Amazon VPC

AWS lets you create a logically isolated virtual network and launch EC2 instances inside it. Such a network is called a VPC, or Virtual Private Cloud. A VPC resembles a traditional network built in a data center, but with the benefits of the AWS cloud, such as scalability and elasticity.

A new VPC is created by choosing an IP address range (a CIDR block), carving it into subnets, and configuring the network properties (route tables, gateways, DNS settings) and firewall rules (security groups and network ACLs).

AWS has historically supported two platforms into which you can launch your EC2 instances:

  • EC2-Classic
  • EC2-VPC

EC2-Classic, the original flat network shared with other customers, was retired by AWS in 2022; every new instance now launches into a VPC. When a new EC2 instance is launched, you can either choose a specific VPC or let the instance launch in the account's default VPC. The default VPC combines the two platforms: it provides the isolation and control of the EC2-VPC platform with the ease of use of EC2-Classic, because it comes preconfigured with a public subnet in each Availability Zone, an internet gateway, and a route to that gateway.

An EC2 instance launched in a default subnet of the default VPC is assigned both a private IP address and a public IP address, and the default route table sends internet-bound traffic to the VPC's internet gateway. Instances launched in a nondefault VPC receive only a private IP address unless public IP assignment is enabled on the subnet or at launch. Such instances can communicate with each other inside the VPC but cannot reach anything outside it, including AWS services such as S3 (unless a VPC endpoint is configured for that service). To give them access to external resources, a public IP address must be explicitly assigned: either an auto-assigned public IPv4 address, which is released when the instance stops, or an Elastic IP address, which is a static public address allocated to your account and associated with the instance. An internet gateway must also be attached to the VPC, and the subnet's route table must carry a route to it. Note that a public IP makes the instance reachable from the internet on whatever ports its security group and network ACL allow, so those rules should be restricted to what the workload needs.

A Network Address Translation (NAT) instance can also be configured so that instances in private subnets can initiate connections to the internet while no unsolicited inbound connection can reach them. The NAT instance rewrites the private source addresses of the VPC's instances to its own single public IP address, forwards the packets out through the internet gateway, and maps the replies back to the originating instance. For this to work, the NAT instance sits in a public subnet with a route to the internet gateway, the private subnets' route tables send 0.0.0.0/0 to it, and its source/destination check must be disabled, because EC2 otherwise drops packets whose addresses are not the instance's own. AWS now recommends the managed NAT gateway for this role: it scales automatically and removes the NAT instance as a single point of failure and a patching burden, although, like a NAT instance, it lives in one Availability Zone and should be deployed per zone for resilience.
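As an added example (not code from the page or from AWS), the following Python script applies the rules in the two paragraphs above to route-table and instance records shaped like the output of `aws ec2 describe-route-tables` and `describe-instances`: a subnet whose effective route table sends internet-bound traffic to an internet gateway is public, one whose default route goes to a NAT device is private, and anything else is isolated; an instance accepts inbound connections from the internet only if it is in a public subnet and has a public or Elastic IP, while a private-subnet instance gets outbound access only. All resource IDs and the sample records are constructed for the example, and security groups and network ACLs, which further filter traffic, are out of scope.

```python
"""Classify VPC subnets from route tables and flag internet-exposed instances.

Added example; not code from the page or from AWS. The route-table and
instance records are constructed (all IDs hypothetical) in the shape of
`aws ec2 describe-route-tables` / `describe-instances` output.
"""
import ipaddress

ROUTE_TABLES = [
    {   # main route table: only the local route, so unassociated subnets are isolated
        "RouteTableId": "rtb-main",
        "Associations": [{"Main": True}],
        "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}],
    },
    {   # public subnet: default route to the internet gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"Main": False, "SubnetId": "subnet-public"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"},
        ],
    },
    {   # private subnet: default route to a NAT gateway (a NAT instance would show as eni-/i-)
        "RouteTableId": "rtb-private",
        "Associations": [{"Main": False, "SubnetId": "subnet-private"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"},
        ],
    },
]

INSTANCES = [
    {"InstanceId": "i-web", "SubnetId": "subnet-public", "PublicIpAddress": "203.0.113.10"},
    {"InstanceId": "i-forgot", "SubnetId": "subnet-public"},   # public subnet but no public IP
    {"InstanceId": "i-app", "SubnetId": "subnet-private"},
    {"InstanceId": "i-db", "SubnetId": "subnet-db"},           # no explicit association -> main table
]

TARGET_KEYS = ("GatewayId", "NatGatewayId", "NetworkInterfaceId", "InstanceId")
INTERNET_PROBE = "198.51.100.1"   # TEST-NET-2; any address outside the VPC CIDR serves as a probe


def effective_route_table(route_tables, subnet_id):
    """An explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt["Associations"]:
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def lookup_route(route_table, dst):
    """Longest-prefix match, as the VPC router does; blackhole routes are skipped."""
    dst = ipaddress.ip_address(dst)
    best = None
    for route in route_table["Routes"]:
        if route.get("State") == "blackhole" or "DestinationCidrBlock" not in route:
            continue
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best[1] if best else None


def classify_subnet(route_tables, subnet_id):
    """'public' (IGW default route), 'private' (NAT default route) or 'isolated'."""
    rt = effective_route_table(route_tables, subnet_id)
    route = lookup_route(rt, INTERNET_PROBE) if rt else None
    target = next((route[k] for k in TARGET_KEYS if route and k in route), None)
    if target is None or target == "local":
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith(("nat-", "eni-", "i-")):
        return "private"      # NAT gateway, or a NAT instance addressed by ENI or instance ID
    return "isolated"         # vgw-/tgw-/pcx- targets reach other networks, not the internet


def exposure(instance, route_tables):
    """Inbound reachability needs a public subnet AND a public/Elastic IP; NAT gives egress only."""
    subnet_class = classify_subnet(route_tables, instance["SubnetId"])
    has_public_ip = "PublicIpAddress" in instance
    inbound = subnet_class == "public" and has_public_ip
    outbound = inbound or subnet_class == "private"
    return {"InstanceId": instance["InstanceId"], "subnet": subnet_class,
            "inbound_from_internet": inbound, "outbound_to_internet": outbound}


def internet_facing(instances, route_tables):
    """IDs of instances that accept unsolicited connections from the internet."""
    return [e["InstanceId"] for e in (exposure(i, route_tables) for i in instances)
            if e["inbound_from_internet"]]


if __name__ == "__main__":
    for inst in INSTANCES:
        print(exposure(inst, ROUTE_TABLES))
    print("internet-facing:", internet_facing(INSTANCES, ROUTE_TABLES))
```

Two results are worth noticing: `i-forgot` sits in the public subnet but has no public IP, so it has neither inbound nor outbound internet access, because the internet gateway only translates traffic for instances that own a public address; and `i-app` in the private subnet can reach out through the NAT gateway but is not reachable from outside. To run this against a real account, feed it the JSON from the two `describe-*` calls instead of the constructed records.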

In a hybrid cloud configuration, the company's data center that hosts the private cloud is connected to the VPC over an IPsec VPN connection; in effect, the data center network is extended into the public cloud.

A Site-to-Site VPN connection has two ends: a virtual private gateway (VGW) attached to the VPC, and a customer gateway on the data center side of the connection. The virtual private gateway is the VPN concentrator on the AWS side; the customer gateway is a hardware or software device on the customer side that terminates the IPsec tunnels. Each VPN connection provides two tunnels to separate AWS endpoints for redundancy, and the VGW's routes must be propagated to, or added to, the subnet route tables before traffic can flow.
