Virtual private cloud is denoted as VPC. A private cloud built within the public cloud, that cloud is referred to as a “virtual private cloud.” Cloudstack supports VPC with a wide range of connecting option and services. A basic component of VPC in cloudstack is the VPC virtual router. It manages routing to and from VPC to private gateway,public gateways vpn, and so-on. In Cloudstack, world vpc is otherwise called as Tier Networks. Vpc Virtual router Interconnect tiers networks.

Core components in Cloudstack VPC are:

  1. VPC Virtual route
  2. Tier

VPC Virtual Router:

A virtual router is a virtual machine created by cloudstack at the time of Vpc create. Those virtual machine have capability of virtual router. It connect the tiers and forward traffic from and to the public gateway, the VPN gateways, and private gateways. The virtual router provides DNS and DHCP services through ips. North-south and east-west traffic are pass through Virtual router.


We denote name Tier as a Network. Tier is nothing but a sub-network inside VPC. Each Tier have network offering. Bundle of network supported services are called as network offering. Admin create Network offering. Those offering are listed for User at the time of Network create. User must choose a network offering and create network. User change network offering at any time without interrupt existing network. In vpc you choose network offering at the time of tier create.

In tiers you can launch VMs in the virtual network that can have private addresses in the range of your choice, for example, if a VPC has the private range, It tier network can have the network ranges of,,, and so on. VPC CIDR must be a super set of all the tier CIDRs and there should not be any overlap among VPC tier CIDRs.


By default cloud-stack provides three-types of network offerings and those are

  1. DefaultIsolatedNetworkOfferingForVpcNetworks (WebTier ):

This default network offering supported services are StaticNat, Dhcp, SourceNat, NetworkACL, UserData, PortForwarding, Dns, Vpn, public-Lb

2.DefaultIsolatedNetworkOfferingForVpcNetworksNoLB (Database Tier):

This default network offering supported services are StaticNat, Dhcp, SourceNat, NetworkACL, UserData, PortForwarding, Dns, Vpn

3.DefaultIsolatedNetworkOfferingForVpcNetworksWithInternalLB (Application Tier):

This Default network offering supported service are Dhcp, SourceNat, NetworkACL, UserData, Dns, Lb

Cloudstack Vpc supported services are:

  1. Source-NAT
    2. Stactic-NAT
    3. Public-Loadbalancer (External Load balancer)
    4. Internal-Loadbalancer
    5. Public-Ipaddress
    6. Port-Forwarding

Cloudstack Vpc connectivity options are:

  1. Site to site Vpn connection
    2. Private gateway with static route
    3. Public-Gateway with source Nat

Cloudstack vpc security options is:

  1. Network -ACL

Accessing the internet:

You control how the instances that you launch into a VPC can access resources outside the VPC.

Your default VPC includes the Public Gateway and the instances in each tier communicate with the Internet through Public Gateway using Source-NAT service provided by VPC VR.

Source-NAT service allows an instance in your VPC to initiate outbound connections to the Internet but prevent unsolicited inbound connections from the Internet. NAT maps multiple private IP addresses to a single public IP address. You can connect an instance in a tier to the internet though the NAT Instance (Public Gateway), which routes traffic from the instance to the internet and routes any response to the instance.

Accessing Corporate Network:

You can optionally connect your VPC to your own corporate data center using Site-to-Site VPN connection, making the VPC cloud an extension of your data center.

A VPN connection consists of a VPN Gateway attached to your VPC and a customer gateway located in your data center. A VPN Gateway is the VPC-Router on the Cloudstack side of the VPN connection. A VPN Customer Gateway is a physical device or software appliance on your data center side of the VPN connection.

VPC Site-to-Site VPN connection provides IPSec vpn to entire VPC. There is no tier based VPN connection. On successful vpn connection establishment, your data center will have access to all the resources in all tiers with in the VPC.

Off late Cloudstack VPC also has support for Site-to-Site vpn between two VPCs in the cloud. Each vpc can be part of separate zone or within the same zone.

Accessing Private Network:

You can optionally connect your VPC to your local site inside Datacenter using VPCs Private Gateway functionality clubbed with Static Routes without using VPCs Public Gateway.

A VPC Private Gateway is a feature the Cloud Admins can leverage to provide a 2nd Gateway out of the VPC Virtual Router.  The connection can be used to connect the VMs running within the VPC to other infrastructure via for example a MPLS Network rather than over the Public Internet.

For example, we can use private gateway to backup virtual machines. We can use static route option to route the traffic to site network using private gateway. This would save your network usage on public gateway by directing site traffic through private gateway.

VPC Security:

Network-ACLs feature in VPC enables the users to control the flow of traffic between each Network Tier and also the Internet. In VPC Network ACL is otherwise called as Network Firewall for Tiers. Traffic to and from VPC is pass through network ACL. User have to create custom network ACL with their choice or User have option to discard Network ACL for their tiers. At any time user can change their Network Acl in Tiers. A typical VPC may contain 3 Network Tiers, Web, App and DB, with only the Web Tier having Internet Access.

In Vpc Public loadbalancer is support for a single Tier only. Similarly Internal-LB is also supported for a single Tier. If a tier in VPC has a public-LB then the other tiers can’t have public-LB. Same goes to internal-LB service as well. In cloudstack term three types of tiers are:


Web Tier supported services are StaticNat, Dhcp, SourceNat, NetworkACL, UserData, PortForwarding, Dns, Vpn, public-Lb
Mostly used service in this tier is public-LB or External-LB


Application Tier supported services are Dhcp, SourceNat, NetworkACL, UserData, Dns, Lb
Mostly used service in this tier is Internal-LB


Database Tier supported services are StaticNat, Dhcp, SourceNat, NetworkACL, UserData, PortForwarding, Dns, Vpn


Internal load balancer is otherwise called as Tier Load balancer. Traffic received at a tier is load balanced across different VMs with-in that tiers using internal-LB. For example, traffic from a Web tier is load balanced to VMs in Application tier.