Documenting My Cloud Journey – Understanding the Backbone of Cloud Infrastructure
Introduction
When I started learning about cloud computing, networking felt like the part I was most tempted to skip. “Just give me Lambda, S3, and etc,” I thought. It was like a complex world of IPs, subnets, and protocols. But as I’ve progressed in my journey as a Cloud Solutions Architect trainee, I’ve come to see cloud networking for what it really is: the invisible highway that connects users to applications, services to each other, and data across the globe.
Everything in the cloud is talking to something else—and networking is the language.
Without understanding how services talk to each other, how they’re secured, and how traffic flows in and out of your environment, you're flying blind. So here’s a guide—an honest, example-driven introduction to networking in the cloud and why it’s essential for resilient, secure, and scalable solutions.
What is Cloud Networking?
Cloud networking is how resources (like EC2, S3, RDS, Lambda, etc.) connect and communicate with each other inside the cloud, and how they connect to the outside world (users, on-prem infrastructure, apps, other systems). securely and efficiently.
In traditional IT, this meant routers, switches, and cables. In the cloud? It’s all virtual—built using software-defined networking (SDN). You control your networking through dashboards, APIs, or Infrastructure as Code (like Terraform).
It includes:
- IP addressing
- Subnets
- Gateways
- Routing
- Firewalls (security groups/NACLs)
- DNS
- Load balancing
- Connectivity options (VPN, Direct Connect, VPC Peering, et c.)
Just like in the physical world, networks in the cloud are designed to manage traffic flow, security, speed, and availability.
Core Concepts
Here are the key AWS networking components I’ve learned to work with:
- Virtual Private Cloud (VPC) Your own private network space in the cloud. You control IP ranges, subnets, route tables, and more. Think of a VPC as your private space in the AWS cloud—a walled garden where you launch your resources.
You define:
- IP range (e.g., 10.0.0.0/16)
- Public and private subnets
- Internet access rules
- Security policies
Use Case: You launch a web server (EC2) in a public subnet so users can access it, and a database in a private subnet so only your app can talk to it. This keeps your DB secure and unreachable from the internet.
2. Subnets (Public vs Private)
Think of these as dividing your VPC into smaller neighborhoods. You usually have:
- Public Subnet: Resources like web servers that need internet access. Connected to the internet via an Internet Gateway.
- Private Subnet: Databases or backend services that should stay isolated. No direct internet access—great for sensitive data or internal services.
Public subnets are like storefronts on a busy street. Private subnets are like offices behind locked doors.
3. Route Tables
These are like traffic maps. They tell network packets where to go next. For example, “send internet-bound traffic to the IGW
- A public subnet's route table might say: 0.0.0.0/0 → Internet Gateway (send all internet traffic outside)
- A private subnet might route through a NAT Gateway instead.
Use Case: You need your app server in a private subnet to download updates from the internet, but you don’t want it exposed. Route it through a NAT Gateway.
4. Security Groups & NACLs
These act like firewalls. They control who can talk to whom.
Your cloud firewalls. Security Groups act like virtual firewalls for EC2, controlling inbound/outbound traffic. NACLs control traffic at the subnet level
- Security Groups: Attached to instances. Stateful (they remember connections).
- NACLs (Network ACLs): Attached to subnets. Stateless (rules must be explicitly set for both inbound and outbound traffic). Example: You allow inbound HTTP (port 80) only from the internet to your web server, and only allow traffic to your database from the app server’s IP.
5. Internet Gateway & NAT Gateway
Internet Gateway: Attaches to your VPC to allow public
traffic (like users accessing your web app) and enables resources in public subnets to talk directly to the internet.
NAT Gateway: Let private subnets initiate connections to the
internet without being exposed. Is that private instances access
the internet for updates (like apt install), but prevent them
from being accessed from the outside.
Use Case: Your Lambda functions or EC2 servers in private
Subnets need to fetch data from an external API securely—NAT
Gateway makes it happen.
