A VPC is not just a private network; it is a logically isolated virtual network inside the provider's infrastructure in which you control the address space, the subnets, the routing and the traffic filtering, effectively your own datacenter in the sky.

Let’s fire up a simple VPC and see it in action. Imagine we’re setting up a secure web server.

First, we need the VPC itself. We’ll give it a name, say my-web-vpc, and a CIDR block of 10.0.0.0/16. That block spans 10.0.0.0 through 10.0.255.255, 65,536 addresses in total, although AWS reserves five addresses in every subnet you later carve out of it (the first four and the last), so the usable number is always slightly lower. A VPC CIDR must be between /16 and /28, and the primary block cannot be changed once the VPC exists (you can only add secondary blocks), so choose a range that does not collide with your on-premises networks or with any VPC you may later peer with.

aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=my-web-vpc}]'

The JSON response carries the new ID under Vpc.VpcId (add --query 'Vpc.VpcId' --output text to get just the ID when scripting); let’s assume it’s vpc-0123456789abcdef0.

Next, we need subnets. These are smaller ranges carved out of the VPC’s CIDR block, and each subnet lives in exactly one Availability Zone (AZ), so spreading subnets across AZs is what lets you place resources for high availability. We’ll create two subnets, one in us-east-1a and another in us-east-1b, both within our 10.0.0.0/16 space. Nothing about a subnet is "public" at creation time; it becomes public only once its route table sends internet-bound traffic to an Internet Gateway, which we set up below.

aws ec2 create-subnet --vpc-id vpc-0123456789abcdef0 --cidr-block 10.0.1.0/24 --availability-zone us-east-1a --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=my-web-subnet-a}]'
aws ec2 create-subnet --vpc-id vpc-0123456789abcdef0 --cidr-block 10.0.2.0/24 --availability-zone us-east-1b --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=my-web-subnet-b}]'

These subnets come back with IDs (Subnet.SubnetId in the response) like subnet-0abcdef1234567890 and subnet-0fedcba9876543210.
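Before running create-subnet it is worth checking the layout on paper: every subnet must sit inside the VPC block, none may overlap, prefix lengths must be between /16 and /28, and the five addresses AWS holds back per subnet change the usable count. The following Python script is an added example, not part of the original post; it uses the VPC and subnet CIDRs from this walkthrough and runs entirely locally, without calling AWS.

```python
import ipaddress

# Values from the walkthrough above; the checks are local, nothing talks to AWS.
VPC_CIDR = "10.0.0.0/16"
SUBNET_CIDRS = {
    "my-web-subnet-a": "10.0.1.0/24",
    "my-web-subnet-b": "10.0.2.0/24",
}

# AWS reserves five addresses in every subnet: the network address, the VPC
# router (+1), the Route 53 resolver (+2), one held for future use (+3), and
# the broadcast address, which VPCs do not support but still hold back.
AWS_RESERVED_PER_SUBNET = 5


def reserved_addresses(cidr):
    """Return the five addresses AWS holds back in a subnet, keyed by role."""
    net = ipaddress.ip_network(cidr, strict=True)
    base = int(net.network_address)
    return {
        "network": str(net.network_address),
        "vpc_router": str(ipaddress.ip_address(base + 1)),
        "dns": str(ipaddress.ip_address(base + 2)),
        "future_use": str(ipaddress.ip_address(base + 3)),
        "broadcast": str(net.broadcast_address),
    }


def usable_hosts(cidr):
    """Addresses you can actually assign to network interfaces in a subnet of this size."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def subnet_problems(vpc_cidr, subnets):
    """Return a list of human-readable problems with the layout; an empty list means it is valid."""
    problems = []
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    except ValueError as exc:
        return [f"vpc: {exc}"]
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"vpc: prefix /{vpc.prefixlen} is outside the allowed /16 to /28 range")
    accepted = []
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits set, e.g. 10.0.1.5/24
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if not 16 <= net.prefixlen <= 28:
            problems.append(f"{name}: prefix /{net.prefixlen} is outside the allowed /16 to /28 range")
            continue
        if not net.subnet_of(vpc):
            problems.append(f"{name}: {cidr} is not inside the VPC block {vpc_cidr}")
            continue
        for other_name, other in accepted:
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        accepted.append((name, net))
    return problems


def plan_subnets(vpc_cidr, subnets):
    """Validate the layout and return per-subnet sizing; raises ValueError if anything is wrong."""
    problems = subnet_problems(vpc_cidr, subnets)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        name: {"cidr": cidr, "usable_hosts": usable_hosts(cidr), "reserved": reserved_addresses(cidr)}
        for name, cidr in subnets.items()
    }


if __name__ == "__main__":
    for name, info in plan_subnets(VPC_CIDR, SUBNET_CIDRS).items():
        print(name, info["cidr"], "usable:", info["usable_hosts"], "router:", info["reserved"]["vpc_router"])
```

Run it before the create-subnet calls; a /24 gives 251 usable addresses rather than the 254 you would expect on a physical network, and the whole /16 yields 65,531 at most, which matters when sizing subnets for autoscaling groups or for services that consume an address per task.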

For our web server to be accessible from the internet, our subnets need a route to the outside world. This is handled by an Internet Gateway (IGW) and a Route Table. First, create the IGW:

aws ec2 create-internet-gateway --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=my-web-igw}]'

This gives us an InternetGatewayId, say igw-0123456789abcdef0. Now, attach it to our VPC:

aws ec2 attach-internet-gateway --vpc-id vpc-0123456789abcdef0 --internet-gateway-id igw-0123456789abcdef0

Now, a route table. Every VPC comes with a main route table, and any subnet that has no explicit association uses it. Rather than adding the internet route to the main table, we’ll create a dedicated table for the public subnets: that way a subnet someone creates later without thinking about routing stays private by default instead of inheriting a path to the internet.

aws ec2 create-route-table --vpc-id vpc-0123456789abcdef0 --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=my-public-rt}]'

The response carries the ID under RouteTable.RouteTableId, e.g., rtb-0123456789abcdef0. We need to associate our public subnets with this route table explicitly, otherwise they keep using the main table:

aws ec2 associate-route-table --route-table-id rtb-0123456789abcdef0 --subnet-id subnet-0abcdef1234567890
aws ec2 associate-route-table --route-table-id rtb-0123456789abcdef0 --subnet-id subnet-0fedcba9876543210

Finally, add the route that sends traffic for any destination not covered by a more specific route (0.0.0.0/0) to our IGW. Route tables use longest-prefix matching, and the local route for 10.0.0.0/16 that every table carries is more specific, so traffic between instances in the VPC still flows directly; only internet-bound traffic leaves through the gateway. This route is what makes the associated subnets "public":

aws ec2 create-route --route-table-id rtb-0123456789abcdef0 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-0123456789abcdef0

With these pieces in place, we can launch an EC2 instance into subnet-0abcdef1234567890. The route alone is not enough: the IGW performs a one-to-one translation between a public IPv4 address and the instance’s private address, so the instance needs a public IP, either by enabling "Auto-assign Public IP" on the subnet (modify-subnet-attribute --map-public-ip-on-launch), by requesting one at launch (run-instances --associate-public-ip-address), or by attaching an Elastic IP. Even then, traffic reaches the instance only if its security group allows it; a newly created security group permits no inbound traffic at all, so you will need to open TCP 443 (and 80, if you serve it) from the client ranges you intend to accept.
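Once the routing is in place, the practical question is "which of my subnets are actually reachable from the internet?" The answer depends on the effective route table (the explicitly associated one, or the main table as a fallback), on whether that table has an active 0.0.0.0/0 route to an igw-, and on whether instances get a public IP at launch. The following Python script is an added example, not part of the original post: it runs that check over constructed data shaped like the output of describe-route-tables and describe-subnets for this walkthrough’s VPC. The main route table ID and the third subnet are hypothetical, and it also shows what happens if the internet route had been added to the main table instead.

```python
# Constructed sample shaped like `aws ec2 describe-route-tables` and
# `aws ec2 describe-subnets` output for the walkthrough's VPC. The main route
# table ID (rtb-0aaaaaaaaaaaaaaaa) and the third subnet are hypothetical.
VPC_ID = "vpc-0123456789abcdef0"
IGW_ID = "igw-0123456789abcdef0"
MAIN_RT_ID = "rtb-0aaaaaaaaaaaaaaaa"
PUBLIC_RT_ID = "rtb-0123456789abcdef0"

LOCAL_ROUTE = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
IGW_DEFAULT_ROUTE = {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": IGW_ID, "State": "active"}


def route_tables(default_route_on_main=False):
    """Build the VPC's route tables. With default_route_on_main=True the 0.0.0.0/0 route
    sits on the main table instead of the dedicated public table, the mistake the text warns about."""
    main_routes = [LOCAL_ROUTE] + ([IGW_DEFAULT_ROUTE] if default_route_on_main else [])
    public_routes = [LOCAL_ROUTE] + ([] if default_route_on_main else [IGW_DEFAULT_ROUTE])
    return [
        {"RouteTableId": MAIN_RT_ID, "VpcId": VPC_ID,
         "Associations": [{"Main": True, "RouteTableId": MAIN_RT_ID}],
         "Routes": main_routes},
        {"RouteTableId": PUBLIC_RT_ID, "VpcId": VPC_ID,
         "Associations": [{"Main": False, "SubnetId": "subnet-0abcdef1234567890"},
                          {"Main": False, "SubnetId": "subnet-0fedcba9876543210"}],
         "Routes": public_routes},
    ]


SUBNETS = [
    {"SubnetId": "subnet-0abcdef1234567890", "CidrBlock": "10.0.1.0/24",
     "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-0fedcba9876543210", "CidrBlock": "10.0.2.0/24",
     "AvailabilityZone": "us-east-1b", "MapPublicIpOnLaunch": False},
    # Hypothetical subnet created later with no explicit route table association.
    {"SubnetId": "subnet-0cccccccccccccccc", "CidrBlock": "10.0.3.0/24",
     "AvailabilityZone": "us-east-1a", "MapPublicIpOnLaunch": False},
]


def effective_route_table(subnet_id, tables):
    """An explicit association wins; otherwise the subnet falls back to the VPC's main table."""
    main = None
    for rt in tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def has_internet_default_route(rt):
    """True if an active 0.0.0.0/0 (or ::/0) route points at an internet gateway."""
    for route in rt.get("Routes", []):
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if (dest in ("0.0.0.0/0", "::/0") and route.get("State") == "active"
                and str(route.get("GatewayId", "")).startswith("igw-")):
            return True
    return False


def classify_subnets(subnets, tables):
    """For each subnet: which table it really uses, whether it is internet-routable,
    and whether instances launched into it are exposed without any extra step."""
    result = {}
    for subnet in subnets:
        rt = effective_route_table(subnet["SubnetId"], tables)
        routable = rt is not None and has_internet_default_route(rt)
        auto_ip = bool(subnet.get("MapPublicIpOnLaunch"))
        explicit = rt is not None and any(
            a.get("SubnetId") == subnet["SubnetId"] for a in rt.get("Associations", []))
        result[subnet["SubnetId"]] = {
            "route_table": rt["RouteTableId"] if rt else None,
            "explicitly_associated": explicit,
            "internet_routable": routable,
            "auto_assign_public_ip": auto_ip,
            "exposed_by_default": routable and auto_ip,
        }
    return result


if __name__ == "__main__":
    for scenario, tables in (("route on public table", route_tables()),
                             ("route on main table", route_tables(default_route_on_main=True))):
        print(scenario)
        for subnet_id, info in classify_subnets(SUBNETS, tables).items():
            print(" ", subnet_id, info)
```

With the real CLI you would feed this the parsed output of aws ec2 describe-route-tables and aws ec2 describe-subnets for the VPC. In the walkthrough’s configuration the third subnet falls back to the main table and stays private; in the alternative where the 0.0.0.0/0 route was put on the main table, that same subnet becomes internet-routable without anyone having made a decision about it, which is exactly why the public route belongs on its own table.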

The real power emerges when you consider security groups and Network ACLs. Security groups act as instance-level firewalls (strictly, they attach to network interfaces). They hold only allow rules, evaluate all of them with no ordering, deny everything inbound by default and allow everything outbound by default, and they are stateful: if a connection is allowed in one direction, its return traffic is automatically allowed regardless of the rules in the other direction. Network ACLs, on the other hand, are subnet-level firewalls. Their rules are numbered and evaluated in ascending order, the first match wins and can be an explicit deny, and they are stateless, so return traffic is judged on its own; a NACL that allows inbound TCP 443 must also allow outbound TCP to the ephemeral port range (1024-65535) or the server’s replies never leave the subnet. The default NACL allows all traffic, so it only restricts anything once you edit it. A sensible division of labour is to use NACLs for coarse subnet-wide blocks (known-bad ranges, protocols a tier should never see) and security groups for the per-workload allow lists. Together they give you layered, precise control over traffic flow.
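To make the stateful versus stateless difference concrete, here is an added Python model, not code from the original post and a simplification of the real evaluation, that runs a client’s HTTPS request and the server’s reply through a security group and a network ACL. It shows that the security group passes the reply with no outbound rule at all, that a NACL which merely mirrors the inbound 443 rule on the outbound side silently drops the reply, and that a lower-numbered NACL deny beats a later allow. The addresses, ports and rule numbers are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    number: int             # NACL evaluation order; security groups ignore it
    proto: str              # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str               # remote side: source for inbound rules, destination for outbound
    action: str = "allow"   # NACLs may also say "deny"; security groups only allow


def rule_matches(rule, packet, direction):
    """Inbound rules look at the packet's source address, outbound rules at its
    destination; both compare the packet's destination port against the rule's range."""
    remote_ip = packet.src_ip if direction == "inbound" else packet.dst_ip
    return (rule.proto in ("-1", packet.proto)
            and rule.port_from <= packet.dst_port <= rule.port_to
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr))


class SecurityGroup:
    """Stateful: a packet that belongs to an already-allowed flow passes without a rule."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.tracked = set()  # 5-tuples of flows that a rule has already allowed

    def evaluate(self, packet, direction):
        reverse = (packet.dst_ip, packet.dst_port, packet.src_ip, packet.src_port, packet.proto)
        if reverse in self.tracked:
            return True  # reply to a tracked flow: the rules are not consulted
        rules = self.inbound if direction == "inbound" else self.outbound
        if any(rule_matches(r, packet, direction) for r in rules):
            self.tracked.add((packet.src_ip, packet.src_port, packet.dst_ip, packet.dst_port, packet.proto))
            return True
        return False  # no allow rule matched: implicit deny


class NetworkAcl:
    """Stateless: every packet is judged alone, lowest rule number first, first match wins."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    def evaluate(self, packet, direction):
        rules = self.inbound if direction == "inbound" else self.outbound
        for rule in sorted(rules, key=lambda r: r.number):
            if rule_matches(rule, packet, direction):
                return rule.action == "allow"
        return False  # the trailing "*" rule: deny


def trace_https_flow(sg, nacl, client="203.0.113.10", server="10.0.1.25", client_port=51515):
    """Run a request and its reply through both layers, NACL first since it sits at the subnet edge."""
    request = Packet(client, client_port, server, 443)
    reply = Packet(server, 443, client, client_port)
    request_ok = nacl.evaluate(request, "inbound") and sg.evaluate(request, "inbound")
    reply_ok = request_ok and nacl.evaluate(reply, "outbound") and sg.evaluate(reply, "outbound")
    return {"request": request_ok, "reply": reply_ok}


ALLOW_HTTPS_IN = Rule(100, "tcp", 443, 443, "0.0.0.0/0")
ALLOW_EPHEMERAL_OUT = Rule(100, "tcp", 1024, 65535, "0.0.0.0/0")


def web_sg():
    # Inbound 443 only and deliberately no outbound rule: replies still pass because the group is stateful.
    return SecurityGroup(inbound=[Rule(0, "tcp", 443, 443, "0.0.0.0/0")], outbound=[])


# Mistake: mirroring the inbound rule outbound. Replies go to the client's ephemeral port, not to 443.
MIRRORED_NACL = NetworkAcl(inbound=[ALLOW_HTTPS_IN], outbound=[Rule(100, "tcp", 443, 443, "0.0.0.0/0")])
# Fix: allow outbound TCP to the ephemeral range so replies can leave the subnet.
FIXED_NACL = NetworkAcl(inbound=[ALLOW_HTTPS_IN], outbound=[ALLOW_EPHEMERAL_OUT])
# Ordering: rule 90 denies the client's network before rule 100 would have allowed it.
BLOCKLIST_NACL = NetworkAcl(inbound=[Rule(90, "tcp", 443, 443, "203.0.113.0/24", "deny"), ALLOW_HTTPS_IN],
                            outbound=[ALLOW_EPHEMERAL_OUT])

if __name__ == "__main__":
    for name, nacl in (("mirrored", MIRRORED_NACL), ("fixed", FIXED_NACL), ("blocklist", BLOCKLIST_NACL)):
        print(name, trace_https_flow(web_sg(), nacl))
```

The mirrored NACL is the classic outage that looks like a firewall allowing the port while clients still time out: the SYN is accepted, the SYN-ACK is dropped on the way out. When you debug it on a real VPC, VPC Flow Logs show the inbound ACCEPT and the outbound REJECT for the same pair of addresses.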

Consider the concept of Elastic Network Interfaces (ENIs). These are virtual network cards, each bound to a subnet (and therefore to one AZ), that carry an instance’s private IP addresses, any Elastic IP attached to them, a MAC address and the security groups that apply. An instance’s primary interface cannot be detached, but a secondary ENI can be detached from one instance and attached to another in the same AZ, taking its addresses and security groups with it. This is invaluable for high-availability setups where you want to fail over an IP address quickly, for example to a warm standby.

Most people think of VPCs as just a way to get private IP addresses, but they’re fundamentally about defining your network perimeter in the cloud. The CIDR blocks you choose, the subnets you create across AZs, and the routing tables you configure are all building blocks for network topology, security, and resilience.

The next logical step is often connecting your on-premises network to this VPC using a VPN or AWS Direct Connect, creating a hybrid cloud environment.
