Summary
Highlights
Cloud computing allows for the rapid deployment and scaling of applications with seemingly unlimited resources, providing elasticity during peak demands. It utilizes multitenancy for efficiency and cost-effectiveness. The virtualization extends beyond servers to networks, enabling Network Function Virtualization (NFV), where physical networking devices like routers, switches, and firewalls are replaced by virtual versions.
A common cloud application instance includes web servers, database servers, load balancers, virtual switches, routers, and firewalls, all running within a Virtual Private Cloud (VPC). Multiple VPCs can be used to separate different applications or company departments. A Transit Gateway acts as a cloud router to connect these different VPCs, enabling communication between them.
For external access to VPCs, a VPN connection can provide secure access from remote sites or workstations. To make applications publicly available on the internet, an Internet Gateway is used. For VPCs to communicate outbound to external internet resources while maintaining internal privacy, a VPC NAT (Network Address Translation) Gateway is employed, translating private IP addresses to public ones.
Organizations using multiple cloud providers can achieve connectivity between their VPCs via a VPC endpoint, creating direct connections. An example demonstrates how public subnets can connect to cloud storage over the internet, while private subnets require a VPC endpoint for communication with cloud storage, ensuring security.
Cloud providers offer additional security layers like security groups and network access control lists (NACLs), which function as firewalls for cloud services. These control inbound and outbound traffic based on port numbers, protocols (TCP/UDP), and IP addresses (IPv4/IPv6 ranges or CIDR blocks). Security lists apply broadly to all virtual cloud networks within a VPC.
While network security lists offer broad protection, Network Security Groups (NSG) provide more granularity. NSGs allow rules to be assigned to individual Virtual Network Interface Cards (VNICs), enabling different security policies on different interfaces within the same subnet. This offers more precise control but also increases administrative overhead. For even greater security, virtual firewalls or other virtualized platforms can be implemented.