This chapter covers cloud network operations, focusing on how cloud-based networks are designed, configured, and managed. For the N10-009 exam, this topic appears in roughly 10-15% of questions under Domain 3.0 (Network Operations) and Objective 3.3 (Cloud Network Operations). Mastering these concepts is essential for understanding modern hybrid and cloud-only environments, which are increasingly common in production networks.
Jump to a section
Imagine a cloud network as a city transit system. The city has multiple neighborhoods (availability zones) connected by highways (virtual private cloud, or VPC, networks). Each building (virtual machine, or VM) has a unique street address (private IP). To go outside the city, buildings use a central bus station (NAT gateway) that replaces their private address with a public one. The bus station logs every departure and return, so replies find the correct building. Traffic lights (security groups) at each intersection control which vehicles (packets) can enter or leave a neighborhood based on rules like "only delivery trucks from certain companies" (source IP and port). A city planner (cloud administrator) designs the routes and rules using a map (cloud formation template) and monitors traffic flow (metrics and logs). If a road is blocked (misconfigured route table), vehicles are rerouted or stuck. The system scales by adding new neighborhoods and buses (auto-scaling groups and load balancers) as the city grows.
What is Cloud Network Operations?
Cloud network operations encompass the design, deployment, management, and troubleshooting of network infrastructure within cloud computing environments such as AWS, Microsoft Azure, and Google Cloud Platform (GCP). Unlike traditional on-premises networks, cloud networks are software-defined, highly elastic, and accessed via APIs. The N10-009 exam tests your understanding of key components like virtual private clouds (VPCs), subnets, routing, security groups, NAT, VPNs, and load balancing, as well as how these elements interact in a cloud-native or hybrid architecture.
Why Cloud Network Operations Matter
Enterprises increasingly migrate workloads to the cloud for scalability, cost efficiency, and global reach. Network operations teams must ensure connectivity, security, and performance across virtual networks that span multiple regions and availability zones. Misconfigurations—such as overly permissive security groups or incorrect route tables—are leading causes of data breaches and outages. The exam emphasizes common pitfalls and best practices.
Key Components and Mechanisms
#### Virtual Private Cloud (VPC) A VPC is an isolated virtual network within a cloud provider's infrastructure. It defines an IP address range (CIDR block), typically from /16 to /28. For example, 10.0.0.0/16 provides 65,536 private IPs. Inside the VPC, you create subnets—segments of the IP range—each associated with an availability zone (AZ) for fault tolerance. Subnets can be public (with a route to an internet gateway) or private (no direct internet access).
#### Subnets and Route Tables Each subnet must have a route table that controls traffic leaving the subnet. Route tables contain entries specifying destination CIDR and target (e.g., local, internet gateway, NAT gateway, virtual private gateway). The default route (0.0.0.0/0) points to an internet gateway for public subnets or a NAT gateway for private subnets. For example:
Destination Target
10.0.0.0/16 local
0.0.0.0/0 igw-12345Every subnet has an implicit local route for internal VPC traffic. If you need traffic to go to another VPC or on-premises, you add routes pointing to a VPC peering connection or VPN.
#### Internet Gateway (IGW) An IGW is a horizontally scaled, redundant component that allows communication between a VPC and the internet. It performs NAT for instances with public IPs. An IGW is attached to a VPC and must be referenced in route tables for public subnets. Without an IGW, instances in the VPC cannot reach the internet or be reached from the internet (unless using a NAT gateway or VPN).
#### NAT Gateway and NAT Instance A NAT gateway enables instances in a private subnet to initiate outbound traffic to the internet (e.g., for software updates) but prevents inbound connections from the internet. It is managed by the cloud provider, scales automatically, and is placed in a public subnet with an Elastic IP. NAT gateways are region-specific and support up to 45 Gbps. A NAT instance is a user-managed EC2 instance configured to perform NAT; it is less scalable and requires manual failover. Exam tip: NAT gateways are preferred for production due to high availability and managed service.
