What are VPCs?
If you’ve ever launched an EC2 instance, do you remember picking a VPC for it?
Or maybe you’ve launched an RDS instance, and had to choose a VPC?
If you work in the corporate world then you’ve probably been told which VPC to use and you didn’t need to worry about it.
If you’ve just started using Amazon Web Services at home then perhaps you’re just using the default VPCs provided for you.
But, what is a VPC? And why do we need to pick one?
A home network
If you’ve got a home network then it might look something like this:
Whether your devices connect via Wi-Fi or cables, they’re all part of your network and can talk to each other. Your Smart TV can stream video from your laptop. Your laptop can control your lamp.
It’s your infrastructure, and it’s up to you how traffic from the Internet comes and goes. For example:
- You might want to host a web application on your laptop and allow random strangers on the Internet to connect to it – but your console and your lamp must remain private.
- You might also decide to block any connections from your network to websites you don’t trust, to stop sites sharing information about you.
Your routing rules would look something like this:
On the other side of the wall, your neighbour probably has a network too:
The two networks are isolated from each other, and the only way that a device on one network could talk to a device on the other network would be via the Internet – but remember:
- There’s no guarantee that traffic will be routed from the Internet to your device. Maybe your router blocks traffic trying to get to your lamp.
- There’s no guarantee that traffic will be routed to the Internet from your device. Maybe your router blocks traffic to websites that you don’t trust.
Every device above is connected to a network, but there are two different, isolated networks. In broad strokes, devices on the networks are divided between what is public on the Internet and what is private to just me. Some things should be public and – as always – some things are best kept private.
“Stuff” in “the cloud”
When folks think about “servers in the cloud”, they sometimes imagine something like this:
At a very high level, it’s a fine idea of “the cloud”. Apps run “in the cloud”. Data is stored “in the cloud”.
But the diagram implies that everything you see is equally accessible. The diagram certainly implies that everything is public.
Looking at it, you might wonder: should you be able to see those credit card databases? It makes sense that you should see a website in the cloud, but should you see a credit card database?
That’s always a great question to ask!
Credit card databases shouldn’t be connected to the public Internet, just like[1] your lamp and your neighbour’s printer shouldn’t be either.
Making everything equally accessible on the same network would be about the same as sharing a network with your neighbour, and losing the routing rules that protect you both.
There’s a good reason why we don’t do this; we need to control access to our resources.
And the best way to control access to something is to isolate it.
Virtual Private Clouds
Amazon Web Services allows you to create VPCs, or Virtual Private Clouds. These are separate, isolated networks that you control and configure as you need:
Let’s zoom into one of those VPCs:
This is a simplified view to demonstrate the concept, but the concept isn’t much more complex than this. Hopefully, you can see some parallels to the home network we already looked at.
- The VPC has an Internet Gateway, which routes traffic between the VPC and the Internet.
- A website has been deployed, and it’s publicly accessible so that folks can visit it.
- An app server has been deployed, and it’s publicly accessible so that mobile apps and the website can use the API.
- There are two databases, and they remain private within the VPC. Only the app server can communicate with them.
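The layout in the list above, written out as an added Terraform example (not code from the original post); the CIDR ranges, resource names, the HTTPS port for the app server and the PostgreSQL port for the databases are assumptions:

```hcl
# Added example, not from the post: one VPC with a public subnet (route to the
# Internet Gateway) and a private subnet (no such route). CIDRs and names assumed.
resource "aws_vpc" "demo" {
  cidr_block = "10.0.0.0/16"
}
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.demo.id
}
# Public subnet: its route table sends 0.0.0.0/0 to the Internet Gateway.
resource "aws_subnet" "public" {
  vpc_id     = aws_vpc.demo.id
  cidr_block = "10.0.1.0/24"
}
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.demo.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "public" {
  subnet_id      = aws_subnet.public.id
  route_table_id = aws_route_table.public.id
}

# Private subnet: stays on the VPC's main route table, which only carries the
# local 10.0.0.0/16 route, so nothing in it can reach or be reached from the Internet.
resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.demo.id
  cidr_block = "10.0.2.0/24"
}

# App server: reachable over HTTPS from anywhere (it lives in the public subnet).
resource "aws_security_group" "app" {
  vpc_id = aws_vpc.demo.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Databases: accept PostgreSQL only from members of the app server's security group.
resource "aws_security_group" "db" {
  vpc_id = aws_vpc.demo.id
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id]
  }
}
```

Terraform drops a security group's default allow-all egress rule when none is declared, so add egress blocks (and a public IP or map_public_ip_on_launch on the public subnet) before using this for real.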
Are you interested in learning more about how to set up routing rules, and how to block unwanted traffic? This is an introductory post, and I’m planning more detailed posts soon. Subscribe to the newsletter and get notified when new articles are published!
Why the name “Virtual Private Cloud”?
- Virtual, because you don’t need to buy or set up any new physical hardware. You can set up a new VPC with just a few clicks. You can also have as many VPCs as you need, to – for example – host many isolated applications in just one cloud platform account.
- Private, because VPCs are isolated from each other. Unless you go out of your way to set it up, resources in one VPC don’t even know what resources exist in another VPC, let alone connect to them.
- Cloud, because… well, “Virtual Private Network” might feel like a more appropriate name, but that already means something else. So, “Cloud” will have to do.
So, that’s why you need to choose one
Now that you know what a VPC is, it should make sense why you need to choose one when you’re creating virtual machines.
The cloud – or, the Internet – is one big public space. VPCs allow you to create private networks where you can isolate resources and configure their accessibility.
[1] Well, maybe not just like. Having some weirdo turn your lights on and off isn’t quite the same as enduring a lifetime of debt and court judgements after having your bank account obliterated.