
VPC Isolation

How a virtual private cloud uses subnets, routing, and gateways to isolate workloads from the public internet.


A Private Network in the Cloud

A virtual private cloud is an isolated network you control inside a provider. You choose its address range, then carve it into subnets that group resources by trust level.

Public and Private Subnets

  • A public subnet has a route to an internet gateway, so its resources can reach and be reached from the internet.
  • A private subnet has no route to an internet gateway, so nothing on the internet can open a connection to its resources.

Databases and internal services belong in private subnets. Only load balancers and public-facing servers belong in public ones.

Controlled Outbound Access

A private subnet often still needs to download updates. A NAT gateway lets private resources initiate outbound connections while refusing any connection initiated from the internet, so the subnet stays isolated.
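As an added example (not part of the lesson), a small Python audit that classifies each subnet from the default route in its route table and flags resources placed in the wrong tier. The VPC, its subnets and the gateway ids (igw-…, nat-…) are constructed sample data, not real infrastructure.

```python
from dataclasses import dataclass, field

@dataclass
class RouteTable:
    # destination CIDR -> target: "local", "igw-*" (internet gateway), "nat-*" (NAT gateway)
    routes: dict

@dataclass
class Subnet:
    name: str
    route_table: RouteTable
    resources: list = field(default_factory=list)  # (resource name, kind) pairs

def classify(subnet: Subnet) -> str:
    """Tier of a subnet, decided by where its default route (0.0.0.0/0) points."""
    target = subnet.route_table.routes.get("0.0.0.0/0")
    if target is None:
        return "private"       # no default route at all: no internet path either way
    if target.startswith("igw-"):
        return "public"        # reachable from and able to reach the internet
    if target.startswith("nat-"):
        return "private-nat"   # outbound only; inbound connections are not accepted
    return "private"

# Kinds that must never sit in a subnet with an internet-gateway route.
INTERNAL_KINDS = {"database", "internal-service"}

def audit(subnets: list) -> list:
    """Return findings for resources whose tier does not match their role."""
    findings = []
    for s in subnets:
        tier = classify(s)
        for name, kind in s.resources:
            if kind in INTERNAL_KINDS and tier == "public":
                findings.append(f"{name} ({kind}) is exposed in public subnet {s.name}")
            elif kind == "load-balancer" and tier != "public":
                findings.append(f"{name} (load-balancer) in {tier} subnet {s.name} is not internet-reachable")
    return findings

# Constructed sample VPC 10.0.0.0/16: the orders-db is deliberately misplaced.
PUBLIC = Subnet("public-a", RouteTable({"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0sample"}),
                [("web-lb", "load-balancer"), ("orders-db", "database")])
PRIVATE = Subnet("private-a", RouteTable({"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0sample"}),
                 [("users-db", "database")])
ISOLATED = Subnet("isolated-a", RouteTable({"10.0.0.0/16": "local"}), [("audit-db", "database")])

if __name__ == "__main__":
    for s in (PUBLIC, PRIVATE, ISOLATED):
        print(f"{s.name}: {classify(s)}")
    for finding in audit([PUBLIC, PRIVATE, ISOLATED]):
        print("FINDING:", finding)
```

The same classification works on real route tables exported from a provider, since only the default-route target is inspected.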

Connecting Without the Public Internet

  • Private endpoints reach cloud services without leaving the provider network.
  • Peering links two VPCs so they communicate over private addresses.

Key idea

A VPC isolates workloads by placing sensitive resources in private subnets with no inbound internet route, while gateways and private endpoints provide controlled connectivity.

Check yourself


1. What makes a subnet public rather than private?

2. What does a NAT gateway allow for private subnet resources?

3. Where should a database normally live in a VPC?