Amazon Virtual Private Cloud

Provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a virtual network that you define

Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. You can use both IPv4 and IPv6 in your VPC for secure and easy access to resources and applications.

You can easily customize the network configuration for your Amazon VPC. For example, you can create a public-facing subnet for your web servers that has access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each subnet.

Access services hosted on AWS easily and securely.




Amazon VPC provides advanced security features, such as security groups and network access control lists, to enable inbound and outbound filtering at the instance level and subnet level. In addition, you can store data in Amazon S3 and restrict access so that it’s only accessible from instances in your VPC. Optionally, you can also choose to launch Dedicated Instances which run on hardware dedicated to a single customer for additional isolation.


You can create a VPC quickly and easily using the AWS Management Console. You can select one of the common network setups that best match your needs and press "Start VPC Wizard." Subnets, IP ranges, route tables, and security groups are automatically created for you so you can concentrate on creating the applications to run in your VPC.

All the Scalability and Reliability of AWS

Amazon VPC provides all of the same benefits as the rest of the AWS platform. You can instantly scale your resources up or down, select Amazon EC2 instances types and sizes that are right for your applications, and pay only for the resources you use - all within Amazon’s proven infrastructure.


Multiple Connectivity Options

A variety of connectivity options exist for your Amazon VPC. You can connect your VPC to the Internet, to your data center, or other VPCs, based on the AWS resources that you want to expose publicly and those that you want to keep private.

  • Connect directly to the Internet (public subnets)– You can launch instances into a publicly accessible subnet where they can send and receive traffic from the Internet.
  • Connect to the Internet using Network Address Translation (private subnets) – Private subnets can be used for instances that you do not want to be directly addressable from the Internet. Instances in a private subnet can access the Internet without exposing their private IP address by routing their traffic through a Network Address Translation (NAT) gateway in a public subnet.
  • Connect securely to your corporate datacenter– All traffic to and from instances in your VPC can be routed to your corporate datacenter over an industry standard, encrypted IPsec hardware VPN connection.
  • Connect privately to other VPCs- Peer VPCs together to share resources across multiple virtual networks owned by your or other AWS accounts.
  • Privately connect to AWS Services without using an Internet gateway, NAT or firewall proxy through a VPC Endpoint. Available AWS services include S3, DynamoDB, Kinesis Streams, Service Catalog, AWS Systems Manager, Elastic Load Balancing (ELB) API, Amazon Elastic Compute Cloud (EC2) API, and SNS.
  • Privately connect to SaaS solutions supported by AWS PrivateLink.
  • Privately connect your internal services across different accounts and VPCs within your own organizations, significantly simplifying your internal network architecture.
  • Use Amazon VPC traffic mirroring to capture and mirror network traffic for Amazon EC2 instances

Use cases

Host a simple, public-facing website

You can host a basic web application, such as a blog or simple website in a VPC, and gain the additional layers of privacy and security afforded by Amazon VPC. You can help secure the website by creating security group rules which allow the webserver to respond to inbound HTTP and SSL requests from the Internet while simultaneously prohibiting the webserver from initiating outbound connections to the Internet. You can create a VPC that supports this use case by selecting "VPC with a Single Public Subnet Only" from the Amazon VPC console wizard.

Host multi-tier web applications

You can use Amazon VPC to host multi-tier web applications and strictly enforce access and security restrictions between your webservers, application servers, and databases. You can launch webservers in a publicly accessible subnet and application servers and databases in non-publically accessible subnets. The application servers and databases can’t be directly accessed from the Internet, but they can still access the Internet via a NAT gateway to download patches, for example. You can control access between the servers and subnets using inbound and outbound packet filtering provided by network access control lists and security groups. To create a VPC that supports this use case, you can select "VPC with Public and Private Subnets" in the Amazon VPC console wizard.

