Once the accounts are designed and ready, network design is the next most critical component. The accounts are mostly administrative constructs, but the ability to deploy workloads and secure data is done by the network design. Most cloud vendors will have a virtual networking concept that allows for a custom design of the network space needed for various requirements. These virtual networks can then be further divided into subnets that allow for network traffic flow requirements, for example, externally routable traffic (in other words, the public subnet) and internal only (in other words, private subnets). Similar to account design, a virtual network design is critical since, once created, it is hard to modify, and so growth and workload needs should be considered. 

Typically, a single account may contain many virtual networks and these can interact with each other, or even with virtual networks in other accounts. Therefore, they are an additional way of reducing blast radius issues and isolating workloads or data.