#### Security Groups and Network ACLs Security groups act as virtual firewalls at the instance (or elastic network interface) level. They support allow rules only, are stateful (return traffic automatically allowed), and are evaluated as a whole. Default security group denies all inbound, allows all outbound. Network ACLs (NACLs) are stateless firewalls at the subnet level, supporting both allow and deny rules, and are evaluated in order by rule number. Exam tip: Security groups are stateful; NACLs are stateless. For example, if you allow inbound HTTP (port 80) in a security group, outbound responses are automatically allowed. With a NACL, you must explicitly allow both inbound and outbound ephemeral ports (1024-65535) for responses.
#### Load Balancers Cloud load balancers distribute traffic across multiple targets (instances, containers, IP addresses) in one or more AZs. Types include Application Load Balancer (ALB, layer 7), Network Load Balancer (NLB, layer 4), and Classic Load Balancer (CLB, legacy). ALBs route based on HTTP headers, path, host, etc., and support WebSocket and HTTP/2. NLBs handle millions of requests per second with ultra-low latency, preserving source IP. Health checks (e.g., HTTP 200, TCP handshake) determine target status. Exam tip: ALBs are for HTTP/HTTPS traffic; NLBs for TCP/UDP traffic requiring extreme performance.
#### VPN and Direct Connect Hybrid networks connect on-premises data centers to cloud VPCs via VPN (over the internet) or Direct Connect (dedicated private connection). VPN uses IPsec tunnels, with two tunnels per VPN connection for redundancy. Direct Connect provides consistent bandwidth and lower latency but requires physical cross-connects at colocation facilities. Exam tip: VPN is cheaper but depends on internet reliability; Direct Connect is more expensive but stable.
#### DNS and Cloud DNS Cloud providers offer managed DNS services (e.g., AWS Route 53, Azure DNS). These resolve domain names to IP addresses and support routing policies like latency-based, geolocation, and weighted. Private hosted zones allow DNS resolution within VPCs without exposing records to the internet. Exam tip: Understand how to configure private DNS for internal resources.
Configuration and Verification Commands
While cloud networks are managed via web consoles, CLI tools and APIs are common. Examples for AWS CLI:
Create VPC: aws ec2 create-vpc --cidr-block 10.0.0.0/16
Create subnet: aws ec2 create-subnet --vpc-id vpc-xxx --cidr-block 10.0.1.0/24 --availability-zone us-east-1a
Create internet gateway: aws ec2 create-internet-gateway
Attach IGW: aws ec2 attach-internet-gateway --vpc-id vpc-xxx --internet-gateway-id igw-xxx
Create route table: aws ec2 create-route-table --vpc-id vpc-xxx
Add route: aws ec2 create-route --route-table-id rtb-xxx --destination-cidr-block 0.0.0.0/0 --gateway-id igw-xxx
Associate subnet: aws ec2 associate-route-table --subnet-id subnet-xxx --route-table-id rtb-xxx
Create security group: aws ec2 create-security-group --group-name my-sg --description "My SG" --vpc-id vpc-xxx
Add rule: aws ec2 authorize-security-group-ingress --group-id sg-xxx --protocol tcp --port 22 --cidr 0.0.0.0/0
Launch instance: aws ec2 run-instances --image-id ami-xxx --instance-type t2.micro --subnet-id subnet-xxx --security-group-ids sg-xxx
How Cloud Network Operations Interact with Related Technologies
Cloud networks integrate with: - Containers and Kubernetes: Pods use overlay networks (e.g., Calico, AWS VPC CNI) that assign IPs from VPC subnets. Network policies control pod-to-pod traffic. - Serverless: AWS Lambda functions run in a VPC by attaching to an elastic network interface (ENI) in a private subnet, requiring a NAT gateway for internet access. - Storage: Amazon S3 uses internet-accessible endpoints; VPC endpoints (Gateway or Interface) allow private access without internet. - Monitoring: CloudWatch, VPC Flow Logs capture metadata about IP traffic (accepted/rejected) for troubleshooting and security analysis.
Common Pitfalls and Misconfigurations
Overly permissive security groups: Allowing 0.0.0.0/0 on SSH (port 22) or RDP (3389) is a common exam scenario—this is a security risk.
Missing NAT gateway: Private instances cannot reach the internet for updates, causing failures.
Incorrect route tables: A public subnet without a default route to an IGW will not be reachable from the internet.
Stateless NACL confusion: Forgetting ephemeral port rules blocks return traffic.
