Cloud networking provides powerful abstractions over physical network infrastructure, but with great power comes complexity. Understanding how cloud providers handle networking helps you design secure, scalable applications and troubleshoot connectivity issues in cloud environments.

Prerequisites

Basic understanding of IP addressing and subnetting
Familiarity with at least one major cloud provider (AWS, Azure, or GCP)
Knowledge of firewalls and network security concepts

Virtual Private Clouds (VPCs)

A VPC is your private network in the cloud - isolated from other customers but connected to the internet when you need it.

AWS VPC (10.0.0.0/16)
┌───────────────────────────────────────────────────────────────────────┐
│                                                                       │
│  Availability Zone A              │         Availability Zone B       │
│  ┌─────────────────────────────┐  │  ┌─────────────────────────────┐  │
│  │     Public Subnet           │  │  │     Public Subnet           │  │
│  │     10.0.1.0/24             │  │  │     10.0.2.0/24             │  │
│  │  ┌─────────┐ ┌─────────┐    │  │  │  ┌─────────┐ ┌─────────┐    │  │
│  │  │   ALB   │ │   NAT   │    │  │  │  │   ALB   │ │   NAT   │    │  │
│  │  │10.0.1.10│ │10.0.1.20│    │  │  │  │10.0.2.10│ │10.0.2.20│    │  │
│  │  └─────────┘ └─────────┘    │  │  │  └─────────┘ └─────────┘    │  │
│  └─────────────────────────────┘  │  └─────────────────────────────┘  │
│  ┌─────────────────────────────┐  │  ┌─────────────────────────────┐  │
│  │     Private Subnet          │  │  │     Private Subnet          │  │
│  │     10.0.10.0/24            │  │  │     10.0.20.0/24            │  │
│  │  ┌─────────┐ ┌─────────┐    │  │  │  ┌─────────┐ ┌─────────┐    │  │
│  │  │  Web-1  │ │  API-1  │    │  │  │  │  Web-2  │ │  API-2  │    │  │
│  │  │10.0.10.1│ │10.0.10.2│    │  │  │  │10.0.20.1│ │10.0.20.2│    │  │
│  │  └─────────┘ └─────────┘    │  │  │  └─────────┘ └─────────┘    │  │
│  └─────────────────────────────┘  │  └─────────────────────────────┘  │
│  ┌─────────────────────────────┐  │  ┌─────────────────────────────┐  │
│  │     Database Subnet         │  │  │     Database Subnet         │  │
│  │     10.0.100.0/28           │  │  │     10.0.100.16/28          │  │
│  │  ┌─────────┐                │  │  │  ┌─────────┐                │  │
│  │  │  RDS    │                │  │  │  │  RDS    │                │  │
│  │  │Primary  │                │  │  │  │Replica  │                │  │
│  │  └─────────┘                │  │  │  └─────────┘                │  │
│  └─────────────────────────────┘  │  └─────────────────────────────┘  │
└───────────────────────────────────────────────────────────────────────┘
                                    │
                                    ▼
                            Internet Gateway
                                    │
                                    ▼
                                Internet

Traffic Flow:
Internet > Internet Gateway > Public Subnet (ALB) > Private Subnet (Apps) > Database Subnet (RDS)
Private Subnet > NAT Gateway > Internet Gateway > Internet (for outbound)

Let's create a basic VPC to understand the concepts:

# Create a VPC with CLI
aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications \
  'ResourceType=vpc,Tags=[{Key=Name,Value=demo-vpc}]'

# Create subnets within the VPC
aws ec2 create-subnet --vpc-id vpc-12345678 --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a --tag-specifications \
  'ResourceType=subnet,Tags=[{Key=Name,Value=public-subnet-1a}]'

aws ec2 create-subnet --vpc-id vpc-12345678 --cidr-block 10.0.2.0/24 \
  --availability-zone us-east-1b --tag-specifications \
  'ResourceType=subnet,Tags=[{Key=Name,Value=private-subnet-1b}]'

This creates a VPC with two subnets in different availability zones for high availability.

