Networking services of VPCs

Task Statement 2.1: Implement routing and connectivity between on-premises networks and the AWS Cloud.

📘AWS Certified Advanced Networking – Specialty

1. What is Amazon VPC?

A Virtual Private Cloud (VPC) is a logically isolated network in AWS where you can launch and manage resources such as EC2 instances, databases, and applications.

It gives you full control over:

  • IP addressing
  • Routing
  • Security
  • Connectivity

Think of a VPC as your own private network inside AWS, similar to a data center network.

2. Core Networking Components of a VPC

2.1 IP Addressing (CIDR Blocks)

When you create a VPC, you assign an IPv4 CIDR block (and optionally IPv6).

Example:

  • 10.0.0.0/16

Key points:

  • Defines total IP range available in the VPC
  • You can add secondary CIDR blocks
  • AWS reserves 5 IP addresses per subnet

2.2 Subnets

A subnet is a smaller network inside a VPC.

Types:

  • Public subnet
    • Has route to Internet Gateway
  • Private subnet
    • No direct internet access

Key exam concepts:

  • Subnets are AZ-specific (Availability Zone)
  • Used to organize resources by function (e.g., web tier, database tier)

2.3 Route Tables

A route table controls how traffic flows inside the VPC and outside.

Each route contains:

  • Destination (CIDR)
  • Target (where traffic goes)

Common targets:

  • Internet Gateway (IGW)
  • NAT Gateway
  • Virtual Private Gateway (VGW)
  • Transit Gateway (TGW)
  • VPC Peering connection

Important:

  • Every subnet must be associated with a route table
  • There is a main route table

2.4 Internet Gateway (IGW)

An Internet Gateway enables communication between:

  • VPC resources
  • The public internet

Requirements for internet access:

  1. IGW attached to VPC
  2. Route table with 0.0.0.0/0 → IGW
  3. Public IP assigned to resource

2.5 NAT Gateway / NAT Instance

Used to allow private subnet resources to access the internet, but prevent inbound connections.

NAT Gateway (recommended)

  • Managed by AWS
  • Highly available within AZ
  • Scales automatically

NAT Instance

  • EC2-based (manual management)
  • Less preferred

Key exam point:

  • Private subnets use NAT for outbound internet traffic

2.6 Elastic Network Interface (ENI)

An ENI is a virtual network interface attached to an EC2 instance.

Includes:

  • Private IP address
  • Public IP (optional)
  • MAC address
  • Security groups

Key uses:

  • Multiple ENIs per instance
  • Failover setups
  • Network appliances

2.7 Elastic IP Address (EIP)

A static public IPv4 address assigned to:

  • EC2 instance
  • NAT Gateway

Key points:

  • Remains constant even if instance stops
  • Useful for fixed endpoints

3. Security Services in VPC

3.1 Security Groups

  • Instance-level firewall
  • Controls inbound and outbound traffic
  • Stateful (return traffic automatically allowed)

Rules:

  • Allow rules only
  • Evaluated automatically

3.2 Network ACLs (NACLs)

  • Subnet-level firewall
  • Stateless (must allow both directions)

Rules:

  • Allow and deny rules
  • Evaluated in order

3.3 Key Differences (Exam Important)

FeatureSecurity GroupNACL
LevelInstanceSubnet
TypeStatefulStateless
RulesAllow onlyAllow & Deny
OrderNot evaluated in orderEvaluated in order

4. Connectivity Services of VPC

4.1 VPC Peering

  • Connects two VPCs
  • Private communication using private IPs

Limitations:

  • No transitive routing
  • Must not have overlapping CIDR blocks

4.2 AWS Transit Gateway (TGW)

  • Central hub for connecting:
    • Multiple VPCs
    • On-premises networks

Benefits:

  • Simplifies complex architectures
  • Supports transitive routing

4.3 Virtual Private Gateway (VGW)

  • Attached to VPC
  • Used for VPN connections

4.4 AWS Site-to-Site VPN

  • Encrypted connection between:
    • On-premises network
    • AWS VPC

Uses:

  • Secure communication over internet

4.5 AWS Direct Connect

  • Dedicated private connection to AWS

Benefits:

  • Lower latency
  • More consistent performance
  • Higher bandwidth

5. VPC Endpoints (Very Important)

Allow private access to AWS services without using internet.

Types:

5.1 Interface Endpoint (AWS PrivateLink)

  • Uses ENI
  • Provides private IP access

Used for:

  • Most AWS services (e.g., S3, EC2 API)

5.2 Gateway Endpoint

  • Used for:
    • Amazon S3
    • DynamoDB
  • Added to route table

Key exam point:

  • Traffic does NOT go through internet or NAT

6. DNS Services in VPC

Amazon Route 53 Resolver

Provides DNS resolution inside VPC.

Features:

  • Default DNS for VPC
  • Resolves:
    • Public domains
    • Private hosted zones

DNS Settings in VPC

  • enableDnsSupport
  • enableDnsHostnames

Must be enabled for:

  • Public DNS names
  • Internal name resolution

7. Traffic Control & Monitoring

7.1 VPC Flow Logs

Captures information about IP traffic:

  • Accepted or rejected traffic
  • Source and destination IP
  • Ports and protocols

Used for:

  • Troubleshooting
  • Security analysis

7.2 Traffic Mirroring

  • Copies network traffic
  • Sends to monitoring tools

Used for:

  • Deep packet inspection
  • Intrusion detection

8. Load Balancing Integration

VPC works with AWS load balancers:

  • Application Load Balancer (Layer 7)
  • Network Load Balancer (Layer 4)
  • Gateway Load Balancer (for appliances)

These distribute traffic across resources in subnets.

9. Hybrid Connectivity (Exam Critical)

VPC supports hybrid architectures:

  • Site-to-Site VPN
  • Direct Connect
  • Transit Gateway

Important concept:

  • Route propagation between on-premises and VPC

10. High Availability Design

Key practices:

  • Use multiple Availability Zones
  • Deploy NAT Gateways per AZ
  • Use multiple subnets
  • Use load balancers

11. Common Exam Scenarios

Scenario 1

Private subnet cannot access internet
→ Check:

  • NAT Gateway
  • Route table

Scenario 2

Instance cannot receive traffic
→ Check:

  • Security group
  • NACL
  • Route table

Scenario 3

VPCs need communication
→ Choose:

  • VPC Peering (simple)
  • Transit Gateway (scalable)

Scenario 4

Access AWS services privately
→ Use:

  • VPC Endpoints

12. Key Exam Tips

  • Know difference:
    • IGW vs NAT Gateway
    • Security Groups vs NACLs
  • Understand routing behavior
  • Learn when to use:
    • VPC Peering vs Transit Gateway
  • Remember:
    • Private subnet = no direct internet
  • Focus on:
    • VPC Endpoints (very frequently tested)

Final Summary

Networking services of VPC include:

  • Core networking: CIDR, subnets, route tables
  • Internet access: IGW, NAT Gateway
  • Security: Security Groups, NACLs
  • Connectivity: Peering, VPN, Transit Gateway, Direct Connect
  • Private access: VPC Endpoints
  • Monitoring: Flow Logs, Traffic Mirroring
  • DNS: Route 53 Resolver
Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by