The most underappreciated AWS service

Three letters for you.

V. P. C.

Amazon Web Services’ Virtual Private Cloud is often the first real hurdle for developers and others looking to understand cloud systems. I know it was for me; I’d not had much networking experience when I first encountered it. To really grok VPC, you need to have at least a mild understanding of network architecture, including subnets and gateways. In my experience, such knowledge isn’t par for the course with software developers.

Most software developers can quickly understand EC2 (oh, a virtual machine) and S3 (ah, a gigantic disk drive). However, VPC’s networking abstractions are tougher. However, VPC is magic.

Let’s talk a bit more about this. AWS built a performant software defined networking layer. But they didn’t just port all the concepts from the physical world into the cloud. At least, when I read the Unix and Linux Sysadmin’s Guide, which dives deep into such things, that’s how it looks to me.

Instead, AWS followed the 80/20 rule, giving developers and architects flexibility to build real network architectures. These architectures can support real world applications, with real world security needs and compliance concerns.

Yes, you can also achieve such separation using different AWS constructs (and should!). IAM and Organizations spring to mind. But for many, making sure that they could easily port their current security posture to AWS made a cloud transition easier.

VPC simplifies the networking layer enough that even developers with little networking experience can understand it (like me!). AWS has even provided network logging so that, should you need to delve deep into your networking layer for troubleshooting or auditing, you can.

VPC is also fundamental to other services. EC2 instances are still the majority of AWS budgets, according to Corey Quinn’s 2020 Re:Invent rebuttal.

VPCs are where those “machines” exist. The fancy managed services AWS wants you to use so they can lock you in? Often they are accessed by dropping ENIs into your VPC.

If not, these services are running in VPCs managed by AWS, therefore inaccessible to you except through tightly managed interfaces. See, the security works!

To top it all off, VPC is free and ubiquitous.

AWS’s VPC is the water to cloud engineers’ fish; we don’t even see it, let alone appreciate it.

© Moore Consulting, 2003-2021