Networking: VPC & Beyond
VPCs, subnets, gateways, security layers, Route 53, and CloudFront — the network vocabulary the exam expects.
Your own slice of the cloud: VPC
An Amazon VPC (Virtual Private Cloud) is your logically isolated private network inside AWS. Inside it you create subnets (public ones reachable from the internet, private ones not), attach gateways, and control traffic with security layers.
Core VPC pieces
- Subnet — a segment of the VPC's IP range living in one AZ; public or private.
- Internet Gateway (IGW) — lets resources in public subnets reach/be reached from the internet.
- NAT Gateway — lets *private* subnet resources initiate outbound internet traffic (updates, APIs) while blocking inbound connections.
- Route tables — decide where traffic from each subnet goes.
- VPC Peering — private connection between two VPCs.
- VPC Endpoints — private connections from your VPC to AWS services (like S3) without touching the public internet.
- VPC Flow Logs — capture network traffic metadata for troubleshooting and security analysis.
A VPC is a gated office campus. Public subnets are the lobby and storefront (visitors allowed), private subnets are the back offices and server room. The Internet Gateway is the front door; the NAT Gateway is a mail room that lets staff send packages out but accepts no walk-ins.
Security groups vs network ACLs
| Feature | Security group | Network ACL |
|---|---|---|
| Level | Instance (ENI) | Subnet |
| State | Stateful — return traffic auto-allowed | Stateless — must allow both directions |
| Rules | Allow rules only | Allow AND deny rules |
| Evaluation | All rules evaluated; any matching allow permits | Evaluated in number order, lowest first; the first matching rule decides |
This comparison is a guaranteed question. Remember: SG = Stateful, instance-level, allow-only. NACL = Stateless, subnet-level, allow+deny.
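To make the stateful/stateless and allow-only/allow+deny distinctions concrete, here is an added example (not part of the original notes) that simulates how a security group and a network ACL evaluate one HTTPS exchange. The rule sets, client addresses and the `Rule`, `nacl_permits`, `sg_permits` and `https_request` names are all constructed for illustration; port-range and CIDR matching is simplified to TCP only.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int     # NACL rule number (evaluation order); unused for SGs
    action: str     # "allow" or "deny"; security groups only ever carry "allow"
    port_from: int  # inclusive TCP port range
    port_to: int
    cidr: str       # source (inbound) or destination (outbound) CIDR

def matches(rule, ip, port):
    return (rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr))

def nacl_permits(rules, ip, port):
    """Stateless: the lowest-numbered matching rule decides; no match hits the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, ip, port):
            return rule.action == "allow"
    return False

def sg_permits(rules, ip, port):
    """Stateful, allow-only: every rule is evaluated, any match permits, otherwise deny."""
    return any(matches(r, ip, port) for r in rules)

def https_request(client_ip, client_port, sg_in, nacl_in, nacl_out):
    """Client at client_ip connects to TCP/443; returns (sg_ok, nacl_ok) for the whole exchange."""
    # SG: only the inbound rule is checked; the reply is tracked as return traffic automatically.
    sg_ok = sg_permits(sg_in, client_ip, 443)
    # NACL: the reply back to the client's ephemeral port needs its own outbound allow rule.
    nacl_ok = nacl_permits(nacl_in, client_ip, 443) and nacl_permits(nacl_out, client_ip, client_port)
    return sg_ok, nacl_ok

# Constructed sample rule sets (not a real account's configuration).
SG_IN = [Rule(0, "allow", 443, 443, "0.0.0.0/0")]
NACL_IN = [Rule(100, "deny", 0, 65535, "203.0.113.7/32"),   # block one noisy source before the allow
           Rule(200, "allow", 443, 443, "0.0.0.0/0")]
NACL_OUT_BROKEN = [Rule(100, "allow", 443, 443, "0.0.0.0/0")]          # forgot the ephemeral port range
NACL_OUT_FIXED = NACL_OUT_BROKEN + [Rule(200, "allow", 1024, 65535, "0.0.0.0/0")]

if __name__ == "__main__":
    print(https_request("198.51.100.20", 50000, SG_IN, NACL_IN, NACL_OUT_FIXED))   # (True, True)
    print(https_request("198.51.100.20", 50000, SG_IN, NACL_IN, NACL_OUT_BROKEN))  # (True, False)
    print(https_request("203.0.113.7", 50000, SG_IN, NACL_IN, NACL_OUT_FIXED))     # (True, False)
```

The second call shows the classic stateless pitfall (inbound allowed, reply dropped), and the third shows a deny that only a NACL can express; swapping the NACL rule numbers so the allow comes first would make that deny unreachable.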
Global networking services
- Route 53 — Managed DNS: translates names to IPs, registers domains, health-checks endpoints, and routes users by latency, geography, or weights.
- CloudFront — CDN that caches content at edge locations worldwide for low-latency delivery and DDoS resilience.
- Global Accelerator — Static anycast IPs that route users onto AWS's private backbone for faster, steadier global app performance (no caching).
- Direct Connect — Dedicated private fiber link from your data center to AWS.
- AWS VPN — Encrypted tunnels over the internet: Site-to-Site VPN links networks; Client VPN connects individual users.
- API Gateway — Create, publish, secure, and throttle APIs at any scale — the front door for serverless backends.
Which service provides a logically isolated section of AWS where you launch resources in a virtual network you define?