Task Statement 2.2: Implement routing and connectivity across multiple AWS
accounts, Regions, and VPCs to support different connectivity patterns.
📘AWS Certified Advanced Networking – Specialty
1. Understanding VPC Networking Basics
A Virtual Private Cloud (VPC) is a logically isolated network in AWS where you launch resources like EC2 instances.
Each VPC includes:
- IP address range (CIDR block)
- Subnets
- Route tables
- Network gateways
- Security controls
2. Single-VPC Architecture
What is a Single-VPC Design?
A single-VPC architecture means all resources are deployed inside one VPC.
Common Use Cases
- Small applications
- Simple environments
- Development/testing workloads
Components in a Single-VPC Design
2.1 Subnets
Subnets divide a VPC into smaller networks.
Types:
- Public subnet → has route to Internet Gateway
- Private subnet → no direct internet access
2.2 Route Tables
A route table determines where network traffic is sent.
Each route includes:
- Destination (CIDR)
- Target (gateway, ENI, etc.)
Example:
<VPC CIDR> → local (present in every route table of the VPC and cannot be removed)
0.0.0.0/0 → Internet Gateway (for internet access)
2.3 Internet Gateway (IGW)
- Enables internet access for public subnets
- Must be attached to the VPC
2.4 NAT Gateway
- Allows private subnet resources to initiate connections to the internet (the NAT Gateway itself sits in a public subnet; the private subnet's route table sends 0.0.0.0/0 to it)
- Does not accept unsolicited inbound connections from the internet; only return traffic for outbound-initiated flows is passed back
2.5 DHCP Options Set
DHCP (Dynamic Host Configuration Protocol) provides configuration to instances.
By default, AWS provides:
- DNS server
- Domain name
You can customize DHCP options:
- Domain name (e.g., internal.company.local)
- DNS servers (e.g., custom DNS)
2.6 Security Groups
- Act as stateful firewalls
- Applied at instance level
- Allow rules only (no deny rules)
Key points:
- Return traffic is automatically allowed
- Rules evaluated together (no order)
2.7 Network ACLs (NACLs)
- Stateless firewall at subnet level
- Supports allow and deny rules
Key points:
- Rules evaluated in order (lowest number first); the first matching rule decides, and the trailing "*" rule denies anything unmatched
- Both inbound and outbound rules required, because return traffic is not tracked: a server that accepts TCP 443 inbound also needs an outbound rule for the client's ephemeral port range (1024-65535)
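The stateful/stateless difference is easiest to see by pushing one HTTPS request and its reply through both filters. The following simulator is an added example written for these notes (it is not AWS code); the addresses, ports and rule numbers are constructed. It shows why a security group needs no outbound rule for the reply, why a NACL does, and why a deny rule numbered after an allow never fires.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    cidr: str              # remote side: source for inbound rules, destination for outbound
    port_from: int
    port_to: int
    action: str = "allow"  # NACLs may also use "deny"; security groups never do
    number: int = 0        # NACL rule number (evaluation order); unused by security groups
    proto: str = "tcp"

    def matches(self, remote_ip, port, proto):
        return (proto == self.proto
                and ip_address(remote_ip) in ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


class SecurityGroup:
    """Stateful, instance level, allow rules only, evaluated as one set (no ordering)."""

    def __init__(self, inbound, outbound):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups cannot hold deny rules")
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()  # admitted connections as (src_ip, src_port, dst_ip, dst_port)

    def _evaluate(self, rules, remote_ip, pkt):
        # Reply to an already admitted flow: allowed by connection state, no rule needed.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows:
            return True
        if any(r.matches(remote_ip, pkt.dst_port, pkt.proto) for r in rules):
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return False

    def check_inbound(self, pkt):
        return self._evaluate(self.inbound, pkt.src_ip, pkt)

    def check_outbound(self, pkt):
        return self._evaluate(self.outbound, pkt.dst_ip, pkt)


class NetworkAcl:
    """Stateless, subnet level, allow and deny rules, lowest number first, then implicit deny."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, remote_ip, pkt):
        for r in rules:  # first matching rule decides; later rules are never consulted
            if r.matches(remote_ip, pkt.dst_port, pkt.proto):
                return r.action == "allow"
        return False  # the trailing "*" rule denies everything else

    def check_inbound(self, pkt):
        return self._evaluate(self.inbound, pkt.src_ip, pkt)

    def check_outbound(self, pkt):
        return self._evaluate(self.outbound, pkt.dst_ip, pkt)


def https_session(firewall):
    """Constructed flow: client 203.0.113.10:40000 opens HTTPS to instance 10.0.1.5:443.
    Returns (request_admitted, reply_admitted)."""
    request = Packet("203.0.113.10", 40000, "10.0.1.5", 443)
    reply = Packet("10.0.1.5", 443, "203.0.113.10", 40000)
    request_ok = firewall.check_inbound(request)
    reply_ok = request_ok and firewall.check_outbound(reply)
    return request_ok, reply_ok


# Constructed rule sets. The security group has no outbound rule at all (a real default
# group allows all outbound) to show that the reply is admitted by state, not by a rule.
SG = SecurityGroup(inbound=[Rule("0.0.0.0/0", 443, 443)], outbound=[])
NACL_NO_EPHEMERAL = NetworkAcl(inbound=[Rule("0.0.0.0/0", 443, 443, number=100)], outbound=[])
NACL_OK = NetworkAcl(inbound=[Rule("0.0.0.0/0", 443, 443, number=100)],
                     outbound=[Rule("0.0.0.0/0", 1024, 65535, number=100)])
NACL_DENY_FIRST = NetworkAcl(
    inbound=[Rule("203.0.113.0/24", 443, 443, action="deny", number=90),
             Rule("0.0.0.0/0", 443, 443, number=100)],
    outbound=[Rule("0.0.0.0/0", 1024, 65535, number=100)])
NACL_DENY_TOO_LATE = NetworkAcl(
    inbound=[Rule("0.0.0.0/0", 443, 443, number=100),
             Rule("203.0.113.0/24", 443, 443, action="deny", number=110)],
    outbound=[Rule("0.0.0.0/0", 1024, 65535, number=100)])

if __name__ == "__main__":
    for name, fw in [("security group", SG), ("NACL without ephemeral rule", NACL_NO_EPHEMERAL),
                     ("NACL with ephemeral rule", NACL_OK), ("NACL deny at 90", NACL_DENY_FIRST),
                     ("NACL deny at 110", NACL_DENY_TOO_LATE)]:
        print(f"{name}: request/reply admitted = {https_session(fw)}")
```

The two NACL deny cases are the exam trap: the same deny rule blocks the client when numbered 90 and is dead when numbered 110, because rule 100 already allowed the packet.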
3. Multi-VPC Architecture
What is Multi-VPC Design?
Multiple VPCs are used to separate environments, applications, or teams.
Why use Multi-VPC?
- Isolation
- Security boundaries
- Scalability
- Multi-account strategy
4. Connectivity Options Between VPCs
4.1 VPC Peering
Features:
- Direct connection between two VPCs
- Uses private IP addresses
- No transitive routing
Requirements:
- Non-overlapping CIDR blocks
- Manual route configuration
Limitations:
- Poor scalability in large environments
- No centralized routing
4.2 AWS Transit Gateway (TGW)
What is it?
A central hub that connects multiple VPCs and on-premises networks.
Benefits:
- Scalable hub-and-spoke architecture
- Supports transitive routing
- Centralized control
Key Concepts:
- Attachments (VPC, VPN, Direct Connect gateway, peering with another TGW)
- Route tables (TGW route tables)
- Route propagation
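The difference between 4.1 and 4.2 (and the CIDR rule in 9.1) can be checked with a small reachability model. This is an added example for these notes, not AWS tooling; the VPC names, CIDRs and route-table names are constructed. Peering is modelled as a list of point-to-point links; the Transit Gateway is modelled the way it actually routes: a packet from an attachment is looked up in the one TGW route table that attachment is associated with, and a destination is reachable only if it was propagated (or statically added) into that table.

```python
from itertools import combinations
from ipaddress import ip_network

# Constructed topology: two production VPCs, one dev VPC and a shared-services VPC.
VPCS = {
    "prod-a": "10.10.0.0/16",
    "prod-b": "10.11.0.0/16",
    "dev": "10.20.0.0/16",
    "shared": "10.0.0.0/16",
}

# Peering design: every spoke is peered only with the shared-services VPC.
PEERINGS = [("prod-a", "shared"), ("prod-b", "shared"), ("dev", "shared")]

# Transit Gateway design: each attachment is associated with exactly one TGW route table;
# attachments propagate their CIDR into the tables that should be able to reach them.
TGW_ROUTE_TABLES = {
    "prod-rt": {"associations": {"prod-a", "prod-b"},
                "propagations": {"prod-a", "prod-b", "shared"}},
    "dev-rt": {"associations": {"dev"},
               "propagations": {"dev", "shared"}},
    "shared-rt": {"associations": {"shared"},
                  "propagations": {"prod-a", "prod-b", "dev", "shared"}},
}


def find_overlaps(vpcs):
    """Peering connections and TGW attachments both require disjoint VPC CIDRs."""
    return [(a, b) for (a, ca), (b, cb) in combinations(vpcs.items(), 2)
            if ip_network(ca).overlaps(ip_network(cb))]


def peering_can_reach(peerings, src, dst):
    """Peering is point-to-point and non-transitive: only a direct pcx between src and dst counts."""
    return {src, dst} in [set(p) for p in peerings]


def tgw_can_reach(route_tables, src, dst):
    """Look dst up in the TGW route table that src is associated with."""
    for rt in route_tables.values():
        if src in rt["associations"]:
            return dst in rt["propagations"]
    return False  # an attachment with no association has no routing at all


def tgw_session_ok(route_tables, src, dst):
    """A TCP session needs the forward path and the return path; check both directions."""
    return (tgw_can_reach(route_tables, src, dst)
            and tgw_can_reach(route_tables, dst, src))


if __name__ == "__main__":
    print("overlaps:", find_overlaps(VPCS))
    print("peering prod-a -> prod-b:", peering_can_reach(PEERINGS, "prod-a", "prod-b"))
    print("tgw prod-a -> prod-b:", tgw_session_ok(TGW_ROUTE_TABLES, "prod-a", "prod-b"))
    print("tgw prod-a -> dev:", tgw_session_ok(TGW_ROUTE_TABLES, "prod-a", "dev"))
```

With peering, prod-a and prod-b both reach shared but not each other, because traffic cannot transit the shared VPC. With the Transit Gateway, prod-a reaches prod-b through the hub, and prod-a is still cut off from dev because dev never propagates into prod-rt. Each VPC additionally needs a static route for the remote CIDRs pointing at the TGW attachment in its own VPC route table; the model above covers only the TGW side.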
4.3 AWS PrivateLink
Purpose:
Provides private access to services without exposing traffic to the internet.
Components:
- Endpoint service (provider)
- Interface endpoint (consumer)
Use Case:
- Access shared services across VPCs securely
4.4 VPC Endpoints
Used to connect to AWS services privately.
Types:
- Gateway endpoints
  - S3 and DynamoDB only
  - Route table-based: a prefix-list route in the subnet route table points at the endpoint; no ENI in your subnet
- Interface endpoints
  - Use ENIs with private IPs in your subnets (powered by PrivateLink); security groups apply to the ENI
  - Support most AWS services, plus endpoint services published by other accounts
4.5 Site-to-Site VPN
- Connects on-premises network to VPC
- Uses IPsec tunnels
4.6 AWS Direct Connect
- Dedicated private connection to AWS
- Lower latency and consistent performance
5. Routing in Multi-VPC Architectures
Key Concepts
Static Routing
- Manually defined routes
Dynamic Routing
- Uses BGP (for VPN/Direct Connect)
Important Exam Concepts
5.1 Route Propagation
- In a VPC route table, propagation pulls in routes learned by a virtual private gateway (Site-to-Site VPN or Direct Connect, via BGP); routes that point at a Transit Gateway must be added statically
- In a Transit Gateway route table, attachments (VPC, VPN, Direct Connect gateway) propagate their CIDRs or BGP-learned routes automatically when propagation is enabled
5.2 Blackhole Routes
- Routes with no valid target
- Traffic is dropped
5.3 Longest Prefix Match
Routing decisions use the most specific route.
Example:
/16 vs /24 → /24 is preferred
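Longest prefix match and blackhole routes (5.2 and 5.3) together decide whether a packet is forwarded at all. The lookup below is an added example for these notes, not AWS code; the route table, target IDs and addresses are constructed. A target of None models a route in blackhole state, whose target (here a deleted peering connection) no longer exists.

```python
from ipaddress import ip_address, ip_network

# Constructed route table of a 10.0.0.0/16 VPC.
ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),          # the VPC's own CIDR, always present
    ("0.0.0.0/0", "igw-0123abcd"),     # default route to the Internet Gateway
    ("10.1.0.0/16", "tgw-0aaa1111"),   # remote range reached through a Transit Gateway
    ("10.1.5.0/24", "pcx-0bbb2222"),   # one subnet of that range pinned to a direct peering
    ("10.1.9.0/24", None),             # blackhole: target was deleted, traffic is dropped
]


def next_hop(route_table, dst_ip):
    """Longest-prefix match over the table.

    Returns (matched_prefix, target). target None means the packet is dropped by a
    blackhole route; (None, None) means no route matched at all (also dropped)."""
    addr = ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ip_network(cidr)
        # A more specific prefix wins regardless of its position in the table.
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return (str(best_net) if best_net is not None else None, best_target)


def is_forwarded(route_table, dst_ip):
    """True only when the best match has a live target."""
    return next_hop(route_table, dst_ip)[1] is not None


if __name__ == "__main__":
    for dst in ["10.0.3.7", "10.1.2.3", "10.1.5.9", "10.1.9.1", "8.8.8.8"]:
        print(dst, "->", next_hop(ROUTE_TABLE, dst))
```

Note that 10.1.9.1 is swallowed by the /24 blackhole even though the /16 route to the Transit Gateway also covers it: a stale, more specific route silently drops traffic that a less specific working route would have carried.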
6. Security in VPC Connectivity
Layered Security Approach
6.1 Security Groups
- Instance-level protection
- Stateful
6.2 NACLs
- Subnet-level protection
- Stateless
6.3 Route Tables
- Control traffic flow paths
6.4 VPC Endpoints
- Reduce exposure to internet
7. Multi-Account Networking
In enterprise environments, multiple AWS accounts are used.
Common Patterns
7.1 Hub-and-Spoke Model
- Central networking account (hub)
- Application VPCs (spokes)
- Uses Transit Gateway
7.2 Shared Services VPC
- Centralized services (DNS, logging, authentication)
7.3 AWS Resource Access Manager (RAM)
- Share resources like Transit Gateway across accounts
8. DNS and DHCP in Multi-VPC
DNS Resolution
Options:
- AmazonProvidedDNS
- Route 53 Resolver
Route 53 Resolver Endpoints:
- Inbound endpoint → accepts DNS queries arriving from on-premises (over VPN/Direct Connect) or other networks and resolves them against VPC DNS, including Route 53 private hosted zones
- Outbound endpoint → forwards queries originating in the VPC to on-premises DNS servers, according to Resolver forwarding rules (the rule with the most specific domain match wins)
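Forwarding through an outbound endpoint is driven by Resolver rules, and the rule with the most specific domain match wins, which is how a subdomain can be carved back out to AmazonProvidedDNS. The following is an added example for these notes (not AWS code) that applies that selection logic; the rule names, domains and target IPs are assumed.

```python
# Constructed Resolver rules for a VPC that has an outbound endpoint. A FORWARD rule sends
# matching queries through the outbound endpoint to its targets; a SYSTEM rule makes
# Resolver answer the query itself (AmazonProvidedDNS, including private hosted zones).
RESOLVER_RULES = [
    {"name": "corp-forward", "domain": "corp.example.com", "type": "FORWARD",
     "targets": ["192.168.10.53", "192.168.11.53"]},
    # Carve-out: this subdomain lives in a Route 53 private hosted zone, so keep it on Amazon DNS.
    {"name": "aws-carveout", "domain": "aws.corp.example.com", "type": "SYSTEM",
     "targets": []},
]


def _domain_matches(domain, qname):
    """A rule covers its domain and every name beneath it, not names that merely end in it."""
    return qname == domain or qname.endswith("." + domain)


def resolve_path(rules, qname):
    """Pick the rule whose domain is the longest match for qname, as Route 53 Resolver does.

    Returns ("AmazonProvidedDNS", ()) or ("outbound", targets)."""
    name = qname.rstrip(".").lower()
    best_domain, best_rule = None, None
    for rule in rules:
        domain = rule["domain"].rstrip(".").lower()
        if _domain_matches(domain, name) and (best_domain is None or len(domain) > len(best_domain)):
            best_domain, best_rule = domain, rule
    if best_rule is None or best_rule["type"] == "SYSTEM":
        return ("AmazonProvidedDNS", ())
    return ("outbound", tuple(best_rule["targets"]))


if __name__ == "__main__":
    for q in ["db.corp.example.com", "api.aws.corp.example.com", "ec2.amazonaws.com",
              "notcorp.example.com"]:
        print(q, "->", resolve_path(RESOLVER_RULES, q))
```

The notcorp.example.com case is the check worth keeping: a naive suffix comparison would forward it to on-premises DNS, while Resolver only matches whole labels.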
DHCP in Multi-VPC
- Each VPC can have its own DHCP options set
- Ensures consistent DNS/domain configuration
9. Design Considerations for Exam
9.1 CIDR Planning
- Avoid overlapping CIDR blocks
- Plan for future growth
9.2 Scalability
- Use Transit Gateway instead of multiple peering connections
9.3 High Availability
- Use multiple AZs
- Redundant NAT Gateways (one per AZ, since a NAT Gateway is zonal) and VPN tunnels (use both tunnels of each Site-to-Site VPN connection)
9.4 Security Best Practices
- Least privilege rules in Security Groups
- Use private subnets where possible
- Avoid exposing services to the internet unnecessarily
9.5 Cost Optimization
- NAT Gateway costs
- Data transfer costs between VPCs
- Prefer VPC endpoints over NAT where possible
10. Key Differences (Exam Quick Revision)
| Feature | VPC Peering | Transit Gateway |
|---|---|---|
| Routing | Non-transitive | Transitive |
| Scalability | Low | High |
| Architecture | Mesh | Hub-and-spoke |
| Management | Complex at scale | Centralized |
11. Exam Tips
- Understand when to use VPC Peering vs Transit Gateway
- Know difference between Security Groups and NACLs
- Remember DHCP options affect DNS settings
- Understand route table behavior and longest prefix match
- Be clear on VPC endpoints vs NAT Gateway
- Focus on multi-account and multi-region connectivity patterns
Final Summary
To succeed in this exam section, you must understand:
- How to design single-VPC vs multi-VPC architectures
- How to configure routing, DHCP, and security controls
- How to connect VPCs using Peering, Transit Gateway, VPN, and PrivateLink
- How to ensure secure, scalable, and highly available networking
