Networking: VPC & Beyond

VPCs, subnets, gateways, security layers, Route 53, and CloudFront — the network vocabulary the exam expects.


Your own slice of the cloud: VPC

An Amazon VPC (Virtual Private Cloud) is your logically isolated private network inside AWS. Inside it you create subnets (public ones reachable from the internet, private ones not), attach gateways, and control traffic with security layers.

Core VPC pieces

  • Subnet — a segment of the VPC's IP range living in one AZ; public or private.
  • Internet Gateway (IGW) — lets resources in public subnets reach/be reached from the internet.
  • NAT Gateway — lets *private* subnet resources initiate outbound internet traffic (updates, APIs) while blocking inbound connections.
  • Route tables — decide where traffic from each subnet goes.
  • VPC Peering — private connection between two VPCs.
  • VPC Endpoints — private connections from your VPC to AWS services (like S3) without touching the public internet.
  • VPC Flow Logs — capture network traffic metadata for troubleshooting and security analysis.

Think of it like this

A VPC is a gated office campus. Public subnets are the lobby and storefront (visitors allowed), private subnets are the back offices and server room. The Internet Gateway is the front door; the NAT Gateway is a mail room that lets staff send packages out but accepts no walk-ins.

Security groups vs network ACLs

Feature     | Security group                           | Network ACL
------------|------------------------------------------|----------------------------------------
Level       | Instance (ENI)                           | Subnet
State       | Stateful — return traffic auto-allowed   | Stateless — must allow both directions
Rules       | Allow rules only                         | Allow AND deny rules
Evaluation  | All rules evaluated                      | Rules evaluated in number order

Exam tip

This comparison is a guaranteed question. Remember: SG = Stateful, instance-level, allow-only. NACL = Stateless, subnet-level, allow+deny.
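To make the table concrete, here is a small model (added here, not AWS code or API) of how the two filters decide on an HTTPS request and its reply. The client address, ports and rule numbers are constructed; it shows why a stateless NACL needs an outbound ephemeral-port rule that a stateful security group does not, and why a lower-numbered deny wins.

```python
import ipaddress
from collections import namedtuple

# number: NACL evaluation order (ignored by security groups); action: "allow" or "deny";
# ports: destination ports covered; cidr: remote address range covered.
Rule = namedtuple("Rule", "number action proto ports cidr")
# remote_* is the far end of the flow (the client); local_port is the instance's ENI port.
Packet = namedtuple("Packet", "proto remote_ip remote_port local_port")
ANY = "0.0.0.0/0"

def matches(rule, pkt, direction):
    # Inbound rules are checked against the instance port, outbound rules against the remote port.
    dst_port = pkt.local_port if direction == "in" else pkt.remote_port
    return (rule.proto in ("all", pkt.proto) and dst_port in rule.ports
            and ipaddress.ip_address(pkt.remote_ip) in ipaddress.ip_network(rule.cidr))

class SecurityGroup:
    """Stateful, allow rules only, every rule evaluated."""
    def __init__(self, inbound, outbound):
        assert all(r.action == "allow" for r in inbound + outbound), "no deny rules in an SG"
        self.rules, self.tracked = {"in": inbound, "out": outbound}, set()
    def allows(self, pkt, direction):
        if pkt in self.tracked:               # connection tracking: return traffic passes automatically
            return True
        if any(matches(r, pkt, direction) for r in self.rules[direction]):
            self.tracked.add(pkt)
            return True
        return False

class NetworkAcl:
    """Stateless, allow and deny rules, first match in number order wins, implicit final deny."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r.number),
                      "out": sorted(outbound, key=lambda r: r.number)}
    def allows(self, pkt, direction):
        for r in self.rules[direction]:
            if matches(r, pkt, direction):
                return r.action == "allow"
        return False                          # the trailing "*" deny rule

def https_round_trip(filt):
    """Constructed flow: client 203.0.113.10:51515 -> instance :443, then the instance's reply."""
    pkt = Packet("tcp", "203.0.113.10", 51515, 443)
    return filt.allows(pkt, "in") and filt.allows(pkt, "out")

HTTPS_IN = Rule(100, "allow", "tcp", range(443, 444), ANY)
EPHEMERAL_OUT = Rule(100, "allow", "tcp", range(1024, 65536), ANY)
sg = SecurityGroup([HTTPS_IN], [])                       # no outbound rule needed for the reply
nacl_missing_return = NetworkAcl([HTTPS_IN], [])         # stateless: the reply hits the implicit deny
nacl_correct = NetworkAcl([HTTPS_IN], [EPHEMERAL_OUT])
nacl_blocklist = NetworkAcl([Rule(90, "deny", "tcp", range(443, 444), "203.0.113.0/24"), HTTPS_IN],
                            [EPHEMERAL_OUT])            # rule 90 beats 100: number order matters
```

Running `https_round_trip` on each filter gives True for `sg` and `nacl_correct`, and False for the NACL without the ephemeral outbound rule and for the one whose rule 90 denies the client's /24.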

Global networking services

Amazon Route 53

Managed DNS: translates names to IPs, registers domains, health-checks endpoints, and routes users by latency, geography, or weights.

Amazon CloudFront

CDN caching content at edge locations worldwide for low-latency delivery and DDoS resilience.

AWS Global Accelerator

Static anycast IPs that route users onto AWS's private backbone for faster, steadier global app performance (no caching).

AWS Direct Connect

Dedicated private fiber link from your data center to AWS.

AWS Site-to-Site VPN & Client VPN

Encrypted tunnels over the internet: site-to-site links networks; Client VPN connects individual users.

Amazon API Gateway

Create, publish, secure, and throttle APIs at any scale — the front door for serverless backends.

Knowledge check
Question 1 of 4

Which service provides a logically isolated section of AWS where you launch resources in a virtual network you define?