N10-009 | Chapter 11 of 163 | Objective 1.7

Cloud Networking Concepts

This chapter covers cloud networking concepts as tested in CompTIA Network+ N10-009 Objective 1.7. Cloud networking is a core topic, appearing in roughly 10-15% of exam questions, often integrated with virtualization, security, and infrastructure scenarios. You will learn the differences between public, private, hybrid, and community clouds, the various service models (IaaS, PaaS, SaaS), and key networking components like VPCs, subnets, and cloud gateways. Understanding these concepts is essential for designing and troubleshooting modern network environments that span on-premises and cloud resources.

25 min read
Intermediate
Updated May 31, 2026

Cloud as a Shared Office Building

Imagine a large office building with multiple floors, each floor representing a different cloud deployment model. On the ground floor, you have a private suite (private cloud) — only your company's employees have keys, and you control every aspect of the space. The upper floors are co-working spaces (public cloud) where anyone can rent a desk or a conference room on demand, paying only for the time they use. The building's management (cloud provider) handles maintenance, electricity, and internet access. You can also have a hybrid setup: your team uses the private suite for sensitive work but rents the co-working space for overflow projects. This mirrors cloud networking: you choose how much control you need (private), how much you want to share (public), or a mix (hybrid). The building's internal network (VPC/VNet) lets your team communicate securely across different floors, while the front desk (internet gateway) manages who enters from outside. Multi-cloud is like having offices in two different buildings in different cities — you manage both but they're independent.

How It Actually Works

What is Cloud Networking?

Cloud networking refers to the use of cloud-based resources to deliver network services, such as connectivity, routing, and security, over the internet. Instead of owning physical routers, switches, and firewalls, organizations lease virtualized network functions from cloud providers like AWS, Microsoft Azure, and Google Cloud Platform (GCP). This model provides scalability, elasticity, and pay-as-you-go pricing.

Cloud Deployment Models

The N10-009 exam distinguishes four primary deployment models:

Public Cloud: Infrastructure is owned and operated by a third-party provider and shared across multiple tenants. Examples: AWS EC2, Azure VMs, GCP Compute Engine. The provider manages the physical hardware; the tenant manages the OS and applications (in IaaS).

Private Cloud: Infrastructure is used exclusively by one organization. It can be hosted on-premises or by a third party. The organization has full control over hardware and software. Example: VMware vSphere private cloud on company premises.

Hybrid Cloud: Combines public and private clouds, allowing data and applications to be shared between them. This requires a secure, dedicated network connection (e.g., VPN or direct connect) and orchestration tools. Example: Running a web app on AWS but keeping a database on-premises.

Community Cloud: Infrastructure is shared by several organizations with common concerns (e.g., compliance, security). Example: A government cloud shared by multiple agencies.

Cloud Service Models

Three main service models define what the provider manages:

Infrastructure as a Service (IaaS): Provides virtualized computing resources (VMs, storage, networks). The tenant manages the OS, middleware, and applications; the provider manages the hypervisor, physical servers, and networking. Example: AWS EC2.

Platform as a Service (PaaS): Provides a platform for developing and deploying applications without managing underlying infrastructure. The tenant manages only the application and data; the provider manages the OS, runtime, and middleware. Example: AWS Elastic Beanstalk.

Software as a Service (SaaS): Provides fully functional applications accessed via a web browser. The tenant only configures usage; the provider manages everything. Example: Office 365, Salesforce.

Virtual Private Cloud (VPC) and Virtual Network (VNet)

A VPC (AWS) or VNet (Azure) is a logically isolated section of the cloud where you can launch resources. It is analogous to a virtual data center. Key components:

Subnets: Segments of the VPC's IP address range (CIDR block). Subnets can be public (accessible from the internet) or private (no direct internet access).

Internet Gateway (IGW): A horizontally scaled, redundant component that allows communication between a VPC and the internet. Only one IGW per VPC.

NAT Gateway/Instance: Enables instances in private subnets to initiate outbound traffic to the internet (e.g., for updates) but prevents inbound traffic.

Route Tables: Define rules (routes) that determine where network traffic is directed. Each subnet must be associated with a route table.

Security Groups: Stateful virtual firewalls that control inbound and outbound traffic at the instance level. Rules are permit-only; deny rules cannot be created.

Network Access Control Lists (NACLs): Stateless firewalls that control traffic at the subnet level. NACLs support both allow and deny rules, and rules are evaluated in order (lowest number first).

Cloud Connectivity Options

To connect on-premises networks to cloud VPCs:

VPN Connection: Uses IPsec tunnels over the internet. Can be static (site-to-site VPN) or dynamic (BGP-based). Common for hybrid clouds. Example: AWS Site-to-Site VPN.

Direct Connect / ExpressRoute: A dedicated physical connection from your on-premises data center to the cloud provider. Provides higher bandwidth, lower latency, and more consistent performance than VPN. Example: AWS Direct Connect, Azure ExpressRoute.

VPC Peering: Connects two VPCs within the same cloud provider so they can communicate using private IP addresses. Traffic stays within the provider's network. Not transitive (unless using a transit gateway).

Transit Gateway: A central hub that connects multiple VPCs and on-premises networks, simplifying network architecture. Supports transitive routing.

Cloud Security and Compliance

Shared Responsibility Model: The provider secures the infrastructure (physical security, hypervisor, network); the tenant secures everything they deploy (OS, applications, data, access).

Identity and Access Management (IAM): Controls who can perform actions on cloud resources. Key concepts: users, groups, roles, policies.

Encryption: Data should be encrypted at rest (e.g., S3 server-side encryption) and in transit (TLS). Cloud providers offer key management services (e.g., AWS KMS).

Cloud Elasticity and Scalability

Elasticity: The ability to automatically scale resources up or down based on demand. Example: AWS Auto Scaling groups launch additional EC2 instances when CPU utilization exceeds 70%.

Scalability: The ability to handle increased load by adding resources. Vertical scaling (increase instance size) vs. horizontal scaling (add more instances).

Cloud Management Interfaces

Web Console: GUI for managing resources.

CLI: Command-line tools (e.g., AWS CLI, Azure CLI) for scripting and automation.

APIs: RESTful APIs for programmatic control.

Infrastructure as Code (IaC): Tools like Terraform, CloudFormation, and ARM templates define infrastructure in declarative files.

Common Cloud Networking Misconfigurations

Overly permissive security groups: Allowing 0.0.0.0/0 on all ports.

Missing route table entries: Instances in private subnets cannot reach the internet without a NAT gateway.

Incorrect NACL rules: Stateless NACLs require both inbound and outbound rules for traffic to flow.

VPC peering misrouting: Peering connections are not transitive; each VPC needs explicit routes to the peer.
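As an added example (not from this guide), the following Python script audits a constructed VPC description for three of the misconfigurations listed above: a wide-open security group, a private subnet with no NAT route, and a peering connection that only one side has routed. The dictionary layout, the `nat-` target prefix and the sample IDs are assumptions made for this example, not any provider's API format.

```python
# Added example: audit a constructed VPC model for common misconfigurations.
# The dict layout (subnets, route_tables, security_groups, peerings) is an
# assumption made for this example, not a cloud provider's real API format.
from ipaddress import ip_network

ANY = "0.0.0.0/0"

# Constructed sample VPC, deliberately containing one instance of each mistake.
VPC = {
    "id": "vpc-web", "cidr": "10.0.0.0/16",
    "subnets": {
        "public-a":  {"cidr": "10.0.1.0/24", "public": True,  "route_table": "rt-public"},
        "private-a": {"cidr": "10.0.2.0/24", "public": False, "route_table": "rt-private"},
    },
    "route_tables": {
        "rt-public":  [{"dest": "10.0.0.0/16", "target": "local"},
                       {"dest": ANY, "target": "igw-1"}],
        "rt-private": [{"dest": "10.0.0.0/16", "target": "local"}],  # no NAT route
    },
    "security_groups": {
        "sg-web": [{"proto": "tcp", "from": 443, "to": 443, "src": ANY}],
        "sg-bad": [{"proto": "-1", "from": 0, "to": 65535, "src": ANY}],  # wide open
    },
    # Peering to a partner VPC 10.1.0.0/16: only the peer side has a route.
    "peerings": [{"id": "pcx-1", "peer_cidr": "10.1.0.0/16",
                  "local_routes": [], "peer_routes": ["10.0.0.0/16"]}],
}


def overly_permissive_sgs(vpc):
    """Security group rules that open every port to the whole internet."""
    findings = []
    for name, rules in vpc["security_groups"].items():
        for r in rules:
            all_ports = r["proto"] == "-1" or (r["from"] == 0 and r["to"] == 65535)
            if r["src"] == ANY and all_ports:
                findings.append(f"{name}: allows all ports from {ANY}")
    return findings


def private_subnets_without_nat(vpc):
    """Private subnets whose route table has no default route via a NAT gateway."""
    findings = []
    for name, sn in vpc["subnets"].items():
        if sn["public"]:
            continue
        routes = vpc["route_tables"][sn["route_table"]]
        has_nat = any(r["dest"] == ANY and r["target"].startswith("nat-") for r in routes)
        if not has_nat:
            findings.append(f"{name}: no 0.0.0.0/0 route via a NAT gateway")
    return findings


def peerings_missing_routes(vpc):
    """Peering is not transitive: each side needs an explicit route to the other."""
    findings = []
    for p in vpc["peerings"]:
        missing = []
        if ip_network(p["peer_cidr"]) not in map(ip_network, p["local_routes"]):
            missing.append("local")
        if ip_network(vpc["cidr"]) not in map(ip_network, p["peer_routes"]):
            missing.append("peer")
        if missing:
            findings.append(f"{p['id']}: no route to the peer on the {'/'.join(missing)} side")
    return findings


def audit(vpc):
    """Run every check and return the combined list of findings."""
    return (overly_permissive_sgs(vpc) + private_subnets_without_nat(vpc)
            + peerings_missing_routes(vpc))


if __name__ == "__main__":
    for finding in audit(VPC):
        print("FINDING:", finding)
```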

Cloud Cost Considerations

Data transfer costs: Ingress (incoming) is often free; egress (outgoing) is charged. Cross-region and cross-AZ traffic incurs costs.

Reserved instances: Commit to a 1- or 3-year term for lower hourly rates.

Spot instances: Use unused capacity at steep discounts but can be terminated with little notice.

Exam Relevance

For N10-009, focus on:

Differentiating deployment models and service models.

Understanding VPC components and their functions.

Knowing connectivity options (VPN, Direct Connect, peering).

Recognizing the shared responsibility model.

Identifying common cloud security tools (IAM, security groups, NACLs).

Understanding elasticity vs. scalability.

Walk-Through

1. Define Cloud Requirements

The network engineer assesses the organization's needs: which applications will run in the cloud, data sensitivity, compliance requirements (e.g., HIPAA, PCI-DSS), expected traffic patterns, and budget. This step determines the deployment model (public, private, hybrid) and the service model (IaaS, PaaS, SaaS). For example, a healthcare app requiring PHI data might mandate a private cloud or a dedicated instance. The engineer also estimates bandwidth, latency, and redundancy needs.

2. Design VPC and Subnets

The engineer creates a VPC with a CIDR block (e.g., 10.0.0.0/16) and divides it into subnets. Public subnets (e.g., 10.0.1.0/24) will host web servers; private subnets (e.g., 10.0.2.0/24) host databases. Each subnet is associated with a route table and a NACL. The VPC is given an Internet Gateway for public subnets and a NAT Gateway for private subnets to access the internet. Route tables are configured: public subnets route 0.0.0.0/0 to the IGW; private subnets route 0.0.0.0/0 to the NAT Gateway.

3. Configure Security Groups and NACLs

Security groups (stateful) are created for each instance type: a web security group allows inbound HTTP/HTTPS from 0.0.0.0/0 and outbound to anywhere; a database security group allows inbound MySQL (3306) only from the web security group. NACLs (stateless) are applied at the subnet level: public subnet NACL allows inbound HTTP/HTTPS and ephemeral ports for return traffic; private subnet NACL denies all inbound from 0.0.0.0/0 except from the public subnet. The engineer must ensure NACL rules are symmetric (inbound and outbound) because they are stateless.

4. Establish Connectivity to On-Premises

For a hybrid cloud, the engineer sets up a site-to-site VPN or a Direct Connect connection. For VPN, a virtual private gateway is attached to the VPC, and an IPsec tunnel is configured with the on-premises VPN device. BGP is often used for dynamic routing. For Direct Connect, a cross-connect is ordered from a colocation provider. The engineer configures the on-premises router to advertise routes to the cloud and accept routes from the cloud via BGP. Route tables in the VPC are updated to direct on-premises traffic to the virtual private gateway.

5. Deploy Resources and Test

EC2 instances (or Azure VMs) are launched in the appropriate subnets. The engineer verifies that web servers in public subnets are reachable from the internet via the IGW, that database servers in private subnets can connect to the internet for updates via the NAT Gateway, and that on-premises users can access resources through the VPN. Tools like ping, traceroute, and cloud-specific commands (e.g., `aws ec2 describe-instances`) are used for verification. The engineer also tests failover and scalability by simulating traffic spikes.
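The security group and NACL behaviour from steps 2 and 3, together with the ephemeral-port edge case this chapter returns to later, as an added Python model that is not part of the original guide. The rule dictionaries, the sample client addresses and the web-tier rule sets are constructed for this example; the model follows the chapter's description (security groups allow-only and stateful, NACLs numbered, ordered and stateless with an implicit final deny).

```python
# Added example: model how the stateful security group and the stateless NACL
# from the walk-through decide whether an HTTP request and its reply get through.
# Rule formats and sample traffic are constructed for this example.
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)  # return-traffic port range the chapter cites


def sg_allows(rules, proto, port, src_ip):
    """Security group: allow-only rules, evaluated as a whole (any match allows)."""
    return any(r["proto"] == proto and r["from"] <= port <= r["to"]
               and ip_address(src_ip) in ip_network(r["cidr"]) for r in rules)


def nacl_decides(rules, proto, port, peer_ip):
    """NACL: numbered rules, lowest number first; first match wins; implicit deny."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if (r["proto"] in (proto, "all") and r["from"] <= port <= r["to"]
                and ip_address(peer_ip) in ip_network(r["cidr"])):
            return r["action"] == "allow"
    return False  # the final '*' rule denies anything unmatched


def http_session_allowed(sg_in, nacl_in, nacl_out, client_ip, client_port):
    """Return (request_ok, reply_ok) for one client TCP connection to port 80.

    The request is checked inbound by the NACL, then by the security group.
    The reply is allowed automatically by the stateful security group, but the
    stateless NACL still needs an outbound rule for the client's ephemeral port.
    """
    request_ok = (nacl_decides(nacl_in, "tcp", 80, client_ip)
                  and sg_allows(sg_in, "tcp", 80, client_ip))
    if not request_ok:
        return (False, False)
    # The security group tracks the connection, so no outbound SG check is needed.
    reply_ok = nacl_decides(nacl_out, "tcp", client_port, client_ip)
    return (True, reply_ok)


# Constructed rules for the public web tier from step 3.
WEB_SG_IN = [{"proto": "tcp", "from": 80, "to": 80, "cidr": "0.0.0.0/0"},
             {"proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"}]
PUBLIC_NACL_IN = [
    {"num": 100, "action": "allow", "proto": "tcp", "from": 80, "to": 80, "cidr": "0.0.0.0/0"},
    {"num": 110, "action": "allow", "proto": "tcp", "from": 443, "to": 443, "cidr": "0.0.0.0/0"},
]
# Broken outbound NACL: the ephemeral-port rule was forgotten, so replies are dropped.
NACL_OUT_BROKEN = [
    {"num": 100, "action": "allow", "proto": "tcp", "from": 80, "to": 80, "cidr": "0.0.0.0/0"},
]
# Fixed outbound NACL: replies to the client's ephemeral port are allowed.
NACL_OUT_FIXED = NACL_OUT_BROKEN + [
    {"num": 110, "action": "allow", "proto": "tcp",
     "from": EPHEMERAL[0], "to": EPHEMERAL[1], "cidr": "0.0.0.0/0"},
]
# A deny with a lower number wins over the later allow (ordered evaluation).
NACL_IN_BLOCKLIST = [
    {"num": 50, "action": "deny", "proto": "all", "from": 0, "to": 65535, "cidr": "203.0.113.0/24"},
] + PUBLIC_NACL_IN


if __name__ == "__main__":
    print(http_session_allowed(WEB_SG_IN, PUBLIC_NACL_IN, NACL_OUT_BROKEN, "198.51.100.7", 50000))  # (True, False)
    print(http_session_allowed(WEB_SG_IN, PUBLIC_NACL_IN, NACL_OUT_FIXED, "198.51.100.7", 50000))   # (True, True)
    print(http_session_allowed(WEB_SG_IN, NACL_IN_BLOCKLIST, NACL_OUT_FIXED, "203.0.113.9", 50000)) # (False, False)
```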

What This Looks Like on the Job

Enterprise Scenario 1: E-Commerce Platform on AWS

A large e-commerce company runs its website on AWS using a multi-tier architecture. The web tier is in public subnets across three Availability Zones (AZs) behind an Application Load Balancer (ALB). The application tier is in private subnets, and the database tier uses Amazon RDS in private subnets. The company uses a VPC with CIDR 10.0.0.0/16. Security groups are tightly scoped: the ALB allows HTTPS from 0.0.0.0/0; the web instances allow traffic only from the ALB; the app instances allow traffic only from web instances; the database allows traffic only from app instances. NACLs provide an additional layer at the subnet level. For hybrid connectivity, the company uses AWS Direct Connect to link its on-premises inventory system to the VPC, enabling real-time stock updates. Performance considerations include ensuring sufficient bandwidth on the Direct Connect link (1 Gbps) and monitoring for throttling. A common misconfiguration is forgetting to add routes to the virtual private gateway in the route tables, causing on-premises traffic to drop.

Enterprise Scenario 2: Healthcare Provider on Azure

A healthcare provider migrates its patient portal to Azure using a private cloud model (Azure Stack) due to HIPAA compliance. They deploy a VNet with address space 192.168.0.0/16 and use Azure Site-to-Site VPN to connect to multiple clinics. Each clinic has a local network gateway and a connection to the VNet. The provider uses Azure Firewall to inspect traffic between subnets and to the internet. They also use Azure Bastion for secure RDP/SSH access to VMs without public IPs. A key challenge is managing IP address overlap between clinics (e.g., two clinics using 192.168.1.0/24). The solution is to use network address translation (NAT) on the VPN devices or renumber one clinic. The exam often tests the shared responsibility model: the provider is responsible for securing the OS and applications on the VMs, while Azure secures the physical infrastructure.

Enterprise Scenario 3: Multi-Cloud with Google Cloud and AWS

A financial services firm uses both AWS and GCP to avoid vendor lock-in. They have a VPC in AWS (10.1.0.0/16) and a VPC in GCP (10.2.0.0/16). They connect them via a VPN tunnel between the two cloud providers. BGP is used for dynamic route exchange. The firm also uses a transit gateway in AWS to connect multiple VPCs and on-premises. A common issue is asymmetric routing, where traffic goes from AWS to GCP via VPN but returns via the internet, causing session drops. The fix is to ensure symmetric routing by using static routes or BGP policies. The exam may ask about the differences between cloud providers' terminology (e.g., VPC vs. VNet, IGW vs. internet gateway).

How N10-009 Actually Tests This

Objective 1.7: Cloud Networking Concepts

The N10-009 exam tests your ability to compare and contrast cloud deployment models, service models, and networking components. Expect 4-6 questions on this topic. Key areas:

Deployment Models: Know the definitions and use cases for public, private, hybrid, and community clouds. A common wrong answer is confusing hybrid with community — hybrid mixes public and private; community is shared by multiple organizations with similar interests.

Service Models: Be able to differentiate IaaS, PaaS, and SaaS. The exam loves to ask: 'Which model gives you the most control?' (IaaS) and 'Which model requires you to manage the OS?' (IaaS). A trap: some think PaaS requires managing the OS — it does not.

VPC Components: Memorize the function of Internet Gateway, NAT Gateway, security groups, and NACLs. A frequent wrong answer is that security groups are stateless — they are stateful. Another is that NACLs are stateful — they are stateless.

Connectivity Options: Know the difference between VPN (over internet, variable performance) and Direct Connect (dedicated, consistent). The exam may ask: 'Which provides the most consistent latency?' (Direct Connect).

Shared Responsibility Model: You must know who is responsible for what. A common trap: the provider is responsible for securing the guest OS — false; the tenant is.

Elasticity vs. Scalability: Elasticity is automatic scaling up/down; scalability is the ability to handle growth. The exam might ask: 'Which term describes automatically adding instances during peak traffic?' (Elasticity).

Numbers and Values: Know that VPC CIDR blocks can range from /16 to /28. Security groups support up to 60 inbound and 60 outbound rules. NACLs support up to 20 rules per direction (inbound/outbound).

Edge Cases: If a security group allows inbound HTTP from 0.0.0.0/0, outbound traffic is automatically allowed (stateful). But a NACL must have an outbound rule for ephemeral ports (1024-65535) to allow return traffic. Also, VPC peering does not support transitive routing — if VPC A is peered with B and B with C, A cannot talk to C unless there is a direct peering or a transit gateway.

How to Eliminate Wrong Answers

If the question mentions 'stateful', it is likely a security group; if 'stateless', it is a NACL.

If the question mentions 'shared infrastructure', it is public cloud; 'exclusive use' is private.

If the question asks about 'most control', the answer is IaaS; 'least control' is SaaS.

For connectivity, if the answer includes 'internet', it is VPN; if 'dedicated line', it is Direct Connect.

Always check who is responsible: if the scenario involves patching the OS, it is the tenant's responsibility.

Key Takeaways

The four cloud deployment models are public, private, hybrid, and community.

The three cloud service models are IaaS, PaaS, and SaaS, with decreasing tenant control.

A VPC/VNet is a logically isolated network in the cloud with subnets, route tables, and gateways.

Security groups are stateful and operate at the instance level; NACLs are stateless and operate at the subnet level.

NAT gateways enable outbound internet access for private instances but do not allow inbound connections.

Hybrid cloud connectivity options include VPN (over internet) and Direct Connect/ExpressRoute (dedicated).

VPC peering is not transitive; use a transit gateway for multi-VPC connectivity.

The shared responsibility model: provider secures the cloud; tenant secures what is in the cloud.

Elasticity refers to automatic scaling; scalability is the ability to handle growth.

Common cloud security tools include IAM, security groups, NACLs, and encryption (at rest and in transit).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Public Cloud

Infrastructure shared across multiple tenants.

Lower upfront cost, pay-as-you-go pricing.

Less control over physical security and compliance.

Scalable and elastic resources on demand.

Provider manages hardware and hypervisor.

Private Cloud

Infrastructure dedicated to a single organization.

Higher upfront cost for hardware and maintenance.

Full control over security, compliance, and data.

Limited scalability by physical capacity.

Organization manages hardware and software stack.

Security Group

Stateful: return traffic automatically allowed.

Operates at the instance level (first layer).

Supports only allow rules, no deny rules.

Rules are evaluated as a whole (all rules apply).

Default: all inbound traffic denied, all outbound allowed.

Network ACL (NACL)

Stateless: must explicitly allow both directions.

Operates at the subnet level (second layer).

Supports both allow and deny rules.

Rules are evaluated in order (lowest number first).

Default: all inbound and outbound traffic denied.

Watch Out for These

Mistake

In a public cloud, the provider is responsible for all security.

Correct

Security follows the shared responsibility model. The provider secures the physical infrastructure, hypervisor, and network. The tenant is responsible for securing their OS, applications, data, and access management (IAM). For example, if a VM is compromised due to unpatched software, it is the tenant's fault.

Mistake

Security groups and NACLs are both stateful.

Correct

Security groups are stateful: if you allow inbound traffic, the outbound return traffic is automatically allowed. NACLs are stateless: you must explicitly allow both inbound and outbound traffic. For example, if a NACL allows inbound HTTP, you must also allow outbound ephemeral ports (1024-65535) for the response to reach the client.

Mistake

VPC peering allows transitive routing between three VPCs.

Correct

VPC peering is not transitive. If VPC A is peered with VPC B, and VPC B is peered with VPC C, traffic from A to C is blocked unless A and C are directly peered. To enable transitive routing, you must use a transit gateway or a hub-and-spoke architecture.

Mistake

A NAT gateway allows inbound connections from the internet to private instances.

Correct

A NAT gateway only allows outbound traffic from private instances to the internet and permits the return traffic. It does not allow unsolicited inbound connections. For inbound access, you must use a public IP on the instance or a load balancer in a public subnet.

Mistake

Hybrid cloud and multi-cloud are the same thing.

Correct

Hybrid cloud combines a public cloud with a private cloud (or on-premises) that are connected. Multi-cloud uses multiple public cloud providers (e.g., AWS and Azure) without necessarily having a private cloud. Hybrid focuses on connectivity between environments; multi-cloud focuses on diversity of providers.


Frequently Asked Questions

What is the difference between public, private, hybrid, and community cloud?

Public cloud is shared infrastructure owned by a third-party provider (e.g., AWS, Azure). Private cloud is dedicated to a single organization, either on-premises or hosted. Hybrid cloud combines public and private clouds that are connected (e.g., via VPN). Community cloud is shared by multiple organizations with common goals (e.g., government agencies). The exam focuses on knowing these definitions and their use cases.

What is the shared responsibility model in cloud computing?

The shared responsibility model defines who is responsible for security. The cloud provider is responsible for the security OF the cloud (physical infrastructure, hypervisor, network). The tenant is responsible for security IN the cloud (OS, applications, data, IAM). For example, in IaaS, the tenant patches the OS; in PaaS, the provider patches the OS. The exam tests this by asking which party is responsible for a specific task.

How does a VPC differ from a traditional on-premises network?

A VPC (Virtual Private Cloud) is a software-defined network in the cloud. It is logically isolated and can be created quickly without physical hardware. It includes virtual components like subnets, route tables, internet gateways, and security groups. Unlike on-premises, you pay only for what you use, and you can scale elastically. The exam may ask you to identify VPC components in a diagram.

What is the purpose of a NAT gateway in a VPC?

A NAT gateway allows instances in a private subnet to initiate outbound traffic to the internet (e.g., for software updates) while preventing inbound traffic from the internet. It translates the private IP to the NAT gateway's public IP. It is different from an internet gateway, which allows both inbound and outbound traffic to instances with public IPs. The exam often tests scenarios where private instances need internet access.

What is the difference between elasticity and scalability in cloud computing?

Elasticity is the ability to automatically scale resources up or down based on demand (e.g., AWS Auto Scaling). Scalability is the capability to handle increased load by adding resources (either vertically or horizontally). Elasticity implies dynamic, automatic adjustment; scalability is a broader term that includes planned scaling. The exam may ask which term describes automatic scaling during traffic spikes.

How do security groups and NACLs differ?

Security groups are stateful virtual firewalls at the instance level. They only have allow rules, and return traffic is automatically permitted. NACLs are stateless firewalls at the subnet level. They have both allow and deny rules, evaluated in order, and you must explicitly allow return traffic. The exam tests this by asking which is stateful or which supports deny rules.

What is the purpose of a transit gateway in cloud networking?

A transit gateway acts as a central hub to connect multiple VPCs and on-premises networks, enabling transitive routing. Without a transit gateway, VPC peering is not transitive. It simplifies network architecture and reduces the number of peering connections. The exam may ask how to connect multiple VPCs efficiently.
