Cloud Networking Aws Azure Gcp

Category: Advanced Networking Concepts
Type: Network Concepts
Generated on: 2025-07-10 09:11:16
For: Network Engineering, Administration & Technical Interviews

This cheat sheet covers advanced networking concepts relevant to the major cloud providers: AWS, Azure, and GCP. It aims to provide a practical reference for students and professionals involved in cloud network design, deployment, and troubleshooting.

1. Quick Overview

Cloud networking allows you to create and manage virtual networks in the cloud, enabling resources to communicate with each other, the internet, and on-premises networks. It’s crucial for:

Scalability: Easily scale network resources as needed.
Flexibility: Customize network configurations to meet specific application requirements.
Cost Efficiency: Pay only for the network resources you use.
Security: Implement robust security measures to protect your data.
Hybrid Cloud: Seamlessly connect cloud and on-premises environments.

2. Key Concepts

Concept	Definition	AWS Equivalent	Azure Equivalent	GCP Equivalent
Virtual Network (VNet)	Logically isolated network in the cloud.	VPC (Virtual Private Cloud)	Virtual Network	VPC (Virtual Private Cloud)
Subnet	A range of IP addresses within a VNet.	Subnet	Subnet	Subnet
Route Table	Contains a set of rules (routes) that determine where network traffic is directed.	Route Table	Route Table	Route
Internet Gateway	Enables resources in a VPC to connect to the internet.	Internet Gateway	Internet Gateway	Cloud Router + NAT Gateway
NAT Gateway	Allows instances in a private subnet to connect to the internet without having public IP addresses.	NAT Gateway	NAT Gateway	Cloud NAT
Security Group/Network Security Group (NSG)	Acts as a virtual firewall, controlling inbound and outbound traffic at the instance level.	Security Group	Network Security Group (NSG)	Firewall Rules
Network ACL (NACL)	Acts as a stateless firewall, controlling inbound and outbound traffic at the subnet level.	Network ACL	N/A (NSGs can be applied at subnet level)	N/A (Firewall Rules are global)
Virtual Private Network (VPN)	Securely connects your on-premises network to your cloud network.	AWS VPN	Azure VPN Gateway	Cloud VPN
Direct Connect/ExpressRoute/Cloud Interconnect	Dedicated network connection between your on-premises network and the cloud.	AWS Direct Connect	Azure ExpressRoute	Cloud Interconnect
Peering	Connects two VNets, allowing resources in each network to communicate with each other.	VPC Peering	Virtual Network Peering	VPC Network Peering
Load Balancer	Distributes incoming traffic across multiple instances.	ELB (Elastic Load Balancer)	Azure Load Balancer	Cloud Load Balancing
DNS	Translates domain names into IP addresses.	Route 53	Azure DNS	Cloud DNS
Firewall	Controls network access based on defined rules.	Security Groups, Network ACLs	Network Security Groups, Azure Firewall	Firewall Rules
Network Interface	Virtual network adapter that enables a resource to connect to a network.	Elastic Network Interface (ENI)	Network Interface	Network Interface
PrivateLink/Private Endpoint/Private Service Connect	Enables private connectivity to services without exposing them to the public internet.	AWS PrivateLink	Azure Private Endpoint	Private Service Connect
Service Endpoints	Private access to cloud services without traversing the public internet (service specific)	AWS Gateway Endpoints	Azure Service Endpoints	Private Service Connect (Similar functionality)

3. How It Works

Example: Creating a simple VPC/VNet with a public subnet in AWS

Create a VPC: Define the IP address range (CIDR block) for your VPC (e.g., 10.0.0.0/16).
```
+-----------------------+
|      VPC (10.0.0.0/16)      |
+-----------------------+
```

Create a Subnet: Define a subnet within the VPC’s IP address range (e.g., 10.0.1.0/24). Tag it as a public subnet.

+-----------------------+
|      VPC (10.0.0.0/16)      |
|   +-------------------+   |
|   |  Subnet (10.0.1.0/24) |   |
|   +-------------------+   |
+-----------------------+

Create an Internet Gateway: This allows the VPC to communicate with the internet.

+-----------------------+     +--------------+
|      VPC (10.0.0.0/16)      |-----|Internet Gateway|
|   +-------------------+   |     +--------------+
|   |  Subnet (10.0.1.0/24) |   |
|   +-------------------+   |
+-----------------------+

Create a Route Table: Define a route that directs traffic destined for the internet (0.0.0.0/0) to the Internet Gateway. Associate the route table with the subnet.

