A virtual private cloud (VPC) is a logically isolated private network in the cloud. VPCs use Software Defined Network (SDN) and VXLAN tunnel technology to separate the data plane from the control plane. Each VPC is assigned a unique VXLAN network identifier (VNI) to isolate its virtual network.
Service architecture
The following diagram shows how the data plane and control plane work together to forward and manage network traffic within a VPC.
Data plane: packet forwarding
The data plane processes and forwards network traffic. It consists of distributed vSwitches and gateway clusters.
Network isolation
VXLAN tunnel technology provides VPC-level network isolation. Traditional VLANs support at most 4,096 virtual networks—not enough for hyperscale cloud deployments. VXLAN overcomes this by encapsulating Layer-2 Ethernet messages in Layer-3 UDP packets, enabling millions of isolated virtual networks.
Communication flow
Intra-VPC: When Elastic Compute Service (ECS) instances in the same VPC communicate, their outgoing packets are encapsulated and tagged with the VPC's unique VNI. The packets are then transmitted over the physical network, but only instances in the same VPC decapsulate and accept those packets.
Inter-VPC isolation: Instances in different VPCs have different VNIs and belong to separate logical routing planes. Packets are not forwarded between VPCs, enforcing network isolation.
Control plane: centralized network management
The control plane is the core component of a VPC and consists of an SDN controller cluster. It handles centralized network management and policy distribution.
Decoupling: SDN separates network configuration from hardware. Routes and security rules defined through the console or API are handled by the SDN controller—administrators can adjust network behavior dynamically without touching physical hardware.
Configuration delivery: The controller computes configurations, such as forwarding tables, and delivers them to vSwitches and gateways on the data plane using a proprietary protocol. This separation lets you change network behavior without operating physical hardware, improving flexibility and automation.
High availability
The VPC architecture is built with redundancy at every layer to ensure service stability.
Distributed nodes: vSwitches are distributed across nodes to eliminate single points of failure (SPOFs).
Cluster deployment: Gateways and controllers run in clusters and support failover across multiple data centers (zones).
Link redundancy: All physical links are configured with redundancy and disaster recovery.
Architecture
The following diagram shows the VPC components available for building network architectures—from traffic control and IP management to cross-VPC connectivity and network monitoring.
| Component | Description |
|---|---|
| vSwitch | A zone-level resource that segments your VPC into subnets for resource deployment. |
| Route table | Directs traffic within your VPC. Each vSwitch is bound to a route table whose entries specify the next hop for outgoing packets. |
| IP Address Manager (IPAM) | Automates IP address allocation and management to prevent address conflicts and simplify network operations. |
| IPv4 gateway / IPv6 gateway | Works with route tables to centrally control internet traffic, reducing the security risks of decentralized access. |
| VPC peering connection | Connects VPCs in the same or different accounts and in the same or different regions for private cross-VPC communication. |
| Network ACL | Attaches to a vSwitch to control inbound and outbound traffic with configurable rules. |
| Flow log | Captures inbound and outbound traffic for elastic network interfaces (ENIs) to help you monitor network performance, troubleshoot issues, and reduce traffic costs. |
| Traffic mirroring | Copies traffic matching your filters and forwards it to security analysis appliances for real-time inspection, without affecting production traffic. |