Introduction
Cloud networking forms the foundation of any cloud architecture. Whether deploying simple applications or complex microservices systems, understanding cloud networking is essential for building secure, scalable, and performant solutions. Network architecture directly impacts security, latency, cost, and operational complexity.
Modern cloud networking differs significantly from traditional data center networking. Cloud providers offer managed networking services that abstract complexity while providing powerful capabilities. However, this abstraction requires understanding cloud-specific networking concepts to design effective architectures.
This comprehensive guide examines cloud networking fundamentals across major providers. We explore Virtual Private Clouds, subnet strategies, routing, NAT configurations, and interconnection options. Whether building your first cloud network or optimizing existing architectures, this guide provides the knowledge necessary for success.
Understanding Virtual Private Clouds
A Virtual Private Cloud (VPC) is the fundamental networking construct in cloud environments.
What is a VPC?
A VPC is a logically isolated virtual network within a cloud provider’s infrastructure. It provides complete control over network configuration, including IP addressing, routing, and security.
```hcl
# AWS VPC Configuration
resource "aws_vpc" "main" {
  cidr_block           = "10.0.0.0/16"
  enable_dns_hostnames = true
  enable_dns_support   = true

  tags = {
    Name        = "main-vpc"
    Environment = "production"
  }
}
```
VPC Design Considerations
IP Addressing:
Choose CIDR blocks that accommodate current and future needs:
- Minimum /28 (16 addresses) for smallest VPC
- /16 (65,536 addresses) typical for production VPCs
- Avoid overlapping ranges when using VPC peering
```python
# Planning VPC IP ranges
def plan_vpc_cidr(environment, expected_hosts):
    """Calculate an appropriate VPC CIDR for an environment.

    The prefix length is chosen from the expected host count and capped at
    /16, the largest VPC block AWS allows; the first two octets come from the
    environment so that VPCs that may later be peered never overlap.
    (AWS reserves five addresses in every subnet, so size with headroom.)
    """
    if expected_hosts < 16:
        prefix_len = 28
    elif expected_hosts < 256:
        prefix_len = 24
    else:
        prefix_len = 16  # anything larger still gets the maximum /16

    # Environment-specific prefixes
    prefixes = {
        "production": "10.0",
        "development": "10.1",
        "staging": "10.2",
        "sandbox": "10.3",
    }
    return f"{prefixes.get(environment, '10.0')}.0.0/{prefix_len}"
```
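The sizing function above does not check the third bullet, non-overlap, which is the one that cannot be fixed after the fact. The following added example (not code from the original article) validates a whole plan of VPC CIDRs with the standard library's `ipaddress` module: it rejects malformed blocks, flags prefix lengths outside the /16 to /28 range AWS accepts for a VPC, warns on non-RFC 1918 space, and reports every overlapping pair. The function name `validate_vpc_plan` and the sample plan are this example's own constructions.

```python
# Added example (not from the original article): validate a set of planned VPC
# CIDR blocks against the constraints discussed above.
import ipaddress

# AWS accepts VPC IPv4 CIDR blocks between /16 and /28. Check your provider's
# current limits before relying on these constants for other clouds.
LARGEST_PREFIX = 16
SMALLEST_PREFIX = 28

# RFC 1918 private ranges. VPCs outside them are allowed but collide with
# public addresses, so the check only warns.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_vpc_plan(plan):
    """Check a {name: cidr} VPC plan.

    Returns a list of (severity, message) findings; an empty list means the
    VPCs are well-formed and can be peered with each other.
    """
    findings = []
    networks = {}
    for name, cidr in plan.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(("error", f"{name}: invalid CIDR {cidr!r} ({exc})"))
            continue
        if not (LARGEST_PREFIX <= net.prefixlen <= SMALLEST_PREFIX):
            findings.append(("error", f"{name}: /{net.prefixlen} is outside /16-/28"))
        if not any(net.subnet_of(p) for p in RFC1918):
            findings.append(("warn", f"{name}: {cidr} is not an RFC 1918 range"))
        networks[name] = net

    # Pairwise overlap check: overlapping VPCs cannot be peered, because a
    # route table could not tell the two address spaces apart.
    names = sorted(networks)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if networks[a].overlaps(networks[b]):
                findings.append(("error",
                                 f"{a} ({networks[a]}) overlaps {b} ({networks[b]})"))
    return findings


if __name__ == "__main__":
    # Constructed sample plan: the first three follow the article's prefixes;
    # "partner" deliberately overlaps production so the check fires.
    sample = {
        "production": "10.0.0.0/16",
        "development": "10.1.0.0/16",
        "staging": "10.2.0.0/16",
        "partner": "10.0.128.0/20",
    }
    for severity, msg in validate_vpc_plan(sample):
        print(f"[{severity}] {msg}")
```

Run it once before applying Terraform: an overlap found here costs a line in a plan file, the same overlap found after a peering request has been accepted costs a re-addressing project.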
Subnet Strategies
Subnets divide VPCs into smaller network segments, enabling network segmentation and high availability.
Subnet Types
```hcl
# AWS Subnet Configuration
resource "aws_subnet" "public_1a" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.1.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = true

  tags = {
    Name = "public-subnet-1a"
    Type = "public"
  }
}

resource "aws_subnet" "private_1a" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.10.0/24"
  availability_zone = "us-east-1a"

  tags = {
    Name = "private-subnet-1a"
    Type = "private"
  }
}

resource "aws_subnet" "database_1a" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.20.0/24"
  availability_zone = "us-east-1a"

  tags = {
    Name = "database-subnet-1a"
    Type = "database"
  }
}
```
High Availability Design
```mermaid
graph TB
    subgraph "VPC 10.0.0.0/16"
        subgraph "Availability Zone 1"
            Pub1[Public Subnet 10.0.1.0/24]
            Priv1[Private Subnet 10.0.10.0/24]
            DB1[Database Subnet 10.0.20.0/24]
        end
        subgraph "Availability Zone 2"
            Pub2[Public Subnet 10.0.2.0/24]
            Priv2[Private Subnet 10.0.11.0/24]
            DB2[Database Subnet 10.0.21.0/24]
        end
        IGW[Internet Gateway]
        NAT[NAT Gateway]
        IGW --> Pub1
        IGW --> Pub2
        Pub1 --> NAT
        Pub2 --> NAT
        NAT --> Priv1
        NAT --> Priv2
        Priv1 --> DB1
        Priv2 --> DB2
    end
```
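The diagram fixes a numbering convention: each tier owns a run of /24 blocks and each additional availability zone takes the next one. The following added example (not code from the original article) generates that layout for any number of zones and tiers, verifies that every subnet lies inside the VPC and that none overlap, and reports the addresses actually usable after AWS takes its five reserved addresses per subnet (network, VPC router, DNS, one reserved for future use, broadcast). `carve_subnets`, `check_plan` and `usable_addresses` are this example's own names.

```python
# Added example (not from the original article): carve the article's
# 10.0.0.0/16 VPC into the per-AZ tiers shown in the diagram and verify them.
import ipaddress

# AWS reserves the first four and the last address of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def carve_subnets(vpc_cidr, azs, tier_bases, new_prefix=24):
    """Return {(tier, az): IPv4Network} for a tiered, multi-AZ layout.

    tier_bases maps a tier name to the index of its first /new_prefix block
    inside the VPC; each further AZ takes the next block, which reproduces the
    article's numbering (public 10.0.1.0, 10.0.2.0; private 10.0.10.0, ...).
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    blocks = list(vpc.subnets(new_prefix=new_prefix))
    plan = {}
    for tier, base in tier_bases.items():
        for i, az in enumerate(azs):
            plan[(tier, az)] = blocks[base + i]
    return plan


def check_plan(vpc_cidr, plan):
    """Return problems as strings: subnets outside the VPC or overlapping."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    items = list(plan.items())
    for key, net in items:
        if not net.subnet_of(vpc):
            problems.append(f"{key}: {net} is outside {vpc}")
    for i, (ka, a) in enumerate(items):
        for kb, b in items[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{ka} {a} overlaps {kb} {b}")
    return problems


def usable_addresses(net):
    """Hosts actually available once the provider's reserved addresses are removed."""
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


if __name__ == "__main__":
    plan = carve_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"],
                         {"public": 1, "private": 10, "database": 20})
    for (tier, az), net in sorted(plan.items()):
        print(f"{tier:9s} {az}  {net}  usable={usable_addresses(net)}")
    print("problems:", check_plan("10.0.0.0/16", plan) or "none")
```

Because the zones are parameters, the same call with three zones yields the third public subnet at 10.0.3.0/24 and so on, which keeps the tier runs contiguous when a region gains capacity.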
Azure Subnet Design
```powershell
# Azure Virtual Network and Subnets
$vnetParams = @{
    Name              = 'prod-vnet'
    ResourceGroupName = 'prod-rg'
    Location          = 'eastus'
    AddressPrefix     = '10.0.0.0/16'
}
$vnet = New-AzVirtualNetwork @vnetParams

# Public subnet
Add-AzVirtualNetworkSubnetConfig -Name 'PublicSubnet' `
    -VirtualNetwork $vnet `
    -AddressPrefix '10.0.1.0/24'

# Private subnet
Add-AzVirtualNetworkSubnetConfig -Name 'PrivateSubnet' `
    -VirtualNetwork $vnet `
    -AddressPrefix '10.0.10.0/24'

# Database subnet
Add-AzVirtualNetworkSubnetConfig -Name 'DatabaseSubnet' `
    -VirtualNetwork $vnet `
    -AddressPrefix '10.0.20.0/24'

# Subnet configs are local until the virtual network is written back
Set-AzVirtualNetwork -VirtualNetwork $vnet
```
Routing and Internet Access
Understanding routing is essential for network connectivity.
Route Tables
```hcl
# AWS Route Table - Public
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id

  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.main.id
  }

  tags = {
    Name = "public-route-table"
  }
}

# AWS Route Table - Private
resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id

  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.main.id
  }

  # Route to other VPC via peering
  route {
    cidr_block                = "10.1.0.0/16"
    vpc_peering_connection_id = aws_vpc_peering_connection.main.id
  }

  tags = {
    Name = "private-route-table"
  }
}
```
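The private table above lists a default route and a more specific peering route, and the order they are written in does not matter: cloud route tables pick the longest matching prefix. The following added example (not code from the original article) mirrors that table, including the implicit `local` route every VPC carries for its own CIDR, and resolves destinations the way the VPC router does. `lookup_route` and the target labels are this example's own constructions.

```python
# Added example (not from the original article): longest-prefix-match lookup
# over a route table shaped like the article's private route table.
import ipaddress

# Constructed mirror of the private route table. The VPC's own CIDR always has
# an implicit "local" route that cannot be removed.
PRIVATE_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("10.1.0.0/16", "pcx-peering"),
    ("0.0.0.0/0", "nat-gateway"),
]


def lookup_route(routes, destination):
    """Return the target for destination using longest-prefix match, or None.

    Every matching route is considered and the most specific prefix wins, so
    10.1.4.20 leaves via the peering connection even though 0.0.0.0/0 also
    matches it. No match at all means the packet is dropped.
    """
    dest = ipaddress.ip_address(destination)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def internet_bound(routes, destinations):
    """Destinations that would leave through the NAT gateway, i.e. the traffic
    worth logging with VPC Flow Logs when reviewing what private hosts reach."""
    return [d for d in destinations if lookup_route(routes, d) == "nat-gateway"]


if __name__ == "__main__":
    # Constructed destinations: a local host, a peered host, a public address.
    for dst in ("10.0.10.5", "10.1.4.20", "93.184.216.34"):
        print(f"{dst:15s} -> {lookup_route(PRIVATE_ROUTE_TABLE, dst)}")
    print("internet-bound:", internet_bound(PRIVATE_ROUTE_TABLE,
                                            ["10.0.10.5", "93.184.216.34"]))
```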
NAT Gateways
NAT Gateways enable private subnet resources to access the internet while preventing inbound connections.
```hcl
# AWS NAT Gateway
resource "aws_nat_gateway" "main" {
  allocation_id = aws_eip.nat.id
  subnet_id     = aws_subnet.public_1a.id

  tags = {
    Name = "main-nat-gateway"
  }

  # The gateway needs a working internet path before it can be created
  depends_on = [aws_internet_gateway.main]
}

resource "aws_eip" "nat" {
  domain = "vpc"

  tags = {
    Name = "nat-eip"
  }
}
```
VPC Peering and Connectivity
Connecting VPCs enables communication between cloud resources.
VPC Peering
```hcl
# AWS VPC Peering
resource "aws_vpc_peering_connection" "main" {
  vpc_id        = aws_vpc.main.id       # requester side
  peer_vpc_id   = aws_vpc.secondary.id  # accepter side
  peer_owner_id = var.account_id

  tags = {
    Name = "vpc-peering"
  }
}

# Accept peering connection (in peer account)
resource "aws_vpc_peering_connection_accepter" "accept" {
  vpc_peering_connection_id = aws_vpc_peering_connection.main.id
  auto_accept               = true

  tags = {
    Name = "vpc-peering-accept"
  }
}
```
Transit Gateway
For complex networks, Transit Gateway provides hub-and-spoke connectivity.
```hcl
# AWS Transit Gateway
resource "aws_ec2_transit_gateway" "main" {
  amazon_side_asn                 = 64512
  auto_accept_shared_attachments  = "enable"
  default_route_table_association = "enable"
  default_route_table_propagation = "enable"

  tags = {
    Name = "transit-gateway"
  }
}

# Attach VPC to Transit Gateway (one subnet per AZ the attachment should serve;
# assumes a second private subnet exists alongside private_1a)
resource "aws_ec2_transit_gateway_vpc_attachment" "main" {
  subnet_ids         = [aws_subnet.private_1a.id, aws_subnet.private_2a.id]
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  vpc_id             = aws_vpc.main.id
}
```
VPN Connections
Site-to-site VPN provides encrypted connectivity between on-premises and cloud.
```hcl
# AWS VPN Connection
resource "aws_vpn_gateway" "main" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "vpn-gateway"
  }
}

resource "aws_vpn_connection" "main" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.main.id
  type                = "ipsec.1"
  static_routes_only  = false  # routes are exchanged over BGP

  tags = {
    Name = "site-vpn"
  }
}

resource "aws_customer_gateway" "main" {
  bgp_asn    = 65000
  ip_address = "203.0.113.1"  # public IP of the on-premises VPN device
  type       = "ipsec.1"

  tags = {
    Name = "customer-gateway"
  }
}
```
Network Security
Securing network traffic is paramount. Two complementary filtering layers are available: security groups, which are stateful and attached to individual resources, and network ACLs, which are stateless and applied to whole subnets.
Security Groups
```hcl
# AWS Security Group - Web Server
resource "aws_security_group" "web" {
  name        = "web-sg"
  description = "Security group for web servers"
  vpc_id      = aws_vpc.main.id

  # Inbound rules
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "HTTPS from anywhere"
  }

  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
    description = "HTTP from anywhere"
  }

  # Outbound rules
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
    description = "Allow all outbound"
  }

  tags = {
    Name = "web-security-group"
  }
}
```
Network ACLs
```hcl
# AWS Network ACL
resource "aws_network_acl" "main" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = [aws_subnet.public_1a.id]  # a NACL only filters subnets it is associated with

  # Allow HTTP/HTTPS inbound
  ingress {
    rule_no    = 100
    protocol   = "tcp"
    from_port  = 80
    to_port    = 80
    action     = "allow"
    cidr_block = "0.0.0.0/0"
  }

  ingress {
    rule_no    = 110
    protocol   = "tcp"
    from_port  = 443
    to_port    = 443
    action     = "allow"
    cidr_block = "0.0.0.0/0"
  }

  # Return traffic for connections initiated from inside the subnet
  ingress {
    rule_no    = 120
    protocol   = "tcp"
    from_port  = 1024
    to_port    = 65535
    action     = "allow"
    cidr_block = "0.0.0.0/0"
  }

  # Deny all other inbound (explicit; the ACL ends with an implicit deny anyway)
  ingress {
    rule_no    = 900
    protocol   = "-1"
    from_port  = 0
    to_port    = 0
    action     = "deny"
    cidr_block = "0.0.0.0/0"
  }

  # NACLs are stateless: responses to the web clients above leave on the
  # clients' ephemeral ports and need their own egress rule, and so does
  # outbound HTTPS from the subnet. Without egress rules nothing gets out.
  egress {
    rule_no    = 100
    protocol   = "tcp"
    from_port  = 1024
    to_port    = 65535
    action     = "allow"
    cidr_block = "0.0.0.0/0"
  }

  egress {
    rule_no    = 110
    protocol   = "tcp"
    from_port  = 443
    to_port    = 443
    action     = "allow"
    cidr_block = "0.0.0.0/0"
  }

  tags = {
    Name = "main-nacl"
  }
}
```
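The practical difference between the two layers is easiest to see by evaluating packets against the rules. The following added example (not code from the original article) implements network ACL semantics as AWS applies them: rules are consulted in ascending rule number, the first match decides, and a packet matching nothing hits the implicit deny. It then checks an inbound HTTPS connection in both directions, which is exactly what a stateless filter requires, and shows that the ingress rules alone are not enough. The rule tuples, `evaluate` and `tcp_exchange_allowed` are this example's own constructions; the client address is a constructed documentation-range value.

```python
# Added example (not from the original article): stateless NACL evaluation,
# ascending rule number, first match wins, implicit deny when nothing matches.
import ipaddress

# Rule: (rule_no, protocol, from_port, to_port, action, cidr). Protocol "-1"
# means every protocol and ignores the port range, as in the Terraform above.
INGRESS = [
    (100, "tcp", 80, 80, "allow", "0.0.0.0/0"),
    (110, "tcp", 443, 443, "allow", "0.0.0.0/0"),
    (900, "-1", 0, 0, "deny", "0.0.0.0/0"),
]

# Constructed egress tables: one empty, one with the ephemeral-port rule.
EGRESS_EMPTY = []
EGRESS_FIXED = [
    (100, "tcp", 1024, 65535, "allow", "0.0.0.0/0"),  # responses to inbound clients
]


def evaluate(rules, protocol, dst_port, remote_ip):
    """Return 'allow' or 'deny' for one packet.

    dst_port is the packet's destination port: the server port for inbound
    requests, the client's ephemeral port for outbound responses.
    """
    ip = ipaddress.ip_address(remote_ip)
    for rule_no, proto, lo, hi, action, cidr in sorted(rules):
        if proto != "-1" and proto != protocol:
            continue
        if proto != "-1" and not (lo <= dst_port <= hi):
            continue
        if ip in ipaddress.ip_network(cidr):
            return action  # first match wins; later rules are never consulted
    return "deny"  # implicit deny at the end of every NACL


def tcp_exchange_allowed(ingress, egress, client_ip, client_port, server_port):
    """A stateless ACL must pass both directions independently: the request
    matched on the server port, the response matched on the client port."""
    request = evaluate(ingress, "tcp", server_port, client_ip)
    response = evaluate(egress, "tcp", client_port, client_ip)
    return request == "allow" and response == "allow"


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed client address (documentation range)
    print("ingress only      :", tcp_exchange_allowed(INGRESS, EGRESS_EMPTY, client, 51234, 443))
    print("with ephemeral egress:", tcp_exchange_allowed(INGRESS, EGRESS_FIXED, client, 51234, 443))
    print("ssh from internet :", evaluate(INGRESS, "tcp", 22, client))
```

Rule numbering is the other trap the evaluator makes visible: a broad deny with a lower number than a specific allow silences the allow entirely, so keep explicit denies at high numbers, as the Terraform block does with 900.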
Conclusion
Cloud networking fundamentals provide the foundation for secure, scalable cloud architectures. Understanding VPCs, subnets, routing, and security constructs enables you to design networks that meet organizational requirements while leveraging cloud capabilities.
Key takeaways include designing for high availability using multiple availability zones, implementing defense in depth through security groups and network ACLs, using NAT gateways for private subnet internet access, and leveraging VPC peering or Transit Gateway for VPC interconnection.
As cloud architectures grow in complexity, network design becomes increasingly important. Invest time in planning your network architecture, and your cloud deployments will be more secure, performant, and manageable.