Networking & Content Delivery
AWS networking is built around Amazon VPC, which provides logical network isolation. Key components include subnets (public and private), Security Groups (stateful, instance-level), NACLs (stateless, subnet-level), Internet Gateway, and NAT Gateway. CloudFront delivers content globally, Route 53 manages DNS, and Direct Connect or Site-to-Site VPN provides hybrid connectivity.
1. Amazon VPC — Virtual Private Cloud
A VPC is a logically isolated virtual network in AWS. You define the IP address range, divide it into subnets, configure routing, and control traffic using firewalls. Every AWS account gets a default VPC in each Region to get started immediately.
VPC Core Components
| Component | Description |
|---|---|
| CIDR Block | IP address range for the VPC (e.g., 10.0.0.0/16 = 65,536 IPs) |
| Subnets | Subdivisions of the VPC in a single AZ; public or private |
| Route Table | Rules controlling where traffic flows from each subnet |
| Internet Gateway (IGW) | Enables bidirectional internet access for resources with public IPs |
| NAT Gateway | Outbound-only internet for private subnet resources; AWS-managed; charged per hour |
| Security Groups | Stateful instance-level firewall; allow rules only |
| Network ACLs (NACLs) | Stateless subnet-level firewall; allow and deny rules |
| VPC Peering | Private connection between two VPCs |
| VPC Endpoints | Private connection to AWS services without internet or NAT |
| VPC Flow Logs | Capture IP traffic metadata for security monitoring |
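The last row of the table is where most of the security value sits: flow logs record the accept/reject decision of the security group or NACL for each flow. As an added example (not code from the original page or from AWS), the following parser reads records in the default version-2 flow log format, skips NODATA/SKIPDATA records, and flags any source that was rejected on several distinct destination ports. The log lines, account ID and interface ID are constructed for illustration, and the three-port threshold is an assumed tuning value.

```python
"""Added example, not from the original page: parse VPC Flow Log records in the
default version-2 format and flag sources repeatedly rejected on many ports."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Field order of the default (version 2) flow log record format.
FIELDS = ["version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status"]


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int
    bytes: int
    action: str      # ACCEPT or REJECT: the security group / NACL decision


def parse_record(line: str) -> Optional[FlowRecord]:
    """Return a FlowRecord, or None for malformed lines and NODATA/SKIPDATA records."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":
        return None  # traffic fields are '-' in these records
    return FlowRecord(
        interface_id=rec["interface_id"],
        srcaddr=rec["srcaddr"],
        dstaddr=rec["dstaddr"],
        srcport=int(rec["srcport"]),
        dstport=int(rec["dstport"]),
        protocol=int(rec["protocol"]),
        bytes=int(rec["bytes"]),
        action=rec["action"],
    )


def parse_log(text: str) -> List[FlowRecord]:
    records = []
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            records.append(rec)
    return records


def rejected_ports_by_source(records: List[FlowRecord]) -> Dict[str, Set[int]]:
    """Map each source address to the destination ports it was rejected on."""
    out: Dict[str, Set[int]] = {}
    for r in records:
        if r.action == "REJECT":
            out.setdefault(r.srcaddr, set()).add(r.dstport)
    return out


def noisy_sources(records: List[FlowRecord], min_ports: int = 3) -> List[str]:
    """Sources rejected on at least min_ports distinct ports: a cheap indicator of
    probing that is worth correlating with other telemetry before acting on it."""
    return sorted(src for src, ports in rejected_ports_by_source(records).items()
                  if len(ports) >= min_ports)


# Constructed sample records (documentation IP ranges and placeholder IDs, not real traffic).
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.10 10.0.2.20 49152 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 55555 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 55556 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.10 55557 445 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.10 40000 443 6 5 800 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(recs)} usable records; noisy sources: {noisy_sources(recs)}")
```

The NODATA record is dropped rather than counted as a reject; a parser that treats the '-' placeholders as traffic fields would fail on the int conversions, which is why the log-status check comes before them.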
2. Security Groups vs Network ACLs
| Feature | Security Group | Network ACL |
|---|---|---|
| Applies to | Individual instances (ENI) | Entire subnet |
| State | Stateful — return traffic automatically allowed | Stateless — must explicitly allow inbound AND outbound |
| Rule types | Allow only — no explicit deny | Allow AND Deny |
| Rule evaluation | All rules evaluated together | Rules evaluated in numeric order; first match wins |
| Default behavior | All traffic denied unless a rule allows it | Default VPC NACL allows all traffic in and out |
| Typical use | Whitelist ports per service | Subnet-wide block rules (e.g., block a bad IP range) |
Key exam tip — Stateful vs Stateless:
- Stateful (Security Group): You allow inbound port 443 → AWS automatically allows the response back out. You only write one rule.
- Stateless (NACL): You allow inbound port 443 → you must ALSO explicitly allow outbound ephemeral ports for the response. Two rules needed.
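To make the stateful/stateless distinction concrete, here is an added example (not from the original page, and a simplification of the real AWS evaluation logic) that judges the same HTTPS request and its reply under a security group and under a NACL. It models the three points in the table: security groups are allow-only and pass the reply of an allowed connection automatically; NACLs evaluate each packet independently in ascending rule-number order with first match winning and an implicit deny at the end; and a low-numbered NACL deny can block an entire address range. The client address, ports and rule numbers are constructed values.

```python
"""Added example, not from the original page: a small simulator of how a stateful
security group and a stateless network ACL each judge an HTTPS request and its reply."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound", relative to the instance/subnet
    protocol: str    # "tcp" or "udp"
    port: int        # destination port of this packet
    peer: str        # remote address: source for inbound, destination for outbound


@dataclass(frozen=True)
class Rule:
    direction: str
    protocol: str            # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str = "0.0.0.0/0"
    action: str = "allow"    # NACLs may also use "deny"; security groups cannot
    number: int = 0          # NACL rule number (evaluation order); unused by SGs

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.protocol in ("all", p.protocol)
                and self.port_from <= p.port <= self.port_to
                and ipaddress.ip_address(p.peer) in ipaddress.ip_network(self.cidr))


def security_group_allows(rules: List[Rule], request: Packet, response: Packet) -> bool:
    """Stateful: only the initiating packet is checked against the (allow-only) rules;
    the reply belongs to a tracked connection and passes without a rule of its own."""
    if any(r.action != "allow" for r in rules):
        raise ValueError("security groups have no deny rules")
    return any(r.matches(request) for r in rules)


def nacl_allows(rules: List[Rule], request: Packet, response: Packet) -> bool:
    """Stateless: every packet is judged on its own, rules in ascending numeric order,
    first match wins, and the trailing '*' rule denies anything unmatched."""
    def decide(p: Packet) -> bool:
        for r in sorted(rules, key=lambda r: r.number):
            if r.matches(p):
                return r.action == "allow"
        return False
    return decide(request) and decide(response)


# Constructed scenario: a client on a documentation address opens an HTTPS connection.
CLIENT = "203.0.113.25"
REQUEST = Packet("inbound", "tcp", 443, CLIENT)
RESPONSE = Packet("outbound", "tcp", 50123, CLIENT)   # reply goes to the client's ephemeral port

SG_HTTPS = [Rule("inbound", "tcp", 443, 443)]
NACL_INBOUND_ONLY = [Rule("inbound", "tcp", 443, 443, number=100)]
NACL_BOTH_WAYS = NACL_INBOUND_ONLY + [Rule("outbound", "tcp", 1024, 65535, number=100)]
# A lower-numbered deny wins over the later allows for anything in the blocked range.
NACL_BLOCK_RANGE = [Rule("inbound", "all", 0, 65535, "203.0.113.0/24", "deny", 50)] + NACL_BOTH_WAYS


def evaluate_scenarios() -> Dict[str, bool]:
    other_client = "198.51.100.5"   # constructed address outside the blocked range
    return {
        "sg_one_rule": security_group_allows(SG_HTTPS, REQUEST, RESPONSE),
        "nacl_inbound_only": nacl_allows(NACL_INBOUND_ONLY, REQUEST, RESPONSE),
        "nacl_both_ways": nacl_allows(NACL_BOTH_WAYS, REQUEST, RESPONSE),
        "nacl_blocked_range": nacl_allows(NACL_BLOCK_RANGE, REQUEST, RESPONSE),
        "nacl_other_client": nacl_allows(
            NACL_BLOCK_RANGE,
            Packet("inbound", "tcp", 443, other_client),
            Packet("outbound", "tcp", 50123, other_client)),
    }


if __name__ == "__main__":
    for name, allowed in evaluate_scenarios().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY'}")
```

The `nacl_inbound_only` case is the classic misconfiguration: the request is admitted but the reply is dropped at the subnet boundary because no outbound ephemeral-port rule exists, so the connection appears to hang even though the security group is correct.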
3. VPC Endpoints — Private AWS Service Access
Without VPC Endpoints, traffic from a private subnet to S3 travels: private subnet → NAT Gateway → Internet Gateway → public internet → S3. With endpoints, traffic stays entirely on AWS's private network.
| Endpoint Type | Connects To | Cost |
|---|---|---|
| Gateway Endpoint | Amazon S3 and DynamoDB only | Free |
| Interface Endpoint | 100+ other AWS services via PrivateLink | Small hourly charge |
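A gateway endpoint works by adding a route whose destination is the service's managed prefix list; because that prefix list is more specific than the 0.0.0.0/0 default route, longest-prefix matching sends S3-bound traffic to the endpoint and everything else to the NAT Gateway. The following added example (not from the original page) implements that route lookup for the public, private and private-plus-endpoint route tables described in the Route Table row above and in the text of this section. The prefix list contents and the igw-/nat-/vpce- target IDs are constructed placeholders, not real AWS values.

```python
"""Added example, not from the original page: longest-prefix-match route lookup showing
how a subnet's route table chooses between local, IGW, NAT Gateway and a gateway endpoint."""
import ipaddress
from typing import List, Optional, Tuple

# A route is (list of destination CIDRs, target). A managed prefix list is modelled
# as a single route whose destination is several CIDRs.
Route = Tuple[List[str], str]

VPC_CIDR = "10.0.0.0/16"
# Constructed stand-in for a Region's S3 prefix list (documentation ranges, not real S3 addresses).
S3_PREFIX_LIST = ["198.51.100.0/24", "192.0.2.0/24"]
# Target IDs are placeholders, not real resource IDs.
PUBLIC_RT: List[Route] = [([VPC_CIDR], "local"), (["0.0.0.0/0"], "igw-EXAMPLE")]
PRIVATE_RT: List[Route] = [([VPC_CIDR], "local"), (["0.0.0.0/0"], "nat-EXAMPLE")]
PRIVATE_RT_WITH_ENDPOINT: List[Route] = PRIVATE_RT + [(S3_PREFIX_LIST, "vpce-EXAMPLE")]


def next_hop(route_table: List[Route], dst_ip: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching destination wins, so a /24 from the
    endpoint's prefix list beats the 0.0.0.0/0 default. None means no route (dropped)."""
    dst = ipaddress.ip_address(dst_ip)
    best_len, best_target = -1, None
    for cidrs, target in route_table:
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if dst in net and net.prefixlen > best_len:
                best_len, best_target = net.prefixlen, target
    return best_target


def is_public_subnet(route_table: List[Route]) -> bool:
    """A subnet is public when its route table sends traffic to an internet gateway."""
    return any(target.startswith("igw-") for _, target in route_table)


def traffic_path(route_table: List[Route], dst_ip: str) -> str:
    """Describe where a packet to dst_ip travels from a subnet using this route table."""
    hop = next_hop(route_table, dst_ip)
    if hop is None:
        return "dropped: no route"
    if hop == "local":
        return "stays inside the VPC"
    if hop.startswith("vpce-"):
        return "stays on the AWS network via gateway endpoint"
    if hop.startswith("nat-"):
        return "leaves via NAT Gateway, then IGW, over the public internet"
    if hop.startswith("igw-"):
        return "leaves directly via IGW over the public internet"
    return f"forwarded to {hop}"


if __name__ == "__main__":
    for name, rt in [("public", PUBLIC_RT), ("private", PRIVATE_RT),
                     ("private+endpoint", PRIVATE_RT_WITH_ENDPOINT)]:
        print(f"{name:17s} S3 stand-in -> {traffic_path(rt, '198.51.100.10')}")
```

Note that adding the endpoint route does not make the subnet public: `is_public_subnet` still returns False because nothing points at an internet gateway, which is exactly the property the endpoint is meant to preserve.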
4. VPC Peering
- Direct private network connection between two VPCs (no internet, no gateway, no VPN)
- Works across different AWS accounts and different Regions (inter-region peering)
- NOT transitive — if VPC-A peers with VPC-B, and VPC-B peers with VPC-C, VPC-A cannot reach VPC-C automatically
- Use AWS Transit Gateway when you need to connect many VPCs in a hub-and-spoke model
5. Amazon Route 53 — DNS Service
Route 53 Routing Policies:
| Policy | Routes Based On | Use Case |
|---|---|---|
| Simple | Single destination | Basic single-endpoint routing |
| Weighted | Percentage split (e.g., 80%/20%) | A/B testing, gradual traffic shift |
| Latency-based | Lowest latency Region for the user | Global apps with multi-region deployments |
| Failover | Health check — active/passive switch | Disaster recovery |
| Geolocation | User's country or continent | Compliance, localization, language routing |
| Geoproximity | Geographic distance with optional bias | Fine-grained geographic traffic control |
| Multi-value | Multiple healthy IPs returned | Simple load balancing with health checks |
6. Amazon CloudFront — Content Delivery Network
- Global CDN with 400+ edge locations — content served from the location nearest the user
- Supports static content (S3: images, HTML, CSS, JS) and dynamic content (ALB, custom origins)
- Integrates with AWS WAF for application-layer DDoS protection and web exploit filtering
- Integrates with AWS Shield for network-layer DDoS protection
- HTTPS support with SSL/TLS termination at the edge; integrates with ACM
7. Hybrid Connectivity — On-Premises to AWS
| Feature | Site-to-Site VPN | AWS Direct Connect |
|---|---|---|
| Connection type | IPSec tunnel over public internet | Dedicated private fiber |
| Setup time | Hours | Weeks to months |
| Bandwidth | Limited by internet connection | 1 Gbps to 100 Gbps |
| Latency | Variable (shared internet) | Consistent and predictable |
| Cost | Lower — pay per connection hour and data | Higher — port hours plus provider fees |
| Encryption | Yes — IPSec by default | Not encrypted by default (add MACsec or VPN on top) |
| Best for | Quick setup, backup connection, dev/test | High bandwidth, consistent latency, regulated workloads |
8. Amazon API Gateway
- Fully managed service to create, publish, secure, and monitor APIs at any scale
- Supports REST APIs, HTTP APIs, and WebSocket APIs
- Common pattern: client → API Gateway → Lambda (serverless API backend)
- Handles: authentication, rate limiting, caching, request/response transformation, monitoring
9. AWS Transit Gateway
- Central hub for connecting multiple VPCs and on-premises networks
- Replaces complex VPC peering meshes with a single hub-and-spoke topology
- Supports thousands of VPC connections and VPN/Direct Connect attachments
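The non-transitive nature of VPC peering (section 4) and the hub-and-spoke model of Transit Gateway (this section) can be checked with a small reachability model. The following is an added example, not from the original page or from AWS: peering links carry traffic only between the two directly peered VPCs, while a Transit Gateway forwards between any of its attachments (the model assumes its route table permits all of them). The VPC names and the tgw- ID are placeholders.

```python
"""Added example, not from the original page: reachability under VPC peering (direct,
non-transitive) versus a Transit Gateway hub (any-to-any among attachments)."""
from typing import Dict, Set


class VpcTopology:
    def __init__(self) -> None:
        self.peering: Dict[str, Set[str]] = {}            # vpc -> directly peered vpcs
        self.tgw_attachments: Dict[str, Set[str]] = {}    # tgw -> attached VPCs / on-prem links

    def add_peering(self, a: str, b: str) -> None:
        self.peering.setdefault(a, set()).add(b)
        self.peering.setdefault(b, set()).add(a)

    def attach_to_tgw(self, tgw: str, network: str) -> None:
        self.tgw_attachments.setdefault(tgw, set()).add(network)

    def reachable(self, src: str, dst: str) -> bool:
        """Peering carries traffic only between the two peered VPCs (no forwarding onward),
        so it is never transitive. A Transit Gateway forwards between any of its attachments
        (assuming its route table permits it, which this model takes as given)."""
        if src == dst:
            return True
        if dst in self.peering.get(src, set()):
            return True
        return any(src in members and dst in members
                   for members in self.tgw_attachments.values())


def peering_connections_for_full_mesh(n_vpcs: int) -> int:
    """Peering connections needed so every pair of n VPCs can talk: n(n-1)/2.
    A Transit Gateway needs only n attachments for the same reachability."""
    return n_vpcs * (n_vpcs - 1) // 2


def build_examples():
    peered = VpcTopology()                 # A-B and B-C peered; A-C is not
    peered.add_peering("vpc-A", "vpc-B")
    peered.add_peering("vpc-B", "vpc-C")

    hub = VpcTopology()                    # same VPCs plus an on-prem VPN, all on one TGW
    for net in ("vpc-A", "vpc-B", "vpc-C", "onprem-vpn"):
        hub.attach_to_tgw("tgw-EXAMPLE", net)   # placeholder ID, not a real resource
    return peered, hub


if __name__ == "__main__":
    peered, hub = build_examples()
    print("peering  A->C:", peered.reachable("vpc-A", "vpc-C"))
    print("TGW      A->C:", hub.reachable("vpc-A", "vpc-C"))
    print("full mesh of 10 VPCs needs", peering_connections_for_full_mesh(10), "peerings")
```

The model deliberately has no path-finding step: a breadth-first search over peering links would be the wrong answer, because that is precisely the forwarding AWS does not perform across a peering connection.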
10. CLF-C02 Quick Reference
| Topic | Key Fact |
|---|---|
| VPC | Logically isolated virtual network; you define IP ranges and subnets |
| Public subnet | Has route to IGW; resources can have public IPs and internet access |
| Private subnet | No direct internet; outbound via NAT Gateway only |
| IGW | Bidirectional internet access for public subnet resources |
| NAT Gateway | Outbound-only internet for private subnet; AWS-managed; per-AZ |
| Security Groups | Stateful; instance-level; allow rules only; return traffic automatic |
| NACLs | Stateless; subnet-level; allow and deny; numeric rule order; both directions explicit |
| VPC Endpoint Gateway | Free; private S3 and DynamoDB access without internet |
| VPC Peering | Private VPC-to-VPC; NOT transitive |
| Transit Gateway | Hub for many VPCs and on-premises; replaces peering mesh |
| Route 53 | Managed DNS; health checks; 7 routing policies |
| CloudFront | CDN; 400+ edge locations; caches content near users; WAF and Shield integration |
| Site-to-Site VPN | IPSec over internet; hours to set up; variable latency |
| Direct Connect | Private dedicated fiber; weeks to provision; consistent bandwidth and latency |
| API Gateway | Managed API publishing; REST, HTTP, WebSocket; pairs with Lambda |
Practice Questions
Q1. What does Amazon VPC (Virtual Private Cloud) provide?
Q2. Which VPC component acts as a stateful virtual firewall at the EC2 instance level, controlling inbound and outbound traffic with ALLOW rules only?
Q3. What is the key difference between a Security Group and a Network ACL (NACL) in a VPC?
Q4. Resources in a private subnet need to download software updates from the internet but should NOT be directly reachable from the internet. Which VPC component enables this?
Q5. Which AWS service is a fully managed, global DNS service that also supports routing policies like latency-based routing, failover routing, and geolocation routing?
Q6. A company wants a dedicated, private, high-bandwidth connection between their corporate data center and AWS that bypasses the public internet for consistent network performance. Which service should they use?
Q7. Which TWO services can establish network connectivity between an on-premises data center and an Amazon VPC? (Select TWO — more than one answer may be correct)