Post

Cloud Networking Deep Dive: VPCs, Subnets, and NAT

Posted
By R G
1 min read

Introduction

Cloud networking is the foundation for every production system. Misconfigured subnets, routing tables, and NAT gateways are common causes of outages and security incidents. This deep dive covers the core primitives and how to design a secure, scalable network layout.

Core Building Blocks

Virtual Private Cloud (VPC)

A VPC provides isolated, software-defined networking with its own CIDR range, route tables, and security boundaries.

Subnets

Subnets divide the VPC into smaller address ranges.

  • Public subnets host internet-facing resources.
  • Private subnets host internal workloads.

Route Tables

Route tables determine how traffic exits each subnet.

  • Public subnets route 0.0.0.0/0 to an internet gateway.
  • Private subnets route 0.0.0.0/0 to a NAT gateway or firewall.

Network Address Translation (NAT)

NAT allows outbound internet access for private resources while preventing inbound traffic.

Design Patterns

Hub-and-Spoke

  • Centralize shared services in a hub VPC.
  • Connect workload VPCs via peering or transit gateways.

Segmented Environments

  • Separate production and non-production networks.
  • Use shared services for logging and security tooling.

Example: CIDR Planning in Python

This Python example helps validate subnet sizing and prevents overlapping CIDRs.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

from ipaddress import IPv4Network

vpc = IPv4Network("10.20.0.0/16")
subnets = [IPv4Network("10.20.0.0/20"), IPv4Network("10.20.16.0/20")]

for subnet in subnets:
    if not subnet.subnet_of(vpc):
        raise ValueError(f"Subnet {subnet} not within VPC {vpc}")

for i, subnet in enumerate(subnets):
    for other in subnets[i + 1:]:
        if subnet.overlaps(other):
            raise ValueError(f"Overlap detected between {subnet} and {other}")

print("CIDR plan validated")

Security Controls

  • Use security groups for stateful filtering.
  • Apply network ACLs for stateless subnet-level rules.
  • Enforce egress restrictions for regulated workloads.

Observability

  • Enable flow logs for VPCs and subnets.
  • Monitor NAT gateway throughput and errors.
  • Track DNS latency and failure rates.

Conclusion

Cloud networking is a discipline that requires deliberate planning. Solid subnet design, clear routing intent, and strong security boundaries provide the foundation for stable and secure cloud platforms.

Cloud
cloud networking vpc subnets nat routing security
This post is licensed under CC BY 4.0 by the author.