Compliance

Move resources into private networks (VPC isolation)

One capability across databases, search, serverless and EC2: put workloads inside private VPC subnets and reach AWS services privately, so nothing depends on a route to the public internet.

14 min·10 sections·AWS

Last reviewed 16 June 2026

Remediates AWS Security Hub: EC2.10 EC2.17 EC2.55 EC2.56 EC2.57 EC2.58 EC2.60 EC2.180 ES.2 Lambda.3 Opensearch.2 RDS.18 Redshift.7

VPC isolation: the basics

What does "inside a private network" actually mean across AWS services?

Network isolation is one capability that AWS expresses in several different shapes. A Lambda function with no VPC config runs on an AWS-managed network with a default route to the internet (Lambda.3). An OpenSearch or Elasticsearch domain can be created with a public endpoint or with VPC placement, and the choice is permanent (Opensearch.2, ES.2). An RDS instance can sit in a subnet whose route table points at an internet gateway (RDS.18). A Redshift cluster can route its bulk COPY and UNLOAD traffic over the public AWS network instead of through your VPC (Redshift.7). And a fleet of EC2 instances can reach Systems Manager, EC2, ECR and other control planes either over the public internet or through interface VPC endpoints (EC2.10, EC2.17, EC2.55, EC2.56, EC2.57, EC2.58, EC2.60).

AWS Security Hub turns each of these into its own control, so one estate can fail a scatter of network-placement checks at once. They look like separate problems on the report, but they are one capability: keep workloads inside private subnets you govern, and give them a private path to the AWS services they call rather than a route out to the internet. The shared goal is that your security groups, network ACLs and VPC flow logs actually see and govern the traffic, instead of it slipping out over a default route nobody is watching.

Some of these are a single setting (Redshift enhanced VPC routing, an SSM endpoint trio), some are a one-off migration (a public OpenSearch domain has to be rebuilt inside a VPC and the data moved across), and some need supporting plumbing so the workload can still reach what it needs (a VPC-attached Lambda loses its default internet egress). The job is to inventory what runs on, or routes to, the public internet, decide which placements are deliberate, and move the rest into private networks with a private path to AWS services.

In this lesson you will learn how AWS expresses network placement across serverless, search, databases, data warehousing and EC2, how to find every workload that runs on or routes to the public internet, and how to move them into private subnets with a private path to AWS services without breaking the few that legitimately need public access. The Controls this lesson covers section lists every Security Hub control in this capability, each linking to a deep page with the exact check and a copy-and-paste fix.

Fun fact

The endpoint you cannot un-publish

Most network-placement controls remediate in place with a single setting flip, but one does not. An OpenSearch or Elasticsearch domain's network mode, public endpoint versus VPC, is welded on at creation: AWS's own guidance states that a domain created with a public endpoint cannot later be moved into a VPC. The only way out is to build a new domain inside private subnets and migrate the data across via snapshot or reindex. Every other isolation control in this group, Redshift enhanced VPC routing, an RDS subnet-group move, attaching a Lambda to a VPC, is reversible. The search domain is the one that teaches teams to choose private the first time.

Finding what runs on the public internet across an estate

Priya is the platform lead at a scale-up preparing for its first SOC 2 audit. Security Hub shows network-placement failures spread across Lambda, RDS, OpenSearch and Redshift in accounts that pre-date the team's current guardrails.

Rather than work the findings one by one, she starts with the resources that hold data and could be reached from the internet, separating deliberate public services from drift before changing anything.

Start with the highest-impact case: a database in a subnet whose route table points at an internet gateway is one security-group rule from public exposure.

$ aws ec2 describe-route-tables --filters Name=association.subnet-id,Values=subnet-0a1b2c3d4e5f6a7b8 --query 'RouteTables[0].Routes[*].{Dest:DestinationCidrBlock,Target:GatewayId}' --output table

-------------------------------------

| Dest | Target |

-------------------------------------

| 10.0.0.0/16 | local |

| 0.0.0.0/0 | igw-0abc123def |

-------------------------------------

# A default route to an IGW makes the subnet public. The database in it fails RDS.18.

Walk the route table, not the resource flag. An IGW default route is what makes a subnet public, regardless of PubliclyAccessible.