Subnet Types

Public Subnets: Have direct internet access via Internet Gateway

# Create internet gateway
aws ec2 create-internet-gateway --tag-specifications \
  'ResourceType=internet-gateway,Tags=[{Key=Name,Value=demo-igw}]'

# Attach to VPC
aws ec2 attach-internet-gateway --vpc-id vpc-12345678 --internet-gateway-id igw-87654321

# Create route table for public subnet
aws ec2 create-route-table --vpc-id vpc-12345678 --tag-specifications \
  'ResourceType=route-table,Tags=[{Key=Name,Value=public-rt}]'

# Add route to internet gateway
aws ec2 create-route --route-table-id rtb-11111111 \
  --destination-cidr-block 0.0.0.0/0 --gateway-id igw-87654321

Private Subnets: No direct internet access, use NAT for outbound traffic

# Create NAT gateway in public subnet
aws ec2 create-nat-gateway --subnet-id subnet-public --allocation-id eipalloc-12345

# Create route table for private subnet
aws ec2 create-route-table --vpc-id vpc-12345678 --tag-specifications \
  'ResourceType=route-table,Tags=[{Key=Name,Value=private-rt}]'

# Route private traffic through NAT gateway
aws ec2 create-route --route-table-id rtb-22222222 \
  --destination-cidr-block 0.0.0.0/0 --nat-gateway-id nat-12345678

Security Groups vs Network ACLs

Cloud providers offer multiple layers of network security.

Security Groups (Stateful)

Security groups act like firewalls attached to individual instances:

# Create security group for web servers
aws ec2 create-security-group --group-name web-servers \
  --description "Security group for web servers" --vpc-id vpc-12345678

# Allow HTTP and HTTPS traffic
aws ec2 authorize-security-group-ingress --group-id sg-web12345 \
  --protocol tcp --port 80 --cidr 0.0.0.0/0

aws ec2 authorize-security-group-ingress --group-id sg-web12345 \
  --protocol tcp --port 443 --cidr 0.0.0.0/0

# Allow SSH from management subnet only
aws ec2 authorize-security-group-ingress --group-id sg-web12345 \
  --protocol tcp --port 22 --cidr 10.0.100.0/24

Security groups are stateful - if you allow inbound traffic, the return traffic is automatically allowed.

Network ACLs (Stateless)

Network ACLs provide subnet-level filtering:

# Create custom network ACL
aws ec2 create-network-acl --vpc-id vpc-12345678

# Add rules (must specify both inbound and outbound)
aws ec2 create-network-acl-entry --network-acl-id acl-12345678 \
  --rule-number 100 --protocol tcp --port-range From=80,To=80 \
  --cidr-block 0.0.0.0/0 --rule-action allow

# Add corresponding outbound rule for stateless operation
aws ec2 create-network-acl-entry --network-acl-id acl-12345678 \
  --rule-number 100 --protocol tcp --port-range From=32768,To=65535 \
  --cidr-block 0.0.0.0/0 --rule-action allow --egress

Network ACLs are stateless - you must explicitly allow both directions of traffic.

Cloud Load Balancing

Cloud providers offer managed load balancing services.

Application Load Balancer (AWS)

Application Load Balancers operate at Layer 7 and can route based on content:

# Create application load balancer
aws elbv2 create-load-balancer --name demo-alb \
  --subnets subnet-12345678 subnet-87654321 \
  --security-groups sg-alb12345

# Create target group
aws elbv2 create-target-group --name web-targets \
  --protocol HTTP --port 80 --vpc-id vpc-12345678 \
  --health-check-path /health

# Register targets
aws elbv2 register-targets --target-group-arn arn:aws:elasticloadbalancing:... \
  --targets Id=i-instance1,Port=80 Id=i-instance2,Port=80

# Create listener
aws elbv2 create-listener --load-balancer-arn arn:aws:elasticloadbalancing:... \
  --protocol HTTP --port 80 \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:...

