Imagine you own a big farm compound. On this compound, you want to organize different areas: fields, barns, and visitor areas. You want each area to have controlled access, and some areas might connect to the outside world, while others stay private. That’s exactly what a Virtual Private Cloud (VPC) does in computing: it’s a fenced-off network on your computer where you control access, routing, and connectivity.
In this guide, we’ll build a mini VPC on Linux using simple tools like network namespaces, bridges, routing tables, and iptables. By the end, you’ll understand how cloud networks work under the hood and be able to deploy isolated workloads like web servers.
The Farm Analogy: Understanding VPCs and Subnets
Think of a VPC as a farm.
- The VPC = the farm compound
- Subnets = sections like:
  - Crop field (public, visitors allowed)
  - Barn (private, staff only)
  - Greenhouse (private, controlled access)
- Bridge = main road connecting all sections
- NAT Gateway = farm gate for sending goods out
- Peering = controlled paths between separate farms
- Firewall rules = security guards controlling who can enter each section
Creating Your First VPC (Farm Compound)
Let’s create a farm named greenfarm:
sudo vpcctl create greenfarm --cidr 10.50.0.0/16
- Creates a bridge: br-greenfarm (main road)
- Sets up routing and an isolated iptables chain
- Saves metadata for later inspection
Adding Subnets (Farm Sections)
Public Section (Crop Field)
sudo vpcctl add-subnet greenfarm public --cidr 10.50.1.0/24
- Creates namespace: ns-greenfarm-public
- Connects it to the bridge via a veth pair
- Assigns IP addresses and sets default route
Private Section (Barn)
sudo vpcctl add-subnet greenfarm private --cidr 10.50.2.0/24
- Namespace: ns-greenfarm-private
- No direct internet access by default
Deploying Simple Apps (Farm Stalls)
Deploy a small HTTP server in each section:
sudo vpcctl deploy-app greenfarm public --port 8080
sudo vpcctl deploy-app greenfarm private --port 8081
- Apps run inside namespaces, isolated from each other
- Public section can serve visitors; private section stays internal
Enabling Internet Access (NAT Gateway)
Allow the crop field to access the internet:
IFACE=$(ip route get 1.1.1.1 | awk '{print $5; exit}')
sudo vpcctl enable-nat greenfarm --interface "$IFACE"
- NAT acts like the farm gate, letting public subnets reach the internet
- Private subnets remain isolated
Connecting Farms (VPC Peering)
Suppose you have another farm, bluefarm:
sudo vpcctl create bluefarm --cidr 10.60.0.0/16
sudo vpcctl add-subnet bluefarm public --cidr 10.60.1.0/24
sudo vpcctl deploy-app bluefarm public --port 8080
To allow only public areas to communicate:
sudo vpcctl peer greenfarm bluefarm --allow-cidrs 10.50.1.0/24,10.60.1.0/24
- Bridges are connected via veth pairs
- Only permitted CIDRs can communicate
Applying Security Rules (Firewall Policies)
Example policy JSON:
{
  "subnet": "10.50.1.0/24",
  "ingress": [
    {"port": 80, "protocol": "tcp", "action": "allow"},
    {"port": 22, "protocol": "tcp", "action": "deny"}
  ]
}
Apply it:
sudo vpcctl apply-policy greenfarm policy_examples/example_policy.json
- iptables inside namespaces enforce the rules
- Ensures only allowed traffic flows
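To see what the add-subnet, enable-nat and apply-policy steps above boil down to, here is an added example of the underlying ip/iptables plumbing. It is not vpcctl's own code; the namespace, bridge and veth names follow the guide's naming, while the gateway address on the bridge, the default-deny step and the DRY_RUN switch are assumptions of this example.

```shell
# Added example, not vpcctl's own code: the ip/iptables plumbing that the
# add-subnet, enable-nat and apply-policy steps in this guide boil down to.
# DRY_RUN=1 (the default) prints each command instead of running it, so the
# script can be read and tested without root; DRY_RUN=0 applies it for real.
set -eu
DRY_RUN="${DRY_RUN:-1}"
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
# add_subnet VPC NAME NS_ADDR GW_ADDR: one namespace behind the VPC bridge.
# Addresses carry the prefix length (10.50.1.2/24, 10.50.1.1/24); the gateway
# address goes on the bridge so the host routes between subnets (assumption).
add_subnet() {
  ns="ns-$1-$2"; br="br-$1"; host="veth-$1-$2"; peer="eth0"; gw="${4%/*}"
  run ip netns add "$ns"
  run ip link add "$host" type veth peer name "$peer" netns "$ns"
  run ip link set "$host" master "$br" up
  run ip addr add "$4" dev "$br"
  run ip -n "$ns" addr add "$3" dev "$peer"
  run ip -n "$ns" link set "$peer" up
  run ip -n "$ns" link set lo up
  run ip -n "$ns" route add default via "$gw"
}

# enable_nat CIDR IFACE: masquerade only the public subnet's source range,
# so the private subnet behind the same bridge still has no path out.
enable_nat() {
  run sysctl -w net.ipv4.ip_forward=1
  run iptables -t nat -A POSTROUTING -s "$1" -o "$2" -j MASQUERADE
}

# lock_ingress NS: default-deny, then allow loopback and reply traffic.
# Without this an "allow 80, deny 22" policy still admits every other port,
# because the INPUT chain's built-in default policy is ACCEPT.
lock_ingress() {
  run ip netns exec "$1" iptables -P INPUT DROP
  run ip netns exec "$1" iptables -A INPUT -i lo -j ACCEPT
  run ip netns exec "$1" iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# ingress_rule NS PORT PROTO allow|deny: one entry of the policy JSON's
# "ingress" list; an unknown action is an error, never silently allowed.
ingress_rule() {
  case "$4" in allow) t=ACCEPT ;; deny) t=DROP ;; *) echo "bad action: $4" >&2; return 1 ;; esac
  run ip netns exec "$1" iptables -A INPUT -p "$3" --dport "$2" -j "$t"
}

add_subnet greenfarm public 10.50.1.2/24 10.50.1.1/24  # demo: the guide's greenfarm
enable_nat 10.50.1.0/24 "${IFACE:-eth0}"
lock_ingress ns-greenfarm-public
ingress_rule ns-greenfarm-public 80 tcp allow
ingress_rule ns-greenfarm-public 22 tcp deny
```

Rule order matters: the allow and deny entries are appended after the default-deny setup, so a port that appears in neither list is dropped rather than accepted.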
Inspecting, Listing, and Cleaning Up
- List VPCs:
sudo vpcctl list
- Inspect VPC:
sudo vpcctl inspect greenfarm
- Delete VPC:
sudo vpcctl delete greenfarm
Cleanup removes: namespaces, bridges, veth pairs, apps, and firewall rules.
Conclusion
Using vpcctl, you can simulate a complete cloud-like networking environment on Linux. Think of it as managing multiple farms with roads, gates, and security guards, now applied to virtual networks. This hands-on approach teaches you network isolation, routing, NAT, and firewall rules: key skills for any aspiring cloud engineer.