AWS History and Timeline regarding Amazon VPC - Overview, Functions, Features, Summary of Updates, and Introduction
This time, I have created a historical timeline for Amazon Virtual Private Cloud (Amazon VPC), the service that lets you provision a logically isolated section of the AWS Cloud where you launch AWS resources in a virtual network that you define. Amazon VPC was announced as a limited beta on August 25, 2009, and it has since become the foundational networking layer of AWS — the virtual network inside which Amazon EC2 instances, Amazon RDS databases, Amazon ECS and Amazon EKS workloads, AWS Lambda functions (when VPC-attached), and most other AWS resources actually run.
Just like before, I summarize the main features while following the birth of Amazon VPC and tracking its feature additions and updates, under the heading "Current Overview, Functions, Features of Amazon VPC".
This article focuses on the major service-level releases of Amazon VPC and its closely related networking primitives (endpoints, peering, IPv6, IPAM, analysis tooling), not on every minor regional expansion or SDK change.
I hope these will provide clues as to what has remained the same and what has changed, in addition to the features and concepts of Amazon VPC.
Background and Method of Creating Amazon VPC Historical Timeline
The reason for creating a historical timeline of Amazon VPC this time is that Amazon VPC, although it is the network foundation on which almost every other AWS service depends, did not yet have a dedicated history article in this series, even though Amazon EC2, Amazon ECS, Amazon EKS, and Amazon RDS already do. Amazon VPC is also one of the AWS services with the richest set of incremental milestones, having expanded along multiple axes: connectivity (peering, Transit Gateway, PrivateLink), addressing (CIDR, IPv6, IPAM), security (security groups, network ACLs, Flow Logs), and analysis (Reachability Analyzer, Network Access Analyzer). Therefore, I wanted to organize the information of Amazon VPC with the following approaches.
- Tracking the history of Amazon VPC and organizing the transition of updates
- Summarizing the feature list and characteristics of Amazon VPC
There may be slight variations in the dates on the timeline due to differences in the timing of announcements or article postings in the references used.
The content posted is limited to major features related to the current Amazon VPC and necessary for the feature list and overview description.
In other words, please note that the items on this timeline are not all updates to Amazon VPC features, but are representative updates that I have picked out.
The original announcement of Amazon VPC can be found here: Introducing Amazon Virtual Private Cloud (VPC).
Amazon VPC Historical Timeline (Updates from August 25, 2009)
| Date | Summary |
|---|---|
| 2009-08-25 | Amazon VPC is announced as a limited beta. It let customers provision a logically isolated section of AWS with a private IP address range and connect it to their own data center over an IPsec VPN through a Virtual Private Gateway, with no internet-facing access in this first release. [Source] |
| 2011-03-14 | Amazon VPC adds internet connectivity, Internet Gateways, route tables, network ACLs, and Elastic IP support. This "new approach to Amazon EC2 networking" introduced public, private, and DMZ subnet patterns and the route-table and Internet Gateway model that VPC still uses today. [Source] |
| 2011-08-03 | Amazon VPC becomes generally available. VPC exited beta with multi-Availability-Zone support and production SLAs across multiple AWS Regions, making isolated virtual networks a mainstream deployment model. [Source] |
| 2011-12-21 | Elastic Network Interfaces (ENIs) launch for Amazon VPC. An ENI is a virtual network interface with its own private IP, security groups, and MAC address that has a lifecycle independent of the instance and can be attached to or detached from running instances, enabling dual-homed and management-network designs. [Source] |
| 2012-07-06 | Amazon VPC supports multiple private IP addresses per EC2 instance. Each secondary private IP can be associated with its own Elastic IP, allowing a single instance to host multiple SSL sites or act as a network appliance. [Source] |
| 2013-03-11 | AWS makes a default VPC available so that EC2 instances launch into a VPC automatically. New accounts, and existing accounts in newly entered Regions, receive a pre-configured default VPC with a subnet per Availability Zone, an Internet Gateway, and a default route table, making VPC the universal launch platform without code changes. [Source] |