Advanced Load Balancer Features

Route traffic based on request attributes:

{
  "Type": "forward",
  "ForwardConfig": {
    "TargetGroups": [
      {
        "TargetGroupArn": "arn:aws:elasticloadbalancing:...:targetgroup/api-v1/...",
        "Weight": 90
      },
      {
        "TargetGroupArn": "arn:aws:elasticloadbalancing:...:targetgroup/api-v2/...",
        "Weight": 10
      }
    ]
  },
  "Conditions": [
    {
      "Field": "path-pattern",
      "Values": ["/api/*"]
    }
  ]
}

This configuration sends 90% of API traffic to v1 and 10% to v2 for gradual rollouts.

Multi-Cloud Networking

Organizations often use multiple cloud providers for redundancy or specific services.

Multi-Cloud Architecture

┌───────────────────────────────────────────────────────────────┐
│                       Internet                                │
└────────────────────┬──────────────────┬───────────────────────┘
                     │                  │
┌────────────────────▼────────────────┐ │ ┌─────────────────────▼───────────┐
│        AWS (us-east-1)              │ │ │         Azure (eastus)          │
│ ┌─────────────────────────────────┐ │ │ │  ┌───────────────────────────┐  │
│ │     VPC (10.1.0.0/16)           │ │ │ │  │     VNet (10.2.0.0/16)    │  │
│ │  ┌─────────┐ ┌─────────┐        │ │ │ │  │  ┌─────────┐ ┌─────────┐  │  │
│ │  │   ALB   │ │   EC2   │        │ │ │ │  │  │   ALB   │ │   VM    │  │  │
│ │  │         │ │ Web App │        │ │ │ │  │  │         │ │ Web App │  │  │
│ │  └─────────┘ └─────────┘        │ │ │ │  │  └─────────┘ └─────────┘  │  │
│ └─────────────────────────────────┘ │ │ │  └───────────────────────────┘  │
└──────────────┬──────────────────────┘ │ └──────────────┬──────────────────┘
               │                        │                │
               │      VPN Tunnel        │                │
               │  (IPSec/Site-to-Site)  │                │
               └────────────────────────┼────────────────┘
                                        │
              ┌─────────────────────────▼──────────────────┐
              │                  GCP (us-central1)         │
              │ ┌───────────────────────────────────────┐  │
              │ │                VPC (10.3.0.0/16)      │  │
              │ │  ┌─────────┐ ┌─────────┐ ┌─────────┐  │  │
              │ │  │   LB    │ │   GKE   │ │Database │  │  │
              │ │  │         │ │Cluster  │ │(Global) │  │  │
              │ │  └─────────┘ └─────────┘ └─────────┘  │  │
              │ └───────────────────────────────────────┘  │
              └────────────────────────────────────────────┘

Connectivity Matrix:
AWS ←→ Azure: VPN Gateway (IPSec)
AWS ←→ GCP:   Cloud Interconnect
Azure ←→ GCP: ExpressRoute + Cloud Interconnect
All ←→ Users: Global DNS (Route 53/Traffic Manager/Cloud DNS)

VPN Connections

Connect your VPCs across cloud providers:

# AWS: Create VPN gateway
aws ec2 create-vpn-gateway --type ipsec.1

# Create customer gateway (representing your on-premises or other cloud)
aws ec2 create-customer-gateway --type ipsec.1 \
  --public-ip 203.0.113.12 --bgp-asn 65000

# Create VPN connection
aws ec2 create-vpn-connection --type ipsec.1 \
  --customer-gateway-id cgw-12345678 --vpn-gateway-id vgw-87654321

VPC Peering

Connect VPCs within the same cloud provider:

# Create peering connection between VPCs
aws ec2 create-vpc-peering-connection \
  --vpc-id vpc-12345678 --peer-vpc-id vpc-87654321

# Accept the peering connection
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-12345678

# Update route tables to enable communication
aws ec2 create-route --route-table-id rtb-11111111 \
  --destination-cidr-block 10.1.0.0/16 --vpc-peering-connection-id pcx-12345678

Cloud DNS Services

Cloud providers offer managed DNS services with advanced features.

