Cloud Networking

  • Cloud networking enables organizations to extend their on-premises networks to cloud providers, creating hybrid connectivity that supports distributed workloads
  • Traditional networking concepts apply but require adaptation for virtualized environments, shared infrastructure, and dynamic scaling requirements
  • Cloud providers offer networking services that abstract physical hardware while maintaining familiar routing, switching, and security paradigms

Core Cloud Network Components

  • Virtual Private Cloud (VPC) - Logically isolated network segment within the cloud provider's infrastructure (similar to VLANs but at datacenter scale)
  • Subnets - Subdivisions of VPC address space, typically aligned with availability zones for redundancy
  • Internet Gateway - Provides internet access to VPC resources (equivalent to default route 0.0.0.0/0 in traditional networks)
  • NAT Gateway/Instance - Enables outbound internet access for private subnets without exposing internal resources to inbound traffic
  • Route Tables - Control traffic flow between subnets and external destinations (functions like static routing tables)

Connectivity Models

  • Site-to-Site VPN - IPsec tunnels connecting on-premises networks to cloud VPCs over the internet
    • Uses BGP for dynamic routing and redundancy
    • Throughput typically limited to 1-2 Gbps per tunnel
    • Cost-effective but dependent on internet quality
  • Direct Connect/ExpressRoute - Dedicated physical circuits that bypass the internet
    • Provides consistent bandwidth (1 Gbps to 100 Gbps) and lower latency
    • Supports multiple VLANs over a single physical connection
    • Higher cost but predictable performance for mission-critical workloads
  • Transit Gateway - Centralized routing hub connecting multiple VPCs and on-premises networks
    • Eliminates the need for complex mesh topologies
    • Supports up to 5,000 route table entries per gateway

Cloud vs Traditional Networking Comparison

Aspect           Traditional Network                 Cloud Network
---------------  ----------------------------------  ----------------------------------
Infrastructure   Physical switches/routers           Virtualized/software-defined
Scalability      Manual hardware addition            Dynamic scaling via API
Redundancy       Hardware-based (HSRP/VRRP)          Built into platform services
Security         Perimeter-focused firewalls         Distributed security groups
Routing          OSPF/EIGRP within organization      BGP between autonomous systems
Cost Model       CAPEX hardware investment           OPEX usage-based pricing

Security and Access Control

  • Security Groups - Stateful firewalls operating at instance level (allow rules only, deny by default)
    • Rules specify protocol, port range, and source/destination
    • Changes take effect immediately without reboot
  • Network ACLs - Stateless firewalls at subnet level providing an additional defense layer
    • Process rules in numerical order (lowest number first)
    • Require explicit allow rules for both inbound and outbound traffic
  • VPC Flow Logs - Capture network traffic metadata for security analysis and troubleshooting
    • Records source/destination IPs, ports, protocols, and packet counts
    • Essential for compliance and incident response
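
Added example (not part of these notes): a small Python model of the two firewall layers above, showing that a network ACL is evaluated in rule-number order and needs its own outbound allow for reply traffic, while a security group is stateful and combines the allow rules of every attached group. The CIDRs, rule numbers and group contents are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    number: int      # NACL evaluation order (ascending); unused for security groups
    proto: str       # "tcp" or "udp"
    port_lo: int
    port_hi: int
    cidr: str
    action: str      # "allow" or "deny"; security groups only ever hold "allow"

    def matches(self, proto, port, addr):
        return (self.proto == proto and self.port_lo <= port <= self.port_hi
                and ip_address(addr) in ip_network(self.cidr))

def nacl_decision(rules, proto, port, addr):
    """Stateless NACL: first match in ascending rule-number order wins; no match -> deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(proto, port, addr):
            return r.action
    return "deny"

def sg_decision(groups, proto, port, addr):
    """Security groups: allow-only, deny by default, rules of all attached groups combined."""
    return "allow" if any(r.matches(proto, port, addr) for g in groups for r in g) else "deny"

def ssh_session_allowed(inbound_nacl, outbound_nacl, groups, client, client_port):
    """A full TCP/22 session needs the SYN to pass inbound NACL and security group, and
    the reply (to the client's ephemeral port) to pass the outbound NACL. The security
    group is stateful, so its reply direction is allowed automatically."""
    syn_ok = (nacl_decision(inbound_nacl, "tcp", 22, client) == "allow"
              and sg_decision(groups, "tcp", 22, client) == "allow")
    reply_ok = nacl_decision(outbound_nacl, "tcp", client_port, client) == "allow"
    return syn_ok and reply_ok

# Constructed sample policy (documentation address ranges). The deny entry is numbered
# below the broad allow on purpose: the lower number is evaluated first and wins.
INBOUND_NACL = [Rule(100, "tcp", 22, 22, "203.0.113.0/24", "deny"),
                Rule(110, "tcp", 22, 22, "0.0.0.0/0", "allow")]
OUTBOUND_NACL = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]  # ephemeral ports
BASTION_SG = [Rule(0, "tcp", 22, 22, "198.51.100.0/24", "allow")]
OPS_SG = [Rule(0, "tcp", 22, 22, "192.0.2.0/24", "allow")]

if __name__ == "__main__":
    print(nacl_decision(INBOUND_NACL, "tcp", 22, "203.0.113.7"))            # deny
    print(sg_decision([BASTION_SG, OPS_SG], "tcp", 22, "192.0.2.9"))        # allow
    print(ssh_session_allowed(INBOUND_NACL, OUTBOUND_NACL, [BASTION_SG], "198.51.100.5", 51515))
    print(ssh_session_allowed(INBOUND_NACL, [], [BASTION_SG], "198.51.100.5", 51515))  # False
```

Removing the outbound ephemeral-port rule is the classic stateless-ACL mistake: the SYN is accepted but the server's replies are dropped.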

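Added example (not part of these notes): a Python parser for default-format VPC flow log records with two simple detections run over constructed sample lines, accepted admin-port connections from outside the VPC and a single external source rejected on many distinct ports. The VPC CIDR, threshold, account id, interface id and addresses are assumed placeholders.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

VPC_CIDR = ip_network("10.0.0.0/16")    # assumed VPC address space
ADMIN_PORTS = {22, 3389}                # SSH and RDP
SCAN_PORT_THRESHOLD = 5                 # assumed: distinct rejected ports from one source
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
def parse_flow_record(line):
    """Parse one default-format (v2) flow log record. NODATA/SKIPDATA records carry
    '-' in the traffic fields, so only convert values that are actually numeric."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec

def analyse(lines):
    """Flag accepted admin-port connections from outside the VPC and sources whose
    rejected flows touch many distinct ports (a scan-like pattern)."""
    findings, rejected_ports = [], defaultdict(set)
    for line in lines:
        rec = parse_flow_record(line)
        if rec["log_status"] != "OK":
            continue                    # no traffic fields to judge
        src, dst = rec["srcaddr"], rec["dstaddr"]
        if ip_address(src) in VPC_CIDR or ip_address(dst) not in VPC_CIDR:
            continue                    # only inbound flows from outside the VPC
        if rec["action"] == "ACCEPT" and rec["protocol"] == 6 and rec["dstport"] in ADMIN_PORTS:
            findings.append(("external-admin-access", src, dst, rec["dstport"]))
        elif rec["action"] == "REJECT":
            rejected_ports[src].add(rec["dstport"])
    for src, ports in rejected_ports.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings.append(("port-scan-like", src, len(ports)))
    return findings
# Constructed sample records (account id, interface id and addresses are placeholders).
SAMPLE_LOG = """\
2 111122223333 eni-0abc1234 203.0.113.7 10.0.1.10 44321 22 6 12 2048 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc1234 10.0.2.20 10.0.1.10 51000 22 6 8 1200 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0abc1234 198.51.100.9 10.0.1.10 40001 21 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc1234 198.51.100.9 10.0.1.10 40002 23 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc1234 198.51.100.9 10.0.1.10 40003 25 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc1234 198.51.100.9 10.0.1.10 40004 80 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc1234 198.51.100.9 10.0.1.10 40005 443 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0abc1234 - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()
```

Running analyse(SAMPLE_LOG) returns one external-admin-access finding for 203.0.113.7 and one port-scan-like finding for 198.51.100.9; the internal SSH flow and the NODATA record produce nothing.
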
Load Balancing and High Availability

  • Application Load Balancer (Layer 7) - Routes HTTP/HTTPS traffic based on content
    • Supports path-based and host-based routing rules
    • Integrates with SSL termination and Web Application Firewall (WAF)
  • Network Load Balancer (Layer 4) - Distributes TCP/UDP traffic with ultra-low latency
    • Preserves client IP addresses for server logging
    • Handles millions of requests per second with static IP addresses
  • Auto Scaling Groups - Automatically adjust instance count based on demand
    • Works with load balancers to distribute traffic across healthy instances
    • Maintains desired capacity across multiple availability zones

Vocabulary

  • Availability Zone (AZ) - Isolated datacenter within a cloud region with independent power, cooling, and networking
  • CIDR Block - IP address range assigned to VPC using Classless Inter-Domain Routing notation (e.g., 10.0.0.0/16)
  • Elastic IP - Static public IP address that can be reassigned between instances
  • Peering Connection - Direct network route between two VPCs enabling private communication
  • Bastion Host - Hardened server providing secure access to private subnet resources
  • Edge Location - Geographically distributed cache serving content closer to end users

Notes

  • Always design VPCs with non-overlapping CIDR blocks to avoid routing conflicts during peering or VPN connections
  • Cloud providers typically reserve the first four and the last IP address in each subnet (network, gateway, DNS, and broadcast equivalent)
  • Security groups are additive - an instance can belong to multiple groups, and the combined rules take effect
  • Route table priority follows most specific match principle (longest prefix match) just like traditional routing
  • Consider data transfer costs when designing multi-region architectures - traffic between regions incurs charges while intra-region traffic is often free
  • Use infrastructure as code tools (Terraform, CloudFormation) to maintain consistent network configurations across environments
  • Cloud networking latency is generally higher than on-premises networking due to virtualization overhead - factor this into application design
  • BGP AS numbers in cloud environments are often assigned by the provider - coordinate with the cloud architect for proper configuration
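
Added example (not part of these notes) covering three of the notes above in Python's standard ipaddress module: usable host count after the five reserved addresses, detecting overlapping VPC CIDRs before peering, and longest-prefix-match route selection. The VPC names, CIDRs and gateway ids are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

RESERVED_PER_SUBNET = 5   # first four addresses plus the last one, as noted above

def usable_hosts(subnet):
    """Addresses left for instances once the provider's reserved five are removed."""
    return max(ip_network(subnet).num_addresses - RESERVED_PER_SUBNET, 0)

def subnet_fits(vpc_cidr, subnet):
    """A subnet must be carved from its VPC's own address space."""
    return ip_network(subnet).subnet_of(ip_network(vpc_cidr))

def peering_conflicts(vpcs):
    """Every pair of VPCs whose CIDRs overlap; routing between them over peering or VPN is ambiguous."""
    names = list(vpcs)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ip_network(vpcs[a]).overlaps(ip_network(vpcs[b]))]

def select_route(route_table, destination):
    """Longest-prefix match: the most specific route containing the destination wins,
    regardless of the order entries appear in the table."""
    dest, best = ip_address(destination), None
    for prefix, target in route_table:
        net = ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

# Constructed sample data; the gateway ids are placeholders, not real resource ids.
VPCS = {"prod": "10.0.0.0/16", "dev": "10.1.0.0/16", "partner": "10.0.128.0/17"}
ROUTES = [("0.0.0.0/0", "igw-PLACEHOLDER"),        # default route to the internet gateway
          ("10.0.0.0/16", "local"),                # the VPC's own CIDR
          ("10.1.0.0/16", "pcx-PLACEHOLDER"),      # peering connection to dev
          ("192.168.0.0/16", "vgw-PLACEHOLDER")]   # site-to-site VPN to on-premises

if __name__ == "__main__":
    print(usable_hosts("10.0.1.0/24"))          # 251
    print(peering_conflicts(VPCS))              # [('prod', 'partner')]
    print(select_route(ROUTES, "10.0.5.4"))     # local, not the 0.0.0.0/0 default
```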