| 2014-03-24 | Amazon VPC Peering launches for VPCs within the same Region. A peering connection is a one-to-one relationship that lets two VPCs (in the same or different accounts) route traffic using private IPv4 addresses with no gateway or VPN; peering is non-transitive. [Source] |
| 2015-01-08 | Amazon VPC ClassicLink becomes available. ClassicLink links a running EC2-Classic instance to a VPC in the same Region and account and applies VPC security groups to it, enabling private-IP communication during migrations from EC2-Classic to VPC. [Source] |
| 2015-05-11 | Amazon VPC introduces Gateway VPC Endpoints for Amazon S3. This first-ever VPC endpoint type let instances in private subnets reach Amazon S3 over the AWS network without an Internet Gateway or NAT device, with endpoint policies and S3 bucket policies controlling access. [Source] |
| 2015-06-10 | Amazon VPC Flow Logs launch. Flow Logs capture metadata about accepted and rejected IP traffic for a VPC, subnet, or ENI and deliver it to Amazon CloudWatch Logs for troubleshooting, security analysis, and compliance. [Source] |
| 2015-12-17 | AWS launches the managed NAT Gateway for Amazon VPC. The managed NAT Gateway provides highly available outbound internet access for private subnets without operating self-managed NAT instances on EC2. [Source] |
| 2016-03-01 | Amazon VPC adds security group references across peered VPCs. Inbound and outbound rules can reference the peer VPC's security group ID instead of a CIDR block (same-Region peering, including cross-account), reducing CIDR maintenance as workloads scale. [Source] |
| 2016-07-28 | Amazon VPC supports DNS resolution across VPC peering connections. Either side of a peering connection can be enabled to resolve the peer's public DNS hostnames to private IP addresses, including for cross-account peering. [Source] |
| 2016-12-01 | Amazon VPC adds native IPv6 support and the Egress-Only Internet Gateway. VPCs and EC2 instances could now run dual-stack with IPv6 addresses (a /56 per VPC, /64 per subnet), and the Egress-Only Internet Gateway provided stateful outbound-only IPv6 internet access analogous to a NAT device. [Source] |
| 2017-01-25 | Amazon VPC IPv6 support expands to additional AWS Regions. Dual-stack IPv6 for EC2 instances in VPC moved beyond the initial Region to broad regional availability, with IPv6 carried through Internet Gateways, peering, and Flow Logs. [Source] |
| 2017-08-16 | Amazon VPC adds a Gateway VPC Endpoint for Amazon DynamoDB. DynamoDB became the second service reachable through a gateway endpoint, letting instances access it privately with no Internet Gateway or NAT device. [Source] |
| 2017-08-29 | Amazon VPC allows secondary IPv4 CIDR blocks on an existing VPC. Customers can add additional CIDR ranges to a VPC after creation, expanding usable address space without re-creating the VPC. [Source] |
| 2017-08-31 | Amazon VPC adds descriptions for security group rules. Each inbound or outbound rule can carry a free-text description, making large rule sets easier to audit and maintain. [Source] |
| 2017-11-08 | AWS PrivateLink and Interface VPC Endpoints launch for AWS services. Interface endpoints appear as ENIs with private IPs inside the VPC, enabling private access to AWS service APIs (initially Amazon EC2, ELB, Kinesis, Service Catalog, and Systems Manager) without an Internet Gateway and over AWS Direct Connect. [Source] |
| 2017-11-28 | AWS PrivateLink extends to customer and partner endpoint services. Providers front their applications with a Network Load Balancer and publish a VPC endpoint service that consumers in any account reach through interface endpoints, establishing the provider/consumer SaaS connectivity model. [Source] |
| 2017-11-29 | Amazon VPC adds Inter-Region VPC Peering. VPCs in different AWS Regions can peer and exchange traffic over the encrypted AWS global backbone using private IP addresses, never traversing the public internet. [Source] |
| 2018-07-17 | AWS announces Bring Your Own IP (BYOIP) for Amazon VPC in preview. Customers can bring their own publicly routable IPv4 ranges to AWS for use with EC2, NAT Gateways, and Network Load Balancers, preserving IP reputation and allow-list entries. [Source] |
| 2018-08-08 | Amazon VPC Flow Logs can be delivered directly to Amazon S3. Publishing flow logs to S3 enabled cost-effective archiving and direct querying with Amazon Athena, in addition to the existing CloudWatch Logs destination. [Source] |
| 2018-10-24 | Bring Your Own IP (BYOIP) for Amazon VPC reaches general availability. Customers can provision their own IPv4 address ranges as Elastic IP pools in their accounts and advertise them from AWS. [Source] |
