VPCs
Virtual Private Clouds (VPCs) define isolated private network boundaries for your Skytells infrastructure. Instances placed in the same VPC communicate directly over private IP. No public routing is needed for internal traffic.
A Virtual Private Cloud (VPC) is a logically isolated private network inside Skytells Infrastructure. It defines an address space and a network boundary. Instances placed inside the same VPC see each other as local peers — they can communicate directly over private IP addresses without routing through the public internet, without firewall rules for internal traffic, and without any manual network configuration.
VPCs are the networking primitive that makes multi-instance architectures private and secure by default.
Why VPCs exist
The default public internet is open, observable, and shared. Enterprise-grade systems require the opposite for internal traffic: private, bounded, and controlled. A VPC gives you that boundary without the complexity of managing physical or traditional virtual network infrastructure.
Consider a production environment with a load balancer, application servers, a database replica set, and a caching layer. None of those components need to communicate over the public internet. By placing them all inside the same VPC:
- Internal traffic stays internal — no public IPs needed for node-to-node communication.
- External access is only possible where you explicitly define it through firewall rules.
- Network topology is encapsulated — adding or removing a node does not require reconfiguring the network.
If you are already using Projects, you already benefit from a similar principle: all apps and databases inside a project share a private internal network automatically. VPCs in Infrastructure extend that same model to virtual machines — with explicit control over the network layout.
VPC structure
Each VPC in Skytells Infrastructure has:
| Property | Description |
|---|---|
| Name | A human-readable label for the VPC, used in instance assignment and the Console. |
| Private address space | The IP address range (CIDR block) assigned to this VPC. Instances receive private IPs from this range. |
| Region | VPCs are region-scoped. An instance can only join a VPC in the same region. |
| Member instances | The list of virtual machines currently inside the VPC. |
Managing VPCs
Accessing the VPC list
- Open the Skytells Console and navigate to Infrastructure.
- In the Infrastructure left rail, select VPCs.
- Your VPCs are listed. Each entry shows the name, region, address space, and member instance count.
Creating a VPC
- From the VPC list, select New VPC or the equivalent creation action.
- Enter a name for the VPC.
- Select the region. The VPC will only be available to instances in this region.
- Confirm creation. The VPC is ready immediately and available for instance assignment.
VPCs are region-scoped. An instance in one region cannot join a VPC in a different region. Plan your VPC layout before provisioning instances if your architecture spans multiple regions.
Assigning an instance to a VPC
VPC assignment happens at instance creation time. When you create a new instance, you select the VPC from the available networks in that region. The instance receives a private IP address from the VPC's address space immediately upon provisioning.
VPC assignment cannot be changed after an instance is created. To move an instance to a different VPC, decommission it and provision a new one in the target VPC.
Network isolation between VPCs
Instances in different VPCs cannot communicate with each other over private IP — even if they are in the same region. The VPC boundary is the isolation boundary.
This makes VPCs the right tool for separating environments:
| Use case | VPC layout |
|---|---|
| Production / Staging separation | One VPC per environment; instances in Production cannot reach instances in Staging by private IP. |
| Service domain isolation | Separate VPCs for distinct product areas (e.g., data processing vs. user-facing services). |
| Tenant isolation | Enterprise accounts with multi-tenant infrastructure can assign each tenant's compute to a dedicated VPC. |
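Because VPC assignment is fixed at instance creation, a planned layout can be checked against these rules before anything is provisioned. The script below is an added example, not Skytells code: the plan format, field names, region names and addresses are constructed for illustration. It flags region mismatches, private IPs outside the VPC's address space, and instances from different environments that would share one VPC.

```python
import ipaddress
from itertools import combinations

# Constructed plan; field names, regions and addresses are illustrative only.
VPCS = {
    "prod-net":    {"region": "region-a", "cidr": "10.10.0.0/16"},
    "staging-net": {"region": "region-a", "cidr": "10.20.0.0/16"},
}
INSTANCES = [
    {"name": "lb-1",  "env": "production", "region": "region-a", "vpc": "prod-net",    "ip": "10.10.0.5"},
    {"name": "app-1", "env": "production", "region": "region-a", "vpc": "prod-net",    "ip": "10.10.1.10"},
    {"name": "db-1",  "env": "production", "region": "region-b", "vpc": "prod-net",    "ip": "10.10.2.10"},
    {"name": "stg-1", "env": "staging",    "region": "region-a", "vpc": "staging-net", "ip": "10.20.0.7"},
    {"name": "stg-2", "env": "staging",    "region": "region-a", "vpc": "prod-net",    "ip": "10.20.0.8"},
]

def validate_plan(vpcs, instances):
    """Return (instance, problem) findings for assignments the VPC rules forbid."""
    findings = []
    for inst in instances:
        vpc = vpcs.get(inst["vpc"])
        if vpc is None:
            findings.append((inst["name"], "unknown-vpc"))
            continue
        # VPCs are region-scoped: an instance can only join a VPC in its own region.
        if inst["region"] != vpc["region"]:
            findings.append((inst["name"], "region-mismatch"))
        # Private IPs come from the VPC's address space (CIDR block).
        if ipaddress.ip_address(inst["ip"]) not in ipaddress.ip_network(vpc["cidr"]):
            findings.append((inst["name"], "ip-outside-cidr"))
    return findings

def cross_env_private_paths(instances):
    """Pairs from different environments that share a VPC, i.e. can reach
    each other over private IP because they sit inside the same boundary."""
    return [(a["name"], b["name"])
            for a, b in combinations(instances, 2)
            if a["vpc"] == b["vpc"] and a["env"] != b["env"]]

if __name__ == "__main__":
    for name, problem in validate_plan(VPCS, INSTANCES):
        print(f"{name}: {problem}")
    for a, b in cross_env_private_paths(INSTANCES):
        print(f"{a} <-> {b}: different environments inside one VPC")
```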
VPCs and firewall groups
VPCs control who can talk to whom at the network level — private vs. public routing. Firewall groups control which traffic is permitted at the port and protocol level.
They are complementary:
- A VPC prevents external systems from reaching your instances over private IP routes.
- A firewall group governs what is allowed to reach an instance over its public IP.
For full defense-in-depth, use both: place instances in a VPC for private communication, and attach a firewall group to govern all public inbound traffic.
Related
- Instances — virtual machines that are placed inside a VPC.
- Firewalls — rule groups that control traffic at the port and protocol level.
- Infrastructure Overview — the full picture of Skytells' compute and networking layer.
- Projects — for containerized workloads that use an automatic private network without explicit VPC configuration.
- Security — platform-wide security practices.