Host scalable web applications in the AWS cloud that are connected to your datacenter

You can create a VPC where instances in one subnet, such as web servers, communicate with the Internet while instances in another subnet, such as application servers, communicate with databases on your corporate network. An IPsec VPN connection between your VPC and your corporate network helps secure all communication between the application servers in the cloud and databases in your data center. Web servers and application servers in your VPC can leverage Amazon EC2 elasticity and Auto Scaling features to grow and shrink as needed. You can create a VPC to support this use case by selecting "VPC with Public and Private Subnets and Hardware VPN Access" in the Amazon VPC console wizard.

Extend your corporate network into the cloud

You can move corporate applications to the cloud, launch additional web servers, or add more compute capacity to your network by connecting your VPC to your corporate network. Because your VPC can be hosted behind your corporate firewall, you can seamlessly move your IT resources into the cloud without changing how your users access these applications. You can select "VPC with a Private Subnet Only and Hardware VPN Access" from the Amazon VPC console wizard to create a VPC that supports this use case.

Disaster Recovery

You can periodically backup your mission critical data from your datacenter to a small number of Amazon EC2 instances with Amazon Elastic Block Store (EBS) volumes, or import your virtual machine images to Amazon EC2. In the event of a disaster in your own datacenter, you can quickly launch replacement compute capacity in AWS to ensure business continuity. When the disaster is over, you can send your mission critical data back to your datacenter and terminate the Amazon EC2 instances that you no longer need. By using Amazon VPC for disaster recovery, you can have all the benefits of a disaster recovery site at a fraction of the normal cost.


"Big Switch Networks – a Cloud-First Networking company – is a pioneer in bringing cloud innovations to enterprise networking and monitoring. Our Big Monitoring Fabric (Big Mon) solution for visibility and monitoring leverages cloud-first design principles enabling enterprises to accelerate AWS public cloud adoption for their security- and compliance-sensitive applications. Big Mon’s integration with Amazon VPC traffic mirroring APIs enables agentless monitoring, elastic visibility, and traffic filtering via single Big Mon controller dashboard. With a common operational workflows across AWS and on-prem environments, IT organizations can realize consistent monitoring for hybrid cloud, while reducing cost, enhancing security and compliance, and meeting operational SLAs."

- Prashant Gandhi, VP and Chief Product Officer, Big Switch Networks

Blue-Hexagon-Logo-Color (1)
"Our customers have greatly benefited from our deep learning-powered threat protection to stop enterprise network threats in real-time. The ability to detect threats in cloud environments is a natural extension of our security strategy. Amazon VPC traffic mirroring delivers full visibility into all VPC traffic and enables us to unleash the speed, efficacy, and coverage of our deep-learning based threat protection to all AWS traffic. Blue Hexagon customers can now enable consistent deep learning inspection on threats, across networks and cloud, delivered from a single console"

- Saumitra Das, CTO and co-founder, Blue Hexagon.

"Cisco Stealthwatch Cloud now fully supports Amazon VPC traffic mirroring, alongside Amazon VPC flow logs, as a way to access customer network telemetry. Traffic mirroring provides additional network information that Stealthwatch Cloud can now use, in combination with other AWS environment telemetry, for determining actionable security alerts."

– Ron Sterbenz, Cisco Stealthwatch Cloud.

“Corelight Sensors transform network traffic into rich logs, extracted files, and custom insights designed for security operations. With Amazon VPC traffic mirroring, Corelight can now extend this capability to the cloud and help security teams gain deep visibility into their AWS environments, accelerating security investigations and unlocking powerful new threat-hunting capabilities.”

- Brian Dye, Chief Product Officer, Corelight.

“While many of our customers are migrating workloads to the cloud, until now it happened to be a black-box for them from a performance and security perspective. The cPacket solution builds on Amazon Virtual Private Cloud (Amazon VPC) traffic mirroring to remove blind-spots, provide complete visibility, and make the cloud transition smooth for our customers.”

– Brendan O’Flaherty, CEO of cPacket Networks.

