Shebang
How to Build Your Own VPC Architecture Using Linux Network Namespaces

This blog post will guide you through a hands-on project that simulates a Virtual Private Cloud (VPC) using Linux network namespaces. This project is a great way for beginners to understand fundamental networking concepts like VPCs, subnets, routing, NAT, and security groups in a practical, low-level way.

Overview of the project

The vpcctl.py script is a command-line tool that allows you to create, manage, and network your own virtual private clouds. Instead of using a cloud provider's complex UI or API, you'll use simple shell commands to build a VPC from scratch on your Linux machine. This provides a transparent and educational way to see how the different components of a VPC work together.

At its core, the script uses Linux network namespaces to create isolated network environments. Each VPC and subnet runs in its own namespace, preventing interference with your host machine's network or other simulated VPCs.

CLI usage examples and explanations

The vpcctl.sh script is the easiest way to get started. All commands must be run with sudo.

1. Create a VPC

First, let's create a new VPC named company-a with the IP address range 10.0.0.0/16.

sudo ./vpcctl.sh create-vpc company-a 10.0.0.0/16

2. Add Subnets

Now, let's add two subnets to our VPC: public-web and private-db.

sudo ./vpcctl.sh add-subnet company-a public-web 10.0.1.0/24
sudo ./vpcctl.sh add-subnet company-a private-db 10.0.2.0/24

3. Enable Internet (NAT Gateway)

By default, subnets are isolated. To grant the public-web subnet internet access, we enable a NAT gateway.

sudo ./vpcctl.sh enable-internet company-a public-web

Architecture diagram showing VPC → bridge → subnets → gateway

The architecture of our simulated VPC is a classic cloud networking setup.

  1. VPC: The main container is a Linux Network Namespace that acts as a virtual router.
  2. Bridge: Inside the router namespace, a virtual bridge (br-company-a) acts like a virtual switch, connecting all the subnets.
  3. Subnets: Each subnet (public-web, private-db) is its own network namespace, providing isolation. They are connected to the bridge via a veth pair (a virtual network cable).
  4. Gateway: To provide internet access, a separate veth pair connects the VPC's router namespace to the host machine. iptables rules on the host and in the router namespace then perform Network Address Translation (NAT), so traffic from the public subnet can reach the internet.
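The four pieces above, plus the teardown described in the cleanup section at the end of the post, as an added example that is not the post's vpcctl.py or vpcctl.sh. Each step returns the iproute2/iptables command list it needs, so the whole topology can be read as a dry run before it is applied. The names (vpc-*, br-*, v-*, gw-*, uplink), the 172.31.0.0/30 host-to-router link network, the host interface eth0 and the .1 gateway / .2 workload address assignment in each subnet are this example's own choices. It departs from the post in one deliberate way: the router namespace's FORWARD chain is default-deny, so private-db is blocked by an explicit policy rather than by the mere absence of a NAT rule.

```python
#!/usr/bin/env python3
"""Namespace VPC builder: an added example, not the post's vpcctl.py. Each step
returns the iproute2/iptables commands it needs, for review as a dry run before
applying with sudo. Names (vpc-*, br-*, v-*, gw-*, uplink) and 172.31.0.0/30 are ours."""
import ipaddress

LINK_NET = ipaddress.ip_network("172.31.0.0/30")  # constructed host<->router link
HOST_IP, ROUTER_IP = (str(h) for h in LINK_NET.hosts())

def _ifname(name):
    # The kernel rejects interface names longer than 15 characters (IFNAMSIZ-1).
    if len(name) > 15:
        raise ValueError(f"interface name too long: {name}")
    return name

def create_vpc(vpc, cidr):
    """Router namespace with a bridge (the virtual switch); forwarding is default-deny."""
    ipaddress.ip_network(cidr)  # validate the VPC range
    ns, br = f"vpc-{vpc}", _ifname(f"br-{vpc}")
    r = ["ip", "netns", "exec", ns]
    return [
        ["ip", "netns", "add", ns],
        r + ["ip", "link", "add", br, "type", "bridge"],
        r + ["ip", "link", "set", br, "up"],
        r + ["sysctl", "-q", "-w", "net.ipv4.ip_forward=1"],
        # Isolation is a positive rule, not the absence of a NAT entry: nothing
        # is forwarded to the uplink unless enable_internet() adds an ACCEPT.
        r + ["iptables", "-P", "FORWARD", "DROP"],
        r + ["iptables", "-A", "FORWARD", "-i", br, "-o", br, "-j", "ACCEPT"],
    ]

def add_subnet(vpc, subnet, cidr):
    """Subnet namespace joined to the bridge through a veth pair."""
    net = ipaddress.ip_network(cidr)
    gw, host = (str(h) for h in list(net.hosts())[:2])  # .1 gateway, .2 workload
    ns, br, sn = f"vpc-{vpc}", f"br-{vpc}", f"{vpc}-{subnet}"
    r, s = ["ip", "netns", "exec", ns], ["ip", "netns", "exec", sn]
    rside = _ifname(f"v-{subnet}")  # bridge-side end of the pair
    return [
        ["ip", "netns", "add", sn],
        # Create the pair in the router namespace, then move one end into the subnet.
        r + ["ip", "link", "add", rside, "type", "veth", "peer", "name", "eth0"],
        r + ["ip", "link", "set", "eth0", "netns", sn],
        r + ["ip", "link", "set", rside, "master", br],
        r + ["ip", "link", "set", rside, "up"],
        r + ["ip", "addr", "add", f"{gw}/{net.prefixlen}", "dev", br],
        s + ["ip", "addr", "add", f"{host}/{net.prefixlen}", "dev", "eth0"],
        s + ["ip", "link", "set", "eth0", "up"],
        s + ["ip", "route", "add", "default", "via", gw],
    ]

def attach_gateway(vpc, host_iface):
    """veth from the router namespace to the host, with NAT on the host side."""
    ns, gw_end = f"vpc-{vpc}", _ifname(f"gw-{vpc}")
    r = ["ip", "netns", "exec", ns]
    return [
        ["ip", "link", "add", gw_end, "type", "veth", "peer", "name", "uplink"],
        ["ip", "link", "set", "uplink", "netns", ns],
        ["ip", "addr", "add", f"{HOST_IP}/30", "dev", gw_end],
        ["ip", "link", "set", gw_end, "up"],
        r + ["ip", "addr", "add", f"{ROUTER_IP}/30", "dev", "uplink"],
        r + ["ip", "link", "set", "uplink", "up"],
        r + ["ip", "route", "add", "default", "via", HOST_IP],
        ["sysctl", "-q", "-w", "net.ipv4.ip_forward=1"],
        ["iptables", "-t", "nat", "-A", "POSTROUTING", "-s", str(LINK_NET),
         "-o", host_iface, "-j", "MASQUERADE"],
    ]

def enable_internet(vpc, cidr):
    """Egress for one subnet: masquerade it in the router namespace and open
    FORWARD for its outbound traffic and the replies; other subnets stay dropped."""
    ns, br = f"vpc-{vpc}", f"br-{vpc}"
    r = ["ip", "netns", "exec", ns]
    return [
        r + ["iptables", "-t", "nat", "-A", "POSTROUTING", "-s", cidr,
             "-o", "uplink", "-j", "MASQUERADE"],
        r + ["iptables", "-A", "FORWARD", "-s", cidr, "-i", br, "-o", "uplink", "-j", "ACCEPT"],
        r + ["iptables", "-A", "FORWARD", "-d", cidr, "-i", "uplink", "-o", br,
             "-m", "conntrack", "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
    ]

def cleanup(vpc, subnets, host_iface):
    # Deleting a namespace also destroys its bridge and veth ends (and their peers),
    # so only the host-side NAT rule needs an explicit delete.
    return [["ip", "netns", "delete", f"{vpc}-{s}"] for s in subnets] + [
        ["ip", "netns", "delete", f"vpc-{vpc}"],
        ["iptables", "-t", "nat", "-D", "POSTROUTING", "-s", str(LINK_NET),
         "-o", host_iface, "-j", "MASQUERADE"]]

def build_plan(host_iface="eth0"):
    """The post's walkthrough: one VPC, two subnets, egress for public-web only."""
    return (create_vpc("company-a", "10.0.0.0/16")
            + add_subnet("company-a", "public-web", "10.0.1.0/24")
            + add_subnet("company-a", "private-db", "10.0.2.0/24")
            + attach_gateway("company-a", host_iface)
            + enable_internet("company-a", "10.0.1.0/24"))

if __name__ == "__main__":  # prints the plan; pipe it into `sudo sh -e` to apply it
    print("\n".join(" ".join(cmd) for cmd in build_plan()))
```

`python3 vpc_example.py` prints one command per line for review; `python3 vpc_example.py | sudo sh -e` applies them and stops at the first failure. Two host-side details matter for the post's curl test: `ip netns exec` bind-mounts files from /etc/netns/<name>/ over /etc for the command it runs, so on a host whose /etc/resolv.conf points at a local stub resolver (127.0.0.53) the namespace needs its own /etc/netns/company-a-public-web/resolv.conf naming a reachable DNS server (ping 8.8.8.8 works without it); and on a host where Docker has set the FORWARD policy to DROP, an ACCEPT rule for traffic entering and leaving gw-company-a is also required.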

Testing and validation steps (connectivity, NAT, isolation)

The script includes built-in commands to verify that your virtual network is behaving as expected.

1. Test Connectivity Between Subnets

First, use the test-connectivity command.

sudo ./vpcctl.py test-connectivity company-a

This test will:

  • Ping between the public-web and private-db subnets to ensure they can communicate with each other within the VPC.
  • Attempt to ping an external address (8.8.8.8) from each subnet.

Expected Outcome:

  • You will see a SUCCESS message for communication between subnets.
  • The public-web subnet will show that it Has internet access.
  • The private-db subnet will show that it has No internet access, confirming our isolation is working.

2. Test NAT and Internet Access

To be absolutely sure the NAT gateway is working, run a command inside the public-web subnet to fetch a webpage.

sudo ./vpcctl.py run-workload company-a public-web "curl -s --head http://www.google.com"

Expected Outcome: You should see HTTP headers from Google, like HTTP/2 200, confirming that the public-web subnet can reach the internet through the NAT gateway.

3. Test Isolation

Now, run the same command inside the private-db subnet.

sudo ./vpcctl.py run-workload company-a private-db "curl -s --head http://www.google.com"

Expected Outcome: The command will hang and eventually time out. This proves that the private-db subnet is successfully isolated from the internet.
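The three checks above combined into one reachability matrix, as an added example standing in for the post's test-connectivity command (whose source the post does not show). Namespace names of the form company-a-<subnet> and the workload addresses 10.0.1.2 and 10.0.2.2 are assumptions of this example. The point of the expectation table is that the private subnet reaching the internet is reported as a violation, not as a passing ping.

```python
#!/usr/bin/env python3
"""Reachability matrix check for the namespace VPC: an added example, not the
post's test-connectivity code. Namespace names company-a-<subnet> are assumed."""
import subprocess

EXTERNAL = "8.8.8.8"  # the same probe target the post uses

def _run(cmd):
    return subprocess.run(cmd, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode

def ping_from(ns, target, runner=_run):
    """True if one ping sent from inside namespace `ns` reaches `target` within 2 s."""
    return runner(["ip", "netns", "exec", ns, "ping", "-c", "1", "-W", "2", target]) == 0

def check_vpc(subnets, public, runner=_run):
    """subnets: {name: (namespace, address)}; public: names allowed egress.
    Returns (check, expected, actual) triples: every subnet pair must talk,
    and only public subnets may reach EXTERNAL."""
    results = []
    for a, (ns_a, _) in subnets.items():
        for b, (_, ip_b) in subnets.items():
            if a != b:
                results.append((f"{a}->{b}", True, ping_from(ns_a, ip_b, runner)))
    for a, (ns_a, _) in subnets.items():
        results.append((f"{a}->internet", a in public, ping_from(ns_a, EXTERNAL, runner)))
    return results

def violations(results):
    """Checks whose outcome contradicts the expectation. A private subnet that
    can reach the internet is the finding to act on, not just a failed test."""
    return [r for r in results if r[1] != r[2]]

if __name__ == "__main__":
    subnets = {"public-web": ("company-a-public-web", "10.0.1.2"),   # assumed names
               "private-db": ("company-a-private-db", "10.0.2.2")}
    for check, expected, actual in check_vpc(subnets, {"public-web"}):
        status = "OK" if expected == actual else "VIOLATION"
        print(f"{status:9} {check}: expected {'reachable' if expected else 'blocked'}, "
              f"got {'reachable' if actual else 'blocked'}")
```

Run it with sudo after the VPC is built. The `runner` parameter exists so the matrix logic can be exercised offline with a fake ping (as the accompanying checks do) and so the same code can be pointed at a different probe, for instance `nc -z` against a known listener, when ICMP is filtered upstream.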

A clean-up step for deleting resources after creation

After you are done experimenting, it is crucial to clean up the virtual network devices you created. The cleanup command removes all namespaces, virtual interfaces, and firewall rules created by the script.

sudo ./vpcctl.sh cleanup

This command ensures your system's networking configuration is returned to its original state.
