VPC
Also known as: Virtual Private Cloud, VNet, Virtual Network
A VPC (Virtual Private Cloud) is a logically isolated network within a cloud provider, where you define IP address ranges, subnets, route tables, and gateways. It is the cloud equivalent of a traditional on-premises network, with the addition of programmable infrastructure and elastic scaling.
Why VPCs exist
Before VPCs, multi-tenant cloud meant all customers shared the same flat network. Security boundaries were weak. Tenants could potentially see each other's traffic. VPCs solve this by creating logically isolated networks per customer, enforced by software-defined networking at the hypervisor level.
In a typical VPC you control:
- IP address ranges (CIDR blocks): usually a private range like 10.0.0.0/16, giving you 65,536 addresses to subdivide.
- Subnets: logical partitions of the VPC, often split into public (internet-routable) and private (internal-only) tiers.
- Route tables: which destinations go through which gateways.
- Gateways: internet gateway for public subnets, NAT gateway for outbound-only traffic from private subnets, VPN gateway for hybrid connectivity.
- Security groups and network ACLs: security groups are stateful firewall rules applied at the instance (network interface) level; network ACLs are stateless rules applied at the subnet level.
VPC naming across the clouds
The concept is the same; the names differ:
- AWS: VPC. A subnet is public or private depending on its route table: a default route (0.0.0.0/0) to an internet gateway makes it public; otherwise it is private.
- Azure: Virtual Network (VNet). Subnets configured with NSGs and service endpoints.
- GCP: VPC network. Subnets are global by default in auto mode, regional in custom mode.
VPC exam topics
- AWS SAA-C03: VPC peering vs Transit Gateway, NAT Gateway vs NAT instance, VPC endpoints (gateway vs interface), flow logs, security group vs NACL evaluation order.
- AZ-104 / AZ-700: VNet peering, hub-and-spoke topology, Azure Bastion, Private Link, ExpressRoute vs VPN Gateway.
- CCNA: the underlying networking - subnetting, CIDR, IPv4/IPv6 addressing, BGP for routing between VPCs and on-prem.
Common VPC design patterns
- Three-tier architecture: public subnet for load balancers, private subnets for application servers, isolated subnets for databases.
- Hub-and-spoke: one central VPC for shared services (DNS, AD, monitoring) connected to multiple workload VPCs via peering or transit gateway.
- Multi-region: separate VPCs per region with VPC peering or transit gateway for cross-region traffic. Required for disaster recovery.
The most common VPC mistake is deploying a workload into a public subnet when it never needed to be reachable from the internet. Default to private subnets; use public subnets only for load balancers, bastion hosts, and NAT gateways.
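The public/private classification rule and the "workload in a public subnet" mistake above can be checked mechanically. The following is an added example, not code from the original page or from any cloud provider; it runs over a constructed, in-memory description of a VPC (the CIDRs, subnet names, route targets and instance roles are all made up), classifies each subnet from its route table, validates subnet CIDRs against the VPC range, and flags workloads that sit in a public subnet without a role that needs one.

```python
import ipaddress

# Constructed sample VPC description (hypothetical names and ranges, not a real account).
VPC = {
    "cidr": "10.0.0.0/16",
    "subnets": {
        "subnet-a": {"cidr": "10.0.0.0/24", "route_table": "rt-public"},
        "subnet-b": {"cidr": "10.0.1.0/24", "route_table": "rt-private"},
        "subnet-c": {"cidr": "10.0.2.0/24", "route_table": "rt-isolated"},
    },
    # Each route table is a list of (destination, target) pairs.
    "route_tables": {
        "rt-public": [("0.0.0.0/0", "igw-0abc")],    # default route to internet gateway
        "rt-private": [("0.0.0.0/0", "nat-0def")],   # default route to NAT gateway
        "rt-isolated": [],                           # no default route at all
    },
    "instances": {
        "alb-1": {"role": "load-balancer", "subnet": "subnet-a"},
        "app-1": {"role": "app", "subnet": "subnet-a"},   # the classic mistake
        "db-1": {"role": "database", "subnet": "subnet-c"},
    },
}

# Roles that legitimately belong in a public subnet.
PUBLIC_OK = {"load-balancer", "bastion", "nat-gateway"}

def classify_subnet(vpc, name):
    """public: default route to an igw-*; private: default route elsewhere (NAT);
    isolated: no default route, so nothing leaves the VPC."""
    routes = vpc["route_tables"][vpc["subnets"][name]["route_table"]]
    for dest, target in routes:
        if dest == "0.0.0.0/0":
            return "public" if target.startswith("igw-") else "private"
    return "isolated"

def check_cidrs(vpc):
    """Every subnet must lie inside the VPC CIDR and must not overlap another subnet."""
    vpc_net = ipaddress.ip_network(vpc["cidr"])
    nets = {n: ipaddress.ip_network(s["cidr"]) for n, s in vpc["subnets"].items()}
    findings = [f"{n} {net} is outside VPC {vpc_net}"
                for n, net in nets.items() if not net.subnet_of(vpc_net)]
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} overlaps {b}")
    return findings

def check_placement(vpc):
    """Flag any instance in a public subnet whose role does not need to be internet-facing."""
    return [f"{i} ({inst['role']}) is in public subnet {inst['subnet']}"
            for i, inst in vpc["instances"].items()
            if classify_subnet(vpc, inst["subnet"]) == "public"
            and inst["role"] not in PUBLIC_OK]
```

Feeding the constructed VPC through `check_placement` reports only `app-1`, since the load balancer is allowed in the public subnet and the database sits in the isolated one.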