What is a virtual private cloud?

A VPC allows an enterprise to define and control a virtual network that is logically isolated from all other public cloud tenants, creating a private, secure space on the public cloud.

Imagine that a cloud provider's infrastructure is a residential apartment building with multiple families living inside. Being a public cloud tenant is akin to sharing an apartment with a few roommates. In contrast, having a VPC is like having your own private condominium—no one else has the key, and no one can enter the space without your permission.

A VPC's logical isolation is implemented by using virtual network functions and security features that give an enterprise customer granular control over which IP addresses or cloud applications can access particular resources. This function is analogous to the "friends-only" or "public/private" controls on social media accounts that restrict who can or can't see your otherwise public posts.

VPC falls under the infrastructure as a service (IaaS) category, one of the four most popular cloud service offerings, along with platform as a service (PaaS), software as a service (SaaS) and serverless. All top cloud service providers offer VPC solutions, including Amazon Web Services (AWS), Microsoft Azure, Google Cloud, IBM Cloud®, Oracle Cloud Platform, VMware and more.

Industries that require high levels of security, privacy and control over their data, including healthcare, finance and government, often favor VPCs. According to a Future Market Insights, Inc. report, the virtual private cloud (VPC) market share is predicted to grow from USD 38.8 billion in 2022 to USD 129.6 billion in 2032.¹ The drivers behind this growth include the rising demand for simple installation and low-cost disaster recovery (DR) solutions and the growing adoption of virtual private cloud among small and medium businesses.²

Check out this video with Ryan Sumner from IBM Cloud for a deeper dive into VPC, its architecture and its benefits.

VPCs are a "best of both worlds" approach to cloud computing. They give customers many advantages of private clouds while using public cloud resources and savings. The following are some key features of the VPC model.

Each VPC's main features readily translate into benefits that help your business achieve agility, increased innovation and faster growth:

• Flexible business growth: Because cloud infrastructure resources—including virtual servers, cloud storage and networking—can be deployed dynamically, VPC customers can quickly adapt to changes in business needs.

• Satisfied customers: In today's "always-on" digital business environments, customers expect uptime ratios of nearly 100%. The high availability of VPC environments enables reliable online experiences that build customer loyalty and increase trust in your brand.

• Reduced risk across the entire data lifecycle: VPCs enjoy high levels of security at the instance or subnet level (or both). This feature gives you peace of mind and further increases your customers' trust.

• More resources to channel toward business innovation: With reduced costs and fewer demands on your internal IT team, you can focus on achieving key business goals and exercising core competencies.

A virtual private network (VPN) makes a connection to the public Internet as secure as a connection to a private network by creating an encrypted tunnel through which the information travels. You can deploy a VPN as a Service (VPNaaS) on your VPC to establish a secure site-to-site communication channel between your VPC and on-premises environment or other location. By using a VPN, you can connect subnets in multiple VPCs so that they function as if they were on a single network.

Private cloud and virtual private cloud are sometimes—and mistakenly—used interchangeably. A VPC is actually a public cloud offering. A private cloud is a single-tenant cloud environment owned, operated and managed by the enterprise. It is hosted most commonly on premises or in a dedicated space or facility. By contrast, a VPC is hosted on multi-tenant architecture, but each customer's data and workloads are logically separate from those of all other tenants. The cloud provider is responsible for ensuring this logical isolation.

A VPC is a single-tenant concept that allows you to create a private space within the public cloud's architecture. A VPC offers greater security than traditional multi-tenant public cloud offerings but still lets customers take advantage of the public cloud's high availability, flexibility and cost-effectiveness. Sometimes, there might be different ways to scale a VPC and a public cloud account. For instance, extra storage volumes might only be available in blocks of a specific size for VPCs. Not all public cloud features are supported in all VPC offerings.

In a VPC, you can deploy cloud resources—referred to as logical instances—into your own isolated virtual network. These cloud resources fall into three categories:

• Compute: Virtual server instances (VSIs, also known as virtual servers) are presented to the user as CPUs (vCPUs) with a predetermined amount of computing power, memory and so on.

• Storage: VPC customers are typically allocated a certain block storage quota per account, with the ability to purchase more. This pricing model is akin to purchasing extra hard disk space. Storage recommendations are based on the nature of your workload.

• Networking: You can deploy virtual versions of various networking functions into your virtual private cloud account to enable or restrict access to its resources, including:
  • Public gateways: Public gateways are deployed so that all or some areas of your VPC environment can be made available on the public-facing Internet.
  • Load balancers: Load balancers distribute network traffic across multiple VSIs to optimize availability and performance.
  • Routers: Routers direct traffic and enable communication between network segments.
  • Direct or dedicated links: Direct or dedicated network connections enable rapid and secure communications between your on-premises enterprise IT environment or your private cloud and your VPC resources on public cloud.

• Regions: Providers host VPCs across regions. A region is a specific geographical location where apps, services and other resources can be deployed. Regions consist of one or more zones, which are physical data centers that house the compute, network and storage resources, with related cooling and power, for host services and applications. Zones are isolated from each other, which ensures that no shared single point of failure within a region occurs.

• Availability zones: An availability zone is a logically and physically isolated location within a VPC region with independent power, cooling and network infrastructures.

