What’s a VPC (Virtual Private Cloud)?
A VPC is your own private data center in the cloud:
- You control the IP range, subnets, routing, firewalls (Security Groups & NACLs).
- You can run Elastic Beanstalk inside your VPC, so your app isn’t publicly exposed (unless you want it to be).
- Useful for private APIs, secure database access (RDS), or hybrid cloud setups.
How to Deploy Elastic Beanstalk into a Custom VPC
Step 1: Create Your VPC
Use the VPC wizard or manual setup:
- 1 VPC (e.g., 10.0.0.0/16)
- 2 Public subnets (for load balancer)
- 2 Private subnets (for EC2 instances)
- Internet Gateway (for public access)
- NAT Gateway (for internet from private subnets)
- Route Tables for each
Tip: Keep EC2 instances in private subnets for security and expose only the ALB in the public subnets.
Step 2: Tag Your Subnets
Tag your subnets so Beanstalk can find them:
Key: elasticbeanstalk:environment-type
Value: LoadBalanced
Step 3: Create Elastic Beanstalk App in the VPC
```bash
eb init -p python-3.8 my-secure-app
eb create my-secure-env \
  --vpc \
  --vpc.id vpc-xxxxxxxx \
  --vpc.publicip \
  --vpc.elbpublic \
  --vpc.ec2subnets subnet-private-a,subnet-private-b \
  --vpc.elbsubnets subnet-public-a,subnet-public-b
```
- `--vpc.elbpublic`: Makes the load balancer public
- `--vpc.publicip`: Assigns a public IP to EC2 (optional; not needed when the instances stay in private subnets behind the NAT Gateway)
- `--vpc.ec2subnets`: List your private subnets
- `--vpc.elbsubnets`: List your public subnets
Step 4: Confirm Security Group Access
- Your EC2 security group must allow:
  - Inbound HTTP/HTTPS from ELB
  - Outbound to internet (via NAT)
- If using RDS, allow inbound from the Beanstalk SG
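One way to check Steps 1 and 4 after the environment is up, as an added example (not code from the original page): it takes JSON shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` and reports instance subnets whose default route is an Internet Gateway, plus instance security group rules that admit anything other than the load balancer's group. The IDs and the `audit` and `default_route_target` names are constructed for illustration.

```python
# Added example; IDs are constructed, dict shapes follow the AWS CLI JSON output.
def default_route_target(route_tables, subnet_id):
    """Return the 0.0.0.0/0 target for a subnet ('igw-...', 'nat-...') or None."""
    main = chosen = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main = rt
            if assoc.get("SubnetId") == subnet_id:
                chosen = rt
    rt = chosen or main or {}  # no explicit association -> main route table applies
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route.get("GatewayId") or route.get("NatGatewayId")
    return None

def audit(route_tables, ec2_subnets, elb_subnets, instance_sg, elb_sg_id):
    findings = []
    for s in ec2_subnets:  # Step 1 tip: instances must not sit behind an IGW route
        if (default_route_target(route_tables, s) or "").startswith("igw-"):
            findings.append(f"{s}: instance subnet routes straight to an Internet Gateway")
    for s in elb_subnets:  # a public load balancer needs IGW-routed subnets
        if not (default_route_target(route_tables, s) or "").startswith("igw-"):
            findings.append(f"{s}: load balancer subnet has no Internet Gateway route")
    sg_id = instance_sg["GroupId"]
    for perm in instance_sg.get("IpPermissions", []):  # Step 4: inbound from ELB only
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        findings += [f"{sg_id}: inbound from CIDR {c}, expected only {elb_sg_id}" for c in cidrs]
        findings += [f"{sg_id}: inbound from unexpected group {p['GroupId']}"
                     for p in perm.get("UserIdGroupPairs", []) if p["GroupId"] != elb_sg_id]
    return findings

# Constructed sample: subnet-private-b has no explicit association, so it
# inherits the main route table, which here points at the Internet Gateway.
ROUTE_TABLES = [
    {"Associations": [{"SubnetId": "subnet-public-a"}, {"SubnetId": "subnet-public-b"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
    {"Associations": [{"SubnetId": "subnet-private-a"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-EXAMPLE"}]},
    {"Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-EXAMPLE"}]},
]
INSTANCE_SG = {"GroupId": "sg-instances", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "UserIdGroupPairs": [{"GroupId": "sg-elb"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]}
if __name__ == "__main__":
    print("\n".join(audit(ROUTE_TABLES, ["subnet-private-a", "subnet-private-b"],
                          ["subnet-public-a", "subnet-public-b"], INSTANCE_SG, "sg-elb")))
```

To run it against a real environment, replace the sample dicts with the `RouteTables` list and the instance group entry from the two CLI calls.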
Sample eb config Output
You can verify your settings:
```bash
eb config
```
Use Case Scenarios
Use Case | Why VPC Matters? |
---|---|
RDS database | Private subnet access only |
Internal APIs | Block external exposure |
Custom routing/NAT | Control egress traffic |
Hybrid architecture | Connect on-prem to cloud |