Skip To Content

Amazon VPC and ArcGIS Enterprise

Amazon Virtual Private Cloud (VPC) allows you to create a subnet of Amazon Elastic Compute Cloud (EC2) instances that can act as your private network in the cloud. You can work with this VPC subnet independently in the cloud or use it with a virtual private network (VPN) connection to expand your organization's internal network.

You must create the VPC before you deploy ArcGIS Enterprise. You create a VPC using one of the following:

There are two Esri sample CloudFormation templates to create a VPC; each uses a different network architecture. The most common architecture is a VPC network that is directly accessible to the internet. Access to these networks can and should be controlled through security groups. The second architecture deploys ArcGIS Enterprise to a subnet that is only accessible to the internet through an Elastic Load Balancer. This type of architecture is commonly referred to as a DMZ network architecture. This architecture requires a greater understanding of networking but provides some benefits in terms of isolation and security.

You must create the DMZ network architecture type VPC before you deploy ArcGIS Enterprise. At this time, you can only create this type of VPC using a CloudFormation template. See Create a highly available base ArcGIS Enterprise deployment in a DMZ network architecture and Create a highly available ArcGIS Server site in a DMZ network architecture for more information.


When an EC2 instance is in a VPC endpoint, the instance can only read and write to Amazon Simple Storage Service (S3) buckets in the AWS region in which the instance is deployed. If you want to use the webgisdr tool to back up your ArcGIS Enterprise deployment and want to store the backup content in an S3 bucket that's in a region other than the EC2 instance region, delete the VPC endpoint associated with the EC2 instance.