| 2018-11-19 | Amazon Route 53 Resolver launches hybrid DNS for VPCs. Inbound and outbound Resolver endpoints provide bi-directional DNS resolution between VPCs and on-premises networks over AWS Direct Connect or VPN, replacing self-managed forwarder instances. [Source] |
| 2018-11-26 | AWS Transit Gateway launches as a hub for connecting VPCs and on-premises networks. Transit Gateway replaces complex meshes of VPC peering and per-VPC gateways with a single managed transit hub that VPCs, VPN connections, and Direct Connect gateways attach to, with central route tables. [Source] |
| 2019-01-11 | Amazon VPC sharing becomes available through AWS Resource Access Manager (RAM). A VPC owner can share subnets with other accounts in the same AWS Organization so that participant accounts deploy resources into centrally managed subnets while the owner controls routing and gateways. [Source] |
| 2019-06-17 | Amazon VPC adds endpoint policies for interface endpoints. Resource-style policies attached to interface endpoints let administrators control which principals and actions are allowed through a given AWS PrivateLink endpoint. [Source] |
| 2019-06-25 | Amazon VPC Traffic Mirroring launches. Traffic Mirroring copies packets from an ENI to monitoring and security appliances at the Nitro layer, supporting filters and truncation and fan-out to an appliance fleet behind a Network Load Balancer. [Source] |
| 2019-09-11 | Amazon VPC Flow Logs add custom metadata fields. New fields such as vpc-id, subnet-id, instance-id, tcp-flags, pkt-srcaddr, and pkt-dstaddr enrich each record, including the true source and destination behind NAT and Transit Gateway. [Source] |
| 2019-12-03 | Amazon VPC Ingress Routing launches. Ingress routing lets all traffic entering through an Internet Gateway or Virtual Private Gateway be steered to a specific ENI — typically a virtual security appliance — before reaching its destination. [Source] |
| 2019-12-03 | AWS launches Accelerated Site-to-Site VPN. Accelerated VPN routes Site-to-Site VPN traffic through AWS Global Accelerator edge locations for more consistent performance, for connections attached to a Transit Gateway. [Source] |
| 2020-05-05 | Amazon VPC Flow Logs add location metadata and custom format to CloudWatch Logs. Region, Availability Zone ID, and sublocation fields, plus custom-format delivery to CloudWatch Logs, simplified analysis of multi-AZ and edge workloads. [Source] |
| 2020-05-21 | Amazon VPC supports Bring Your Own IPv6 (BYOIPv6) addresses. Customers can bring their own IPv6 ranges to AWS, associate them with subnets and ENIs, and advertise them via the Internet Gateway or privately over Direct Connect. [Source] |
| 2020-06-29 | Amazon VPC launches customer-managed prefix lists. A prefix list is a named, versioned set of CIDR blocks that can be referenced in security group rules and route tables and shared via AWS RAM, simplifying large-scale network configuration. [Source] |
| 2020-11-11 | AWS launches Gateway Load Balancer and the Gateway Load Balancer Endpoint. The GWLB endpoint is a third VPC endpoint type, powered by AWS PrivateLink, that acts as a route-table next hop to transparently send traffic through fleets of third-party virtual appliances using GENEVE encapsulation. [Source] |
| 2020-11-19 | AWS Network Firewall launches for deployment inside Amazon VPC. Network Firewall provides managed, stateful inspection and IDS/IPS with Suricata-compatible rules, scaling automatically and integrating with AWS Firewall Manager for organization-wide policy. [Source] |
| 2020-12-10 | Amazon VPC Reachability Analyzer launches. Reachability Analyzer uses automated reasoning over security groups, NACLs, route tables, and gateways to verify or diagnose connectivity between two endpoints without sending live traffic, returning a hop-by-hop path or the blocking component. [Source] |
| 2021-02-02 | AWS PrivateLink for Amazon S3 launches Interface VPC Endpoints for Amazon S3. Interface endpoints complement the original 2015 gateway endpoint by exposing Amazon S3 as private IPs inside the VPC, so on-premises clients can reach S3 privately over AWS Direct Connect or VPN; gateway and interface endpoints can be used together in the same VPC. [Source] |
| 2021-03-03 | Amazon VPC Flow Logs add AWS service, traffic path, and flow direction fields. The new pkt-src-aws-service, pkt-dst-aws-service, flow-direction, and traffic-path fields reveal which AWS services workloads talk to and the next hop for egress flows. [Source] |
| 2021-04-07 | Amazon Route 53 Resolver DNS Firewall becomes generally available. DNS Firewall controls outbound DNS from a VPC with domain block-lists and allow-lists (including a "walled-garden" model), ships managed malware and botnet command-and-control domain lists, and can be deployed organization-wide through AWS Firewall Manager. [Source] |
