A virtual private cloud (VPC) is a customizable, logically isolated section of a public cloud where you can launch and control resources in a secure network. It gives you full control over your IP ranges, routing, firewalls, and access controls—similar to a traditional on-prem network, but built on cloud infrastructure. Major cloud providers offer their own VPC solutions, each with slightly different tooling and terminology, but the core concepts remain consistent.
Today, VPCs are essential for building secure, scalable, and segmented network environments in the cloud. They allow you to isolate your workloads from each other, the rest of the public cloud, and the public internet.
Use cases for VPCs include:
Building multi-tier architectures, where databases and application servers are isolated in private subnets and only the web servers are public
Connecting on-premises environments with the cloud via VPN connections (i.e., hybrid cloud)
Isolating environments by workload, team, or compliance boundary
Enabling multi-region or multi-account segmentation by isolating environments according to business unit or geography while maintaining centralized control (through VPC peering or transit gateways)
The three major cloud providers each have their own VPC implementation:
AWS: Amazon VPC with route tables, subnets, internet/NAT gateways, NACLs, and security groups
Azure: Azure Virtual Network (VNet), using Network Security Groups (NSGs), Route Tables, Virtual WAN, and hub-and-spoke topology
GCP: GCP VPCs support global routing, VPC Network Peering, Cloud Router for dynamic routes, and firewall rules at the network/instance level
While every provider has a unique name and interface, all three platforms offer similar core VPC building blocks like subnets, firewalls, and gateways, with slightly different terminology and defaults.
What are the core components of a VPC?
Multiple services form a VPC, each one with clear-cut responsibilities. Let’s take a closer look at these components to get a better sense of a VPC’s inner workings.
Subnets
A subnet is a range of IP addresses that can be private or publicly accessible from the internet. In AWS, a subnet is bound to one Availability Zone. In Azure and GCP, subnets span the entire region, so zone placement is handled per resource rather than per subnet.
Route tables
The path that network traffic takes between subnets or to the public internet is determined by a route table, which is a collection of rules called routes. Each subnet has a route table that controls its traffic. Default route tables ensure you can access new subnets without up-front configuration; custom route tables allow you to specify granular routes to secure the resources inside your subnets.
Internet gateways
An internet gateway (IGW) lets public subnets reach the internet: a subnet whose route table points to an IGW can send traffic to, and receive connections from, outside the VPC.
NAT gateways
Allowing private subnets to communicate with the internet requires a network address translation (NAT) gateway. Private subnets cannot initiate outbound internet traffic unless a NAT gateway (AWS Cloud NAT / Azure NAT Gateway) or similar egress service is in a public subnet or edge VNet.
Network ACLs
Network access control lists (NACLs) are stateless firewalls applied at the subnet level. They independently evaluate both inbound and outbound traffic and don’t track connection state, which means you need to set rules for inbound and outbound traffic explicitly.
Azure uses Network Security Groups (NSGs) for both subnet- and NIC-level rules, covering the NACL/Security-Group split in one construct.
Security groups
Security groups are stateful virtual firewalls that work on the instance level. This contrasts with NACLs, which operate on the subnet level. Security groups evaluate traffic only when it enters or leaves an instance and keep track of the connection state.
Transit gateways, VNet hub-and-spoke, and VPC Network Peering
With a transit gateway, you can connect multiple VPCs to route traffic between them without going through the public internet. This also works for cross-region VPC connections.
How to secure a VPC
VPCs are only as secure as their configurations. Cloud providers give you the tools—but not the guardrails—to enforce isolation and access controls. It’s easy to unintentionally expose resources or over-permission access. Below are best practices to help secure your VPCs and reduce cloud risk.
Identity and access management
Always apply the principle of least privilege to ensure that every instance has access only to the resources needed to perform its designated tasks.
Enable multi-factor authentication for all accounts to reduce the risk of phishing attacks.
Use role-based access control (RBAC) to eliminate one-off permissions, which can lead to scaling problems as your use of VPCs grows.
Layered network access controls
Define your access controls via subnet-level (e.g., NACLs) and resource-level (e.g., security groups) firewall controls.
Use subnet-level network controls as coarse-grained filters for subnets that contain sensitive data.
At the resource level, deny everything by default and open only the ports the instance's use case requires.
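To make the stateless/stateful distinction from the NACL and security group sections concrete, here is an added Python model (written for this page, not provider code) of a subnet NACL and a security group, walking an HTTPS request and its reply through both layers. The rule sets, addresses and ports are constructed; it assumes AWS-style semantics (NACL rules evaluated in number order with an implicit final deny, security groups allow-only with connection tracking).

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed model (not provider code) of a stateless subnet NACL (rules in
# number order, first match wins, implicit deny) and a stateful security group.
# Packets are described from the instance's side: (proto, remote_addr, remote_port, local_port).

@dataclass
class Rule:
    proto: str      # "tcp", "udp" or "all"
    ports: tuple    # inclusive (low, high) range of the packet's destination port
    cidr: str       # remote address range the rule applies to
    action: str = "allow"
    def matches(self, direction, proto, remote, rport, lport):
        dst_port = lport if direction == "in" else rport
        return (self.proto in ("all", proto) and self.ports[0] <= dst_port <= self.ports[1]
                and ip_address(remote) in ip_network(self.cidr))

def nacl_allows(rules, direction, *pkt):
    """Stateless: every packet, replies included, needs a rule of its own."""
    for rule in rules:
        if rule.matches(direction, *pkt):
            return rule.action == "allow"
    return False

@dataclass
class SecurityGroup:
    inbound: list
    outbound: list
    conns: set = field(default_factory=set)   # connection-tracking table
    def allows(self, direction, *pkt):
        """Stateful: a reply to an allowed packet passes with no rule of its own."""
        rules = self.inbound if direction == "in" else self.outbound
        if pkt in self.conns or any(r.matches(direction, *pkt) for r in rules):
            self.conns.add(pkt)
            return True
        return False

def https_exchange(nacl_in, nacl_out, sg):
    """Run a client's HTTPS request and the server's reply through both layers."""
    flow = ("tcp", "203.0.113.7", 51515, 443)   # same 4-tuple in both directions
    return {"nacl_request": nacl_allows(nacl_in, "in", *flow),
            "nacl_reply": nacl_allows(nacl_out, "out", *flow),
            "sg_request": sg.allows("in", *flow), "sg_reply": sg.allows("out", *flow)}

# Constructed rule sets for a web tier that only serves HTTPS.
NACL_IN = [Rule("tcp", (443, 443), "0.0.0.0/0")]
NACL_OUT_MISSING = []                                   # ephemeral-port rule forgotten
NACL_OUT_FIXED = [Rule("tcp", (1024, 65535), "0.0.0.0/0")]
def web_sg():
    return SecurityGroup(inbound=[Rule("tcp", (443, 443), "0.0.0.0/0")], outbound=[])
```

The NACL passes the server's reply only once an outbound rule for the ephemeral port range exists, which is the explicit return-traffic rule the text refers to; the security group passes it from its connection table without any outbound rule.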
Provider support
The three biggest cloud providers each offer similar services for subnet-level network access controls:
AWS network ACLs applied to subnets
Azure network security groups applied to subnets
GCP firewall rules applied to networks
Resource-level access controls are likewise provided by each of them:
AWS security groups applied to instances
Azure network security groups applied to network interfaces (NICs)
GCP firewall rules applied to instances
Network segmentation
Don’t put everything into one public subnet. Instead, divide your VPC into logical subnets based on security requirements.
To manage network traffic between subnets and regulate access to and from the internet, you should configure route tables.
Place all resources that do not need direct internet access (e.g., databases and application servers) in private subnets and allow access to them only from other subnets.
Secure remote access
Avoid direct SSH/RDP access to your production instances in private subnets because they can become a gateway for attackers if compromised.
To keep internal traffic from being exposed to the public internet, use site-to-site VPN connections to link your on-premises networks to VPCs in the cloud.
Network monitoring and logging
Always set up monitoring and logging for your VPCs so you can localize issues and quickly react to threats.
Each of the big cloud providers offers a logging service that can give you the insights you need:
On AWS, you can use VPC Flow Logs and AWS CloudTrail.
Azure provides you with logs via Azure Network Watcher flow logs and Azure Monitor activity logs.
Google Cloud offers GCP VPC Flow Logs and Cloud Audit Logs.
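As an added example (not Wiz's or AWS's own tooling) of what the VPC Flow Logs mentioned above give you, this Python reviews a few constructed default-format AWS flow records for a web tier and reports accepted internet ingress on ports that were never meant to be open, plus external sources whose rejected connections probed several ports. The interface id, account id and addresses are constructed placeholders.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Constructed example, not Wiz or AWS tooling: parse AWS VPC Flow Log records
# in the default format and flag what a web-tier reviewer would want to know.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INTERNAL = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(line):
    """One default-format record to a dict; NODATA/SKIPDATA records yield None."""
    rec = dict(zip(FIELDS, line.split()))
    if len(rec) != len(FIELDS) or rec["log_status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec

def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)

def review(lines, expected_ports, scan_threshold=3):
    """Return (unexpected, scanners): accepted ingress from outside the VPC to a
    port not in expected_ports, and outside sources whose rejected flows hit at
    least scan_threshold distinct ports (a probing pattern worth a look)."""
    unexpected, rejected = [], defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or is_internal(rec["srcaddr"]):
            continue
        if rec["action"] == "ACCEPT" and rec["dstport"] not in expected_ports:
            unexpected.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
        elif rec["action"] == "REJECT":
            rejected[rec["srcaddr"]].add(rec["dstport"])
    scanners = sorted(s for s, ports in rejected.items() if len(ports) >= scan_threshold)
    return unexpected, scanners

# Constructed sample records for one web server ENI (account id is a placeholder).
SAMPLE = """\
2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 51515 443 6 12 4800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.23 10.0.1.10 40001 22 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40002 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40003 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40004 8080 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.5 10.0.1.10 50000 5432 6 20 9000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()

if __name__ == "__main__":
    print(review(SAMPLE, expected_ports={443}))
```

The accepted SSH flow from the internet is the finding to act on first: it means a security group still permits port 22 from anywhere, exactly the direct remote access the section above tells you to avoid.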
Infrastructure as code
Use infrastructure-as-code (IaC) tools like Terraform or AWS CloudFormation to define VPC configurations as reusable, version-controlled templates. This reduces misconfigurations, simplifies auditing, and supports secure-by-default deployments.
Advanced network security services
Don’t stop with the basic security services; apply more advanced offerings like DDoS protections, web application firewalls, and intrusion detection and prevention systems. These allow you to lock down the remaining gaps in your VPCs' security posture.
Audit and review configurations
Revisit how your VPC is set up, including firewall rules, network access controls, route tables, and IAM policies. Security isn't a one-and-done thing: It's always a good idea to audit and review everything regularly. You'll often find rules that aren't being used or are too open, and you'll stay up-to-date on the latest security recommendations.
Cloud-native environments move fast—and so do attackers. Security teams need continuous visibility into how VPCs are actually configured, connected, and exposed. While cloud-native controls (like security groups and firewalls) are important, they’re only part of the picture.
How Wiz Secures VPCs Across Your Multi-Cloud Environment
Static configuration checks alone can’t protect dynamic VPC environments. Wiz provides runtime-aware, context-rich visibility into your VPCs—across AWS, Azure, and GCP—so you can detect exposures, prioritize real risk, and respond faster.
Here are the vital VPC security capabilities that Wiz brings to the table:
VPC flow log ingestion and analysis
Wiz ingests and analyzes VPC flow logs to surface anomalous network activity, such as unexpected inbound traffic, lateral movement, and data exfiltration attempts. It can also correlate network flows with workload, identity, and vulnerability data to prioritize risks with real exposure.
Wiz Defend: Cloud-native threat detection in VPCs
Wiz Defend uses VPC flow logs, process telemetry, and other runtime signals to detect threats inside VPCs, such as crypto miners, command-and-control traffic, and internal scanning. And by leveraging existing telemetry, Wiz also provides agentless cloud-native intrusion detection.
Public exposure detection
Wiz automatically flags internet-exposed VMs, containers, and services, even when the exposure is indirect or stems from misconfigured routes, identity paths, or overly permissive rules, and then highlights the paths from public ingress points to sensitive assets within the VPC. Its agentless scanning does this continuously.
VPC misconfiguration & segmentation analysis
Wiz identifies overly permissive security groups, route tables that bypass intended controls, and flat network topologies that increase lateral movement risk, giving you insight into whether segmentation is functioning as intended. It also alerts you when assets are reachable across VPCs or accounts that should not be.
Unified graph view
Wiz’s industry-leading Security Graph visualizes your subnets, workloads, and identities in a single view and correlates VPC assets with workload, identity, and data sensitivity, so security teams can quickly understand blast radius and prioritize remediation paths.
Ready to move beyond static checks and surface real exposure in your cloud network? Request a demo to see how Wiz secures your VPCs with context-rich analysis and agentless detection—across every cloud.