Building Your Own VPC on Linux: A DevOps Love Story 💘🐧

Or: How I Learned to Stop Worrying and Love Network Namespaces

Introduction: The Plot Twist Nobody Saw Coming 🎬

Warning: No AWS bills were harmed in the making of this project! 💸

Hey! I'm Sherifdeen Adebayo, and buckle up because I'm about to tell you how I accidentally became best friends with Linux networking (didn't see THAT coming in 2025! 😅).

So there I was, staring at the HNG13 Stage 4 DevOps challenge like it was jollof rice without chicken 😭. The task? Build a complete Virtual Private Cloud system on Linux. My networking knowledge at the time? "IP address goes brrr" 🤷‍♂️

Spoiler alert: It's not magic. It's just clever use of Linux tools that have been chilling since before TikTok was a thing! (Yes, I'm old enough to remember when we had to ping people to know if they were online 👴)

What I Built (While Consuming Unhealthy Amounts of Coffee ☕️)

I created vpcctl - basically AWS VPC's younger, cooler cousin who lives in Lagos and knows all the shortcuts:

• Create isolated virtual networks faster than you can say "subnet mask" 🎯
• Provision public and private subnets (like VIP and regular sections at Detty December 🎉)
• Deploy applications without breaking a sweat 💪
• Control connectivity like a network traffic warden 🚦
• Apply firewall rules (because we don't trust anybody, not even ourselves 🔐)

Basically, I rebuilt a mini AWS VPC from scratch. And honestly? It was like learning to ride a bike - painful at first, then suddenly you're doing wheelies! 🚴‍♂️

Shopping List: What You'll Need 🛒

Before we dive into this beautiful mess, grab these:

• A Linux machine (Ubuntu 20.04+ - or as I call it, "The Reliable Uncle") 💻
• Root/sudo access (because we're about to do DANGEROUS things... safely 😎)
• Basic networking knowledge (if you know what an IP address is, you're 80% there!)
• Command line skills (copy-paste counts as skills, right? 👀)
• Patience (LOTS of it - this took me more coffee breaks than I care to admit ☕️☕️☕️)

The Secret Sauce: Linux Networking Unveiled 🎩✨

Like suya and yaji, these concepts are better together!

Network Namespaces: The Private Apartments 🏠

Network namespaces are like giving each subnet its own apartment - complete with:

• Its own network interfaces (like having your own Wi-Fi 📡)
• Personal IP addresses (no sharing with siblings!)
• Private routing tables (your business is YOUR business 🤫)
• Custom firewall rules (because boundaries matter!)

It's like having multiple computers on one machine, but without the electricity bill! 💡

veth Pairs: The Virtual Cables 🔌

Think of veth pairs as virtual LAN cables, but cooler:

• They come in pairs (like AirPods, but they never get lost!)
• What goes in one end, comes out the other (magic? Nope, just Linux! ✨)
• Perfect for connecting namespaces to bridges
• No tangling required (looking at you, earphones! 😤)

Pro tip: These are like WhatsApp groups - messages go in, chaos comes out! 📱

Linux Bridges: The Virtual Switch 🎛️

Bridges are basically the Dangote of networking - they connect EVERYTHING:

• Act as virtual switches (think of them as traffic controllers 🚥)
• Forward packets between interfaces (like a very efficient delivery service 📦)
• In our VPC, this bad boy is the central router
• More reliable than NEPA (okay, that's not saying much 😅)

NAT: The Internet Passport 🛂

Network Address Translation is like having a bouncer who lets your private IPs into the internet club:

• Translates private IPs to public IPs
• Keeps your internal network safe (like a digital bodyguard 💪)
• Makes the internet think everything is coming from one place
• Basically the VPN your parents wish they understood 😂

The Blueprint: What We're Actually Building 📐

Host System (aka "The Mothership" 🚀)
├── VPC (10.0.0.0/16) - The whole village 🏘️
│   ├── Bridge (br-my-vpc) - The town square 🏛️
│   ├── Public Subnet (10.0.1.0/24) - The market 🏪
│   │   ├── Namespace (ns-my-vpc-public) - Individual shops
│   │   ├── NAT Gateway (iptables) - The security guard 👮
│   │   └── Application - The goods 📦
│   └── Private Subnet (10.0.2.0/24) - The warehouse 🏭
│       ├── Namespace (ns-my-vpc-private) - Storage rooms
│       └── Application - The secret stash 🤐
└── Internet Connection - The outside world 🌍

Let's Get Our Hands Dirty: Building This Beast 💪

Fun fact: This section was written at 2 AM with questionable life choices being made!

