Virtual Private Cloud (VPC)
What a VPC is, its architecture, creating one via the console and API, CIDR planning, attaching resources, and monitoring.
A Virtual Private Cloud (VPC) is an isolated network environment within NFYio. It gives you full control over IP addressing, subnets, routing, and which resources can communicate with each other.
What is a VPC?
A VPC is a logically isolated section of the NFYio network where you can launch resources such as:
- Storage buckets (S3 proxy)
- AI agents and RAG pipelines
- API gateways
- Databases (PostgreSQL, Redis)
Resources in a VPC can communicate privately using private IP addresses. Traffic stays within your VPC unless you explicitly allow internet or cross-VPC access.
Architecture
┌──────────────────────────────────────────────────────────────────┐
│                      NFYio VPC Architecture                      │
│                                                                  │
│   ┌─────────────┐      ┌─────────────┐      ┌─────────────┐      │
│   │  Bucket A   │      │  Agent Svc  │      │   API GW    │      │
│   │  10.0.2.10  │      │  10.0.2.11  │      │  10.0.1.5   │      │
│   └──────┬──────┘      └──────┬──────┘      └──────┬──────┘      │
│          │                    │                    │             │
│          └────────────────────┼────────────────────┘             │
│                               │                                  │
│                         ┌─────▼─────┐                            │
│                         │  Subnets  │                            │
│                         │  Routing  │                            │
│                         └─────┬─────┘                            │
│                               │                                  │
│                   ┌───────────┼───────────┐                      │
│                   ▼           ▼           ▼                      │
│             Internet GW     NAT GW    VPC Peering                │
└──────────────────────────────────────────────────────────────────┘
CIDR Planning
Choose a CIDR block that doesn’t overlap with your on-premises or other cloud networks. Common choices:
RFC 1918 Private Ranges
| CIDR Block | Usable IPs | Use Case |
|---|---|---|
| 10.0.0.0/16 | 65,536 | Large deployments |
| 10.0.0.0/20 | 4,096 | Medium deployments |
| 172.16.0.0/16 | 65,536 | Alternative large range |
| 172.16.0.0/20 | 4,096 | Alternative medium range |
| 192.168.0.0/16 | 65,536 | Small/isolated environments |
| 192.168.0.0/24 | 256 | Single subnet |
Example CIDR Allocation
For a VPC with 10.0.0.0/16:
- 10.0.1.0/24 — Public subnet (AZ-1)
- 10.0.2.0/24 — Private subnet (AZ-1)
- 10.0.3.0/24 — Public subnet (AZ-2)
- 10.0.4.0/24 — Private subnet (AZ-2)
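The planning rules above (stay inside an RFC 1918 range, avoid overlap with existing networks, carve one public and one private subnet per availability zone) can be checked before a VPC is created. The script below is an added example written for this page, not NFYio code or part of its API; the on-premises ranges in `existing` and the AZ names are constructed values, and "Usable IPs" is computed as the block's address count, which is how the table above reports it.

```python
import ipaddress

# RFC 1918 private ranges; a VPC CIDR should sit entirely inside one of them.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr):
    """True if the block lies entirely within an RFC 1918 private range."""
    net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
    return any(net.subnet_of(r) for r in RFC1918)


def usable_ips(cidr):
    """Address count of a block, the figure the table above lists as 'Usable IPs'."""
    return ipaddress.ip_network(cidr).num_addresses


def overlaps(cidr, existing):
    """Return the existing networks (as strings) that overlap the proposed block."""
    net = ipaddress.ip_network(cidr)
    return [str(e) for e in map(ipaddress.ip_network, existing) if net.overlaps(e)]


def plan_subnets(vpc_cidr, azs, new_prefix=24, reserve_first=1):
    """Carve one public and one private subnet per AZ, in the order the page uses.

    The first `reserve_first` blocks are skipped, which is why 10.0.0.0/16 yields
    10.0.1.0/24 (public, AZ-1), 10.0.2.0/24 (private, AZ-1), 10.0.3.0/24, 10.0.4.0/24.
    """
    vpc = ipaddress.ip_network(vpc_cidr)
    pool = iter(vpc.subnets(new_prefix=new_prefix))
    plan = {}
    try:
        for _ in range(reserve_first):
            next(pool)
        for az in azs:
            plan[az] = {"public": str(next(pool)), "private": str(next(pool))}
    except StopIteration:
        raise ValueError(f"{vpc_cidr} cannot hold 2 x /{new_prefix} subnets for {len(azs)} AZs") from None
    return plan


def check_vpc_cidr(cidr, existing_networks):
    """Collect the problems a reviewer would reject: non-private block or address overlap."""
    problems = []
    if not is_rfc1918(cidr):
        problems.append(f"{cidr} is not an RFC 1918 private range")
    for clash in overlaps(cidr, existing_networks):
        problems.append(f"{cidr} overlaps existing network {clash}")
    return problems


if __name__ == "__main__":
    # Constructed on-premises / other-cloud ranges (assumption for this example).
    existing = ["10.0.0.0/20", "192.168.1.0/24"]
    for candidate in ("10.0.0.0/16", "10.1.0.0/16", "100.64.0.0/16"):
        print(candidate, usable_ips(candidate), "addresses:", check_vpc_cidr(candidate, existing) or "OK")
    for az, subnets in plan_subnets("10.1.0.0/16", ["AZ-1", "AZ-2"]).items():
        print(az, subnets)
```

Run it before submitting the create request: a block that fails `check_vpc_cidr` will be painful to change later, because peering and on-premises routing both depend on non-overlapping address space.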
Creating a VPC
Via Console
- Navigate to Networking → VPCs
- Click Create VPC
- Enter a name and description
- Specify the CIDR block (e.g., 10.0.0.0/16)
- Select availability zones
- Click Create
Via API
```bash
curl -X POST https://api.yourdomain.com/v1/vpcs \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "production-vpc",
    "description": "Production environment VPC",
    "cidr_block": "10.0.0.0/16",
    "availability_zones": ["us-east-1a", "us-east-1b"]
  }'
```
Response:
```json
{
  "id": "vpc_abc123xyz",
  "name": "production-vpc",
  "description": "Production environment VPC",
  "cidr_block": "10.0.0.0/16",
  "status": "available",
  "created_at": "2026-03-01T12:00:00Z"
}
```
Attaching Resources
Buckets
Assign a bucket to a VPC subnet so it’s only accessible from within the VPC:
```bash
curl -X PATCH https://api.yourdomain.com/v1/buckets/my-bucket \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "vpc_id": "vpc_abc123xyz",
    "subnet_id": "subnet_priv_1"
  }'
```
Agents
Deploy AI agents in a private subnet for secure RAG pipeline access:
```json
{
  "agent_id": "agent_xyz",
  "vpc_id": "vpc_abc123xyz",
  "subnet_id": "subnet_priv_1"
}
```
APIs and Databases
APIs and databases can be attached to VPC subnets via the console or API. See Networking API Reference for full endpoint details.
Monitoring
Monitor VPC health and traffic:
- Flow logs — Capture IP traffic for troubleshooting
- Metrics — Bytes in/out, packet count, error rates
- Alerts — Configure thresholds for unusual traffic patterns
```bash
# List VPC flow logs
curl -X GET "https://api.yourdomain.com/v1/vpcs/vpc_abc123xyz/flow-logs" \
  -H "Authorization: Bearer $API_KEY"
```
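Flow logs are only useful once something reads them and applies the thresholds the Alerts bullet refers to. The script below is an added example for this page, not NFYio tooling, and it assumes a simple whitespace-separated record layout (`timestamp src dst dst_port proto bytes action`) that is constructed for the example; the real export format is not described on this page and may differ. It produces the bytes in/out and error (rejected-flow) metrics listed above and raises two defensive alerts: a private-subnet host pushing more than a threshold of bytes to destinations outside the VPC CIDR, and an external source accumulating repeated rejected connections.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow-log lines (assumed layout, not NFYio's documented format):
# <timestamp> <src_ip> <dst_ip> <dst_port> <protocol> <bytes> <action>
SAMPLE_FLOW_LOG = """\
2026-03-01T12:00:01Z 10.0.2.10 10.0.2.11 443 tcp 1200 ACCEPT
2026-03-01T12:00:02Z 10.0.2.11 10.0.1.5 8080 tcp 800 ACCEPT
2026-03-01T12:00:03Z 10.0.2.10 203.0.113.7 443 tcp 52428800 ACCEPT
2026-03-01T12:00:04Z 198.51.100.9 10.0.1.5 22 tcp 60 REJECT
2026-03-01T12:00:05Z 198.51.100.9 10.0.1.5 3389 tcp 60 REJECT
2026-03-01T12:00:06Z 198.51.100.9 10.0.1.5 8080 tcp 60 REJECT
"""


def parse_flow_log(text):
    """Parse flow-log lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, dst, port, proto, nbytes, action = parts
        records.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dst_port": int(port),
            "proto": proto,
            "bytes": int(nbytes),
            "action": action,
        })
    return records


def summarize(records, vpc_cidr):
    """Bytes in/out/internal relative to the VPC CIDR, plus the rejected-flow count."""
    vpc = ipaddress.ip_network(vpc_cidr)
    totals = {"bytes_internal": 0, "bytes_in": 0, "bytes_out": 0, "rejected_flows": 0}
    for r in records:
        if r["action"] != "ACCEPT":
            totals["rejected_flows"] += 1
            continue
        src_in, dst_in = r["src"] in vpc, r["dst"] in vpc
        if src_in and dst_in:
            totals["bytes_internal"] += r["bytes"]
        elif src_in:
            totals["bytes_out"] += r["bytes"]
        elif dst_in:
            totals["bytes_in"] += r["bytes"]
    return totals


def detect_anomalies(records, vpc_cidr, private_subnets, egress_bytes_threshold, reject_threshold):
    """Threshold alerts: bulk egress from a private subnet, and bursts of rejected inbound flows."""
    vpc = ipaddress.ip_network(vpc_cidr)
    private = [ipaddress.ip_network(s) for s in private_subnets]
    egress_by_src = defaultdict(int)
    rejects_by_src = defaultdict(int)
    for r in records:
        if r["action"] != "ACCEPT":
            if r["src"] not in vpc:  # only count rejects originating outside the VPC
                rejects_by_src[r["src"]] += 1
            continue
        if any(r["src"] in p for p in private) and r["dst"] not in vpc:
            egress_by_src[r["src"]] += r["bytes"]
    alerts = []
    for src, total in egress_by_src.items():
        if total > egress_bytes_threshold:
            alerts.append({"type": "private_egress_volume", "src": str(src), "bytes": total})
    for src, n in rejects_by_src.items():
        if n >= reject_threshold:
            alerts.append({"type": "reject_burst", "src": str(src), "count": n})
    return alerts


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_FLOW_LOG)
    print(summarize(recs, "10.0.0.0/16"))
    # Private subnets follow the example allocation above; thresholds are constructed.
    for alert in detect_anomalies(recs, "10.0.0.0/16", ["10.0.2.0/24", "10.0.4.0/24"],
                                  egress_bytes_threshold=10 * 1024 * 1024, reject_threshold=3):
        print(alert)
```

The thresholds are deliberately parameters rather than constants: tune them per VPC from a baseline of the metrics `summarize` returns, and feed the `detect_anomalies` output into whatever alerting the console's thresholds are configured against.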
Next Steps
- Subnet Management — Create and manage subnets
- Security Groups — Control resource-level access
- VPC Peering — Connect multiple VPCs