Cloud VPC Networking: Subnets, Routes, and Security Groups Explained
A Virtual Private Cloud (VPC) is your own private slice of a cloud provider’s network. AWS, Google Cloud, and Azure all offer VPCs that let you define IP ranges, subnets, and routing rules just like you would in a physical data center — but software-defined and provisioned in seconds.
The building blocks
Every cloud VPC is built from the same primitives, even when the names differ:
| Concept | AWS | GCP | Azure |
|---|---|---|---|
| Network container | VPC | VPC Network | VNet |
| IP segment | Subnet | Subnet | Subnet |
| Stateful firewall (instance) | Security Group | Firewall Rule | NSG |
| Subnet ACL | NACL | — | NSG (subnet) |
| Internet egress | IGW + NAT GW | Cloud NAT | NAT Gateway |
Designing the IP plan
Pick a private CIDR block (RFC 1918) for the entire VPC, then carve subnets out of it. A common 3-tier layout in 10.0.0.0/16:
10.0.0.0/24 public-web-az-a (NAT, Load balancer)
10.0.1.0/24 public-web-az-b
10.0.10.0/24 private-app-az-a (App servers, no internet)
10.0.11.0/24 private-app-az-b
10.0.20.0/24 private-db-az-a (Databases, locked down)
10.0.21.0/24 private-db-az-b
Spread subnets across availability zones for redundancy. Leave headroom — once a subnet is allocated you usually can’t resize it.
Routing
Each subnet attaches to a route table. A typical setup:
- Public subnet: default route 0.0.0.0/0 → Internet Gateway
- Private subnet: default route 0.0.0.0/0 → NAT Gateway (outbound only)
- Database subnet: no default route, only local VPC traffic
Security groups vs network ACLs
This trips up almost everyone. Security groups are stateful — if you allow outbound traffic, the response is automatically allowed back in. Network ACLs are stateless — you must explicitly allow both directions. Default to security groups for almost everything; reach for NACLs only when you need a hard subnet-level deny.
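To make the stateful/stateless distinction concrete, here is an added simulation (not from the article or from any cloud provider's code) of how a security group and a network ACL judge an app server's outbound HTTPS request and its reply. The addresses, ports and rules are constructed for illustration only.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# direction is "in" (toward the instance) or "out" (leaving it).
Packet = namedtuple("Packet", "src dst src_port dst_port direction")
# A rule names the remote peer's CIDR and the packet's destination-port range.
Rule = namedtuple("Rule", "direction cidr port_from port_to")

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    remote = pkt.src if pkt.direction == "in" else pkt.dst
    return (rule.direction == pkt.direction
            and ip_address(remote) in ip_network(rule.cidr)
            and rule.port_from <= pkt.dst_port <= rule.port_to)

def flow_key(pkt: Packet) -> tuple:
    # (local, local_port, remote, remote_port): a request and its reply
    # normalise to the same key, which is what connection tracking relies on.
    if pkt.direction == "out":
        return (pkt.src, pkt.src_port, pkt.dst, pkt.dst_port)
    return (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port)

def nacl_allows(rules, pkt: Packet) -> bool:
    """Stateless: each packet is judged alone, so replies need their own rule."""
    return any(rule_matches(r, pkt) for r in rules)

def sg_allows(rules, flows: set, pkt: Packet) -> bool:
    """Stateful: `flows` is the connection table; a permitted flow's reply passes."""
    key = flow_key(pkt)
    if key in flows:
        return True
    if any(rule_matches(r, pkt) for r in rules):
        flows.add(key)
        return True
    return False

def demo() -> dict:
    app, ext = "10.0.10.15", "203.0.113.7"        # constructed addresses
    request = Packet(app, ext, 50123, 443, "out")  # app server -> HTTPS API
    reply = Packet(ext, app, 443, 50123, "in")     # the API's response
    probe = Packet(ext, app, 40000, 22, "in")      # unsolicited inbound SSH
    https_out = Rule("out", "0.0.0.0/0", 443, 443)
    ephemeral_in = Rule("in", "0.0.0.0/0", 1024, 65535)
    sg_flows = set()
    return {
        "sg": tuple(sg_allows([https_out], sg_flows, p) for p in (request, reply, probe)),
        "nacl_one_way": tuple(nacl_allows([https_out], p) for p in (request, reply)),
        "nacl_two_way": tuple(nacl_allows([https_out, ephemeral_in], p) for p in (request, reply)),
    }
```

The one-way NACL drops the reply because nothing permits the inbound direction, while the two-way NACL fixes that only by opening the whole ephemeral port range to any source. That broad inbound rule is the price of statelessness, and it is why security groups are the better default.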
Connecting VPCs
VPCs are isolated by default. To join them, use VPC Peering (1:1 link), Transit Gateway (hub-and-spoke), VPN (encrypted tunnel to on-prem), or Direct Connect / Interconnect (dedicated fiber). Avoid the temptation to flatten everything — segmentation is your friend during incidents.
What to learn next
Cloud networks are still IP networks underneath, so revisit subnetting and CIDR notation. Then explore the modern delivery patterns in CDN basics and service meshes.