Building Your Own Virtual Private Cloud (VPC) on Linux – A Beginner’s Guide

josiah favour — Wed, 12 Nov 2025 16:14:51 +0000

Imagine you own a big farm compound. On this compound, you want to organize different areas: fields, barns, and visitor areas. You want each area to have controlled access, and some areas might connect to the outside world, while others stay private. That’s exactly what a Virtual Private Cloud (VPC) does in computing: it’s a fenced-off network on your computer where you control access, routing, and connectivity.

In this guide, we’ll build a mini VPC on Linux using simple tools like network namespaces, bridges, routing tables, and iptables. By the end, you’ll understand how cloud networks work under the hood and be able to deploy isolated workloads like web servers.

The Farm Analogy: Understanding VPCs and Subnets

Think of a VPC as a farm.
The VPC = The farm compound
Subnets = Sections like:
Crop field (public, visitors allowed)
Barn (private, staff only)
Greenhouse (private, controlled access)
Bridge = Main road connecting all sections
NAT Gateway = Farm gate for sending goods out
Peering = Controlled paths between separate farms
Firewall rules = Security guards controlling who can enter each section

Creating Your First VPC (Farm Compound)

Let’s create a farm named greenfarm:

sudo vpcctl create greenfarm --cidr 10.50.0.0/16

Creates a bridge: br-greenfarm (main road)
Sets up routing and an isolated iptables chain
Saves metadata for later inspection

Adding Subnets (Farm Sections)

Public Section (Crop Field)

sudo vpcctl add-subnet greenfarm public --cidr 10.50.1.0/24

Creates namespace: ns-greenfarm-public
Connects it to the bridge via a veth pair
Assigns IP addresses and sets default route

Private Section (Barn)

sudo vpcctl add-subnet greenfarm private --cidr 10.50.2.0/24

Namespace: ns-greenfarm-private
No direct internet access by default

Deploying Simple Apps (Farm Stalls)

Deploy a small HTTP server in each section:

sudo vpcctl deploy-app greenfarm public  --port 8080
sudo vpcctl deploy-app greenfarm private --port 8081

Apps run inside namespaces, isolated from each other
Public section can serve visitors; private section stays internal

Enabling Internet Access (NAT Gateway)

Allow the crop field to access the internet:

IFACE=$(ip route get 1.1.1.1 | awk '{print $5; exit}')
sudo vpcctl enable-nat greenfarm --interface "$IFACE"

NAT acts like the farm gate, letting public subnets reach the internet
Private subnets remain isolated

Connecting Farms (VPC Peering)

Suppose you have another farm, bluefarm

sudo vpcctl create bluefarm --cidr 10.60.0.0/16
sudo vpcctl add-subnet bluefarm public --cidr 10.60.1.0/24
sudo vpcctl deploy-app bluefarm public --port 8080

To allow only public areas to communicate:

sudo vpcctl peer greenfarm bluefarm --allow-cidrs 10.50.1.0/24,10.60.1.0/24

Bridges are connected via veth pairs
Only permitted CIDRs can communicate

Applying Security Rules (Firewall Policies)

Example policy JSON:

{
  "subnet": "10.50.1.0/24",
  "ingress": [
    {"port": 80, "protocol": "tcp", "action": "allow"},
    {"port": 22, "protocol": "tcp", "action": "deny"}
  ]
}

Apply it:

sudo vpcctl apply-policy greenfarm policy_examples/example_policy.json

iptables inside namespaces enforce the rules
Ensures only allowed traffic flows

Inspecting, Listing, and Cleaning Up

List VPCs:

sudo vpcctl list

Inspect VPC:

sudo vpcctl inspect greenfarm

Delete VPC:

sudo vpcctl delete greenfarm

Cleanup removes: namespaces, bridges, veth pairs, apps, and firewall rules.

Conclusion

Using vpcctl, you can simulate a complete cloud like networking environment on Linux. Think of it as managing multiple farms with roads, gates, and security guards now applied to virtual networks. This hands on approach teaches you network isolation, routing, NAT, and firewall rules—key skills for any aspiring cloud engineer.

Forem: josiah favour