An introduction to VPC, Subnets, IP addresses, load balancers, VPNs, and Interconnectivity at IBM Cloud.
Networking literally connects our world and is an essential element of Cloud computing. In its simplest cloud terms, networking is how different parts of an infrastructure are connected together, both physically and/or virtually, enabling all the different pieces to send data to one another and share resources.
Once a customer decides on the type of compute they will need, the next step is to connect it all together by defining their network.
The backbone of all networking is physical networking, where network admins physically run and connect cables to and from devices. This is what typically comes to mind when we think of data centers and the seemingly endless amounts of neatly arranged cables physically connecting everything in the building together.
One of the main benefits of cloud computing is that IBM Cloud (and other cloud providers like AWS, Azure, and Google Cloud) build, control, and maintain the data centers, so everything, including the networking can be ordered on-demand and controlled entirely virtually through a user interface.
At IBM Cloud, networking teams are split between two distinct product areas: VPC networking (connecting everything within a single environment), and Interconnectivity (connecting multiple environments together).
Also known as core networking, consists of a suite of services (VPCs, subnets, VPNs, IP addresses, etc) that enables our customers to connect their virtual compute resources together; creating a highly secure, virtual cloud environment.
A suite of services that connect environments together. These can be on-prem to the cloud (via Direct Link) and cloud to cloud (via Transit Gateway).
One way we can begin to better understand cloud networking is to compare it to how a modern city works. In this case, if servers (compute) are the private houses and public buildings in our city, then networking would consist of all the roads, addresses, and even entrances that connect them together and allow the city to function. But due to the vastness and inherent dangers of the internet that must be considered, instead of our city being on a continent, connected to many other cities by a system of interstates, it is more accurate to picture our city on an island with the internet being our metaphorical (and dangerous) ocean. With that in mind, let’s dive into VPC — the island itself.
VPC — The island
Within the expansive world of the public cloud, you can create your own cloud environment to run your application on. This is essentially what a Virtual Private Cloud is — it’s your own reserved slice of public cloud; your island. Here, you can set up all the resources you’ll need, including virtual servers and networking services. These islands have a unique code to help identify them from each other (UUID) as well as complete control over their address schemes.
VPCs often have many virtual servers which are constantly sending and receiving data (network traffic) every second of the minute and hour. The best practice is to create sub-networks within a VPC to separate out the network traffic into “containers”. Better known as a subnet, these invisible network “containers” are really just IP address ranges in which you can establish other resources. Back on Network Island, subnets are really just the same as zipcodes (simple region identifiers that help postal workers separate out the mail to be sent to the correct areas of the island). Unique to the cloud, however, these “zipcodes” can be reused on other islands since the UUID is the primary identifier of the island itself.
IP Address — Individual addresses
If a subnet is just a range of IP addresses, then what is an IP address? An IP address is a numeric tag assigned to a compute resource so that you can find its location in digital space. In your VPC, network traffic travels from one IP address to another. On Network Island, IP addresses — unsurprisingly — are the equivalent of addresses — telling you the locations of everything from City Hall to the seaside lobster shack. Similar to zipcodes (subnets), these addresses are also only unique within a specific island (VPC) and can be repeated on other islands, similar to how multiple towns will each have a “main street”.
Public “floating” and private IP address — Public building and private home addresses
At IBM Cloud, we have 2 types of IP addresses — public and private. Public IP addresses allow communications from the internet to reach your resource in VPC. A private IP address only allows communications within your VPC. Imagine a Public IP address being the address of any commercial stores on the island, like Starbucks or 7-Eleven. Essentially anyone can come in and out. A Private IP address would be the address of all private residences like houses or apartments.
Load balancers — Traffic cop
Load balancers are specialized resources that take in data and direct it to different virtual servers. Load balancers are attached to multiple virtual servers running the same application. If one server is down, the load balancer can avoid that server and direct traffic toward healthy servers. That way, consumers of the application will never be affected by server malfunctions and can still reach their application with no issues. On Network Island, load balancers are the traffic cops standing in the middle of busy intersections, directing traffic down roads safely so that people can reach their destinations.