+-----------------------+     +--------------+
|      VPC (10.0.0.0/16)      |-----|Internet Gateway|
|   +-------------------+   |     +--------------+
|   |  Subnet (10.0.1.0/24) |   |
|   +-------------------+   |
|        Route Table (0.0.0.0/0 -> IGW)          |
+-----------------------+

Create a Security Group: Define rules to allow inbound traffic (e.g., SSH on port 22, HTTP on port 80) and outbound traffic. Associate the security group with instances launched in the subnet.

+-----------------------+     +--------------+
|      VPC (10.0.0.0/16)      |-----|Internet Gateway|
|   +-------------------+   |     +--------------+
|   |  Subnet (10.0.1.0/24) |   |
|   +-------------------+   |
|        Route Table (0.0.0.0/0 -> IGW)          |
|   +-------------------+   |
|   |  Security Group (Allow SSH, HTTP) |   |
|   +-------------------+   |
+-----------------------+

Launch an Instance: Launch an EC2 instance within the subnet and associate it with the security group. Assign a public IP address to the instance (or enable auto-assign public IP).

+-----------------------+     +--------------+
|      VPC (10.0.0.0/16)      |-----|Internet Gateway|
|   +-------------------+   |     +--------------+
|   |  Subnet (10.0.1.0/24) |   |
|   |  EC2 Instance (Public IP) |   |
|   +-------------------+   |
|        Route Table (0.0.0.0/0 -> IGW)          |
|   +-------------------+   |
|   |  Security Group (Allow SSH, HTTP) |   |
|   +-------------------+   |
+-----------------------+

4. Protocol Details

IP Protocol: The foundation of cloud networking. Understanding IP addressing, subnetting, and routing is critical.
TCP/UDP: Used for communication between instances.
ICMP: Used for network diagnostics (e.g., ping).
BGP (Border Gateway Protocol): Used for routing information between autonomous systems, particularly in Direct Connect/ExpressRoute/Cloud Interconnect scenarios. Key attributes include AS_PATH, NEXT_HOP, MED (Multi-Exit Discriminator).
GRE (Generic Routing Encapsulation): Used for creating VPN tunnels.
IPsec (Internet Protocol Security): Used for encrypting VPN traffic. Common modes are Tunnel and Transport. Uses AH (Authentication Header) and ESP (Encapsulating Security Payload).

Example: TCP Header

+-------+-------+-------+-------+
| Source Port (16 bits) | Destination Port (16 bits) |
+-------+-------+-------+-------+
|                    Sequence Number (32 bits)                      |
+-------------------------------------------------------------------+
|                    Acknowledgement Number (32 bits)                   |
+-------+-------+-------+-------+
| Data Offset | Reserved | Flags | Window Size (16 bits) |
+-------+-------+-------+-------+
|   Checksum (16 bits)  | Urgent Pointer (16 bits) |
+-------+-------+-------+-------+
|                    Options (Variable Length)                    |
+-------------------------------------------------------------------+
|                              Data (Variable Length)                              |
+-------------------------------------------------------------------+

Example: IP Header

+-----+-----+-------+----------------+
| Ver | IHL |  DSCP |    Total Length   |
+-----+-----+-------+----------------+
|         Identification (16 bits)          |Flags| Fragment Offset (13 bits) |
+-----+----------------+----------------+
| TTL | Protocol | Header Checksum |
+-----+----------------+----------------+
|                    Source Address (32 bits)                      |
+-------------------------------------------------------------------+
|                 Destination Address (32 bits)                   |
+-------------------------------------------------------------------+
|                    Options (Variable Length)                    |
+-------------------------------------------------------------------+
|                              Data (Variable Length)                              |
+-------------------------------------------------------------------+

5. Real-World Examples

Web Application Hosting: Distributing web traffic across multiple EC2 instances behind an Application Load Balancer (ALB) in AWS. Using Security Groups to restrict access to the web servers.
Database Connectivity: Connecting an on-premises database to a cloud-based application using a VPN tunnel. Using Azure VPN Gateway or Cloud VPN.
Hybrid Cloud Environment: Connecting an on-premises network to a cloud VPC/VNet using Direct Connect/ExpressRoute/Cloud Interconnect for low latency and high bandwidth.
Microservices Architecture: Deploying microservices in separate VPCs/VNets and connecting them using VPC Peering/Virtual Network Peering/VPC Network Peering.
Secure Data Storage: Using PrivateLink/Private Endpoint/Private Service Connect to securely access cloud storage services (e.g., S3, Azure Blob Storage, Cloud Storage) without exposing them to the public internet.

