What Is an Amazon VPC?
A Virtual Private Cloud (VPC) is a logically isolated section of the AWS cloud where you launch resources inside a network you define yourself. Every VPC is scoped to a single AWS region, spans all Availability Zones in that region, and is defined by an IPv4 CIDR block (and optionally an IPv6 block) that determines the range of private IP addresses available to your resources. Unlike shared hosting environments, nothing inside your VPC is reachable from outside unless you explicitly configure routing and access, which makes the VPC the foundational security and networking boundary for almost every AWS architecture.
Cricket analogy: Think of a VPC like a franchise's home stadium built exclusively for IPL team Mumbai Indians — the boundary rope, dressing rooms, and pitch are theirs alone, and no other team's players can wander in without an explicit gate pass.
CIDR Blocks and IP Addressing
When you create a VPC, you assign it a primary IPv4 CIDR block, commonly something like 10.0.0.0/16, which provides 65,536 private IP addresses following RFC 1918 addressing. AWS reserves the first four and last one IP address in every subnet carved from that block for internal networking purposes (network address, VPC router, DNS, future use, and broadcast), so a /24 subnet actually yields 251 usable addresses rather than 256. Planning your CIDR ranges carefully up front matters enormously because VPC CIDR blocks cannot easily overlap if you later want to peer VPCs together or connect them over Transit Gateway, and resizing a VPC's primary CIDR after the fact is far more disruptive than adding secondary blocks.
Cricket analogy: Sizing a CIDR block is like deciding how many overs to allocate a bowler in a T20 match — allocate too few (a /28 subnet) and you run out mid-innings; allocate a full quota like a /16 and you have room to rotate bowlers freely.
Default VPC vs Custom VPC
Every AWS account historically received one default VPC per region, pre-configured with a 172.31.0.0/16 CIDR, a public subnet in every Availability Zone, an attached Internet Gateway, and auto-assigned public IPs, which is convenient for quickly launching an EC2 instance but poor practice for production workloads. A custom VPC, by contrast, gives you full control over CIDR sizing, subnet segmentation into public and private tiers, route tables, NAT gateways, and security boundaries, which is essential once you need to isolate a database tier, comply with network segmentation requirements, or connect to on-premises networks via VPN or Direct Connect.
Cricket analogy: The default VPC is like a club-issued starter kit bat handed to every junior player — fine for a casual net session, but a professional like Virat Kohli custom-orders a bat balanced to his exact grip and weight for international matches.
# Create a custom VPC with a /16 CIDR block
aws ec2 create-vpc \
--cidr-block 10.0.0.0/16 \
--tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=prod-vpc}]'
# Create a public subnet within that VPC
aws ec2 create-subnet \
--vpc-id vpc-0123456789abcdef0 \
--cidr-block 10.0.1.0/24 \
--availability-zone us-east-1a \
--tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=public-subnet-1a}]'
# Attach an Internet Gateway to the VPC
aws ec2 create-internet-gateway --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=prod-igw}]'
aws ec2 attach-internet-gateway --vpc-id vpc-0123456789abcdef0 --internet-gateway-id igw-0abc123def456VPC Peering and Endpoints
VPC peering establishes a private, non-transitive network connection between two VPCs so resources in each can communicate using private IP addresses as if they were on the same network, but traffic cannot hop through a peered VPC to reach a third VPC — each peering relationship must be established directly. For reaching AWS services like S3 or DynamoDB without traversing the public internet, VPC endpoints are the better tool: gateway endpoints (free, route-table based) support S3 and DynamoDB, while interface endpoints (powered by AWS PrivateLink, billed hourly) provide a private ENI for dozens of other services such as Secrets Manager and SNS.
Cricket analogy: Non-transitive peering is like a bilateral series agreement between India and Australia — India playing Australia doesn't automatically grant India a series against South Africa just because Australia has one with them.
Each AWS account gets a default quota of 5 VPCs per region, though this is a soft limit you can raise via a service quota increase request. VPC CIDR blocks cannot overlap with any VPC you intend to peer with, so standardize your CIDR allocation strategy across accounts before scaling out.
Deleting a VPC permanently removes its route tables, subnets, and security groups, and AWS will not silently recreate a 'default' VPC for you afterward — restoring one requires an explicit API call to create-default-vpc, and any hardcoded references to the old VPC ID in other resources will break.
- A VPC is a region-scoped, logically isolated virtual network defined by one or more CIDR blocks.
- AWS reserves 5 IP addresses per subnet for internal networking, reducing usable host count.
- Default VPCs (172.31.0.0/16, public subnets, attached IGW) are convenient but unsuitable for production.
- Custom VPCs let you control CIDR sizing, subnet tiers, routing, and connectivity end to end.
- VPC peering is non-transitive — each pairwise connection must be created explicitly.
- Gateway endpoints (free, S3/DynamoDB) and interface endpoints (PrivateLink, billed) avoid public internet routing.
- Plan CIDR ranges carefully upfront since resizing or avoiding overlap later is costly and disruptive.
Practice what you learned
1. What is the default IPv4 CIDR block used by AWS for a default VPC?
2. How many IP addresses does AWS reserve in every subnet for internal use?
3. Which statement about VPC peering is correct?
4. Which type of VPC endpoint is used to reach S3 without incurring hourly charges?
5. What is the default quota for VPCs per AWS account per region?
Was this page helpful?
You May Also Like
Subnets, Route Tables, and Internet Gateways
Understand how subnets divide a VPC, how route tables direct traffic, and how Internet Gateways and NAT Gateways enable inbound and outbound connectivity.
Security Groups vs NACLs
Compare AWS's two network-layer firewalls — stateful Security Groups and stateless Network ACLs — and learn when and how to use each for defense in depth.