There are two primary ways to talk about Private Cloud. One is the physical separation of resources on dedicated hardware, the other is virtual separation by isolated networking.
When we have Private Cloud by physical separation, we’re typically renting hardware as a single tenant user and our resources are tangibly set apart from everyone else’s. Private Cloud by virtual separation has our resources in a multitenant environment that is isolated from other users and the public internet at the software level. This is sometimes referred to as internal cloud, intranet, or, more commonly, Virtual Private Cloud (VPC).
Ultimately, the core feature of a private cloud is the ability to isolate and protect our infrastructure. This provides increased security by significantly reducing our network’s attack surface. VPCs enable us to achieve this at the software level while remaining cost effective.
Understanding VPCs, VLANs, and VPNs
In a VPC, servers are walled off from other public cloud resources and typically confined to their own collection or set of subnets. Another way to achieve this confinement is with a Virtual Local Area Network (VLAN).
To understand what role a VLAN plays, imagine five desktop computers in a room linked together with ethernet cables to privately communicate with each other. Once upon a time, people would actually do this, but today we remove the cables and move our connectivity from the physical to the data link layer of the OSI Model with VLANs.
In the example above, our users are in the same room, but this is not a common scenario today. For users to access our isolated network from an external location, we would need to set up a Virtual Private Network (VPN). A VPN is the means for a user to connect to a private network across the public internet securely through an encrypted tunnel.
In summary, we can use a VPC or VLAN to create an isolated network and a VPN is what we use to securely access this isolated network. The terms VPC and VLAN are sometimes used interchangeably, but we can see that they are certainly not the same.
Can a VLAN be used as a VPC?
The short answer is yes, we can use a VLAN as a VPC. VLANs provide network separation, which enables us to host sensitive information in a secure space, but this requires some additional planning and consideration. A major difference between VLANs and a true VPC can be found by looking at layers 2 and 3 of the OSI Model. Let’s dive in for a closer look.
Layer 2, the Data Link Layer, includes switching and ethernet cabling. Since a VLAN is essentially a virtualized replacement for physical ethernet cables, it would be considered layer 2 isolation. When attaching a VM onto a VLAN, we’re effectively plugged into our own isolated virtual network switch.
Layer 3, the Network Layer, includes IPv4 and IPv6. Firewalls, for example, are at layer 3 (or above) to monitor and filter traffic by IP address using allow and block lists. This would typically include network and OS level firewalls. A true VPC would include built-in solutions covering layer 2, layer 3, and above.
To secure our connections between layer 2 and above, we’d need to do some additional tooling. OS level firewalls can be implemented with iptables or nftables. We might also need to provide address resolution protocol (ARP) and neighbor discovery (ND) protections.
As we can see, while VLANs are functionality sufficient to isolate our VMs, we have some work to do before using it as a true virtual private cloud. Going back to our ethernet cable comparison, the risks and security considerations are no different than having a set of physical machines plugged into a shared network switch.
Can a VLAN be used as a VPC on Linode?
The short answer is again, yes, we can use a VLAN as a VPC on Linode. Linode offers a VLAN product that can be deployed directly from Cloud Manager and enables us to achieve secure, layer 2 network isolation between our Linodes. But, it’s crucial to consider your requirements and make sure you have a plan to configure additional layer 3 solutions.
Get started by checking out some common use cases for Linode’s VLAN service. Linode VLANs are free to use with your Linodes and are available in multiple data centers across the world. In addition to security isolating your resources, private network transfer is free. This means that communication over a VLAN does not count against a Linode’s monthly network transfer quota.
Comments