Example: Web Application Architecture (AWS)

+-----------------------+     +-----------------+
|       Internet       |-----| Route 53 (DNS) |
+-----------------------+     +-----------------+
|          |
|          |
+-----------------------+
|  Application Load Balancer (ALB) |
+-----------------------+
|          |
|          |
+-----------------------+-----+-------------------+
|  Auto Scaling Group (ASG) |     | Security Group (Allow HTTP, HTTPS)  |
+-----------------------+-----+-------------------+
|          |
|          |
+-----------------------+
|    EC2 Instances (Web Servers)   |
+-----------------------+
|          |
|          |
+-----------------------+
|  Private Subnet (Database)  |
+-----------------------+

6. Common Issues

Connectivity Issues: Troubleshoot using ping, traceroute, and network monitoring tools. Check route tables, security groups/NSGs, and NACLs. Verify DNS resolution.
Routing Problems: Ensure that routes are correctly configured to direct traffic to the appropriate destination. Check for conflicting routes.
Security Group/NSG Misconfigurations: Verify that security groups/NSGs allow the necessary traffic. Ensure that rules are not overly permissive.
VPN Tunnel Failures: Check VPN tunnel configuration, including IPsec parameters (encryption algorithms, authentication methods, pre-shared keys). Verify that the VPN gateway is reachable.
DNS Resolution Failures: Ensure that DNS servers are correctly configured and reachable. Check for DNS zone configuration errors.
Network Latency: Investigate network latency using tools like mtr or traceroute. Consider using Direct Connect/ExpressRoute/Cloud Interconnect for lower latency.
MTU Issues: Ensure that the Maximum Transmission Unit (MTU) is consistent across the network. Path MTU Discovery (PMTUD) can help resolve MTU-related issues.

Troubleshooting Example (AWS): Instance cannot connect to the internet

Check the Route Table: Verify that the subnet has a route to an Internet Gateway (0.0.0.0/0 -> IGW).
Check the Security Group: Ensure that the security group allows outbound traffic to the internet (0.0.0.0/0).
Check the NACL (Network ACL): If using NACLs, ensure that they allow both inbound and outbound traffic to the internet. Remember that NACLs are stateless.
Check the Internet Gateway: Verify that the Internet Gateway is attached to the VPC.
Check the Instance: Verify that the instance has a public IP address (or is behind a NAT Gateway).

Command Line Tools for Troubleshooting:

ping: Test basic connectivity. ping <destination>
traceroute/tracert: Trace the route packets take to reach a destination. traceroute <destination> (Linux/macOS), tracert <destination> (Windows)
nslookup/dig: Query DNS servers. nslookup <domain> , dig <domain>
tcpdump/Wireshark: Capture and analyze network traffic. tcpdump -i <interface> -n -s 0
mtr (My Traceroute): Combines ping and traceroute functionality. mtr <destination>

7. Configuration Examples

AWS CLI Example: Create a VPC

aws ec2 create-vpc --cidr-block 10.0.0.0/16

AWS CLI Example: Create a Subnet

aws ec2 create-subnet --vpc-id <vpc-id> --cidr-block 10.0.1.0/24 --availability-zone us-east-1a

Azure CLI Example: Create a Virtual Network

az network vnet create \
  --resource-group <resource-group-name> \
  --name <vnet-name> \
  --address-prefixes 10.0.0.0/16 \
  --location <location>

Azure CLI Example: Create a Subnet

az network vnet subnet create \
  --resource-group <resource-group-name> \
  --vnet-name <vnet-name> \
  --name <subnet-name> \
  --address-prefixes 10.0.1.0/24

GCP CLI Example: Create a VPC Network

gcloud compute networks create <network-name> --subnet-mode custom

GCP CLI Example: Create a Subnet

gcloud compute networks subnets create <subnet-name> \
  --network <network-name> \
  --region <region> \
  --range 10.0.1.0/24

Security Group Example (AWS): Allow SSH and HTTP

[
  {
    "IpProtocol": "tcp",
    "FromPort": 22,
    "ToPort": 22,
    "IpRanges": [
      {
        "CidrIp": "0.0.0.0/0"  // WARNING: Restrict to specific IP addresses for security
      }
    ]
  },
  {
    "IpProtocol": "tcp",
    "FromPort": 80,
    "ToPort": 80,
    "IpRanges": [
      {
        "CidrIp": "0.0.0.0/0"  // WARNING: Restrict to specific IP addresses for security
      }
    ]
  }
]

