AWS: Security Best Practices on AWS


Product type Book
Published in Mar 2018
Publisher Packt
ISBN-13 9781789134513
Pages 118 pages
Edition 1st Edition
Author (1): Albert Anthony

VPC Features and Benefits


AWS VPC offers many features and benefits for securing your resources in your own virtual network on the cloud. You can scale and select resources in a VPC as per your requirements, just like you do elsewhere in AWS, with the same level of reliability and additional security. Let's look at these features and benefits.

Multiple Connectivity Options

Your AWS VPC can be connected to a variety of resources, such as the internet, your on-premise data center, other VPCs in your AWS account, or VPCs in other AWS accounts; once connected, you can make your resources accessible or inaccessible in your VPC from outside of your VPC based on your requirement.

You can allow your instances in your VPC to connect with the internet directly by launching them in a subnet that is publicly accessible, also known as a public subnet. This way, your instances can send and receive traffic from the internet directly.

For instances in private subnets that are not publicly accessible, you can use a NAT device placed in a public subnet to access the internet without exposing their private IP address.

You can connect your VPC to your corporate data center by creating a secure VPN tunnel using an encrypted IPsec hardware VPN connection. Once connected, all traffic between instances in your VPC and your corporate data center will be secured via this industry-standard hardware VPN connection.

You can connect your VPC with other VPCs privately in the same region through the VPC peering feature. This way, you can share resources in your VPC with other virtual networks across your AWS accounts or other AWS accounts.

The VPC endpoint is used to connect to AWS services such as S3 without using an internet gateway or NAT. You can also configure which users or resources are allowed to connect to these AWS services.

You can mix and match the mentioned options to support your business or application requirements. For example, you can connect your VPC to your corporate data center using a hardware VPN connection, and you can allow instances in your public subnet to connect directly with the internet as well. You can configure route tables in your VPC to direct all traffic to its appropriate destination.

Secure

AWS VPC has security groups that act as an instance-level firewall and network ACLs that act as a subnet-level firewall. These advanced security features allow you to configure rules for incoming and outgoing traffic for your instances and subnets in your VPC.

With the help of the VPC endpoint, you can enable access control for your data in AWS S3 so that only instances in your VPC can access that data. You can also launch dedicated instances to have isolation at the instance level; these instances have dedicated hardware for a single customer.
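The S3 access control described above is usually expressed as a bucket policy keyed on the `aws:SourceVpce` condition. The following is an added example, not code from the book: it builds such a policy and audits a policy document for it offline. The bucket name `example-bucket`, the endpoint ID `vpce-EXAMPLE`, and the function names are placeholders and assumptions.

```python
import json

def vpce_only_policy(bucket, vpce_id):
    """Deny every S3 action on the bucket unless the request arrives via vpce_id."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyUnlessFromVpce", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}}}]}

# Constructed weak policy: an Allow scoped to the endpoint does not stop
# principals that hold their own IAM S3 permissions from reaching the bucket
# over other network paths, so the audit below must reject it.
ALLOW_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]}

def _as_list(value):
    # Policy fields may hold a single value or a list of values.
    return value if isinstance(value, list) else [value]

def restricts_to_vpce(policy, bucket, allowed_vpces):
    """True only if a single Deny statement covers all principals, all S3
    actions, and both the bucket and its objects, for requests that do not
    come from an allowed endpoint. Deliberately conservative: other
    equivalent policy shapes are reported as not restricted."""
    wanted = {f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"}
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Deny" or st.get("Principal") != "*":
            continue
        if not {"s3:*", "*"} & set(_as_list(st.get("Action", []))):
            continue
        if not wanted <= set(_as_list(st.get("Resource", []))):
            continue
        # Condition key names are case-insensitive, so normalise them.
        cond = {k.lower(): v for k, v in
                st.get("Condition", {}).get("StringNotEquals", {}).items()}
        listed = set(_as_list(cond.get("aws:sourcevpce", [])))
        if listed and listed <= set(allowed_vpces):
            return True
    return False

if __name__ == "__main__":
    policy = vpce_only_policy("example-bucket", "vpce-EXAMPLE")
    print(json.dumps(policy, indent=2))
    print(restricts_to_vpce(policy, "example-bucket", ["vpce-EXAMPLE"]))
```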

Simple

An AWS VPC can be created using the AWS Management Console in a couple of ways: you can either create it through the Start VPC Wizard, or you can create it manually. You can also create a VPC from the AWS command-line interface.

The VPC wizard gives you multiple options to create a VPC, as shown in the following figure; you can pick one that suits your requirements and customize it later if needed. When you create a VPC using the VPC wizard, all components of the VPC, such as security groups, route tables, subnets, and so on, are automatically created by the wizard:

Figure 5: AWS VPC wizard
