Amazon Virtual Private Cloud (VPC) is your own private, isolated section of the AWS network. All AWS resources you create (EC2, RDS, Lambda in VPC, etc.) live inside a VPC.
In Azure terms: AWS VPC = Azure Virtual Network (VNet)
| Concept | Description |
|---|---|
| VPC | Isolated virtual network with a CIDR block (e.g., 10.0.0.0/16) |
| Subnet | A sub-range of the VPC CIDR, tied to a specific AZ |
| Route Table | Rules that determine where network traffic is directed |
| Internet Gateway (IGW) | Connects public subnets to the internet |
| NAT Gateway | Lets private subnet resources make outbound internet calls |
| Security Group | Stateful firewall at the instance/ENI level |
| Network ACL (NACL) | Stateless firewall at the subnet level |
| VPC Peering | Private connection between two VPCs (same or different accounts) |
| Transit Gateway | Hub for connecting many VPCs and on-prem networks |
| | Public Subnet | Private Subnet |
|---|---|---|
| Route to internet | Via Internet Gateway | Via NAT Gateway (outbound only) |
| Resources | Load balancers, bastion hosts | EC2 app servers, RDS databases |
| Receives inbound internet | Yes | No |
| Has public IPs | Typically yes | No |

What actually makes a subnet "public" is its route table: a 0.0.0.0/0 route whose target is the Internet Gateway. An instance with a public IP in a subnet that lacks that route is still unreachable from the internet, and a subnet with that route exposes anything in it that has a public IP and a permissive security group.
Every AWS account has a default VPC per region with:

- CIDR 172.31.0.0/16
- A /20 public subnet in each AZ, with auto-assign public IPv4 enabled
- An attached Internet Gateway
- A main route table with a 0.0.0.0/0 route to the IGW, so every default subnet is public
Avoid using the default VPC for production: every subnet in it is public and hands out public IPs, so any resource launched there is one permissive security group away from internet exposure. Create a custom VPC with proper subnet isolation.
```
VPC (10.0.0.0/16)
├── Public Subnet (10.0.1.0/24) — Load Balancers, Bastion, NAT Gateway
├── Private Subnet (10.0.2.0/24) — Application Servers (EC2)
│   └── 0.0.0.0/0 → NAT Gateway (in the public subnet) → Internet (outbound only)
└── Database Subnet (10.0.3.0/24) — RDS, ElastiCache (no default route; reachable only from inside the VPC)
```

Note that the NAT Gateway itself lives in the public subnet; the private subnet's route table points its default route at it. This is a single-AZ sketch: in production, repeat the three subnets in at least two AZs.
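As an added example (not code from the original page), the following Python models the three-tier layout above together with the route tables that make each tier public, private or isolated. It checks that the subnets fit inside the VPC CIDR without overlapping, classifies each subnet the way AWS itself defines "public" (a 0.0.0.0/0 route to an IGW), and resolves a destination with longest-prefix matching the way the VPC router does. The IGW ID `igw-0abc123` is taken from the CLI section of the page; the NAT Gateway ID `nat-0def456` is an assumed placeholder.

```python
import ipaddress

# Constructed example: the three-tier layout from the diagram above.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "public": "10.0.1.0/24",
    "private": "10.0.2.0/24",
    "database": "10.0.3.0/24",
}

# Route tables as (destination, target) pairs. AWS adds the "local" route to
# every route table automatically and it cannot be deleted. The NAT Gateway
# ID is an assumed placeholder; the IGW ID matches the CLI section.
ROUTE_TABLES = {
    "public":   [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0abc123")],
    "private":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0def456")],
    "database": [("10.0.0.0/16", "local")],
}


def validate_layout(vpc_cidr, subnets):
    """Return a list of problems: subnets outside the VPC CIDR or overlapping each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [(name, ipaddress.ip_network(cidr)) for name, cidr in subnets.items()]
    problems = []
    for name, net in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} is outside {vpc}")
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a_name} {a} overlaps {b_name} {b}")
    return problems


def classify(route_table):
    """'public' = default route to an IGW, 'private' = default route to a NAT Gateway, else 'isolated'."""
    for dest, target in route_table:
        if dest == "0.0.0.0/0":
            if target.startswith("igw-"):
                return "public"
            if target.startswith("nat-"):
                return "private"
    return "isolated"


def next_hop(route_table, dst_ip):
    """Longest-prefix match, as the VPC router does. None means no route: the packet is dropped."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for dest, target in route_table:
        net = ipaddress.ip_network(dest)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


if __name__ == "__main__":
    print("layout problems:", validate_layout(VPC_CIDR, SUBNETS))
    for tier, rt in ROUTE_TABLES.items():
        print(f"{tier}: {classify(rt)}; 8.8.8.8 -> {next_hop(rt, '8.8.8.8')}; "
              f"10.0.2.5 -> {next_hop(rt, '10.0.2.5')}")
```

The `classify` check is the one to run against real route tables when auditing an account: a subnet someone believes is private but whose route table carries a 0.0.0.0/0 route to an `igw-` target is public, whatever its name says.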
| Feature | Security Group | Network ACL |
|---|---|---|
| Operates at | Instance (ENI) level | Subnet level |
| State | Stateful: return traffic is automatically allowed | Stateless: must allow inbound AND outbound explicitly |
| Default | Deny all inbound, allow all outbound | The default NACL allows all inbound and outbound; a newly created custom NACL denies everything until rules are added |
| Rules | Allow only (no explicit deny) | Allow and Deny |
| Evaluation | All rules evaluated; any match allows | Evaluated in ascending rule number; first match wins, then the trailing `*` rule denies |

The practical consequence of statelessness: a NACL that allows inbound 443 but has no outbound rule for the ephemeral port range (1024-65535) will silently drop the server's replies, and a deny rule only takes effect if its number is lower than the allow rule it is meant to override.
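As an added example (not code from the original page), here is a small Python model of how a Security Group and a Network ACL decide the same two packets, an inbound HTTPS request and the server's reply. It shows why the stateful Security Group passes the reply with no outbound rule at all, why the stateless NACL drops the reply until an outbound ephemeral-port rule is added, and why a NACL deny only works when its number sorts before the competing allow. The IP addresses, ports and rule numbers are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str  # "in" = arriving at the protected ENI, "out" = leaving it


def _flow_key(pkt):
    """Direction-independent 4-tuple (local, remote) so a reply maps to the same tracked flow."""
    if pkt.direction == "in":
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
    return (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


def _in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


@dataclass
class SecurityGroup:
    """Allow-only rules, every rule considered; replies pass via connection tracking."""
    inbound: list = field(default_factory=list)   # [(cidr, (low_port, high_port))]
    outbound: list = field(default_factory=list)
    tracked: set = field(default_factory=set)

    def evaluate(self, pkt):
        if _flow_key(pkt) in self.tracked:
            return "allow"  # reply to an accepted connection
        rules = self.inbound if pkt.direction == "in" else self.outbound
        remote = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
        for cidr, (lo, hi) in rules:
            if _in_cidr(remote, cidr) and lo <= pkt.dst_port <= hi:
                self.tracked.add(_flow_key(pkt))
                return "allow"
        return "deny"  # there is no explicit deny; an unmatched packet is simply dropped


@dataclass
class NetworkACL:
    """Numbered allow/deny rules, lowest number first, first match wins, no connection state."""
    rules: list = field(default_factory=list)  # [(number, direction, cidr, (lo, hi), action)]

    def evaluate(self, pkt):
        remote = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
        for _num, direction, cidr, (lo, hi), action in sorted(self.rules):
            if direction == pkt.direction and _in_cidr(remote, cidr) and lo <= pkt.dst_port <= hi:
                return action
        return "deny"  # the implicit "*" rule


def https_exchange():
    """Constructed traffic: a client request to the web server and the server's reply."""
    request = Packet("203.0.113.7", 51000, "10.0.1.10", 443, "in")
    reply = Packet("10.0.1.10", 443, "203.0.113.7", 51000, "out")
    return request, reply


def compare():
    request, reply = https_exchange()
    # Outbound rules emptied on purpose: the reply must get through on tracking alone.
    sg = SecurityGroup(inbound=[("0.0.0.0/0", (443, 443))], outbound=[])
    nacl_no_ephemeral = NetworkACL(rules=[(100, "in", "0.0.0.0/0", (443, 443), "allow")])
    nacl_fixed = NetworkACL(rules=nacl_no_ephemeral.rules
                            + [(100, "out", "0.0.0.0/0", (1024, 65535), "allow")])
    # A deny must be numbered below the allow it is meant to beat.
    nacl_block_first = NetworkACL(rules=nacl_fixed.rules
                                  + [(50, "in", "203.0.113.0/24", (0, 65535), "deny")])
    nacl_block_late = NetworkACL(rules=nacl_fixed.rules
                                 + [(150, "in", "203.0.113.0/24", (0, 65535), "deny")])
    return {
        "sg": (sg.evaluate(request), sg.evaluate(reply)),
        "nacl_no_ephemeral": (nacl_no_ephemeral.evaluate(request), nacl_no_ephemeral.evaluate(reply)),
        "nacl_fixed": (nacl_fixed.evaluate(request), nacl_fixed.evaluate(reply)),
        "nacl_block_first": nacl_block_first.evaluate(request),
        "nacl_block_late": nacl_block_late.evaluate(request),
    }


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name}: {verdict}")
```

The model deliberately simplifies (no protocol field, no ICMP), but the two behaviours it isolates are the ones that cause real outages and real exposure: forgetting the NACL ephemeral-port rule, and placing a NACL deny above the allow in the table but below it in rule number.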
| Option | Description |
|---|---|
| Internet Gateway | Public internet access for the VPC |
| NAT Gateway | Outbound internet for private subnets (AWS-managed; resilient within a single AZ, so deploy one per AZ for high availability) |
| VPC Peering | Private, non-transitive connection between two VPCs |
| Transit Gateway | Hub-and-spoke model for connecting hundreds of VPCs + on-prem |
| AWS Direct Connect | Dedicated private line from your data center to AWS |
| VPN Gateway | IPsec VPN tunnel over the public internet |
| AWS PrivateLink | Securely access AWS services or your own services from a VPC without public IPs or an Internet Gateway |
| Feature | AWS VPC | Azure VNet |
|---|---|---|
| Core unit | VPC | Virtual Network (VNet) |
| Subnets | Must be in a single AZ | Span the region (not AZ-specific) |
| Peering | VPC Peering | VNet Peering |
| Hub-and-spoke | Transit Gateway | Azure Virtual WAN / Hub VNet |
| Private endpoints | VPC Endpoint (PrivateLink) | Private Endpoint |
| On-prem connection | Direct Connect | ExpressRoute |
| VPN | AWS VPN Gateway | VPN Gateway |
| DNS | Route 53 Resolver / VPC DNS | Azure Private DNS |
| Security at subnet | Network ACL (stateless) | Network Security Group (stateful) |
| Security at resource | Security Group (stateful) | Network Security Group (on the NIC) |
```bash
# Create the VPC; capture its ID rather than pasting it by hand
VPC_ID=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=my-vpc}]' \
  --query Vpc.VpcId --output text)
# Create a subnet in one AZ
aws ec2 create-subnet --vpc-id "$VPC_ID" \
  --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a
# Create an Internet Gateway and attach it to the VPC
IGW_ID=$(aws ec2 create-internet-gateway \
  --query InternetGateway.InternetGatewayId --output text)
aws ec2 attach-internet-gateway \
  --internet-gateway-id "$IGW_ID" --vpc-id "$VPC_ID"
# Create a security group (group name web-sg is a placeholder)
SG_ID=$(aws ec2 create-security-group \
  --group-name web-sg \
  --description "Web server security group" \
  --vpc-id "$VPC_ID" --query GroupId --output text)
# Allow inbound HTTPS; port and source CIDR are placeholders, narrow them for your workload
aws ec2 authorize-security-group-ingress \
  --group-id "$SG_ID" --protocol tcp --port 443 --cidr 0.0.0.0/0
```

The subnet created above is not public yet: attaching the IGW only makes it available as a route target. The subnet becomes public once a route table containing a 0.0.0.0/0 route to the IGW (`aws ec2 create-route`) is associated with it (`aws ec2 associate-route-table`).