
Cloud Concepts & Connectivity Options

Cloud Concepts

Network Functions Virtualization (NFV)

Virtual versions of network devices like routers or firewalls. NFV replaces traditional network hardware (like routers, firewalls, load balancers) with software-based virtual appliances that run on standard servers.

Instead of buying a separate physical box for each function, you can virtualize them using technologies like VMware, Hyper-V, or KVM.

For example, a company might deploy a virtual firewall or load balancer inside a cloud environment rather than a physical one in their data center. NFV makes networks flexible, scalable, and easier to automate—you can spin up new network functions instantly.

Virtual Private Cloud (VPC)

Your private network space inside a public cloud.

A VPC is an isolated section of a public cloud (like AWS, Azure, or GCP) that behaves like your own private data center.

You define your own IP ranges, subnets, routing tables, and security settings.

It lets you host cloud resources (VMs, databases, etc.) in a private environment, yet still connect to the internet securely.

VPC Internet Gateway: Provides a path out to the internet and lets the internet initiate connections in to your public-facing resources (like a web server). It is two-way public communication. Example: An EC2 instance with a public IP uses the Internet Gateway to download software updates from the internet.

VPC Endpoint: A private connection between your VPC and supported AWS services (like S3 or DynamoDB) without using the public internet.

Benefits: security, privacy, and potentially lower latency. All traffic stays within the AWS network and never touches the public internet. An endpoint policy can additionally restrict which buckets or tables are reachable through the endpoint, which limits what a compromised instance can exfiltrate to. There are two types:

  • Interface Endpoint: An elastic network interface with a private IP address in your subnet that acts as the entry point (uses AWS PrivateLink).
  • Gateway Endpoint: A route table target for traffic destined for S3 or DynamoDB.

Transit Gateway (TGW): A network transit hub that you can use to interconnect your multiple VPCs, on-premises data centers, and remote offices.

Virtual Private Gateway (VGW): The VPN concentrator on the Amazon side of a Site-to-Site VPN connection. It anchors the encrypted IPsec tunnel between your VPC and your remote corporate data center or office, carried over the public internet.

NAT Gateway (Network Address Translation Gateway): A managed service that allows private instances (with no public IP) in your VPC to initiate outbound connections to the internet or other AWS services, while preventing the internet from initiating a connection back to those instances. This is not security through obscurity: the gateway only translates and forwards return traffic for connections that were opened from inside, so there is simply no inbound path for an outside host to use. It lets your private databases or application servers get updates without exposing them to the public internet.

Network Security Groups (NSG)

An NSG acts like a virtual firewall controlling inbound and outbound traffic to specific resources (such as virtual machines or subnets).

Rules in an NSG specify which source/destination IPs, ports, and protocols are allowed or denied. Rules are evaluated in priority order (lowest number first), and NSGs are stateful: the reply to an allowed connection is permitted without a separate rule.

Cloud-based access control list for VMs and subnets.

For example, in Azure, you might allow inbound traffic on port 443 (HTTPS) but block port 23 (Telnet).

Network Security Lists (NSL)

Operates at the subnet level.

  • You attach the security list to a subnet. Every network interface (VM) placed inside that subnet inherits the same set of allow/deny rules. Analogy: The "Finance Building" has a rule: "No one from the Engineering Building is allowed to enter." This rule applies to every engineer who tries to enter, and it protects every person and room inside the Finance Building.

Defines stateless rules: each packet is judged on its own, with no memory of the connection it belongs to (the AWS equivalent of this subnet-level, stateless construct is the Network ACL). Imagine your EC2 instance in the "Finance Subnet" makes an outbound request to google.com on port 443 (HTTPS).

The Outbound Request:

  • Your EC2 instance sends a packet: Source: EC2:51234 (a random ephemeral source port) -> Destination: google.com:443

  • This packet hits the subnet's Outbound Security List rules.

  • You (the admin) have a rule: ALLOW Outbound TCP to 0.0.0.0/0 on port 443.

  • Result: The packet is allowed to leave.

The Inbound Response:

  • google.com sends the response back. This is a new, separate packet from the network's perspective. It looks like: Source: google.com:443 -> Destination: EC2:51234

  • This return packet arrives at your subnet's entrance and hits the Inbound Security List rules.

  • Here is the critical part: The firewall is stateless. It has forgotten the original outbound request. It doesn't know this is a "reply." It just sees an incoming packet from google.com with source port 443 and destination port 51234.

The Decision:

  • The firewall checks its Inbound rules against the packet's destination port (51234), not its source port (443).

  • If there is NO rule that says ALLOW Inbound TCP from google.com (or 0.0.0.0/0) on the ephemeral port range (1024-65535), the firewall follows its default behavior: DENY. An inbound rule for port 443 would not help here; it only matches packets whose destination port is 443.

Result: The response packet is discarded. Your EC2 instance never receives the data it was waiting for, and the connection fails. The fix is an explicit inbound ALLOW for TCP 1024-65535 from the sources your instances talk to (and, symmetrically, an outbound ephemeral-port rule for any service your subnet exposes). Stateful constructs such as security groups and NSGs avoid this entirely by tracking connections and allowing the reply automatically.
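The following is an added example, not part of the original notes: a small simulation of the stateless subnet rule set described above next to the stateful security-group/NSG model from the previous section, run over the same outbound HTTPS flow. Addresses, ports, rule sets and the ephemeral range are constructed for the model; it is not tied to any cloud API.

```python
"""Added example (not from the original notes): simulate how a stateless
subnet-level rule set and a stateful per-resource rule set treat the same
outbound HTTPS flow.  Addresses, ports and rules below are constructed."""
import ipaddress
from dataclasses import dataclass

# Client source ports come from an ephemeral range; 1024-65535 is the range
# you open on a stateless ACL for return traffic (assumed range for this model).
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    cidr: str          # remote address range, "0.0.0.0/0" for any
    ports: tuple       # inclusive (low, high) range of the packet's *destination* port
    proto: str = "tcp"


def rule_matches(rule: Rule, remote_ip: str, dst_port: int, proto: str) -> bool:
    return (rule.proto == proto
            and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr, strict=False)
            and rule.ports[0] <= dst_port <= rule.ports[1])


class StatelessAcl:
    """Each direction is evaluated on its own; nothing is remembered between packets."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound

    @staticmethod
    def _decide(rules, remote_ip, dst_port, proto):
        for r in rules:                      # first matching rule wins
            if rule_matches(r, remote_ip, dst_port, proto):
                return r.action == "allow"
        return False                         # implicit deny

    def egress(self, p: Packet) -> bool:
        return self._decide(self.outbound, p.dst_ip, p.dst_port, p.proto)

    def ingress(self, p: Packet) -> bool:
        return self._decide(self.inbound, p.src_ip, p.dst_port, p.proto)


class StatefulFirewall:
    """Allow-list firewall with a connection table (security group / NSG model)."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.conntrack = set()

    def egress(self, p: Packet) -> bool:
        ok = any(r.action == "allow" and rule_matches(r, p.dst_ip, p.dst_port, p.proto)
                 for r in self.outbound)
        if ok:  # remember the 5-tuple so the reply is recognised
            self.conntrack.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto))
        return ok

    def ingress(self, p: Packet) -> bool:
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto) in self.conntrack:
            return True                      # reply to a tracked outbound flow
        return any(r.action == "allow" and rule_matches(r, p.src_ip, p.dst_port, p.proto)
                   for r in self.inbound)


# Constructed flow: instance 10.0.1.25 talks HTTPS to 203.0.113.10 (documentation range).
REQUEST = Packet("10.0.1.25", 51234, "203.0.113.10", 443)
REPLY = Packet("203.0.113.10", 443, "10.0.1.25", 51234)
ALLOW_HTTPS_OUT = [Rule("allow", "0.0.0.0/0", (443, 443))]


def round_trip(fw) -> bool:
    """True only if the request leaves AND the reply is accepted."""
    return fw.egress(REQUEST) and fw.ingress(REPLY)


def stateless_without_ephemeral_rule() -> bool:
    return round_trip(StatelessAcl(inbound=[], outbound=ALLOW_HTTPS_OUT))


def stateless_with_ephemeral_rule() -> bool:
    inbound = [Rule("allow", "0.0.0.0/0", EPHEMERAL)]
    return round_trip(StatelessAcl(inbound=inbound, outbound=ALLOW_HTTPS_OUT))


def stateful_no_inbound_rule() -> bool:
    return round_trip(StatefulFirewall(inbound=[], outbound=ALLOW_HTTPS_OUT))


def nsg_accepts_inbound(dst_port: int) -> bool:
    """NSG-style policy from the notes: allow 443 in, nothing else (so Telnet/23 is denied)."""
    nsg = StatefulFirewall(inbound=[Rule("allow", "0.0.0.0/0", (443, 443))], outbound=[])
    return nsg.ingress(Packet("198.51.100.7", 40000, "10.0.1.25", dst_port))


if __name__ == "__main__":
    print("stateless, no ephemeral rule:", stateless_without_ephemeral_rule())  # False
    print("stateless, ephemeral rule   :", stateless_with_ephemeral_rule())     # True
    print("stateful, no inbound rule   :", stateful_no_inbound_rule())          # True
    print("NSG inbound 443 / 23        :", nsg_accepts_inbound(443), nsg_accepts_inbound(23))
```

The stateless ACL drops the reply unless an inbound rule covers the ephemeral destination port; the stateful firewall accepts it with no inbound rule at all because the 5-tuple is in its connection table. The same stateful object also reproduces the NSG example: inbound 443 passes, inbound 23 does not.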

Cloud Connectivity Options

VPN (Virtual Private Network)

A secure, encrypted tunnel connecting on-premises networks to the cloud over the internet. Example: A business connects its office network to AWS or Azure using an IPsec VPN.

Direct Connect (or ExpressRoute / Dedicated Interconnect)

A dedicated, private physical link between your data center and the cloud provider.

You have a physical cross-connect (like a fiber optic cable) from your router (or your colocation provider's router) directly into the cloud provider's network backbone.

It offers lower latency, higher reliability, and more predictable performance than a VPN. The link is private but not encrypted by itself, so run a VPN or application-layer TLS over it if the data requires encryption in transit. Example: AWS Direct Connect or Azure ExpressRoute.

Deployment Models

Public Cloud:

Services offered over the internet to anyone (e.g., AWS, Azure, GCP). Customers share the provider's infrastructure but run in isolated environments managed by the provider. Shared but isolated.

Private Cloud:

Dedicated resources for a single organization, either on-premises or hosted by a third party. Provides full control over security and compliance. One organization, full control.

Hybrid Cloud

Combines public and private clouds, allowing data and apps to move between them. Example: A company keeps sensitive data in a private cloud but uses the public cloud for web hosting.

Community Cloud

A community cloud is a multi-tenant infrastructure shared by several organizations that belong to a specific community with common interests, such as: security requirements, compliance policies, jurisdictional laws, and business objectives.

Examples

  • All public schools in a state might share a community cloud for their student information systems, ensuring all data is handled under the same privacy laws (like FERPA).
  • A group of hospitals might share a community cloud to store and process patient records. This ensures that all data is managed in a way that is compliant with HIPAA regulations, and it allows for easier sharing of medical data for research within the trusted community.
  • A consortium of banks might create a community cloud to develop shared tools for fraud detection, all built on a platform that meets their strict financial industry regulations.

Service Models

Infrastructure as a Service (IaaS)

Provides virtualized hardware resources — you manage the OS, apps, and data.

  • What you get: A raw, empty vehicle. You have complete control over the driving, the route, the music, and the passengers.
  • What you manage: Everything inside the car. You are responsible for fueling it (scaling), maintenance (OS patches), and navigation (networking configuration). If you crash it (security breach), it's your fault.
  • What the provider manages: The car itself, the car lot, and the road infrastructure.

Platform as a Service (PaaS)

Provides the full development environment — OS, runtime, and tools — so developers can focus on coding without managing infrastructure.

  • What you get: A ride. You don't care about the car, the gas, or the maintenance. You just tell the driver where you want to go.

  • What you manage: Your destination and your behavior in the backseat (your application code and data).

  • What the provider manages: The vehicle, the fuel, the driver, the route, and all the maintenance. You are abstracted away from the underlying machinery.

Software as a Service (SaaS)

Fully managed applications accessible over the internet. You only use the software — no management of servers or updates.

  • What you get: A completed transportation service with a fixed route and schedule.

  • What you manage: Nothing. You just show up, pay the fare, and use the service to get to your destination. You have no control over the bus, the driver, or the route.

  • What the provider manages: Everything. The buses, the routes, the schedules, the drivers, the bus stops, and the ticketing system. Examples: Gmail, Office 365, Salesforce, Zoom.

Scalability

Scalability means the ability of a system to handle increasing workload by adding more resources.

It can be vertical (scale up) — adding more power (CPU, RAM) to an existing server, or horizontal (scale out) — adding more servers.

It is the Ability to Grow

Elasticity

Elasticity is the automatic adjustment of resources — scaling up or down — based on demand. If usage spikes, more instances are added; when it drops, they’re removed automatically.

Cloud providers like AWS use Auto Scaling Groups for this.

It is the Ability to Expand & Contract

A system must be scalable to be truly elastic. You can't quickly add 50 servers (elasticity) if your architecture isn't designed to handle multiple servers (scalability). You build a scalable system so that it can be elastic when it needs to be. Scalability is about handling growth; elasticity is about handling flux.
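As an added illustration (not from the original notes) of the elasticity described above, the block below models a target-tracking scaling controller: capacity grows when load pushes utilisation above a target and shrinks when it falls, inside hard min/max bounds and with a cooldown between changes. It is a simulation of the behaviour an Auto Scaling Group provides, not a call to any cloud API; the per-instance capacity, bounds and traffic curve are constructed.

```python
"""Added example (not from the original notes): a target-tracking scaling
controller that models elasticity.  It simulates the behaviour an Auto Scaling
Group provides; it does not talk to any cloud API.  All numbers are constructed."""
import math

UNITS_PER_INSTANCE = 100   # assumed work units one instance can serve per tick


class ScalingGroup:
    def __init__(self, min_size=2, max_size=10, target_util=0.7, cooldown=2):
        # Hard bounds: a floor for availability, a ceiling for cost and blast radius
        # (a runaway scale-out is itself a denial-of-wallet risk).
        self.min_size, self.max_size = min_size, max_size
        self.target_util = target_util      # keep average utilisation near this
        self.cooldown = cooldown            # ticks to wait after a change before another
        self.capacity = min_size            # instances currently in service
        self.cooling = 0

    def desired(self, load: float) -> int:
        """Instances needed so that load / (instances * UNITS) <= target, clamped to bounds."""
        wanted = math.ceil(load / (UNITS_PER_INSTANCE * self.target_util))
        return max(self.min_size, min(self.max_size, wanted))

    def utilisation(self, load: float) -> float:
        """Fraction of current capacity in use; > 1.0 means the group is saturated."""
        return load / (self.capacity * UNITS_PER_INSTANCE)

    def step(self, load: float) -> int:
        """One scheduler tick: adjust capacity if the cooldown allows, return new size."""
        if self.cooling > 0:
            self.cooling -= 1
        else:
            want = self.desired(load)
            if want != self.capacity:
                self.capacity = want
                self.cooling = self.cooldown
        return self.capacity


def simulate(loads, **kwargs) -> list:
    """Capacity after each tick for a sequence of load samples.

    This only works because the instances are interchangeable (stateless, behind a
    load balancer); that architectural property is the scalability prerequisite."""
    group = ScalingGroup(**kwargs)
    return [group.step(load) for load in loads]


if __name__ == "__main__":
    demand = [100, 100, 300, 300, 300, 900, 900, 100, 100, 100, 100]  # constructed traffic curve
    print(simulate(demand))   # [2, 2, 5, 5, 5, 10, 10, 10, 2, 2, 2]
```

The trace shows both halves of elasticity: the group expands from 2 to 5 to 10 instances as load rises and contracts back to the floor of 2 once it falls, with the cooldown delaying each reaction by a couple of ticks. At 900 units the desired count (13) is clamped to the maximum of 10, which is the point where capacity planning, not autoscaling, has to answer.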

Multitenancy

Multitenancy means multiple customers (tenants) share the same physical cloud resources securely.

Each tenant’s data is isolated, even though they share hardware.