---

Amazon VPC Functionality

Amazon VPC enables you to use your own isolated resources within the AWS cloud, and then connect those resources directly to your own datacenter using industry-standard encrypted IPsec VPN connections. With Amazon VPC, you can:

• Create a Virtual Private Cloud on AWS’s scalable infrastructure, and specify its private IP address range from any block you choose.
• Divide your VPC’s private IP address range into one or more subnets in a manner convenient for managing applications and services you run in your VPC.
• Bridge together your VPC and your IT infrastructure via an encrypted VPN connection.
• Add AWS resources, such as Amazon EC2 instances, to your VPC.
• Route traffic between your VPC and the Internet over the VPN connection so that it can be examined by your existing security and networking assets before heading to the public Internet.
• Extend your existing security and management policies within your IT infrastructure to your VPC as if they were running within your infrastructure.

---

Service Highlights

Isolated Network Access – Amazon VPC provides end-to-end network isolation by utilizing an IP address range that you specify, and routing all network traffic between VPC and your datacenter through an industry-standard encrypted IPsec VPN. This allows you to leverage your preexisting security infrastructure, such as firewalls and intrusion detection systems to inspect network traffic going to and from a VPC.

Flexible – You control your VPC in much the same way that you control your datacenter, using familiar network concepts such as subnets and gateways. With Amazon VPC, you can: 1) freely create subnets to organize your resources based on the criteria you define; 2) assign an IP address range for Amazon EC2 instances within subnets; and 3) configure secure connectivity to determine who can access your AWS cloud-based resources.

Best of Both Worlds – Amazon VPC enables you to build a bridge between your existing IT resources and your isolated resources within the AWS cloud, enabling you to use both worlds in concert. Now, you can build hybrid architectures that allow you to take full advantage of the benefits of the AWS cloud – true elasticity (spin capacity up or down in a matter of minutes) without owning the capital expense of the hardware or datacenter (given AWS’s pay-as-you-go pricing)—and yet still have the network isolation and secure connectivity you’d enjoy if all the resources were in your own datacenter. With Amazon VPC, you can gradually move to the AWS cloud, replicate your entire data center, or anywhere in between.

Reliable – Amazon VPC is built using Amazon’s own world-class technology infrastructure. Like other Amazon Web Services, the service runs within Amazon’s proven global network infrastructure and datacenters.

---

Pricing

Pay only for what you use; there is no minimum fee. Estimate your monthly bill using the AWS Simple Monthly Calculator.

When you create a VPN Connection, you are charged for each “VPN Connection-hour” in which the VPN Connection is available for your use, and for the data transferred via the VPN Connection; each partial VPN Connection-hour consumed is billed as a full hour. If you no longer wish to be charged for a VPN Connection, you simply terminate your VPN Connection using the DeleteVpnConnection API.  

VPN Connection

• $0.05 per VPN Connection-hour

VPN Data Transfer

The pricing below is based on data transferred “in” and “out” of Amazon VPC.

Data Transfer In
All Data Transfer	Free until November 1, 2010 *

Data Transfer Out **
First 1 GB per Month	$0.00 per GB
Up to 10 TB per Month	$0.15 per GB
Next 40 TB per Month	$0.11 per GB
Next 100 TB per Month	$0.09 per GB
Over 150 TB per Month	$0.08 per GB

* Data Transfer In will be $0.10 per GB after November 1, 2010.

** Rate tiers take into account your aggregate Data Transfer Out usage across Amazon EC2, Amazon S3, Amazon RDS, Amazon SimpleDB, Amazon SQS, Amazon SNS, and Amazon VPC.

---

Resources

---

Detailed Description

Amazon VPC is comprised of a variety of familiar objects:

• A Virtual Private Cloud (VPC): an isolated portion of the AWS cloud. You define a VPC’s IP address space from a range you select.
• Subnet: a segment of a VPC’s IP address range where you can place groups of isolated resources.
• VPN Connection: a connection between your Amazon VPC and datacenter, home network, or co-location facility.
• VPN Gateway: the Amazon VPC side of a VPN Connection.
• Customer Gateway: your side of a VPN Connection.
• Router: routers interconnect Subnets, and direct traffic between VPN Gateways and Subnets.

