference resources, only CIDR ranges.

The pattern: use security groups for application-level access control (port 5432 between app and database, port 443 from load balancer to app). Use NACLs sparingly, for coarse subnet-wide rules (block a known-bad IP range, prevent any traffic between a sensitive subnet and the internet).

VPC endpoints: keeping traffic off the public internet

Cloud services (S3, DynamoDB, Storage Accounts, BigQuery, etc.) are reachable over the public internet by default. Traffic from a VPC to S3, for instance, leaves the VPC via the Internet Gateway or NAT Gateway and traverses the public internet before reaching S3. VPC endpoints (AWS) / Private Endpoints (Azure) / Private Service Connect (GCP) let that traffic stay on the cloud's backbone.

Two AWS endpoint types:

• Gateway endpoints — used for S3 and DynamoDB. Free. Modify the route table to send traffic for those services to the gateway endpoint instead of the IGW.
• Interface endpoints — used for most other services and for AWS PrivateLink. Provisioned as ENIs in your subnet. Hourly cost plus per-GB processing.

Why endpoints matter beyond security: traffic via NAT Gateway is billed at $0.045/GB processed; traffic via a gateway endpoint is free. For S3-heavy workloads, gateway endpoints pay for themselves immediately.

Frequently Asked Questions

Is a VPC the same as a VLAN?

No — they solve related problems at different scales. A VLAN is a Layer 2 broadcast domain created on physical switches; a VPC is a software-defined Layer 3 network spanning an entire cloud region. VPCs are routed (Layer 3) end to end, do not have broadcast traffic in the traditional sense, and can span multiple availability zones in a single region. The closest equivalence is that subnets within a VPC are conceptually similar to VLANs, except they are routed rather than bridged.

What CIDR range should I use for a VPC?

Use a /16 from RFC 1918 private space (10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16) — that gives 65,536 addresses, enough for most workloads. Avoid 10.0.0.0/16 specifically because it conflicts with many default home networks and corporate VPN ranges; that complicates connecting on-premises later. A /16 with a non-default second octet (10.42.0.0/16) is the safest choice for new VPCs.

What is the difference between a public and a private subnet?

The difference is in routing, not naming. A public subnet has a route table entry that sends 0.0.0.0/0 (default route) to an Internet Gateway; a private subnet does not. Resources in a public subnet with public IPs can be reached from the internet; resources in a private subnet cannot. The naming convention "public" and "private" is informal — what makes them so is the route table they are associated with.

Can a VPC span multiple regions?

No on any major cloud — a VPC is scoped to a single region. To connect VPCs in different regions, you use VPC peering, transit gateway peering, or a backbone product. The constraint exists because the cloud provider's intra-region backbone has different performance and consistency guarantees than the inter-region backbone. Multi-region applications are built from multiple region-scoped VPCs connected via peering or backbone routing.

How are security groups different from a NACL?

Security groups are stateful and operate at the instance/ENI level — outbound traffic automatically allows the return path. NACLs (Network Access Control Lists) are stateless and operate at the subnet level — both inbound and outbound rules must explicitly allow each direction. Security groups are the default tool for application-level controls; NACLs are used for coarser subnet-level blocks like blocking a specific IP range across an entire subnet.