| 2021-07-07 | Amazon VPC adds unique IDs and tagging for individual security group rules. A stable SecurityGroupRuleId simplifies rule management via the CLI and API and enables tag-based governance across large fleets. [Source] |
| 2021-07-28 | AWS announces the retirement of EC2-Classic with an August 15, 2022 deadline. Accounts created after December 4, 2013 were already VPC-only; remaining EC2-Classic customers were directed to migrate instances, Elastic IPs, and security groups to VPC. [Source] |
| 2021-11-23 | Amazon VPC introduces IPv6-only subnets and EC2 instances. Nitro-based instances can launch into IPv6-only subnets and receive only IPv6 addresses, eliminating IPv4 consumption for large-scale container and serverless workloads. [Source] |
| 2021-11-24 | AWS adds NAT64 on NAT Gateway and DNS64 on Route 53 Resolver. IPv6-only workloads can reach IPv4-only destinations: DNS64 synthesizes IPv6 addresses and the NAT Gateway performs NAT64 translation. [Source] |
| 2021-12-01 | Amazon VPC IP Address Manager (IPAM) launches. IPAM automates IP allocation across accounts and Regions, enforces governance rules, tracks utilization with audit history, and integrates with AWS Organizations and RAM for a unified view of address space. [Source] |
| 2021-12-01 | Amazon VPC Network Access Analyzer launches. Network Access Analyzer evaluates network access against customer-defined Network Access Scopes and surfaces all paths that fall outside those scopes, complementing point-to-point Reachability Analyzer. [Source] |
| 2022-07-12 | AWS Cloud WAN becomes generally available. Cloud WAN builds and manages a unified global network from a central policy, connecting Amazon VPCs, AWS Transit Gateways, and on-premises locations (over AWS Site-to-Site VPN, AWS Direct Connect, or SD-WAN) and exchanging routes worldwide with BGP, complementing per-Region Transit Gateways for large multi-Region networks. [Source] |
| 2022-07-14 | Amazon VPC Flow Logs add support for AWS Transit Gateway. A single central collection point captures flows traversing a Transit Gateway, removing the need to correlate per-VPC ENI logs to understand inter-VPC traffic. [Source] |
| 2022-08-15 | Amazon EC2-Classic is fully retired, leaving Amazon VPC as the sole EC2 networking model. The retirement removed the last remnants of the original flat network that predated VPC; all accounts are now VPC-only. [Source] |
| 2022-11-29 | AWS announces Amazon VPC Lattice in preview at re:Invent 2022. VPC Lattice is a managed application networking service for service-to-service connectivity across VPCs and accounts, with request-level routing, IAM-based authorization, and observability, without sidecar proxies. [Source] |
| 2023-03-31 | Amazon VPC Lattice reaches general availability. GA added custom domain names with TLS, Application Load Balancer and Network Load Balancer targets, IPv6 targets, and an open-source AWS Gateway API Controller for Kubernetes. [Source] |
| 2023-07-28 | Amazon VPC IPAM adds Public IP Insights. Public IP Insights inventories every AWS resource carrying a public IPv4 address and flags idle or inefficiently used addresses, helping reduce public IPv4 footprint. [Source] |
| 2023-11-17 | Amazon VPC IPAM adds Bring Your Own ASN (BYOASN). Customers can advertise their BYOIP ranges from their own Autonomous System Number, preserving BGP reputation and avoiding partner allow-list changes. [Source] |
| 2024-03-19 | Amazon DynamoDB adds an AWS PrivateLink interface endpoint. In addition to the original 2017 gateway endpoint, an interface endpoint allows private access to DynamoDB from on-premises and cross-Region clients over Direct Connect or VPN. [Source] |
| 2024-07-22 | Amazon VPC IPAM expands BYOIP to IPs from any internet registry. BYOIP previously required ARIN, RIPE, or APNIC; DNS-record validation now opens it to ranges registered with registries such as JPNIC, LACNIC, and AFRINIC. [Source] |
| 2024-09-25 | Security group referencing for AWS Transit Gateway becomes generally available. Inbound rules can reference a peer security group across Transit Gateway-connected VPCs, not just peered VPCs, easing migrations from peering to Transit Gateway. [Source] |
| 2024-10-30 | Amazon VPC launches Security Group VPC Associations and shared security groups. A single security group can be associated with multiple VPCs in the same account and Region, and shared with participant accounts via AWS RAM, with rule changes propagating automatically. [Source] |
