Virtual Private Cloud & Subnets

Isolated, highly customizable network environments with fine-grained control over IP allocation, routing, and security policies.

Overview

A CloudNexus VPC (Virtual Private Cloud) provides a logically isolated section of the cloud where you can launch resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.

💡 Pro Tip: Each VPC is scoped to a single region. For multi-region architectures, use VPC Peering or Transit Gateways to interconnect networks securely across regions.

Architecture & Components

CloudNexus VPCs are built with a modular, layered networking stack designed for performance, security, and scalability. The diagram below (shown here as a component list) gives a high-level view of how components interact within a standard VPC deployment.

  • Internet Gateway: public IP routing
  • Public Subnet: web servers / load balancers
  • NAT Gateway: outbound only
  • Private Subnet: app tier / APIs
  • Security Groups: stateful firewall
  • Data Subnet: databases / cache
  • Route Tables: control traffic flow between subnets, IGWs, and NATs

Core Components

Component       | Description                                            | Use Case
----------------|--------------------------------------------------------|------------------------------------------
VPC             | Logical isolation of network resources                 | Environment separation (prod/staging/dev)
Subnets         | IP address range segments within a VPC                 | AZ distribution, tiered architecture
Route Tables    | Rules that determine where network traffic is directed | Public/private routing, peering paths
Security Groups | Stateful, instance-level firewall                      | Application layer access control
NACLs           | Stateless, subnet-level firewall                       | Additional subnet perimeter defense

Configuration Guide

When provisioning a VPC, you'll define the CIDR block, subnet ranges, DNS settings, and DHCP options. CloudNexus supports IPv4/IPv6 dual-stack and automatically provisions a DHCP server unless disabled.

CIDR Block Requirements

  • IPv4 ranges must be between /16 (65,536 addresses) and /28 (16 addresses)
  • Cannot overlap with existing VPCs in the same region
  • Must not conflict with standard reserved ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) unless explicitly allowed

# Terraform HCL example (CloudNexus provider)
resource "cloudnexus_vpc" "production" {
  cidr_block           = "10.42.0.0/16"
  enable_dns_support   = true
  enable_dns_hostnames = true
  instance_tenancy     = "default"
  tags = {
    Name    = "prod-app-vpc"
    Env     = "production"
    Managed = "terraform"
  }
}

Subnet Sizing Best Practices

Allocate subnets with sufficient headroom for growth. CloudNexus reserves 5 IP addresses per subnet: the network address (.0), the broadcast address (.255), and 3 system addresses. A /24 subnet (255 addresses) is recommended for most workloads, while /20 is preferred for high-density deployments.
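The CIDR block requirements and the subnet sizing guidance above are easy to check before a Terraform apply. The following is an added example, not CloudNexus code: it validates a proposed VPC CIDR against the stated /16 to /28 limits, against other VPC CIDRs in the region, and against the standard reserved ranges (with an `allow_reserved` flag standing in for the "unless explicitly allowed" exception), then computes usable addresses after the 5 reserved per subnet and carves non-overlapping subnets out of the VPC range. The neighbouring VPC CIDRs in the `__main__` section are constructed sample inputs.

```python
import ipaddress

# Limits stated in the CIDR Block Requirements (IPv4 only).
MIN_PREFIX = 16                 # /16 = 65,536 addresses, the largest VPC allowed
MAX_PREFIX = 28                 # /28 = 16 addresses, the smallest VPC allowed
RESERVED_PER_SUBNET = 5         # network, broadcast and 3 system addresses
RESERVED_RANGES = [ipaddress.IPv4Network(r) for r in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_vpc_cidr(cidr, existing_vpc_cidrs, allow_reserved=False):
    """Return a list of problems with a proposed VPC CIDR (empty = acceptable).

    existing_vpc_cidrs: CIDRs of VPCs already present in the same region.
    allow_reserved: the "unless explicitly allowed" exception for the
    standard reserved ranges (assumed flag, not a CloudNexus API).
    """
    try:
        net = ipaddress.IPv4Network(cidr, strict=True)   # rejects host bits set
    except ValueError as exc:
        return [f"invalid CIDR {cidr!r}: {exc}"]

    problems = []
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        problems.append(
            f"prefix /{net.prefixlen} is outside the allowed /{MIN_PREFIX}-/{MAX_PREFIX}")
    for other in existing_vpc_cidrs:
        if net.overlaps(ipaddress.IPv4Network(other)):
            problems.append(f"overlaps existing VPC {other}")
    if not allow_reserved and any(net.overlaps(r) for r in RESERVED_RANGES):
        problems.append(
            "falls inside a standard reserved range and was not explicitly allowed")
    return problems


def usable_addresses(subnet_cidr):
    """Addresses left for instances after the 5 reserved per subnet."""
    return ipaddress.IPv4Network(subnet_cidr).num_addresses - RESERVED_PER_SUBNET


def plan_subnets(vpc_cidr, subnet_prefix, count):
    """Carve `count` non-overlapping /subnet_prefix subnets out of the VPC CIDR."""
    vpc = ipaddress.IPv4Network(vpc_cidr)
    if subnet_prefix < vpc.prefixlen:
        raise ValueError("subnet prefix must be at least as long as the VPC prefix")
    carved = []
    for sub in vpc.subnets(new_prefix=subnet_prefix):
        if len(carved) == count:
            break
        carved.append(str(sub))
    if len(carved) < count:
        raise ValueError(f"{vpc_cidr} cannot hold {count} /{subnet_prefix} subnets")
    return carved


if __name__ == "__main__":
    # Constructed inputs: the page's example VPC plus two hypothetical neighbours.
    in_region = ["10.0.0.0/16", "10.99.0.0/16"]
    print(validate_vpc_cidr("10.42.0.0/16", in_region, allow_reserved=True))    # []
    print(validate_vpc_cidr("10.99.128.0/17", in_region, allow_reserved=True))  # overlap
    print(validate_vpc_cidr("10.42.0.0/30", in_region, allow_reserved=True))    # too small
    print(usable_addresses("10.42.1.0/24"))                                     # 251
    print(plan_subnets("10.42.0.0/16", 24, 3))
```

Run the checks with the same CIDR strings you are about to put into `cidr_block`; an empty problem list for the VPC and a non-empty subnet plan are what you want to see before the plan is applied.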

Route Tables & Traffic Flow

Each subnet must be associated with exactly one route table. You can attach multiple subnets to a single route table, but not vice versa. Route tables contain rules that determine where traffic leaving a subnet is directed, whether to the VPC itself, to an internet or NAT gateway, or to a peering connection.

⚠️ Routing Conflict: Overlapping routes within the same table will cause packet drops. CloudNexus validates route conflicts during update and prevents application of ambiguous paths.

Destination  | Target       | Behavior
-------------|--------------|------------------------------------
10.42.0.0/16 | local        | Automatic route to VPC CIDR
0.0.0.0/0    | igw-0a1b2c3d | Direct internet access (Public)
0.0.0.0/0    | nat-0x9y8z7w | Outbound-only internet (Private)
10.99.0.0/16 | pcx-0m1n2o3p | VPC Peering to staging network
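The routing-conflict warning and the table above can be reproduced with a small checker. This is an added example, not CloudNexus code: `find_conflicts` flags a destination that appears with more than one target (the table's two `0.0.0.0/0` rows, one for a public and one for a private subnet, would be ambiguous if they were ever placed in the same table), and `resolve_target` shows why a more specific prefix beside a broader one is not a conflict. The example assumes longest-prefix matching, the usual behaviour for route tables, which the page does not state; the route entries are the page's own, assembled here into a private-subnet table.

```python
import ipaddress
from collections import defaultdict

# A private subnet's route table, as (destination CIDR, target) pairs from the page.
PRIVATE_SUBNET_ROUTES = [
    ("10.42.0.0/16", "local"),          # automatic route to the VPC CIDR
    ("0.0.0.0/0",    "nat-0x9y8z7w"),   # outbound-only internet via NAT
    ("10.99.0.0/16", "pcx-0m1n2o3p"),   # peering to the staging network
]


def find_conflicts(routes):
    """Return [(destination, [targets...])] for destinations listed with more than one target.

    Two entries for the same destination are ambiguous: the table cannot say
    which target should receive the packet. A more specific prefix beside a
    broader one (10.99.0.0/16 next to 0.0.0.0/0) is not a conflict, because
    the most specific match wins (see resolve_target).
    """
    targets_by_dest = defaultdict(list)
    for dest, target in routes:
        key = str(ipaddress.IPv4Network(dest))   # normalise the CIDR spelling
        if target not in targets_by_dest[key]:
            targets_by_dest[key].append(target)
    return [(dest, t) for dest, t in targets_by_dest.items() if len(t) > 1]


def resolve_target(routes, dst_ip):
    """Longest-prefix match: the most specific destination containing dst_ip wins.

    Refuses to answer for an ambiguous table, mirroring the validation the
    page describes, instead of silently picking one of the duplicate routes.
    """
    conflicts = find_conflicts(routes)
    if conflicts:
        raise ValueError(f"ambiguous routes: {conflicts}")
    ip = ipaddress.IPv4Address(dst_ip)
    best = None
    for dest, target in routes:
        net = ipaddress.IPv4Network(dest)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


if __name__ == "__main__":
    print(find_conflicts(PRIVATE_SUBNET_ROUTES))                        # []
    print(resolve_target(PRIVATE_SUBNET_ROUTES, "10.99.4.7"))            # pcx-0m1n2o3p
    print(resolve_target(PRIVATE_SUBNET_ROUTES, "93.184.216.34"))        # nat-0x9y8z7w
    broken = PRIVATE_SUBNET_ROUTES + [("0.0.0.0/0", "igw-0a1b2c3d")]
    print(find_conflicts(broken))   # [('0.0.0.0/0', ['nat-0x9y8z7w', 'igw-0a1b2c3d'])]
```

Running `find_conflicts` over each route table in a plan before applying it catches the case the warning describes; a table that mixes the public and private default routes is the one to split.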

Security Groups & NACLs

CloudNexus uses a layered security model. Security Groups act as stateful virtual firewalls at the instance level, while Network ACLs provide stateless subnet-level filtering.

Security Group Rules

  • Supports allow/deny (default: deny all inbound, allow all outbound)
  • References IP ranges, security groups, or prefix lists
  • Changes apply immediately without instance restart
  • Stateful: return traffic is automatically allowed regardless of rules

# Example: Web Server Security Group (ingress rules, HCL)
ingress_rules = [
  {
    from_port   = 443
    to_port     = 443
    protocol    = "TCP"
    cidr_blocks = ["0.0.0.0/0"]  # Public HTTPS
  },
  {
    from_port   = 5432
    to_port     = 5432
    protocol    = "TCP"
    source_sg   = "sg-app-tier"  # DB access from app servers
  }
]
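The rule semantics listed above (default deny inbound, allow all outbound, stateful return traffic, rules that reference CIDRs or other security groups) and the FAQ point that security group references are not transitive across peering can be made concrete with a small evaluator. This is an added example, not CloudNexus code; it transcribes the page's two ingress rules into Python and models a sender's security-group membership as seen from this VPC, so a sender in a peered VPC carries no group membership here and can only be admitted by a CIDR rule. The IP addresses in the tests are constructed sample values.

```python
import ipaddress

# The page's web-server ingress rules, transcribed from HCL into Python dicts.
WEB_INGRESS = [
    {"from_port": 443,  "to_port": 443,  "protocol": "TCP", "cidr_blocks": ["0.0.0.0/0"]},
    {"from_port": 5432, "to_port": 5432, "protocol": "TCP", "source_sg": "sg-app-tier"},
]


def rule_matches(rule, proto, dst_port, src_ip, src_sgs=()):
    """True if one ingress rule admits a packet from src_ip to dst_port/proto.

    src_sgs: security groups attached to the sending instance, as seen from
    this VPC. A sender in a peered VPC has none here, which is why a
    source_sg reference cannot admit peered traffic (FAQ: not transitive).
    """
    if rule["protocol"].lower() != proto.lower():
        return False
    if not rule["from_port"] <= dst_port <= rule["to_port"]:
        return False
    ip = ipaddress.ip_address(src_ip)
    if any(ip in ipaddress.ip_network(c) for c in rule.get("cidr_blocks", [])):
        return True
    return rule.get("source_sg") in src_sgs


class StatefulSecurityGroup:
    """Stateful evaluation: deny inbound by default, allow all outbound, and
    admit return traffic for flows the instance itself opened."""

    def __init__(self, ingress_rules):
        self.ingress_rules = ingress_rules
        self.tracked = set()   # (proto, remote_ip, remote_port, local_port)

    def outbound(self, proto, remote_ip, remote_port, local_port):
        # Outbound is allowed regardless of rules; remember the flow for its reply.
        self.tracked.add((proto.lower(), remote_ip, remote_port, local_port))
        return True

    def inbound(self, proto, src_ip, src_port, dst_port, src_sgs=()):
        # A reply to a flow this instance opened is allowed regardless of rules.
        if (proto.lower(), src_ip, src_port, dst_port) in self.tracked:
            return True
        # Otherwise the packet must match an explicit ingress rule (default deny).
        return any(rule_matches(r, proto, dst_port, src_ip, src_sgs)
                   for r in self.ingress_rules)


if __name__ == "__main__":
    sg = StatefulSecurityGroup(WEB_INGRESS)
    print(sg.inbound("tcp", "203.0.113.9", 51000, 443))                          # True
    print(sg.inbound("tcp", "203.0.113.9", 51000, 22))                           # False
    print(sg.inbound("tcp", "10.42.1.5", 40000, 5432, src_sgs=("sg-app-tier",)))  # True
    print(sg.inbound("tcp", "10.99.1.5", 40000, 5432))                           # False (peered)
    sg.outbound("tcp", "198.51.100.7", 80, 53422)
    print(sg.inbound("tcp", "198.51.100.7", 80, 53422))                          # True (reply)
```

The peered-sender case is the one to keep in mind when a cross-VPC connection fails despite a `source_sg` rule: the fix the FAQ describes is a rule in each VPC that names the peered network's CIDR, not the remote group.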

Limits & Pricing

CloudNexus VPCs are free to provision. You only pay for the resources deployed inside them and optional networking add-ons.

Resource                | Default Limit | Max Limit        | Pricing Model
------------------------|---------------|------------------|-------------------------------
VPCs per Region         | 5             | 50 (requestable) | Free
Subnets per VPC         | 20            | 200              | Free
Route Tables            | 5             | 50               | Free
NAT Gateways            | 5             | Unlimited        | $0.045/hr + $0.045/GB processed
VPC Peering Connections | 5             | 50               | $0.01/hr + $0.01/GB

Frequently Asked Questions

Can I resize a VPC CIDR block after creation?

Yes. CloudNexus supports CIDR resizing up to a /8 block (16M addresses). You can add secondary CIDR blocks or expand the primary range. Expansions take effect immediately for new resources; existing instances retain their IPs.

How does VPC peering differ from Transit Gateway?

VPC Peering creates a direct 1:1 connection between two VPCs. Transit Gateway acts as a central hub for hub-and-spoke architectures, supporting up to 1,000 VPC attachments, simplifying route propagation, and enabling traffic policy control.

Are security groups transitive?

No. Security group references do not follow VPC peering or Transit Gateway routes. You must explicitly configure rules in each VPC to allow traffic from peered networks.

Can I enable IPv6 on an existing VPC?

Yes. IPv6 can be enabled post-creation. CloudNexus will automatically assign a /56 prefix from our partner provider. Subnets will receive /64 prefixes automatically. IPv6 traffic is billed at the same rate as IPv4.

Ready to Isolate Your Workloads?

Provision your first VPC in under 60 seconds. Get full control over networking, security, and routing.
