What is a Virtual Private Cloud?


A virtual private cloud (VPC) is a “cloud within a cloud” configuration in which an organization establishes a private virtual networking environment inside a cloud service provider’s (CSP) public cloud. This “private cloud in the public cloud” usually grants the organization complete control over its private virtual space, its security, and, subject to what the CSP offers in each location, where its resources are located. The major benefit of the VPC deployment is offloading infrastructure risk onto the CSP, which brings further benefits such as a smaller IT staff, lower infrastructure and staffing costs, and a more future-proof technology stack.

There are similar concepts that are sometimes confused with VPCs, such as virtual private servers (VPS) and virtual private networks (VPN). Virtual private clouds resemble virtual private servers (VPS), but with significant differences. A VPS, like a VPC, exists in the cloud, but it uses only a fixed portion of a server with fixed resources; when accessing a VPS, users interface with it as if it were a local drive. A VPS lacks efficient scalability, which distinguishes it from virtual cloud models. A VPC, by contrast, is not bound to the underlying infrastructure; its architecture allows it to scale on demand.

VPNs are not a server technology. Virtual private networks (VPN) allow users to securely access a company's intranet from outside the firewall; they can be thought of as a secure line over a public network such as the Internet. Likewise, a worker can use a VPN connection to securely connect to a company’s VPC from anywhere with Internet access. VPNs are used to secure connections and to transmit and receive data privately.


Because virtual private clouds (VPC) are based in the public cloud space, VPCs have all the features expected of the public cloud: security, elasticity, scalability, and cost planning and control. These are the key features cloud consumers expect from cloud service providers. VPCs, however, raise an additional security concern, namely how the CSP guarantees that a client’s VPC is isolated and protected from other partitions within the public cloud.

Isolating technologies include:

  • Subnet Masks — Subnet masks reserve ranges of IP addresses that are off-limits to certain groups. By setting subnet masks, a VPC can reserve ranges of private addresses for use within the network that are completely invisible to the public Internet.
  • Virtual Local Area Networks (VLAN) — A virtual local area network is a way to establish a group of computing devices that are logically segmented into a VLAN that operates as a single network, regardless of where the clients are physically located.
  • Virtual Private Networks (VPN) — Virtual private networks (VPN) are not networks, but refer to the creation of a private connection to a network over the public Internet. VPNs use encryption to establish a secured “tunneled” connection and can be used to securely connect to a virtual private cloud.
  • Availability Zones — Availability zones logically and physically isolate partitions of the CSP's infrastructure within regions, each with its own power, cooling, and connectivity. By avoiding single points of failure, availability zones bolster redundancy and fault tolerance within the system.

There are significant VPC benefits for companies considering establishing their own private clouds. With goals properly aligned, a VPC can prove to be a superior option to owning and operating a private cloud internally.

  • VPCs are Reliable, Elastic, and Scalable — These three characteristics refer to a cloud's capacity to deliver. Because VPCs are housed in the public cloud, they share the public cloud's original value propositions: reliable uptime and data access, elastic capacity able to meet growing demand, and scalability to meet current workload demand.
  • VPC Security — Security requirements depend on the needs of the system and on compliance obligations. Leading public cloud providers with streamlined security processes can offer exceptionally convenient solutions to those requirements. Providers that proactively upgrade their security measures also give VPC consumers a measure of insurance against future security needs.
  • Cost Savings — Public clouds are lauded for their pay-for-usage plans, which let organizations plan costs effectively while offloading responsibility for the infrastructure.

Virtual private cloud architecture is built on the same infrastructure as other cloud models. In addition to the technologies and practices that underpin public cloud services, CSPs also use three-tier architecture and demilitarized zones to organize VPC services.

  • Three-tier Architecture — As the name suggests, three-tier architecture creates three interconnected layers that divide software responsibilities: the web or presentation tier, the application tier, and the database tier. The presentation tier receives web browser requests and returns web pages and data held by the other two layers. The application tier is considered the heart of the application; it is where the business logic lives and runs. The database tier houses the databases that store the data the application tier works with and eventually passes to the presentation tier to be consumed.
  • Demilitarized Zone (DMZ) — Also called perimeter networks, DMZs are subnets established to create a buffer between the LAN, private cloud, or VPC and the public Internet. DMZs provide access control, threat prevention, and detection of IP spoofing. The DMZ is protected from the Internet by a firewall, and the enterprise LAN in turn has its own firewall protecting it from the DMZ. This configuration allows resources to be exposed to the public while the enterprise systems remain protected. If an attack does breach the DMZ, it is stopped by the second firewall, which is usually hardened against attacks.

Setting up a virtual private cloud (VPC) with a leading cloud provider is straightforward. After you sign up for an account, the CSP has you create a VPC with a single public subnet. From there, you will likely assign an IP address for Internet access and then add a private subnet to your VPC. Based on the shared responsibility model and the services you use, you configure the security features. At this point you can use the VPC as you see fit, perhaps setting up a VPC peering connection, which links two VPCs and enables private traffic routing between them.


A public cloud is a shared pool of IT resources delivered to cloud consumers over the Internet by a cloud service provider (CSP). Depending on the level of service, cloud consumers and CSPs enter into a service level agreement (SLA) contract that defines the cloud service and which parts each party is responsible for (e.g. who is responsible for data, infrastructure, applications, etc.).

By contrast, a private cloud is a cloud deployment model in which a single organization owns and administers its own cloud and the networking infrastructure that underpins it. This model creates central access to IT resources for departments and staff across multiple locations and potentially multiple regions. Private clouds are implemented behind the organization’s firewall, which is the major factor distinguishing them from other cloud deployment models. In the private cloud model, the organization that owns the private cloud is both cloud consumer and cloud service provider (CSP).


Adopting a private cloud strategy demands that companies weigh the worth of the network based on its business use, the necessity of private resources, and the cost of maintaining the network and supporting infrastructure against alternatives such as virtual private clouds (VPC), which enable private clouds in a public cloud space.

Private clouds are traditionally on-premises infrastructures secured behind enterprise firewalls. Their greatest benefit is complete control over every aspect of the cloud environment, from the choice of infrastructure to configurations, organization, and policies. Their main drawback, however, is the total cost of ownership and the responsibility for maintaining the private cloud.

VPCs are also private and fully controlled by the cloud consumer, but because they are public cloud offerings, they also grant the cloud consumer the advantages of the public cloud: security, elasticity, scalability, and cost planning.


Virtual private clouds (VPC) are single-tenant deployments in the public cloud: the cloud service provider provisions resources as a dedicated cloud for private use. This affords the cloud consumer the benefits of complete control together with public cloud flexibility, reliability, and scalability. In essence, a VPC is no different from the public cloud except that it is isolated and secured for the use of one group.


Virtual private clouds share all the benefits of the public cloud space (reliability of services, flexibility of technologies, elasticity of capacity, and scalability of workloads), all under a pay-as-you-go plan. On top of those benefits, VPCs are fully controlled by the cloud consumer and have the benefits of private clouds: complete control over infrastructure and software choices, maximum control over configurations and customizations, ownership of network visibility and security measures, and ownership of compliance responsibilities.