With Amazon Virtual Private Cloud (Amazon VPC), you can launch AWS resources in a logically isolated virtual network that you've defined. This virtual network closely resembles a traditional network that you'd operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
The following is a visual representation of a VPC and its resources from the Preview pane shown when you create a VPC using the AWS Management Console. For an existing VPC, you can access this visualization on the Resource map tab. This example shows the resources that are initially selected on the Create VPC page when you choose to create the VPC plus other networking resources. This VPC is configured with an IPv4 CIDR and an Amazon-provided IPv6 CIDR, subnets in two Availability Zones, three route tables, an internet gateway, and a gateway endpoint. Because we've selected the internet gateway, the visualization indicates that traffic from the public subnets is routed to the internet because the corresponding route table sends the traffic to the internet gateway.
A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS Cloud. You can specify an IP address range for the VPC, add subnets, add gateways, and associate security groups.
A subnet is a range of IP addresses in your VPC. You launch AWS resources, such as Amazon EC2 instances, into your subnets. You can connect a subnet to the internet, other VPCs, and your own data centers, and route traffic to and from your subnets using route tables.
If your account was created after December 4, 2013, it comes with a default VPC in each Region. A default VPC is configured and ready for you to use. For example, it has a default subnet in each Availability Zone in the Region, an attached internet gateway, a route in the main route table that sends all traffic to the internet gateway, and DNS settings that automatically assign public DNS hostnames to instances with public IP addresses and enable DNS resolution through the Amazon-provided DNS server (see DNS attributes for your VPC). Therefore, an EC2 instance that is launched in a default subnet automatically has access to the internet. If you have a default VPC in a Region and you don't specify a subnet when you launch an EC2 instance into that Region, we choose one of the default subnets and launch the instance into that subnet.
You can also create your own VPC, and configure it as you need. This is known as a nondefault VPC. Subnets that you create in your nondefault VPC and additional subnets that you create in your default VPC are called nondefault subnets.
Aroute table contains a set of rules, called routes, that are used to determine where network traffic from your VPC is directed. You can explicitly associate a subnet with a particular route table. Otherwise, the subnet is implicitly associated with the main route table.
Each route in a route table specifies the range of IP addresses where you want the traffic to go (the destination) and the gateway, network interface, or connection through which to send the traffic (the target).
You control how the instances that you launch into a VPC access resources outside the VPC.
A default VPC includes an internet gateway, and each default subnet is a public subnet. Each instance that you launch into a default subnet has a private IPv4 address and a public IPv4 address. These instances can communicate with the internet through the internet gateway, and they are also reachable from the internet on any port that their security groups and network ACLs allow. An internet gateway enables your instances to connect to the internet through the Amazon EC2 network edge.
By default, each instance that you launch into a nondefault subnet has a private IPv4 address, but no public IPv4 address, unless you specifically assign one at launch, or you modify the subnet's public IP address attribute. These instances can communicate with each other, but can't access the internet.
You can enable internet access for an instance launched into a nondefault subnet by attaching an internet gateway to its VPC (if its VPC is not a default VPC), adding a route to the internet gateway in the route table associated with the instance's subnet, and associating an Elastic IP address with the instance. The instance's security group and the subnet's network ACL must also allow the traffic.
Alternatively, to allow an instance in your VPC to initiate outbound connections to the internet but prevent unsolicited inbound connections from the internet, you can use a network address translation (NAT) device. NAT maps multiple private IPv4 addresses to a single public IPv4 address. You can configure the NAT device with an Elastic IP address and connect it to the internet through an internet gateway. This makes it possible for an instance in a private subnet to connect to the internet through the NAT device, routing traffic from the instance to the internet gateway and any responses to the instance.
If you associate an IPv6 CIDR block with your VPC and assign IPv6 addresses to your instances, instances can connect to the internet over IPv6 through an internet gateway. Alternatively, instances can initiate outbound connections to the internet over IPv6 using an egress-only internet gateway. IPv6 traffic is separate from IPv4 traffic; your route tables must include separate routes for IPv6 traffic.
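The route-table behaviour described above (explicit versus implicit main-table association, longest-prefix matching, separate IPv4 and IPv6 routes, and the difference between a default route to an internet gateway and one to a NAT device or egress-only internet gateway) is the basis of any "is this subnet public?" check. The following is an added example, not code from the AWS documentation or from any AWS SDK: it models a small VPC in plain Python and classifies each subnet's internet exposure. The VPC CIDRs, subnet names and resource IDs (igw-0abc, nat-0def, eigw-0123, vgw-0456) are constructed placeholders.

```python
"""Model of how an Amazon VPC route table picks a target for outbound traffic.

Added illustration, not code from the AWS documentation or from any AWS SDK.
The VPC, subnets, route tables and resource IDs below (igw-0abc, nat-0def,
eigw-0123, vgw-0456) are constructed placeholders that mirror the default and
nondefault cases described in the text. The lookup rule implemented here is the
documented one: the most specific (longest-prefix) matching route wins, the
VPC's own CIDR blocks are always covered by the 'local' route, and IPv4 and
IPv6 destinations are matched only against routes of the same address family.
"""
import ipaddress

# Constructed sample VPC with an IPv4 CIDR and an Amazon-provided IPv6 CIDR.
LOCAL_ROUTES = [("10.0.0.0/16", "local"), ("2001:db8:1234::/56", "local")]

# Constructed route tables: (destination CIDR, target) pairs.
ROUTE_TABLES = {
    # Main route table: only the implicit local routes, so no internet path.
    "rtb-main": LOCAL_ROUTES,
    # Public subnet: default routes for both address families point at an IGW.
    "rtb-public": LOCAL_ROUTES + [("0.0.0.0/0", "igw-0abc"), ("::/0", "igw-0abc")],
    # Private subnet: IPv4 egress via a NAT gateway, IPv6 egress via an
    # egress-only IGW, plus a more specific route to on-premises over a VPN.
    "rtb-private": LOCAL_ROUTES + [
        ("0.0.0.0/0", "nat-0def"),
        ("::/0", "eigw-0123"),
        ("192.168.0.0/16", "vgw-0456"),
    ],
}

# Explicit subnet associations. Any subnet not listed here is implicitly
# associated with the main route table.
SUBNET_ASSOCIATIONS = {
    "subnet-public-a": "rtb-public",
    "subnet-private-a": "rtb-private",
}
MAIN_ROUTE_TABLE = "rtb-main"


def route_table_for(subnet_id):
    """Route table a subnet uses: its explicit association, else the main table."""
    return SUBNET_ASSOCIATIONS.get(subnet_id, MAIN_ROUTE_TABLE)


def lookup(subnet_id, dst_ip):
    """Target the VPC sends traffic to, for a packet from subnet_id to dst_ip.

    Returns the target ID (or 'local'), or None when no route matches, in
    which case the VPC has nowhere to send the packet.
    """
    addr = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for dest, target in ROUTE_TABLES[route_table_for(subnet_id)]:
        net = ipaddress.ip_network(dest)
        # Routes of the other address family never match (IPv6 is separate).
        if net.version != addr.version or addr not in net:
            continue
        # Longest prefix wins: 'local' beats 0.0.0.0/0, a /16 beats a /0.
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_target = net, target
    return best_target


def internet_exposure(subnet_id, version=4):
    """Classify a subnet's internet path for one address family.

    'bidirectional': default route to an internet gateway, i.e. a public
                     subnet; an instance there with a public IPv4 address (or
                     any IPv6 address) is reachable from the internet wherever
                     its security group and network ACL allow.
    'outbound-only': default route to a NAT gateway or egress-only internet
                     gateway; the instance can initiate connections but
                     unsolicited inbound traffic has no path to it.
    'none':          no default route, so no internet path at all.
    Only the target types used in this sample are recognised; anything else
    (for example a NAT instance's network interface) is reported as 'other'.
    """
    default = "0.0.0.0/0" if version == 4 else "::/0"
    kinds = {"igw": "bidirectional", "nat": "outbound-only", "eigw": "outbound-only"}
    for dest, target in ROUTE_TABLES[route_table_for(subnet_id)]:
        if dest == default:
            return kinds.get(target.split("-")[0], "other")
    return "none"


if __name__ == "__main__":
    # subnet-db-b has no explicit association, so it falls back to rtb-main.
    for subnet in ("subnet-public-a", "subnet-private-a", "subnet-db-b"):
        print(f"{subnet}: uses {route_table_for(subnet)}, "
              f"IPv4 {internet_exposure(subnet)}, IPv6 {internet_exposure(subnet, 6)}")
    print("private -> 192.168.10.1:", lookup("subnet-private-a", "192.168.10.1"))
    print("private -> 203.0.113.10:", lookup("subnet-private-a", "203.0.113.10"))
    print("db (main table) -> 203.0.113.10:", lookup("subnet-db-b", "203.0.113.10"))
```

The on-premises route in rtb-private shows why longest-prefix matching matters for segmentation: traffic to 192.168.10.1 goes to the virtual private gateway even though 0.0.0.0/0 also matches, so a NAT route does not silently send corporate traffic out to the internet. Note that a subnet classified as 'bidirectional' is only reachable if the instance actually has a public IPv4 address (or an IPv6 address) and its security group and network ACL permit the inbound traffic; the route table alone does not open anything.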
You can optionally connect your VPC to your own corporate data center using an IPsec AWS Site-to-Site VPN connection, making the AWS Cloud an extension of your data center.
A Site-to-Site VPN connection consists of two VPN tunnels between a virtual private gateway or transit gateway on the AWS side, and a customer gateway device located in your data center. A customer gateway device is a physical device or software appliance that you configure on your side of the Site-to-Site VPN connection.
You can create a VPC peering connection between two VPCs that enables you to route traffic between them privately. Instances in either VPC can communicate with each other as if they are within the same network.
You can also create a transit gateway and use it to interconnect your VPCs and on-premises networks. The transit gateway acts as a Regional virtual router for traffic flowing between its attachments, which can include VPCs, VPN connections, AWS Direct Connect gateways, and transit gateway peering connections.
AWS provides a high-performance, low-latency private global network that delivers a secure cloud computing environment to support your networking needs. AWS Regions are connected to multiple Internet Service Providers (ISPs) as well as to a private global network backbone, which provides improved network performance for cross-Region traffic sent by customers.
Packets that originate in the private global network with a destination in the private global network stay in the private global network and do not traverse the public internet. This is true whether the destination is a private IP address or a public IP address. For example, if EC2 instances in two VPCs communicate using public IP addresses, the traffic stays in the private global network. The destination can be in the same Availability Zone, a different Availability Zone in the same Region, or a different Region, except for the China Regions.
Network packet loss can be caused by a number of factors, including network flow collisions, lower level (Layer 2) errors, and other network failures. We engineer and operate our networks to minimize packet loss. We measure packet-loss rate (PLR) across the global backbone that connects the AWS Regions. We operate our backbone network to target a p99 of the hourly PLR of less than 0.0001%.