Secure VPC Architecture Examples
The following examples illustrate recommended VPC design patterns in CloudRaya.
These diagrams are logical representations, intended to help you understand network structure, traffic flow, and security boundaries.
They do not represent exact UI layouts or required configurations.
Use these patterns as guidance when designing your own VPC architecture.
1️⃣ Simple VPC Design (Small Project)
Suitable for
- Personal projects
- MVPs or prototypes
- Internal tools
- Single-application workloads
- Minimal security requirements
Characteristics
- One VPC
- One subnet
- Public IP attached directly to the VM
- Default ACL rules
Logical Diagram
Cloud Zone
│
VPC: default-vpc (10.10.0.0/24)
│
└─ Subnet: default-subnet (10.10.0.0/24)
│
└─ VM: app-01
- Private IP: 10.10.0.10
- Public IP: Enabled
- ACL:
Allow: TCP 22 (SSH)
Allow: TCP 80 / 443
Deny: All other trafficNotes
- Networking is automatically managed by CloudRaya
- Suitable for users who want to deploy quickly
- Not recommended for sensitive data or production workloads
2️⃣ Production-Ready VPC Design
Suitable for
- Production environments
- Public-facing applications
- Workloads requiring stronger isolation
- Scalable architectures
Characteristics
- One VPC
- Multiple subnets
- Load Balancer with Public IP
- Backend VMs without Public IPs
- Clear, layered traffic flow
Logical Diagram
Cloud Zone
│
VPC: prod-vpc (10.20.0.0/19)
│
├─ Subnet: public-web (10.20.0.0/24)
│ │
│ └─ Load Balancer
│ - Public IP
│ - Ports:80 /443
│ - Algorithm: Round Robin
│
├─ Subnet: private-app (10.20.1.0/24)
│ │
│ ├─ VM: app-01 (Private IP only)
│ └─ VM: app-02 (Private IP only)
│
├─ Subnet: private-db (10.20.2.0/24)
│ │
│ └─ VM: db-01 (Private IP only)
│
└─ VPN
- Admin access to private-app and private-dbTraffic Flow
Internet
↓
Load Balancer (Public IP)
↓
Application Subnet
↓
Database SubnetACL Design (Conceptual)
- public-web
- Allow: TCP 80 / 443 from Internet
- private-app
- Allow: traffic from public-web subnet
- private-db
- Allow: traffic from private-app subnet
- VPN access
- Allow: administrative IP ranges only
3️⃣ Multi-Environment VPC Design (Development / Staging / Production)
Suitable for
- Team collaboration
- CI/CD pipelines
- Environment isolation
- Growing startups or enterprise workloads
Characteristics
- Separate VPC per environment
- Identical subnet structure across environments
- No cross-environment traffic
- Consistent operational patterns
Logical Diagram
Cloud Zone
│
├─ VPC: dev-vpc (10.30.0.0/19)
│ ├─ Subnet: dev-web
│ ├─ Subnet: dev-app
│ └─ VPN (Developer access)
│
├─ VPC: staging-vpc (10.40.0.0/19)
│ ├─ Subnet: staging-web
│ ├─ Subnet: staging-app
│ └─ VPN (Staging access)
│
└─ VPC: prod-vpc (10.50.0.0/19)
├─ Subnet: prod-web
│ └─ Load Balancer (Public IP)
├─ Subnet: prod-app
├─ Subnet: prod-db
└─ VPN (Restricted admin access)Key Principles
❌ No direct traffic between VPCs
✅ Consistent subnet naming across environments
✅ Unique CIDR ranges per VPC
✅ Production access tightly controlled
Recommended Access Model
Developer Laptop
│
├─ VPN → dev-vpc
├─ VPN → staging-vpc
└─ Restricted VPN →prod-vpc📌 Design Pattern Summary
| Scenario | Recommended Pattern |
|---|---|
| Personal or small project | Simple VPC |
| Production application | Production-ready VPC |
| Team & CI/CD workflows | Multi-environment VPC |
Final Notes
These examples demonstrate secure-by-design networking patterns using CloudRaya’s VPC, subnet, ACL, Load Balancer, and VPN features.
You do not need to implement all patterns at once.
Start simple, and evolve your architecture as your workload grows.