“With the integration of Amazon VPC traffic mirroring in Reveal(x) Cloud, ExtraHop is reducing the barriers to cloud adoption, by giving enterprises the same level of insight they’ve always had into their on-premises traffic. Visibility has always been key in security, combine Reveal(x) with the native security features you find in AWS, and you’re going to have more actionable visibility than ever.”

- Mike Sheward | Senior Director, Information Security

“AWS’ native Amazon VPC traffic mirroring capability makes it easy to quickly deploy Fidelis’ network traffic analysis for north-south and east-west communications of EC2 instances. We’ve worked closely with Amazon on integration-testing and being fully approved to have Fidelis Network sensors receive EC2 network traffic, providing our customers with a solution that extends deep visibility and security monitoring to cloud apps, workloads, and databases.”

- Tim Roddy, VP Product Management, Fidelis Cybersecurity

"FireEye Network Security and Forensics couples advanced threat protection and breach detection with the industry's fastest lossless network data capture and retrieval solution. Paired with centralized analysis and visualization, the solution gives organizations a truly comprehensive set of detection and visibility solution. With Amazon VPC traffic mirroring, FireEye customers can rest assured that they are viewing the same level of network detail, regardless of whether their assets are on premises, in the cloud, or a hybrid of both."

- Bill Cantrell, Vice President Network Security Product Management, FireEye

"We are excited about Amazon VPC traffic mirroring. Our customers running Flowmon Collector in AWS cloud can now turn their Virtual Public Cloud’s workloads into a transparent environment in a few clicks and start resolving performance issues, detect anomalies and threats as they were used to in on-premise world,"

- Pavel Minarik, Chief Technology Officer at Flowmon Networks.

“Packet-level visibility is the most effective approach for network-based security and performance analysis. We are thrilled with Amazon VPC traffic mirroring. With our joint solution, organizations are able to gain full visibility into network traffic and get the most out of their security and monitoring tools stack, whether deployed in AWS, or in a hybrid environment. Traffic intelligence between, and within, distributed digital applications is key to the success of modern digital applications.”

- Bassam Khan, Vice President of Product and Technical Marketing, Gigamon

"The new Amazon VPC traffic mirroring capability provides the IronDefense platform with native access to critical virtual network data that enable it to seamlessly monitor network anomalies across AWS cloud and enterprise networks to identify advanced threat actors. The ability to monitor hybrid environments and automatically share IronDefense threat insights with across cloud and non-cloud environments to industry peers through our unique IronDome collective defense capability enhances our ability to protect companies, industries, and nations at scale.”

- Dr. Michael Ehrlich, IronNet Chief Technology Officer.

New IronNet Primary Logo_web
Jask Master_Black_Horizontal_Transparent
“The modern SOC needs visibility into on-premises and cloud workload traffic. A security analyst needs to see network data throughout the OSI model to get a clear picture of the implications of a threat or ongoing attack. JASK ASOC includes network, log and Windows sensors, as well as support for cloud-to-cloud ingestion. With Amazon VPC traffic mirroring, AWS continues as the dominant innovator in the public cloud space by providing customers the value of network traffic visibility in the cloud, which makes our direct support in JASK ASOC so important."

- Rob Fry, CTO at JASK.

"As an AWS partner taking advantage of the rich data sources Amazon provides, Kentik is able to enhance and correlate network traffic data with Amazon VPC flow logs and create context leveraging AWS tags and Amazon EKS Kubernetes service mappings, giving our customers real-time visibility into AWS infrastructure performance and usage. Now, with Amazon VPC traffic mirroring, Kentik's powerful network analytics platform can provide even more ways for enterprises and service providers to deeply understand their traffic, unlocking fast, actionable insights into performance, cost, and security issues."