Step 1: Project Setup (The Boring Part We Must Endure) 😴

First, let's create our project home:

mkdir vpc-control  # AKA "The Beginning of Something Beautiful"
cd vpc-control
mkdir -p lib policies tests logs  # Creating our empire, one folder at a time

Step 2: The Brain - Core CLI Tool 🧠

Create the main vpcctl script. This is our Jarvis, our Friday, our... you get it:

#!/usr/bin/env python3
"""
vpcctl - Virtual Private Cloud Control CLI
AKA "The Magic Wand of Networking" 🪄
"""
import argparse
import sys
import os

# This bad boy handles:
# - create-vpc (Birth of a network 🐣)
# - create-subnet (Subdivision time! 🏘️)
# - deploy-app (App goes brrr 🚀)
# - peer-vpcs (Making friends across borders 🤝)
# - apply-policy (Because we need rules, apparently 📜)
# And more cool stuff that'll make your DevOps heart sing! 🎵

The full implementation includes these MVPs:

• vpc_manager.py - The VPC whisperer 🗣️
• subnet_manager.py - Subnet sensei 🥋
• nat_manager.py - Internet access enabler (the real MVP) 🌐
• peering_manager.py - The matchmaker 💑
• firewall_manager.py - The bouncer 🚪

Step 3: Birth of a VPC (It's Alive! ⚡️)

Here's what happens when you unleash the beast:

sudo ./vpcctl create-vpc --name my-vpc --cidr 10.0.0.0/16
# Translation: "Let there be network!" 🌟

Under the hood (this is where the magic happens ✨):

1. Creates a Linux bridge: ip link add br-my-vpc type bridge
   • Like building a roundabout in Lagos (but this one actually works!)
2. Brings it up: ip link set br-my-vpc up
   • "Hello world!" but for networks
3. Stores config in state file
   • Because elephants aren't the only ones who remember

The bridge is basically your VPC's brain 🧠. Treat it well!

Step 4: Subnet Mania (Where Things Get Spicy 🌶️)

Subnets = Network namespaces = Mini isolated networks. Mind = Blown 🤯

sudo ./vpcctl create-subnet --vpc my-vpc --name public --cidr 10.0.1.0/24 --type public
# AKA "Creating the VIP section" 😎

Behind the curtains (drum roll please 🥁):

1. Create namespace: ip netns add ns-my-vpc-public
   • Apartment building, meet your new tenant!
2. Create veth pair: ip link add veth-public type veth peer name eth0
   • Virtual cables, assemble!
3. Move one end to namespace: ip link set eth0 netns ns-my-vpc-public
   • "Welcome to your new home!" 🏠
4. Attach other end to bridge: ip link set veth-public master br-my-vpc
   • "Now kiss!" (the bridge and the interface, not you and your computer)
5. Configure IP address
   • Every subnet needs an identity!
6. Set up routing
   • GPS for packets 🗺️

For public subnets, we add the secret sauce (NAT):

# Enable IP forwarding (because sharing is caring 💝)
sysctl -w net.ipv4.ip_forward=1

# Add NAT rule (the bouncer at the internet club 🎭)
iptables -t nat -A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE

Pro tip: This took me 2 hours and 3 cups of coffee to debug. Save yourself the pain - copy paste is not just a skill, it's a lifestyle! ☕️😅

Step 5: Deploy ALL The Apps! 🚀

Time to make your subnet actually DO something:

sudo ./vpcctl deploy-app --vpc my-vpc --subnet public --port 8080
# Translation: "Let's get this party started!" 🎊

This creates a Python HTTP server that's more reliable than your ISP:

import http.server
import socketserver

PORT = 8080  # The magic number (or any port you fancy)
# Serving web pages like it's hot! 🔥
with socketserver.TCPServer(("", PORT), http.server.SimpleHTTPRequestHandler) as httpd:
    httpd.serve_forever()  # Forever ever? Forever ever!

