Shebang

Simulating a Virtual Private Cloud (VPC) with `vpcctl.py`

This blog post will guide you through a hands-on project that simulates a Virtual Private Cloud (VPC) using Linux network namespaces. This project is a great way for beginners to understand fundamental networking concepts like VPCs, subnets, routing, NAT, and security groups in a practical, low-level way.

Overview of the Project

The vpcctl.py script is a command-line tool that allows you to create, manage, and network your own virtual private clouds. Instead of using a cloud provider's complex UI or API, you'll use simple shell commands to build a VPC from scratch on your Linux machine. This provides a transparent and educational way to see how the different components of a VPC work together.

At its core, the script uses Linux network namespaces to create isolated network environments. Each VPC and subnet runs in its own namespace, preventing interference with your host machine's network or other simulated VPCs.

Here's what you can do with vpcctl.py:

  • Create and manage VPCs: Each VPC gets a dedicated router namespace and an internal bridge.
  • Add subnets: Create isolated subnets within your VPC, each with its own IP address range.
  • Enable Internet access: Configure a NAT (Network Address Translation) gateway to allow subnets to access the internet.
  • Isolate subnets: Apply firewall rules to control which subnets can access the internet.
  • Peer VPCs: Connect two VPCs together to allow communication between their subnets.
  • Apply security groups: Define ingress and egress rules to control traffic to and from your subnets.

CLI Usage Examples and Explanations

The vpcctl.py script must be run as root. Here are some common commands to get you started.

1. Create a VPC

First, let's create a new VPC named my-vpc with the IP address range 10.1.0.0/16.

sudo ./vpcctl.py create-vpc my-vpc 10.1.0.0/16

This command does the following:

  • Creates a new network namespace called vpc-my-vpc-rt to act as the VPC's router.
  • Inside this namespace, it creates a bridge device named br-my-vpc. This bridge will connect all the subnets within the VPC.

2. Add Subnets

Now, let's add two subnets to our VPC: web and db.

sudo ./vpcctl.py add-subnet my-vpc web 10.1.1.0/24
sudo ./vpcctl.py add-subnet my-vpc db 10.1.2.0/24

For each subnet, the script:

  • Creates a new network namespace (e.g., my-vpc-web).
  • Creates a virtual Ethernet (veth) pair to connect the subnet's namespace to the VPC's bridge.
  • Assigns an IP address to the subnet and sets up a default route to the VPC's router.

3. Enable Internet Access for a Subnet

By default, subnets are isolated. To grant the web subnet internet access, we can enable a NAT gateway.

sudo ./vpcctl.py enable-internet my-vpc web

This command sets up iptables rules within the router namespace to masquerade traffic from the web subnet, allowing it to reach the internet through the host machine's network interface. Because the rules match only the web subnet's address range, the db subnet stays cut off from the internet.

4. Test Connectivity

You can test the network setup using the test-connectivity command.

sudo ./vpcctl.py test-connectivity my-vpc

This will:

  • Ping between the web and db subnets to ensure they can communicate with each other.
  • Check if each subnet has internet access by pinging 8.8.8.8.

You should see that web can reach the internet, but db cannot.
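To make the mechanics behind steps 1 to 4 concrete, here is an added example that is not the vpcctl.py script itself: a small Python module that builds the iproute2 and iptables command plan for create-vpc, add-subnet, enable-internet, run-workload and test-connectivity, and can either print it (dry run) or execute it as root. Namespace and bridge names follow the post; the veth names, the choice of gateway (first host of the CIDR) and subnet address (second host), the uplink interface name "uplink0" in the router namespace, and the default-DROP FORWARD policy used to keep db isolated are assumptions made for this example.

```python
#!/usr/bin/env python3
"""Added example: the iproute2/iptables command plan behind create-vpc,
add-subnet, enable-internet and test-connectivity.  Not vpcctl.py itself.

Namespace and bridge names follow the post (vpc-<name>-rt, br-<name>,
<vpc>-<subnet>).  Assumptions: veth names, gateway = first host of the CIDR,
subnet address = second host, an uplink interface "uplink0" already present
in the router namespace, and a default-DROP FORWARD policy for isolation.
"""
import ipaddress
import shlex
import subprocess

INTERNET_PROBE = "8.8.8.8"   # the address the post pings to check internet access

def router_ns(vpc): return f"vpc-{vpc}-rt"
def bridge(vpc): return f"br-{vpc}"
def subnet_ns(vpc, subnet): return f"{vpc}-{subnet}"

def in_ns(ns, *argv):
    """Prefix an argv so it executes inside network namespace `ns`."""
    return ["ip", "netns", "exec", ns, *argv]

def plan_create_vpc(vpc):
    rt, br = router_ns(vpc), bridge(vpc)
    return [
        ["ip", "netns", "add", rt],
        in_ns(rt, "ip", "link", "add", br, "type", "bridge"),
        in_ns(rt, "ip", "link", "set", br, "up"),
        in_ns(rt, "ip", "link", "set", "lo", "up"),
        in_ns(rt, "sysctl", "-w", "net.ipv4.ip_forward=1"),
        # default-deny forwarding (assumption): subnets talk to each other over
        # the bridge, nothing leaves the VPC until enable-internet adds a rule
        in_ns(rt, "iptables", "-P", "FORWARD", "DROP"),
        in_ns(rt, "iptables", "-A", "FORWARD", "-i", br, "-o", br, "-j", "ACCEPT"),
    ]

def subnet_addrs(cidr):
    """(gateway, subnet host, prefixlen); strict=True rejects CIDRs with host bits set."""
    net = ipaddress.ip_network(cidr, strict=True)
    hosts = net.hosts()
    return next(hosts), next(hosts), net.prefixlen

def plan_add_subnet(vpc, subnet, cidr):
    gw, host, plen = subnet_addrs(cidr)
    rt, ns, br = router_ns(vpc), subnet_ns(vpc, subnet), bridge(vpc)
    v_rt, v_ns = f"v-{subnet}-rt", f"v-{subnet}"   # assumed veth names (keep under 16 chars)
    return [
        ["ip", "netns", "add", ns],
        in_ns(rt, "ip", "link", "add", v_rt, "type", "veth", "peer", "name", v_ns),
        in_ns(rt, "ip", "link", "set", v_ns, "netns", ns),        # move one end into the subnet
        in_ns(rt, "ip", "link", "set", v_rt, "master", br),       # other end joins the bridge
        in_ns(rt, "ip", "link", "set", v_rt, "up"),
        in_ns(rt, "ip", "addr", "add", f"{gw}/{plen}", "dev", br),  # gateway lives on the bridge
        in_ns(ns, "ip", "link", "set", "lo", "up"),
        in_ns(ns, "ip", "addr", "add", f"{host}/{plen}", "dev", v_ns),
        in_ns(ns, "ip", "link", "set", v_ns, "up"),
        in_ns(ns, "ip", "route", "add", "default", "via", str(gw)),
    ]

def plan_enable_internet(vpc, subnet, cidr, uplink="uplink0"):
    """Masquerade only this subnet's source range out of the (assumed) uplink;
    other subnets stay blocked by the FORWARD DROP policy from plan_create_vpc."""
    rt = router_ns(vpc)
    return [
        in_ns(rt, "iptables", "-t", "nat", "-A", "POSTROUTING",
              "-s", cidr, "-o", uplink, "-j", "MASQUERADE"),
        in_ns(rt, "iptables", "-A", "FORWARD", "-s", cidr, "-o", uplink, "-j", "ACCEPT"),
        in_ns(rt, "iptables", "-A", "FORWARD", "-d", cidr, "-i", uplink, "-m", "conntrack",
              "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"),
    ]

def plan_run_workload(vpc, subnet, command):
    return [in_ns(subnet_ns(vpc, subnet), "sh", "-c", command)]

def plan_test_connectivity(vpc, subnets):
    """subnets: {name: cidr}.  Pings between every pair (should succeed) and
    from each subnet to INTERNET_PROBE (succeeds only after enable-internet)."""
    addr = {n: str(subnet_addrs(c)[1]) for n, c in subnets.items()}
    plan = []
    for src in subnets:
        for dst in subnets:
            if dst != src:
                plan.append(in_ns(subnet_ns(vpc, src), "ping", "-c", "1", "-W", "1", addr[dst]))
        plan.append(in_ns(subnet_ns(vpc, src), "ping", "-c", "1", "-W", "1", INTERNET_PROBE))
    return plan

def apply(commands, dry_run=True):
    """Run a plan in order (root required); with dry_run only render the lines."""
    if not dry_run:
        for argv in commands:
            subprocess.run(argv, check=True)
    return [shlex.join(argv) for argv in commands]

if __name__ == "__main__":
    plan = (plan_create_vpc("my-vpc")
            + plan_add_subnet("my-vpc", "web", "10.1.1.0/24")
            + plan_add_subnet("my-vpc", "db", "10.1.2.0/24")
            + plan_enable_internet("my-vpc", "web", "10.1.1.0/24")
            + plan_test_connectivity("my-vpc", {"web": "10.1.1.0/24", "db": "10.1.2.0/24"}))
    print("\n".join(apply(plan)))          # dry run: show the commands, do not execute
```

Running the module prints the full plan for the walkthrough above without touching the host; pass dry_run=False to apply() (as root, with the uplink in place) to actually build it. The point worth noticing is that isolation is not a property of the namespaces but of the router's FORWARD chain: with a DROP policy and one ACCEPT limited to the web subnet's CIDR, db can still ping web over the bridge but its packets to 8.8.8.8 are dropped before they ever reach the NAT table.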

Architecture Diagram

The architecture of our simulated VPC can be visualized as follows:

  • VPC Router Namespace: An isolated environment that contains the bridge and acts as the central router for the VPC.
  • Bridge: A virtual switch that connects all the subnets within the VPC.
  • Subnets: Each subnet is its own isolated namespace with a virtual network interface connected to the VPC's bridge.

Testing and Validation Steps

The vpcctl.py script includes built-in commands for testing.

Connectivity Testing

As shown earlier, the test-connectivity command is a great way to verify your setup.

sudo ./vpcctl.py test-connectivity my-vpc

NAT and Isolation Testing

After enabling internet for the web subnet, you can run a command inside its namespace to confirm it can reach the internet.

sudo ./vpcctl.py run-workload my-vpc web "curl -s https://www.google.com"

You should see the HTML of Google's homepage. If you try the same command in the db subnet, it will fail, demonstrating its isolation.

sudo ./vpcctl.py run-workload my-vpc db "curl -s https://www.google.com"

Clean Up

To delete all the resources you've created (namespaces, veth pairs, etc.), simply use the delete-vpc command.

sudo ./vpcctl.py delete-vpc my-vpc

This will remove the router namespace, all subnet namespaces, and the associated network interfaces, leaving your system clean.

This project provides a powerful and intuitive way to learn about VPCs and networking. By building and managing your own VPCs from the command line, you'll gain a deeper understanding of the concepts that underpin modern cloud infrastructure.
