Is Your Classic Cloud Network Unsafe? Learn How VPCs Provide True Isolation

Preface

The recent discussion around Alibaba Cloud’s user network highlighted security concerns about the so‑called “classic network” and sparked interest in VPC concepts.

What Does “Isolation” Mean?

Network isolation usually refers to separating traffic at the data‑link layer (OSI Layer 2). Broadcast frames in a Layer 2 domain are received by all devices, similar to everyone in a single classroom being able to see each other.

OpenStack’s Approach

OpenStack Neutron provides networking for virtual machines in a multi‑tenant environment and implements isolation mechanisms to keep tenants separate.

Flat Network

A flat network (type “flat”) places all VMs in the same Layer 2 broadcast domain, offering no isolation. This simplicity can lead to security issues and broadcast storms.

VLAN‑Based Isolation

Creating a network of type “vlan” uses VLANs to provide Layer 2 isolation. Each VLAN forms its own broadcast domain, similar to separating a school’s auditorium into individual classrooms.

However, VLANs require physical switch configuration and are limited to about four thousand IDs, restricting the number of tenants.

Overlay Networks (VXLAN)

Overlay networks encapsulate Layer 2 frames inside UDP packets (VXLAN), allowing virtual networks to span across Layer 3 routed hosts.

Encapsulated packets travel using the host’s IP addresses; as long as hosts can reach each other at Layer 3, the inner frames are delivered.

VXLAN supports over 16 million IDs, allowing many tenants.

Complete isolation lets tenants define overlapping IP ranges.

With Layer 3 routing, tenants can build custom topologies, such as connecting multiple virtual networks to a virtual router.

Virtual Private Cloud (VPC)

VPC (Virtual Private Cloud) is an AWS‑originated product concept that provides fully isolated tenant networks, overlapping IP spaces, and user‑defined routing and topology.

Conclusion

Classic networks were an early, quick‑to‑deploy solution using three‑layer iptables isolation but left Layer 2 broadcast domains unsegmented, making them insecure. VPCs and modern overlay or VLAN solutions offer comprehensive isolation. While classic networks still have historical value, using default security groups adds some Layer 3 protection. The article focuses on OpenStack networking, which mirrors cloud networking patterns, and hints at further custom developments based on Neutron.