| 2024-11-19 | Amazon VPC launches VPC Block Public Access (BPA). VPC BPA is a declarative account- or VPC-level control that authoritatively blocks inbound and/or outbound internet traffic, superseding Internet Gateway settings, with subnet exclusions and Network Access Analyzer integration. [Source] |
| 2024-11-26 | AWS PrivateLink adds cross-Region connectivity for endpoint services. Interface endpoints can reach endpoint services hosted in another Region within the same partition without VPC peering, gated by a dedicated IAM action. [Source] |
| 2024-12-01 | AWS PrivateLink introduces Resource VPC Endpoints and resource gateways. Resources such as RDS databases, IP addresses, and on-premises endpoints can be shared via AWS RAM and reached through resource endpoints or pooled into VPC Lattice service networks, without a load balancer. [Source] |
| 2024-12-02 | Amazon VPC Lattice adds TCP support and VPC resources. Service networks can now include TCP resources such as databases alongside HTTP/HTTPS services, providing unified access control and observability across thousands of VPCs via resource configurations and resource gateways. [Source] |
| 2025-03-07 | Application Load Balancer integrates with Amazon VPC IPAM for public IPv4 management. ALB can source public IPv4 addresses from a customer-managed IPAM pool (including BYOIP), bringing load-balancer addresses under the same governance as other resources. [Source] |
| 2025-04-01 | Amazon VPC Route Server becomes generally available. Route Server accepts BGP route advertisements from virtual appliances and dynamically updates VPC, subnet, and Internet Gateway route tables, with BFD-based failover — removing the custom scripts and overlay networks previously needed for dynamic routing inside a VPC. [Source] |
| 2025-04-30 | Amazon VPC Lattice adds IPv6 support for management endpoints. The Lattice control-plane API accepts IPv4, IPv6, or dual-stack connections, including through AWS PrivateLink interface endpoints, supporting gradual IPv6 migration. [Source] |
| 2025-05-01 | Amazon VPC IPAM adds cost distribution to AWS Organizations member accounts. IPAM costs can be allocated to member accounts based on actual IP usage, supporting internal chargeback and showback. [Source] |
| 2025-08-21 | Amazon VPC IPAM adds in-console CloudWatch alarm management. Administrators can create and view CloudWatch alarms for IPAM metrics directly from the IPAM console for a unified view of address-space health. [Source] |
| 2025-10-07 | Amazon VPC Lattice supports configurable IP addresses for resource gateways. Customers control the number of IPv4 addresses per resource gateway ENI, tuning the maximum number of concurrent TCP connections to shared backend resources. [Source] |
| 2025-10-31 | Amazon VPC IPAM introduces the Prefix List Resolver to automate prefix lists. Business rules in IPAM keep prefix lists synchronized with VPC, subnet, and pool ranges so route tables and security groups stay current without manual edits. [Source] |
| 2025-11-10 | Amazon S3 adds IPv6 for gateway and interface VPC endpoints. Customers can set an S3 VPC endpoint to IPv6 or dual-stack, removing IPv4 overlap concerns and easing IPv6-only VPC deployments. [Source] |
| 2025-11-17 | Amazon VPC IPAM automates IP assignments from Infoblox. IPAM can pull non-overlapping IPv4 allocations from an on-premises Infoblox Universal IPAM into AWS IPAM pools, replacing manual ticket-based hybrid IP governance. [Source] |
| 2025-11-19 | AWS PrivateLink extends cross-Region connectivity to select AWS managed services. Interface endpoints can reach AWS services such as Amazon S3, Route 53, and Amazon ECR in another Region within the same partition, enabling globally distributed private networks. [Source] |
| 2025-11-19 | AWS NAT Gateway adds a regional availability mode for automatic multi-AZ expansion. A single regional NAT Gateway expands and contracts across Availability Zones following workload presence, removing per-AZ provisioning and route-table updates. [Source] |
| 2025-11-21 | AWS introduces VPC Encryption Controls to monitor and enforce in-transit encryption. Security teams can require hardware-based encryption for traffic between VPC resources, generate audit logs for compliance, and detect resources allowing plaintext traffic. [Source] |
| 2025-11-30 | AWS Interconnect - multicloud enters preview to connect Amazon VPCs to other clouds. The service provides private, high-speed connections between AWS networking (Transit Gateway, AWS Cloud WAN, and VPC) and other cloud providers, launching with Google Cloud as the first partner. [Source] |
Current Overview, Functions, Features of Amazon VPC
From here, I will explain in detail the main features of the current Amazon VPC.
