Mr. Spock’s approach to separation: Logical

I am reading through Amazon's new Virtual Private Cloud announcement. Definitely interesting stuff. It is a useful exercise to count the number of times the word "logical" modifies the segmentation / separation requirements for VPC.

This is not the end of the world by any stretch, but it is important to understand the difference between "logical" separation and physical separation. Seems sort of obvious when plainly stated, but it applies in many circumstances – virtualization is another technology that employs logical separation. Switches logically separate nodes.

When you logically separate elements or nodes or whatever, that means there is software providing the separation. Software that could be compromised. This is why the standard recommendation for DMZs was not to hang different zones off the same switch.

Keep in mind that logical separation carries higher risk than physical separation. How much higher? Well, that depends on the attack surface of the software doing the separating.