Networking Across Clouds
Side-by-side comparison of networking across AWS, Azure, GCP, and OCI covering VPC architecture, firewalls, load balancing, DNS, VPN, interconnect, peering, and multi-cloud connectivity patterns.
Prerequisites
- Basic TCP/IP networking knowledge
- Experience with at least one cloud provider's networking
Networking is the backbone of every cloud deployment, yet each cloud provider implements networking concepts with different architectures, terminology, and capabilities. Understanding these differences is essential for designing multi-cloud architectures, migrating between providers, or simply choosing the right cloud for your networking requirements. This guide provides a comprehensive side-by-side comparison of networking across AWS, Azure, GCP, and OCI.
While the fundamental concepts (virtual networks, subnets, firewalls, load balancers, DNS) exist on every platform, the implementations vary significantly. GCP uses a global VPC model where a single VPC spans all regions, while AWS and Azure use regional networks that must be explicitly connected. OCI provides a unique security list and network security group model. These architectural differences affect everything from network design to cost optimization.
This guide covers virtual network architecture, subnet and IP addressing, firewall and security groups, load balancing services, DNS and domain management, VPN and interconnect options, peering and transit networking, and practical multi-cloud connectivity patterns.
Virtual Network Architecture
| Feature | AWS VPC | Azure VNet | GCP VPC | OCI VCN |
|---|---|---|---|---|
| Scope | Regional | Regional | Global | Regional |
| Subnet Scope | AZ-specific | Regional (span AZs) | Regional | AD-specific or regional |
| Default Limit | 5 VPCs per region (adjustable) | 1000 VNets per subscription per region | 15 VPC networks per project (quota, adjustable) | 50 VCNs per region (service limit, adjustable) |
| CIDR Ranges | /16 to /28, multiple CIDR blocks | Multiple address spaces, subnets down to /29 | Custom-mode subnets down to /29, or auto-mode /20 per region | /16 to /30, multiple CIDR blocks |
| IPv6 Support | Dual-stack | Dual-stack | Dual-stack (GA) | Dual-stack (limited) |
| Default Network | Default VPC per region (subnets auto-assign public IPs) | No default | Default VPC with auto-mode subnets and allow-SSH/RDP-from-anywhere firewall rules; delete or lock it down | No default |
GCP Global VPC Advantage
GCP's global VPC is a significant architectural advantage for multi-region deployments. A single VPC spans all regions, and its regional subnets reach each other over Google's internal backbone without VPC peering or transit gateways. On AWS and Azure, you need explicit peering or transit networking between regional networks, adding complexity and cost. The flip side is that a global VPC is one flat routing domain: separation between regions or environments comes from firewall rules (targeted by network tag or service account) and from splitting workloads across VPCs or projects, not from topology.
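Whether the networks are regional or global, they will eventually be peered or joined over VPN, and none of the four providers will route overlapping prefixes sensibly. The script below is an added example (not from the original guide) that validates a multi-cloud address plan with the Python standard library: it flags overlapping network CIDRs, subnets that fall outside their parent, and sibling subnet collisions, then proposes the next free block for a new network. The network names and CIDRs are invented sample data; Python is used because the cloud CLI calls themselves cannot run offline.

```python
"""Cross-cloud address-plan check (added example, not from the original guide).

Before you peer VPCs/VNets/VCNs or join them over VPN, make sure no two network
CIDRs overlap and that every subnet sits inside its own network. Peering and
route exchange reject or mis-route overlapping prefixes, and discovering an
overlap after workloads exist means re-addressing production subnets.
All names and CIDRs below are constructed sample data.
"""
from ipaddress import ip_network
from itertools import combinations

# Constructed plan: one network per cloud with its subnets. Two mistakes are
# planted: the OCI VCN overlaps the Azure VNet, and a GCP subnet was copied
# from the AWS range by accident.
PLAN = {
    "aws-prod-vpc":    {"cidr": "10.0.0.0/16",   "subnets": ["10.0.1.0/24", "10.0.2.0/24"]},
    "azure-prod-vnet": {"cidr": "10.1.0.0/16",   "subnets": ["10.1.1.0/24", "10.1.2.0/24"]},
    "gcp-prod-vpc":    {"cidr": "10.2.0.0/16",   "subnets": ["10.2.1.0/24", "10.0.2.0/24"]},
    "oci-prod-vcn":    {"cidr": "10.1.128.0/17", "subnets": ["10.1.129.0/24"]},
}


def find_conflicts(plan):
    """Return a list of findings (strings); an empty list means the plan is clean."""
    findings = []
    # strict=True rejects CIDRs with host bits set, e.g. "10.0.1.5/24".
    nets = {name: ip_network(spec["cidr"], strict=True) for name, spec in plan.items()}

    # 1. Any two networks that will ever be connected must not overlap.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            findings.append(f"network overlap: {a} {na} <-> {b} {nb}")

    # 2. Each subnet must be inside its parent and not collide with a sibling.
    for name, spec in plan.items():
        subnets = [ip_network(s, strict=True) for s in spec["subnets"]]
        for s in subnets:
            if not s.subnet_of(nets[name]):
                findings.append(f"subnet outside parent: {name} {s} is not within {nets[name]}")
        for s1, s2 in combinations(subnets, 2):
            if s1.overlaps(s2):
                findings.append(f"subnet overlap in {name}: {s1} <-> {s2}")
    return findings


def next_free_block(plan, supernet="10.0.0.0/8", new_prefix=16):
    """First /new_prefix inside `supernet` that overlaps none of the planned networks."""
    used = [ip_network(spec["cidr"]) for spec in plan.values()]
    for candidate in ip_network(supernet).subnets(new_prefix=new_prefix):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


if __name__ == "__main__":
    for finding in find_conflicts(PLAN):
        print("FAIL:", finding)
    print("next free /16 for a new network:", next_free_block(PLAN))
```

Run it as a pre-flight step in the pipeline that creates networks; a non-empty result from `find_conflicts` should fail the build before any `create-vpc`, `vnet create`, `networks create` or `vcn create` call is made.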
Creating Virtual Networks
```bash
# AWS: Create a VPC
aws ec2 create-vpc \
  --cidr-block 10.0.0.0/16 \
  --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=my-vpc}]'

# Create subnets in different AZs (AWS subnets are AZ-specific)
aws ec2 create-subnet \
  --vpc-id vpc-12345 \
  --cidr-block 10.0.1.0/24 \
  --availability-zone us-east-1a
aws ec2 create-subnet \
  --vpc-id vpc-12345 \
  --cidr-block 10.0.2.0/24 \
  --availability-zone us-east-1b
```

```bash
# Azure: Create a VNet
az network vnet create \
  --name my-vnet \
  --resource-group my-rg \
  --address-prefixes 10.0.0.0/16 \
  --location eastus

# Create subnets (Azure subnets span all AZs in the region)
az network vnet subnet create \
  --name web-subnet \
  --vnet-name my-vnet \
  --resource-group my-rg \
  --address-prefixes 10.0.1.0/24
az network vnet subnet create \
  --name app-subnet \
  --vnet-name my-vnet \
  --resource-group my-rg \
  --address-prefixes 10.0.2.0/24
```

```bash
# GCP: Create a custom-mode VPC with subnets in multiple regions
gcloud compute networks create my-vpc \
  --subnet-mode=custom
gcloud compute networks subnets create web-subnet \
  --network=my-vpc \
  --region=us-central1 \
  --range=10.0.1.0/24
gcloud compute networks subnets create app-subnet \
  --network=my-vpc \
  --region=europe-west1 \
  --range=10.0.2.0/24
# These subnets can communicate directly - no peering needed!
# (Ingress is implicitly denied until you add firewall rules; egress is implicitly allowed.)
```

```bash
# OCI: Create a VCN
oci network vcn create \
  --compartment-id COMPARTMENT_OCID \
  --cidr-blocks '["10.0.0.0/16"]' \
  --display-name my-vcn

# Create a regional subnet (omit --availability-domain for regional scope)
oci network subnet create \
  --compartment-id COMPARTMENT_OCID \
  --vcn-id VCN_OCID \
  --cidr-block 10.0.1.0/24 \
  --display-name web-subnet
```
Firewall and Security Comparison
| Feature | AWS | Azure | GCP | OCI |
|---|---|---|---|---|
| Instance-Level | Security Groups (stateful) | NSGs (stateful) | VPC Firewall Rules (stateful, targeted by network tag or service account) | Network Security Groups (stateful or stateless rules) |
| Subnet-Level | NACLs (stateless, ordered allow/deny) | NSGs on subnets | None (rules are VPC-wide; hierarchical and network firewall policies add org/folder scope) | Security Lists (stateful or stateless rules) |
| Managed Firewall | AWS Network Firewall | Azure Firewall | Cloud NGFW (Essentials / Standard / Enterprise) | OCI Network Firewall |
| WAF | AWS WAF | Azure WAF (on App GW / Front Door) | Cloud Armor | WAF on LBaaS |
| DDoS Protection | Shield Standard (free) / Shield Advanced | DDoS infrastructure protection (free) / Network Protection, IP Protection | Cloud Armor Standard (always-on) / Enterprise | Built-in DDoS protection |
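The stateful/stateless column is the one that bites in practice. The model below is an added example, not from the original guide: it evaluates a constructed HTTPS request and its reply against the same allow-443 rule under stateful semantics (security groups, NSGs, GCP firewall rules, OCI stateful rules) and under stateless semantics (NACLs, OCI stateless rules), and shows why the stateless set needs an explicit ephemeral-port egress rule. The `Rule` and `Packet` shapes are simplified abstractions written for this example, not any provider's API.

```python
"""Stateful vs stateless filtering, modelled (added example, not from the original guide).

Security groups (AWS), NSGs (Azure), VPC firewall rules (GCP) and OCI stateful
rules track connections: once a request is allowed in, its reply is allowed
out with no egress rule. AWS NACLs and OCI stateless rules judge each packet
alone, so the reply needs an explicit outbound rule that covers the client's
ephemeral source port. The rules and packets below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" (ingress) or "out" (egress)
    proto: str              # "tcp", "udp" or "any"
    ports: range            # destination port range the rule covers
    cidr: str               # remote prefix: source for "in", destination for "out"
    action: str = "allow"   # "deny" only exists in ordered, stateless sets such as NACLs


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def rule_matches(rule, pkt, direction):
    remote = pkt.src if direction == "in" else pkt.dst
    return (rule.direction == direction
            and rule.proto in ("any", pkt.proto)
            and pkt.dport in rule.ports
            and ip_address(remote) in ip_network(rule.cidr))


def evaluate(rules, pkt, direction, *, stateful, conntrack):
    """Return "allow" or "deny" for one packet.

    `conntrack` is the set of 5-tuples already admitted; it is consulted and
    updated only in stateful mode. Rules are evaluated first-match (NACL
    semantics); with allow-only lists this equals the any-match semantics of
    security groups. Default is deny.
    """
    flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
    reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
    if stateful and reverse in conntrack:
        return "allow"                      # reply to a connection we already admitted
    for rule in rules:
        if rule_matches(rule, pkt, direction):
            if stateful and rule.action == "allow":
                conntrack.add(flow)
            return rule.action
    return "deny"


# Constructed scenario: an internet client talks to a web server on 443.
CLIENT, WEB_SERVER = "203.0.113.7", "10.0.1.10"
REQUEST = Packet(src=CLIENT, sport=50000, dst=WEB_SERVER, dport=443, proto="tcp")
REPLY = Packet(src=WEB_SERVER, sport=443, dst=CLIENT, dport=50000, proto="tcp")

HTTPS_IN = Rule("in", "tcp", range(443, 444), "0.0.0.0/0")
# Stateless sets need this extra rule for replies. Note how coarse it is: it also
# lets the host open outbound connections to any port above 1023, which is why a
# NACL or stateless list is a backstop and the fine-grained policy belongs in the
# stateful layer.
EPHEMERAL_OUT = Rule("out", "tcp", range(1024, 65536), "0.0.0.0/0")


def round_trip(rules, *, stateful):
    """Evaluate the request (ingress) then its reply (egress); return both verdicts."""
    conntrack = set()
    return (evaluate(rules, REQUEST, "in", stateful=stateful, conntrack=conntrack),
            evaluate(rules, REPLY, "out", stateful=stateful, conntrack=conntrack))


if __name__ == "__main__":
    print("security group / NSG (stateful), ingress 443 only:", round_trip([HTTPS_IN], stateful=True))
    print("NACL (stateless), ingress 443 only:              ", round_trip([HTTPS_IN], stateful=False))
    print("NACL (stateless), plus ephemeral egress:         ", round_trip([HTTPS_IN, EPHEMERAL_OUT], stateful=False))
```

The same asymmetry applies on OCI when you mix stateful and stateless security-list rules on one subnet, and on AWS when a NACL fronts a security group: a connection must pass both layers in both directions, so a "mysterious" timeout on an otherwise allowed port is usually the missing stateless reply rule.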
Load Balancing Comparison
Load balancing is one of the areas where cloud providers diverge most significantly. AWS offers multiple distinct load balancer products, Azure has two main types, GCP offers a unified Cloud Load Balancing service with global reach, and OCI provides flexible load balancers with unique bandwidth pricing.
| Type | AWS | Azure | GCP | OCI |
|---|---|---|---|---|
| Layer 7 (HTTP/S) | ALB | Application Gateway | Global External App LB | Flexible LB (HTTP) |
| Layer 4 (TCP/UDP) | NLB | Load Balancer | Regional External Proxy Network LB | Network LB |
| Global Reach | Global Accelerator + ALB | Front Door | Native global LB | Regional only |
| Internal LB | Internal ALB/NLB | Internal LB | Internal App/Network LB | Private LB |
| Base Cost | ~$16/month + LCU | ~$18/month + capacity | ~$18/month + data | Bandwidth-based (10 Mbps free) |
GCP Global Load Balancing
GCP's global load balancer uses a single anycast IP address that routes users to the nearest healthy backend across all regions. This is fundamentally different from AWS and Azure where you need separate load balancers per region plus a global routing layer (Global Accelerator or Front Door). GCP's approach is simpler and often cheaper for globally distributed applications.
DNS Services
| Feature | AWS Route 53 | Azure DNS | GCP Cloud DNS | OCI DNS |
|---|---|---|---|---|
| Hosted Zone Cost | $0.50/month | $0.50/month | $0.20/month | Free (included) |
| Query Cost | $0.40/M queries | $0.40/M queries | $0.40/M queries | $0.60/M queries |
| Health Checks | Yes (built-in) | Via Traffic Manager | Via Cloud Load Balancing | Yes (health checks) |
| Traffic Routing | Latency, weighted, geolocation, failover | Via Traffic Manager | Via Cloud Load Balancing | Steering policies |
| Private DNS | Private Hosted Zones | Private DNS Zones | Private Zones | Private DNS |
| DNSSEC | Yes | Yes | Yes | Yes |
VPN and Interconnect Options
Every cloud provider offers both VPN (encrypted tunnel over the internet) and dedicated interconnect (private physical connection) options. The choice depends on bandwidth requirements, latency sensitivity, and budget.
| Feature | AWS | Azure | GCP | OCI |
|---|---|---|---|---|
| Site-to-Site VPN | AWS VPN (~$36/mo) | VPN Gateway (~$27-140/mo) | Cloud VPN HA (~$36/mo per tunnel) | Site-to-Site VPN (free) |
| Dedicated Connect | Direct Connect (1/10/100 Gbps) | ExpressRoute (50 Mbps - 10 Gbps) | Dedicated Interconnect (10/100 Gbps) | FastConnect (1/10 Gbps) |
| Partner Connect | Hosted Direct Connect | ExpressRoute via provider | Partner Interconnect (50 Mbps - 50 Gbps) | FastConnect via partner |
| Transit Networking | Transit Gateway | Virtual WAN | NCC (Network Connectivity Center) | DRG (Dynamic Routing Gateway) |
OCI Free VPN
OCI stands out on hybrid connectivity pricing: Site-to-Site VPN has no hourly charge, and FastConnect does not bill data transfer in either direction, so you pay only the FastConnect port hours. On AWS, a single VPN connection costs about $36/month before any data transfer, and Direct Connect charges both port hours and outbound data. This makes OCI the most cost-effective choice for hybrid connectivity scenarios.
Peering and Transit Networking
```bash
# AWS: Create VPC Peering (non-transitive; the two CIDRs must not overlap)
aws ec2 create-vpc-peering-connection \
  --vpc-id vpc-11111 \
  --peer-vpc-id vpc-22222 \
  --peer-region us-west-2

# Accept the peering connection (run in the accepter's account and region)
aws ec2 accept-vpc-peering-connection \
  --vpc-peering-connection-id pcx-12345
# Then add a route to the peer CIDR via pcx-12345 in both VPCs' route tables;
# security groups and NACLs still apply to peered traffic.

# AWS: Create Transit Gateway (hub-and-spoke, transitive routing between attachments)
aws ec2 create-transit-gateway \
  --description "Hub for all VPCs"
aws ec2 create-transit-gateway-vpc-attachment \
  --transit-gateway-id tgw-12345 \
  --vpc-id vpc-11111 \
  --subnet-ids subnet-11111
```

```bash
# Azure: Create VNet Peering (bi-directional, two commands)
az network vnet peering create \
  --name vnet1-to-vnet2 \
  --resource-group rg1 \
  --vnet-name vnet1 \
  --remote-vnet /subscriptions/SUB_ID/resourceGroups/rg2/providers/Microsoft.Network/virtualNetworks/vnet2 \
  --allow-vnet-access
az network vnet peering create \
  --name vnet2-to-vnet1 \
  --resource-group rg2 \
  --vnet-name vnet2 \
  --remote-vnet /subscriptions/SUB_ID/resourceGroups/rg1/providers/Microsoft.Network/virtualNetworks/vnet1 \
  --allow-vnet-access
```

```bash
# GCP: VPC Peering (VPC is global, but peering connects separate VPCs)
# Also non-transitive; subnet routes are exchanged automatically once both sides exist.
gcloud compute networks peerings create vpc1-to-vpc2 \
  --network=vpc1 \
  --peer-network=vpc2
gcloud compute networks peerings create vpc2-to-vpc1 \
  --network=vpc2 \
  --peer-network=vpc1
```
Multi-Cloud Connectivity Patterns
Connecting networks across cloud providers typically involves VPN tunnels between cloud VPN gateways or dedicated interconnect through a colocation facility. The right approach depends on bandwidth, latency, and cost requirements.
Common Multi-Cloud Network Patterns
| Pattern | Bandwidth | Latency | Cost | Best For |
|---|---|---|---|---|
| VPN-to-VPN tunnels | Up to 3 Gbps | Variable (internet) | Low ($72-108/mo) | Development, low-throughput |
| Interconnect via colo | 10-100 Gbps | Low (private) | High ($1K-10K+/mo) | Production, data-intensive |
| SD-WAN overlay | Aggregate links | Optimized | Medium | Branch + multi-cloud |
| Megaport / Equinix Fabric | 1-10 Gbps | Low (private) | Medium ($500-5K/mo) | Multi-cloud interconnect |
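Before building the AWS-to-GCP tunnel that follows, decide which IKE proposals the AWS side may accept: left unset, AWS tunnel options admit IKEv1, SHA1 integrity and Diffie-Hellman group 2 alongside the strong options, and the peer decides what gets negotiated. The linter below is an added example, not from the original guide. It checks one AWS TunnelOptions entry (the `[{"Value": ...}]` list shape used by `create-vpn-connection --options` and `modify-vpn-tunnel-options`) against an allow-list policy of my choosing and returns findings plus a hardened copy. The policy assumes the GCP HA VPN side is configured with the same proposals; the `SAMPLE` input is constructed.

```python
"""IKE/IPsec proposal check for the AWS side of a Site-to-Site VPN
(added example, not from the original guide).

Unless you restrict them, AWS VPN tunnels accept IKEv1, SHA1 integrity and
Diffie-Hellman group 2 alongside stronger options, and the peer decides which
gets negotiated. This lints one TunnelOptions entry against a policy and
returns the findings plus a hardened copy. The policy sets are my choice for
this example and assume the GCP HA VPN peer is configured to match; the
SAMPLE input is constructed.
"""
from copy import deepcopy

# Allowed values per TunnelOptions key. Anything else is flagged; a key that is
# absent is flagged too, because absence means "AWS default", i.e. everything.
POLICY = {
    "IKEVersions": {"ikev2"},
    "Phase1EncryptionAlgorithms": {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "Phase2EncryptionAlgorithms": {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "Phase1IntegrityAlgorithms": {"SHA2-256", "SHA2-384", "SHA2-512"},
    "Phase2IntegrityAlgorithms": {"SHA2-256", "SHA2-384", "SHA2-512"},
    "Phase1DHGroupNumbers": {14, 15, 16, 19, 20, 21},
    "Phase2DHGroupNumbers": {14, 15, 16, 19, 20, 21},
}
MIN_PSK_LENGTH = 32   # AWS accepts 8-64 characters; 32 is this example's floor


def lint_tunnel_options(opts):
    """Return (findings, hardened_options). `opts` uses AWS's [{"Value": ...}] list shape."""
    findings, hardened = [], deepcopy(opts)
    for key, allowed in POLICY.items():
        proposed = [entry["Value"] for entry in opts.get(key, [])]
        if not proposed:
            findings.append(f"{key}: not set, so the AWS default (all values, incl. weak) applies")
            hardened[key] = [{"Value": v} for v in sorted(allowed, key=str)]
            continue
        weak = [v for v in proposed if v not in allowed]
        if weak:
            findings.append(f"{key}: disallowed {weak}")
        # Keep the acceptable proposals; if none survive, substitute the policy set.
        kept = [v for v in proposed if v in allowed] or sorted(allowed, key=str)
        hardened[key] = [{"Value": v} for v in kept]
    psk = opts.get("PreSharedKey")
    if psk is not None and len(psk) < MIN_PSK_LENGTH:
        findings.append(f"PreSharedKey: {len(psk)} chars, below the {MIN_PSK_LENGTH}-char floor; "
                        "let AWS generate it or use a random secret of 32+ chars")
    return findings, hardened


# Constructed input: a tunnel left mostly at defaults with a hand-typed PSK.
SAMPLE = {
    "IKEVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}],
    "Phase1EncryptionAlgorithms": [{"Value": "AES128"}, {"Value": "AES256-GCM-16"}],
    "Phase1IntegrityAlgorithms": [{"Value": "SHA1"}, {"Value": "SHA2-256"}],
    "Phase1DHGroupNumbers": [{"Value": 2}, {"Value": 14}],
    "PreSharedKey": "changeme",
}

if __name__ == "__main__":
    findings, hardened = lint_tunnel_options(SAMPLE)
    for finding in findings:
        print("FAIL:", finding)
    print("hardened IKEVersions:", hardened["IKEVersions"])
```

Feed the hardened dictionary to `modify-vpn-tunnel-options` (one call per tunnel outside IP) and mirror the same proposals on the GCP side; a mismatch shows up as a tunnel stuck in IKE negotiation rather than as a fallback to weaker settings, which is the behaviour you want.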
```bash
# Example: AWS-to-GCP HA VPN with BGP (two tunnels are needed for GCP's 99.99% SLA)
# Step 1: Create HA VPN gateway on GCP (it gets two interfaces, each with a public IP)
gcloud compute vpn-gateways create aws-gcp-gateway \
  --network=my-vpc \
  --region=us-central1
# Step 2: Create Cloud Router for BGP (private ASN)
gcloud compute routers create aws-gcp-router \
  --region=us-central1 \
  --network=my-vpc \
  --asn=65001
# Step 3: Get the GCP gateway IPs, then create one customer gateway on AWS per interface
gcloud compute vpn-gateways describe aws-gcp-gateway \
  --region=us-central1 --format='value(vpnInterfaces[].ipAddress)'
aws ec2 create-customer-gateway \
  --type ipsec.1 \
  --bgp-asn 65001 \
  --public-ip GCP_GATEWAY_IP_0
# (repeat with GCP_GATEWAY_IP_1 for the second interface)
# Step 4: Create VPN connection on AWS (one per customer gateway; AWS generates the PSKs)
aws ec2 create-vpn-connection \
  --type ipsec.1 \
  --customer-gateway-id cgw-12345 \
  --vpn-gateway-id vgw-12345
# The PSKs, AWS tunnel outside IPs and 169.254.x.x/30 inside addresses are in the
# CustomerGatewayConfiguration XML; restrict weak IKE options with modify-vpn-tunnel-options.
aws ec2 describe-vpn-connections --vpn-connection-ids vpn-12345 \
  --query 'VpnConnections[0].CustomerGatewayConfiguration' --output text
# Step 5: Register the AWS tunnel endpoints as an external VPN gateway on GCP
gcloud compute external-vpn-gateways create aws-peer-gw \
  --interfaces 0=AWS_TUNNEL_IP_0,1=AWS_TUNNEL_IP_1
# Step 6: Create VPN tunnels on GCP with the AWS-generated PSKs
gcloud compute vpn-tunnels create aws-tunnel-0 \
  --region=us-central1 \
  --vpn-gateway=aws-gcp-gateway \
  --peer-external-gateway=aws-peer-gw \
  --peer-external-gateway-interface=0 \
  --shared-secret=AWS_GENERATED_PSK_0 \
  --router=aws-gcp-router \
  --ike-version=2 \
  --interface=0
# (repeat as aws-tunnel-1 with --peer-external-gateway-interface=1 --interface=1)
# Step 7: Add a Cloud Router interface and BGP peer for each tunnel, using the
# inside addresses AWS assigned (the AWS-side ASN is 64512 unless you chose another)
gcloud compute routers add-interface aws-gcp-router \
  --region=us-central1 \
  --interface-name=aws-if-0 \
  --vpn-tunnel=aws-tunnel-0 \
  --ip-address=GCP_INSIDE_IP_0 \
  --mask-length=30
gcloud compute routers add-bgp-peer aws-gcp-router \
  --region=us-central1 \
  --peer-name=aws-peer-0 \
  --interface=aws-if-0 \
  --peer-ip-address=AWS_INSIDE_IP_0 \
  --peer-asn=64512
```
Key Takeaways
1. GCP uses a global VPC where subnets in different regions communicate without peering; AWS, Azure and OCI use regional networks that must be explicitly connected.
2. OCI's Site-to-Site VPN has no hourly charge and FastConnect carries no data-transfer fees (only port hours are billed), making it the cheapest option for hybrid connectivity.
3. GCP's global load balancer uses a single anycast IP for worldwide traffic routing; AWS and Azure require per-region load balancers behind Global Accelerator or Front Door.
4. Azure subnets span all availability zones in a region; AWS subnets are AZ-specific; GCP subnets are regional.
5. Cross-cloud connectivity via VPN tunnels provides roughly 1.25 to 3 Gbps per tunnel depending on the provider; dedicated interconnect via colocation provides 10-100 Gbps.
6. OCI's DRG (Dynamic Routing Gateway) provides a free hub for connecting VCNs, on-premises, and other clouds.
Frequently Asked Questions
Which cloud has the best networking?
How do I connect networks across cloud providers?
What is the difference between VPC peering and transit networking?
Written by CloudToolStack Team
Cloud engineers and architects with hands-on experience across AWS, Azure, and GCP. We write guides based on real-world production patterns, not just documentation rewrites.
Disclaimer: This guide is for educational purposes. Cloud services change frequently; always refer to official documentation for the latest information. AWS, Azure, and GCP are trademarks of their respective owners.