Amazon VPC (Amazon Virtual Private Cloud) is a service that lets you provision a logically isolated section of the AWS Cloud, called a VPC, where you launch AWS resources into a virtual network that you fully control: you choose your own IP address range (IPv4 and/or IPv6), create subnets, and configure route tables, gateways, and security controls.
Amazon VPC is the foundational networking layer of AWS. Amazon EC2 instances, Amazon RDS and Amazon Aurora databases, Amazon ECS and Amazon EKS workloads, Amazon ElastiCache clusters, Amazon Redshift clusters, and VPC-attached AWS Lambda functions all run inside subnets of a VPC. Higher-level connectivity services such as AWS Transit Gateway, AWS PrivateLink, Amazon VPC Lattice, AWS Site-to-Site VPN, and AWS Direct Connect extend a VPC to other VPCs, to other accounts and Regions, and to on-premises networks. Amazon VPC also provides the primary network security boundary in AWS through security groups, network ACLs, and (more recently) VPC Block Public Access and VPC Encryption Controls.
Amazon VPC Use Cases
Amazon VPC is used in virtually every AWS deployment, because almost all AWS compute and data resources must run inside a VPC. The main use cases of Amazon VPC include the following:
- Isolated multi-tier applications
  Place web, application, and database tiers in separate public and private subnets with route tables and security groups enforcing tier-to-tier access.
- Hybrid connectivity to on-premises
  Connect a VPC to a corporate data center over AWS Site-to-Site VPN or AWS Direct Connect, with Amazon Route 53 Resolver providing hybrid DNS.
- Multi-VPC and multi-account networking
  Interconnect many VPCs and accounts using VPC Peering, AWS Transit Gateway, or VPC sharing through AWS Resource Access Manager (RAM).
- Private access to AWS services and SaaS
  Reach Amazon S3, Amazon DynamoDB, and other AWS services, plus partner and internal services, privately through Gateway and Interface (AWS PrivateLink) VPC endpoints.
- Service-to-service application networking
  Use Amazon VPC Lattice to connect and secure communication between services across VPCs and accounts without managing peering meshes or sidecars.
- Inline network security
  Insert firewalls and IDS/IPS via Gateway Load Balancer endpoints, AWS Network Firewall, ingress routing, and Traffic Mirroring.
- Network governance and IP management
  Plan, allocate, and audit IP address space at scale with Amazon VPC IP Address Manager (IPAM), prefix lists, and BYOIP.
- IPv6 and IPv4-conservation strategies
  Adopt dual-stack or IPv6-only subnets, with NAT64/DNS64 for reaching IPv4-only destinations and Public IP Insights for reducing public IPv4 usage.
Specific Examples of Use Cases
For instance, there are the following specific examples of use cases.
- Three-tier web application
  An Application Load Balancer sits in public subnets, EC2 Auto Scaling groups and containers run in private subnets, and an Amazon RDS Multi-AZ database runs in isolated database subnets, with a NAT Gateway providing outbound updates.
- Centralized egress and inspection
  A network account hosts AWS Network Firewall and a Transit Gateway; spoke VPCs route internet-bound traffic through the inspection VPC for centralized filtering and logging.
- Private SaaS delivery
  A software vendor publishes a VPC endpoint service backed by a Network Load Balancer so that customers connect privately through AWS PrivateLink interface endpoints in their own VPCs.
