Cloud Concepts

1. Network Functions Virtualization (NFV)

Definition
Replacing dedicated hardware network appliances (routers, firewalls, load balancers, IDS/IPS) with software-based Virtual Network Functions (VNFs) running on standard x86 servers and hypervisors.
Core Components
- VNFs – virtualized network functions (vRouter, vFirewall, vLoad Balancer, etc.)
- NFV Infrastructure (NFVI) – compute, storage, network + hypervisor (VMware ESXi, KVM, etc.)
- MANO (Management and Orchestration) – deployment, scaling, lifecycle management (ETSI MANO, OpenStack, Kubernetes-based)
Benefits
- Lower CapEx (commodity hardware instead of proprietary appliances)
- Rapid provisioning and updates
- Elastic scaling
- Service function chaining (SFC) – linking multiple VNFs
- Better integration with SDN
Use Cases
- 5G core network virtualization (telcos)
- Virtual Customer Premises Equipment (vCPE)
- SD-WAN edge devices
Exam Notes
NFV virtualizes network functions
Often compared/contrasted with SDN (SDN = control/data plane separation)

Definition
Logically isolated portion of a public cloud where you define your own virtual network (IP ranges, subnets, routing, gateways).
Key Features
- Custom CIDR blocks
- Public and private subnets
- Route tables, internet gateways, NAT gateways
- VPC peering, transit gateways
- Isolation from other tenants
Major Provider Examples
- AWS → VPC
- Azure → Virtual Network (VNet)
- Google Cloud → VPC Network
Benefits
- Strong network-level isolation
- Full control over IP addressing and routing
- Foundation for hybrid connectivity
Use Cases
- 3-tier application architecture (web/app/db)
- Secure multi-tenant environments
- Hybrid cloud extension

Definition
Virtual stateful firewalls controlling inbound/outbound traffic to cloud resources (instances, subnets, NICs).
Characteristics
- Stateful – tracks connections (return traffic auto-allowed)
- Rules: source/destination IP, port, protocol, direction
- Priority-based evaluation (some providers)
- Attached to instances or subnets (provider-specific)
Provider Examples
- AWS Security Groups → instance-level (default: deny inbound, allow all outbound)
- Azure NSG → subnet or NIC level
- GCP Firewall Rules → VPC-level
Use Cases
- Allow 80/443 inbound to web servers only
- Restrict RDP/SSH to bastion/jump host IPs
- Zero-trust micro-segmentation
Exam Notes
Compare: NSGs/Security Groups = stateful
Network ACLs (AWS) = stateless, subnet-level

Internet Gateway
Enables public internet access to/from VPC (public subnet routing + outbound NAT for instances)
NAT Gateway / NAT Instance
Allows private subnet instances to reach internet outbound (without exposing public IPs)
VPN Gateway
Terminates site-to-site or client VPN tunnels (IPsec usually)
Examples: AWS VPN Gateway, Azure VPN Gateway
Direct Connect / ExpressRoute / Dedicated Interconnect
Private, dedicated, high-bandwidth, low-latency physical connection
Examples: AWS Direct Connect, Azure ExpressRoute, Google Cloud Interconnect
Exam Focus
Internet Gateway ↔ public access
NAT Gateway ↔ private outbound only
VPN vs Direct Connect: cost vs performance/security

VPN – encrypted over public internet (quick, cheaper, variable latency)
Direct Connect / ExpressRoute – private circuit (predictable latency, high throughput, compliance-friendly)
Peering / Transit Gateway – VPC-to-VPC or multi-region connectivity

Model	Tenancy	Control	Cost	Best For
Public	Multi-tenant	Low	Pay-as-you-go	Scalability, startups, web apps
Private	Single-tenant	High	High CapEx/OpEx	Compliance, security, legacy systems
Hybrid	Mixed	Medium–High	Optimized	Bursting, DR, gradual migration

Model	Provider Manages	Customer Manages	Examples
SaaS	Infrastructure, platform, application	Data, access controls	Office 365, Salesforce, Dropbox
PaaS	Infrastructure, OS, runtime, middleware	Application code, data	Azure App Service, Heroku
IaaS	Infrastructure (compute, storage, networking)	OS, middleware, apps, data, security	AWS EC2, Azure VMs, GCP Compute

Key Principle: Responsibility shifts toward the customer as you move from SaaS → PaaS → IaaS.