GuideDevOps
Lesson 8 of 12

Cloud Networking & DNS

Part of the Cloud Computing tutorial series.

Virtual Private Cloud (VPC)

Your isolated network in the cloud - like having your own data center.

VPC Components

VPC (10.0.0.0/16)
├── Public Subnet (10.0.1.0/24)
│   ├── Internet Gateway (IGW) - attached to the VPC; this subnet's default route points to it
│   ├── NAT Gateway
│   └── EC2 instances with public IPs
├── Private Subnet (10.0.2.0/24)
│   └── EC2 instances (no internet without NAT)
└── Private Subnet (10.0.3.0/24)
    └── RDS database

Subnets

Public Subnet: Has route to Internet Gateway

  • Instances get public IPs
  • Accessible from internet
  • Good for: Web servers, load balancers

Private Subnet: No direct internet access

  • NAT Gateway enables outbound internet
  • Not accessible from internet
  • Good for: Databases, caches, internal services

Creating VPC (AWS)

# Create VPC
aws ec2 create-vpc --cidr-block 10.0.0.0/16
 
# Create public subnet
aws ec2 create-subnet --vpc-id vpc-xxx --cidr-block 10.0.1.0/24
 
# Create private subnet
aws ec2 create-subnet --vpc-id vpc-xxx --cidr-block 10.0.2.0/24
 
# Create Internet Gateway
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --internet-gateway-id igw-xxx --vpc-id vpc-xxx
 
# Create route table for public subnet, add the default route to the IGW, and
# associate it with the public subnet (without the association the subnet stays private)
aws ec2 create-route-table --vpc-id vpc-xxx
aws ec2 create-route --route-table-id rtb-xxx --destination-cidr-block 0.0.0.0/0 --gateway-id igw-xxx
aws ec2 associate-route-table --route-table-id rtb-xxx --subnet-id subnet-xxx
 
# Give instances launched in the public subnet a public IP automatically
aws ec2 modify-subnet-attribute --subnet-id subnet-xxx --map-public-ip-on-launch
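The subnet layout above and the route-table steps that follow it are where most "accidentally public" mistakes come from. The following Python is an added example (not part of the original lesson) that validates a subnet plan with the standard library's ipaddress module and classifies each subnet as public, private-with-NAT or isolated from its effective route table, the same rule the lesson states (public = default route to an IGW). The data is constructed to mirror the shape of `aws ec2 describe-subnets` and `aws ec2 describe-route-tables` output; every ID (vpc-, subnet-, rtb-, igw-, nat-) is a placeholder.

```python
"""Validate a VPC subnet plan and classify subnets as public or private.

Added example (not part of the original lesson). Uses only the standard
library and operates on constructed data shaped like the output of
`aws ec2 describe-subnets` / `aws ec2 describe-route-tables`; the IDs
(vpc-, subnet-, rtb-, igw-, nat-) are placeholders.
"""
import ipaddress

# Constructed sample: the three subnets from the lesson's diagram.
VPC_CIDR = "10.0.0.0/16"
SUBNETS = [
    {"SubnetId": "subnet-public", "CidrBlock": "10.0.1.0/24"},
    {"SubnetId": "subnet-app", "CidrBlock": "10.0.2.0/24"},
    {"SubnetId": "subnet-db", "CidrBlock": "10.0.3.0/24"},
]
# Route tables: the public one has a default route to the IGW, the private
# one sends 0.0.0.0/0 to a NAT gateway, and the DB subnet falls back to the
# main table, which only has the local route.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-public"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-xxx"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-xxx"}]},
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
]


def check_subnet_plan(vpc_cidr, subnets):
    """Return a list of problems: subnets outside the VPC range or overlapping."""
    vpc = ipaddress.ip_network(vpc_cidr)
    nets = [(s["SubnetId"], ipaddress.ip_network(s["CidrBlock"])) for s in subnets]
    problems = []
    for sid, net in nets:
        if not net.subnet_of(vpc):
            problems.append(f"{sid} {net} is not inside VPC {vpc}")
    for i, (sid_a, a) in enumerate(nets):
        for sid_b, b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{sid_a} {a} overlaps {sid_b} {b}")
    return problems


def classify_subnets(subnets, route_tables):
    """Map each subnet to 'public', 'private-nat' or 'isolated' based on its
    effective route table (explicit association, otherwise the main table)."""
    main = next(rt for rt in route_tables
                if any(a.get("Main") for a in rt["Associations"]))
    explicit = {a["SubnetId"]: rt for rt in route_tables
                for a in rt["Associations"] if "SubnetId" in a}
    result = {}
    for s in subnets:
        rt = explicit.get(s["SubnetId"], main)
        kind = "isolated"
        for r in rt["Routes"]:
            if r.get("DestinationCidrBlock") != "0.0.0.0/0":
                continue
            if r.get("GatewayId", "").startswith("igw-"):
                kind = "public"
            elif "NatGatewayId" in r:
                kind = "private-nat"
        result[s["SubnetId"]] = kind
    return result


if __name__ == "__main__":
    print("problems:", check_subnet_plan(VPC_CIDR, SUBNETS))
    print("classification:", classify_subnets(SUBNETS, ROUTE_TABLES))
```

Feeding real `describe-route-tables` JSON into classify_subnets is a quick way to confirm that a database subnet really is isolated before the RDS instance lands in it.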

Security Groups

Stateful firewall at the instance (network interface) level: return traffic for an allowed connection is permitted automatically, so an allowed inbound request needs no matching outbound rule. Rules are allow-only; there are no deny rules.

# Create security group
aws ec2 create-security-group --group-name web --description "Allow HTTP/HTTPS" --vpc-id vpc-xxx
 
# Allow SSH only from your admin/bastion range (203.0.113.0/24 is a placeholder; never 0.0.0.0/0)
aws ec2 authorize-security-group-ingress --group-id sg-xxx --protocol tcp --port 22 --cidr 203.0.113.0/24
 
# Allow HTTP from anywhere
aws ec2 authorize-security-group-ingress --group-id sg-xxx --protocol tcp --port 80 --cidr 0.0.0.0/0
 
# Allow HTTPS from anywhere
aws ec2 authorize-security-group-ingress --group-id sg-xxx --protocol tcp --port 443 --cidr 0.0.0.0/0
 
# Allow PostgreSQL (5432) into the database security group only from the app tier's security group
aws ec2 authorize-security-group-ingress --group-id sg-db --protocol tcp --port 5432 --source-group sg-app

Best Practices

✅ Never allow SSH (port 22) from 0.0.0.0/0
✅ Use security group references instead of CIDR blocks when possible
✅ Use restrictive rules (allow specific ports) not permissive (allow all)
✅ Review rules regularly
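"Review rules regularly" is easier when the review is a script. The Python below is an added example (not part of the original lesson) that audits security group rules against the practices above: admin ports open to the world, all-protocol rules, and wide port ranges exposed publicly, while leaving group-reference rules like the sg-db example alone. It goes slightly beyond the page by also treating RDP (3389) and the IPv6 ::/0 range as world-open. The input is constructed to mirror `aws ec2 describe-security-groups` output; the group IDs are placeholders.

```python
"""Audit security group rules against the lesson's best practices.

Added example (not part of the original lesson). Operates on constructed
data shaped like `aws ec2 describe-security-groups` output; group IDs are
placeholders.
"""

# Constructed sample: a web group that also exposes SSH to the world, a
# database group that trusts only the app tier by group reference, and a
# legacy group with an allow-everything rule.
SECURITY_GROUPS = [
    {"GroupId": "sg-web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-db", "GroupName": "db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
    ]},
    {"GroupId": "sg-legacy", "GroupName": "legacy", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}],
         "UserIdGroupPairs": []},
    ]},
]

ADMIN_PORTS = {22, 3389}          # SSH and RDP
ANYWHERE = {"0.0.0.0/0", "::/0"}  # world-open IPv4 / IPv6


def port_range(perm):
    """Return (from, to) for a rule; protocol -1 means every port."""
    if perm["IpProtocol"] == "-1":
        return (0, 65535)
    return (perm["FromPort"], perm["ToPort"])


def audit_security_groups(groups):
    """Return findings as (group id, severity, message) tuples."""
    findings = []
    for g in groups:
        for perm in g["IpPermissions"]:
            lo, hi = port_range(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            open_world = [c for c in cidrs if c in ANYWHERE]
            if perm["IpProtocol"] == "-1":
                # Permissive "allow all" rule, regardless of source
                findings.append((g["GroupId"], "high",
                                 f"allows all protocols/ports from {', '.join(cidrs) or 'group ref'}"))
                continue
            if open_world and ADMIN_PORTS & set(range(lo, hi + 1)):
                findings.append((g["GroupId"], "critical",
                                 f"admin port {lo}-{hi} open to {open_world[0]}"))
            elif open_world and hi - lo > 0:
                # A public service port (80/443) is expected; a public range is not
                findings.append((g["GroupId"], "medium",
                                 f"port range {lo}-{hi} open to {open_world[0]}"))
    return findings


if __name__ == "__main__":
    for group_id, severity, message in audit_security_groups(SECURITY_GROUPS):
        print(f"[{severity}] {group_id}: {message}")
```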


Load Balancing

Network Load Balancer (NLB) - Ultra-high performance

  • 1 million RPS
  • Sub-millisecond latency
  • Use for: Real-time gaming, IoT

Application Load Balancer (ALB) - Content-aware

  • Route by hostname, path, protocol
  • Good for: Web apps, microservices

Classic Load Balancer (CLB) - Legacy

  • Round-robin load balancing

Creating ALB (AWS)

# Create target group
aws elbv2 create-target-group --name my-targets --protocol HTTP --port 80 --vpc-id vpc-xxx
 
# Register targets
aws elbv2 register-targets --target-group-arn arn:aws:elasticloadbalancing:... --targets Id=i-xxx Id=i-yyy
 
# Create load balancer
aws elbv2 create-load-balancer --name my-alb --subnets subnet-xxx subnet-yyy
 
# Create listener (forward port 80 to target group)
aws elbv2 create-listener --load-balancer-arn arn:... --protocol HTTP --port 80 --default-actions Type=forward,TargetGroupArn=arn:...

CDN (Content Delivery Network)

Serve content from edge locations closest to users

AWS CloudFront

# Create distribution
aws cloudfront create-distribution --distribution-config file://config.json
 
# Example config: origin=S3, behavior=cache everything, TTL=1 day

Azure CDN

az cdn profile create --resource-group myRG --name myProfile --sku Standard_Akamai
az cdn endpoint create --resource-group myRG --profile-name myProfile --name myEndpoint --origin mywebsite.com

GCP Cloud CDN

# Enable on backend service
gcloud compute backend-services update my-service \
  --enable-cdn \
  --global

DNS

Route 53 (AWS)

# Create hosted zone
aws route53 create-hosted-zone --name example.com --caller-reference $(date +%s)
 
# Simple routing
aws route53 change-resource-record-sets --hosted-zone-id ZXXX --change-batch '{
  "Changes": [{
    "Action": "CREATE",
    "ResourceRecordSet": {
      "Name": "example.com",
      "Type": "A",
      "TTL": 300,
      "ResourceRecords": [{"Value": "192.0.2.1"}]
    }
  }]
}'
 
# Weighted routing (for canary deployments)
# Alias records take their TTL from the target, so no TTL is set here (Route 53 rejects a TTL on an alias record).
# Records with the same Name/Type but different SetIdentifier share traffic by Weight (70/30 here).
# "alb.aws.com" / "alb-canary.aws.com" are placeholder target names.
aws route53 change-resource-record-sets --hosted-zone-id ZXXX --change-batch '{
  "Changes": [{
    "Action": "CREATE",
    "ResourceRecordSet": {
      "Name": "example.com",
      "Type": "A",
      "Weight": 70,
      "SetIdentifier": "stable",
      "AliasTarget": {"HostedZoneId": "...", "DNSName": "alb.aws.com", "EvaluateTargetHealth": false}
    }
  }, {
    "Action": "CREATE",
    "ResourceRecordSet": {
      "Name": "example.com",
      "Type": "A",
      "Weight": 30,
      "SetIdentifier": "canary",
      "AliasTarget": {"HostedZoneId": "...", "DNSName": "alb-canary.aws.com", "EvaluateTargetHealth": false}
    }
  }]
}'
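Hand-writing change batches for each step of a canary rollout is error-prone (a stray TTL on an alias record, an out-of-range weight, duplicate set identifiers). The Python below is an added example (not part of the original lesson) that builds the weighted alias change batch for `aws route53 change-resource-record-sets --change-batch` and validates the constraints Route 53 enforces: no TTL on alias records, integer weights in 0..255, unique SetIdentifier values. It also refuses an all-zero weight set, since Route 53 then answers as if all records had equal weight, which is rarely what a canary intends. Hosted zone IDs and DNS names are placeholders.

```python
"""Build a Route 53 weighted-routing change batch for a canary rollout.

Added example (not part of the original lesson). Produces the JSON that
`aws route53 change-resource-record-sets --change-batch` accepts; hosted
zone IDs and DNS names below are placeholders.
"""
import json


def weighted_alias_change_batch(name, variants, action="UPSERT"):
    """variants: list of dicts with SetIdentifier, Weight, DNSName, HostedZoneId.

    Alias records must not carry a TTL (Route 53 rejects the request) and
    weights must be integers in 0..255. If every weight is 0, Route 53
    answers as if all records had equal weight, so that is rejected here
    as a likely mistake during a canary."""
    if not variants:
        raise ValueError("at least one variant is required")
    weights = [v["Weight"] for v in variants]
    if any(not isinstance(w, int) or not 0 <= w <= 255 for w in weights):
        raise ValueError("weights must be integers between 0 and 255")
    if sum(weights) == 0:
        raise ValueError("all weights are 0; Route 53 would treat them as equal")
    ids = [v["SetIdentifier"] for v in variants]
    if len(set(ids)) != len(ids):
        raise ValueError("SetIdentifier values must be unique")
    changes = []
    for v in variants:
        if "TTL" in v:
            raise ValueError("alias records take the TTL of their target; do not set TTL")
        changes.append({
            "Action": action,
            "ResourceRecordSet": {
                "Name": name,
                "Type": "A",
                "SetIdentifier": v["SetIdentifier"],
                "Weight": v["Weight"],
                "AliasTarget": {
                    "HostedZoneId": v["HostedZoneId"],
                    "DNSName": v["DNSName"],
                    # Health-checked so an unhealthy canary drops out of answers
                    "EvaluateTargetHealth": True,
                },
            },
        })
    return {"Comment": f"weighted rollout for {name}", "Changes": changes}


def traffic_share(variants):
    """Expected fraction of DNS answers each variant receives."""
    total = sum(v["Weight"] for v in variants)
    return {v["SetIdentifier"]: v["Weight"] / total for v in variants}


# Constructed 70/30 split matching the lesson's example; names are placeholders.
CANARY = [
    {"SetIdentifier": "stable", "Weight": 70,
     "DNSName": "alb-stable.placeholder.example", "HostedZoneId": "ZPLACEHOLDER"},
    {"SetIdentifier": "canary", "Weight": 30,
     "DNSName": "alb-canary.placeholder.example", "HostedZoneId": "ZPLACEHOLDER"},
]

if __name__ == "__main__":
    print(json.dumps(weighted_alias_change_batch("example.com", CANARY), indent=2))
    print(traffic_share(CANARY))
```

Using UPSERT rather than CREATE lets the same function move the split from 70/30 to 50/50 and then 0/100 without deleting records in between; setting a single variant's weight to 0 is the supported way to drain it.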

DDoS Protection

AWS Shield

  • Standard: Free protection (all customers)
  • Advanced: $3,000/month for advanced DDoS protection

AWS WAF (Web Application Firewall)

# Create IP set
aws wafv2 create-ip-set --name my-ips --scope REGIONAL --ip-address-version IPV4 --addresses '["203.0.113.0/24"]'
 
# Create rule group
aws wafv2 create-rule-group --name my-rules --scope REGIONAL --capacity 100 --rules '[...]'
 
# Create web ACL
aws wafv2 create-web-acl --name my-acl --scope REGIONAL --default-action Allow={} --rules '[...]'

Best Practices

✅ Use multiple availability zones for HA
✅ Public subnets for web tier, private for data tier
✅ Use bastion hosts (jump boxes) for SSH to private instances
✅ Enable VPC Flow Logs for traffic analysis
✅ Use network ACLs for additional layer of security
✅ Implement least privilege in security groups
✅ Use CDN for frequently accessed content
✅ Enable HTTPS everywhere (not just HTTP)

❌ Don't allow SSH from 0.0.0.0/0
❌ Don't put databases in public subnets
❌ Don't forget to delete unused resources
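Enabling VPC Flow Logs only pays off if someone reads them. The Python below is an added example (not part of the original lesson) that parses records in the default flow-log format (version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status), counts rejected destination ports, and flags accepted SSH/RDP connections whose source is outside the bastion range, which is the control the "bastion hosts" and "no SSH from 0.0.0.0/0" points above are meant to enforce. The log lines, the account/ENI IDs and the bastion CIDR are constructed; the addresses come from the documentation ranges.

```python
"""Summarize VPC Flow Log records: rejected ports and admin access from unexpected sources.

Added example (not part of the original lesson). Parses the default
flow-log record format; the log lines, account/ENI IDs and bastion CIDR
below are constructed and use documentation address ranges.
"""
import ipaddress
from collections import Counter

FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes", "start",
          "end", "action", "log_status"]

# Constructed sample records (protocol 6 = TCP). The last row is a NODATA
# record, which carries no traffic fields and must be skipped.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.5 10.0.1.10 51234 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40001 22 6 3 180 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40002 3389 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.10 40003 23 6 1 40 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.3.20 33000 5432 6 50 90000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - NODATA
"""

ADMIN_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed bastion range
ADMIN_PORTS = {22, 3389}


def parse_flow_log(text):
    """Yield one dict per complete record; skip NODATA/SKIPDATA rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec


def is_admin_source(addr):
    """True if the source address lies inside an approved bastion range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ADMIN_CIDRS)


def analyze(text):
    """Return (Counter of rejected destination ports,
               list of accepted admin-port flows from outside the bastion range)."""
    rejects = Counter()
    suspicious = []
    for rec in parse_flow_log(text):
        if rec["action"] == "REJECT":
            rejects[rec["dstport"]] += 1
        elif rec["dstport"] in ADMIN_PORTS and not is_admin_source(rec["srcaddr"]):
            suspicious.append((rec["srcaddr"], rec["dstaddr"], rec["dstport"]))
    return rejects, suspicious


if __name__ == "__main__":
    rejected, flagged = analyze(SAMPLE_LOG)
    print("rejected by port:", dict(rejected))
    print("admin access outside bastion range:", flagged)
```

A steady stream of REJECT records on the same port is usually scanning noise the security group is already absorbing; an ACCEPT on port 22 from outside the bastion range is the line worth paging on, because it means a rule like the "SSH from anywhere" mistake exists somewhere.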