The network moves to the cloud, but the fundamentals stay the same.
Your company just announced a migration from on-prem data centers to AWS. The CTO asks you to explain the networking implications
to the team. VPCs, security groups, NAT gateways -- you need to speak cloud networking fluently by the end of this meeting.
Replace dedicated hardware appliances with software running on standard servers.
Traditional Approach
Physical firewall, physical load balancer, physical router -- each a separate box in the rack, each with its own management plane and power draw.
NFV Approach
Those same functions run as virtual appliances on commodity hardware. Deploy a firewall in minutes instead of weeks. Scale by spinning up another VM.
Hypervisor Role
The hypervisor (Type 1: ESXi, Hyper-V; Type 2: VirtualBox) abstracts the hardware. Virtual switches (vSwitch) handle Layer 2 inside the host.
Key Distinction
NFV virtualizes network appliances (firewalls, routers, load balancers).
SDN (Software-Defined Networking) separates the control plane from the data plane, letting a central controller program forwarding rules across the network.
They are complementary, not the same thing.
You tell the team: "We will not be shipping physical firewalls to AWS. We will deploy virtual appliances that behave identically, but we can clone them across regions in seconds."
Slide 3 of 8
VPC: Your Private Cloud Network
A Virtual Private Cloud is an isolated network segment within a cloud provider's infrastructure.
VPC Fundamentals
You define the IP range (CIDR block), create subnets, attach route tables, and control all traffic flow. It is your data center in the cloud -- logically isolated from every other customer.
Public vs Private Subnets
Public subnets have a route to an Internet Gateway -- instances can reach the Internet directly. Private subnets have no direct Internet route; they reach out through a NAT Gateway.
NAT Gateway
Allows instances in private subnets to initiate outbound connections (software updates, API calls) without being directly reachable from the Internet. One-way door: traffic goes out, responses come back, but no unsolicited inbound traffic is permitted.
VPC Peering connects two VPCs so they can route traffic directly between each other using private IP addresses. No Internet exposure. Works across accounts and even across regions.
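The route-table logic behind public, private and peered subnets, as an added example (not part of the original slides): the CIDRs, gateway names (igw-main, nat-main, pcx-peer) and subnet inventory are constructed for illustration. Longest-prefix match is what keeps peering traffic on the private link even though a default route exists, and the audit function catches a subnet that was labelled private but handed the public table.

```python
import ipaddress

# Constructed example: VPC 10.0.0.0/16 peered with 10.1.0.0/16. CIDRs and the
# gateway names (igw-main, nat-main, pcx-peer) are assumptions for this example.
VPC_CIDR = "10.0.0.0/16"
PEER_CIDR = "10.1.0.0/16"

# A route table is a list of (destination CIDR, target); the most specific
# matching prefix wins, which is how a VPC route table is evaluated.
PUBLIC_RT = [(VPC_CIDR, "local"), (PEER_CIDR, "pcx-peer"), ("0.0.0.0/0", "igw-main")]
PRIVATE_RT = [(VPC_CIDR, "local"), (PEER_CIDR, "pcx-peer"), ("0.0.0.0/0", "nat-main")]
ISOLATED_RT = [(VPC_CIDR, "local")]  # no default route at all

def lookup(route_table, dst_ip):
    """Longest-prefix match: return the target for dst_ip, or None if unroutable."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def classify_subnet(route_table):
    """Public/private is decided by where the default route points, not by the CIDR."""
    target = lookup(route_table, "203.0.113.10")  # TEST-NET-3 stands in for 'the Internet'
    if target is None or target == "local":
        return "isolated"
    if target.startswith("igw-"):
        return "public"      # instances are directly reachable from the Internet
    if target.startswith("nat-"):
        return "private"     # outbound-only through the NAT Gateway
    return "unknown"

def audit(subnets):
    """Flag subnets labelled private whose default route actually leads to an Internet Gateway."""
    return [name for name, (label, rt) in subnets.items()
            if label == "private" and classify_subnet(rt) == "public"]

# Constructed subnet inventory: the 'db' subnet was mislabelled and given the public table.
SUBNETS = {
    "web": ("public", PUBLIC_RT),
    "app": ("private", PRIVATE_RT),
    "db": ("private", PUBLIC_RT),
}
```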
Slide 4 of 8
Cloud Firewalls: Security Groups & NACLs
Two layers of traffic control, each with different behavior.
Security Groups (Instance-Level)
Stateful firewall applied to individual instances.
If you allow inbound port 443, the return traffic is automatically allowed.
Default: deny all inbound, allow all outbound.
Rules are allow-only -- you cannot write explicit deny rules.
Network ACLs (Subnet-Level)
Stateless firewall applied at the subnet boundary.
You must explicitly allow both inbound and outbound traffic.
Default: allow all traffic in both directions.
Rules support both allow and deny, processed in order by rule number.
Stateful vs Stateless -- Why It Matters
Stateful (Security Groups): Tracks connections. If outbound is allowed, the reply is automatically permitted.
Stateless (NACLs): Every packet is evaluated independently. You must write rules for both directions or traffic will be dropped.
A junior admin opens port 443 in the NACL inbound rules but forgets the outbound rule for ephemeral ports. The web server accepts connections but cannot reply. Security Groups would have handled this automatically.
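The stateful-versus-stateless difference and the ephemeral-port mistake above, as an added simulation (not code from the original slides): the rule sets, port numbers and class names are constructed for this example, and the security group's outbound list is left empty on purpose so that connection tracking alone is what lets the reply through.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto src_port dst_port")  # direction: "in"/"out"
EPHEMERAL = range(1024, 65536)  # client source ports a server's reply must reach

def _matches(pkt, proto, ports):
    return proto == pkt.proto and pkt.dst_port in ports

class NACL:
    """Stateless subnet filter: each packet judged alone, lowest rule number wins,
    implicit deny when no rule matches."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound  # (num, proto, ports, action)

    def evaluate(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for _num, proto, ports, action in sorted(rules, key=lambda r: r[0]):
            if _matches(pkt, proto, ports):
                return action
        return "deny"

class SecurityGroup:
    """Stateful instance filter: allow-only rules plus connection tracking, so the
    reply to an allowed inbound connection passes without an outbound rule."""
    def __init__(self, inbound_allow, outbound_allow):
        self.inbound_allow, self.outbound_allow = inbound_allow, outbound_allow
        self.tracked = set()  # (proto, peer_port, instance_port) of allowed flows

    def evaluate(self, pkt):
        if pkt.direction == "in":
            flow = (pkt.proto, pkt.src_port, pkt.dst_port)
            if flow in self.tracked or any(_matches(pkt, *r) for r in self.inbound_allow):
                self.tracked.add(flow)
                return "allow"
            return "deny"
        if (pkt.proto, pkt.dst_port, pkt.src_port) in self.tracked:  # reply to tracked flow
            return "allow"
        return "allow" if any(_matches(pkt, *r) for r in self.outbound_allow) else "deny"

def web_server_exchange(fw):
    """A client on port 50000 connects to :443, then the server replies. Returns both verdicts."""
    request, reply = Packet("in", "tcp", 50000, 443), Packet("out", "tcp", 443, 50000)
    return fw.evaluate(request), fw.evaluate(reply)

# Constructed rule sets. The junior admin's NACL allows 443 in but only 443 out,
# forgetting the ephemeral range; the fixed NACL allows ephemeral ports out.
HTTPS = range(443, 444)
ADMIN_NACL = NACL(inbound=[(100, "tcp", HTTPS, "allow")], outbound=[(100, "tcp", HTTPS, "allow")])
FIXED_NACL = NACL(inbound=[(100, "tcp", HTTPS, "allow")], outbound=[(100, "tcp", EPHEMERAL, "allow")])
WEB_SG = SecurityGroup(inbound_allow=[("tcp", HTTPS)], outbound_allow=[])
```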
Slide 5 of 8
Connecting On-Prem to Cloud
How your existing data center reaches cloud resources securely.
Site-to-Site VPN
IPsec tunnel over the public Internet. Encrypted, quick to set up, lower cost. Bandwidth limited by your ISP. Latency varies.
Direct Connect / ExpressRoute
Dedicated private circuit from your data center to the cloud provider. Consistent latency, higher bandwidth (1-100 Gbps). Does not traverse the Internet. Higher cost, longer provisioning.
Transit Gateway
Hub-and-spoke model connecting multiple VPCs and on-prem networks through a single gateway. Simplifies routing when you have dozens of VPCs.
Exam Tip
If the question says "consistent, low-latency, private connection" -- the answer is Direct Connect (AWS) or ExpressRoute (Azure). If it says "quick, encrypted, over the Internet" -- the answer is site-to-site VPN.
Slide 6 of 8
Cloud Deployment Models
Where your infrastructure lives determines your security posture and flexibility.
Public Cloud
Resources hosted by a third-party provider (AWS, Azure, GCP). Multi-tenant by design. You share physical hardware with other customers, but your VPC is logically isolated. Pay-as-you-go pricing.
Private Cloud
Dedicated infrastructure for a single organization. Can be on-premises or hosted. Full control over hardware, security, and compliance. Higher cost, lower flexibility.
Hybrid Cloud
Combination of public and private. Sensitive workloads stay on-prem or in private cloud; elastic workloads burst to public cloud. Connected via VPN or Direct Connect.
Community Cloud
Shared by organizations with common concerns (compliance, security requirements). Example: government agencies sharing FedRAMP-compliant infrastructure.
Multitenancy
Multiple customers share the same physical infrastructure but are logically isolated. The hypervisor and cloud provider's network enforce separation. This is the foundation of public cloud economics.
IaaS / PaaS / SaaS
IaaS: you manage everything from the OS up. PaaS: you manage only the app and data. SaaS: you manage nothing -- just use it. Each model shifts more responsibility to the provider.
Slide 7 of 8
Scalability & Elasticity
They sound similar but serve different purposes on the exam.
Scalability
The ability to handle increased load by adding resources.
Vertical scaling (scale up): Bigger instance -- more CPU, more RAM.
Horizontal scaling (scale out): More instances behind a load balancer.
Scaling is typically a deliberate, planned action.
Elasticity
Automatic scaling based on demand.
Resources expand during peak load and contract during idle periods.
Auto-scaling groups, serverless functions, and container orchestration all provide elasticity.
You only pay for what you use.
Exam Distinction
Scalability = CAN your system handle more load?
Elasticity = Does it AUTOMATICALLY adjust to match current demand?
A system can be scalable without being elastic (manual scaling). Elasticity implies automation.
Load Balancing: Distributes traffic across multiple instances. Cloud providers offer Layer 4 (TCP/UDP) and Layer 7 (HTTP/HTTPS) load balancers. Health checks automatically remove unhealthy instances from the pool.
Slide 8 of 8 | N10-009 Obj 1.8
Cloud Networking -- Key Takeaways
You walk into the migration meeting and explain: "Our VPC gives us an isolated network. Public subnets face the Internet through an Internet Gateway. Private subnets reach out via NAT Gateway. Security Groups handle instance-level stateful filtering. We connect back to HQ with a site-to-site VPN now, and Direct Connect when the contract is ready."
5 Facts to Carry Out of This Presentation
1. NFV replaces physical appliances with virtual ones. SDN separates control plane from data plane. They are complementary.
2. A VPC is your isolated network in the cloud. Public subnets route to an Internet Gateway. Private subnets use a NAT Gateway for outbound-only access.
3. Security Groups are stateful (instance-level). NACLs are stateless (subnet-level). Know the difference.
4. Direct Connect = dedicated private link. Site-to-site VPN = encrypted tunnel over the Internet. Direct Connect is more consistent; VPN is faster to deploy.
5. Scalability = can handle more. Elasticity = automatically adjusts. Public/Private/Hybrid/Community are the four deployment models.