Public cloud infrastructure runs on shared, multi-tenant physical hardware, described in What Is Cloud Computing? — which raises an obvious question: what actually keeps one customer’s network traffic logically separate from every other customer’s, and from the public internet, by default? The answer is the virtual private cloud.
What a VPC actually is
A virtual private cloud (VPC) is a logically isolated, private network you define within a public cloud provider’s infrastructure, with its own IP address range, that you control independently of any other customer’s network on the same underlying physical infrastructure. AWS’s documentation on Amazon VPC describes this directly: resources launched into a VPC are, by default, isolated from resources in any other VPC, even though they may be running on the same shared physical hardware underneath. Nothing enters or leaves a well-configured VPC without passing through networking rules you explicitly defined.
Subnets: dividing the network
A VPC is divided into subnets — smaller address ranges carved out of the VPC’s overall range, typically each tied to a specific availability zone, the geographic structure covered in Regions, Availability Zones, and Why Cloud Architecture Is Geographic. Subnets are commonly classified as public (with a route to the internet) or private (without one), which is the basic mechanism behind a common and important architecture pattern: placing a database or internal service in a private subnet, with no direct internet route at all, while only the specific components that actually need to be internet-facing — a load balancer, discussed in Load Balancing Explained, for instance — sit in a public subnet.
Route tables and gateways: what’s actually allowed to connect
A route table defines where network traffic from a subnet is allowed to go — which destinations are reachable, and through which gateway. An internet gateway is what actually connects a public subnet to the internet; without an internet gateway and a corresponding route, a subnet has no path to the internet at all, regardless of any other configuration. A NAT gateway allows resources in a private subnet to initiate outbound connections to the internet (to download a software update, for example) without being directly reachable from the internet themselves — a one-directional pattern that preserves the private subnet’s isolation from unsolicited inbound traffic while still letting it reach out when it needs to.
Security groups and network ACLs: filtering traffic further
Within this structure, security groups act as a virtual firewall attached to individual resources, controlling exactly what traffic is allowed in and out at the resource level, while network access control lists (ACLs) apply similar filtering at the subnet level. Together with the VPC and subnet structure itself, these layers implement the same underlying principle discussed in Cloud IAM and the Principle of Least Privilege: a resource should be reachable only by the specific traffic it actually needs to accept, and nothing else, by default.
Why this matters even if you never touch it directly
Many teams never configure VPC networking by hand — infrastructure-as-code templates, covered in Infrastructure as Code: How Tools Like Terraform Actually Work, or a platform’s default setup often handle it. Understanding the model still matters, because nearly every cloud security incident involving unintended public exposure — a database reachable from the open internet, an internal service with no access restriction — traces back to a gap somewhere in this exact structure: a subnet marked public that shouldn’t have been, a security group rule too broad, a route table sending traffic somewhere it shouldn’t go.
Key takeaway
A VPC is the foundational layer of network isolation in a public cloud account, built from subnets, route tables, and gateways that together determine what can reach what, and from where. Nearly every other cloud networking and security concept — public versus private subnets, load balancer placement, least-privilege access — is built directly on top of this structure, which is why understanding it is a genuine prerequisite for reasoning about cloud security, not an optional advanced topic.
This article explains general cloud networking concepts; specific configuration options and defaults vary by provider. See our disclaimer.