Cross-zone load balancer: If cross-zone load balancing is disabled, traffic stays within the same AZ, potentially overloading one AZ.
Define IP Addressing and CIDR
Start by determining the IP address range for the VPC. Choose a CIDR block that does not overlap with on-premises networks or other VPCs you plan to connect. Common choices are 10.0.0.0/16 or 172.16.0.0/16. Then divide this range into subnets for each availability zone. For example, 10.0.1.0/24 (256 addresses) for public subnet in AZ-a and 10.0.2.0/24 for private subnet in AZ-a. Ensure you leave room for future expansion. The VPC automatically creates a default route table and network ACL, but you will customize them.
Create VPC and Subnets
Using the cloud provider's console or CLI, create the VPC with the chosen CIDR. Then create subnets, each in a specific availability zone. Assign each subnet a CIDR block within the VPC range. Mark subnets as public or private by design—public subnets will later have a route to an internet gateway. For high availability, create at least two subnets in different AZs. For example, in AWS, you would create a VPC with CIDR 10.0.0.0/16, then subnets 10.0.1.0/24 (us-east-1a) and 10.0.2.0/24 (us-east-1b).
Configure Internet Gateway and Route Tables
Create an internet gateway and attach it to the VPC. Then, create a custom route table for public subnets. Add a default route (0.0.0.0/0) pointing to the internet gateway. Associate this route table with the public subnets. For private subnets, create a separate route table that either has no default route or points to a NAT gateway for outbound internet access. The local route (VPC CIDR) is automatically added. Verify that the route tables are correctly associated with the subnets.
Set Up NAT for Private Subnets
To allow instances in private subnets to access the internet (e.g., for updates), deploy a NAT gateway in one public subnet. Allocate an Elastic IP address for it. Then, add a route in the private subnet's route table: destination 0.0.0.0/0, target NAT gateway ID. The NAT gateway translates private IPs to its Elastic IP for outbound traffic and forwards responses back. Note that NAT gateways are not free; they incur hourly and data processing charges. For cost savings, consider NAT instances, but they require manual failover.
Define Security Groups and Network ACLs
Create security groups for your instances. For a web server, allow inbound HTTP (80) and HTTPS (443) from 0.0.0.0/0, and SSH (22) from a trusted IP (e.g., your office). Security groups are stateful, so outbound rules are not needed for return traffic. For network ACLs, define inbound and outbound rules for subnets. For a public subnet, allow inbound HTTP/HTTPS and ephemeral ports (1024-65535) for return traffic, and outbound ephemeral ports. Remember, NACLs are stateless—you must explicitly allow return traffic. Order rules carefully; lower number rules are evaluated first.
Launch Instances and Test Connectivity
Launch an EC2 instance in the public subnet with a public IP (auto-assign or Elastic IP). Ensure its security group allows SSH from your IP. SSH into the instance to verify internet connectivity (e.g., ping google.com). Then, launch an instance in the private subnet (no public IP). From the public instance, try to SSH into the private instance using its private IP (if security groups allow). The private instance should be able to reach the internet via the NAT gateway. Test by running 'curl http://checkip.amazonaws.com'—it should show the NAT gateway's Elastic IP. If not, check route tables and security group outbound rules.
Scenario 1: E-Commerce Application with High Availability
A retail company deploys a three-tier web application (web, app, database) in AWS. They use a VPC with two AZs for resilience. Public subnets host web servers behind an Application Load Balancer (ALB). Private subnets host app servers and RDS databases. The ALB distributes traffic across AZs, and health checks ensure unhealthy instances are replaced. NAT gateways in each AZ allow app servers to download security patches. Security groups restrict database access to only the app server security group. Route tables are configured so that web subnets have a default route to IGW, app subnets to NAT gateway, and database subnets have no internet route. This setup ensures high availability and security. A common issue is accidentally allowing SSH from 0.0.0.0/0 on the database security group, which the exam would flag as a misconfiguration.