Route 53 (AWS) Advanced Routing

Health-based routing automatically removes unhealthy endpoints:

{
  "Changes": [
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "api.example.com",
        "Type": "A",
        "SetIdentifier": "primary",
        "TTL": 60,
        "ResourceRecords": [{ "Value": "203.0.113.10" }],
        "HealthCheckId": "12345678-1234-1234-1234-123456789012"
      }
    },
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "api.example.com",
        "Type": "A",
        "SetIdentifier": "secondary",
        "TTL": 60,
        "ResourceRecords": [{ "Value": "203.0.113.20" }],
        "HealthCheckId": "87654321-4321-4321-4321-210987654321",
        "Failover": "SECONDARY"
      }
    }
  ]
}

Geolocation Routing

Route users to the nearest datacenter:

# Create records for different geographic locations
aws route53 change-resource-record-sets --hosted-zone-id Z12345678 --change-batch '{
  "Changes": [
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "api.example.com",
        "Type": "A",
        "SetIdentifier": "US-East",
        "GeoLocation": {"ContinentCode": "NA"},
        "TTL": 300,
        "ResourceRecords": [{"Value": "203.0.113.10"}]
      }
    },
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "api.example.com",
        "Type": "A",
        "SetIdentifier": "Europe",
        "GeoLocation": {"ContinentCode": "EU"},
        "TTL": 300,
        "ResourceRecords": [{"Value": "203.0.113.20"}]
      }
    }
  ]
}'

Container Networking in the Cloud

Cloud platforms provide specialized networking for containers.

AWS EKS Networking

EKS uses the Amazon VPC CNI plugin for pod networking:

# aws-node-daemonset.yaml
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: aws-node
  namespace: kube-system
spec:
  template:
    spec:
      containers:
        - name: aws-node
          image: amazon/amazon-k8s-cni:v1.11.4
          env:
            - name: AWS_VPC_K8S_CNI_VETHPREFIX
              value: eni
            - name: AWS_VPC_ENI_MTU
              value: '9001'
            - name: AWS_VPC_K8S_CNI_LOG_LEVEL
              value: DEBUG

Each pod gets an IP address from your VPC subnet range:

# Check pod IP addresses
kubectl get pods -o wide

# Pods can be reached directly from other VPC resources
aws ec2 describe-instances --filters "Name=private-ip-address,Values=10.0.1.100"

Service Mesh in the Cloud

Cloud providers offer managed service mesh services:

# AWS App Mesh virtual service
apiVersion: appmesh.k8s.aws/v1beta2
kind: VirtualService
metadata:
  name: productpage
  namespace: bookinfo
spec:
  awsName: productpage
  provider:
    virtualRouter:
      virtualRouterRef:
        name: productpage-router

Cloud Network Monitoring

Cloud providers offer extensive networking monitoring and logging.

VPC Flow Logs

Capture network traffic for analysis:

# Enable VPC Flow Logs
aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-12345678 \
  --traffic-type ALL --log-destination-type cloud-watch-logs \
  --log-group-name VPCFlowLogs

# Query flow logs
aws logs filter-log-events --log-group-name VPCFlowLogs \
  --filter-pattern '[version, account, eni, source, destination, srcport, destport="22", protocol="6", packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]'

This query finds rejected SSH connection attempts.

CloudWatch Network Insights

Monitor application performance across network boundaries:

# Create network insights path
aws ec2 create-network-insights-path \
  --source i-instance1 --destination i-instance2 \
  --protocol tcp --destination-port 443

# Analyze the path
aws ec2 start-network-insights-analysis --network-insights-path-id nip-12345678

Cloud Cost Optimization

Cloud networking can generate significant costs.

