Modern cloud platforms make networking feel deceptively simple. You create a service, expose a port, and suddenly it is reachable. Under the surface, however, a number of classic networking concepts are still at work: routing tables, address spaces, gateways, and network boundaries.
This article revisits the core mechanics of cloud networking—using concepts from Google Cloud as a concrete example—while keeping the principles general enough to apply across most infrastructure environments.
1. The Basic Mental Model of a Network
At its most fundamental level, a network is simply:
- A range of IP addresses
- A set of machines assigned addresses from that range
- A routing system that determines where packets go
The moment two machines share a network, they can exchange packets directly, without passing through the public internet.
Every network therefore has three important properties:
- Address space (CIDR block)
- Connectivity rules
- Routing logic
Example CIDR ranges commonly used for private networks:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
These are defined by the Internet Assigned Numbers Authority as private IP ranges and are not routable on the public internet.
2. What Makes a Network “Private”?
A network is considered private when:
- Its IP addresses are not globally routable
- Access is restricted to specific connected networks
This means machines inside the network can communicate with each other, but external systems cannot directly reach them.
Typical examples:
- Databases inside a VPC
- Internal microservices
- Backend workers
- Private APIs
In cloud infrastructure, a private network is usually implemented as a Virtual Private Cloud (VPC).
For example in Google Cloud:
- A VPC network is a logically isolated network
- It contains subnets
- Resources get internal IP addresses
Example:
- VPC: my-production-network
- Subnet: 10.10.0.0/24
Instances in this subnet might be:
| Address | Role |
|---|---|
| 10.10.0.5 | API server |
| 10.10.0.8 | worker |
| 10.10.0.12 | database |
All can communicate internally without touching the public internet.
3. Subnets: Structuring Networks
Subnets divide networks into smaller segments.
Why?
- Security boundaries
- Regional distribution
- Routing control
Example:
VPC: 10.0.0.0/16

| Subnet | Region |
|---|---|
| 10.0.1.0/24 | europe-west1 |
| 10.0.2.0/24 | europe-north1 |
| 10.0.3.0/24 | us-central1 |
In cloud platforms this separation is important because infrastructure often spans multiple data centers and regions.
Subnets allow infrastructure teams to control:
- traffic flow
- firewall rules
- service placement
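As an added illustration (not part of the original article), the following Python uses the standard `ipaddress` module to check the VPC layout from the example above (every subnet inside the VPC range, no two subnets overlapping, private address space) and to find which regional subnet a given instance address belongs to. The `validate_layout` and `locate` helper names are my own.

```python
import ipaddress
from typing import Optional

# Constructed layout mirroring the article's section 3 example
VPC_CIDR = "10.0.0.0/16"
SUBNETS = {
    "europe-west1": "10.0.1.0/24",
    "europe-north1": "10.0.2.0/24",
    "us-central1": "10.0.3.0/24",
}


def validate_layout(vpc_cidr: str, subnets: dict) -> list:
    """Return a list of problems: non-private VPC space, subnets that fall
    outside the VPC range, or subnets that overlap each other."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    if not vpc.is_private:
        problems.append(f"{vpc} is not a private (RFC 1918) range")
    nets = {name: ipaddress.ip_network(c) for name, c in subnets.items()}
    for name, net in nets.items():
        if not net.subnet_of(vpc):
            problems.append(f"{name} {net} lies outside VPC {vpc}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def locate(address: str, subnets: dict) -> Optional[str]:
    """Name of the subnet (region) an instance address belongs to, or None
    if the address is not in any configured subnet."""
    ip = ipaddress.ip_address(address)
    for name, cidr in subnets.items():
        if ip in ipaddress.ip_network(cidr):
            return name
    return None


if __name__ == "__main__":
    print("problems:", validate_layout(VPC_CIDR, SUBNETS))
    print("10.0.2.17 is in", locate("10.0.2.17", SUBNETS))
```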
4. Routing: How Packets Know Where to Go
Networking works because of routing tables.
A routing table contains rules like:
| Destination | Next hop |
|---|---|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | internet gateway |
| 172.16.0.0/16 | peer network |
The special route 0.0.0.0/0 is the default route. It means:
If no more specific route matches the destination, send the packet to this gateway.
This gateway might be:
- an internet gateway
- a NAT gateway
- a VPN
- a peered network
Routing therefore determines whether traffic:
- stays internal
- leaves the network
- goes to another private network
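To make the lookup concrete, here is an added example (my own code, not from the article) that implements longest-prefix matching over the routing table shown above: the most specific matching prefix wins, which is why 10.0.0.0/16 takes precedence over the 0.0.0.0/0 default even though both match an internal address. The `lookup` and `classify` names are assumptions.

```python
import ipaddress
from typing import Optional

# Constructed routing table mirroring the article's example
ROUTES = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "internet gateway"),
    ("172.16.0.0/16", "peer network"),
]


def lookup(destination: str, routes=ROUTES) -> Optional[str]:
    """Return the next hop for a destination using longest-prefix match.
    Returns None when no route (not even a default) covers the address."""
    ip = ipaddress.ip_address(destination)
    best_net, best_hop = None, None
    for cidr, next_hop in routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def classify(destination: str, routes=ROUTES) -> str:
    """Map the chosen next hop onto the article's three outcomes."""
    hop = lookup(destination, routes)
    if hop is None:
        return "unreachable (no route)"
    if hop == "local":
        return "stays internal"
    if hop == "peer network":
        return "goes to another private network"
    return "leaves the network"


if __name__ == "__main__":
    for dst in ("10.0.5.3", "172.16.2.1", "8.8.8.8"):
        print(dst, "->", lookup(dst), "/", classify(dst))
```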
5. Internet Access
A private machine cannot reach the internet unless a route exists.
Typical pattern:
Private VM → NAT Gateway → Internet
Why NAT?
Because private IPs are not globally routable.
A Network Address Translation (NAT) gateway:
- replaces the private source IP with a public IP
- forwards the packet
- keeps a record of the translation so the reply can be mapped back to the original machine
The response returns through the same gateway.
Key consequence:
- the machine can access the internet
- but cannot be reached from the internet
This is called egress-only connectivity.
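The following added example (my own code, not from the article) simulates a minimal source-NAT table to show why this is egress-only: an outbound flow creates a translation entry, a reply that matches an entry is translated back to the private host, and any inbound packet without a matching entry is dropped. The `NatGateway` class and the addresses (documentation ranges) are constructed for the example.

```python
import ipaddress


class NatGateway:
    """Minimal source-NAT: only flows opened from inside get a mapping."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.forward = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self.reverse = {}   # (public port, remote_ip, remote_port) -> (priv_ip, priv_port)
        self.next_port = 40000

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet leaving the private network; returns it as seen on the internet."""
        if not ipaddress.ip_address(src_ip).is_private:
            raise ValueError("NAT only translates private source addresses")
        key = (src_ip, src_port, dst_ip, dst_port)
        pub_port = self.forward.get(key)
        if pub_port is None:                      # first packet of this flow
            pub_port = self.next_port
            self.next_port += 1
            self.forward[key] = pub_port
            self.reverse[(pub_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, pub_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Packet arriving from the internet; delivered only if it is a reply
        to a flow opened from inside, otherwise None (dropped)."""
        if dst_ip != self.public_ip:
            return None
        priv = self.reverse.get((dst_port, src_ip, src_port))
        if priv is None:
            return None   # unsolicited: no inside host is reachable this way
        return (src_ip, src_port, priv[0], priv[1])


if __name__ == "__main__":
    nat = NatGateway("203.0.113.10")
    print(nat.outbound("10.10.0.5", 51000, "198.51.100.7", 443))
    print(nat.inbound("198.51.100.7", 443, "203.0.113.10", 40000))
    print(nat.inbound("198.51.100.9", 22, "203.0.113.10", 22))
```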
6. Public Services
If you want external users to reach a service, you must expose it.
Typical mechanisms:
- Public IP on a machine
- Load balancer
- Reverse proxy
- API gateway
In many architectures the typical pattern is:
Internet → Load Balancer → Private Services
This keeps backend services private while exposing only controlled entry points.
7. Network Peering
Sometimes two private networks must communicate.
Example:
- Network A (10.1.0.0/16)
- Network B (10.2.0.0/16)
Without configuration they are isolated.
Peering creates direct connectivity.
Network A ↔ Network B
After peering:
- machines in A can reach B
- machines in B can reach A
No internet routing is involved.
Important characteristics:
- traffic remains private
- latency is low
- bandwidth is high
However, peering usually requires non-overlapping CIDR ranges.
8. Transitive Routing (Usually Not Allowed)
One important limitation of peering is non-transitivity.
Example:
- Network A ↔ Network B
- Network B ↔ Network C
Usually:
A cannot reach C
because peering relationships do not propagate routes.
This prevents complex routing loops and unintended access paths.
To build multi-network topologies, cloud providers often require:
- shared VPCs
- transit gateways
- hub-and-spoke designs
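This added example (my own code, not from the article) models both points from sections 7 and 8: a peering is refused when the two ranges overlap, and each network only learns routes for its own range and its directly peered ranges, so A ↔ B plus B ↔ C does not let A reach C. The `PeeringFabric` class name is an assumption.

```python
import ipaddress


class PeeringFabric:
    """Tracks private networks and the direct peerings between them."""

    def __init__(self):
        self.networks = {}      # name -> ip_network
        self.peerings = set()   # frozenset({a, b}) for each direct peering

    def add_network(self, name: str, cidr: str) -> None:
        self.networks[name] = ipaddress.ip_network(cidr)

    def peer(self, a: str, b: str) -> None:
        """Create a direct peering; overlapping ranges cannot be peered."""
        na, nb = self.networks[a], self.networks[b]
        if na.overlaps(nb):
            raise ValueError(f"cannot peer {a} {na} with {b} {nb}: ranges overlap")
        self.peerings.add(frozenset((a, b)))

    def routes_for(self, name: str) -> dict:
        """Routes a network learns: its own range plus directly peered ranges.
        Nothing is propagated from a peer's peers (non-transitive)."""
        routes = {str(self.networks[name]): "local"}
        for p in self.peerings:
            if name in p:
                (other,) = p - {name}
                routes[str(self.networks[other])] = f"peer {other}"
        return routes

    def can_reach(self, src: str, dst_ip: str) -> bool:
        ip = ipaddress.ip_address(dst_ip)
        return any(ip in ipaddress.ip_network(c) for c in self.routes_for(src))


if __name__ == "__main__":
    f = PeeringFabric()
    for n, c in (("A", "10.1.0.0/16"), ("B", "10.2.0.0/16"), ("C", "10.3.0.0/16")):
        f.add_network(n, c)
    f.peer("A", "B")
    f.peer("B", "C")
    print("A -> B:", f.can_reach("A", "10.2.0.5"))
    print("A -> C:", f.can_reach("A", "10.3.0.5"))
```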
9. Firewall Rules
Connectivity also depends on firewall policies.
Even if routing allows traffic, firewalls may block it.
Rules typically filter:
- source IP
- destination IP
- port
- protocol
Example:
- Allow: 10.10.0.0/24 → database:5432
- Deny: 0.0.0.0/0 → database
This ensures that only internal services can reach the database.
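As an added example (my own code, not from the article), the evaluator below applies the two rules above as an ordered policy in which the first matching rule decides and anything unmatched is denied; the assertions also show that swapping the two rules would deny the internal clients as well, so rule order (or priority) is part of the policy. The `Rule` dataclass, the database address 10.10.0.12 and the `evaluate` name are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    source: str            # source CIDR
    dest: str              # destination CIDR
    port: Optional[int]    # None matches any port
    protocol: str = "tcp"

    def matches(self, src_ip, dst_ip, port, protocol) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dest)
                and (self.port is None or self.port == port)
                and self.protocol == protocol)


DATABASE = "10.10.0.12/32"   # constructed: the database host from section 2
RULES = [
    Rule("allow", "10.10.0.0/24", DATABASE, 5432),
    Rule("deny", "0.0.0.0/0", DATABASE, None),
]


def evaluate(rules, src_ip, dst_ip, port, protocol="tcp", default="deny") -> str:
    """First matching rule decides; implicit deny when nothing matches."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port, protocol):
            return rule.action
    return default


if __name__ == "__main__":
    print(evaluate(RULES, "10.10.0.5", "10.10.0.12", 5432))    # internal client
    print(evaluate(RULES, "203.0.113.7", "10.10.0.12", 5432))  # external client
```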
10. Isolation Levels in Practice
A network may appear in several isolation states.
Fully Private
No internet route.
Private VM ↔ internal services only
Used for:
- databases
- internal compute
- sensitive services
Private With Internet Egress
Uses NAT.
VM → NAT → Internet
Used for:
- package downloads
- API calls
- updates
Public Service
Accessible externally.
Internet → Load Balancer → Service
Used for:
- web applications
- APIs
- SaaS platforms
11. Typical Cloud Architecture
A common production layout looks like this:
```text
Internet
   │
Global Load Balancer
   │
┌──────────────┐
│ VPC Network  │
└──────────────┘
   │
┌─────────────┴─────────────┐
│                           │
Frontend Subnet        Backend Subnet
(public services)      (private services)
                            │
                        Database
                        (private)
```
Characteristics:
- Only the load balancer is public
- Services communicate over internal IPs
- Databases remain isolated
12. Key Components in Cloud Networking
The main building blocks are:
| Component | Purpose |
|---|---|
| VPC | Isolated virtual network |
| Subnet | IP segmentation |
| Routing table | Determines packet paths |
| NAT gateway | Internet egress |
| Internet gateway | Public connectivity |
| Firewall | Traffic filtering |
| Load balancer | Controlled entry point |
| Peering | Private network connectivity |
These concepts exist in nearly every cloud platform, including Amazon Web Services, Microsoft Azure, and Google Cloud.
13. A Useful Mental Model
One helpful way to think about cloud networking:
A VPC is basically a programmable data-center network.
Instead of configuring switches and routers physically, you configure:
- CIDR ranges
- routing rules
- firewall policies
- connectivity between networks
The result is the same outcome as traditional infrastructure—only expressed through software.
Conclusion
Cloud networking may look abstract at first, but it follows the same core principles as traditional networking:
- networks are defined by address ranges
- connectivity depends on routing
- exposure depends on gateways
- isolation depends on firewalls and topology
Understanding these fundamentals makes it much easier to reason about infrastructure behavior—especially when debugging connectivity problems or designing secure system architectures.