4) Cloud Networking

VPC/VNet (AWS/Azure/GCP), peering & transit, VPN/Direct-Connect/ExpressRoute/Interconnect, load balancers L4/L7, PrivateLink/PSC, DNS privé, observabilité et coûts.

VPC/VNet Transit LB L4/L7 PrivateLink/PSC

Structure

VPC/VNet ↔ Subnets (multi-AZ/zones) ↔ Route Tables.
Sortie Internet: IGW (+ NATGW pour subnets privés). Entrée : LB/ALB/NLB.
IPv6: /56 ou /48 par VPC; /64 par sous-réseau; egress via egress-only IGW.

Patterns

Hub & Spoke (sécurité centrale, inspection).
Shared VPC/Resource groups par env (prod/preprod/dev).

Routage

Routes vers NATGW, TGW/vWAN, endpoints privés, VPC peering.
Pas de transitive routing via peering (sauf via TGW/vWAN).

# AWS — VPC public/privé avec NATGW (extraits)
aws ec2 create-vpc --cidr-block 10.10.0.0/16
aws ec2 create-subnet --vpc-id vpc-xxx --cidr-block 10.10.1.0/24 --availability-zone a
aws ec2 create-subnet --vpc-id vpc-xxx --cidr-block 10.10.2.0/24 --availability-zone b
aws ec2 create-internet-gateway
aws ec2 attach-internet-gateway --vpc-id vpc-xxx --internet-gateway-id igw-xxx
# NAT Gateway
aws ec2 allocate-address
aws ec2 create-nat-gateway --subnet-id subnet-public --allocation-id eipalloc-xxx
# Routes
aws ec2 create-route-table --vpc-id vpc-xxx
aws ec2 create-route --route-table-id rtb-public --destination-cidr-block 0.0.0.0/0 --gateway-id igw-xxx
aws ec2 create-route --route-table-id rtb-private --destination-cidr-block 0.0.0.0/0 --nat-gateway-id nat-xxx

# Azure — VNet + Subnets + NSG (extraits)
az network vnet create -g rg-net -n vnet-prod --address-prefix 10.20.0.0/16
az network vnet subnet create -g rg-net --vnet-name vnet-prod -n snet-public --address-prefixes 10.20.1.0/24
az network vnet subnet create -g rg-net --vnet-name vnet-prod -n snet-private --address-prefixes 10.20.2.0/24
az network nsg create -g rg-net -n nsg-web
az network nsg rule create -g rg-net --nsg-name nsg-web -n AllowHTTP --priority 100 \
  --access Allow --protocol Tcp --direction Inbound --destination-port-ranges 80

# GCP — VPC custom mode + subnets
gcloud compute networks create vpc-prod --subnet-mode=custom
gcloud compute networks subnets create prod-eu1 --network=vpc-prod --range=10.30.1.0/24 --region=europe-west1
# Firewall rules (équivalent SG)
gcloud compute firewall-rules create allow-http --network vpc-prod --allow tcp:80 --direction=INGRESS

Security Groups (AWS)

Stateful, attachés ENI/instances/LB; règles ingress/egress.

NSG (Azure)

Stateful, niveau NIC/subnet; priorités; UDR pour le routage.

NACL (AWS) & FW rules (GCP)

Stateless (NACL) vs GCP firewall stateful au niveau VPC.

Peering = lien point-à-point **non transitif** (pas de routage via un 3e VPC).
Inter/Intrerégion variable (latence/coûts inter-région facturés).
Pas de recouvrement d’adresses (CIDR overlap interdit).

# AWS — VPC peering
aws ec2 create-vpc-peering-connection --vpc-id vpc-a --peer-vpc-id vpc-b
aws ec2 accept-vpc-peering-connection --vpc-peering-connection-id pcx-xxx
# Propager routes
aws ec2 create-route --route-table-id rtb-a --destination-cidr-block 10.20.0.0/16 --vpc-peering-connection-id pcx-xxx

# Azure VNet peering
az network vnet peering create -g rg -n peeringAB --vnet-name vnetA --remote-vnet vnetB --allow-vnet-access
# GCP VPC peering
gcloud compute networks peerings create a-to-b --network=vpc-a --peer-network=vpc-b

Shared VPC (GCP) : projets « service » consomment sous-réseaux d’un projet « hôte ».
VPC Endpoints (AWS) pour S3/DynamoDB/privés; évite NAT/egress.

