VPN or VPC: Which One Do You Need?

When you first come across the concept of virtual private clouds (VPCs) and virtual private networks (VPNs), you might bounce back and forth trying to figure out how they differ. Too much focus on the virtual private layer can blur the line of distinction. These two networking paradigms solve very different problems.

If you need to establish a connection between your company’s corporate network and isolated resources in the cloud (or behind a firewall), a VPN is what you need. On the other hand, if you’re looking to securely isolate resources within a public cloud, a VPC is the answer. In this post, you’ll learn the distinction between a VPN and a VPC, the network security problems they address, and how they can work together in certain use cases.

VPN

A virtual private network (VPN) allows you to create a private and secure connection to another network, primarily over the internet. These private network connections are based on secure virtual tunnels between different points in a public network. They rely on a perimeter layer of security and provide businesses with a flexible approach to connect many locations. As you can imagine, VPNs are likely to rank highly among modern digital strategies as companies move towards more distributed teams.

A common modern VPN diagram

In the context of cloud computing, companies use hosted VPNs to enable secure access to their private networks and other private resources. An example of this would be granting secure access to resources such as compute instances or shared network drives with sensitive company information. These private connections are usually set up between a company’s private network and its cloud environment. By creating a VPN connection, you are setting up a secure tunnel for data protection and cloud computing activity.

So where should you look for VPN solutions? The top cloud providers (AWS, GCP and Azure) each offer a VPN-as-a-service. You can also deploy your own VPN using tools like OpenVPN or Cisco VPN.

However, VPNs are not without their shortcomings. Here are a few drawbacks to consider before opting for a VPN solution:

  • Risk of exposure: Making use of the internet to create a private tunnel makes VPNs vulnerable to potential security breaches, performance issues, and network failures.
  • Reliability: Similar to the previous point, because of the reliance on the internet, businesses don’t have direct control over the reliability and availability of the VPN connection.
  • Security model: The perimeter security model that VPN relies on makes it vulnerable to attackers.
  • Performance: VPN performance is only as fast as the slowest internet connection between two endpoints. If you have unpredictable internet performance, this will create a disruption in the network connection.

An alternative solution to VPN is the Zero Trust model. It differs from VPN in that it continually authenticates any user or device that attempts to access the relevant network. The Zero Trust model verifies each incoming request—regardless of its origin—using authentication, authorization, and encryption before granting access to a user or device.

That being said, VPNs are still a good option for secure private connections between corporate networks and cloud environments.

VPC

Woman employee accessing cloud resources through a private network

While VPNs deal with workflow security problems, VPCs deal with the workload. A virtual private cloud (VPC) is a secure, isolated network hosted within a public cloud such as AWS, GCP, or Azure. You can think of it as having your own data center in the cloud, except you don’t have to worry about provisioning the physical hardware components. The underlying infrastructure a VPC runs on is shared between customers but offers logical isolation through the use of a private IP subnet or a virtual local area network (VLAN). A public cloud service is like a hotel, but a VPC is a reserved room accessible exclusively to the person who booked the room.

Companies typically make use of VPCs to benefit from a host of the resources and services provided by a public cloud provider but launched in a private environment. When you consider the operational agility that cloud computing offers, VPCs form a foundational part of that. Many companies desire the same ring-fenced networking model that on-premises data centers offer. For example, if your priority has been to securely run VMs for your application workloads, this is achievable with more flexibility and scaling capability in a VPC.

With their on-demand configuration, you can customize your private network space and define how traffic flows between resources in your VPC—as well as how they interact with the internet, if at all.

So is there any relationship between VPCs and VPNs, apart from the names? Absolutely. It’s not uncommon for these two components to coexist in the same architecture. Naturally, VPNs are popular when companies are looking to enable secure external access to corporate computing environments on premises. However, they are not exclusive to such use cases. With the continued growth of cloud adoption and an increasingly remote working world, businesses that run applications designed to be accessed exclusively by internal staff will make use of VPN solutions to connect to their VPCs in the cloud.

In another scenario, businesses with multiple branch offices, each having an on-premises network, can have an established VPN connection to their VPCs. This allows a company to benefit from the agility, flexibility, and privacy that a VPC offers, as well as a secure tunnel for traffic between the VPC and other networks belonging to a business.

VPCs are essentially configurable private networks that can be made securely accessible to other networks or individuals through the use of VPNs.

A diagram of an AWS VPC network architecture

As long as you’re aware of the relevant subcomponents, setting up a VPC in a cloud provider can be a relatively intuitive process. You can do it using the cloud provider’s console, their command-line utility, or an infrastructure as code (IaC) tool such as Terraform.

VPC Example with AWS & Terraform

Let’s take a look at what you’ll need from a high level to set up a VPC in AWS using Terraform. First, you’ll need to understand the following core network components that will define the structure of your VPC, even if they were created with the default configuration:

  • CIDR (Classless Inter-domain Routing): This is used for VPC addressing.
  • Subnets: These are subdivisions of the VPC address range into smaller address ranges to have different kinds of resources like EC2 instances, RDS databases or load balancers to be deployed so you can control whether the instances are reachable over the internet, whether they’re public or private.
  • Route Tables: This component makes the routing decisions, how the traffic flows within the VPC, the internet and other networks. When you create a VPC, it comes with a default main Route Table, which you’ll use to control traffic.
  • Security Groups: These are virtual firewalls that operate at an instance level. You can attach one Security Group to multiple instances. By default, they allow all outbound traffic and no inbound traffic.
  • Network ACL (Access Control List): This is a layer of security (or firewall) for controlling traffic in and out of one or more subnets.

And before you set up the VPC, you must have the following prerequisites:

  • AWS Account
  • AWS CLI installed and configured with an IAM profile
  • Terraform installed

Next, you’ll create what’s commonly known as a provider file (provider.tf). In this file, you will detail the cloud provider to use for creating the resources, the IAM profile that should be assumed to run the API commands, and the region that the resources should be created in. For example, your provider file might look like this:

provider "aws" {
  region  = "us-east-1"
  profile = "infrastructure-deployer"
}

The next step is to create a resource file (resource.tf) where you will define the VPC resource to be created. This will include your private IP address block and a name for your VPC.

resource "aws_vpc" "custom_vpc" {
  cidr_block       = "10.0.0.0/16"

  tags = {
    Name = "My first VPC"
  }
}

Initialize the Terraform project with the terraform init command in the root directory where the two Terraform files exist. Finally, to create the VPC resource in your AWS account, run terraform apply. You can also use the Terraform AWS Module to specify more options and get granular control over how your VPC is configured.

Conclusion

Network security is a vital component in technical architectures. This is especially true when it comes to where resources live and how you store your data, as well as how you will access both. In the modern context, cloud computing is growing in adoption as companies look to reduce operational overhead.

VPCs offer a secure and private approach for companies to create resources in the public cloud, allowing you to create an isolated network. However, if your company needs a secure method to grant access to these isolated resources in the cloud, then VPNs help solve this issue.

You may be wondering where to begin with securing your company’s sensitive resources. This is where a platform like Sym can help. Sym is a workflow automation platform for security, risk, and governance. If you’re considering rolling out a VPC or VPN, an alternative might be to implement a just-in-time access model, with granular access to resources granted based on a set of peer-approval rules. Sym can help make this super easy; check out the sym:approval Template for more details.

Related Posts