Something that runs within the VPC, so that only things within or connected to that VPC can access the service.