Data Transfer Costs

Understand how data transfer pricing works:

# Same AZ: Usually free
# Same region, different AZ: ~$0.01/GB
# Different regions: ~$0.02/GB
# Internet egress: ~$0.09/GB (first 1TB free per month)

Optimize by:

Keeping related services in the same AZ when possible
Using CloudFront or other CDNs for static content
Compressing data before transfer

NAT Gateway Alternatives

NAT Gateways charge for data processing:

# Instead of NAT Gateway for all traffic
# Use VPC endpoints for AWS services
aws ec2 create-vpc-endpoint --vpc-id vpc-12345678 \
  --service-name com.amazonaws.us-east-1.s3 \
  --route-table-ids rtb-11111111

# This allows direct access to S3 without NAT Gateway costs

Troubleshooting Cloud Networking

Cloud networking issues require systematic debugging.

Connectivity Testing

Test connectivity step by step:

# 1. Can the instance reach the internet?
curl -I http://google.com

# 2. Can it reach other instances in the VPC?
ping 10.0.1.100

# 3. Are security groups allowing the traffic?
aws ec2 describe-security-groups --group-ids sg-12345678

# 4. Are network ACLs blocking traffic?
aws ec2 describe-network-acls --network-acl-ids acl-12345678

# 5. Is the route table configured correctly?
aws ec2 describe-route-tables --route-table-ids rtb-11111111

Flow Log Analysis

Use flow logs to understand traffic patterns:

# Analyze rejected connections
aws logs filter-log-events --log-group-name VPCFlowLogs \
  --filter-pattern '[version, account, eni, source, destination, srcport, destport, protocol, packets, bytes, windowstart, windowend, action="REJECT", flowlogstatus]' \
  --start-time $(date -d '1 hour ago' +%s)000

Load Balancer Health Checks

Debug load balancer health check failures:

# Check target health
aws elbv2 describe-target-health --target-group-arn arn:aws:elasticloadbalancing:...

# Review load balancer logs
aws s3 ls s3://my-alb-logs/AWSLogs/123456789012/elasticloadbalancing/us-east-1/

Multi-Region Architecture

Design applications that span multiple geographic regions.

Database Replication

Set up cross-region database replication:

# RDS read replica in different region
aws rds create-db-instance-read-replica \
  --db-instance-identifier replica-west \
  --source-db-instance-identifier arn:aws:rds:us-east-1:123456789012:db:primary-db \
  --db-instance-class db.r5.large

Global Load Balancing

Use Route 53 for global traffic distribution:

{
  "Changes": [
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "app.example.com",
        "Type": "A",
        "SetIdentifier": "us-east-1",
        "Latency": "us-east-1",
        "TTL": 60,
        "ResourceRecords": [{ "Value": "203.0.113.10" }]
      }
    },
    {
      "Action": "CREATE",
      "ResourceRecordSet": {
        "Name": "app.example.com",
        "Type": "A",
        "SetIdentifier": "us-west-2",
        "Latency": "us-west-2",
        "TTL": 60,
        "ResourceRecords": [{ "Value": "203.0.113.20" }]
      }
    }
  ]
}

Security Best Practices

Cloud networking security requires multiple layers of protection.

Network Segmentation

Use multiple VPCs for isolation:

# Production VPC: 10.0.0.0/16
# Staging VPC: 10.1.0.0/16
# Development VPC: 10.2.0.0/16
# Management VPC: 10.3.0.0/16

# Connect with peering or transit gateway as needed

Principle of Least Privilege

Only allow necessary network access:

# Instead of allowing all traffic from a subnet
aws ec2 authorize-security-group-ingress --group-id sg-12345678 \
  --protocol tcp --port 5432 --cidr 10.0.0.0/24

# Allow only from specific security group
aws ec2 authorize-security-group-ingress --group-id sg-db12345 \
  --protocol tcp --port 5432 --source-group sg-app12345

In the next section, we'll explore network monitoring and troubleshooting tools that help you maintain visibility into your cloud and on-premises network infrastructure.

Cloud networking provides powerful capabilities, but complexity increases with scale. Start simple, document your architecture, and gradually add advanced features as your needs grow.

Happy cloud networking!