Coûts data-transfer **inter-AZ/région**; surveiller métriques sur peering.
VPC Flow Logs par interface; Reachability Analyzer (AWS) pour path.

Centraliser le routage & l’inspection dans un **hub** (firewalls, NAT egress, DNS, proxies).
Routage **dynamique** (BGP) vers sites/SD-WAN/DC; segmentation par VRF/Route tables.

# AWS Transit Gateway (extraits)
aws ec2 create-transit-gateway --description "Core TGW"
aws ec2 create-transit-gateway-vpc-attachment --transit-gateway-id tgw-xxx --vpc-id vpc-a --subnet-ids subnet-1 subnet-2
# Tables de routes TGW (isolation par domaine)
aws ec2 create-transit-gateway-route-table --transit-gateway-id tgw-xxx

# Azure vWAN/Hub (extrait)
az network vwan create -g rg -n vwan-core
az network vhub create -g rg --name hub-eu --address-prefix 10.255.0.0/23 --vwan vwan-core --location westeurope

# GCP — Cloud Router + HA VPN
gcloud compute routers create cr-eu --network vpc-prod --asn 65010 --region europe-west1
gcloud compute vpn-tunnels create ha-tunnel \
  --peer-address=X.X.X.X --router=cr-eu --ike-version=2 --shared-secret=... --region=europe-west1

Modèle « inspection VPC » avec **Gateway Load Balancer** (AWS) pour FW virtuels.
Azure Firewall Manager / GCP FW rules centralisées; hairpin/egress design.

VPN IPsec rapide à déployer, débit variable; liens dédiés = SLA & coûts fixes, latence moindre.
Public/Private VIF (DX), ER peering (Azure), Partner Interconnect (GCP).

# Exemple strongSwan + BGP (FRR) côté on-prem
# IPsec fixe, BGP pour routes dynamiques
vtysh -c "conf t" -c "router bgp 65000" -c "neighbor 169.254.1.1 remote-as 64512" \
      -c "address-family ipv4 unicast" -c "network 10.0.0.0/16"

# AWS Direct Connect — création VIF privé (extrait CLI)
aws dx create-private-virtual-interface --connection-id dxcon-xxx --new-private-virtual-interface-location region \
 --new-private-virtual-interface-asn 65010 --vlan 101 --address-family ipv4

Clamp MSS pour encapsulations (WireGuard/OpenVPN/IPsec GRE).
Deux tunnels/liaisons **multi-AZ**; tests de bascule réguliers.

L4 (TCP/UDP) latence basse, L7 (HTTP/S) routage avancé (path/host, WAF, TLS offload).
Global (anycast) vs regional; public vs interne.

# AWS — ALB (extraits)
aws elbv2 create-load-balancer --name alb-web --subnets subnet-a subnet-b --security-groups sg-web
aws elbv2 create-target-group --name tg-web --protocol HTTP --port 80 --vpc-id vpc-xxx
aws elbv2 register-targets --target-group-arn arn:... --targets Id=i-xxx Id=i-yyy

# Azure — Application Gateway (extrait)
az network application-gateway create -g rg -n appgw --vnet-name vnet --subnet snet-appgw --capacity 2 --sku Standard_v2

# GCP — HTTP(S) Global LB (extrait)
gcloud compute backend-services create be-web --global --health-checks hc-http
gcloud compute url-maps create web-map --default-service be-web
gcloud compute target-http-proxies create web-proxy --url-map web-map

Checks courts mais prudents; **cross-zone** activé; session stickiness si nécessaire.
Prévoir limites **SNAT ports** sur NLB/ILB lors de gros volumes egress.

Accéder à un service **sans IP publique**, via interfaces privées (ENI/NIC) dans le VPC du client.
Modèle **producer/consumer** (partage inter comptes/projets).

