Building the VPC Layer for Cloud

Jan 30, 2022

Virtual private clouds (VPCs) live at the molecular level of cloud architecture. Not quite atomic (core cloud services) or elemental (user-defined services), they define which sets of services can talk to each other.

They act as a security boundary and a networking layer for a set of services: a VPC owns its address space and routing, and the security groups and network ACLs attached to it decide which traffic is allowed in and out.

But in the SaaS cloud era, VPCs take on even more importance. They are a deployment target for SaaS vendors (see SaaS Isolation Patterns). The vendor "takes ownership" of a VPC inside the customer's account. The customer gets assurance that a specific product is sufficiently isolated "cloud-prem", while the vendor keeps enough access to manage it (otherwise, where is the managed service?).

For connections between accounts (a customer reaching a vendor's service, for instance), AWS has built AWS PrivateLink (Google Cloud's Private Service Connect and Azure Private Link are the equivalents). It lets a consumer VPC reach a service in another account's VPC through a private endpoint, without traversing the public internet and without peering the two networks. But I think there's more to this story. A VPN company could build a layer that looks like a VPC with zero trust and a global ACL. Maybe this is the answer for the host of serverless offerings that don't operate in a VPC, but all the networking quirks would have to be completely hidden from end users, and it would need to be as ephemeral as a cloud service.
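As an added example (mine, not the post's, and not code from AWS or any vendor), this is what the PrivateLink relationship described above looks like as Terraform, with the controls a security reviewer would look for on each side: the vendor decides who may connect and approves each connection, and the customer decides which of its own workloads may reach the endpoint. The resource types and attributes are those of the Terraform AWS provider; the variable names, the values they hold, and the resource names are placeholders I chose.

```hcl
# Added example, not from the post and not vendor code: the two halves of an
# AWS PrivateLink connection as Terraform resources. In practice each half
# lives in a different AWS account, so treat them as two separate
# configurations. All variable values are placeholders.

# ---------- Provider (SaaS vendor) account ----------

variable "vendor_nlb_arn"      { type = string }  # NLB fronting the vendor's service
variable "customer_account_id" { type = string }  # the one customer allowed to connect

resource "aws_vpc_endpoint_service" "vendor_api" {
  network_load_balancer_arns = [var.vendor_nlb_arn]

  # Each connection request must be approved by the vendor, so an endpoint
  # created in the wrong account cannot silently attach itself to the service.
  acceptance_required = true

  # Even requesting a connection is limited to this customer's principals.
  allowed_principals = ["arn:aws:iam::${var.customer_account_id}:root"]

  tags = { Name = "vendor-api" }
}

# ---------- Consumer (customer) account ----------

variable "customer_vpc_id"     { type = string }
variable "customer_vpc_cidr"   { type = string }
variable "customer_subnet_ids" { type = list(string) }  # private subnets, one per AZ
variable "vendor_service_name" { type = string }        # com.amazonaws.vpce.<region>.vpce-svc-... as handed over by the vendor

# The endpoint's network interfaces sit in the customer's subnets; this group
# is the only filter between customer workloads and the vendor, so scope it to
# the VPC CIDR and to TLS. Only inbound rules matter for an interface endpoint,
# so no egress block is declared.
resource "aws_security_group" "vendor_api_endpoint" {
  name        = "vendor-api-endpoint"
  description = "Access to the vendor API via PrivateLink"
  vpc_id      = var.customer_vpc_id

  ingress {
    description = "TLS from workloads in this VPC only"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.customer_vpc_cidr]
  }
}

resource "aws_vpc_endpoint" "vendor_api" {
  vpc_id             = var.customer_vpc_id
  service_name       = var.vendor_service_name
  vpc_endpoint_type  = "Interface"
  subnet_ids         = var.customer_subnet_ids
  security_group_ids = [aws_security_group.vendor_api_endpoint.id]

  # Private DNS for the vendor's own hostname requires the vendor to verify
  # that domain on the endpoint service; until then clients use the
  # endpoint's regional DNS name, exported below.
  private_dns_enabled = false

  tags = { Name = "vendor-api" }
}

output "vendor_api_dns" {
  value = aws_vpc_endpoint.vendor_api.dns_entry[0].dns_name
}
```

Nothing in either half touches an internet gateway, NAT gateway or route to 0.0.0.0/0; the traffic stays on the AWS network, which is the whole point of the arrangement. With `acceptance_required = true`, the customer's endpoint sits in `pendingAcceptance` until the vendor approves it (in the console, with the CLI, or with Terraform's `aws_vpc_endpoint_connection_accepter`), and `allowed_principals` stops anyone outside the listed account from even getting that far.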

As with most multi-cloud dreams, it won't happen today, for a few reasons. Egress fees are too costly when traffic has to leave to the public internet and come back (which is why SaaS companies like Snowflake use PrivateLink). But the pressure from SaaS companies is real. Anything that can solve The Problems With Cloud-Prem will be very successful.