Scenario 2: Hybrid Network with VPN and Direct Connect
A financial services firm connects its on-premises data center to AWS via a site-to-site VPN and a Direct Connect circuit for redundancy. The VPN uses two tunnels with BGP dynamic routing. The VPC has a virtual private gateway attached. On-premises routes are advertised via BGP, and VPC routes are advertised back. The route tables include a route to the on-premises CIDR via the virtual private gateway. Security groups are configured to allow traffic from on-premises IP ranges. A common problem is asymmetric routing when both VPN and Direct Connect are active—solved by using BGP attributes (AS path prepend) to prefer Direct Connect. The exam may test understanding of BGP over VPN vs. static routes.
Scenario 3: Multi-Region Disaster Recovery
A global SaaS provider replicates its infrastructure across two AWS regions (us-east-1 and eu-west-1). Each region has its own VPC with overlapping CIDR (10.0.0.0/16). They use Route 53 latency-based routing to direct users to the nearest region. VPC peering (or Transit Gateway) connects VPCs within a region, but inter-region connectivity uses VPN or Direct Connect. Database replication occurs over encrypted VPN tunnels. Security groups allow cross-region database ports only from the peer VPC CIDR. Misconfiguration: if the CIDRs overlap, VPC peering fails, requiring NAT or careful IP planning. The exam may ask about resolving overlapping IP conflicts.
What N10-009 Tests on Cloud Network Operations (Objective 3.3)
The exam focuses on your ability to:
Compare and contrast cloud network concepts: VPC, subnet, internet gateway, NAT gateway, security group, network ACL, load balancer, VPN, Direct Connect.
Understand how to design a basic cloud network for high availability and security.
Identify misconfigurations: overly permissive security groups, missing NAT gateway, incorrect route tables, stateless NACL rules.
Recognize the differences between cloud and on-premises networking.
Common Wrong Answers and Why
"Security groups are stateless" – Wrong. Security groups are stateful; network ACLs are stateless. Candidates confuse the two. Remember: SG = stateful, NACL = stateless.
"NAT gateway allows inbound traffic from the internet" – Wrong. NAT gateway only allows outbound traffic from private subnets. Inbound traffic is blocked unless there is a public IP on the instance (which would defeat the purpose).
"A subnet must have an internet gateway attached" – Wrong. Internet gateways are attached to VPCs, not subnets. Subnets use route tables to point to the IGW.
"Load balancers can be placed in private subnets" – Wrong. Load balancers must be in public subnets to accept internet traffic, or in private subnets for internal-only traffic (internal load balancers). The exam tests this distinction.
Specific Numbers and Terms
VPC CIDR range: /16 (65,536 IPs) to /28 (16 IPs). Minimum /28.
Security group rules: up to 60 inbound and 60 outbound rules per SG.
Network ACLs: up to 20 rules per NACL (inbound + outbound). Rule numbers from 1 to 32766; best practice to use increments of 100.
NAT gateway: supports up to 45 Gbps, automatically scales.
ALB: supports up to 100 targets per target group.
VPN: uses IPsec, two tunnels per connection.
Direct Connect: speeds from 50 Mbps to 100 Gbps.
Edge Cases and Exceptions
VPC Peering: Transitive peering is not supported. If VPC A peers with VPC B and VPC B peers with VPC C, traffic cannot flow from A to C via B unless there is a direct peering or Transit Gateway.
Egress-Only Internet Gateway: For IPv6 traffic, use an egress-only internet gateway (EIGW) for private subnets to access the internet outbound only.
AWS Global Accelerator: Improves performance by routing traffic over AWS global network; not a load balancer but often confused with one.
How to Eliminate Wrong Answers
If the question mentions "stateful firewall," look for security group answers; if "stateless," look for NACL.
If the question asks about "outbound-only internet access for private instances," the answer is NAT gateway (or NAT instance).
If the question involves "public subnet" and "internet access," ensure the route table has a default route to an IGW.
For load balancing, if it's HTTP/HTTPS, choose ALB; if TCP/UDP with extreme performance, choose NLB.
VPC CIDR blocks must not overlap with on-premises or other VPCs when connected.
Security groups are stateful; network ACLs are stateless.
NAT gateways enable outbound internet for private subnets but block inbound.
Public subnets require a route to an internet gateway; private subnets route to NAT gateway for internet.
Load balancers: ALB for HTTP/HTTPS, NLB for TCP/UDP with extreme performance.
VPN uses IPsec tunnels; Direct Connect provides dedicated private bandwidth.