- Enterprise-wide IP governance
  A platform team uses Amazon VPC IPAM with AWS Organizations to allocate non-overlapping CIDR blocks per business unit and Region, with Public IP Insights and IPAM policies enforcing efficient public IPv4 usage.
- IPv6-only modernization
  A container platform launches Nitro-based instances into IPv6-only subnets and uses DNS64 on Amazon Route 53 Resolver and NAT64 on a NAT Gateway to reach remaining IPv4-only dependencies.
Amazon VPC Key Functions and Features
The current Amazon VPC can be understood through the following groups of functions and features.
- Core building blocks
  A VPC with one or more IPv4/IPv6 CIDR blocks, subnets per Availability Zone, route tables, Internet Gateways, Egress-Only Internet Gateways, NAT Gateways, and Elastic Network Interfaces (ENIs) form the basic virtual network, with Amazon VPC Route Server available for dynamic BGP route propagation into route tables when virtual appliances are used.
- Connectivity between networks
  - VPC Peering for one-to-one private connectivity within or across Regions and accounts.
  - AWS Transit Gateway as a hub-and-spoke transit hub for many VPCs, VPNs, and Direct Connect gateways.
  - AWS Cloud WAN for building and managing a unified global network across Regions from a central policy, connecting VPCs, Transit Gateways, and on-premises locations.
  - AWS PrivateLink with Gateway, Interface, Gateway Load Balancer, and Resource VPC endpoints for private access to AWS services, SaaS, and individual resources.
  - Amazon VPC Lattice for service-to-service application networking across VPCs and accounts.
  - AWS Site-to-Site VPN and AWS Direct Connect for hybrid connectivity to on-premises networks.
- Addressing and IP management
  - IPv4 and IPv6 addressing, dual-stack and IPv6-only subnets, and NAT64/DNS64 translation.
  - Amazon VPC IP Address Manager (IPAM) for planning, allocating, monitoring, and auditing IP address space across accounts and Regions, with Public IP Insights, BYOIP/BYOASN, and allocation policies.
  - Managed prefix lists for reusable, shareable sets of CIDR blocks in security groups and route tables.
- Security and isolation
  - Security groups (stateful, instance/ENI-level) and network ACLs (stateless, subnet-level), with security group referencing and Security Group VPC Associations.
  - VPC Block Public Access for authoritative account- or VPC-level blocking of internet traffic, and VPC Encryption Controls for in-transit encryption enforcement.
  - AWS Network Firewall, Gateway Load Balancer endpoints, ingress routing, and Traffic Mirroring for inline and out-of-band inspection.
- Observability and analysis
  - VPC Flow Logs for traffic metadata to Amazon CloudWatch Logs, Amazon S3, or Amazon Data Firehose, including Transit Gateway flow logs.
  - Reachability Analyzer for point-to-point connectivity verification and Network Access Analyzer for finding unintended access paths.
- Pricing model (structure only)
  There is no charge for a VPC, subnets, route tables, Internet Gateways, security groups, or network ACLs themselves; charges apply to components such as NAT Gateways, interface and Gateway Load Balancer endpoints, Traffic Mirroring, the IPAM advanced tier, public IPv4 addresses, and data processing/transfer. For current figures, see the Amazon VPC Pricing page.

Frequently Asked Questions about Amazon VPC History
- When did Amazon VPC launch?
- Amazon VPC was announced as a limited beta on August 25, 2009, initially offering an isolated private network connected to on-premises infrastructure over an IPsec VPN, with no internet-facing access. It became generally available on August 3, 2011 with multi-Availability-Zone support.
- When did the default VPC become available?
- AWS began making a default VPC available on March 11, 2013, so that new accounts (and existing accounts in newly entered Regions) launch EC2 instances into a pre-configured VPC automatically. Accounts created after December 4, 2013 are VPC-only, and EC2-Classic was fully retired on August 15, 2022.
- When did VPC Peering launch?
- Same-Region VPC Peering launched on March 24, 2014, and Inter-Region VPC Peering followed on November 29, 2017, allowing VPCs in different Regions to communicate over private IP addresses across the AWS backbone.
- When did VPC Endpoints (Gateway and Interface / PrivateLink) launch?
