Core elements of a Virtual Private CloudCore elements of a Virtual Private Cloud

A VPC is made up of several building blocks, each responsible for a specific part of virtual private cloud network operation — addressing, routing, security and integration with external systems. Together, they allow the VPC to function as a complete cloud-based replacement for on-premises infrastructure.

CIDR blocksCIDR blocks

CIDR (Classless Inter-Domain Routing) defines the IP address range available within a VPC. This range, chosen at creation time, becomes the foundation for all virtual machines, containers and services.

Selecting the right range is strategic: too small and you risk running out of addresses; too large and you risk conflicts with other networks in hybrid setups. The safe choice is to plan for growth and use private ranges defined in RFC1918. For ML teams, this is particularly important, as distributed training may require hundreds of nodes and a poorly chosen block can turn into a bottleneck that forces the virtual private cloud network to be rebuilt.

SubnetsSubnets

Subnets divide the address space into logical segments. Depending on the provider, they may be scoped to availability zones (AWS) or entire regions (GCP). Subnets are often used to separate environments. A public subnet might host inference APIs exposed to the internet, while private subnets are reserved for GPU training or data storage. This separation not only improves security but also creates clear boundaries between ML pipeline stages — for example, data prep and experimentation in one subnet, production inference in another.

Routing tablesRouting tables

Routing tables define how traffic flows between subnets and external networks. Each subnet must be linked to at least one table that specifies which destinations are reachable.

Routing is about path selection, not port filtering. Internet access can be cut off by removing the IGW route or by using private endpoints, while fine-grained port control is handled through security groups and NACLs. For ML teams, routing is crucial for connecting training nodes to large datasets stored in S3-compatible buckets or corporate data warehouses, without exposing them to the public internet.

Internet gatewaysInternet gateways

An Internet Gateway connects a VPC to the outside world, but only for resources with public IPs. Servers in private subnets remain isolated unless paired with a NAT gateway or private endpoint. This separation is especially useful for training clusters, which can remain fully closed off while only management or inference services have outbound access.

This setup gives administrators control: one subnet may be allowed outbound internet access for downloading library updates, while others stay fully closed. In ML production systems, gateways are typically used for serving inference APIs, while training environments remain isolated.

Security groupsSecurity groups

Security groups act as stateful firewalls applied to individual servers or interfaces. They allow traffic through by explicit “allow” rules, with no need for denies. Unlike subnet-level ACLs, they provide fine-grained control at the resource level. A common pattern is to restrict database access so that only inference nodes can connect, even if the database sits in a shared subnet. For ML workflows, this ensures that models can read data for predictions while keeping other environments locked out. Security groups also adapt seamlessly to scaling: when dozens of new GPU nodes are added to a training cluster, they can be connected instantly by attaching the appropriate group.

Network ACLs (Access Control Lists)Network ACLs (Access Control Lists)

ACLs act as subnet-level firewalls and are stateless — each rule applies independently to inbound and outbound traffic. They support both allow and deny rules, making them useful as a safety net beneath security groups.

For example, an ACL can block all inbound internet traffic to GPU training subnets, even if a misconfigured security group exists. This layered approach is standard for organizations working with sensitive data.

Elastic Load Balancer (ELB)Elastic Load Balancer (ELB)

A load balancer distributes traffic across servers and ensures requests only reach healthy instances. Application-level balancers (L7) add extra features like HTTP routing, TLS termination and support for blue-green deployments. ELBs integrate tightly with monitoring: if a node becomes unresponsive, the balancer removes it from rotation, keeping services online. For ML inference systems, this is essential for handling unpredictable workloads without downtime.

Virtual Private Network (VPN) connectionsVirtual Private Network (VPN) connections

A VPN connects a VPC to an office network through an encrypted tunnel, typically using IPSec in a “site-to-site” setup. For higher bandwidth or lower latency, providers offer dedicated options such as Direct Connect or Interconnect. Employees can also use client VPNs for secure individual access. This is especially valuable in hybrid environments where some services remain on-premises while others move to the cloud.

With a VPN, cloud resources appear as part of the internal network. For ML teams, this means they can securely work with corporate datasets without duplicating them into the public cloud. Administrators still control access through routing and ACLs, ensuring only approved storage systems are reachable.

In practice, VPNs are often the bridge for cloud adoption. They let organizations gradually migrate workloads while keeping tight integration with on-premises systems. This reduces risk and enables flexible, staged infrastructure strategies.

Unlock the power of VPCs for your businessUnlock the power of VPCs for your business

Virtual Private Cloud has become an essential part of modern cloud infrastructure and its value lies in providing control and security while still enabling rapid growth.

Through logical isolation, VPCs ensure compliance and protection. With flexible configuration, they adapt to diverse needs: separating dev and prod environments, dividing workloads across subnets or scaling GPU clusters for ML training. As your business evolves, the VPC grows with it, without the pain of constant redesign.

For machine learning, these capabilities are essential. Reliable training and inference demand secure, predictable environments. A VPC makes this possible: administrators define routes, rules and monitoring in a way that is simpler, faster and more efficient than managing physical networks.

A VPC is not a one-time setup but a long-term platform for building a cloud ecosystem. That’s why it has become the default choice for organizations seeking both scalability and control.

To explore how VPCs can strengthen your infrastructure, check out Nebius solutions. Our platform offers flexible options for building virtual private cloud network optimized for both performance and ML workloads.

How to get started with VPC in NebiusHow to get started with VPC in Nebius

In Nebius, Virtual Private Cloud is part of the Nebius AI Cloud environment. Compute resources — from GPU instances to clusters — come together with storage systems inside an isolated network. Within it, you can run managed Kubernetes for containers, Slurm-based workloads with Soperator or integrate file and object storage for datasets. Everything operates within one secure environment, accessible through the console or API.

Setup is straightforward: configure compute nodes, define subnets and set up routing rules. Security comes built-in with Nebius access management and policies. As workloads expand, new nodes automatically join the existing network while maintaining isolation.

To help you move faster, Nebius documentation provides step-by-step guides and configuration examples, from GPU training clusters to production inference services. And if you need reassurance, the Trust Center offers clear details on security practices and compliance to standards.