VPC

A Virtual Private Cloud (VPC) is a logically isolated section of a cloud provider's network in which you launch resources inside a virtual network you control. You define the address space in CIDR notation (for example 10.0.0.0/16), divide it into public and private subnets spread across multiple Availability Zones, configure route tables to direct traffic, attach an Internet Gateway for inbound and outbound internet access, and place NAT Gateways so that private resources can initiate outbound connections without accepting inbound ones. Whether a subnet is "public" is decided by its route table, not by its name: a subnet is public only if it has a route to an Internet Gateway, and an instance in it is reachable only if it also carries a public IP. Security Groups are stateful firewalls attached to instances (strictly, to network interfaces) and hold allow rules only; Network ACLs are stateless, ordered allow/deny rules evaluated at the subnet boundary, so return traffic must be permitted explicitly. Every major provider offers the construct under its own name: AWS calls it VPC, Azure calls it Virtual Network (VNet), Google Cloud calls it VPC Network, and OCI calls it Virtual Cloud Network (VCN).

When would you use a VPC? Almost always: any production workload should run inside one. A VPC is essential when you need network-level isolation between environments (dev, staging, prod), when databases or internal services must stay off the public internet, when you connect an on-premises network to the cloud over VPN or Direct Connect, and when compliance requirements call for demonstrable network segmentation.

Common mistakes: allocating a VPC CIDR block that is too small (expanding later is awkward, so reserve a /16 where the provider allows it); placing databases or internal APIs in public subnets (they belong in private or isolated subnets with no route to an Internet Gateway); choosing CIDR blocks that overlap with other VPCs or with on-premises ranges, which blocks peering and breaks VPN or Direct Connect routing later; and not planning subnet allocation across Availability Zones from the start, because retrofitting multi-AZ into a single-AZ design is painful.

Example: A financial services company builds a VPC with a 10.0.0.0/16 CIDR block and creates public subnets (10.0.1.0/24, 10.0.2.0/24) for load balancers, private subnets (10.0.3.0/24, 10.0.4.0/24) for application servers, and isolated subnets (10.0.5.0/24 plus a counterpart in the second zone) for databases, with each tier spread across two Availability Zones for high availability. Architecture use case: a three-tier web application places its Application Load Balancer in the public subnets, EC2 web servers in the private application subnets, and RDS PostgreSQL in the isolated database subnets, which have no default route at all, neither to the Internet Gateway nor to a NAT Gateway. NAT Gateways let the EC2 instances download patches without being directly reachable from the internet, and Security Groups on each tier should admit traffic only from the Security Group of the tier in front of it (load balancer to web, web to database) rather than from whole CIDR ranges.
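The following is an added example, not code from the original page or from any provider SDK: an offline checker, using only Python's standard ipaddress module, for a VPC plan like the one above. It carves a /16 into /24 blocks, classifies each subnet by what its route table actually does (a subnet labelled "isolated" that has picked up a default route to a NAT Gateway is reported), verifies that every tier spans at least two Availability Zones, and flags VPC CIDRs that overlap and therefore cannot be peered. Subnet names, the zone names "az-a"/"az-b" and the route targets "igw-main", "nat-a" and "nat-b" are constructed placeholders, not real resource IDs.

```python
# Added example (not from the original page): an offline check of a VPC
# subnet plan with Python's standard ipaddress module. Subnet names, AZ
# names and the route targets "igw-main" / "nat-a" / "nat-b" are constructed
# placeholders, not real resource IDs.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Subnet:
    name: str
    cidr: str
    az: str
    tier: str                      # intended role: "public", "private" or "isolated"
    routes: dict = field(default_factory=dict)  # destination prefix -> target


def classify(subnet):
    """Exposure as the route table actually defines it, regardless of the label.
    public: default route to an Internet Gateway; private: default route to a NAT
    Gateway; isolated: no default route at all (only the implicit local route)."""
    target = subnet.routes.get("0.0.0.0/0")
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "unknown"


def carve(vpc_cidr, new_prefix, count):
    """First `count` blocks of length /new_prefix inside vpc_cidr (e.g. /24s of a /16)."""
    blocks = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix))
    if count > len(blocks):
        raise ValueError(f"{vpc_cidr} holds only {len(blocks)} /{new_prefix} blocks")
    return [str(b) for b in blocks[:count]]


def overlapping_vpcs(cidrs):
    """Pairs of VPC CIDRs that overlap; such VPCs cannot be peered later."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [(str(a), str(b)) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def audit(vpc_cidr, subnets):
    """Findings for the mistakes the text lists; an empty list means the plan passes."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [(s.name, ipaddress.ip_network(s.cidr)) for s in subnets]
    for s, (_, net) in zip(subnets, nets):
        if not net.subnet_of(vpc):
            findings.append(f"{s.name}: {s.cidr} lies outside {vpc_cidr}")
        actual = classify(s)
        if actual != s.tier:
            findings.append(f"{s.name}: labelled {s.tier} but its routes make it {actual}")
    for i, (name_a, a) in enumerate(nets):
        for name_b, b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{name_a} and {name_b} overlap ({a} / {b})")
    for tier in sorted({s.tier for s in subnets}):
        azs = {s.az for s in subnets if s.tier == tier}
        if len(azs) < 2:
            findings.append(f"tier {tier} exists in only one AZ: {sorted(azs)}")
    return findings


def good_plan():
    """The three-tier layout from the text, with a second isolated subnet so the
    database tier also spans two AZs (constructed sample data)."""
    igw, nat = {"0.0.0.0/0": "igw-main"}, {"0.0.0.0/0": "nat-a"}
    return [
        Subnet("public-a", "10.0.1.0/24", "az-a", "public", igw),
        Subnet("public-b", "10.0.2.0/24", "az-b", "public", igw),
        Subnet("app-a", "10.0.3.0/24", "az-a", "private", nat),
        Subnet("app-b", "10.0.4.0/24", "az-b", "private", {"0.0.0.0/0": "nat-b"}),
        Subnet("db-a", "10.0.5.0/24", "az-a", "isolated"),
        Subnet("db-b", "10.0.6.0/24", "az-b", "isolated"),
    ]


def bad_plan():
    """Same plan after two common slips: the app tier's route table was attached
    to db-a, and both database subnets ended up in the same AZ."""
    plan = good_plan()
    plan[4].routes = {"0.0.0.0/0": "nat-a"}
    plan[5].az = "az-a"
    return plan


if __name__ == "__main__":
    print(carve("10.0.0.0/16", 24, 6))
    print("good:", audit("10.0.0.0/16", good_plan()))
    print("bad:", audit("10.0.0.0/16", bad_plan()))
    print("peering:", overlapping_vpcs(["10.0.0.0/16", "10.0.128.0/17", "172.16.0.0/12"]))
```

The check deliberately derives each subnet's exposure from its default route rather than from its name or tag, because that is how the cloud decides it too; a database subnet that passes this audit has no path to the internet in either direction, which is the property the "isolated" tier is meant to guarantee.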

Category: networking

Difficulty: intermediate