VPC – Virtual Private Cloud – is the virtual network in AWS where you launch your EC2 instances. VPC is a powerful yet easy to use concept. This post gives you a heads up with basic VPC concepts. For more information refer the VPC user guide.
You can create a VPC in simple clicks and its not chargeable. You have to specify an IP address range in CIDR format for the VPC. Inside the VPC you can create multiple subnets with a subset of the IP address range given to the VPC. You can configure different security settings both at VPC and Subnet level.
Case 1: Private subnet. Following picture shows a simple VPC with two subnets.
In this EC2 instances are launched inside a private subnet which means it will have only private IP addresses and will not have internet access. You can neither access these instances nor they can access anything outside the VPC. Subnets are connected with a Router which enables instances across subnets can connect each other.
Case 2: Public subnet
In this case you attach an Internet gateway to the VPC and configure the route table to route all internet traffic from one subnet to IGW. We call it public subnet because instances inside this will have a public IP address and it can be accessed publicly, through internet.
Internal traffic in the VPC follows the black line and internet traffic follow the red line.
Case 3: Private subnet with NAT
If you want to allow your EC2 instances to access internet but block any incoming traffic from internet you can use NAT. In AWS cloud NAT can also be set-up by launching a NAT EC2 instance for which an AMI is available. You should launch a NAT instance in your public subnet and configure the route table to route all internet traffic from private subnet to this NAT instance inside the public subnet.
Internet connections from the private subnet follows the green line in the above diagram to reach router and then to NAT. Since NAT instance is running in public subnet it can forward the request to internet following the red line.
Case 4: Private subnet with VPN connection
VPC supports VPN also where in you can create a virtual private network between your on premise network and VPC network in AWS cloud. For this add a VPG into the VPC and configure the route table to route all traffic to your datacenter IP range to the VPG. It follows the blue route.