# VPC (Virtual Private Cloud)

Isolated network environments for secure, private communication between your resources.

## Overview

Sparbz Cloud VPC provides isolated virtual networks that enable secure communication between your databases, Kubernetes namespaces, and other resources without exposing traffic to the public internet.

## Features

- Network Isolation: Dedicated CIDR block with no overlap with other tenants
- Private Endpoints: Access databases and services via private IP addresses
- Security Groups: Fine-grained firewall rules for traffic control
- VPC Peering: Connect VPCs across regions or organizations
- VPN Gateway: Secure connection to on-premises networks

## Getting Started

### Create a VPC

```bash
# Create a VPC with default CIDR
szc vpc create my-vpc

# Create with custom CIDR
szc vpc create my-vpc --cidr 10.0.0.0/16

# Create in specific region
szc vpc create my-vpc --region eu-west
```

### List VPCs

```bash
# List all VPCs
szc vpc list

# List with details
szc vpc list --json
```

### Get VPC Details

```bash
# Get VPC info
szc vpc get my-vpc

# Get as JSON
szc vpc get my-vpc --json
```

### Delete VPC

```bash
# Delete VPC (must have no attached resources)
szc vpc delete my-vpc

# Force delete with attached resources
szc vpc delete my-vpc --force
```

## Subnets

Each VPC is automatically divided into subnets:

| Subnet | Purpose | Default CIDR |
|---|---|---|
| databases | Database instances | /24 |
| kubernetes | Kubernetes pods/services | /20 |
| endpoints | Private endpoints | /28 |

### List Subnets

```bash
szc vpc subnet list my-vpc
```

## Attaching Resources

### Databases

Create databases within a VPC for private access:

```bash
# Create database in VPC
szc database create my-db --engine postgres --vpc my-vpc

# Existing databases cannot be moved into a VPC
```

### Kubernetes Namespaces

Connect namespaces to a VPC:

```bash
# Create namespace in VPC
szc namespace create my-app --vpc my-vpc

# Resources in the namespace can access VPC databases
```

### Kafka Clusters

Deploy Kafka clusters with VPC networking:

```bash
szc kafka create my-kafka --vpc my-vpc
```

## Security Groups

Control traffic flow with security groups:

### Create Security Group

```bash
# Create security group
szc vpc security-group create my-vpc web-servers --description "Web server rules"

# Add inbound rule
szc vpc security-group rule add my-vpc web-servers \
  --direction inbound \
  --protocol tcp \
  --port 443 \
  --source 0.0.0.0/0

# Add rule for specific CIDR
szc vpc security-group rule add my-vpc web-servers \
  --direction inbound \
  --protocol tcp \
  --port 5432 \
  --source 10.0.0.0/16
```

### List Security Groups

```bash
szc vpc security-group list my-vpc
```

### Default Rules

Each VPC includes default security group rules:

| Direction | Protocol | Port | Source/Dest | Description |
|---|---|---|---|---|
| Inbound | All | All | VPC CIDR | Allow internal traffic |
| Outbound | All | All | 0.0.0.0/0 | Allow all outbound |
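The rules above follow one pattern: allow-all only from the VPC's own CIDR, `0.0.0.0/0` only on a public port such as 443, and database ports only from inside the VPC. The script below is an added example (not part of the Sparbz Cloud CLI or its documentation) that lints a rule set against that pattern before it is applied. The `Rule` record mirrors the options of `szc vpc security-group rule add`; the page does not document the output format of `szc vpc security-group list --json`, so the sample rules are constructed inline and a real deployment would need its own loader. The database port numbers are the standard defaults for the engines the page names, not values taken from the page.

```python
"""Lint security group rules for overly broad inbound access (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Rule:
    """One rule, with the same fields `szc vpc security-group rule add` takes."""
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp" or "all"
    port: str        # a port number as a string, or "all"
    source: str      # CIDR the rule allows


# Ports that are normally expected to be reachable from anywhere.
PUBLIC_OK_PORTS = {"80", "443"}

# Standard listening ports (assumed defaults) of the services the page places in a VPC.
DATA_PORTS = {"5432": "postgres", "3306": "mysql", "27017": "mongodb", "9092": "kafka"}


def lint_rules(rules, vpc_cidr: str, trusted_cidrs=()) -> list[tuple[Rule, str]]:
    """Return (rule, reason) pairs for inbound rules wider than the page's pattern.

    `trusted_cidrs` lists peer VPC or VPN remote ranges that may reach data ports.
    """
    trusted = [IPv4Network(vpc_cidr)] + [IPv4Network(c) for c in trusted_cidrs]
    findings = []
    for rule in rules:
        if rule.direction != "inbound":
            continue
        src = IPv4Network(rule.source)
        from_trusted = any(src.subnet_of(t) for t in trusted)
        if rule.port == "all" and not from_trusted:
            findings.append((rule, f"all ports open to {src}; allow-all should stay "
                                   f"scoped to the VPC CIDR {trusted[0]}"))
        elif src.prefixlen == 0 and rule.port not in PUBLIC_OK_PORTS:
            findings.append((rule, f"port {rule.port} open to the internet"))
        elif rule.port in DATA_PORTS and not from_trusted:
            findings.append((rule, f"{DATA_PORTS[rule.port]} port {rule.port} reachable "
                                   f"from {src}, outside the VPC and trusted ranges"))
    return findings


# Constructed sample: the page's two default rules, the two rules added in the
# "Create Security Group" section, and two rules that should be flagged.
SAMPLE_RULES = [
    Rule("inbound", "all", "all", "10.0.0.0/16"),
    Rule("outbound", "all", "all", "0.0.0.0/0"),
    Rule("inbound", "tcp", "443", "0.0.0.0/0"),
    Rule("inbound", "tcp", "5432", "10.0.0.0/16"),
    Rule("inbound", "tcp", "5432", "0.0.0.0/0"),
    Rule("inbound", "tcp", "3306", "172.16.0.0/12"),
]

if __name__ == "__main__":
    for rule, reason in lint_rules(SAMPLE_RULES, "10.0.0.0/16"):
        print(f"{rule.direction} {rule.protocol}/{rule.port} from {rule.source}: {reason}")
```

Run as-is, the sample flags the two constructed rules (PostgreSQL open to the internet, MySQL reachable from a range outside the VPC). Passing a peered VPC's CIDR in `trusted_cidrs` suppresses the second finding, which is the intended way to express "this peer is allowed to reach the database" rather than widening the rule to `0.0.0.0/0`.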

## VPC Peering

Connect two VPCs for private communication:

### Create Peering Connection

```bash
# Request peering with another VPC
szc vpc peering create my-vpc peer-vpc \
  --peer-organization acme-corp

# Accept peering request (other organization)
szc vpc peering accept peering-id
```

### List Peering Connections

```bash
szc vpc peering list my-vpc
```

### Delete Peering

```bash
szc vpc peering delete peering-id
```

## VPN Gateway

Connect to on-premises networks via VPN:

### Create VPN Gateway

```bash
szc vpc vpn create my-vpc my-vpn \
  --remote-ip 203.0.113.1 \
  --remote-cidr 192.168.0.0/16 \
  --psk "your-pre-shared-key"
```

### Configure Routes

```bash
# Add route to on-premises network
szc vpc route add my-vpc \
  --destination 192.168.0.0/16 \
  --target vpn-gateway
```

### VPN Status

```bash
szc vpc vpn get my-vpc my-vpn
```

## Private Endpoints

Access Sparbz Cloud services via private IP:

### Available Endpoints

| Service | Endpoint |
|---|---|
| S3 Storage | storage.internal.sparbz.cloud |
| Container Registry | registry.internal.sparbz.cloud |
| API | api.internal.sparbz.cloud |

### Enable Private Endpoint

```bash
# Enable S3 private endpoint
szc vpc endpoint create my-vpc storage

# Enable registry endpoint
szc vpc endpoint create my-vpc registry
```

### List Endpoints

```bash
szc vpc endpoint list my-vpc
```

## DNS Resolution

Resources within a VPC can resolve other resources by name:

```text
# Database DNS
<database-name>.databases.<vpc-id>.internal

# Kafka DNS
<cluster-name>.kafka.<vpc-id>.internal

# Example connection string
postgres://user:pass@my-db.databases.vpc-abc123.internal:5432/mydb
```

## Network Architecture

```text
VPC (10.0.0.0/16)
├── Subnet: databases (10.0.0.0/24)
│   ├── PostgreSQL: 10.0.0.10
│   ├── MySQL: 10.0.0.11
│   └── MongoDB: 10.0.0.12
├── Subnet: kubernetes (10.0.16.0/20)
│   ├── Pod CIDR: 10.0.16.0/20
│   └── Service CIDR: 10.0.32.0/20
├── Subnet: endpoints (10.0.1.0/28)
│   ├── Storage endpoint: 10.0.1.1
│   └── Registry endpoint: 10.0.1.2
├── VPN Gateway: vpn.vpc-abc123.sparbz.cloud
└── NAT Gateway: nat.vpc-abc123.sparbz.cloud
```

## Monitoring

### Network Metrics

Available metrics:

- Bytes in/out per subnet
- Packets in/out per subnet
- Connection count
- VPN tunnel status
- NAT gateway usage

### View Metrics

```bash
# Get VPC network metrics
szc vpc metrics my-vpc

# Get VPN status
szc vpc vpn status my-vpc my-vpn
```

## Best Practices

### CIDR Planning

- Use private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Plan for growth: start with a /16 for large deployments
- Avoid overlapping CIDRs if using VPC peering
- Reserve space for future subnets
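These rules, together with the default subnet sizes from the Subnets table and the non-overlap requirement that applies to both VPC peering and the VPN `--remote-cidr`, can be checked before running `szc vpc create`. The script below is an added example, not part of the Sparbz Cloud CLI or its documentation; it uses only the Python standard library. The carve-out order (databases, endpoints, kubernetes) is an assumption chosen because it reproduces the layout in the Network Architecture tree; how the service actually allocates subnets is not stated on the page. The VPC, peer and on-premises ranges in the sample run are constructed.

```python
"""Pre-flight checks for a VPC address plan (added example, not szc code)."""
from ipaddress import IPv4Network

# RFC 1918 private ranges from the "CIDR Planning" best practices.
PRIVATE_RANGES = [IPv4Network(c) for c in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Default subnet prefix lengths from the Subnets table. The carve-out order is an
# assumption: it reproduces the layout shown in the Network Architecture tree.
DEFAULT_SUBNETS = (("databases", 24), ("endpoints", 28), ("kubernetes", 20))


def check_vpc_cidr(cidr: str) -> list[str]:
    """Return a list of problems with a proposed VPC CIDR; empty means it is usable."""
    problems = []
    net = IPv4Network(cidr, strict=False)
    if str(net) != cidr:
        problems.append(f"{cidr} has host bits set; the network is {net}")
    if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"{net} is outside the RFC 1918 private ranges")
    needed = sum(2 ** (32 - prefix) for _, prefix in DEFAULT_SUBNETS)
    if net.num_addresses < needed:
        problems.append(f"{net} has {net.num_addresses} addresses; "
                        f"the default subnets need at least {needed}")
    return problems


def allocate_default_subnets(vpc_cidr: str) -> dict[str, str]:
    """Carve the default subnets out of the VPC block, each aligned to its own size."""
    vpc = IPv4Network(vpc_cidr)
    cursor = int(vpc.network_address)
    end = int(vpc.broadcast_address) + 1
    plan = {}
    for name, prefix in DEFAULT_SUBNETS:
        size = 2 ** (32 - prefix)
        start = -(-cursor // size) * size   # round cursor up to a multiple of size
        if start + size > end:
            raise ValueError(f"no room for a /{prefix} '{name}' subnet in {vpc}")
        plan[name] = str(IPv4Network((start, prefix)))
        cursor = start + size
    return plan


def find_overlaps(vpc_cidr: str, remote_cidrs: dict[str, str]) -> list[tuple[str, str]]:
    """Pairwise overlap check between the VPC and every peer / VPN remote network."""
    nets = {"vpc": IPv4Network(vpc_cidr)}
    nets.update({name: IPv4Network(c) for name, c in remote_cidrs.items()})
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    # Constructed sample plan: the page's 10.0.0.0/16 VPC, one peer VPC that
    # reuses the same range, and the on-premises range from the VPN section.
    vpc = "10.0.0.0/16"
    print("problems:", check_vpc_cidr(vpc) or "none")
    for name, cidr in allocate_default_subnets(vpc).items():
        print(f"  {name:<11} {cidr}")
    remotes = {"peer-vpc": "10.0.0.0/16", "on-prem": "192.168.0.0/16"}
    print("overlaps:", find_overlaps(vpc, remotes) or "none")
```

For `10.0.0.0/16` the allocator yields `10.0.0.0/24`, `10.0.1.0/28` and `10.0.16.0/20`, the same addresses as the Network Architecture tree, and the sample run reports the peer VPC as an overlap, which is the case the "Avoid overlapping CIDRs if using VPC peering" rule warns about. Overlaps between two remote ranges are reported too, since a VPN remote network and a peer VPC that share addresses cannot both be routed from one VPC.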

### Security

- Use security groups to restrict traffic to required ports
- Disable public access for databases in VPCs
- Use VPN or VPC peering for cross-network access
- Enable flow logs for auditing

### Performance

- Place related resources in the same VPC
- Use private endpoints for S3/registry access
- Monitor NAT gateway for bottlenecks
- Consider regional placement for latency

## Pricing

| Resource | Monthly |
|---|---|
| VPC | Free |
| NAT Gateway | $32 + $0.045/GB processed |
| VPN Gateway | $36 + $0.05/GB transferred |
| VPC Peering | $0.01/GB transferred |
| Private Endpoints | $7.20 per endpoint |

Data transfer within the same VPC is free.

## Limitations

| Resource | Limit |
|---|---|
| VPCs per organization | 5 |
| Subnets per VPC | 10 |
| Security groups per VPC | 50 |
| Rules per security group | 50 |
| VPC peering connections | 10 |
| VPN connections per VPC | 5 |

Contact support to increase limits for your organization.