A Conceptual Refresher on Networking in Cloud Infrastructure (with Google Cloud Examples)

Modern cloud platforms make networking feel deceptively simple. You create a service, expose a port, and suddenly it is reachable. Under the surface, however, a number of classic networking concepts are still at work: routing tables, address spaces, gateways, and network boundaries.

This article revisits the core mechanics of cloud networking—using concepts from Google Cloud as a concrete example—while keeping the principles general enough to apply across most infrastructure environments.


1. The Basic Mental Model of a Network

At its most fundamental level, a network is simply:

  • A range of IP addresses
  • A set of machines assigned addresses from that range
  • A routing system that determines where packets go

The moment two machines share a network they can exchange packets without passing through the public internet, subject only to the network's firewall rules (section 9).

Every network therefore has three important properties:

  1. Address space (CIDR block)
  2. Connectivity rules
  3. Routing logic

Example CIDR ranges commonly used for private networks:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

These are the private ranges reserved by RFC 1918 (and listed in the IANA special-purpose address registry). They are not routable on the public internet, so a packet addressed to one of them has to be delivered inside your own networks or not at all.


2. What Makes a Network “Private”?

A network is considered private when:

  1. Its IP addresses are not globally routable
  2. Access is restricted to specific connected networks

This means machines inside the network can communicate with each other, but external systems cannot directly reach them.

Typical examples:

  • Databases inside a VPC
  • Internal microservices
  • Backend workers
  • Private APIs

In cloud infrastructure, a private network is usually implemented as a Virtual Private Cloud (VPC).

For example in Google Cloud:

  • A VPC network is a logically isolated, global network (it spans all regions)
  • It contains subnets; each subnet is regional and owns an address range
  • Resources get internal IP addresses from the subnet they are placed in

Example:

VPC: my-production-network
Subnet: 10.10.0.0/24

Instances in this subnet might be:

10.10.0.5   API server
10.10.0.8   worker
10.10.0.12  database

All can communicate internally without touching the public internet.


3. Subnets: Structuring Networks

Subnets divide networks into smaller segments.

Why?

  1. Security boundaries
  2. Regional distribution
  3. Routing control

Example:

VPC: my-production-network, planning range 10.0.0.0/16
(in Google Cloud the VPC itself carries no CIDR; address ranges belong to its subnets, so the /16 is simply the block reserved for them)

Subnets:

10.0.1.0/24  europe-west1
10.0.2.0/24  europe-north1
10.0.3.0/24  us-central1

In cloud platforms this separation is important because infrastructure often spans multiple data centers and regions.

Subnets allow infrastructure teams to control:

  • traffic flow
  • firewall rules
  • service placement
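As an added example (not code from the original article), the following Python script, using only the standard library's ipaddress module, checks a subnet plan like the one above: every subnet must be an RFC 1918 range, must fit inside the block reserved for the VPC, and must not overlap another subnet; it also answers which subnet a given host address falls in. The region names and ranges are the ones from this section; the planning block is an assumption about how the team reserves space, not a property of a Google Cloud VPC.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed example: the planning block this VPC's subnets are carved from
# and the regional subnets from the section above. A Google Cloud VPC has no
# CIDR of its own; the /16 is purely the team's reservation for its subnets.
VPC_PLANNING_RANGE = "10.0.0.0/16"
REGIONAL_SUBNETS = {
    "europe-west1": "10.0.1.0/24",
    "europe-north1": "10.0.2.0/24",
    "us-central1": "10.0.3.0/24",
}

# The three private blocks from RFC 1918. Python's IPv4Network.is_private is
# wider than this (it also covers documentation and benchmarking ranges), so
# the check is done explicitly against these prefixes.
RFC1918_BLOCKS = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(net: ipaddress.IPv4Network) -> bool:
    """True if every address in `net` lies inside one RFC 1918 block."""
    return any(net.subnet_of(block) for block in RFC1918_BLOCKS)


def validate_subnet_plan(vpc_range: str, subnets: Dict[str, str]) -> List[str]:
    """Return the problems found in a subnet plan; an empty list means it is sound.

    Checks, per subnet: RFC 1918 range, fits inside the planning block, and
    does not overlap any other subnet (overlapping subnets make "which
    segment is this host in?" ambiguous, which also confuses firewall rules
    written against subnet ranges).
    """
    problems: List[str] = []
    planning_block = ipaddress.ip_network(vpc_range, strict=True)
    seen: Dict[str, ipaddress.IPv4Network] = {}
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)  # strict: host bits must be zero
        if not is_rfc1918(net):
            problems.append(f"{name}: {cidr} is not an RFC 1918 private range")
        if not net.subnet_of(planning_block):
            problems.append(f"{name}: {cidr} lies outside the planning block {vpc_range}")
        for other_name, other in seen.items():
            if net.overlaps(other):
                problems.append(f"{name}: {cidr} overlaps {other_name} ({other})")
        seen[name] = net
    return problems


def subnet_for(address: str, subnets: Dict[str, str]) -> Optional[str]:
    """Name of the subnet containing `address`, or None if no subnet does."""
    ip = ipaddress.ip_address(address)
    for name, cidr in subnets.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return None


if __name__ == "__main__":
    print("plan problems:", validate_subnet_plan(VPC_PLANNING_RANGE, REGIONAL_SUBNETS))
    print("10.0.2.17 is in:", subnet_for("10.0.2.17", REGIONAL_SUBNETS))
    # A fourth subnet that collides with europe-west1 is caught:
    bad_plan = dict(REGIONAL_SUBNETS, **{"asia-east1": "10.0.1.128/25"})
    print("bad plan problems:", validate_subnet_plan(VPC_PLANNING_RANGE, bad_plan))
```

The explicit RFC 1918 check is deliberate: the standard library's `is_private` also returns True for documentation ranges such as 203.0.113.0/24, which is not what a reviewer of a subnet plan wants to hear.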

4. Routing: How Packets Know Where to Go

Networking works because of routing tables.

A routing table contains rules like:

Destination        Next Hop
10.0.0.0/16        local
0.0.0.0/0          internet gateway
172.16.0.0/16      peer network

The special route:

0.0.0.0/0

is the default route. Route selection uses longest-prefix match: the most specific matching destination wins, so this route, which matches every address, is used only when nothing more specific applies. It means:

If no other route covers the destination, send the packet to this gateway.

This gateway might be:

  • an internet gateway
  • a NAT gateway (in some clouds; in Google Cloud the default route points at the default internet gateway and Cloud NAT translates that egress for VMs without external IPs, so NAT is not itself a next hop)
  • a VPN tunnel
  • a peered network

Routing therefore determines whether traffic:

  • stays internal
  • leaves the network
  • goes to another private network
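An added example (not the article's own code) of the lookup a routing table performs: longest-prefix match, with the priority number as the tie-breaker the way Google Cloud orders static routes of equal specificity. The table is the one from this section; the priorities and next-hop labels are chosen here for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    next_hop: str
    # Google Cloud convention: 0..65535, lower number wins among routes with
    # the same prefix length. Subnet routes get 0 here to mirror that they
    # are consulted first.
    priority: int = 1000


def make_table(rows: Iterable[Tuple[str, str, int]]) -> List[Route]:
    """Build a route list from (destination CIDR, next hop, priority) tuples."""
    return [Route(ipaddress.ip_network(dst), hop, prio) for dst, hop, prio in rows]


def lookup(table: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match: the most specific matching destination wins;
    among equally specific destinations the lowest priority number wins.
    Returns None when no route covers the address (the packet is dropped)."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in table if ip in r.destination]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.destination.prefixlen, -r.priority))


def next_hop_for(table: List[Route], dst_ip: str) -> Optional[str]:
    route = lookup(table, dst_ip)
    return route.next_hop if route else None


# Constructed example: the table from this section.
TABLE = make_table([
    ("10.0.0.0/16", "local (subnet route)", 0),
    ("172.16.0.0/16", "peer network", 1000),
    ("0.0.0.0/0", "default-internet-gateway", 1000),
])

if __name__ == "__main__":
    for dst in ("10.0.5.9", "172.16.3.4", "8.8.8.8"):
        print(dst, "->", next_hop_for(TABLE, dst))

    # A more specific route silently wins over the /16 to the peer: whoever can
    # add routes can redirect part of that traffic, so route changes deserve
    # the same review as firewall changes.
    redirected = TABLE + make_table([("172.16.3.0/24", "vpn-tunnel", 1000)])
    print("172.16.3.4 with /24 added ->", next_hop_for(redirected, "172.16.3.4"))

    # Remove the default route and internet destinations become unreachable.
    no_default = [r for r in TABLE if r.destination.prefixlen != 0]
    print("8.8.8.8 without default route ->", next_hop_for(no_default, "8.8.8.8"))
```

Two things worth noticing when running it: a /24 added later takes traffic away from the /16 without touching the existing route, and deleting the default route is the simplest way to make a subnet "fully private" at the routing layer.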

5. Internet Access

A private machine cannot reach the internet unless a route exists and something translates its private address: either the VM has an external IP of its own, or a NAT gateway performs the translation on its behalf.

Typical pattern:

Private VM
   ↓
NAT Gateway
   ↓
Internet

Why NAT?

Because private IPs are not globally routable.

A Network Address Translation (NAT) gateway:

  1. replaces the private source IP (and normally the source port) with one of its public IPs and a free port
  2. records that mapping in a translation table
  3. forwards the packet

When the response arrives at that public IP and port, the gateway looks up the mapping and rewrites the destination back to the private address, so replies return through the same gateway.

Key consequence:

  • the machine can access the internet
  • but cannot be reached from the internet: an unsolicited inbound packet matches no table entry and is dropped at the gateway

This is called egress-only connectivity. It is a side effect of how NAT works rather than a deliberate security control, so it does not replace firewall rules on the instances behind it.
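An added example, not code from the article, of the translation table a NAT gateway keeps and of the two consequences described above: replies to outbound flows are mapped back to the private host, unsolicited inbound packets find no mapping and are dropped, and the finite pool of public ports is a real failure mode (Cloud NAT hands each VM a fixed allocation of ports). The addresses are constructed from the documentation ranges; the worker address is the one from section 2.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    """Source NAT with port translation, the behaviour of a cloud NAT gateway.

    Outbound packets get their private (source ip, source port) replaced by
    (public ip, allocated port) and the mapping is remembered. Inbound packets
    are only translated back if they hit a remembered mapping; everything else
    is dropped, which is what makes the private hosts egress-only.
    """

    def __init__(self, public_ip: str, first_port: int = 32768, last_port: int = 65535) -> None:
        self.public_ip = public_ip
        self._free_ports = list(range(last_port, first_port - 1, -1))  # pop() hands out low ports first
        # (proto, private ip, private port, remote ip, remote port) -> public port
        self._outbound: Dict[Tuple[str, str, int, str, int], int] = {}
        # (proto, public port, remote ip, remote port) -> (private ip, private port)
        self._inbound: Dict[Tuple[str, int, str, int], Tuple[str, int]] = {}

    def free_ports(self) -> int:
        return len(self._free_ports)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet leaving the private network. Returns None (dropped)
        when the public port pool is exhausted, the failure mode a real NAT
        shows when too many flows share one public address."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self._outbound.get(key)
        if public_port is None:
            if not self._free_ports:
                return None
            public_port = self._free_ports.pop()
            self._outbound[key] = public_port
            self._inbound[(pkt.proto, public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving at the public address. Replies to flows
        in the table are forwarded to the private host; anything without a
        mapping (an unsolicited connection attempt) is dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        private = self._inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if private is None:
            return None
        private_ip, private_port = private
        return Packet(pkt.src_ip, pkt.src_port, private_ip, private_port, pkt.proto)


if __name__ == "__main__":
    # Constructed example: the worker from section 2 fetches a package from
    # 203.0.113.10 (a documentation address) through a NAT whose public address
    # is 198.51.100.7 (also a documentation address) with a tiny port pool.
    nat = NatGateway("198.51.100.7", first_port=40000, last_port=40001)
    out = nat.outbound(Packet("10.10.0.8", 51515, "203.0.113.10", 443))
    print("worker -> internet as seen by the server:", out)
    reply = nat.inbound(Packet("203.0.113.10", 443, "198.51.100.7", out.src_port))
    print("reply delivered to:", reply)
    # A scanner probing the public address finds no mapping for port 22:
    print("unsolicited SSH attempt:", nat.inbound(Packet("203.0.113.99", 4444, "198.51.100.7", 22)))
```

The deliberately tiny port pool in the usage shows the third flow being dropped; on a real gateway that surfaces as intermittent connection failures from otherwise healthy VMs, which is why NAT port allocation belongs in capacity planning.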


6. Public Services

If you want external users to reach a service, you must expose it.

Typical mechanisms:

  • Public IP on a machine
  • Load balancer
  • Reverse proxy
  • API gateway

In many architectures the typical pattern is:

Internet
   ↓
Load Balancer
   ↓
Private Services

This keeps backend services private while exposing only controlled entry points.


7. Network Peering

Sometimes two private networks must communicate.

Example:

Network A (10.1.0.0/16)
Network B (10.2.0.0/16)

Without configuration they are isolated.

Peering creates direct connectivity.

Network A  ↔  Network B

After peering:

  • machines in A can reach B
  • machines in B can reach A

No internet routing is involved.

Important characteristics:

  • traffic remains private
  • latency is low
  • bandwidth is high

However, peering requires non-overlapping subnet ranges: Google Cloud refuses the peering if any subnet range in one network overlaps a subnet range in the other, because neither side could route a colliding address unambiguously.


8. Transitive Routing (Usually Not Allowed)

One important limitation of peering is non-transitivity.

Example:

Network A ↔ Network B
Network B ↔ Network C

Usually:

A cannot reach C

because a network exports only its own subnet routes to a peer; routes it imported from another peer are not re-exported.

This prevents routing loops and unintended access paths: peering B with C does not silently give A a path into C.

To build multi-network topologies, cloud providers therefore offer:

  • shared VPCs (Google Cloud): one host network whose subnets several projects use
  • transit gateways (AWS) or a hub network that every spoke connects to
  • hub-and-spoke designs built from those, where the hub holds the routes between spokes
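An added example (not the article's code) covering both section 7 and section 8: each network holds its own subnet routes and imports the subnet routes of its direct peers, but a peer exports only what it owns, so A peered with B and B peered with C leaves A without a route to C. The same model refuses a peering when subnet ranges overlap. Networks A, B and their ranges are the ones from section 7; C and D are constructed here.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class Vpc:
    """A network identified by its subnet ranges and the peerings it holds."""

    def __init__(self, name: str, subnets: List[str]) -> None:
        self.name = name
        self.subnets = [ipaddress.ip_network(c) for c in subnets]
        self.peers: Dict[str, "Vpc"] = {}


def overlapping_ranges(a: Vpc, b: Vpc) -> List[Tuple[str, str]]:
    """Pairs of subnet ranges that collide between the two networks."""
    return [(str(x), str(y)) for x in a.subnets for y in b.subnets if x.overlaps(y)]


def peer(a: Vpc, b: Vpc) -> None:
    """Establish peering in both directions; refused when ranges overlap,
    because neither side could tell which network a colliding address is in."""
    clashes = overlapping_ranges(a, b)
    if clashes:
        raise ValueError(f"cannot peer {a.name} and {b.name}: overlapping ranges {clashes}")
    a.peers[b.name] = b
    b.peers[a.name] = a


def routes(vpc: Vpc) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """The effective routing table: own subnet routes plus the subnet routes
    each peer exports. A peer exports only its OWN subnets, never routes it
    imported from its other peers, which is what makes peering non-transitive."""
    table = [(s, "local") for s in vpc.subnets]
    for name, p in vpc.peers.items():
        table += [(s, f"peering:{name}") for s in p.subnets]
    return table


def next_hop(vpc: Vpc, dst_ip: str) -> Optional[str]:
    ip = ipaddress.ip_address(dst_ip)
    matches = [(net, hop) for net, hop in routes(vpc) if ip in net]
    if not matches:
        return None  # no route: the packet never leaves, whatever the firewall says
    return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    # Constructed example: the A/B pair from section 7 plus a third network C.
    a = Vpc("A", ["10.1.0.0/16"])
    b = Vpc("B", ["10.2.0.0/16"])
    c = Vpc("C", ["10.3.0.0/16"])
    peer(a, b)
    peer(b, c)
    print("A -> 10.2.0.5:", next_hop(a, "10.2.0.5"))   # via peering with B
    print("A -> 10.3.0.5:", next_hop(a, "10.3.0.5"))   # None: B does not re-export C
    print("B -> 10.3.0.5:", next_hop(b, "10.3.0.5"))   # B itself reaches C
    d = Vpc("D", ["10.1.5.0/24"])
    print("A/D overlap:", overlapping_ranges(a, d))    # peering A-D would be refused
```

The point to take from the routing table B builds: B can reach both A and C, but that never turns B into a transit network for them. Anyone who needs A to reach C has to peer them directly or go through a hub design.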

9. Firewall Rules

Connectivity also depends on firewall policies.

Even if routing allows traffic, firewalls may block it.

Rules typically filter:

  • source IP
  • destination IP
  • port
  • protocol

Example (Google Cloud evaluates rules in priority order, lower number first, and applies an implied deny to any ingress no rule matches):

Allow (priority 1000):
10.10.0.0/24 → database:5432

Deny (priority 2000):
0.0.0.0/0 → database

This ensures that only hosts in the internal subnet can reach the database on its port, and that nothing else reaches it on any port even if a broader allow rule exists at a lower priority. Note that the allow rule admits every host in 10.10.0.0/24, the worker included; restricting the source to the API server's network tag or service account instead of the whole subnet is the usual next step.
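An added example, not code from the article, that models how Google Cloud evaluates ingress firewall rules: rules are sorted by priority (lower number first), the first rule whose source, target and protocol/port all match decides, and a packet no rule matches hits the implied deny. The instances are the three from section 2 with network tags assumed here for illustration; the rule set is the one above plus a broad internal allow at priority 65534 (mirroring the default-allow-internal rule of Google Cloud's default network) to show why the explicit deny matters. Real rules are stateful, so replies to allowed connections pass automatically; that is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Instance:
    name: str
    ip: str
    tags: frozenset


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    priority: int               # 0..65535; lower number is evaluated first
    source_ranges: tuple = ()   # CIDR strings; match by source address
    source_tags: frozenset = frozenset()  # match by the sending instance's tags
    target_tags: frozenset = frozenset()  # empty: applies to every instance
    protocol: str = "all"       # "tcp", "udp", "icmp" or "all"
    ports: tuple = ()           # empty: every port of that protocol


IMPLIED_DENY = Rule("implied-deny-ingress", "deny", 65535, ("0.0.0.0/0",))


def _matches(rule: Rule, src: Instance, dst: Instance, protocol: str, port: Optional[int]) -> bool:
    by_range = any(ipaddress.ip_address(src.ip) in ipaddress.ip_network(r) for r in rule.source_ranges)
    by_tag = bool(rule.source_tags & src.tags)
    if not (by_range or by_tag):
        return False
    if rule.target_tags and not (rule.target_tags & dst.tags):
        return False
    if rule.protocol not in ("all", protocol):
        return False
    return not rule.ports or port in rule.ports


def evaluate_ingress(rules: List[Rule], src: Instance, dst: Instance,
                     protocol: str, port: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, deciding rule name) for a packet from src to dst:port."""
    for rule in sorted(rules, key=lambda r: r.priority) + [IMPLIED_DENY]:
        if _matches(rule, src, dst, protocol, port):
            return rule.action, rule.name
    raise AssertionError("unreachable: the implied deny matches everything")


# Constructed hosts: the three instances from section 2, with illustrative tags,
# plus an external host on a documentation address.
API = Instance("api", "10.10.0.5", frozenset({"api"}))
WORKER = Instance("worker", "10.10.0.8", frozenset({"worker"}))
DB = Instance("database", "10.10.0.12", frozenset({"database"}))
OUTSIDER = Instance("internet-host", "203.0.113.5", frozenset())

# The rule set from this section plus a broad "internal" allow at low priority.
RULES = [
    Rule("allow-subnet-to-db", "allow", 1000, ("10.10.0.0/24",), target_tags=frozenset({"database"}),
         protocol="tcp", ports=(5432,)),
    Rule("deny-all-to-db", "deny", 2000, ("0.0.0.0/0",), target_tags=frozenset({"database"})),
    Rule("allow-internal", "allow", 65534, ("10.10.0.0/24",)),
]

# Hardened variant: the database allow keys on the API server's tag instead of
# the whole subnet, so the worker loses access it never needed.
HARDENED = [Rule("allow-api-to-db", "allow", 1000, source_tags=frozenset({"api"}),
                 target_tags=frozenset({"database"}), protocol="tcp", ports=(5432,))] + RULES[1:]


if __name__ == "__main__":
    for rules_name, rules in (("subnet-based", RULES), ("tag-based", HARDENED)):
        print(rules_name)
        for src, dst, proto, port in ((API, DB, "tcp", 5432), (WORKER, DB, "tcp", 5432),
                                      (WORKER, DB, "tcp", 22), (OUTSIDER, DB, "tcp", 5432),
                                      (WORKER, API, "tcp", 8080), (OUTSIDER, API, "tcp", 8080)):
            print(f"  {src.name} -> {dst.name}:{port}/{proto}:", evaluate_ingress(rules, src, dst, proto, port))
```

Running both rule sets side by side shows the two things the prose claims: the deny at priority 2000 stops SSH from the worker to the database even though allow-internal at 65534 would have permitted it, and only the tag-based variant stops the worker from opening port 5432 on the database.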


10. Isolation Levels in Practice

A network may appear in several isolation states.

Fully Private

No path to the internet: no external IP, no NAT and, ideally, no default route.

Private VM
  ↔ internal services only

Used for:

  • databases
  • internal compute
  • sensitive services

Private With Internet Egress

Uses NAT.

VM → NAT → Internet

Used for:

  • package downloads
  • API calls
  • updates

Public Service

Accessible externally.

Internet → Load Balancer → Service

Used for:

  • web applications
  • APIs
  • SaaS platforms

11. Typical Cloud Architecture

A common production layout looks like this:

                    Internet
                        │
                Global Load Balancer
                        │
                ┌───────────────┐
                │  VPC Network  │
                └───────────────┘
                      │
        ┌─────────────┼─────────────┐
        │                           │
    Frontend Subnet             Backend Subnet
   (public services)          (private services)

                                   │
                               Database
                               (private)

Characteristics:

  • Only the load balancer is public
  • Services communicate over internal IPs
  • Databases remain isolated

12. Key Components in Cloud Networking

The main building blocks are:

Component         Purpose
VPC               Isolated virtual network
Subnet            IP segmentation
Routing table     Determines packet paths
NAT gateway       Internet egress
Internet gateway  Public connectivity
Firewall          Traffic filtering
Load balancer     Controlled entry point
Peering           Private network connectivity

These concepts exist in nearly every cloud platform, including Amazon Web Services, Microsoft Azure, and Google Cloud.


13. A Useful Mental Model

One helpful way to think about cloud networking:

A VPC is basically a programmable data-center network.

Instead of configuring switches and routers physically, you configure:

  • CIDR ranges
  • routing rules
  • firewall policies
  • connectivity between networks

The result is the same as with traditional infrastructure, only expressed in software.


Conclusion

Cloud networking may look abstract at first, but it follows the same core principles as traditional networking:

  • networks are defined by address ranges
  • connectivity depends on routing
  • exposure depends on gateways
  • isolation depends on firewalls and topology

Understanding these fundamentals makes it much easier to reason about infrastructure behavior—especially when debugging connectivity problems or designing secure system architectures.

About Author

Mathias Bothe

I am Mathias from Heidelberg, Germany. I am a passionate IT freelancer with 15+ years of experience in programming, especially in developing web-based applications for companies that range from small startups to the big players out there. I created Bosycom and initiated several software projects.