# AWS — Interface Endpoint (ex: SSM)
aws ec2 create-vpc-endpoint --vpc-id vpc-xxx --vpc-endpoint-type Interface \
  --service-name com.amazonaws.eu-west-1.ssm --subnet-ids subnet-a subnet-b --security-group-ids sg-ep

# GCP Private Service Connect — endpoint consommateur (extrait)
gcloud compute forwarding-rules create psc-endpoint --network vpc --subnet snet \
  --address x.x.x.x --target-service-attachment projects/svcproj/regions/xx/serviceAttachments/sa-name --region xx

# Azure Private Endpoint (extrait)
az network private-endpoint create -g rg -n pe-storage --vnet-name vnet --subnet snet \
  --private-connection-resource-id /subscriptions/.../storageAccounts/mystorage --group-ids blob

Bloquer egress Internet par défaut; autoriser endpoints/PL/PSC; proxy NAT géré.
DNS privé pointant vers endpoints; éviter sorties via NATGW coûteuses.

Zones privées par environnement; **resolver endpoints** pour on-prem ↔ cloud.
Split-horizon via vues/forwarding conditionnel (ex: *.corp.local → on-prem).

# Route53 — resolver inbound/outbound (extraits)
aws route53resolver create-resolver-endpoint --name inbound --direction INBOUND --ip-addresses SubnetId=subnet-a,Ip=10.10.1.10
aws route53resolver create-resolver-rule --rule-type FORWARD --domain-name corp.local --target-ips Ip=10.0.0.10

# Azure — Private DNS + link
az network private-dns zone create -g rg -n corp.local
az network private-dns link vnet create -g rg -n link1 -z corp.local -v vnet-prod -e true

# GCP — DNS policy & forwarding
gcloud dns policies create corp-fwd --networks=vpc-prod --target-name-servers=10.0.0.10 --alternative-name-server-config-enable-logs

# AWS — VPC Flow Logs
aws ec2 create-flow-logs --resource-type VPC --resource-ids vpc-xxx --traffic-type ALL --log-destination-type cloud-watch-logs --log-group-name vpc-logs
# GCP — VPC Flow Logs (subnet)
gcloud compute networks subnets update prod-eu1 --enable-flow-logs --region europe-west1

# AWS Reachability Analyzer
aws ec2 create-network-insights-path --source i-xxx --destination alb-arn --protocol tcp --destination-port 443

# Packet mirroring (GCP)
gcloud compute packet-mirrorings create pm1 --network vpc-prod --collector-ilb COLLECTOR \
  --mirrored-subnets prod-eu1 --region europe-west1

Exporter logs vers SIEM (parquet/object storage) + règles d’alerting (p.ex. ports scannés, drops anormaux).
Surveiller **data transfer** inter-AZ/région; tagger pour showback/chargeback.

# Terraform — module VPC (extrait HCL)
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  name    = "prod"
  cidr    = "10.10.0.0/16"
  azs             = ["eu-west-1a","eu-west-1b"]
  public_subnets  = ["10.10.1.0/24","10.10.2.0/24"]
  private_subnets = ["10.10.11.0/24","10.10.12.0/24"]
  enable_nat_gateway = true
}

# AWS Organizations — SCP (exemple JSON)
{
 "Version":"2012-10-17",
 "Statement":[{"Effect":"Deny","Action":"ec2:CreateInternetGateway","Resource":"*","Condition":{"StringNotEquals":{"aws:PrincipalOrgID":"o-XXXX"}}}]
}
# Azure Policy — deny public IP à la création (extrait)
{
 "policyRule":{"if":{"field":"Microsoft.Network/publicIPAddresses/publicIPAllocationMethod","exists": "true"},
 "then":{"effect":"Deny"}}
}

Tags: env, app, owner, cost-center; vues **FinOps** par tag.
Budget/alerts; showback par projet/équipe; dashboards coûts réseau.

4) Cloud Networking

VPC/VNet — Subnets & Routage

Peering & Partage de VPC

Transit Gateway & vWAN

Hybride : VPN & Liaisons dédiées

Load Balancers L4/L7

PrivateLink / PSC / Endpoints

DNS privé & Résolution

Flow Logs & Troubleshooting

Perf, Limites & Coûts

IaC Terraform & Guardrails