- Jonah Kowall, CTO of Kentik

“The innovative smart data technology of NETSCOUT makes it possible for IT and SecOps to assure application performance and improve enterprise security across on-premise data centers and AWS cloud infrastructure. Amazon VPC traffic mirroring offers agentless access to wire data and enables NETSCOUT to efficiently deliver visibility “without borders” into applications and security in AWS hybrid cloud environments. Core NETSCOUT capabilities in AWS include robust early warning and rapid problem triaging for both network and application performance and security threat management.”

- Michael Szabados, Chief Operating Officer, NETSCOUT Systems Inc.

“Nubeva Prisms complements Amazon VPC traffic mirroring for fast, secure decryption of client and server packet streams in AWS. While Amazon VPC traffic mirroring copies network traffic from the workload and sends it to the tool destination, the Nubeva Prisms TLS Decryption Solution extracts and stores keys to deliver decrypted traffic in real-time to the Amazon VPC traffic mirroring’s tool destination. Together, Amazon VPC traffic mirroring and Nubeva Prisms TLS Decryption Solution provide total TLS visibility and security throughout the entire East-West and North-South AWS public cloud.”

- Randy Chou, CEO, Nubeva

PWP_Security_Palo Alto Networks
“Enterprises require consistent security in the cloud without sacrificing deployment flexibility and choice. Along with inline threat prevention capabilities, the integration of VM-Series virtualized firewall with newly announced Amazon VPC traffic mirroring capability gives organizations a choice to deploy the firewall out-of-band for application visibility and advanced threat detection in AWS cloud.”

- Mukesh Gupta, Vice President, Product Management at Palo Alto Networks

“Riverbed’s SteelCentral AppResponse Cloud uses Amazon Virtual Private Cloud (Amazon VPC) traffic mirroring to provide deep network and application visibility into the AWS Cloud. Riverbed enables IT Operations to quickly pinpoint performance degradations and high latency in cloud and hybrid networks, automatically identify more than 2,000 applications for detailed application analysis, as well as identify and troubleshoot issues faster and easier with aggregated traffic. As an industry leader in Digital Experience and Digital Performance Management solutions and a six-time Leader in the Gartner Magic Quadrant for Network Performance Management and Diagnostics, we are proud to collaborate with AWS in bringing such a vital solution to the market.”

- Mike Sargent, Senior Vice President, General Manager - SteelCentral, Riverbed.

“RSA NetWitness Platform enables customers to obtain the visibility needed to secure critical infrastructure, and empowers any analyst to identify, understand, and mitigate advanced threats. RSA’s NetWitness Platform's integration with Amazon VPC traffic mirroring enables customers to close the visibility gap created by workloads in the cloud.”

- Mike Adler, Vice President Product, NetWitness Platform

“As enterprises move their high value data and services to the cloud, it’s imperative to reduce cyber-risks that can take down businesses. Amazon VPC traffic mirroring enables the Vectra Cognito platform to provide enterprises with visibility into attacks on their cloud footprint, empowers conclusive threat hunting and enables faster incident response.”

- Hitesh Sheth, President and CEO, Vectra


Get started with Amazon VPC

Your AWS resources are automatically provisioned in a ready-to-use default VPC that was created for you. You can configure this VPC by adding or removing subnets, attaching network gateways, changing the default route table and modifying the network ACLs.

You can choose to create additional VPCs by going to the Amazon VPC page on the AWS Management Console and selecting the "Start VPC Wizard" button. You’ll be presented with four basic network topologies. Select the one that most closely resembles the network topology that you’d like to create and choose the "Create VPC" button. Once the VPC has been created, you can begin launching Amazon EC2 instances into your VPC.

Blog posts and articles

Debugging tool for network connectivity from Amazon VPC
by Bhavin Desai
Janruary 19, 2019
VPC sharing: A new approach to multiple accounts and VPC management
by Evgeny Vaganov  
Janruary 11, 2019

Learn more about Amazon VPC

Visit the product detail page
Ready to build?
Get started with Amazon VPC
Have more questions?
Contact us