Amazon Virtual Private Cloud (VPC)
Amazon VPC is your private network fabric in AWS—CIDRs, subnets, routes, gateways, endpoints, and security controls that stitch services together. It’s powerful, but it’s also easy to overspend on NAT Gateways, Interface endpoints (PrivateLink), inter-AZ data transfer, and Transit Gateway if the architecture isn’t intentional. This page blends Grok’s outline with a pragmatic, FinOps-oriented playbook: what you’re using, what you’re paying for, what to change, and which native tools help you do it quickly.
🚀 What is VPC?
Amazon Virtual Private Cloud (Amazon VPC) lets you launch resources in a logically isolated network you define. You control IP address ranges (IPv4/IPv6), subnets, route tables, and gateways; connect privately to AWS services and to the internet/on-prem; and govern traffic with Security Groups and Network ACLs.
Core building blocks
CIDRs & subnets (public/private/isolated; dual-stack IPv4/IPv6)
Routing & edge: Internet Gateway (IGW), NAT Gateway, egress-only IGW (IPv6)
Security: Security Groups (stateful), NACLs (stateless)
Endpoints: Gateway (S3/DynamoDB), Interface (PrivateLink) for many services
Connectivity: VPC Peering, Transit Gateway (TGW), Site-to-Site VPN, Direct Connect, VPC Lattice (service-to-service)
Observability: VPC Flow Logs, Reachability Analyzer, Network Access Analyzer
⚙️ Subnet types — pick the right isolation
| Subnet type | Typical workloads | Routing and notes |
|---|---|---|
| Public | Internet-facing ALB/NLB, bastion, public apps | Route table to IGW; resources usually have public IPs. |
| Private | App tiers, worker nodes | No direct internet; outbound via NAT (IPv4) or egress-only IGW (IPv6); prefer Gateway Endpoints for S3/DynamoDB. |
| Isolated | Highly sensitive workloads | No IGW/NAT; only VPC-internal traffic or PrivateLink/TGW. |
Use multi-AZ subnets for HA; keep data paths zonal to avoid cross-AZ charges.
🧬 Connectivity options
| Option | Purpose | Scope and strengths | Cost and caveats |
|---|---|---|---|
| VPC Peering | Direct VPC-to-VPC | Simple, few VPCs; same or cross-Region | Non-transitive; no overlapping CIDRs; cross-Region transfer billed. |
| Transit Gateway (TGW) | Hub-and-spoke | Many VPCs/sites; centralized routing | Attachment-hours + per-GB; avoid hairpins (VPC→TGW→same VPC). |
| VPC Endpoints | Private AWS access | Gateway: S3/DynamoDB (no hourly); Interface: most other services | Interface endpoints bill per-AZ + data; attach tight endpoint policies. |
| NAT Gateway | IPv4 outbound from private subnets | Simple, managed | Hourly + per-GB; deploy per AZ with zonal routes. |
| VPN / Direct Connect | Hybrid connectivity | Quick IPsec / deterministic DX bandwidth | Ongoing charges; plan HA pairs. |
| VPC Lattice | App-to-app across VPCs/accounts | Built-in auth, routing policies | Request/data processing fees; evaluate versus PrivateLink/TGW. |
Rule of thumb: Peering for simple meshes, TGW when the graph gets dense, Endpoints to avoid NAT for S3/DynamoDB, PrivateLink for producer/consumer isolation.
🏛️ Configuration options
| Option | Best for | Notes |
|---|---|---|
| Default VPC | Quick starts, dev/test | Pre-made public subnets; good for experiments, not prod standards. |
| Custom VPC | Production & compliance | Define CIDR (e.g., /16), split per-AZ subnets; add endpoints. |
| IPv6 (dual-stack) | Global apps, future-proofing | Outbound over egress-only IGW reduces NAT reliance; plan SG/NACL rules. |
| Secondary CIDRs | Growth without rebuild | Attach additional IPv4/IPv6 blocks later via VPC IPAM. |
💸 Cost levers — where the money goes
| Lever | What you pay for | What to do |
|---|---|---|
| NAT Gateway | Hourly + per-GB processed | Deploy per-AZ; keep routes zonal; offload S3/DynamoDB to Gateway endpoints; consider IPv6 egress-only IGW for dual-stack. |
| Interface endpoints (PrivateLink) | Per-AZ hourly + data processing | Only for services that truly need private access; share centrally via RAM; prune unused endpoints; prefer Gateway endpoints where possible. |
| Inter-AZ data transfer | Cross-AZ bytes billed inside a Region | Keep producers/consumers in the same AZ; disable cross-zone LB where appropriate; use local caches. |
| Transit Gateway | Attachment-hours + per-GB | Use TGW for ≥3-way topologies; otherwise peering/PrivateLink; avoid double-hops. |
| Public IPv4 / EIP | Scarcity & idle EIP charges | Prefer IPv6; release unattached EIPs; terminate public IPs on LBs instead of instances. |
| Flow Logs / Traffic Mirroring | Ingestion/storage/bandwidth | Scope to problem subnets; sample; send to S3 with lifecycle (7–30d). |
| Route 53 Resolver endpoints | ENI-hours + queries | Centralize outbound resolvers; avoid per-VPC duplication. |
🧠 VPC optimization strategy (FinOps + reliability)
Quick wins
Add Gateway endpoints (S3/DynamoDB) to cut NAT GBs immediately.
Make NAT zonal (one per AZ) to remove cross-AZ hairpins.
Right-size pricey endpoints: enumerate Interface endpoints; consolidate or remove.
Right-size topology
Use peering for a handful of VPCs; move to TGW when connections multiply.
Use PrivateLink to expose provider services to consumers without full mesh.
Consider VPC Lattice for app-to-app with auth/routing built-in.
Data-transfer discipline
Co-locate compute and data by AZ; read local, write local where possible.
Turn off cross-zone load balancing when it’s not a requirement.
Compress and batch chatty flows.
IPv6 to reduce NAT
Dual-stack subnets; send outbound IPv6 via egress-only IGW; keep IPv4 NAT only where required.
Governance & drift
Use IPAM to allocate non-overlapping CIDRs; reserve growth.
Guardrails via SCP/Config (“NAT per AZ”, “Gateway endpoints present”, “No public subnets without controls”).
Validate with Reachability Analyzer / Network Access Analyzer before rollouts.
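As an added example (not code from the original page), the subnet-type rules above and the two quick wins on zonal NAT and Gateway endpoints expressed as a Python check over route-table data; the subnet, NAT and endpoint ids are constructed, and the input shape is a simplified stand-in for what a route-table listing returns.

```python
"""Classify subnets by their route table and flag two defects this page warns
about: a private subnet whose default route points at a NAT Gateway in another
AZ (cross-AZ hairpin) and a private subnet with no Gateway-endpoint route, so
S3/DynamoDB traffic is paying NAT per-GB. All ids below are constructed."""

# Constructed: NAT Gateway id -> AZ it lives in.
NAT_AZ = {"nat-0a": "us-east-1a", "nat-0b": "us-east-1b"}

# Constructed: subnet id -> (subnet AZ, routes). A route is (destination, target);
# the destination is a CIDR or a managed prefix list id (pl-*), which is how a
# Gateway endpoint route (target vpce-*) appears in a route table.
SUBNETS = {
    "subnet-pub-a": ("us-east-1a", [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-1")]),
    "subnet-app-a": ("us-east-1a", [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0a"),
                                    ("pl-s3", "vpce-s3")]),
    "subnet-app-b": ("us-east-1b", [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0a")]),
    "subnet-db-a": ("us-east-1a", [("10.0.0.0/16", "local")]),
}

def classify(routes):
    """public: default route via IGW; private: via NAT; isolated: no default route."""
    for dest, target in routes:
        if dest == "0.0.0.0/0":
            if target.startswith("igw-"):
                return "public"
            if target.startswith("nat-"):
                return "private"
    return "isolated"

def audit(subnets, nat_az):
    """Return {subnet_id: (subnet type, list of findings)}."""
    report = {}
    for sid, (az, routes) in subnets.items():
        kind, findings = classify(routes), []
        if kind == "private":
            nat = next(t for d, t in routes if d == "0.0.0.0/0")
            if nat_az.get(nat) != az:
                findings.append(f"cross-AZ NAT: {nat} is in {nat_az.get(nat)}, subnet is in {az}")
            if not any(t.startswith("vpce-") for _, t in routes):
                findings.append("no Gateway endpoint route: S3/DynamoDB traffic pays NAT per-GB")
        report[sid] = (kind, findings)
    return report

if __name__ == "__main__":
    for sid, (kind, findings) in audit(SUBNETS, NAT_AZ).items():
        print(sid, kind, findings or "ok")
```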
💵 Pricing model & common gotchas
| Component | Pricing model | Gotcha |
|---|---|---|
| Core VPC (subnets/routes/SG/NACL) | No direct hourly cost | Costs come from data transfer & attached services. |
| NAT Gateway | Hourly + per-GB processed | Central NAT can increase cross-AZ or TGW hairpins—prefer per-AZ. |
| Transit Gateway | Attachment-hours + per-GB | Model attachments carefully; avoid VPC↔TGW↔same-VPC hairpins. |
| Interface Endpoints | Per-AZ hourly + per-GB | Endpoint sprawl across many AZs/accounts adds up fast. |
| Gateway Endpoints (S3/DDB) | No hourly | Replace NAT for these services; restrict with endpoint policies. |
| Elastic IP (idle) | Charge for unattached/idle | Release unused; prefer LB public IPs. |
Keep regional prices in a separate sheet/calculator and review Cost Explorer/CUR by usage type: NatGateway-Bytes/Hours, VpcEndpoint-Hours, TransitGateway-*, DataTransfer-Regional-Bytes, VPCPeering-Bytes.
⏱️ Automation patterns
VPC as code: Terraform/CloudFormation/CDK for VPC, subnets, routes, endpoints, SGs.
Endpoint hygiene: tag, inventory, and auto-prune unused Interface endpoints; share centrally via RAM.
Flow Logs lifecycle: enable where needed, send to S3, expire aggressively; turn on Traffic Mirroring only for short investigations.
Scheduled dev envs: create/tear down NAT/VPN endpoints and non-prod networking during business hours to trim runtime costs.
🔒 Security & compliance
Least privilege defaults: Security Groups first; NACLs for coarse boundaries.
Private access: OAC-backed S3 with CloudFront, VPC endpoints for control planes, and PrivateLink for provider services.
Endpoint policies: restrict S3/DynamoDB/Interface endpoints to specific ARNs and actions.
Inspection: AWS Network Firewall / partner appliances where mandated (mind per-GB processing).
Validation: Reachability Analyzer and Network Access Analyzer to prove intended paths and flag over-permissive routes.
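An added example, not from the page: a small linter for the endpoint-policy point above, showing the AWS default endpoint policy (full access) beside a restricted S3 Gateway-endpoint policy; the bucket name and Organization id are placeholders.

```python
"""Lint a VPC endpoint policy for the 'allow everything' shape AWS applies by
default, beside a restricted S3 Gateway-endpoint policy. Both policies are
constructed examples with placeholder bucket and Organization ids."""

# Default endpoint policy: every principal, every action, every resource.
DEFAULT_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}]}

# Tightened: named actions on named buckets, and only for principals in our
# Organization. Principal stays '*' because the endpoint itself limits reach
# to the VPC; the Condition is what ties access to our accounts.
RESTRICTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-bucket",
                  "arn:aws:s3:::example-app-bucket/*"],
     "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _wild(values):
    """True for '*' or a service-wide wildcard such as 's3:*' / 'arn:aws:s3:::*'."""
    return any(v == "*" or v.endswith(":*") for v in _as_list(values))

def lint_endpoint_policy(policy):
    """Return findings for Allow statements that are broader than they should be;
    an empty list means every Allow names its actions/resources or is conditioned."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        wild_action = _wild(st.get("Action", []))
        wild_resource = _wild(st.get("Resource", []))
        if wild_action and wild_resource:
            findings.append(f"statement {i}: unrestricted Allow (wildcard Action and Resource, no Condition)")
        elif wild_resource:
            findings.append(f"statement {i}: wildcard Resource without a Condition; scope to bucket/table ARNs or add aws:PrincipalOrgID")
    return findings

if __name__ == "__main__":
    for name, pol in (("default", DEFAULT_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, lint_endpoint_policy(pol) or "ok")
```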
📊 Monitoring & tools
CloudWatch metrics: NAT bytes/packets, TGW data/packet counters, LB cross-zone metrics, VPN tunnel status.
VPC Flow Logs: analyze top talkers & unexpected egress; query via Athena/OpenSearch.
Cost Explorer/CUR: tag networking resources; build dashboards for NAT/endpoint/TGW spend trends.
IPAM dashboards: track IPv4/IPv6 utilization & overlaps.
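An added example, not part of the original page: a Flow Logs pass that surfaces the two signals the monitoring and data-transfer sections ask for, NAT egress candidates and inter-AZ bytes, from constructed default-format records and a constructed subnet-to-AZ map (Athena/OpenSearch would do the same over real logs).

```python
"""Tally two signals this page asks for from VPC Flow Log records (default v2
format): bytes leaving private subnets for public IPv4 destinations (NAT per-GB
traffic, some of which belongs on Gateway endpoints) and bytes crossing AZs
(billed inter-AZ transfer). Log lines and the subnet map are constructed."""
import ipaddress
from collections import Counter

# Constructed: subnet CIDR -> AZ. Addresses outside these are "external".
SUBNET_AZ = {"10.0.1.0/24": "us-east-1a", "10.0.2.0/24": "us-east-1b"}

# Constructed records; field order of the default format:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_LOG = """\
2 123456789012 eni-aaa 10.0.1.10 52.216.8.1 44321 443 6 120 480000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-aaa 10.0.1.10 10.0.2.20 50000 5432 6 40 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-bbb 10.0.2.20 10.0.1.10 5432 50000 6 40 1000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-aaa 10.0.1.10 10.0.1.11 50001 6379 6 10 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-aaa 10.0.1.10 198.51.100.7 44322 22 6 3 300 1700000000 1700000060 REJECT OK
"""

def az_of(ip):
    """AZ of an address inside a known subnet, else 'external'."""
    addr = ipaddress.ip_address(ip)
    for cidr, az in SUBNET_AZ.items():
        if addr in ipaddress.ip_network(cidr):
            return az
    return "external"

def analyze(log_text):
    """Return (bytes per public destination, bytes per AZ pair), ACCEPTed flows only."""
    egress, cross_az = Counter(), Counter()
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 14 or f[12] != "ACCEPT":
            continue
        src, dst, nbytes = f[3], f[4], int(f[9])
        src_az, dst_az = az_of(src), az_of(dst)
        # is_global excludes RFC1918 space, so peered/TGW-reachable private
        # ranges outside SUBNET_AZ do not get counted as NAT egress.
        if src_az != "external" and ipaddress.ip_address(dst).is_global:
            egress[dst] += nbytes
        elif "external" not in (src_az, dst_az) and src_az != dst_az:
            cross_az[tuple(sorted((src_az, dst_az)))] += nbytes
    return egress, cross_az

if __name__ == "__main__":
    eg, xaz = analyze(SAMPLE_LOG)
    print("NAT egress candidates (bytes):", eg.most_common(5))
    print("cross-AZ bytes:", dict(xaz))
```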
🧪 Practical selection cheat-sheet
Small multi-tier app: Public ALB → private app/data subnets per AZ → NAT per AZ → Gateway endpoints for S3/DynamoDB.
Many VPCs (multi-account): TGW hub-and-spoke; central outbound resolvers; consider VPC Lattice for service-to-service auth.
Provider/consumer isolation: PrivateLink (provider behind NLB; consumers via Interface endpoints).
Data-heavy to S3/DDB: Use Gateway endpoints so those prefix lists are routed to the endpoint instead of following the 0.0.0.0/0 route through NAT.
IPv6-friendly stack: Dual-stack subnets; egress-only IGW for outbound v6; fewer NATs/EIPs.
✅ Checklist
References (add your org’s canonical links)
VPC design standards (CIDR/subnetting, SG/NACL patterns)
NAT/Endpoint/TGW cost guardrails & dashboards
IPAM deployment guide and address plans
Flow Logs + Athena queries / OpenSearch dashboards
Reachability & Network Access Analyzer runbooks
PrivateLink provider/consumer patterns; VPC Lattice guidance
Features & prices evolve. Validate in your Region before production changes.