- Gateway VPC Endpoints launched for Amazon S3 on May 11, 2015 (with Amazon DynamoDB added in 2017). Interface VPC Endpoints powered by AWS PrivateLink launched for AWS services on November 8, 2017, and for customer and partner endpoint services on November 28, 2017. Amazon S3 itself gained interface endpoints (AWS PrivateLink for S3) on February 2, 2021, usable alongside its original gateway endpoint. The Gateway Load Balancer endpoint, a third endpoint type, arrived on November 11, 2020, and Resource VPC Endpoints in December 2024.
- When did Amazon VPC add IPv6 support?
- Native IPv6 support (dual-stack), along with the Egress-Only Internet Gateway, was introduced on December 1, 2016 and expanded to additional Regions in early 2017. IPv6-only subnets arrived on November 23, 2021, and NAT64/DNS64 for IPv6-to-IPv4 communication on November 24, 2021.
- When did VPC Flow Logs launch?
- Amazon VPC Flow Logs launched on June 10, 2015 with delivery to Amazon CloudWatch Logs. Delivery to Amazon S3 was added in August 2018, richer metadata fields in 2019 and 2021, and Transit Gateway flow logs in July 2022.
- When did AWS Transit Gateway launch and how does it relate to VPC?
- AWS Transit Gateway launched on November 26, 2018 as a managed hub that VPCs, VPN connections, and Direct Connect gateways attach to, replacing complex meshes of VPC peering connections and per-VPC gateways with centralized routing for large multi-VPC, multi-account networks.
- When did VPC IPAM launch?
- Amazon VPC IP Address Manager (IPAM) launched on December 1, 2021 to automate IP allocation, governance, and monitoring across accounts and Regions. It has since added Public IP Insights (2023), BYOASN (2023), broader BYOIP registry support (2024), cost distribution and allocation policies (2025), the Prefix List Resolver (2025), and Infoblox integration (2025).
- When did Reachability Analyzer and Network Access Analyzer launch?
- Amazon VPC Reachability Analyzer launched on December 10, 2020 for point-to-point connectivity verification using automated reasoning, and Amazon VPC Network Access Analyzer launched on December 1, 2021 to identify unintended or non-compliant network access paths against defined scopes.
Summary
In this article, I created a historical timeline of Amazon VPC and looked at the list of features and overview of Amazon VPC.
Amazon Virtual Private Cloud (Amazon VPC), the service that provides a logically isolated virtual network in the AWS Cloud, was announced as a limited beta in August 2009 and became generally available in August 2011. Over the following years it grew from an isolated, VPN-only network into the universal networking foundation of AWS, adding internet connectivity, default VPCs, VPC Peering, Gateway and Interface (AWS PrivateLink) endpoints, IPv6, VPC Flow Logs, AWS Transit Gateway integration, VPC sharing, IP Address Manager (IPAM), Reachability Analyzer and Network Access Analyzer, VPC Lattice, VPC Block Public Access, and VPC Encryption Controls. Today, Amazon VPC is the network boundary inside which nearly every other AWS service runs.
For deeper dives into specific Amazon VPC topics, see the AWS PrivateLink and VPC Endpoints Complete Guide, the AWS VPC Lattice Complete Guide, and the AWS Networking Glossary. Because Amazon VPC is the network foundation for compute and traffic distribution, you may also be interested in the related timelines for Amazon EC2 and Elastic Load Balancing.
I would like to continue monitoring the trends of what kind of features Amazon VPC will provide in the future.
In addition, there is also a historical timeline of all AWS services including services other than Amazon VPC, so please have a look if you are interested.
AWS History and Timeline - Almost All AWS Services List, Announcements, General Availability(GA)
This timeline will be updated as Amazon VPC continues to evolve.
References:
AWS Documentation (Amazon VPC Documentation)
AWS Documentation (What is Amazon VPC?)
AWS Documentation (Document history for Amazon VPC)
AWS PrivateLink
Amazon VPC Lattice
Amazon VPC IP Address Manager (IPAM)
AWS PrivateLink and VPC Endpoints Complete Guide
AWS VPC Lattice Complete Guide
AWS Networking Glossary
AWS History and Timeline regarding Amazon EC2
What's New with AWS?
AWS News Blog
AWS Networking and Content Delivery Blog
Written by Hidekazu Konishi