
Amazon Virtual Private Cloud (VPC)

Define and launch AWS resources in a logically isolated virtual network

How it works

Amazon Virtual Private Cloud (VPC) gives you complete control over your virtual networking environment, including resource placement, connectivity, and security. The first step is to create your VPC. Then you add resources to it, such as Amazon Elastic Compute Cloud (EC2) and Amazon Relational Database Service (RDS) instances. Finally, you define how your VPCs communicate with each other, across accounts, Availability Zones (AZs), or Regions. In the example depicted, network traffic is shared between two VPCs within each Region.

Use cases

Launch a simple website or blog

Gain additional layers of privacy and security, and create rules for inbound and outbound connections.

Host multi-tier web applications

Host multi-tier web applications and strictly enforce access and security restrictions between your web servers, application servers, and databases.

Create hybrid connections

Satisfy the specific requirements of all your applications—whether you’re connecting to AWS services in the cloud or on premises.

Amazon VPC features

Amazon Virtual Private Cloud provides features that you can use to increase and monitor the security of your VPC:

  • Reachability Analyzer: Reachability Analyzer is a static configuration analysis tool for analyzing and debugging network reachability between two resources in your VPC. After you specify the source and destination, it produces hop-by-hop details of the virtual path between them when they are reachable, and identifies the blocking component (for example a security group, network ACL, or route table entry) when they are unreachable. Because it analyzes configuration rather than sending packets, it can confirm that an intended isolation boundary actually blocks a path without generating any traffic. See the Reachability Analyzer documentation to get started with this feature.
  • VPC Flow Logs: You can monitor VPC flow logs delivered to Amazon S3 or Amazon CloudWatch to gain operational visibility into your network dependencies and traffic patterns, detect anomalies and data leakage, or troubleshoot network connectivity and configuration issues. The enriched metadata available in custom log formats (for example the tcp-flags and pkt-srcaddr/pkt-dstaddr fields) helps you see who initiated a TCP connection and the actual packet-level source and destination for traffic that passes through intermediate layers such as a NAT Gateway. Flow logs record connection metadata only, never payload, and a record with log-status SKIPDATA marks a window in which records were dropped, so they should be read as a sampled view rather than a complete packet record. You can also archive your flow logs to assist in meeting certain compliance requirements. See the VPC Flow Logs documentation to get started with this feature.
  • VPC Traffic Mirroring: VPC Traffic Mirroring allows you to copy network traffic from an elastic network interface of an Amazon EC2 instance and send it to out-of-band security and monitoring appliances for deep packet inspection. With traffic mirroring, you can detect network and security anomalies, gain operational insights, implement compliance and security controls, and troubleshoot issues. Unlike flow logs, traffic mirroring gives you the packets themselves, including payload, delivered to the target encapsulated in VXLAN; the mirror target and its appliances therefore handle sensitive data and need the same access controls as the source. See the VPC Traffic Mirroring documentation to get started with this feature.
  • Ingress Routing: This feature lets you associate a route table with an Internet Gateway (IGW) or Virtual Private Gateway (VGW), so that traffic entering the VPC through that gateway is routed to the Elastic Network Interface of a specific instance, typically a firewall or inspection appliance, before it reaches your workloads. The subnet route tables can send outbound traffic back through the same appliance, so both directions of traffic that crosses the gateway can be inspected. See the VPC documentation on routing for more about this feature.
  • Security Groups: Security groups act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level (strictly, at the elastic network interface). When you launch an instance, you can associate it with one or more security groups that you have created, and each instance in your VPC can belong to a different set of security groups. If you do not specify a security group when you launch an instance, it is automatically associated with the default security group for the VPC. Security groups are stateful: return traffic for a connection that was allowed in one direction is allowed in the other without a matching rule, and rules can only allow traffic, never explicitly deny it. For more information, see security groups for your VPC.
  • Network Access Control List: A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. Network ACLs are stateless: return traffic must be allowed explicitly, so a subnet that accepts inbound HTTPS also needs an outbound rule covering the client's ephemeral port range. Rules are evaluated in ascending rule-number order and the first match wins, ending in a final '*' rule that denies everything else; the default network ACL allows all traffic in both directions, while a newly created custom one denies everything until you add rules. See the Amazon VPC documentation for the specific differences between security groups and network ACLs.
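The VPC Flow Logs item above describes monitoring traffic patterns and detecting anomalies. The following is an added example, not code from the page or from AWS: a parser for default-format (version 2) flow log records with two detections run over constructed sample records. The VPC CIDR (10.0.0.0/16), the interface and account identifiers, and the addresses are assumptions for the example.

```python
"""Parse default-format (version 2) VPC Flow Log records and run two simple
detections: accepted admin-port access from outside the VPC, and one source
rejected on many distinct ports (a scan). Sample records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Field order of the default (version 2) flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Assumption for this example: the VPC CIDR; anything outside it is external.
# ipaddress.is_private is deliberately not used: it classes the IANA
# documentation ranges in the sample below as private.
TRUSTED_NETWORKS = [ip_network("10.0.0.0/16")]
ADMIN_PORTS = {22, 3389}


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    packets: int
    nbytes: int
    action: str


def parse_record(line: str) -> Optional[FlowRecord]:
    """Return a FlowRecord for a log-status OK line, or None for NODATA and
    SKIPDATA lines, which have '-' in the traffic fields and carry no flow."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    d = dict(zip(FIELDS, parts))
    if d["log_status"] != "OK":
        return None
    return FlowRecord(
        interface_id=d["interface_id"], srcaddr=d["srcaddr"], dstaddr=d["dstaddr"],
        srcport=int(d["srcport"]), dstport=int(d["dstport"]),
        protocol=int(d["protocol"]), packets=int(d["packets"]),
        nbytes=int(d["bytes"]), action=d["action"])


def parse_log(text: str):
    """Parse every line. Returns (records, skipped): skipped counts SKIPDATA
    windows, i.e. intervals where the service dropped records (a visibility gap)."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            if line.split()[-1] == "SKIPDATA":
                skipped += 1
            continue
        records.append(rec)
    return records, skipped


def is_external(addr: str) -> bool:
    ip = ip_address(addr)
    return not any(ip in net for net in TRUSTED_NETWORKS)


def external_admin_access(records):
    """Accepted TCP flows from outside the VPC to SSH or RDP."""
    return sorted({(r.srcaddr, r.dstaddr, r.dstport) for r in records
                   if r.action == "ACCEPT" and r.protocol == 6
                   and r.dstport in ADMIN_PORTS and is_external(r.srcaddr)})


def scanning_sources(records, min_ports: int = 5):
    """Sources rejected on at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r.action == "REJECT":
            ports[r.srcaddr].add(r.dstport)
    return {src: len(p) for src, p in ports.items() if len(p) >= min_ports}


# Constructed sample: an internal HTTPS flow, an accepted SSH login from an
# external address, an external host rejected on six ports, then one
# SKIPDATA and one NODATA window.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.12 10.0.2.34 49152 443 6 12 3000 1632900000 1632900060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.7 10.0.2.34 51000 22 6 8 1200 1632900000 1632900060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.2.34 40001 22 6 1 44 1632900000 1632900060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.2.34 40002 23 6 1 44 1632900000 1632900060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.2.34 40003 80 6 1 44 1632900000 1632900060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.2.34 40004 445 6 1 44 1632900000 1632900060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.2.34 40005 3389 6 1 44 1632900000 1632900060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.9 10.0.2.34 40006 8080 6 1 44 1632900000 1632900060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1632900000 1632900060 - SKIPDATA
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1632900060 1632900120 - NODATA
"""

if __name__ == "__main__":
    recs, skipped = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} flows parsed, {skipped} SKIPDATA window(s)")
    print("external admin access:", external_admin_access(recs))
    print("scanning sources:", scanning_sources(recs))
```

Two points the parser makes that the prose does not: NODATA and SKIPDATA records must be filtered before any numeric field is read, and a SKIPDATA window should be counted and alerted on rather than ignored, because an attacker's traffic may have fallen inside it.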
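The Security Groups and Network Access Control List items above turn on the difference between a stateful and a stateless filter and on rule ordering in a network ACL. The following is an added example, not code from the page or from AWS: a small model of both filters that traces a TCP 443 request and its reply through a subnet network ACL and an instance security group. The rule sets, addresses and rule numbers are constructed for the example, and the model covers only CIDR, protocol and destination-port matching.

```python
"""Model the two VPC packet filters: a security group (stateful, allow rules
only) and a network ACL (stateless, numbered allow/deny rules, lowest matching
number wins, implicit deny). All rule sets and addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    cidr: str
    proto: str             # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    action: str = "allow"  # "deny" is only meaningful in a network ACL
    number: int = 0        # evaluation order; only meaningful in a network ACL

    def matches(self, addr: str, proto: str, port: int) -> bool:
        if ip_address(addr) not in ip_network(self.cidr):
            return False
        if self.proto == "-1":
            return True
        return self.proto == proto and self.port_from <= port <= self.port_to


class SecurityGroup:
    """Stateful: a flow allowed in one direction is remembered, and its return
    traffic passes without needing a rule in the other direction."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._flows = set()   # (src, sport, dst, dport) of allowed flows

    def _check(self, rules, p: Packet, remote: str) -> bool:
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if reverse in self._flows:            # return traffic of an allowed flow
            return True
        if any(r.matches(remote, p.proto, p.dport) for r in rules):
            self._flows.add(forward)
            return True
        return False

    def inbound_ok(self, p: Packet) -> bool:   # inbound rules match the source CIDR
        return self._check(self.inbound, p, p.src)

    def outbound_ok(self, p: Packet) -> bool:  # outbound rules match the destination CIDR
        return self._check(self.outbound, p, p.dst)


class NetworkAcl:
    """Stateless: every packet, replies included, is evaluated against the
    numbered rules in ascending order; first match decides, unmatched is denied."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, remote: str, p: Packet) -> bool:
        for r in rules:
            if r.matches(remote, p.proto, p.dport):
                return r.action == "allow"
        return False                          # the final '*' deny rule

    def inbound_ok(self, p: Packet) -> bool:
        return self._evaluate(self.inbound, p.src, p)

    def outbound_ok(self, p: Packet) -> bool:
        return self._evaluate(self.outbound, p.dst, p)


def trace_request(nacl, sg, client, server, sport, dport):
    """(request_allowed, reply_allowed) for client -> server through the
    subnet NACL and then the instance security group, and back."""
    req = Packet(client, server, sport, dport)
    rep = Packet(server, client, dport, sport)
    request_ok = nacl.inbound_ok(req) and sg.inbound_ok(req)
    reply_ok = request_ok and sg.outbound_ok(rep) and nacl.outbound_ok(rep)
    return request_ok, reply_ok


def web_sg():
    # Inbound HTTPS only and no outbound rules at all: the reply still passes.
    return SecurityGroup(inbound=[Rule(ANY, "tcp", 443, 443)], outbound=[])


def nacl(outbound_ports, deny_number=None):
    """Inbound: rule 100 allows HTTPS from anywhere, plus an optional deny of
    198.51.100.0/24 at deny_number. Outbound: allow the given TCP port range."""
    inbound = [Rule(ANY, "tcp", 443, 443, "allow", 100)]
    if deny_number is not None:
        inbound.append(Rule("198.51.100.0/24", "tcp", 443, 443, "deny", deny_number))
    return NetworkAcl(inbound, [Rule(ANY, "tcp", *outbound_ports, "allow", 100)])


if __name__ == "__main__":
    print("mirrored 443 outbound:", trace_request(nacl((443, 443)), web_sg(), "203.0.113.7", "10.0.2.34", 51234, 443))
    print("ephemeral outbound:   ", trace_request(nacl((1024, 65535)), web_sg(), "203.0.113.7", "10.0.2.34", 51234, 443))
    print("deny numbered 90:     ", trace_request(nacl((1024, 65535), 90), web_sg(), "198.51.100.9", "10.0.2.34", 51234, 443))
    print("deny numbered 110:    ", trace_request(nacl((1024, 65535), 110), web_sg(), "198.51.100.9", "10.0.2.34", 51234, 443))
```

The four traces show the two mistakes practitioners make most often: mirroring the service port in the NACL's outbound rules (the request is accepted but the reply to the client's ephemeral port is dropped), and numbering a deny rule above the broad allow it was meant to override (rule 100 matches first, so the deny at 110 never fires). The security group needs no outbound rule for the reply at all.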