Step 6: VPC Isolation (Trust Issues Much? 🚧)

By default, VPCs don't talk to each other. It's like having separate WhatsApp groups for work and family - necessary for sanity! 😌

sudo ./vpcctl create-vpc --name dev-vpc --cidr 10.1.0.0/16
sudo ./vpcctl create-subnet --vpc dev-vpc --name public --cidr 10.1.1.0/24 --type public
# Creating parallel universes, one VPC at a time! 🌌

Try to ping from one VPC to another - DENIED! 🚫 This is isolation working as intended. Your subnets are safer than money in your mom's purse! 💰

Step 7: VPC Peering (Now They're BFFs! 👯‍♀️)

Want your VPCs to be friends? Let's introduce them properly:

sudo ./vpcctl peer-vpcs --vpc1 my-vpc --vpc2 dev-vpc
# "Meet cute" but for networks! 💕

What this does (it's actually pretty cool):

1. Creates a veth pair connecting both bridges
   • Building bridges, literally!
2. Adds routes so they can find each other
   • Like sharing locations on WhatsApp 📍

Now they can communicate! It's like when your crush finally texts back! 📱✨

Step 8: Firewall Policies (The Rulebook 📖)

Create a JSON policy file (fancy way of saying "The Law"):

{
  "subnet": "10.0.1.0/24",
  "ingress": [
    {
      "port": 80,
      "protocol": "tcp",
      "action": "allow" // Come on in, HTTP! 🚪
    },
    {
      "port": 22,
      "protocol": "tcp",
      "action": "deny" // SSH? We don't know her! 🙅‍♂️
    }
  ]
}

Apply it like a boss:

sudo ./vpcctl apply-policy --vpc my-vpc --subnet public --policy policy.json
# "These are the rules, and yes, I made them up!" 😤

This translates to iptables magic (don't worry about understanding it, even I Google it sometimes 🤫):

iptables -A INPUT -p tcp --dport 80 -j ACCEPT  # Welcome!
iptables -A INPUT -p tcp --dport 22 -j DROP    # Nope!

Testing Your Masterpiece 🧪

If you're not testing, you're just hoping. And hope is NOT a strategy!

Test 1: Intra-VPC Love Connection 💘

Subnets within the same VPC should talk like old friends:

sudo ./vpcctl test-connectivity --vpc my-vpc --from-subnet public --to-subnet private
# Expected: ✓ Connectivity test PASSED
# If it fails: Time for more coffee! ☕️

Test 2: VPC Cold Shoulder 🥶

Different VPCs without peering should ignore each other like exes at a party:

# Get the deets
NS1="ns-my-vpc-public"
IP2="10.1.1.2"  # IP from dev-vpc (the stranger danger)

# Try to ping (spoiler: it won't work)
sudo ip netns exec $NS1 ping -c 2 $IP2
# Result: Network unreachable ✓
# Translation: "New phone, who dis?" 📱

Test 3: Internet Access Check 🌐

Public subnets flexing their internet access:

sudo ip netns exec ns-my-vpc-public ping -c 3 8.8.8.8
# Result: Success ✓ (Google DNS says hello!)

Private subnets staying humble and offline:

sudo ip netns exec ns-my-vpc-private ping -c 3 8.8.8.8
# Result: Network unreachable ✓
# They're focused on the grind, no distractions! 💪

Test 4: Peering Power-Up 🔌

After peering, VPCs become besties:

sudo ./vpcctl peer-vpcs --vpc1 my-vpc --vpc2 dev-vpc
sudo ip netns exec ns-my-vpc-public ping -c 2 10.1.1.2
# Result: Success ✓
# They're texting now! 📱💕

When Things Go Wrong (And They Will! 😅)

Debugging is like being a detective in a crime movie where you're also the murderer!

