Amazon Virtual Private Cloud (VPC)

Published: February 10, 2026 at 12:14 AM EST
3 min read
Source: Dev.to

Why VPC?

Creating resources directly on the public cloud without a VPC is like leaving your laptop on a public sidewalk with no password and a “Free Access” sign—technically possible but extremely risky.

  • Security and Isolation – Without a VPC, resources receive public IP addresses by default, making them visible and targetable from the internet.
  • Connectivity between Services – In a VPC, resources communicate using private IPs, which also reduces costs compared to public IP data transfers.
  • Network Customization – You define your own IP address range (e.g., 10.0.0.0/16).
  • Traffic Routing and Filtering – VPCs let you set routing rules through Route Tables.

Core Components

  • IPv4 and IPv6 Address Blocks – Define a private IP address range using CIDR notation (e.g., 10.0.0.0/16).
  • Subnets – Ranges of IP addresses within your VPC where you launch resources.
    • Public Subnets – Connected to the internet via an Internet Gateway (the “door” to the outside world).
    • Private Subnets – Not reachable from the public internet; ideal for databases or application servers.
  • Route Tables – Sets of rules that determine where network traffic from a subnet or gateway is directed.
  • Internet Gateway (IGW) – A horizontally scaled, redundant, highly available component that enables communication between your VPC and the internet.
  • NAT Gateway – Allows instances in a private subnet to initiate outbound internet connections (e.g., for software updates) while preventing inbound connections.

Security Layers

Network Access Control Lists (NACL)

An optional, stateless firewall that controls inbound and outbound traffic at the subnet level. Rules are numbered and evaluated in order, and because the NACL keeps no connection state, reply traffic is not recognised automatically: the return direction must be permitted by an explicit rule (typically the ephemeral port range).

Security Groups

Stateful virtual firewalls applied to individual EC2 instances, controlling inbound and outbound traffic. Because they track connections, a reply to an allowed connection is permitted without a matching rule in the opposite direction; security group rules are allow-only, so anything not explicitly allowed is dropped.
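The stateless-versus-stateful distinction is easiest to see on a concrete flow. The following Python model is an added example, not code from the original post or from AWS; it assumes a constructed scenario in which a client on ephemeral port 50123 opens HTTPS to an instance whose NACL and security group both allow inbound 443 only, and shows that the NACL drops the reply until an outbound ephemeral-port rule is added, while the security group passes it through connection tracking.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = toward the instance, "out" = leaving it
    proto: str
    src_port: int
    dst_port: int

@dataclass(frozen=True)
class NaclRule:
    number: int      # lowest matching number wins
    direction: str
    proto: str
    port_from: int   # destination-port range
    port_to: int
    allow: bool      # NACLs can deny explicitly, security groups cannot

def nacl_allows(rules, pkt):
    """Stateless: every packet is judged alone; no match hits the implicit deny (*)."""
    for r in sorted(rules, key=lambda r: r.number):
        if (r.direction == pkt.direction and r.proto == pkt.proto
                and r.port_from <= pkt.dst_port <= r.port_to):
            return r.allow
    return False

class SecurityGroup:
    """Stateful: allow-only rules plus connection tracking for replies."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}   # (proto, from, to)
        self.flows = set()                              # accepted connections
    def allows(self, pkt):
        opposite = "out" if pkt.direction == "in" else "in"
        # A reply to a tracked connection passes without a rule in this direction
        if (opposite, pkt.proto, pkt.dst_port, pkt.src_port) in self.flows:
            return True
        for proto, lo, hi in self.rules[pkt.direction]:
            if proto == pkt.proto and lo <= pkt.dst_port <= hi:
                self.flows.add((pkt.direction, pkt.proto, pkt.src_port, pkt.dst_port))
                return True
        return False

def https_exchange(nacl_allows_ephemeral_return):
    """Constructed scenario: client port 50123 -> instance port 443, then the reply."""
    request = Packet("in", "tcp", 50123, 443)
    reply = Packet("out", "tcp", 443, 50123)
    nacl = [NaclRule(100, "in", "tcp", 443, 443, True)]
    if nacl_allows_ephemeral_return:   # the outbound rule a stateless ACL needs
        nacl.append(NaclRule(100, "out", "tcp", 1024, 65535, True))
    sg = SecurityGroup(inbound=[("tcp", 443, 443)], outbound=[])  # constructed, no egress rules
    return {"nacl_request": nacl_allows(nacl, request), "nacl_reply": nacl_allows(nacl, reply),
            "sg_request": sg.allows(request), "sg_reply": sg.allows(reply)}
```

Running `https_exchange(False)` shows the NACL accepting the request but dropping the reply while the security group accepts both; `https_exchange(True)` adds the outbound 1024-65535 rule and the NACL then passes the reply too.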

Connectivity Options

  • VPC Peering – Private networking connection between two VPCs, enabling traffic routing using private IPv4 or IPv6 addresses.
  • AWS VPN – Securely connects your on‑premises network to your Amazon VPC.
  • AWS Direct Connect – Dedicated network connection from your premises to AWS, bypassing the public internet.

Pricing

Creating a VPC is free—no charges for defining the network, creating subnets, or setting up Route Tables, Internet Gateways, or Security Groups. You only pay for traffic that moves through the VPC and any managed services you attach.

Components That Are Free

  • VPC creation – no setup or monthly fee.
  • Subnets & Route Tables – unlimited creation at no cost.
  • Internet Gateway (IGW) – attaching and using an IGW costs $0.
  • Network ACLs & Security Groups – provided at no cost.

Components That Cost Money (2026 Jan – may be outdated)

  • Public IPv4 Address – $0.005 / hour (~$3.60 / mo).
  • NAT Gateway – $0.045 / hour (~$32 / mo) plus $0.045 per GB processed.
  • VPC Interface Endpoint – $0.01 / hour (~$7 / mo) plus $0.01 per GB processed.
  • Transit Gateway – $0.05 / hour per attachment plus $0.02 per GB processed.
  • Site‑to‑Site VPN – $0.05 / hour; standard data transfer rates apply.

Data Transfer Costs

  • Inbound Data – Always free.
  • Outbound to Internet – Approximately $0.09 / GB after the first 100 GB/month (free).
  • Inter‑Availability Zone (AZ) – $0.01 / GB in each direction when data moves between EC2 instances in different AZs.
  • Intra‑Availability Zone – Data transfer between instances in the same AZ using private IPs is free.

Pro tip: Using a public IP to communicate between instances in the same AZ incurs the $0.01 / GB charge. Always use private IPs for internal traffic.