How AWS decides a resource is privately networkeddeep dive

Most of these controls resolve to one of three mechanisms. The first is placement: does the resource have a VPC configuration at all? Lambda.3 checks for a VpcConfig with at least one subnet; Opensearch.2 and ES.2 check for VPCOptions; the EC2 endpoint controls (EC2.10 SSM, EC2.55 ECR, EC2.56 ECR DKR, EC2.57 SSM, EC2.58 SSM messages and EC2.60 EC2) check whether interface VPC endpoints exist so instances reach those control planes without an internet path. The second is routing: RDS.18 walks the subnet's route table for a 0.0.0.0/0 entry pointing at an internet gateway, and Redshift.7 checks the EnhancedVpcRouting boolean that forces COPY and UNLOAD through your VPC. The third is interface hygiene, where EC2.17 and EC2.180 cover redundant ENIs and source/destination checks that affect how an instance routes.

These are coarse gates, not deep inspections. Lambda.3 does not evaluate whether the subnets are genuinely private; a VPC OpenSearch domain in a misconfigured public subnet still passes Opensearch.2. So passing the control is necessary but not sufficient: sound subnet, route-table and NACL design is still on you. Security Hub evaluates these through AWS Config, typically on a several-hour cycle, so a fix does not flip the finding to PASSED instantly even though the configuration change itself takes effect immediately.

Once a workload is in a private subnet it loses any default internet route. To keep reaching AWS services it needs a private path: a gateway VPC endpoint for S3 or DynamoDB (free, route-table based), an interface VPC endpoint for other services (per-AZ hourly plus per-GB), or a NAT gateway for general egress (hourly plus per-GB). Provisioning that path before you move the workload is what separates a clean migration from a broken nightly job, and choosing endpoints over NAT for narrow egress is what keeps the bill flat.

What is the impact of leaving workloads on the public network?

The direct impact is exposure and lost governance. A database in a public subnet, a search domain on a public endpoint, or a function on the AWS-managed network sits outside the security groups, route tables and flow logs that govern the rest of your estate. Its traffic is invisible to the tooling your security team relies on, and a single misconfiguration of the access policy or security group in front of it converts "controlled" into "reachable from anywhere." Internet-facing data services are found quickly by automated scanners, which is exactly why exposed databases and search clusters have been behind some of the largest data exposures on record.

The second-order impact is blast radius. A workload with a route to the internet can reach command-and-control endpoints and exfiltrate data if it is ever compromised, and after an incident the first question, "what could this resource reach?", has the worst possible answer. Moving workloads into private subnets with a scoped egress path bounds that blast radius to the handful of services they actually call.

On the compliance side, every modern framework, SOC 2, ISO 27001, HIPAA, PCI DSS and FedRAMP, maps these controls to network-segmentation and boundary-protection requirements (NIST SC-7 chief among them). A passing set of VPC-placement controls across every account is concrete, screenshot-able evidence that data-bearing workloads sit behind a network boundary you can observe and govern.

How do you move workloads into private networks safely?

Work the capability as one loop rather than chasing individual findings. The order matters: understand each workload's egress and decide which placements are deliberate before you move anything, so you do not take a live service offline.

1. Inventory everything on, or routing to, the public internet

Across services, list the resources that are not privately networked: Lambda functions with no VpcConfig, OpenSearch and Elasticsearch domains with no VPCOptions, RDS instances in subnets with an IGW route, Redshift clusters with enhanced VPC routing off, and VPCs with managed instances but no SSM, ECR or EC2 interface endpoints. Treat this inventory as the source of truth, not the Security Hub finding count, because one workload can trigger several controls.

2. Separate deliberate public services from drift, and map each workload's egress

Decide which placements are on purpose. A genuinely public web tier belongs behind CloudFront or a load balancer, never directly exposed. Everything else is drift. For each workload you will move, map what it actually calls before you touch its networking, because a workload in a private subnet loses its default internet route and any unprovisioned dependency will break.

3. Provision the private path, then move the workload

Give each workload a private route to the AWS services it needs: a free gateway endpoint for S3 and DynamoDB, an interface VPC endpoint for narrow egress, or a NAT gateway for broad egress. Then make the placement change: attach the Lambda to multi-AZ private subnets, move the RDS instance to a private subnet group, flip Redshift enhanced VPC routing, or stand up a new VPC OpenSearch domain and migrate the data via snapshot. Do data-store migrations in a maintenance window and verify connectivity before declaring it done.

4. Enforce private-by-default so it cannot drift back

Pin the setting in your Terraform or CloudFormation modules so new resources are born private, and back it with AWS Config rules and Service Control Policies that block public creation, for example denying an OpenSearch domain without VPC options. Prevention is what turns this from a recurring remediation into a one-time fix.