Security is a big priority for cloud infrastructure. In the digital realm, security threats can come from anywhere at any point. Luckily, a cloud network has resources that specialize in securing a network.
Security within the VPC
Access control lists — Entrance gates
An access control list is a set of rules that control traffic traveling to and from subnets. These rules define where traffic is allowed or denied. If you look closely at Network Island, you might see that some neighborhoods have an entrance gate, so only residents and guests can enter and use their gym, swimming pool, etc. That concept is exactly that of an access control list — providing security measures for a certain area.
Security groups — Home security systems
A security group is very similar to an access control list. The difference is that they control traffic to and from virtual servers. Security groups translated into the physical world would be like any security setups for individual houses or buildings — that can be locks, door codes, alarm systems — anything that someone might set up to prevent others from entering a private home.
Flow Logs — Traffic cameras
Flow logs for VPC track your network traffic going to and from your compute resources. This fine-grain data helps you secure your network further by enabling you to monitor where traffic is getting accepted or rejected. On Network Island, this would act as your system of traffic cameras, allowing you to see all the different intersections, traffic jams and accident reports, giving you the foresight you need to understand what’s happening out on the roads.
Access outside of the VPC
Public gateway — Boat dock
A simple way to connect your application to another network would be with a public gateway. Your network traffic travels across the public internet. That would be like if you were to go to an open dock and paddle a boat out to sea. The sea best represents the internet, a vast network but also one with significant security risks.
VPN gateway — Underwater tunnel
What if you wanted a more secure connection to the internet? Instead of a public gateway, you could use a Virtual Private Network gateway or VPN gateway for short. When network traffic is running through a VPN gateway, the traffic is encrypted to prevent security attacks on the data being sent. On our Network Island, instead of going across the sea on a boat, you could avoid the dangers at sea by traveling via an underwater tunnel. You are still traveling across water, but safely through a tunnel.
What if you’d like to travel farther away from Network Island to a neighboring country or even to a distant continent? Luckily an airport on the island allows for flights all over the world. This represents IBM Cloud’s Interconnectivity services: Transit Gateway and Direct Link 2.0. Simply put, these IBM products connect your cloud (i.e. VPC) to other environments.
Transit Gateway— Airport
Transit Gateway interconnects all of your VPCs to other cloud networks and really does work like an airport connecting the islanders to a plethora of different destinations. If VPC-A needs to connect to cloud network #143, then Transit Gateway can connect these two networks directly, while avoiding a complicated web of gateways and connections.
Direct Link 2.0— Non-stop airline
Direct Link 2.0 is a physical network connection between your cloud network and an on-premise network (i.e. if you were hosting an application on your own servers in your basement.) The connection between the two networks creates a fast, secure, and reliable hybrid environment. On Network Island, Direct Link is really just like an international airline that serves direct, nonstop flights to a mainland continent.
Bonus networking services
In recent years, IBM Cloud’s VPC offering has expanded to include new networking services such as Routing Tables and Virtual Private Endpoints which both allow more detailed control over your network traffic as well as greater network security.
If you’re in the specific domain of internet networking, CIS and DNS are the services to know. Cloud Internet Services (CIS) is a set of tools to customize internet performance for people trying to reach your network or application. Domain Name System (DNS) Services, like its name suggests, allows you to manage your applications’ domain names and gives customers the ability to access your application.
Wrapping this up
While networking is complicated, it is also one of the most critical pieces of an infrastructure stack and without it, our customers cannot use the compute and storage resources that their applications are running on. We hope this has helped give a small introduction to the basics of networking at IBM Cloud and encourages you to continue exploring.
– Written by: Michelle Yang, Josef Bodine, and Austin Edwards
– Illustrations by: Austin Edwards