Issue 1: "Operation not permitted" 🚫

Problem: Forgot to use sudo (we've ALL been there!)

Solution: Channel your inner admin:

sudo ./vpcctl create-vpc --name test --cidr 10.0.0.0/16
# Remember: With great power comes great sudo! 🦸‍♂️

Issue 2: "Bridge already exists" 🌉

Problem: You tried to create what already exists (philosophers hate this trick!)

Solution: Clear the slate:

sudo ./cleanup.sh
# When in doubt, nuke it out! 💥

Issue 3: "No internet connectivity" 📡

Problem: This one haunted my dreams for 2 hours! 😭

Solution: This got me! I spent like 30 minutes debugging before realizing IP forwarding was disabled. Check it:

sysctl net.ipv4.ip_forward
# If it's 0, you need to flip that switch!
sudo sysctl -w net.ipv4.ip_forward=1  # The magic command ✨

Other things to check (because I'm nice like that):

• Interface name might be ens33 instead of eth0 (Linux is creative with naming!)
• iptables rules might be blocking you (check with sudo iptables -t nat -L)
• Your coffee might be empty (this is CRITICAL! ☕️)

Cleanup: Leaving No Trace 🧹

Always clean up after yourself (your mom taught you this!):

# Delete specific VPC (the gentle approach)
sudo ./vpcctl delete-vpc --name my-vpc

# Delete EVERYTHING (the "I need a fresh start" approach)
sudo ./vpcctl cleanup-all

# Or use the cleanup script (the "I trust this more" approach)
sudo ./cleanup.sh
# Thanos would be proud! 🫰✨

This removes (THE COMPLETE PURGE):

• All network namespaces 🗑️
• All bridges 🌉
• All veth pairs 🔌
• All iptables rules 🔥
• State files 📁
• Your mistakes (we all need this sometimes!) 😌

The Victory Lap: Full Test Suite 🏁

The project includes tests more comprehensive than your mom's questions when you get home late:

sudo make test
# Sit back, relax, and watch the magic happen! ✨

This validates (EVERYTHING):

• ✅ VPC creation and deletion (Birth and... well, you know)
• ✅ Subnet management (The subdivision saga)
• ✅ Application deployment (App goes live!)
• ✅ Connectivity (Can we talk?)
• ✅ Isolation (Stay in your lane!)
• ✅ Peering (Making friends!)
• ✅ Firewall policies (The rules of engagement)
• ✅ NAT gateway (Internet access for all!)
• ✅ Cleanup (Leaving it better than we found it)

What You Just Became an Expert In 🎓

Congratulations! You now understand:

1. Linux Network Namespaces: Like apartments for network stacks 🏠
2. Virtual Networking: The art of making cables out of thin air 🎨
3. Routing: GPS for packets, but actually reliable 🗺️
4. NAT: The passport office of networking 🛂
5. iptables: The bouncer who decides who gets in 💪
6. VPC Architecture: How AWS does it (but now YOU can do it too!) 😎
7. Infrastructure as Code: Because clicking buttons is so 2010 🖱️

Where This Knowledge Pays Rent 💰

These concepts show up EVERYWHERE:

• Docker: Uses network namespaces (you're basically a Docker expert now! 🐳)
• Kubernetes: Pod networking is just fancy namespace usage (k8s who? We know them! ☸️)
• Cloud VPCs: AWS VPC, Azure VNet, Google VPC (all doing what you just did!) ☁️
• SD-WAN: Software-defined networking (fancy name, same concepts) 🌐
• Job Interviews: "So tell me about network namespaces..." (You: cracks knuckles 😏)

Next Level Moves (When You're Feeling Adventurous) 🚀

Want to take this further? Here are some ideas:

1. Add custom DHCP (automatic IP assignment, fancy!)
2. Implement load balancing (spread the load like butter 🧈)
3. Add VPN gateway (secure connections ftw! 🔐)
4. Create a web dashboard (because CLI is cool but GUI is prettier 🎨)
5. Support IPv6 (future-proofing like a boss! 🔮)
6. Container runtime integration (Docker + Your VPC = 💕)

The Grand Finale: What Did We Learn Today? 🎬

So that's it! I went from "network namespace what?" to building a full VPC system that would make AWS nervous (okay, maybe not nervous, but they'd def give a nod of respect 🫡).