# Move the highest-impact case first: an RDS instance in a public subnet group.
aws rds create-db-subnet-group \
  --db-subnet-group-name prod-db-subnets-private \
  --db-subnet-group-description "Private subnets only - no IGW route" \
  --subnet-ids subnet-0aa11bb22cc33dd44 subnet-0ee55ff66aa77bb88

aws rds modify-db-instance \
  --db-instance-identifier prod-payments-db \
  --db-subnet-group-name prod-db-subnets-private \
  --apply-immediately

# Provide a private path before moving compute, so it can still reach AWS services.
# A free S3 gateway endpoint, or a narrow interface endpoint instead of a NAT gateway.
aws ec2 create-vpc-endpoint --vpc-id vpc-0a1b2c3d \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.us-east-1.ssm \
  --subnet-ids subnet-0aa11 subnet-0bb22 \
  --security-group-ids sg-0ccfn33 --private-dns-enabled

# Force Redshift bulk traffic through the VPC (confirm an S3 gateway endpoint exists first).
aws redshift modify-cluster \
  --cluster-identifier analytics-prod --enhanced-vpc-routing

Quick quiz

Question 1 of 5

Security Hub shows network-placement failures across Lambda, RDS, OpenSearch and Redshift. What is the most efficient way to think about them?

Keep learning

Go deeper on how private network placement and private connectivity work across the services in this capability.

You can now treat network isolation as one capability rather than a scatter of findings: inventory everything on or routing to the public internet, separate the deliberate public services and route them through a controlled front door, provision the cheaper private egress path, and move the rest into private subnets, leaving the one OpenSearch case to a planned migration. The Controls this lesson covers section below links every control in this group to its deep page and fix.

Back to the library

VPC isolation: the cost and risk view

Mostly free configuration with a few bounded migration and egress costs to scope

Most of this capability is free in AWS terms. Turning on Redshift enhanced VPC routing, placing a new domain inside a VPC, or moving an RDS instance to a private subnet group does not change instance, storage or compute charges. The cost sits in a small number of exceptions: rebuilding a public OpenSearch domain is a one-time migration with a brief double-running window, and a Lambda or EC2 fleet that moves into private subnets needs a private egress path, which is either a free S3 or DynamoDB gateway endpoint, a paid interface VPC endpoint, or a NAT gateway with per-GB charges.

The right framing is to scope remediation by data sensitivity and pick the cheaper egress path. Interface VPC endpoints are roughly $7 per month each per Availability Zone and keep traffic inside AWS; a NAT gateway is a flat hourly charge plus a per-GB data-processing fee. For a workload calling one or two AWS services, endpoints are usually far cheaper than routing everything through NAT, and a gateway endpoint for S3 is free outright.

Map each failing control to the data behind it and prioritise by exposure. A publicly reachable database or search domain holding customer records carries a far higher expected loss than a utility Lambda that only posts to Slack. The insurance maths is one-sided: the remediation is engineering time plus a small, bounded egress cost for the few legitimate exceptions, against the documented cost of a data-exposure breach.

This lesson is for the finance partner who sees a cluster of VPC-placement findings on the security report and wants to know what the right response is and what it costs. It covers why most of these controls are free to fix, which exceptions carry a real migration or egress cost, how to choose the cheaper of VPC endpoints versus NAT, and how to turn a list of red findings into a risk-ordered remediation plan.

Fun fact

The endpoint you cannot un-publish

How a finance partner risk-orders a scatter of network-placement findings

Priya is the finance partner working alongside the platform team on the SOC 2 programme. Security Hub returns a wall of network-placement failures: a handful of public Lambda functions, two RDS instances in subnets with an internet gateway route, a public OpenSearch domain, and a Redshift cluster with enhanced VPC routing off. Her instinct is not to ask how much it all costs, because most of it costs nothing; it is to ask which of these resources actually hold data that would hurt the business if it leaked.

The team annotates the list. The OpenSearch domain indexes customer support tickets and the two RDS instances hold orders and billing records, so those three carry real expected loss. The Lambda functions only post to a Slack webhook, and Redshift is internal analytics behind a private VPN. Priya re-orders the work by data sensitivity rather than by the report's order, funds the one item with a genuine cost (the OpenSearch rebuild, a one-time migration with a short double-running window), and notes that the rest is free configuration plus a few interface VPC endpoints at roughly seven dollars per month per Availability Zone. Her output for the finance pack is a single line: the data-bearing exposures close this quarter at a bounded egress cost, the cosmetic findings close as routine hygiene.

