IaaS 101: What is — Networking

VPC networking

Also known as core networking, consists of a suite of services (VPCs, subnets, VPNs, IP addresses, etc) that enables our customers to connect their virtual compute resources together; creating a highly secure, virtual cloud environment.


A suite of services that connect environments together. These can be on-prem to the cloud (via Direct Link) and cloud to cloud (via Transit Gateway).

VPC — The island

Within the expansive world of the public cloud, you can create your own cloud environment to run your application on. This is essentially what a Virtual Private Cloud is — it’s your own reserved slice of public cloud; your island. Here, you can set up all the resources you’ll need, including virtual servers and networking services. These islands have a unique code to help identify them from each other (UUID) as well as complete control over their address schemes.


VPCs often have many virtual servers which are constantly sending and receiving data (network traffic) every second of the minute and hour. The best practice is to create sub-networks within a VPC to separate out the network traffic into “containers”. Better known as a subnet, these invisible network “containers” are really just IP address ranges in which you can establish other resources. Back on Network Island, subnets are really just the same as zipcodes (simple region identifiers that help postal workers separate out the mail to be sent to the correct areas of the island). Unique to the cloud, however, these “zipcodes” can be reused on other islands since the UUID is the primary identifier of the island itself.

IP Address — Individual addresses

If a subnet is just a range of IP addresses, then what is an IP address? An IP address is a numeric tag assigned to a compute resource so that you can find its location in digital space. In your VPC, network traffic travels from one IP address to another. On Network Island, IP addresses — unsurprisingly — are the equivalent of addresses — telling you the locations of everything from City Hall to the seaside lobster shack. Similar to zipcodes (subnets), these addresses are also only unique within a specific island (VPC) and can be repeated on other islands, similar to how multiple towns will each have a “main street”.

Public “floating” and private IP address — Public building and private home addresses

At IBM Cloud, we have 2 types of IP addresses — public and private. Public IP addresses allow communications from the internet to reach your resource in VPC. A private IP address only allows communications within your VPC. Imagine a Public IP address being the address of any commercial stores on the island, like Starbucks or 7-Eleven. Essentially anyone can come in and out. A Private IP address would be the address of all private residences like houses or apartments.

Load balancers — Traffic cop

Load balancers are specialized resources that take in data and direct it to different virtual servers. Load balancers are attached to multiple virtual servers running the same application. If one server is down, the load balancer can avoid that server and direct traffic toward healthy servers. That way, consumers of the application will never be affected by server malfunctions and can still reach their application with no issues. On Network Island, load balancers are the traffic cops standing in the middle of busy intersections, directing traffic down roads safely so that people can reach their destinations.

Security within the VPC

Access control lists — Entrance gates

An access control list is a set of rules that control traffic traveling to and from subnets. These rules define where traffic is allowed or denied. If you look closely at Network Island, you might see that some neighborhoods have an entrance gate, so only residents and guests can enter and use their gym, swimming pool, etc. That concept is exactly that of an access control list — providing security measures for a certain area.

Security groups — Home security systems

A security group is very similar to an access control list. The difference is that they control traffic to and from virtual servers. Security groups translated into the physical world would be like any security setups for individual houses or buildings — that can be locks, door codes, alarm systems — anything that someone might set up to prevent others from entering a private home.

Flow Logs — Traffic cameras

Flow logs for VPC track your network traffic going to and from your compute resources. This fine-grain data helps you secure your network further by enabling you to monitor where traffic is getting accepted or rejected. On Network Island, this would act as your system of traffic cameras, allowing you to see all the different intersections, traffic jams and accident reports, giving you the foresight you need to understand what’s happening out on the roads.

Access outside of the VPC

Public gateway — Boat dock

A simple way to connect your application to another network would be with a public gateway. Your network traffic travels across the public internet. That would be like if you were to go to an open dock and paddle a boat out to sea. The sea best represents the internet, a vast network but also one with significant security risks.

VPN gateway — Underwater tunnel

What if you wanted a more secure connection to the internet? Instead of a public gateway, you could use a Virtual Private Network gateway or VPN gateway for short. When network traffic is running through a VPN gateway, the traffic is encrypted to prevent security attacks on the data being sent. On our Network Island, instead of going across the sea on a boat, you could avoid the dangers at sea by traveling via an underwater tunnel. You are still traveling across water, but safely through a tunnel.

Transit Gateway— Airport

Transit Gateway interconnects all of your VPCs to other cloud networks and really does work like an airport connecting the islanders to a plethora of different destinations. If VPC-A needs to connect to cloud network #143, then Transit Gateway can connect these two networks directly, while avoiding a complicated web of gateways and connections.

Direct Link 2.0— Non-stop airline

Direct Link 2.0 is a physical network connection between your cloud network and an on-premise network (i.e. if you were hosting an application on your own servers in your basement.) The connection between the two networks creates a fast, secure, and reliable hybrid environment. On Network Island, Direct Link is really just like an international airline that serves direct, nonstop flights to a mainland continent.

Bonus networking services

In recent years, IBM Cloud’s VPC offering has expanded to include new networking services such as Routing Tables and Virtual Private Endpoints which both allow more detailed control over your network traffic as well as greater network security.

Wrapping this up

While networking is complicated, it is also one of the most critical pieces of an infrastructure stack and without it, our customers cannot use the compute and storage resources that their applications are running on. We hope this has helped give a small introduction to the basics of networking at IBM Cloud and encourages you to continue exploring.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
IaaS Compute Design

IaaS Compute Design

The IaaS Compute Design team is a specialized group of designers and researchers within IBM Cloud.