VPC Flow Logs capture IP traffic metadata for troubleshooting.
Minimum subnet size is /28 (16 IPs).
Network ACL rule numbers should be in increments (e.g., 100, 200).
Transitive peering is not supported; use Transit Gateway for hub-and-spoke.
These come up on the exam all the time. Here's how to tell them apart.
Security Group
Stateful (return traffic automatically allowed)
Operates at instance/ENI level
Supports allow rules only
Rules evaluated as a whole (no order)
Default: deny all inbound, allow all outbound
Network ACL
Stateless (explicit rules for both directions)
Operates at subnet level
Supports allow and deny rules
Rules evaluated in order by rule number
Default: deny all inbound, deny all outbound
Mistake
Security groups are stateless like network ACLs.
Correct
Security groups are stateful. If you allow inbound traffic, the outbound return traffic is automatically allowed, regardless of outbound rules. Network ACLs are stateless and require explicit rules for both directions.
Mistake
A NAT gateway can be used to allow inbound connections from the internet to private instances.
Correct
NAT gateways only support outbound traffic from private subnets to the internet. Inbound connections from the internet are blocked. For inbound access, you need a public IP on the instance or a load balancer in a public subnet.
Mistake
Subnets are automatically public or private based on their IP range.
Correct
A subnet is public only if its route table has a default route (0.0.0.0/0) pointing to an internet gateway. The IP range does not determine public/private status.
Mistake
VPC peering allows transitive routing.
Correct
VPC peering does not support transitive routing. If VPC A is peered with VPC B, and VPC B is peered with VPC C, traffic cannot flow from A to C through B. Each VPC pair requires a direct peering connection.
Mistake
Network ACLs are evaluated after security groups.
Correct
Network ACLs are evaluated first (at the subnet boundary), then security groups (at the instance level). Traffic must pass both to reach an instance.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
A security group is a stateful virtual firewall that operates at the instance (ENI) level, supporting only allow rules. Return traffic is automatically permitted. A network ACL (NACL) is a stateless firewall at the subnet level, supporting both allow and deny rules, evaluated in numeric order. NACLs require explicit rules for inbound and outbound traffic, including ephemeral ports for return traffic. For the exam, remember: SG = stateful, instance-level; NACL = stateless, subnet-level.
No. A NAT gateway only allows outbound traffic from private subnets to the internet. Inbound connections from the internet are blocked. For inbound internet access, you must assign a public IP to the instance or use a load balancer (e.g., ALB) in a public subnet. NAT gateways are for outbound-only scenarios like software updates.
A subnet becomes public when its associated route table has a default route (0.0.0.0/0) pointing to an internet gateway (IGW). Additionally, instances in the subnet need a public IP (auto-assign or Elastic IP) to be reachable from the internet. The subnet itself is not inherently public; it depends on the route table configuration.
An Application Load Balancer (ALB) operates at Layer 7 (HTTP/HTTPS) and can route based on URL path, host, headers, etc. It supports WebSocket and HTTP/2. A Network Load Balancer (NLB) operates at Layer 4 (TCP/UDP), handles millions of requests per second with ultra-low latency, and preserves the source IP. ALB is for web applications; NLB for performance-critical or non-HTTP traffic.
VPC peering connects two VPCs directly using private IP addresses. It does not support transitive routing (if A peers with B and B peers with C, A cannot reach C via B). Also, VPC CIDRs cannot overlap. For hub-and-spoke connectivity, use a Transit Gateway instead.
Start with VPC Flow Logs to see if traffic is allowed or denied. Check route tables: does the subnet have a route to the destination? Verify security group and NACL rules: are the necessary ports open? For internet access, ensure the subnet has a route to an IGW (public) or NAT gateway (private). Use ping and traceroute from instances, but note that ICMP may be blocked by security groups.
A site-to-site VPN uses IPsec tunnels over the public internet, providing encrypted connectivity but with variable performance and latency. Direct Connect is a dedicated private physical connection from your on-premises data center to the cloud provider, offering consistent bandwidth and lower latency, but at higher cost and longer setup time.
You've just covered Cloud Network Operations — now see how well it sticks with free N10-009 practice questions. Full explanations included, no account needed.
Done with this chapter?