Task Statement 2.2: Design highly available and/or fault-tolerant architectures.
📘AWS Certified Solutions Architect – (SAA-C03)
1. What is Networking in AWS?
In AWS, networking is mainly done using a Virtual Private Cloud (VPC).
A VPC is:
- A logically isolated network in AWS
- Where you launch your resources (EC2, databases, etc.)
Inside a VPC, you control:
- IP address ranges
- Subnets
- Routing
- Internet access
- Security
2. Key Networking Components You MUST Know
Before understanding route tables, you need to know these:
2.1 Subnets
A subnet is a smaller network inside a VPC.
- Each subnet belongs to one Availability Zone
- Subnets are categorized as:
- Public subnet → has internet access
- Private subnet → no direct internet access
2.2 Internet Gateway (IGW)
An Internet Gateway allows communication between:
- Your VPC
- The internet
Without an IGW:
- No resource in your VPC can access the internet
2.3 NAT Gateway
A NAT Gateway allows:
- Private subnet → can reach the internet (outbound only)
- Internet → cannot initiate connections back to the private resources
Used for:
- Updates, API calls, external communication from private resources
2.4 Virtual Private Gateway (VGW)
Used for:
- VPN connections between:
- On-premises network
- AWS VPC
3. What is a Route Table?
A Route Table controls how network traffic is directed inside a VPC.
It contains a set of rules (routes) that determine:
- Where traffic should go
3.1 Structure of a Route Table
Each route has:
- Destination → IP range (CIDR block)
- Target → where traffic goes
Example:
| Destination | Target |
|---|---|
| 10.0.0.0/16 | local |
| 0.0.0.0/0 | Internet Gateway |
3.2 Important Terms
CIDR Block
- Defines an IP range (e.g., 10.0.0.0/16); the /16 prefix length is the size of the network
0.0.0.0/0
- Means all IPv4 addresses
- Used for internet traffic
4. Types of Route Tables
4.1 Main Route Table
- Default route table for the VPC
- Automatically associated with every subnet that has no explicit route table association
4.2 Custom Route Table
- User-created
- Used to control traffic more precisely
5. Route Table Behavior (VERY IMPORTANT FOR EXAM)
5.1 Local Route (Always Exists)
Every route table has:
- Destination: VPC CIDR (e.g., 10.0.0.0/16)
- Target: local
This allows:
- Communication between subnets inside the VPC
5.2 Public Subnet Routing
A subnet is public if:
- Its route table has:
- Destination: 0.0.0.0/0 → Target: Internet Gateway
5.3 Private Subnet Routing
A subnet is private if:
- It does NOT have a direct internet route (no 0.0.0.0/0 → Internet Gateway)
- It may have:
- 0.0.0.0/0 → NAT Gateway
6. Route Table Associations
Each subnet must be associated with:
- Exactly one route table
A route table can be associated with:
- Multiple subnets
7. Longest Prefix Match Rule (EXAM CRITICAL)
When multiple routes match a destination:
👉 AWS chooses the most specific (longest prefix) route.
Example:
| Destination | Target |
|---|---|
| 10.0.1.0/24 | NAT Gateway |
| 10.0.0.0/16 | local |
Traffic to 10.0.1.5 will:
- Use the /24 route (more specific)
- NOT the /16 route
8. Common Routing Scenarios
8.1 Internet Access (Public Subnet)
Requirements:
- Route table → 0.0.0.0/0 → IGW
- Instance has a public IP
- Security group allows traffic
8.2 Private Subnet with Internet Access
Requirements:
- Route table → 0.0.0.0/0 → NAT Gateway
- NAT Gateway in a public subnet
- IGW attached to VPC
8.3 Internal Communication Only
- Route table has only:
- VPC CIDR → local
- No internet access
8.4 Hybrid Connectivity (VPN)
- Route table includes:
- On-prem network CIDR → Virtual Private Gateway
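As an added example (not part of the original notes), the longest-prefix-match lookup from section 7 and the public/private classification from sections 5 and 8, written in Python over constructed route tables; the gateway ids such as igw-EXAMPLE are placeholders, not real resources.

```python
from ipaddress import ip_address, ip_network

# Constructed sample route tables (placeholder ids, not from a real account),
# written as (Destination, Target) pairs as in the tables above.
ROUTE_TABLES = {
    "public-rt":   [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-EXAMPLE")],
    "private-rt":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-EXAMPLE"),
                    ("192.168.0.0/16", "vgw-EXAMPLE")],   # on-prem via VPN
    "isolated-rt": [("10.0.0.0/16", "local")],
    "lpm-rt":      [("10.0.1.0/24", "nat-EXAMPLE"), ("10.0.0.0/16", "local")],
}

def lookup(routes, dst):
    """Return the target for dst by longest-prefix match, or None when no
    route matches (no route -> no communication, whatever the SG allows)."""
    ip = ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ip_network(cidr, strict=False)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target

def target_kind(target):
    """Map a target id prefix to the gateway type it names (section 9)."""
    prefixes = {"igw-": "IGW", "nat-": "NAT", "vgw-": "VGW",
                "pcx-": "PEERING", "tgw-": "TGW", "eni-": "ENI"}
    if target == "local":
        return "LOCAL"
    return next((k for p, k in prefixes.items() if target.startswith(p)), "OTHER")

def classify_subnet(routes):
    """Classify a subnet from its route table alone (section 5 rules):
    0.0.0.0/0 -> IGW is public, 0.0.0.0/0 -> NAT is private with outbound
    internet, and no default route at all is internal-only. A public IP and
    a permissive security group (section 8.1) are still needed on top."""
    default = next((t for c, t in routes if ip_network(c).prefixlen == 0), None)
    if default is None:
        return "internal-only"
    kind = target_kind(default)
    return {"IGW": "public", "NAT": "private-with-egress"}.get(kind, "private")

if __name__ == "__main__":
    for name, routes in ROUTE_TABLES.items():
        print(f"{name:12} {classify_subnet(routes):20} "
              f"10.0.1.5 -> {lookup(routes, '10.0.1.5')}")
```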
9. Route Table Targets (YOU MUST REMEMBER)
Common targets in AWS:
- Internet Gateway (IGW)
- NAT Gateway
- Virtual Private Gateway (VGW)
- VPC Peering Connection
- Transit Gateway
- Local (default)
- Network Interface (ENI)
10. VPC Peering and Routing
When connecting two VPCs:
- Add route:
- Destination: other VPC CIDR
- Target: VPC Peering Connection
Important:
- No overlapping CIDR blocks allowed
11. Security vs Routing (Common Exam Confusion)
Route Tables
- Control where traffic goes
Security Groups / NACLs
- Control whether traffic is allowed
👉 Both must allow traffic for communication to work
12. Exam Tips (VERY IMPORTANT)
Tip 1:
If a resource cannot access the internet:
- Check:
- Route table
- IGW/NAT
- Public IP
Tip 2:
Public subnet requires:
- Route to IGW
Tip 3:
Private subnet with outbound internet:
- Must use NAT Gateway
Tip 4:
If two routes match:
- Longest prefix wins
Tip 5:
Each subnet:
- Must have one route table
Tip 6:
No route → no communication, even if security groups allow it
13. Quick Summary (Revision)
- Route table = traffic direction rules
- Each route:
- Destination + Target
- Subnets must be associated with route tables
- Public subnet:
- Route to IGW
- Private subnet:
- Route to NAT (optional)
- Longest prefix match decides routing
- Local route allows internal VPC communication
