In the previous example, we used the pre-existing default VPC and subnet to create our instance. That's fine for demonstration purposes, but in production, you'll want to use a dedicated VPC for your Puppet-managed resources to keep it separate from any other resources in your AWS account and from other Puppet-managed VPCs. You could, for example, have a staging VPC and a production VPC.

By default, a new VPC has no access to the Internet; we'll also need an Internet gateway (which routes Internet traffic to and from the VPC) and a route table (which tells a given subnet to send non-local traffic to the gateway). The puppetlabs/aws module provides Puppet resources to create and manage each of these entities.