
Isolating Your Cloud Infrastructure with VPC: Virtual Private Cloud Guide
Can Kaya
Security Specialist
VPC (Virtual Private Cloud) lets you create an isolated network segment in the cloud that belongs exclusively to you. Even on shared infrastructure, your traffic is completely separated from other customers. A properly configured VPC blocks unauthorized access, controls network traffic, and helps you meet compliance requirements (PCI DSS, HIPAA). This guide covers VPC architecture from subnet design to security groups.
What Is VPC and Why Is It Necessary?
In traditional hosting environments, your server is directly exposed to the internet and all ports are accessible by default. VPC reverses this model: nothing is accessible by default, only traffic you explicitly allow passes through. This "deny-all" approach dramatically reduces the attack surface.
| Feature | Traditional Hosting | VPC Isolation |
|---|---|---|
| Network Access | All ports open (default) | Deny-all, only allowed traffic |
| Traffic Isolation | Shared network segment | Fully isolated private network |
| Subnet Control | None | Public/Private subnet separation |
| Compliance | Network segmentation hard to demonstrate for PCI DSS | Helps meet PCI DSS and HIPAA segmentation requirements |
Subnet Design: Public and Private Separation
The foundation of VPC architecture is subnet design. Public subnets are directly accessible via an internet gateway, while private subnets are only accessible from within the VPC. Databases, cache servers, and application backends should always reside in private subnets.
```
# VPC CIDR: 10.0.0.0/16 (65,536 IPs)
Public Subnet A  : 10.0.1.0/24    # Load Balancer, Bastion Host
Public Subnet B  : 10.0.2.0/24    # Load Balancer (HA)
Private Subnet A : 10.0.10.0/24   # Application servers
Private Subnet B : 10.0.11.0/24   # Application servers (HA)
DB Subnet A      : 10.0.20.0/24   # Database (Primary)
DB Subnet B      : 10.0.21.0/24   # Database (Replica)
```
💡 Tip: When planning your CIDR block, account for future growth. A /16 block provides 65,536 IP addresses and is sufficient for most projects. For smaller projects, you can use /20 (4,096 IPs). Expanding the CIDR block later may not be possible.
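Because the CIDR block is hard to change later, it pays to check a subnet plan before creating anything. The script below is an added example (not code from the article): it loads a plan mirroring the layout above, verifies that every subnet lies inside the VPC block and that no two subnets overlap, and counts how many further /24 subnets the /16 still has room for. The subnet names and tier labels are constructed for the example.

```python
import ipaddress

# Constructed subnet plan mirroring the article's layout (example data).
# Each entry is name -> (CIDR, tier).
VPC_CIDR = "10.0.0.0/16"
SUBNET_PLAN = {
    "public-a":  ("10.0.1.0/24",  "public"),
    "public-b":  ("10.0.2.0/24",  "public"),
    "private-a": ("10.0.10.0/24", "private"),
    "private-b": ("10.0.11.0/24", "private"),
    "db-a":      ("10.0.20.0/24", "db"),
    "db-b":      ("10.0.21.0/24", "db"),
}


def validate_plan(vpc_cidr, plan):
    """Return a list of problems: subnets outside the VPC block, or subnets that overlap."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    problems = []
    nets = {}
    for name, (cidr, _tier) in plan.items():
        # strict=True rejects CIDRs whose host bits are set (e.g. 10.0.1.5/24)
        net = ipaddress.ip_network(cidr, strict=True)
        if not net.subnet_of(vpc):
            problems.append(f"{name} ({cidr}) is outside VPC {vpc_cidr}")
        nets[name] = net
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} overlaps {b}")
    return problems


def remaining_space(vpc_cidr, plan, new_prefix=24):
    """Count how many additional /new_prefix subnets still fit beside the planned ones."""
    vpc = ipaddress.ip_network(vpc_cidr)
    used = [ipaddress.ip_network(cidr) for cidr, _tier in plan.values()]
    return sum(
        1 for candidate in vpc.subnets(new_prefix=new_prefix)
        if not any(candidate.overlaps(u) for u in used)
    )


def address_counts(plan):
    """Total addresses per tier, useful when sizing tiers against expected growth."""
    totals = {}
    for cidr, tier in plan.values():
        totals[tier] = totals.get(tier, 0) + ipaddress.ip_network(cidr).num_addresses
    return totals


if __name__ == "__main__":
    print("problems:", validate_plan(VPC_CIDR, SUBNET_PLAN) or "none")
    print("free /24 subnets:", remaining_space(VPC_CIDR, SUBNET_PLAN))
    print("addresses per tier:", address_counts(SUBNET_PLAN))
```

Run it against your own plan before provisioning; an empty problem list and a comfortable `remaining_space` count are the two numbers worth checking, since growing the block later may not be an option.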
Security Groups and Network ACLs
VPC has a two-layer security mechanism: security groups operate at the instance level, while Network ACLs operate at the subnet level. Security groups are stateful - if you allow outbound traffic, return traffic is automatically accepted. Network ACLs are stateless and require separate rules for each direction.
```yaml
# Web Server Security Group
web-sg:
  inbound:
    - { port: 443, source: 0.0.0.0/0 }    # HTTPS - public
    - { port: 80,  source: 0.0.0.0/0 }    # HTTP - for redirect
    - { port: 22,  source: 10.0.1.0/24 }  # SSH - bastion only

# Application Server Security Group
app-sg:
  inbound:
    - { port: 3000, source: web-sg }      # From web server only
    - { port: 22,   source: 10.0.1.0/24 } # SSH - bastion only

# Database Security Group
db-sg:
  inbound:
    - { port: 5432, source: app-sg }      # PostgreSQL - app only
    - { port: 6379, source: app-sg }      # Redis - app only
```
⚠️ Warning: Never use 0.0.0.0/0 (all internet) as a source in database security groups. Open database ports only to the application server security group. This single rule significantly reduces the risk of data breaches.
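The rule above is easy to state and easy to violate by accident, so it is worth checking mechanically. The following added example (not tooling from the article) audits a rule set shaped like the one above: it flags any non-web port opened to the whole internet, any database or cache port whose source is not the application security group, and any reference to a security group that does not exist. It also expands one stateful security-group rule into the pair of stateless Network ACL rules it implies, which is the practical consequence of the stateful/stateless distinction described earlier. The rule set, the `DATA_PORTS` list and the ephemeral port range are assumptions made for the example.

```python
import ipaddress

# Constructed rule set mirroring the article's web-sg / app-sg / db-sg layout.
# Each rule is (port, source); a source is a CIDR string or another group's name.
SECURITY_GROUPS = {
    "web-sg": [(443, "0.0.0.0/0"), (80, "0.0.0.0/0"), (22, "10.0.1.0/24")],
    "app-sg": [(3000, "web-sg"), (22, "10.0.1.0/24")],
    "db-sg":  [(5432, "app-sg"), (6379, "app-sg")],
}
PUBLIC_OK_PORTS = {80, 443}             # the only ports allowed to face the internet
DATA_PORTS = {5432, 6379, 3306, 27017}  # database/cache ports (assumed set)


def parse_source(source):
    """Classify a rule source as ('cidr', network) or ('group', name)."""
    try:
        return ("cidr", ipaddress.ip_network(source, strict=False))
    except ValueError:
        return ("group", source)


def audit(groups, allowed_db_sources=("app-sg",)):
    """Return (group, port, message) findings for rules that violate the guidance above."""
    findings = []
    for name, rules in groups.items():
        for port, source in rules:
            kind, value = parse_source(source)
            # prefix length 0 means 0.0.0.0/0 or ::/0, i.e. the whole internet
            world = kind == "cidr" and value.prefixlen == 0
            if world and port not in PUBLIC_OK_PORTS:
                findings.append((name, port, f"port {port} open to the whole internet ({source})"))
            if port in DATA_PORTS and source not in allowed_db_sources:
                findings.append((name, port, f"data port {port} reachable from {source}, "
                                             f"expected one of {sorted(allowed_db_sources)}"))
            if kind == "group" and value not in groups:
                findings.append((name, port, f"source {source!r} is not a known security group"))
    return findings


def stateless_equivalent(port, cidr, ephemeral=(1024, 65535)):
    """Expand one stateful SG rule ('allow inbound port from cidr') into the two
    stateless NACL rules it implies: the request inbound on that port, and the
    replies outbound on the ephemeral port range the client chose."""
    return [
        ("inbound", port, port, cidr),
        ("outbound", ephemeral[0], ephemeral[1], cidr),
    ]


if __name__ == "__main__":
    for finding in audit(SECURITY_GROUPS):
        print(finding)
    print(stateless_equivalent(443, "0.0.0.0/0"))
```

A clean run produces no findings for the layout above; swapping `db-sg`'s source for `0.0.0.0/0` produces two, one for the world-open port and one for the data port reachable from something other than the application tier. The `stateless_equivalent` output is a reminder that the reply-traffic rule is the part people forget when they translate security-group thinking into Network ACLs.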
Internet Access for Private Subnets with NAT Gateway
Servers in private subnets still need to reach the internet for software updates and outbound API calls, and a NAT Gateway provides that path. It forwards outbound traffic from the private subnet through its own public IP, but does not accept connections initiated from outside. This way your servers can access the internet but cannot be directly reached from the internet.
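To make the "outbound only" property concrete, here is an added example (not code from the article) that models the two route tables of the design above and a NAT gateway with a flow table. Route lookup is longest-prefix match: in-VPC destinations hit the `local` route, everything else goes to the internet gateway on the public table or to the NAT gateway on the private table. The NAT model rewrites the source of outbound packets to its public IP and records the flow; an inbound packet is delivered only if it matches a flow that was opened from inside, so an unsolicited connection to the NAT's public IP is dropped. Route targets, the public IP (from the 203.0.113.0/24 documentation range) and the port allocation scheme are all constructed assumptions.

```python
import ipaddress

# Constructed route tables for the public and private subnets.
# Targets: "local" (inside the VPC), "igw" (internet gateway), "nat" (NAT gateway).
ROUTE_TABLES = {
    "public":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw")],
    "private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat")],
}
NAT_PUBLIC_IP = "203.0.113.10"  # constructed, documentation address range


def next_hop(table_name, dst_ip):
    """Longest-prefix match over a subnet's route table; None if nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in ROUTE_TABLES[table_name]:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


class NatGateway:
    """Source NAT with a flow table: replies are admitted only for flows opened from inside."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.flows = {}           # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self._next_port = first_port

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a private source to the NAT's public IP and record the flow."""
        pub_port = self._next_port
        self._next_port += 1
        self.flows[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Return the internal (ip, port) for a matching reply, or None when the packet is dropped."""
        if dst_ip != self.public_ip:
            return None
        return self.flows.get((dst_port, src_ip, src_port))


def simulate_update_fetch(private_ip="10.0.10.5", remote_ip="198.51.100.7"):
    """Walk one outbound request and its reply from an app server; return the steps."""
    nat = NatGateway(NAT_PUBLIC_IP)
    hop = next_hop("private", remote_ip)
    translated = nat.outbound(private_ip, 51515, remote_ip, 443)
    reply_to = nat.inbound(remote_ip, 443, NAT_PUBLIC_IP, translated[1])
    unsolicited = nat.inbound(remote_ip, 22, NAT_PUBLIC_IP, 22)
    return {"route": hop, "public_src": translated[0],
            "reply_delivered_to": reply_to, "unsolicited": unsolicited}


if __name__ == "__main__":
    print(simulate_update_fetch())
```

The interesting line is `unsolicited`: the same remote host that just received the request cannot open its own connection back through the NAT, because no flow entry exists for it. Private instances also have no route to the internet gateway at all, so even a public IP attached to one would not help an attacker reach it.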
After completing your VPC configuration, add server-level protection with our iptables firewall guide. Also check our Zero Trust architecture guide to strengthen your network security. Build your isolated network infrastructure with Hosted Cloud cloud servers.
Frequently Asked Questions
What is the difference between VPC and VLAN?
VLAN provides Layer 2 isolation on physical network hardware. VPC provides Layer 3 isolation through software-defined networking (SDN) in the cloud. VPC is more flexible, scalable, and manageable via API.
I have a single server, do I need a VPC?
VPC is beneficial even for a single server. Instead of closing the database port to the internet and allowing only localhost access, you can implement subnet-level isolation with VPC. Your infrastructure will be ready when you scale in the future.
What is VPC peering?
VPC peering connects two different VPCs over a private network. Traffic does not pass through the internet, providing low latency and high security. It is used to connect different environments (staging/production) or different regions.
What is a bastion host and why is it used?
A bastion host (jump box) is a hardened server in the public subnet that provides SSH access to servers in private subnets. Instead of giving direct internet access to private servers, all SSH traffic passes through the bastion.
Is NAT Gateway expensive?
NAT Gateway includes hourly charges and data transfer fees. For cost optimization, you can use VPC endpoints to access cloud services without a NAT Gateway. For small projects, a NAT instance (t3.micro) may be more economical.
Conclusion
VPC forms the security foundation of your cloud infrastructure. Minimize your attack surface with public and private subnet separation, layered security groups, and NAT Gateway configuration. Always keep databases in private subnets and apply the principle of least privilege in security groups.
Can Kaya, Security Specialist: CISSP-certified security expert creating content on cybersecurity, DDoS protection, and server hardening.