Why network placement belongs on the risk register

The cost model here is asymmetric. Most of these controls cost nothing in AWS spend to fix, and leaving them open creates an unbounded tail risk. The few that do carry a cost are bounded and knowable: a one-time OpenSearch migration with a day or two of double-running, and a small recurring egress charge for workloads moved into private subnets, which is minimised by preferring a free gateway endpoint or a narrow interface endpoint over a NAT gateway.

The documented cost of a data-exposure breach includes mandatory notification within tight regulatory windows, forensics and legal fees that routinely run into six and seven figures, and customer churn. Against that, the remediation is engineering time plus a bounded egress cost for the legitimate exceptions. The finance role is to attach expected loss to each failing resource so the work is prioritised by the sensitivity of the data behind it, not by the order the report lists it, and to insist the cheaper egress path is chosen for every workload that moves into a private subnet.

What finance can do about the network-placement gap

Finance cannot move a workload into a VPC, but it can set the framing that turns a scatter of red findings into a risk-ordered plan with a bounded, knowable cost. Three levers, used at the monthly risk-and-cost review.

1. Separate the free fixes from the few that carry a real cost

Most of these controls (Redshift enhanced VPC routing, an RDS subnet-group move, attaching a Lambda to a VPC) are free configuration changes with no AWS spend attached. Only two patterns cost money: the one-time OpenSearch rebuild with a brief double-running window, and the recurring egress charge for workloads moved into private subnets. Insist the cheaper egress path is chosen every time: a free S3 or DynamoDB gateway endpoint where it fits, a narrow interface VPC endpoint at roughly seven dollars per month per Availability Zone for one or two services, and a NAT gateway with per-GB charges only where broad egress is genuinely needed.

2. Risk-weight each failing resource by the data behind it

The report lists findings by control, not by exposure. Re-order them by the sensitivity of the data each resource holds: a publicly reachable database or search domain full of customer records carries a far higher expected loss than a utility Lambda that only posts to a webhook. Attach an expected-loss estimate to each data-bearing resource so the migration effort and the egress spend go where the exposure actually is, not where the report happens to start.

3. Require a documented exception for anything left public on purpose

A genuinely public web tier belongs behind CloudFront or a load balancer and should never be a directly exposed resource. Any resource left reachable from the internet needs a recorded, finance-visible reason, not a silently suppressed finding. The distinction between we reviewed this and routed it through a controlled front door and we never looked at it is exactly what makes the network-placement picture defensible at audit.

Quick quiz

Question 1 of 5

A network-isolation report lists a public OpenSearch domain holding customer tickets, two public RDS databases, three Slack-only Lambda functions and a Redshift cluster with enhanced VPC routing off. As the finance partner, what is the right ordering?

Keep learning

Go deeper on how private network placement and private connectivity work across the services in this capability.

You have finished the finance view of network isolation. You know that most of these controls cost nothing to fix, that the only real spend is a one-time OpenSearch migration plus a small, choosable egress cost (free gateway endpoint, narrow interface endpoint, or NAT gateway), and that the right move is to risk-order failing resources by the sensitivity of the data behind them. Next time a wall of network-placement findings lands, you will fund the data-bearing exposures on a committed timeline and treat the rest as routine hygiene.

Back to the library

VPC isolation: the headline

Whether workloads that hold data run inside a private network or out where the internet can reach them

Network isolation is the discipline of running workloads inside a private network the security team controls, and giving them a private path to the AWS services they depend on, rather than a route out to the open internet. The report shows this as a scatter of findings across databases, search, serverless and compute, but it is one governance question.

The leadership question is not "are we compliant today?" It is "do the systems that hold our data sit inside a network we observe and control, or out where a misconfiguration could expose them?" The defensible end state is that data-bearing workloads are private by default, enforced by policy, with the few legitimately public services routed through a controlled front door.

Most of this is free to fix. The exceptions are bounded: a one-time migration for a public search domain, and a small recurring egress cost for workloads moved into private subnets. It is a governance decision about whether isolation is built in by design or left to everyone remembering to set it.

A short read for the leader who needs to know what network isolation protects, why moving workloads into private networks is mostly a governance decision rather than a budget one, and what a defensible end state looks like across the estate.

Fun fact

The endpoint you cannot un-publish

What it looks like when private-by-default is policy rather than memory

After a peer company made headlines for a customer database that turned out to be reachable from the open internet, the board asked the CTO a direct question: could that happen to us? The honest answer at the time was that nobody could say for certain, because workloads were placed on the network by whoever provisioned them, and there was no enforced default keeping data-bearing services private.