• Subnets: A subnet is a logical partition of an IP network that's divided into smaller network segments. These fundamental mechanisms within a VPC allocate IP addresses to individual resources (like virtual server instances) and enable various controls to these resources through network access control lists (ACLs), routing tables and resource groups. In a VPC environment, subnets act like private IP addresses that cannot be accessed publicly through the Internet.

• Route tables: Each subnet in a VPC must be associated with a route table, a collection of rules or routes that control network traffic for the subnet or gateway.

• Flow logs: Flow Logs enable the collection, storage and presentation of information about the IP traffic going to and from network interfaces within your VPC.

• Domain name system (DNS) services: DNS services associated with VPCs allow users to create their own private DNS zones and DNS resource records. Private DNS can improve online privacy and security by encrypting DNS queries and preventing third parties from monitoring online activity.

Most of today's software applications are designed with a three-tier architecture composed of the following interconnected tiers.

In a three-tier application, all communication goes through the application tier. The presentation and data tiers cannot communicate directly with one another. The application tier communicates with the presentation and data tiers using application programming interface (API) calls.

To create a three-tier application architecture on a VPC, you assign each tier its own subnet, giving it its own IP address range. Each layer is automatically assigned its own unique ACL.

In a virtual private cloud (VPC) model, the VPC provider ensures that each customer's data remains isolated and secure. They accomplish this through cloud security procedures and technologies, including network isolation—subnets, virtual private networks (VPNs), virtual local area networks (VLANs) and so on—that help improve security and control network traffic.

Also, VPCs achieve high levels of security by creating virtualized replicas of the security features used to control access to resources housed in traditional data centers. These security features enable customers to define virtual networks in logically isolated parts of the public cloud and control which IP addresses can access which resources.

Two types of network access controls comprise the layers of VPC security:

• Access control lists (ACLs): An ACL is a list of rules that limit who can access a particular subnet within your VPC. As previously discussed, a subnet is a portion or subdivision of your VPC; the ACL defines the set of IP addresses or applications granted access to it.

• Security group: With a security group, you can create groups of resources (which can be situated in more than one subnet) and assign uniform access rules to them. For example, if you have three applications in three different subnets and want them all to be public Internet-facing, you can place them in the same security group. Security groups act like virtual firewalls, controlling the flow of traffic to your virtual servers, no matter which subnet they are in.

The various cloud providers can offer different pricing models in their VPC offerings. It is common for individual VPC resources—such as load balancers, VSIs or storage—to be priced separately. Data transfer charges are also common based on volume, but some cloud providers do not charge for data transfers over private networks.

Determining the best VPC and pricing model to meet your business needs starts with considering the requirements of the applications you are planning to deploy. Are they compute-intensive? Will they require large amounts of memory and CPU? Or are they more balanced regarding their CPU, storage and memory requirements? Answering these questions will help predict your usage needs, allowing you to estimate the potential costs when comparing options.

• Host web applications: Securely host web applications and exercise better control over how network traffic can reach your VPC resources from the Internet.

• Cloud migration: VPC provides a cost-efficient way to move sensitive on-prem assets to an isolated private cloud within a public cloud environment, ensuring low latency, minimal downtime and robust cloud security.

• Hybrid cloud strategy: A VPC supports today's hybrid cloud strategy. Developers can connect VPCs to a public cloud or on-premises infrastructure with a VPN, integrating on-prem, private and public cloud resources to create a single, flexible and unified IT infrastructure.

• Multicloud deployment: VPCs also support multicloud deployments by allowing private connections between VPCs across cloud providers. Multicloud solutions include open-source, cloud-native technologies like Kubernetes. They also typically include capabilities for managing workloads across multiple clouds with a central console or single pane of glass.

• DevOps practices: VPC environments support DevOps practices, accelerating the delivery of higher-quality applications and services. DevOps automation uses cloud-native tools and technologies to perform routine tasks, thus speeding up workflows and the entire software development lifecycle.

• High-performance computing (HPC): VPC environments offer fast-provisioning compute capacity with the highest networking speeds and the most secure, software-defined networking resources to support high-performance computing (HPC) needs of highly regulated industries like finance, healthcare and more.

• Regulatory compliance and data governance: Adhering to strict regulatory and data governance requirements is critical, especially for global industries like oil and gas. Today's managed service providers for cloud VPCs offer built-in security and regulatory compliance tools and hardware and software solutions for confidential computing. Standard features include encryption options and data residency controls.

• Industry-specific clouds: VPCs are an ideal component of industry-specific cloud platforms, a growing trend among industries like finance and healthcare that are looking for sector-specific capabilities that are secure and can deliver business outcomes faster

• Business continuity disaster recovery (BCDR): Like other cloud-based services, business continuity disaster recovery (BCDR) with VPCs involves mechanisms to protect data and restore service functions. These include various tools, policies and procedures to restore a system, application or data center after a disruption. By replicating crucial infrastructure in a VPC across different regions, organizations can ensure BCDR in the event of a disaster (for example, equipment failures, cyberattacks, natural disasters).

• Edge computing and the Internet of Things (IoT): As more industries like manufacturing and retail use IoT and edge devices connect to the cloud, there is a need for secure and scalable cloud environments like VPCs.