Procedures to Support Network Slicing in a Wireless Communication System
US-2017245316-A1 · Aug 24, 2017 · US
US11838273B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11838273-B2 |
| Application number | US-202117216349-A |
| Country | US |
| Kind code | B2 |
| Filing date | Mar 29, 2021 |
| Priority date | Mar 29, 2021 |
| Publication date | Dec 5, 2023 |
| Grant date | Dec 5, 2023 |
Official abstract text for this publication.
Disclosed are various embodiments for extending cloud-based virtual private networks to radio-based networks. In one embodiment, a request from a client device to connect to a radio-based network is received. A virtual private cloud network of a cloud provider network to which the client device is permitted access is determined. The client device is provided with access to the virtual private cloud network through the radio-based network.
Opening claim text (preview).
Therefore, the following is claimed:
1. A system, comprising: a radio-based network including a network slice; and a cloud provider network hosting a virtual private cloud network having an associated internet protocol (IP) address range, a first subnet of the virtual private cloud network corresponding to an availability zone in the cloud provider network, the cloud provider network including at least one computing device configured to at least: create a second subnet of the virtual private cloud network in the network slice; register an identifier of a subscriber identity module of a client device in one or both of the network slice and the virtual private cloud network; assign the subscriber identity module to a security group of the virtual private cloud network; in response to a request from the client device to connect to the radio-based network, determine that the identifier presented in the request is authorized to connect to the radio-based network and assign the subscriber identity module an IP address from the second subnet of the virtual private cloud network; and provide the client device with access to a compute instance on the first subnet of the virtual private cloud network through the radio-based network based at least in part on the subscriber identity module being assigned to the security group.
2. The system of claim 1, wherein one or more resources of the virtual private cloud network are hosted on a provider substrate extension of the cloud provider network, the provider substrate extension located in the radio-based network.
3. The system of claim 2, wherein an access control list for the virtual private cloud network is used to control access to the one or more resources hosted on the provider substrate extension.
4. The system of claim 1, wherein the at least one computing device is further configured to at least create the second subnet in the network slice in response to receiving, at the cloud provider network, an API request to create the second subnet in the network slice from a customer account associated with the virtual private cloud network.
5. The system of claim 1, wherein the at least one computing device is further configured to at least register the identifier of the subscriber identity module in the one or both of the network slice and the virtual private cloud network in response to receiving, at the cloud provider network, an API request to register the identifier of the subscriber identity module in the one or both of the network slice and the virtual private cloud network.
6. The system of claim 1, wherein the at least one computing device is further configured to at least connect the network slice to another network slice using a virtual router of the cloud provider network, the other network slice having another a third subnet of the virtual private cloud network.
7. The system of claim 1, wherein at least a portion of a core network for the radio-based network is hosted in the cloud provider network.
8. A computer-implemented method, comprising: creating a subnet of a virtual private cloud network of a cloud provider network in a network slice of a radio-based network; registering an identifier of a subscriber identity module of a client device in one or both of the network slice and the virtual private cloud network; assign the subscriber identity module to a security group of the virtual private cloud network; receiving a request from the client device to connect to the radio-based network, the request presenting the identifier; determining the virtual private cloud network to which the client device is permitted access in response to the identifier in the request; and providing the client device with access to a compute instance on the virtual private cloud network through the radio-based network in response to receiving the request from the client device to connect to the radio-based network based at least in part on the subscriber identity module being assigned to the security group.
9. The computer-implemented method of claim 8, further comprising: receiving a request from a different client device to connect to the radio-based network, the request from the different client device presenting a different identifier associated with a different subscriber identity module; determining a different virtual private cloud network of the cloud provider network to which the different client device is permitted access in response to the different identifier in the request from the different client device; and providing the different client device with access to the different virtual private cloud network through the radio-based network in response to receiving the request from the different client device to connect to the radio-based network.
10. The computer-implemented method of claim 8, further comprising assigning a network address to the client device on the radio-based network according to a rule set associated with the virtual private cloud network.
11. The computer-implemented method of claim 8, further comprising assigning the client device to the network slice of the radio-based network according to a rule set associated with the virtual private cloud network, the network slice being configured to meet a quality-of-service requirement.
12. The computer-implemented method of claim 8, further comprising encrypting communications sent to or from the client device via the radio-based network.
13. The computer-implemented method of claim 8, further comprising configuring the client device to use an end-to-end encryption scheme when communicating with one or more other network hosts of the virtual private cloud network.
14. The computer-implemented method of claim 8, further comprising enabling the client device to communicate with another client device that is on the virtual private cloud network and connected through the radio-based network.
15. The computer-implemented method of claim 8, further comprising enabling the client device to communicate with a computing resource that is on the virtual private cloud network and connected through the cloud provider network and not the radio-based network.
16. The computer-implemented method of claim 8, wherein determining the virtual private cloud network to which the client device is permitted access further comprises: identifying the client device based at least in part on the identifier of the subscriber identity module (SIM) or embedded SIM (eSIM) of the client device; and determining the virtual private cloud network based at least in part on the SIM or eSIM.
17. A computer-implemented method, comprising: receiving network traffic from a service executed in a virtual private cloud network of a cloud provider network, the service being on a first subnet of the virtual private cloud network; determining that the network traffic is permitted to be forwarded to a client device based at least in part on a subscriber identity module of the client device being assigned to a security group of the virtual private cloud network, the client device being connected to the virtual private cloud network via a network slice configured for the virtual private cloud network in a radio-based network, the network slice being associated with one or more quality-of-service requirements, the network slice corresponding to a second subnet of the virtual private cloud network; and forwarding the network traffic to the client device.
18. The computer-implemented method of claim 17, further comprising executing the service in a provider substrate extensio
Virtual private networks · CPC title
Customer-centric QoS measurements · CPC title
Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title
Processing of subscriber group data · CPC title
Authentication · CPC title