Using Amazon VPC

To use Amazon VPC, you must first subscribe to Amazon EC2 & Amazon VPC by clicking on the button on this page. After signing up, use the CreateVpc API to create your VPC, within which you define the IP address space you wish to use. Next, create one or more subnets where your isolated resources, such as Amazon EC2 instances, are placed. You need at least one subnet to start, but you can always add more. To establish VPN connectivity to your VPC, you need a compatible router or VPN device. To make Amazon VPC aware of your compatible router or VPN device, use the CreateCustomerGateway API to create a Customer Gateway, providing information about your device such as its IP address and other networking-related information. Amazon VPC will then provide you with a Customer Gateway ID that you can use to represent your compatible router or VPN device when interacting with the service. Next, use the CreateVpnGateway API to create a VPN Gateway, which anchors the VPC-side of your VPN Connection and encrypts/decrypts messages to/from your Customer Gateway via the VPN connection. Last, use the CreateVpnConnection API to create a VPN Connection between the Customer Gateway and the VPN Gateway.

And that’s it – you now have a Virtual Private Cloud connected to your datacenter. When you launch Amazon EC2 instances into your VPC, they are automatically addressed from the subnet you connect them to. If you want the instance to have a specific IP address, you optionally can specify that when you launch the instance. You can then use your pre-existing security infrastructure, such as firewalls, intrusion detection systems, and management systems, to enforce policies based on these IP address ranges and control who and what has access to your resources running inside your VPC.

Today, you can use the following AWS infrastructure services within Amazon VPC: Amazon EC2 instances running Linux/UNIX or Windows, Amazon Elastic Block Store volumes for persistent block storage, and Amazon CloudWatch to monitor the resource utilization of your Amazon EC2 instances. Over the coming months, additional AWS infrastructure services will be supported within Amazon VPC.

How you can leverage Amazon VPC

Expand Corporate Applications into the Cloud: Move your corporate applications into the AWS cloud to reduce your total cost of ownership (TCO). Typical applications include e-mail systems, financial systems, trouble ticketing systems, CRM applications, and more. Corporate applications can be logically grouped by IP address range, according to your company IT deployment policies. Because your VPC can exist behind your corporate firewall, you can seamlessly move your corporate applications into the AWS cloud without changing how your users access your applications.

Elastically scale your website in the Cloud: You can use Amazon EC2 instances within Amazon VPC to add additional web servers to your website when the traffic load exceeds your on-premise capacity. The back-end of your website, database servers, authentication servers, etc. can remain within the walls of your datacenter. When demand subsides, terminate the Amazon EC2 instances that you no longer require. As the servers in your datacenter reach the end of their life cycle, transition the entire site to Amazon VPC if you wish. It is completely up to you.

Disaster Recovery: Periodically back-up your mission critical data from your datacenter to a small number of Amazon EC2 instances with Amazon Elastic Block Store (EBS) volumes. In the event of a disaster, you can quickly launch replacement compute capacity to ensure business continuity. When the disaster is over, send your mission critical data back to your datacenter and terminate the EC2 instances you no longer require. By using Amazon VPC for disaster recovery, you can have all the benefits of a Disaster Recovery site at a fraction of the normal cost.

Paying for What You Use

Each month, you pay for VPN Connection-hours and the amount of data transferred via the VPN connections. VPCs, subnets, VPN gateways, customer gateways, and data transferred between subnets within the same VPC are free. Charges for other AWS services, including Amazon EC2, are billed separately at published standard rates.

Your monthly AWS bill separates your usage and dollar amounts by service. Your Amazon VPC usage charges appear within the Amazon VPC portion of your bill. Your usage of other AWS services within your VPCs will continue to be listed in those services’ portion of your bill. For example, the Amazon EC2 portion of your bill includes EC2 instance hour charges for instances running within Amazon EC2 and Amazon VPC.

Beta Limitations

Please note the following limitations during the Amazon VPC beta:

• One (1) VPC per AWS account
• Twenty (20) subnets per VPC
• One (1) VPN gateway per AWS account
• One (1) VPN connection per VPN gateway
• One (1) customer gateway per AWS account

Should you need to exceed these limits, please complete this form.

---

Intended Usage and Restrictions

Your use of this service is subject to the Amazon Web Services Customer Agreement. Please see the Amazon Web Services Licensing Agreement for more details.