The response was to make network placement a governance question rather than a per-resource engineering choice. Data-bearing workloads are now private by default, pinned in the Terraform modules and backed by a Service Control Policy that blocks creating a public search domain or a database in a subnet with an internet gateway route. The few legitimately public services sit behind CloudFront or a load balancer, never directly exposed. A quarter later the same board question had a one-line answer: every system that holds customer data sits inside a network the security team observes and controls, and the platform cannot create a new one any other way.

Why this is a board-level risk

Nearly every major cloud data breach that involved exposed storage or search came back to the same root cause: a data-bearing resource that was reachable from the internet, usually by accident. Network isolation is the capability that makes that root cause structurally difficult, and enforcing private-by-default for data infrastructure makes it close to impossible.

The cost of getting this wrong is large and well documented, while the cost of fixing it is mostly engineering time plus a small, bounded egress cost for the exceptions. This is the class of control where the risk of inaction is severe and the cost of action is modest and knowable, which is exactly the trade leadership should be quickest to approve.

The leadership move on network isolation

The executive handle is not to approve each migration individually; it is to require private-by-default for data-bearing workloads and to insist any public exception is a deliberate, recorded decision.

1. Set the deadline against the data-bearing exposures, not the raw count

Ask for the count of data-bearing workloads (databases, search domains, anything holding customer records) that are reachable from the internet, and put a committed date on closing that subset. The total finding count conflates real exposure with cosmetic drift; the number that matters is publicly reachable data infrastructure, and that number should be on a dated path to zero.

2. Ask for proof that the boundary is observed, not just configured

Passing a VPC-placement control is necessary but not sufficient: a workload can be inside a VPC and still sit in a misconfigured public subnet. Ask whether the traffic for data-bearing workloads is actually visible to the security group, route-table, NACL and flow-log tooling the rest of the estate relies on. The defensible proof is a passing set of placement controls plus evidence that the network around them is observed and governed.

3. Require a formal exception and a preventive guardrail

For anything deliberately left public, require a named owner and a recorded justification, routed through a controlled front door rather than directly exposed. Then ask the closing question: can a new public database or search domain still be created? If yes, the cleanup is temporary. The durable outcome is a Service Control Policy and Config rules that block public creation, so private-by-default holds on its own.

Quick quiz

Question 1 of 5

Your cloud security report shows network-placement findings spread across databases, search, serverless and compute. What is the single governance question worth asking?

Keep learning

Go deeper on how private network placement and private connectivity work across the services in this capability.

Two takeaways: a data-bearing workload reachable from the internet is the single root cause behind most major cloud data exposures, and the right metric is not the raw finding count but whether systems that hold data sit inside a network you observe and control. The fix is mostly free, the exceptions are bounded and knowable, and the durable outcome is private-by-default enforced by policy so a new public database cannot reintroduce the gap.

Back to the library

Controls this lesson covers

One capability, many AWS Security Hub controls. This lesson is the shared playbook; each control below keeps its own deep page with the exact check, severity and a copy-and-paste fix.

EC2

Move resources into private networks (VPC isolation)

VPC isolation: the basics

The endpoint you cannot un-publish

Finding what runs on the public internet across an estate

How AWS decides a resource is privately networkeddeep dive

What is the impact of leaving workloads on the public network?

How do you move workloads into private networks safely?

1. Inventory everything on, or routing to, the public internet

2. Separate deliberate public services from drift, and map each workload's egress

3. Provision the private path, then move the workload

4. Enforce private-by-default so it cannot drift back

Quick quiz

Keep learning

VPC isolation: the cost and risk view

The endpoint you cannot un-publish

How a finance partner risk-orders a scatter of network-placement findings

Why network placement belongs on the risk register

What finance can do about the network-placement gap

1. Separate the free fixes from the few that carry a real cost

2. Risk-weight each failing resource by the data behind it

3. Require a documented exception for anything left public on purpose

Quick quiz

Keep learning

VPC isolation: the headline

The endpoint you cannot un-publish

What it looks like when private-by-default is policy rather than memory

Why this is a board-level risk

The leadership move on network isolation

1. Set the deadline against the data-bearing exposures, not the raw count

2. Ask for proof that the boundary is observed, not just configured

3. Require a formal exception and a preventive guardrail

Quick quiz

Keep learning

Controls this lesson covers

EC2

ES

Lambda

Opensearch

RDS

Redshift

Related compliance lessons