Beyond the default: a Multi-VPC architecture

Andreas Wittig – 14 Oct 2016

I created my first AWS account on December 23, 2012. The one thing that surprised me most was the possibility to define private networks with Virtual Private Cloud (VPC). This allowed me to create isolated areas, a fundamental prerequisite for building a high-security infrastructure.

Default VPC

Each AWS account created after December 2013 contains a Default VPC in each region. If you have not created a custom VPC, your EC2 instances are launched into the Default VPC automatically. That’s fine for a quick start on AWS, but if you are planning to run a production workload on AWS you should read on to learn how to use isolated networks.

Isolated networks

To secure your infrastructure you need to define who is allowed to access data and services. This is typically done by creating a set of rules, for example firewall rules.

Defining rules is easier and less error-prone if you isolate independent parts of your infrastructure from each other.

Typical reasons to create isolated networks:

  • Separating customers.
  • Separating applications.
  • Separating environments (development, testing, and production).


Imagine the following scenario. Your company is hosting eCommerce applications for two customers: Yellow Shop and Blue Shop. Part of the deal with your customers is an agreement guaranteeing an isolation of their networking infrastructure. Your task is to design the networking architecture for the system consisting of three parts:

  • Load Balancer
  • Web Application
  • SQL Database

Multi-VPC architecture

Instead of using the Default VPC for your whole infrastructure use multiple VPCs to enable isolation between your two customers. The following figure shows two VPCs. The VPC of the Yellow Shop is highlighted yellow, the VPC of the Blue Shop is highlighted blue.

Multi VPC


Each VPC defines a solid boundary. Network traffic from the Yellow Shop’s VPC is not able to reach the Blue Shop’s VPC.

The next figure shows the components of a VPC:

  • Public Subnet
    • Attached to an Internet Gateway enabling incoming and outgoing Internet traffic.
    • Contains the Load Balancer which forwards requests to the EC2 Instances running in the Private Subnet.
  • Private Subnet
    • Attached to a NAT Gateway enabling outgoing Internet traffic.
    • Contains the Web Application running on EC2 and the SQL Database (Amazon RDS).
    • Neither the Web Application nor the SQL database is reachable from the Internet; the Load Balancer is the only Internet-facing component.


Why should you use two subnets of each kind? Because a subnet is linked to an Availability Zone. To distribute your infrastructure across two Availability Zones for high availability, you need a subnet of each kind in each Availability Zone you want to use.

The VPC isolates your networks. On top of that, use Network ACLs and Security Groups to control network traffic within your VPC.

CloudFormation templates

CloudFormation is the Infrastructure as Code service offered by AWS. Using CloudFormation allows you to automate the creation of a Multi-VPC architecture. We share our CloudFormation templates on GitHub; use the VPC templates to get started quickly.


Using a Multi-VPC architecture allows you to isolate different parts of your infrastructure. Following the principle of divide and conquer simplifies your setup and improves security, because access control becomes more precise and less error-prone.
