If you’re a cloud service provider, one of the key things you need from your IaaS cloud platform is the ability to sell an array of different cloud services to your customers. Offering Virtual Private Cloud (VPC) is a great way to meet customer needs for secure cloud-based application hosting, and give companies an alternative to the hyperscale clouds (AWS, Azure, Google).
In this post we’ll look at what a Virtual Private Cloud is and why your customers need it; consider a few simple VPC configurations; and show how you can sell your own Virtual Private Cloud services using Virtuozzo Hybrid Infrastructure, our IaaS cloud platform.
- What is Virtual Private Cloud?
- Why do we need VPC functionality?
- Virtual Private Cloud network configurations
- Building Virtual Private Clouds using Virtuozzo Hybrid Infrastructure
What is Virtual Private Cloud?
Virtual Private Cloud (VPC) refers to an isolated and secure private cloud hosted within a public cloud or multi-tenanted environment. It provides functionality similar to what an SMB or enterprise would expect from a private datacenter – it is just hosted remotely by a cloud provider. With a VPC, users can manage their own virtual networks and security policies to provide private communication between applications.
Virtual Private Cloud is a key part of any Infrastructure-as-a-Service offering. You’ll find VPC services at AWS, Azure and Google… and, if they use Virtuozzo, at your local alternative cloud provider too.
Why do we need VPC functionality?
When customers build out applications in their cloud environments, the key concern is always security. How can I ensure that my application is secure, when running in a cloud environment?
A key design requirement is segmentation. In its simplest form that is just network segmentation: dividing networks up to reduce the attack surface. Normally only a very small part of the application needs to be web/public facing; the majority of application components should be segregated from the public-facing components.
Network segmentation involves splitting the larger network into smaller network segments, so that East-West traffic between VMs stays within a private network, while North-South traffic passes through a router or firewall device.
The other term used is micro-segmentation, which takes a more specific approach to segmenting individual workloads – typically by creating different policies for applications to determine how components can communicate with each other. The workloads within a network segment can also be protected using application-aware security. This guards against ‘insider’ attacks: even once a private network has been compromised, East-West traffic within that network is still protected.
In most advanced cloud solutions today you see a mixture of both.
Virtual Private Cloud network configurations
Let’s look at some examples of potential networking layouts for a VPC – but first, for comparison, let’s look at a non-VPC example. This is typically how Virtual Private Servers are provided:
Public Network Only (no VPC)
In this scenario the service provider just gives the end user a number of Public IPs, and any VMs that the end user builds are given a public IP. Security is the responsibility of the end user, and they would have to ensure they configure strict firewall rules on the individual VMs themselves.
Public Network and Private Network with Firewall/Router appliance
Now let's look at a Virtual Private Cloud in its simplest form. The end user has a public network, but there’s an internal network separated by a router/firewall appliance that protects the VMs from the Internet. Access to the VMs can be configured using NAT/Firewall technologies:
Three Tier Architecture for Virtual Private Clouds
Now let’s consider a more sophisticated set-up, with multiple private networks protected by the same firewall, which provides internet access to all machines. Each private network represents a tier, and Security Groups are used to control the flows of traffic between the workloads:
You could also achieve the same three-tier architecture with a single private network, and security groups to determine the traffic flows between workloads:
Building Virtual Private Clouds using Virtuozzo Hybrid Infrastructure
Virtuozzo Hybrid Infrastructure (VHI) makes it easy to offer advanced VPC functionality to your customers.
Here is an example of how the three-tier architecture could be achieved in VHI. As you can see in the User Panel screenshot here, we have a public network, and we have created three separate private networks that will be used for each of our tiers:
Once the networks have been created, we can then create a Router to provide all of the private networks with internet access:
We can then use the Security Group feature to create Security Groups for each of our tiers:
In each Security Group we can define the network access. The web-tier will have inbound access from the public network:
We can then configure our app-tier Security Group to only have inbound access from the web-tier SG:
Finally, we configure the db-tier Security Group to only allow access from the app tier Security Group:
This configuration ensures that each tier can only be reached from the tier directly above it. For example, a web server can reach an app server but never a database server; an app server can talk to a database server directly.
In a real deployment this example VPC should be restricted further so that each rule allows only the specific ports a tier needs, and security for outbound access should also be tightened.
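As an added illustration (not code from the original post or from Virtuozzo), the following Python model reproduces the web/app/db security-group rules described above and checks the single-hop property. Group names, ports and addresses are constructed sample values; rules reference a remote security group by name, as the three-tier set-up does.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
# Constructed model of the web/app/db security groups described above: an
# inbound rule admits a flow from a remote security group or a CIDR on one
# protocol and port range; a flow that matches no rule is denied.
@dataclass(frozen=True)
class Rule:
    protocol: str                       # "tcp", "udp" or "any"
    port_min: int
    port_max: int
    remote_group: Optional[str] = None  # source security group name, or ...
    remote_cidr: Optional[str] = None   # ... source CIDR

def inbound_allowed(rules, src_group, src_ip, protocol, port):
    """True if some inbound rule of the destination admits this source."""
    for r in rules:
        if r.protocol not in ("any", protocol) or not r.port_min <= port <= r.port_max:
            continue
        if r.remote_group is not None and r.remote_group == src_group:
            return True
        if r.remote_cidr is not None and ip_address(src_ip) in ip_network(r.remote_cidr):
            return True
    return False

# Each tier listens on one service port, and the app and db rules reference the
# previous tier's group by name rather than by subnet (constructed sample values).
TIERS = {
    "web-sg": [Rule("tcp", 443, 443, remote_cidr="0.0.0.0/0")],
    "app-sg": [Rule("tcp", 8080, 8080, remote_group="web-sg")],
    "db-sg": [Rule("tcp", 5432, 5432, remote_group="app-sg")],
}
SERVICE_PORT = {"web-sg": 443, "app-sg": 8080, "db-sg": 5432}
# One sample member address per tier, plus an Internet client in no group.
SOURCES = {"internet": "203.0.113.10", "web-sg": "10.0.1.10",
           "app-sg": "10.0.2.10", "db-sg": "10.0.3.10"}

def reachability():
    """Map (source, destination group) -> can the source reach that tier's service port?"""
    return {(src, dst): inbound_allowed(TIERS[dst], None if src == "internet" else src,
                                         ip, "tcp", SERVICE_PORT[dst])
            for src, ip in SOURCES.items() for dst in TIERS}

def policy_violations(matrix):
    """Flows the single-hop design must not allow: anything that skips a tier."""
    forbidden = {("internet", "app-sg"), ("internet", "db-sg"), ("web-sg", "db-sg")}
    return sorted(f for f in forbidden if matrix[f])

if __name__ == "__main__":
    print("violations:", policy_violations(reachability()))
```

Replacing the db-sg rule's remote group with a subnet-wide CIDR such as 10.0.0.0/8 makes the web tier able to reach the database directly, which this checker reports as a ("web-sg", "db-sg") violation.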
More information
You can find detailed explanations of virtual networks, virtual routers and security groups in Virtuozzo Hybrid Infrastructure at our documentation site:
If you’d like to know more about Virtuozzo Hybrid Infrastructure and the many different cloud services that it lets you take to market… get in touch for a demo!