Ojasa Mirai


🌐 Networking Services - Advanced Patterns

Network Architecture Patterns

Hub-and-Spoke (AWS)

                Central Hub VPC
                   (10.0.0.0/16)
                       |
        _______________+______________
       |               |              |
    Spoke1          Spoke2         Spoke3
   (Prod)         (Staging)       (Dev)
   
VPC Peering + Transit Gateway
All traffic routes through hub
Centralized security policies

Mesh Network (GCP)

All VPCs connected via VPC peering
Each VPC can reach others
No central hub
Distributed architecture

Hybrid Connectivity (Azure)

On-Premises Network
     |
     | (ExpressRoute - dedicated)
     |
Azure Virtual Networks
     |
     | (VPN - encrypted)
     |
AWS/GCP via hybrid connectivity

Advanced Security Patterns

Least Privilege Firewall

AWS Security Group Rules:
- Inbound: 
  - HTTP (80) from ALB only (sg-alb)
  - MySQL (3306) from App layer only (sg-app)
  - SSH (22) from Bastion only (sg-bastion)
- Outbound:
  - HTTPS (443) to specific APIs only
  - NTP (123) to time servers only
  
GCP Firewall Rules:
- Web servers: Allow ingress 80, 443 from 0.0.0.0/0
- App servers: Allow ingress 8080 from web-servers tag only
- Database: Allow ingress 5432 from app-servers tag only

Azure NSG Rules (lower priority number is evaluated first):
- Inbound:
  - Priority 100: Allow 80 from AzureFrontDoor
  - Priority 200: Allow 3306 from AppSubnet
  - Priority 300: Deny all (explicit catch-all; it overrides the built-in AllowVNetInBound rule at 65000, and NSGs always end with DenyAllInBound at 65500)
- Outbound: All allowed (default) - tighten to the destinations the workload needs, as in the AWS rules above
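Rule sets like the ones above drift over time, so it is worth checking them mechanically. The following added Python example (not code from the page) audits rule lists in a small vendor-neutral shape against the least-privilege points above, using the AWS security group rules from this page as the compliant sample and a constructed drifted set; the rule dict shape, the `sg-` prefix for group references and the 203.0.113.0/24 API range are assumptions.

```python
import ipaddress

# Ports that should only ever be reachable from a group reference, never from a CIDR.
SENSITIVE_PORTS = {22: "SSH", 3306: "MySQL", 5432: "PostgreSQL", 3389: "RDP"}


def is_internet(peer: str) -> bool:
    """True when peer is a /0 CIDR (0.0.0.0/0 or ::/0); group references are not CIDRs."""
    try:
        return ipaddress.ip_network(peer, strict=False).prefixlen == 0
    except ValueError:
        return False


def audit_rules(rules):
    """Return least-privilege findings for rules shaped like (assumed shape)
    {"direction": "in"|"out", "port": int|"all", "peer": "<cidr>"|"sg-<id>"}."""
    findings = []
    for r in rules:
        port, peer, direction = r["port"], r["peer"], r["direction"]
        if direction == "in":
            if is_internet(peer) and (port == "all" or port in SENSITIVE_PORTS):
                findings.append(f"inbound {port} open to the Internet ({peer})")
            elif port in SENSITIVE_PORTS and not peer.startswith("sg-"):
                findings.append(f"inbound {SENSITIVE_PORTS[port]} ({port}) from CIDR {peer}; "
                                "reference the caller's security group instead")
        elif port == "all" and is_internet(peer):
            findings.append("outbound allow-all to the Internet; pin to required destinations")
    return findings


# Compliant set: the AWS security group rules from this page.
GOOD_RULES = [
    {"direction": "in", "port": 80, "peer": "sg-alb"},
    {"direction": "in", "port": 3306, "peer": "sg-app"},
    {"direction": "in", "port": 22, "peer": "sg-bastion"},
    {"direction": "out", "port": 443, "peer": "203.0.113.0/24"},  # constructed API range
    {"direction": "out", "port": 123, "peer": "203.0.113.0/24"},  # constructed NTP range
]

# Constructed drifted set: each rule is a common mistake the audit should catch.
BAD_RULES = [
    {"direction": "in", "port": 22, "peer": "0.0.0.0/0"},
    {"direction": "in", "port": 3306, "peer": "10.0.0.0/16"},
    {"direction": "out", "port": "all", "peer": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for finding in audit_rules(BAD_RULES):
        print("FINDING:", finding)
```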

Multi-VPC / Multi-VNet Architecture

AWS Transit Gateway

```javascript
const AWS = require('aws-sdk');
const ec2 = new AWS.EC2();

async function buildTransitHub() {
  // Central hub for VPC connectivity
  const tgw = await ec2.createTransitGateway({
    Description: 'Central transit hub',
    Options: {
      AmazonSideAsn: 64512,
      DefaultRouteTableAssociation: 'enable',
      DefaultRouteTablePropagation: 'enable'
    }
  }).promise();
  const tgwId = tgw.TransitGateway.TransitGatewayId;

  // The gateway starts in 'pending'; attachments fail until it is 'available',
  // so poll DescribeTransitGateways before attaching.
  let state = tgw.TransitGateway.State;
  while (state !== 'available') {
    await new Promise(resolve => setTimeout(resolve, 10000));
    const desc = await ec2.describeTransitGateways({ TransitGatewayIds: [tgwId] }).promise();
    state = desc.TransitGateways[0].State;
  }

  // Attach a VPC to the gateway (one subnet per AZ the gateway should reach)
  await ec2.createTransitGatewayVpcAttachment({
    TransitGatewayId: tgwId,
    SubnetIds: ['subnet-12345', 'subnet-67890'],
    VpcId: 'vpc-abcdef'
  }).promise();
  return tgwId;
}
```

GCP VPC Peering

```shell
# Create peering between VPCs. This is one side only: the peering stays INACTIVE
# until the dev-project side creates the matching peering back to prod.
gcloud compute networks peerings create peering-prod-to-dev \
  --network prod \
  --auto-create-routes \
  --peer-project dev-project \
  --peer-network dev

# Matching peering from the dev side (prod-project is a placeholder for prod's project ID)
gcloud compute networks peerings create peering-dev-to-prod \
  --project dev-project \
  --network dev \
  --peer-project prod-project \
  --peer-network prod
```

Azure Virtual Network Peering

```shell
# One direction of the peering; create the reverse peering (vnet2-to-vnet1 in rg2)
# as well, or the peering state never reaches Connected
az network vnet peering create \
  --name vnet1-to-vnet2 \
  --resource-group rg1 \
  --vnet-name vnet1 \
  --remote-vnet /subscriptions/xxx/resourceGroups/rg2/providers/Microsoft.Network/virtualNetworks/vnet2 \
  --allow-vnet-access \
  --allow-forwarded-traffic
```

Advanced Routing

BGP Dynamic Routing (AWS)

```shell
# Enable dynamic routing with BGP. The customer gateway (cgw-12345) must have been
# created with its BGP ASN; StaticRoutesOnly=false (the default) selects BGP.
# Quote the options string: unquoted {a,b} would be brace-expanded by the shell.
# Replace the <psk-...> placeholders with strong, distinct pre-shared keys.
aws ec2 create-vpn-connection \
  --type ipsec.1 \
  --customer-gateway-id cgw-12345 \
  --vpn-gateway-id vgw-67890 \
  --options 'StaticRoutesOnly=false,TunnelOptions=[{TunnelInsideCidr=169.254.10.0/30,PreSharedKey=<psk-tunnel-1>},{TunnelInsideCidr=169.254.11.0/30,PreSharedKey=<psk-tunnel-2>}]'

# BGP automatically advertises routes
```

Priority-Based Static Routes (GCP)

```shell
# Route traffic based on priority
gcloud compute routes create my-route \
  --network my-network \
  --destination-range 0.0.0.0/0 \
  --next-hop-gateway default-internet-gateway \
  --priority 100

# Multiple routes with different priorities: the most specific destination range
# wins first; among routes with the same range the lowest priority value (0-65535)
# is used, and routes still tied share traffic (ECMP)
```
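Because the selection order decides whether a forced-egress route through an inspection appliance actually wins over a plain Internet route, it is worth reproducing it. The following added Python example (not code from the page) implements GCP's documented route selection for VPC routes, longest prefix first and then lowest priority value with equal-cost ties kept, over a constructed routing table that contains the page's `my-route` plus an assumed pair of firewall-appliance default routes at priority 50; the next-hop names and the dict shape are assumptions.

```python
import ipaddress


def select_routes(routes, dst_ip):
    """Return the route(s) a GCP VPC would use for dst_ip.

    Selection order: most specific destination range first, then the lowest
    priority value; routes still tied are equal-cost (ECMP) and are all returned.
    routes: list of dicts with keys name, dest (CIDR), next_hop, priority (assumed shape).
    """
    addr = ipaddress.ip_address(dst_ip)
    matching = [r for r in routes if addr in ipaddress.ip_network(r["dest"])]
    if not matching:
        return []
    rank = lambda r: (-ipaddress.ip_network(r["dest"]).prefixlen, r["priority"])
    best = min(rank(r) for r in matching)
    return [r for r in matching if rank(r) == best]


# Constructed routing table for my-network: the page's default route plus two
# lower-numbered (so higher-priority) default routes through firewall appliances.
ROUTES = [
    {"name": "my-route", "dest": "0.0.0.0/0", "next_hop": "default-internet-gateway", "priority": 100},
    {"name": "egress-fw-a", "dest": "0.0.0.0/0", "next_hop": "fw-appliance-a", "priority": 50},
    {"name": "egress-fw-b", "dest": "0.0.0.0/0", "next_hop": "fw-appliance-b", "priority": 50},
    {"name": "subnet-app", "dest": "10.10.0.0/24", "next_hop": "local", "priority": 0},
    {"name": "peer-dev", "dest": "10.20.0.0/16", "next_hop": "peering:dev", "priority": 0},
]


def next_hops(dst_ip):
    """Sorted names of the next hops that would carry traffic to dst_ip."""
    return sorted(r["next_hop"] for r in select_routes(ROUTES, dst_ip))


if __name__ == "__main__":
    for ip in ("8.8.8.8", "10.10.0.7", "10.20.3.3"):
        print(ip, "->", next_hops(ip))
```

Internet-bound traffic lands on the two appliances, not on `default-internet-gateway`, which is the check to run before relying on an inspection path.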

Performance Optimization

Bandwidth Optimization

AWS Direct Connect: Up to 100 Gbps
- Lower latency than VPN
- Consistent performance
- Suitable for high-throughput

GCP Interconnect: Up to 200 Gbps
- Google's private network
- Very low latency to GCP

Azure ExpressRoute: Up to 100 Gbps
- Microsoft private peering
- Low latency to Azure services

Network Placement

Co-locate resources:
- Database in same region as app
- Cache near compute
- Minimize cross-region traffic

Traffic costs:
- Intra-region: Free (AWS/GCP/Azure)
- Cross-region: $0.01-0.02/GB
- Optimize egress

DDoS Protection & WAF

AWS Shield/WAF

```javascript
const AWS = require('aws-sdk');
const waf = new AWS.WAFV2();

// Rate-based rule: block any source IP exceeding 2000 requests per evaluation window (5 min by default)
const rule = {
  Name: 'RateLimitRule',
  Priority: 1,
  Statement: {
    RateBasedStatement: {
      Limit: 2000,
      AggregateKeyType: 'IP'
    }
  },
  Action: { Block: {} },
  VisibilityConfig: {
    SampledRequestsEnabled: true,
    CloudWatchMetricsEnabled: true,
    MetricName: 'RateLimitRule'
  }
};

// A rule only takes effect inside a Web ACL associated with the ALB/API Gateway
// (Scope 'REGIONAL') or a CloudFront distribution (Scope 'CLOUDFRONT', us-east-1 only)
async function createRateLimitAcl() {
  return waf.createWebACL({
    Name: 'PublicAppAcl',
    Scope: 'REGIONAL',
    DefaultAction: { Allow: {} },
    Rules: [rule],
    VisibilityConfig: {
      SampledRequestsEnabled: true,
      CloudWatchMetricsEnabled: true,
      MetricName: 'PublicAppAcl'
    }
  }).promise();
}
```

GCP Cloud Armor

```shell
gcloud compute security-policies create my-policy \
  --description "DDoS protection"

# Layer 7 DDoS defense (Adaptive Protection) is a policy-level setting, not a rule
gcloud compute security-policies update my-policy \
  --enable-layer7-ddos-defense

# Preconfigured WAF rule: xss-v33 matches cross-site-scripting payloads, not volumetric
# traffic. Rules are identified by priority (100); valid actions include allow,
# deny-403/404/502 and throttle (there is no block-403).
gcloud compute security-policies rules create 100 \
  --security-policy my-policy \
  --action deny-403 \
  --description "block xss attempts" \
  --expression "evaluatePreconfiguredExpr('xss-v33')"
```

Monitoring and Troubleshooting

VPC Flow Logs

```shell
# AWS VPC Flow Logs
aws ec2 create-flow-logs \
  --resource-type VPC \
  --resource-ids vpc-12345 \
  --traffic-type ALL \
  --log-destination-type cloud-watch-logs \
  --log-group-name /aws/vpc/flowlogs \
  --deliver-logs-permission-role-arn arn:aws:iam::123456789012:role/flowLogsRole \
  --max-aggregation-interval 60   # 60 s instead of the 10-minute default, so events show up sooner

# Analyze traffic patterns
# Identify security issues
# Debug connectivity problems
```

Key Takeaways

  • **Hub-and-spoke scales** better than mesh
  • **Direct Connect/Interconnect essential** for hybrid
  • **Least privilege firewall** non-negotiable
  • **VPC peering has limits** (Transit Gateway solves this)
  • **BGP dynamic routing** best for HA
  • **DDoS protection mandatory** for public apps
  • **VPC Flow Logs critical** for troubleshooting
  • **Network costs significant** at scale - optimize
  • **Latency matters** - architect accordingly
  • **Security groups don't replace WAF** - use both

© 2026 Ojasa Mirai. All rights reserved.