Several PaaS services run on the provider's compute platform (Compute Engine on GCP, EC2 on AWS). These services ARE actually part of your VPC, even though it may seem like they are not (due to the misconception that PaaS means global…)

On GCP, these would include (among others):

  • App Engine
  • App Engine Flex
  • Cloud SQL
  • Dataproc

On AWS, these would include:

  • AWS Elastic Beanstalk
  • Amazon RDS
  • Amazon EMR
  • Amazon Redshift

So, which PaaS Services DO NOT belong in a VPC?

  • Cloud Storage on GCP and S3 on AWS are storage services that are always reachable from the Internet by default (there IS a way to block off public access).
  • You never spin up an S3 instance the way you spin up an RDS instance, so S3 does not belong on the VPC. Compute Engine instances and EC2 instances therefore need either Internet access or VPC endpoints in order to reach S3 / Cloud Storage.
  • Serverless functions (Lambda on AWS, Cloud Functions on GCP) CAN be connected to a VPC (by default they are not). Once connected to a VPC, they can only reach resources inside that VPC (or go through a NAT gateway for Internet access). If not connected to a VPC, Internet access is direct.
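
The two AWS points above (reaching S3 through a VPC endpoint instead of the Internet, and attaching a Lambda function to a VPC) fit together in one Terraform configuration. This is an added example, not code from the original post: it creates an S3 Gateway endpoint for the private route tables, a bucket policy that denies any request not arriving through that endpoint (with an admin-role carve-out), and a Lambda function whose `vpc_config` puts it in the private subnets so it reaches the bucket through the endpoint with no NAT gateway. All `var.*` values, the `function.zip` artifact and the role ARNs are placeholders the example assumes.

```hcl
# Added example (Terraform, AWS provider). Not from the original post.
# Every variable below is an assumed placeholder, not a real identifier.
variable "region"                  { type = string }
variable "vpc_id"                  { type = string }
variable "private_route_table_ids" { type = list(string) }
variable "private_subnet_ids"      { type = list(string) }
variable "lambda_sg_id"            { type = string }
variable "lambda_role_arn"         { type = string }
variable "admin_role_arn"          { type = string }
variable "bucket_name"             { type = string }

# 1. Gateway VPC endpoint for S3. Routes to S3 prefixes are added to the
#    listed route tables, so instances and functions in those subnets reach
#    S3 without an Internet gateway or a NAT gateway.
resource "aws_vpc_endpoint" "s3" {
  vpc_id            = var.vpc_id
  service_name      = "com.amazonaws.${var.region}.s3"
  vpc_endpoint_type = "Gateway"
  route_table_ids   = var.private_route_table_ids
}

# 2. Bucket policy: deny every request that did NOT arrive via the endpoint,
#    unless the caller is the admin role. Conditions within one statement are
#    ANDed, so the Deny applies only when the endpoint is wrong AND the
#    principal is not the admin role. Without the carve-out the policy would
#    lock out console and CI access too.
resource "aws_s3_bucket_policy" "vpce_only" {
  bucket = var.bucket_name
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyOutsideVpcEndpoint"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        "arn:aws:s3:::${var.bucket_name}",
        "arn:aws:s3:::${var.bucket_name}/*",
      ]
      Condition = {
        StringNotEquals = { "aws:SourceVpce" = aws_vpc_endpoint.s3.id }
        ArnNotEquals    = { "aws:PrincipalArn" = var.admin_role_arn }
      }
    }]
  })
}

# 3. Lambda attached to the VPC. With vpc_config set, the function can only
#    reach resources inside the VPC; S3 is reachable through the gateway
#    endpoint above, so this function needs no NAT gateway. The execution role
#    is assumed to include the AWSLambdaVPCAccessExecutionRole managed policy,
#    which Lambda needs to create the function's network interfaces.
resource "aws_lambda_function" "in_vpc" {
  function_name = "s3-reader-in-vpc"
  role          = var.lambda_role_arn
  handler       = "handler.main"
  runtime       = "python3.12"
  filename      = "function.zip" # assumed to exist next to this config

  vpc_config {
    subnet_ids         = var.private_subnet_ids
    security_group_ids = [var.lambda_sg_id]
  }
}
```

Two things to check before applying a policy like this: the subnets the function uses must be associated with one of the route tables passed to the endpoint, otherwise its S3 calls time out rather than being denied; and any Lambda that is not attached to the VPC will be rejected by the bucket policy, which is the intended effect of "S3 is reachable only from inside the VPC".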

Summary