- Useful for:
  - Gatekeeping traffic between parts of the network for regulatory purposes
  - Isolating cloud-based systems from on-prem
  - Isolating private resources from public ones
- Also called a star topology
- VPC peering: peering is not transitive, so reaching a network beyond the directly peered one requires a proxy
- Cloud VPN: not subject to the peering limits, but egress is capped at 3 Gbps per VPN tunnel
- Can also use an NGFW (next-generation firewall)
- This article’s content doesn’t seem to match the title; I think they meant “networks that need to talk to an on-prem resource via the Internet”
- Lift-and-shift architecture: a single VPC that mirrors the on-prem setup
- In a hybrid cloud/on-prem setup, use a separate “untrusted” VPC so that on-prem stays isolated from the public Internet
Remarks about article
- Again, I think the title here was misleading; I believe they meant “networks that exist entirely within the cloud”
- Mostly repeats content from Best Practices articles; adding new stuff below
New content
- To get transitivity with peering, implement hub-and-spoke as a “full mesh topology” (every VPC peers with every other VPC)
- Can also use a network virtual appliance (NVA)
- Shared VPCs can still make sense, but you’ll still want separate VPCs for, e.g., dev/test and prod
- Can use Private Service Connect to expose your own services in a different VPC (!)
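Added example (not from the notes or from Google’s docs) showing why the “full mesh” point above matters: a plain star of peerings leaves spokes unable to reach each other, and a full mesh of N VPCs needs N·(N−1) peering commands because VPC Network Peering is configured from both sides. It assumes all networks live in one project (so `--peer-project` is omitted) and uses constructed network names; it only prints the `gcloud` commands rather than running them.

```shell
#!/bin/sh
# Emit the gcloud commands needed to peer a set of VPCs two different ways.
# Network names are constructed placeholders; nothing here runs gcloud.

# hub_spoke HUB SPOKE... : star topology, the hub peers with each spoke only.
# Spokes cannot reach each other, because VPC peering is not transitive.
hub_spoke() {
  hub="$1"; shift
  for spoke in "$@"; do
    echo "gcloud compute networks peerings create ${hub}-to-${spoke} --network=${hub} --peer-network=${spoke}"
    echo "gcloud compute networks peerings create ${spoke}-to-${hub} --network=${spoke} --peer-network=${hub}"
  done
}

# full_mesh VPC... : every VPC peers with every other VPC, in both directions,
# which is what makes spoke-to-spoke traffic work without a proxy or an NVA.
full_mesh() {
  for a in "$@"; do
    for b in "$@"; do
      if [ "$a" != "$b" ]; then
        echo "gcloud compute networks peerings create ${a}-to-${b} --network=${a} --peer-network=${b}"
      fi
    done
  done
}

# Hub plus three spokes: 6 commands as a star, 12 as a full mesh.
hub_spoke hub-vpc dev-vpc test-vpc prod-vpc
echo
full_mesh hub-vpc dev-vpc test-vpc prod-vpc
```

Pipe either function into `sh` only after reviewing the output; the peering count grows quadratically, which is the practical limit the notes’ Cloud VPN and NVA alternatives avoid.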