##

Cloud & Virtualization

How networking maps to the cloud — virtual networks, security boundaries, and the overlay tech underneath.

// service models

IaaS	Raw compute / network / storage
PaaS	Managed runtime / platform
SaaS	Finished application

// deployment

Public	Shared provider infrastructure
Private	Dedicated / on-prem
Hybrid	Mix + cloud bursting
Multi-cloud	Across providers

// cloud networking

VPC / VNet = isolated virtual network
Security Group = stateful, per-instance
NACL = stateless, per-subnet
IGW / NAT Gateway for internet egress
Peering / Transit Gateway connect VPCs
Direct Connect / ExpressRoute = private link

// virtualization

Hypervisor Type 1 (bare-metal) vs Type 2 (hosted)
VM = full OS · Container = shared kernel, lightweight
VxLAN = L2 overlay, 24-bit VNI (16M segments)
Underlay (physical) vs Overlay (virtual)
SDN separates the control & data planes

// security group vs NACL

	Security Group	NACL
Scope	Per instance / ENI	Per subnet
State	Stateful — return traffic auto-allowed	Stateless — allow both directions
Rules	Allow only	Allow + Deny
Evaluation	All rules together	Numbered order, first match wins

// cloud connectivity

VPN (IPsec)	Encrypted tunnel over the internet to the VPC
Direct Connect / ExpressRoute	Private dedicated circuit to the provider
VPC Peering	Private 1:1 link between two VPCs
Transit Gateway	Hub interconnecting many VPCs & on-prem
VPC Endpoint / PrivateLink	Reach a service without crossing the internet

// containers & kubernetes

Container	Isolated process sharing the host kernel
Pod	K8s smallest unit — one+ containers, shared IP
Service	Stable VIP / DNS in front of pods
CNI	Container Network Interface — pod networking plugin
Ingress	L7 HTTP routing into the cluster
Overlay (VXLAN/Geneve)	Flat pod network spanning all nodes

// provider terminology

Concept	AWS	Azure	GCP
Virtual network	VPC	VNet	VPC
Instance firewall	Security Group	NSG	Firewall rule
Region zone	Availability Zone	Availability Zone	Zone
Object storage	S3	Blob	Cloud Storage
Managed K8s	EKS	AKS	GKE