Have you ever wondered how cloud providers like AWS or Azure create isolated, secure networks? This project, built entirely on native Linux kernel tools (like ip, brctl, and iptables), demonstrates a fully functional Virtual Private Cloud (VPC) environment on a single host. We built a custom command-line interface, vpcctl, to manage it all.
Project Overview & Architecture
The goal of this project was to replicate a cloud VPC's complex routing and security features without using any third-party virtualization software. The core of the architecture relies on three kernel primitives:
| Component | Linux Implementation | Function |
|---|---|---|
| VPC (the network) | Linux bridge (vpc0, vpc1) | Acts as the central VPC router, connecting all subnets. |
| Subnets | Network namespaces (web_ns, db_ns) | Provides complete network isolation for each subnet's hosts. |
| Connecting cable | veth pairs (virtual Ethernet) | Links each subnet (namespace) to the central VPC router (bridge). |
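The three primitives in the table, wired together in the order a hardened build should use: the namespace's INPUT chain is set to DROP before its address is configured, so there is no window in which the subnet host is reachable unfiltered. This is an added illustration and not the project's vpcctl.sh; the helper names (run, create_vpc, add_subnet), the veth naming scheme and the DRY_RUN switch are assumptions. With DRY_RUN=1 the commands are printed instead of executed, so the plan can be reviewed without root.

```shell
#!/bin/sh
# Added example (not the project's vpcctl.sh): bridge + namespace + veth, with
# deny-by-default applied before the subnet gets an address.
# Names vpc0 / web_ns / 10.0.x.x follow the page; everything else is assumed.

# run CMD...: execute, or just print the command when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# create_vpc NAME ROUTER_CIDR: one bridge per VPC. The bridge's own address
# is the default gateway every subnet in that VPC will point at.
create_vpc() {
    name=$1; router_cidr=$2
    run ip link add "$name" type bridge
    run ip addr add "$router_cidr" dev "$name"
    run ip link set "$name" up
}

# add_subnet NS HOST_CIDR GATEWAY VPC: one namespace per subnet, joined to the
# VPC bridge by a veth pair (host end "<ns>-br", namespace end "<ns>-eth0";
# both stay under the 15-character interface name limit for the page's names).
add_subnet() {
    ns=$1; host_cidr=$2; gw=$3; vpc=$4
    veth_host="${ns}-br"; veth_ns="${ns}-eth0"
    run ip netns add "$ns"
    run ip link add "$veth_host" type veth peer name "$veth_ns"
    run ip link set "$veth_ns" netns "$ns"
    run ip link set "$veth_host" master "$vpc"
    run ip link set "$veth_host" up
    # Deny by default first: policy DROP, then only loopback and replies to
    # connections the subnet itself opened. Allow rules come from the policy.
    run ip netns exec "$ns" iptables -P INPUT DROP
    run ip netns exec "$ns" iptables -A INPUT -i lo -j ACCEPT
    run ip netns exec "$ns" iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only now does the namespace become addressable.
    run ip netns exec "$ns" ip addr add "$host_cidr" dev "$veth_ns"
    run ip netns exec "$ns" ip link set "$veth_ns" up
    run ip netns exec "$ns" ip link set lo up
    # The VPC router (e.g. 10.0.0.1) is outside a /24 subnet's own prefix,
    # so the default route must be marked onlink to be accepted.
    run ip netns exec "$ns" ip route add default via "$gw" dev "$veth_ns" onlink
}
```

Usage: `DRY_RUN=1 create_vpc vpc0 10.0.0.1/16` followed by `DRY_RUN=1 add_subnet web_ns 10.0.1.2/24 10.0.0.1 vpc0` prints the full plan; drop DRY_RUN and run as root to apply it.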
Security by Design: Security Groups & Isolation
Security is enforced at multiple levels to ensure the network is robust:
- Deny by Default: Every subnet's firewall is initialized to DROP all traffic (iptables -P INPUT DROP), so nothing is reachable until a policy rule explicitly allows it.
- Controlled Access: The JSON-based security policy (parsed by jq) explicitly defines which ports and protocols are allowed. For example, db_ns only permits MySQL traffic (port 3306) from the authorized web subnet.
- VPC Isolation: By default, two VPCs (vpc0 and vpc1) are completely isolated, enforcing the separation required for enterprise environments.
CLI Usage Examples (vpcctl)
The custom vpcctl.sh script automates the entire process. Here are the most critical commands:
| Command | Description | Example |
|---|---|---|
| Create VPC | Creates a new VPC (bridge), sets the router IP, and initializes the secure DROP policy. | `sudo ./vpcctl.sh create vpc vpc1 10.10.0.1/16 10.10.0.0/16` |
| Add Subnet | Creates a namespace, links it to the VPC, and applies the JSON firewall policy. | `sudo ./vpcctl.sh add subnet web_ns 10.0.1.0/24 public vpc0` |
| Peering | Creates the veth link, static routes, and host firewall rules required for controlled cross-VPC traffic. | `sudo ./vpcctl.sh peer vpcs vpc0 10.0.0.0/16 vpc1 10.10.0.0/16` |
| Enable NAT | Configures the host's iptables to provide Internet access via masquerade. | `sudo ./vpcctl.sh enable nat` |
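The host-side rules behind `peer vpcs` and `enable nat`, written so that both are scoped to the VPC ranges rather than switched on globally. This is an added example, not vpcctl.sh: the uplink name, the helper names and the DRY_RUN switch are assumptions, and it does not reproduce the project's veth link and static routes between the bridges, because on a single host the kernel already routes between two bridges that carry addresses; what decides whether traffic may cross is the FORWARD chain, which is where the `iptables -I FORWARD 1` exception from the validation section lives.

```shell
#!/bin/sh
# Added example (not the project's vpcctl.sh): NAT and peering as host
# iptables rules scoped to VPC prefixes. WAN_IF, CIDRs and helpers are assumed.

run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# enable_nat VPC_CIDR WAN_IF: masquerade only this VPC's range, and only when
# it leaves via the uplink. Replies are admitted by conntrack state, so no
# unsolicited inbound traffic is forwarded into the VPC.
enable_nat() {
    cidr=$1; wan=$2
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$cidr" -o "$wan" -j MASQUERADE
    run iptables -A FORWARD -s "$cidr" -o "$wan" -j ACCEPT
    run iptables -A FORWARD -d "$cidr" -i "$wan" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# peer_vpcs A_CIDR B_CIDR: with FORWARD at DROP, two VPCs on the same host
# stay isolated even though the kernel has routes to both bridges. Peering is
# then nothing more than an explicit exception for this one pair of prefixes,
# inserted at position 1 so an earlier rule cannot shadow it.
peer_vpcs() {
    a_cidr=$1; b_cidr=$2
    run iptables -P FORWARD DROP
    run iptables -I FORWARD 1 -s "$a_cidr" -d "$b_cidr" -j ACCEPT
    run iptables -I FORWARD 1 -s "$b_cidr" -d "$a_cidr" -j ACCEPT
}

# unpeer_vpcs A_CIDR B_CIDR: remove exactly the two exceptions, nothing else.
unpeer_vpcs() {
    a_cidr=$1; b_cidr=$2
    run iptables -D FORWARD -s "$a_cidr" -d "$b_cidr" -j ACCEPT
    run iptables -D FORWARD -s "$b_cidr" -d "$a_cidr" -j ACCEPT
}
```

Usage: `DRY_RUN=1 peer_vpcs 10.0.0.0/16 10.10.0.0/16` shows the plan; without DRY_RUN the rules are applied immediately. Note that `iptables -P FORWARD DROP` affects every forwarded flow on the host, not just the lab bridges, which is fine on a dedicated test machine but worth knowing on a shared one.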
Testing and Validation Steps
Validation proves the system works and obeys the security rules.
| Test | Command | Expected Result | Requirement Verified |
|---|---|---|---|
| 1. Subnet Routing | `sudo ./vpcctl.sh test subnet_to_subnet web_ns db_ns` | SUCCESS (0% loss) | Subnets within a VPC can communicate. |
| 2. Firewall Enforcement | `sudo ip netns exec web_ns nc -zv 10.0.2.1 80 -w 2` | FAILURE (Connection Refused) | Firewall rules block unauthorized traffic (port 80 is denied by policy). |
| 3. VPC Isolation | `sudo ip netns exec web_ns ping -c 1 10.10.1.1` | FAILURE (100% loss) | VPCs are fully isolated by default. |
| 4. Final Peering | Requires adding `iptables -I FORWARD 1...` after peering. | SUCCESS (0% loss) | Controlled cross-VPC communication works after the security exception. |
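A point the table makes implicitly is that two of the four checks pass only when the probe fails: a firewall test that "succeeds" by connecting to port 80 is a policy violation. The added harness below encodes each row with an expected outcome of `allow` or `block`, so a leak shows up as FAIL rather than as a green connection. It is not the project's `vpcctl.sh test` subcommand; the helper names are assumptions, the probe addresses come from the table, and PEERED=1 flips the isolation row to the post-peering expectation. It must run as root on a host where the namespaces exist.

```shell
#!/bin/sh
# Added example (not the project's test subcommand): validation with an
# explicit "must be blocked" notion. Helper names are assumptions.

# expect MODE LABEL CMD...: MODE is "allow" (CMD must exit 0) or "block"
# (CMD must fail). Prints one PASS/FAIL line and returns 0 only on PASS.
expect() {
    mode=$1; label=$2; shift 2
    if "$@" >/dev/null 2>&1; then got=allow; else got=block; fi
    if [ "$got" = "$mode" ]; then
        printf 'PASS  %-24s (%s, as required)\n' "$label" "$mode"
        return 0
    fi
    printf 'FAIL  %-24s (expected %s, got %s)\n' "$label" "$mode" "$got"
    return 1
}

# in_ns NS CMD...: run a probe from inside a subnet namespace (needs root).
in_ns() { ns=$1; shift; ip netns exec "$ns" "$@"; }

# run_suite: the rows of the table above. Short timeouts keep a DROP policy
# (which produces silence, not a reset) from stalling the run. Returns the
# number of failed rows, so it can be used as an exit status.
run_suite() {
    fails=0
    # Row 1: two subnets of the same VPC must reach each other.
    expect allow "subnet routing"    in_ns web_ns ping -c 1 -W 2 10.0.2.1 || fails=$((fails + 1))
    # Row 2: port 80 on the db subnet is not in the policy, so it must be blocked.
    expect block "firewall, port 80" in_ns web_ns nc -z -w 2 10.0.2.1 80 || fails=$((fails + 1))
    # Rows 3 and 4: the same probe, with the expectation depending on peering state.
    if [ "${PEERED:-0}" = "1" ]; then
        expect allow "vpc peering"   in_ns web_ns ping -c 1 -W 2 10.10.1.1 || fails=$((fails + 1))
    else
        expect block "vpc isolation" in_ns web_ns ping -c 1 -W 2 10.10.1.1 || fails=$((fails + 1))
    fi
    return "$fails"
}
```

Run `run_suite` before peering and `PEERED=1 run_suite` after adding the FORWARD exception; a non-zero return means at least one row did not behave as the policy requires.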
Clean Up: Deleting All Resources
To ensure the host machine remains clean, the final step is to run the idempotent teardown command. This reliably removes all namespaces, bridges, custom VETH links, and firewall rules created during the project.
# Deletes all VPCs, subnets, and restores host firewall settings
sudo ./vpcctl.sh clean