VPN
A VPN (Virtual Private Network) is an encrypted network connection that creates a secure tunnel between endpoints over the public internet, protecting data in transit and allowing private resources to communicate as if on the same local network.
What is a VPN in cloud hosting?
A VPN (Virtual Private Network) is an encrypted network connection that creates a secure tunnel between two or more endpoints over the public internet. It allows your local network to connect privately to cloud resources as though they were on the same physical network, protecting data from interception during transmission.
In cloud hosting, a VPN typically connects your office network, remote workers, or another cloud region to your cloud infrastructure. All traffic passing through the VPN tunnel is encrypted between the two tunnel endpoints. This prevents anyone monitoring the public internet from reading, modifying, or intercepting the data flowing between those endpoints.
Why VPNs Exist
Without a VPN, connecting to cloud resources over the public internet exposes your traffic to interception. Credentials, application data, and configuration details travel unencrypted unless each application implements its own encryption. Managing security application-by-application becomes complex and error-prone.
A VPN solves this by encrypting all traffic at the network level before it leaves your premises. This means every packet between your network and the cloud is protected without requiring changes to individual applications. It also allows cloud resources with private IP addresses to be accessed securely from remote locations without exposing them to the public internet.
What Do VPNs Actually Do?
- Encrypts all network traffic between connected endpoints using protocols such as IPsec or OpenVPN
- Creates a virtual network interface on each endpoint that routes traffic through the encrypted tunnel
- Assigns private IP addresses to remote endpoints so they can access cloud resources with private addresses
- Authenticates endpoints before establishing the connection using pre-shared keys, certificates, or credentials
- Prevents packet inspection or modification by encrypting and authenticating the original packet, headers and payload alike; only the outer tunnel header needed to deliver the packet between endpoints remains visible
- Routes specific subnets through the tunnel while allowing other traffic to use the normal internet connection
When would I use a VPN?
You would use a VPN when your office network needs to access cloud instances that only have private IP addresses. This allows administrators to connect to management interfaces and applications without exposing those services publicly.
You would use a VPN to connect multiple cloud regions together so instances in different geographic locations can communicate privately over encrypted channels instead of routing through the public internet.
You would use a VPN when remote employees need to access internal cloud resources that are not exposed to the internet. The VPN extends your private network to their devices securely.
You would use a VPN to connect a hybrid cloud setup where some infrastructure remains on-premises and other resources run in the cloud. The VPN creates a bridge between the two environments.
When would I NOT use a VPN?
You would not use a VPN for public-facing web services that are designed to be accessed by customers over HTTPS. Those services handle encryption at the application layer and are meant to be publicly accessible.
You would not use a VPN if all your workloads are entirely within one cloud region and administrators access them through bastion hosts or jump servers within that same network. The VPN adds overhead without improving security.
You would not use a VPN when the latency or bandwidth limitations of the encrypted tunnel would negatively affect application performance. Some workloads require direct internet connections for speed.
You would not use a VPN as a replacement for proper authentication and access controls. A VPN secures the network connection but does not restrict what an authenticated user can do once connected. Those permissions must be configured separately.
Real-world example
Company A runs a web application in the cloud with instances in a private subnet that do not have public IP addresses. The development team works from an office network and needs to deploy updates, review logs, and troubleshoot issues on those instances.
Company A sets up a VPN connection between their office router and their cloud VPC (Virtual Private Cloud). Once the VPN is established, developers can connect to the private instances using their internal IP addresses as if those instances were on the office network. All traffic is encrypted in transit and never exposed to the public internet.
Without the VPN, Company A would need to assign public IP addresses to instances, expose SSH or RDP ports to the internet, and rely on application-layer security alone. The VPN eliminates those risks by keeping all management traffic on a private encrypted channel.
Frequently Asked Questions
Do I need more than one VPN?
You may need multiple VPN connections if you have several physical locations (offices, data centers) that all need to access the same cloud environment. Each site requires its own VPN tunnel to the cloud. Alternatively, you can create site-to-site VPNs between locations and use one central location to connect to the cloud. If your cloud provider allows it, you can also create redundant VPN tunnels from the same location for failover, ensuring connectivity remains available if one tunnel fails.
Does creating a VPN affect existing resources?
Creating a VPN connection itself does not change the behavior of running instances or applications. It simply establishes an encrypted network path. However, you must configure routing rules to direct traffic through the VPN tunnel. If routing is misconfigured, existing traffic patterns may change unexpectedly. Ensure the VPN subnet does not overlap with any existing network ranges, or routing conflicts will occur.
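The two routing checks mentioned above (sending only specific subnets through the tunnel, and making sure the VPN address plan does not overlap with existing ranges) can be verified before any tunnel is built. The following is an added example, not code from the original page; it uses only the Python standard library, and the office, VPC and tunnel-pool ranges are constructed sample values.

```python
"""Address-plan overlap check and split-tunnel route selection.

Added example, not code from the original page. It uses only the Python
standard library; every network range below is a constructed sample value.
"""
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed sample plan: office LANs, cloud VPC subnets, VPN address pool.
OFFICE_LANS = {"office-a": "192.168.10.0/24", "office-b": "192.168.20.0/24"}
VPC_SUBNETS = {"vpc-app": "10.0.1.0/24", "vpc-db": "10.0.2.0/24"}
VPN_POOL = {"vpn-pool": "172.16.99.0/24"}


def find_overlaps(ranges):
    """Return (name_a, name_b) pairs whose CIDR blocks overlap.

    The local network, the remote cloud network and the tunnel address pool
    must all be disjoint, otherwise one destination matches two routes.
    """
    nets = {name: ip_network(cidr) for name, cidr in ranges.items()}
    return [(a, b) for (a, na), (b, nb) in combinations(nets.items(), 2)
            if na.overlaps(nb)]


def split_tunnel_routes(remote_subnets, tunnel_if, default_gw):
    """Routing table as (destination, next_hop): cloud subnets via the
    tunnel interface, everything else via the normal default gateway."""
    routes = [(str(ip_network(c)), tunnel_if) for c in remote_subnets]
    routes.append(("0.0.0.0/0", default_gw))
    return routes


def next_hop(routes, dest_ip):
    """Longest-prefix match: the hop a packet to dest_ip would take."""
    addr = ip_address(dest_ip)
    matches = [r for r in routes if addr in ip_network(r[0])]
    if not matches:
        return None
    return max(matches, key=lambda r: ip_network(r[0]).prefixlen)[1]


def check_plan():
    """Validate the sample plan; an empty list means no routing conflicts."""
    return find_overlaps({**OFFICE_LANS, **VPC_SUBNETS, **VPN_POOL})


if __name__ == "__main__":
    print("overlaps:", check_plan())
    table = split_tunnel_routes(VPC_SUBNETS.values(), "tun0", "192.168.10.1")
    for dst in ("10.0.2.40", "93.184.216.34"):
        print(dst, "->", next_hop(table, dst))
```

Run it against your own ranges before creating the tunnel: any pair returned by find_overlaps is a routing conflict that must be resolved by renumbering one side.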
What happens if I delete a VPN?
If you delete a VPN connection, all traffic that was routed through that tunnel immediately stops. Remote users lose access to private cloud resources, and any applications relying on the VPN for communication will fail. Instances in the cloud remain running and unaffected, but anything attempting to reach them via the VPN will be unable to connect. Re-creating the VPN requires reconfiguring both endpoints and re-establishing routing rules.
Can I use a VPN to connect to multiple cloud providers?
Yes, you can create separate VPN connections to different cloud providers, allowing your on-premises network or office to access resources in AWS, Google Cloud, Azure, or other environments simultaneously. Each cloud provider requires its own VPN configuration and endpoint. Your local router or VPN gateway manages routing traffic to the correct destination based on the target IP address or subnet. This setup is common in multi-cloud architectures.
Is a VPN the same as a VPC?
No, a VPN (Virtual Private Network) and VPC (Virtual Private Cloud) are different concepts. A VPC is an isolated network environment within a cloud provider where you launch instances, define subnets, and control routing. A VPN is a secure encrypted connection that links your local network to that VPC or connects two VPCs together. You use a VPN to access resources inside a VPC from outside the cloud, while the VPC itself defines the network structure where those resources exist.
Summary
- A VPN is an encrypted network tunnel that securely connects your local network to cloud resources over the public internet
- It protects all traffic between endpoints by encrypting data in transit and preventing interception or modification
- VPNs are used to access private cloud instances, connect multiple regions, enable remote work, and build hybrid cloud architectures
- They do not replace authentication, access control, or application-level security, but instead secure the network layer
- A VPN is not the same as a VPC; a VPN connects networks while a VPC defines an isolated cloud environment
Related Terms
- VPC (Virtual Private Cloud): An isolated network environment within a cloud provider where you define subnets, routing tables, and security rules for your instances, such as private subnets for databases or public subnets for web servers
- Security Group: A set of firewall rules that control inbound and outbound traffic to cloud instances, such as allowing SSH from specific IP addresses or blocking all traffic except HTTPS
- Subnet: A logically segmented portion of a VPC network with its own IP address range, such as a private subnet for application servers or a public subnet for load balancers
- Bastion Host: A hardened instance placed in a public subnet that acts as a secure entry point for accessing private instances, such as an SSH jump server used by administrators
- IPsec: An industry-standard protocol suite for encrypting and authenticating IP packets, commonly used in site-to-site VPN connections between networks