Network Security Group Example (Azure): Allow SSH and HTTP

[
  {
    "name": "AllowSSH",
    "properties": {
      "priority": 100,
      "direction": "Inbound",
      "access": "Allow",
      "protocol": "Tcp",
      "sourcePortRange": "*",
      "destinationPortRange": "22",
      "sourceAddressPrefix": "*", // WARNING: Restrict to specific IP addresses for security
      "destinationAddressPrefix": "*"
    }
  },
  {
    "name": "AllowHTTP",
    "properties": {
      "priority": 110,
      "direction": "Inbound",
      "access": "Allow",
      "protocol": "Tcp",
      "sourcePortRange": "*",
      "destinationPortRange": "80",
      "sourceAddressPrefix": "*", // WARNING: Restrict to specific IP addresses for security
      "destinationAddressPrefix": "*"
    }
  }
]

8. Interview Questions

What is a VPC/VNet and why is it important? (See Quick Overview and Key Concepts)
Explain the difference between a Security Group and a Network ACL (AWS). Security Groups are stateful and operate at the instance level. Network ACLs are stateless and operate at the subnet level. Security Groups allow by default; Network ACLs deny by default.
How do you connect an on-premises network to the cloud? Using VPN (site-to-site or client-to-site) or Direct Connect/ExpressRoute/Cloud Interconnect.
What is VPC Peering/Virtual Network Peering/VPC Network Peering? It allows you to connect two VPCs/VNets, enabling resources in each network to communicate with each other.
How do you ensure high availability for your applications in the cloud? Using multiple Availability Zones, Load Balancers, and Auto Scaling.
What is a NAT Gateway and why would you use it? A NAT Gateway allows instances in a private subnet to connect to the internet without having public IP addresses, enhancing security.
Explain the difference between public and private subnets. Public subnets have a route to an Internet Gateway, allowing instances to connect to the internet. Private subnets do not have a route to an Internet Gateway and require a NAT Gateway to connect to the internet.
How does BGP work in the context of Direct Connect/ExpressRoute/Cloud Interconnect? BGP is used to exchange routing information between your on-premises network and the cloud provider’s network. BGP attributes like AS_PATH, NEXT_HOP, and MED are used to influence routing decisions.
What are the security considerations when connecting your on-premises network to the cloud? Firewall configuration, VPN tunnel security, access control, and monitoring.
How do you troubleshoot network connectivity issues in the cloud? Use ping, traceroute, network monitoring tools, and check route tables, security groups/NSGs, and NACLs.

Example Interview Answer: Difference between Security Group and NACL (AWS)

“Security Groups and Network ACLs are both firewalls used to control network traffic in AWS, but they operate at different layers and have different characteristics. Security Groups act at the instance level, controlling inbound and outbound traffic for individual EC2 instances. They are stateful, meaning that if you allow inbound traffic on a specific port, the corresponding outbound traffic is automatically allowed. Security Groups operate on a ‘allow’ principle; all traffic is denied by default unless explicitly allowed.

Network ACLs, on the other hand, operate at the subnet level, controlling traffic entering and exiting subnets. They are stateless, meaning that you need to explicitly allow both inbound and outbound traffic. Network ACLs operate on a ‘deny’ principle; all traffic is allowed by default unless explicitly denied.

In summary, Security Groups provide a more granular level of control at the instance level and are easier to manage due to their stateful nature, while Network ACLs provide a broader level of control at the subnet level and are useful for implementing more complex network security policies.”

Software Defined Networking (SDN): Provides a centralized control plane for managing network resources.
Network Function Virtualization (NFV): Virtualizes network functions (e.g., firewalls, load balancers) as software.
Containers and Kubernetes Networking: Networking concepts specific to containerized applications.
Service Mesh: A dedicated infrastructure layer for handling service-to-service communication in microservices architectures.
Network Automation: Automating network tasks using tools like Ansible, Terraform, and CloudFormation.
Cloud Security Best Practices: Implementing security measures to protect your cloud network and resources.

This cheat sheet provides a comprehensive overview of cloud networking concepts. Remember to consult the official documentation for each cloud provider for the most up-to-date information and specific configuration details. Good luck!