Key takeaways (write these down, there might be a test):

1. VPCs aren't magical - they're just namespaces + bridges + routing (and A LOT of coffee ☕️)
2. The onlink flag is a LIFESAVER (seriously, I almost named my firstborn "Onlink")
3. Always enable IP forwarding BEFORE testing NAT (learn from my pain!)
4. Interface names have a 15-character limit (learned THAT one the expensive way - 2 hours I'll never get back! ⏰)
5. When in doubt, check the logs (they never lie, unlike my "5 minutes left" estimates)
6. Google is your friend (so is Stack Overflow, so is that random blog from 2012)

The complete code is available in the repository. Try it out, break it (you will!), fix it (you can!), and most importantly - understand how every piece works together like a well-oiled machine! 🛠️

Additional Resources (For the Overachievers 📚)

Want to go deeper? Check these out:

• Linux Network Namespaces: man ip-netns (bedtime reading? 😴)
• iptables Documentation: man iptables (thriller novel alternative!)
• Linux Bridge: man bridge (surprisingly less boring than expected!)
• iproute2 Documentation: man ip (for when Netflix isn't enough!)
• My GitHub: hng13-stage4-devops (shameless plug! 😎)

Installation Speedrun 🏃‍♂️💨

git clone https://github.com/herdeybayor/hng13-stage4-devops
cd hng13-stage4-devops
make install  # One command to rule them all!
sudo ./vpcctl --help  # Your journey begins here! 🗺️

Quick Start (For the Impatient Ones) ⚡️

# Create a VPC (you're basically a cloud provider now!)
sudo ./vpcctl create-vpc --name demo --cidr 10.0.0.0/16

# Add a public subnet (VIP section activated!)
sudo ./vpcctl create-subnet --vpc demo --name web --cidr 10.0.1.0/24 --type public

# Deploy an app (hello world, but make it network-y!)
sudo ./vpcctl deploy-app --vpc demo --subnet web --port 8080

# View your empire
sudo ./vpcctl list-vpcs  # Look at what you built! 🏰

# Clean up (responsible developer energy!)
sudo ./vpcctl delete-vpc --name demo

Connect With Me! 🤝

If you're working on something similar, or if this helped you, or if you just want to chat about networking over virtual jollof rice, hit me up!

• 🌐 Portfolio: sherifdeenadebayo.com (check out my other projects!)
• 💼 LinkedIn: @herdeybayor (let's connect professionally!)
• 💻 GitHub: @herdeybayor (where the code lives!)
• ✍️ DEV.to: Where I write stuff like this when caffeine levels are optimal ☕️
• 📧 Questions? Create an issue! I promise I read them (eventually 😅)

---

Sherifdeen Adebayo

DevOps Engineer | Professional Coffee Consumer | Network Namespace Whisperer

Built for HNG13 Stage 4 Challenge - November 2025

Powered by determination, late nights, and an unhealthy amount of Stack Overflow! 💻

---

P.S. - If you're doing the HNG challenge too, you got this! 💪 This stage kicked my butt multiple times, but look - we both made it! If I can build this while Googling "what is a network namespace" every 5 minutes, you can too!

P.P.S. - Special shoutout to coffee, without which this project would still be "TODO: Figure out networking" 😂

P.P.P.S. - Yes, the interface naming bug took me 2 hours. Yes, I cried a little. Yes, it was just a 15-character limit. We don't talk about it. 🙈

Remember: In software development, like in life, sometimes you just gotta sudo your way through! 🚀✨

---

Written while simultaneously debugging, eating chin-chin, and questioning my career choices (in the best way possible!) 🌟

If this code works on your machine, you're welcome! If it doesn't... did you try turning it off and on again? 😉