6. VPC Peering & Transit Gateway
What if you have multiple VPCs and they need to talk to each other?
- VPC Peering: One-to-one connection between two VPCs.
- Transit Gateway: A scalable hub-and-spoke model to connect many VPCs. Real-World Example: Your company has a dev environment in one VPC and prod in another. VPC peering lets them share logs or data securely.
7. DNS with Route 53
Route 53 is AWS’s Domain Name System (DNS). It translates friendly names like api.myapp.com into IP addresses.
It also supports:
- Health checks
- Load balancing
- Geo-routing
Use Case: You want your customers in Europe to be routed to your European servers and US users to US servers—Route 53 handles that.
Why Networking in the Cloud Matters
Imagine building a brilliant web app that:
- Times out every few minutes
- Gets hacked due to an open port
- Can’t scale because backend services are stuck in one AZ
- Costs a fortune because traffic is routed inefficiently
These are not app problems — they’re networking problems.
Real-World Scenarios That Help It All Click
Streaming App Architecture
Imagine you're building a streaming platform like Netflix. You need:
- Public subnets: to host your APIs, load balancers
- Private subnets: to run your transcoding services and databases
- NAT Gateway: to let private services fetch updates from the internet
-
Route 53: to map
video.myflix.comto your backend services. Your networking design directly impacts performance, security, and costs.
Multi-Department VPC Setup
Your company has different departments: HR, Finance, and Engineering, each with its own VPC.
- Finance can’t access HR’s data.
- HR can share limited access with Engineering for reports.
- Use Transit Gateway to manage all connections from a single place. Now you’ve created network isolation with optional interconnectivity. That's cloud networking done right.
Hosting a Scalable Web App
- EC2 in a public subnet
- Database in a private subnet
- Load Balancer to distribute traffic
- Security groups to restrict access to only port 80/443
Hybrid Cloud: Connecting AWS to On-Prem
Use VPN or AWS Direct Connect to link your on-prem servers to your VPC securely
Cross-Region Replication
S3 buckets in different regions communicating via VPC Peering, CRR, and Route 53
Isolated Environments for Dev/Test/Prod
Separate VPCs with peering or a Transit Gateway for controlled communication
Networking & Security Go Hand-in-Hand
Many security issues start as networking misconfigurations:
- Open ports
- Overly permissive CIDR ranges
- Unrestricted SSH access
Best Practices I’ve Learned:
- Principle of least privilege (0.0.0.0/0 only where necessary)
- Use CloudFront to reduce direct exposure of S3/static content
- Don’t just “accept defaults” when setting up a VPC. Understand why something is public or private.
- Security Groups can stack plan rules carefully to avoid unintended access.
- Use AWS VPC Flow Logs to monitor traffic for debugging.
- Practice! Build a VPC with public and private subnets, deploy EC2s, and try connecting them—it clicks faster when you do it yourself.
Automation + Networking
I’ve also started using Terraform to automate network setups:
resource "aws_vpc" "main" {
cidr_block = "10.0.0.0/16"
}
resource "aws_subnet" "public" {
vpc_id = aws_vpc.main.id
cidr_block = "10.0.1.0/24"
map_public_ip_on_launch = true
}
Automating networking makes environments reproducible, auditable, and easy to tear down when needed.
Cloud Networking is Evolving
With modern tools like:
- AWS Transit Gateway
- PrivateLink
- Global Accelerator
- App Mesh
Doing it hands-on—setting up VPCs, subnets, and gateways—helped me truly understand what cloud networking is about. It’s not just IPs and rules; it’s the architecture of user experience.
Conclusion
Networking is the unsung hero of cloud architecture.
It’s not glamorous like AI, but nothing works without it.
Learning it changed how I design systems:
I now see flows, boundaries, and security layers instead of just “servers.”
If you're on a similar journey—don’t skip the basics. Get hands-on. Ask why. Test everything.
This is the foundation of everything you’ll build.
