Task Statement 3.1: Maintain routing and connectivity on AWS and hybrid networks.
📘AWS Certified Advanced Networking – Specialty
AWS provides different ways to connect to its services. Understanding these methods is crucial for designing secure, efficient networks. There are two main types of access: private access and public access.
1. Public Access to AWS Services
Public access means your resources access AWS services over the internet.
How it Works
- Services like S3, DynamoDB, API Gateway, and others have public endpoints.
- Your VPC or on-premises network connects via the internet.
- Security is enforced using IAM policies, VPC security groups, and NACLs.
Key Components
- Internet Gateway (IGW)
- A VPC component that allows resources in your VPC to communicate with the internet.
- Public subnets must have a route to the IGW.
- Elastic IP (EIP)
- A public IP that allows your EC2 instances or NAT gateways to communicate with AWS services over the internet.
- NAT Gateway / NAT Instance
- Used for private subnets to access the internet without exposing resources directly.
Example Scenario
- An EC2 instance in a public subnet accesses Amazon S3 to download patches.
- Routes in the VPC route table point to the Internet Gateway.
Pros
- Simple to set up.
- No special AWS services required beyond the IGW and routing.
Cons
- Traffic goes over the internet — slightly less secure.
- Requires careful security controls (firewalls, IAM policies).
2. Private Access to AWS Services
Private access means resources access AWS services without using the internet. This is more secure and common in enterprise environments.
AWS provides a few ways to do this:
A. AWS PrivateLink
- Connects to AWS services privately using Elastic Network Interfaces (ENIs) in your VPC.
- The service appears as a private IP address in your VPC.
- Traffic never leaves the AWS network.
Key Points:
- Works with AWS services like S3, DynamoDB, or your own services.
- You create a VPC endpoint (interface endpoint for PrivateLink services).
- Supports security via VPC endpoint policies.
Pros:
- Secure: no internet traffic.
- Easy to manage, works across VPCs.
Example:
- Your EC2 instance accesses S3 privately using a VPC endpoint without needing an IGW or NAT gateway.
B. VPC Endpoints for S3 and DynamoDB
AWS provides gateway endpoints specifically for S3 and DynamoDB.
- Gateway endpoints add routes in your VPC route table.
- Traffic stays on the AWS network.
Differences from PrivateLink:
| Feature | Gateway Endpoint | PrivateLink (Interface Endpoint) |
|---|---|---|
| Services | S3, DynamoDB | Most AWS services + custom |
| Network Interface | No | Yes (ENI in your subnet) |
| Routing | Route table entry | DNS + ENI |
| Internet required? | No | No |
C. VPN (Virtual Private Network)
A VPN lets your on-premises network connect securely to AWS over the internet but in an encrypted way.
- Commonly used for hybrid networks.
- Traffic goes over a secure IPSec tunnel.
- Requires Customer Gateway (on-premises) and Virtual Private Gateway (AWS side).
Pros:
- Secure encrypted connection.
- Easy for extending on-premises networks to AWS.
Cons:
- Internet-dependent; subject to internet latency.
- Can have bandwidth limitations.
D. AWS Direct Connect
- A dedicated private connection between your data center and AWS.
- Avoids the internet entirely.
- Higher bandwidth and lower latency than VPN.
Key Points:
- Can be used with Transit Gateway or Direct Connect Gateway.
- Often combined with private VIF (Virtual Interface) to access AWS services privately.
- Works well for large-scale enterprise environments.
Pros:
- High performance, predictable network.
- Private: traffic never goes over the public internet.
Cons:
- More expensive.
- Takes time to provision.
3. Choosing Private vs Public Access
| Requirement | Use Public Access | Use Private Access |
|---|---|---|
| Security is top priority | No | Yes |
| Latency matters (low) | No | Yes |
| Cost sensitive | Yes | Varies (PrivateLink/Direct Connect cost) |
| Ease of setup | Simple | Moderate to complex |
| Hybrid environment (on-prem + AWS) | Possible | Recommended (VPN/Direct Connect) |
Exam Tip: AWS often tests your understanding of PrivateLink, VPC endpoints, VPN, and Direct Connect and asks which service provides private connectivity to AWS services.
4. Key Exam Points to Remember
- Internet Gateway + NAT Gateway → public access.
- VPC endpoints (gateway and interface) → private access without using the internet.
- PrivateLink → connect to AWS services or your custom services privately.
- VPN → encrypted private connection over the internet.
- Direct Connect → dedicated private connection, lower latency, high bandwidth.
- Routing matters: Proper route table entries are required for both private and public access.
- Security matters: Always configure IAM policies, security groups, and endpoint policies for controlling access.
✅ Summary in Plain IT Terms
- Public access: Use IGW/NAT to reach AWS over the internet.
- Private access: Use PrivateLink, VPC endpoints, VPN, or Direct Connect to keep traffic inside AWS or encrypted.
- Always check your routes and security rules—even if you pick the right service, incorrect routing or firewall rules will block access.
