Chapter 13 of 20
Network Services on AWS: Connecting and Securing Your Cloud
Trace how data actually flows in and out of AWS by examining the fundamental network services that connect users, applications, and on‑premises environments.
Big Picture: How Data Flows In and Out of AWS
Why Networking Matters
Network services are the roads and intersections that let your compute and storage talk to users and other systems. For Cloud Practitioner, you need the big building blocks, not low-level router configs.
4 Key Networking Questions
AWS networking answers: 1) Where are my resources located? 2) How do users reach them? 3) How do I control and secure traffic? 4) How do I improve performance and reliability globally?
Physical vs Logical Location
Physically, resources live in Regions and Availability Zones. Logically, you place them in Virtual Private Clouds (VPCs) and subnets that you design and control.
Shared Responsibility Reminder
Under the AWS shared responsibility model, AWS secures the global network, but you are responsible for VPC design, routing rules, and access controls like security groups.
Regions, Availability Zones, and the Global Network
What Is a Region?
An AWS Region is a physical location in the world where AWS clusters data centers. You pick Regions based on latency, data residency, available services, and cost.
What Is an Availability Zone?
An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region. Regions have multiple AZs.
Design Implications
You place subnets in a single AZ and spread resources across AZs for high availability. Subnets never span AZs, and data does not move between Regions unless you configure it.
Global Network Backbone
AWS connects Regions and edge locations with a private global backbone, engineered for low latency and redundancy, underpinning services like CloudFront and Route 53.
Inside a VPC: Your Private Virtual Network
What Is a VPC?
A Virtual Private Cloud (VPC) is your isolated virtual network in AWS. You control IP ranges, subnets, routing, and security, similar to a private data center network.
CIDR and IP Ranges
You assign a CIDR block like 10.0.0.0/16 to the VPC, then carve it into subnets. For hybrid setups, pick ranges that do not overlap with your on-premises network.
Public vs Private Subnets
A public subnet has a route to an Internet Gateway. A private subnet does not; if instances need outbound internet, they use a NAT gateway or similar.
Route Tables and Isolation
Subnets use route tables to decide where traffic goes. VPCs are isolated; they only talk to other VPCs if you configure VPC peering or Transit Gateway.
Walkthrough: A Simple Three-Tier VPC Design
Scenario Overview
You host a three-tier student web app: web front end, app layer, and database. You want low latency, high availability, and limited internet exposure.
Region, VPC, Subnets
In eu-west-1 you create VPC 10.0.0.0/16 and split it: public subnets for load balancers, private app subnets for EC2, and private DB subnets for RDS, spread across two AZs.
Internet Gateway and Routes
Attach an Internet Gateway and add 0.0.0.0/0 routes from public subnets to the IGW. Now only public subnet resources can have direct internet access.
NAT Gateways and Isolation
Place NAT gateways in public subnets. Private app subnets route outbound internet via NAT, while DB subnets stay isolated. Users see only the public load balancer.
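As an added worked example (not part of the chapter), here is a Python sketch of the subnet carving and per-tier route tables just described, including a longest-prefix lookup to show why only the public tier can reach the IGW and the DB tier has no internet route at all. The on-premises range 192.168.0.0/16, the gateway names and the AZ names are assumed values.

```python
import ipaddress

VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")
ON_PREM_CIDR = ipaddress.ip_network("192.168.0.0/16")  # assumed on-prem range (constructed)
AZS = ["eu-west-1a", "eu-west-1b"]                      # assumed AZ names
TIERS = ["public", "app", "db"]


def carve_subnets(vpc=VPC_CIDR, azs=AZS, tiers=TIERS, prefix=24):
    """Split the VPC block into one /24 per tier per AZ (tier-major order)."""
    blocks = vpc.subnets(new_prefix=prefix)
    return {(tier, az): next(blocks) for tier in tiers for az in azs}


def check_no_overlap(vpc=VPC_CIDR, on_prem=ON_PREM_CIDR):
    """Hybrid rule from the chapter: VPC and on-prem ranges must not overlap."""
    return not vpc.overlaps(on_prem)


def build_route_tables(vpc=VPC_CIDR, azs=AZS):
    """One route table per (tier, AZ). Every table carries the local route for the
    VPC itself; public adds a default route to the IGW, app adds a default route
    to the NAT gateway in its own AZ, and db gets no default route at all."""
    default = ipaddress.ip_network("0.0.0.0/0")
    tables = {}
    for az in azs:
        tables[("public", az)] = [(vpc, "local"), (default, "igw-main")]   # assumed IGW id
        tables[("app", az)] = [(vpc, "local"), (default, f"nat-{az}")]     # assumed NAT ids
        tables[("db", az)] = [(vpc, "local")]
    return tables


def next_hop(table, dest_ip):
    """Longest-prefix match, as a VPC route table selects a route.
    Returns the target name, or None when no route exists (traffic is dropped)."""
    dest = ipaddress.ip_address(dest_ip)
    matches = [(net, target) for net, target in table if dest in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]
```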
Controlling Traffic: Security Groups, NACLs, and Route Tables
Three Layers of Control
Route tables choose where traffic goes. Security groups protect individual resources. Network ACLs protect entire subnets. Each has a distinct role.
Security Groups
Security groups are stateful firewalls on network interfaces. If inbound is allowed, the response is allowed. You filter by protocol, port, and source (CIDR or SG).
Network ACLs
NACLs are stateless, subnet-level rules. You must allow both directions explicitly. Rules are numbered and evaluated in order, with an implicit deny at the end.
Exam Traps
Do not confuse SGs (stateful, instance-level) with NACLs (stateless, subnet-level). Route tables do routing only; they do not enforce port-based security.
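An added example (not from the chapter) that models the evaluation rules just described in Python: numbered NACL rules evaluated in order with an implicit deny, a stateful security group, and what happens to the response of an allowed request when the outbound NACL only mirrors the inbound rule. The rule sets and client addresses are constructed; the return-port range 1024-65535 is the ephemeral range clients typically use.

```python
import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    number: int      # NACL evaluation order; unused for security groups
    action: str      # "allow" or "deny" (security groups only have allow rules)
    protocol: str
    port_from: int
    port_to: int
    cidr: str

    def matches(self, proto, port, ip):
        return (self.protocol == proto and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


def nacl_decision(rules, proto, port, ip):
    """Stateless: the lowest-numbered matching rule wins; no match is an implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, port, ip):
            return rule.action
    return "deny"


def security_group_decision(rules, proto, port, ip):
    """Allow-list: any matching rule permits the packet, otherwise it is dropped."""
    return "allow" if any(r.matches(proto, port, ip) for r in rules) else "deny"


def flow_allowed(sg_in, nacl_in, nacl_out, client_ip, client_port, server_port=443, proto="tcp"):
    """Trace one request/response pair from a client into a subnet and back.
    Returns (request_allowed, response_allowed)."""
    request = (nacl_decision(nacl_in, proto, server_port, client_ip) == "allow"
               and security_group_decision(sg_in, proto, server_port, client_ip) == "allow")
    if not request:
        return False, False
    # Security group is stateful: the response to an allowed request is allowed, nothing to check.
    # NACL is stateless: the response (to the client's ephemeral port) needs its own outbound rule.
    response = nacl_decision(nacl_out, proto, client_port, client_ip) == "allow"
    return True, response


# Constructed rule sets for a web server; 203.0.113.0/24 is a documentation range.
SG_WEB = [Rule(0, "allow", "tcp", 443, 443, ANY)]
NACL_IN = [Rule(90, "deny", "tcp", 443, 443, "203.0.113.0/24"), Rule(100, "allow", "tcp", 443, 443, ANY)]
NACL_OUT_MIRRORED = [Rule(100, "allow", "tcp", 443, 443, ANY)]       # copies inbound: responses dropped
NACL_OUT_FIXED = [Rule(100, "allow", "tcp", 1024, 65535, ANY)]       # allows ephemeral return ports
```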
Reaching the Internet: IGWs, NAT, and Load Balancing
Internet Gateways
An Internet Gateway lets your VPC talk to the internet. Public subnets send 0.0.0.0/0 traffic to the IGW, making resources reachable if security allows.
Elastic IPs and NAT
Elastic IPs are static public IPv4 addresses. NAT gateways with EIPs give private instances outbound internet access without making them directly reachable.
Load Balancers
Elastic Load Balancing spreads traffic across targets in multiple AZs. ALB works at HTTP/HTTPS (Layer 7); NLB works at TCP/UDP (Layer 4) for extreme performance.
Secure Internet Design
Expose only load balancers or carefully chosen public instances. Keep app and DB tiers in private subnets and use NAT for their outbound-only needs.
Hybrid Connectivity: VPN, Direct Connect, Transit Gateway, and VPC Peering
Why Hybrid Connectivity?
Many companies run both on-prem and AWS. They need secure, reliable links between data centers and VPCs, and between multiple VPCs themselves.
Site-to-Site VPN vs Direct Connect
VPN uses encrypted tunnels over the internet: quick and cheap but variable performance. Direct Connect is a private dedicated link: more consistent and lower latency.
Transit Gateway
AWS Transit Gateway acts as a central hub to connect many VPCs and on-prem networks, simplifying large topologies compared with many VPC peering links.
VPC Peering
VPC peering links two VPCs directly using private IPs. It is non-transitive and best for simple, small-scale inter-VPC connectivity needs.
Edge Networking: Route 53, CloudFront, and Global Performance
Route 53 Basics
Amazon Route 53 is AWS’s DNS service. It maps names like app.example.com to IPs or AWS resources and supports routing policies like latency-based and failover.
CloudFront as a CDN
Amazon CloudFront caches content at edge locations near users, reducing latency and offloading your origins like S3 buckets or load balancers.
Global Accelerator Snapshot
AWS Global Accelerator offers static anycast IPs and routes TCP/UDP traffic over the AWS backbone to the nearest healthy endpoint for better performance.
Global Design Pattern
A common pattern: Route 53 → CloudFront → ALB → EC2/RDS in your VPC. Route 53 handles naming, CloudFront handles caching, ALB spreads traffic across AZs.
Thought Exercise: Tracing a User Request
Mentally walk through the path of a single HTTPS request from a student’s laptop to your AWS-hosted app. This will reinforce how the pieces fit together.
Scenario: Your app uses the three-tier design from earlier, with global edge services.
- A user types `https://app.myskills.com` in their browser.
- DNS resolution happens via Route 53, which returns the address of a CloudFront distribution.
- The user’s request goes to the nearest CloudFront edge location. If the content is cached and still valid, CloudFront returns it directly.
- If not cached, CloudFront forwards the request to an Application Load Balancer (ALB) in your public subnets.
- The ALB forwards the request to an EC2 instance in a private app subnet (in one AZ).
- The app server reads/writes data to Amazon RDS in private DB subnets.
- The response travels back through the same path: app server → ALB → CloudFront → user.
Now, pause and answer for yourself:
- At which points is traffic public internet vs AWS private network?
- Which components provide high availability?
- Which components provide security controls?
Suggested answers (compare with your thinking):
- Public internet: user to CloudFront edge. CloudFront to the ALB origin may traverse public or private paths depending on configuration, but it terminates on AWS infrastructure either way. Inside the VPC (ALB → EC2 → RDS), traffic stays on private IPs.
- High availability: multi-AZ ALB, EC2 Auto Scaling across AZs, RDS Multi-AZ, CloudFront and Route 53 globally distributed.
- Security: TLS termination (CloudFront/ALB), security groups on ALB/EC2/RDS, NACLs on subnets, IAM for app-to-database access, WAF at CloudFront/ALB if configured.
Quick Check: VPC and Subnet Basics
Test your understanding of core VPC concepts.
Which statement best describes a public subnet in an Amazon VPC?
- A) A subnet that can communicate with any other subnet in the same VPC
- B) A subnet associated with a route table that has a route to an Internet Gateway
- C) A subnet that allows all inbound traffic from the internet by default
- D) A subnet that spans multiple Availability Zones for high availability
Answer: B) A subnet associated with a route table that has a route to an Internet Gateway
A public subnet is defined by routing: its route table has a route to an Internet Gateway. It does not automatically allow all inbound traffic; security groups and NACLs still control access. Subnets never span multiple AZs.
Quick Check: Hybrid Connectivity and Security Controls
Reinforce hybrid and security concepts.
Your company needs a fast, consistent, private connection from its data center to AWS for a latency-sensitive application. Which option is the BEST fit?
- A) Site-to-Site VPN over the internet
- B) AWS Direct Connect
- C) VPC Peering
- D) AWS CloudFront
Answer: B) AWS Direct Connect
AWS Direct Connect provides a dedicated, private network connection with more consistent bandwidth and lower latency than an internet-based VPN. VPC peering connects VPCs, and CloudFront is a CDN, not a data center link.
Key Term Review: AWS Networking
Flip through these cards to reinforce core terms before moving on.
- AWS Region: A physical location in the world where AWS clusters data centers.
- Availability Zone (AZ): One or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
- Virtual Private Cloud (VPC): A logically isolated virtual network in AWS where you control IP ranges, subnets, routing, and security, similar to a private data center network.
- Public subnet: A subnet whose route table has a route to an Internet Gateway, allowing resources to have direct internet connectivity (subject to security controls).
- Private subnet: A subnet with no direct route to an Internet Gateway; resources typically use NAT for outbound-only internet access and are not directly reachable from the internet.
- Security group: A stateful virtual firewall for network interfaces that controls inbound and outbound traffic based on rules for protocol, port, and source/destination.
- Network ACL (NACL): A stateless, subnet-level firewall that uses ordered allow/deny rules to control inbound and outbound traffic.
- Internet Gateway (IGW): A horizontally scaled, redundant component that allows communication between resources in a VPC and the internet.
- AWS Direct Connect: A dedicated, private network connection between your data center and AWS, offering more consistent performance than internet-based VPN.
- AWS Transit Gateway: A central hub service that simplifies connecting multiple VPCs and on-premises networks, reducing complex peering meshes.
- Amazon Route 53: AWS’s scalable DNS service that translates domain names into IP addresses or AWS resource aliases and supports advanced routing policies.
- Amazon CloudFront: AWS’s Content Delivery Network (CDN) that caches and serves content from edge locations close to users to reduce latency.
Key Terms
- Subnet: A segment of a VPC’s IP address range that resides in a single Availability Zone and groups resources with similar routing and security needs.
- AWS Region: A physical location in the world where AWS clusters data centers.
- NAT gateway: A managed network address translation service that allows instances in a private subnet to connect to the internet for outbound traffic only.
- Route table: A set of rules in a VPC that determines where network traffic from subnets is directed (for example, to an Internet Gateway, NAT, VPN, or Transit Gateway).
- VPC peering: A private networking connection between two VPCs that enables traffic using private IP addresses and is non-transitive.
- Security group: A stateful virtual firewall for network interfaces that controls inbound and outbound traffic using rules based on protocol, port, and source/destination.
- Amazon Route 53: A highly available and scalable DNS service that routes end users to internet applications by translating names to IP addresses or AWS resources.
- Amazon CloudFront: A Content Delivery Network (CDN) service that securely delivers data, videos, applications, and APIs to users globally with low latency.
- Availability Zone: One or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
- AWS Direct Connect: A dedicated, private network connection from your premises to AWS for consistent bandwidth and lower latency than public internet connections.
- Network ACL (NACL): A stateless, subnet-level firewall that uses ordered allow and deny rules to control inbound and outbound traffic.
- AWS Transit Gateway: A central hub that simplifies connecting multiple VPCs and on-premises networks using a hub-and-spoke model.
- AWS Global Accelerator: A service that improves the availability and performance of applications with static anycast IP addresses and routing over the AWS global network.
- Internet Gateway (IGW): A component that allows communication between resources in a VPC and the internet, used by public subnets.
- Virtual Private Cloud (VPC): A logically isolated virtual network in AWS where you control IP ranges, subnets, routing, and security.
- Elastic Load Balancing (ELB): A service that automatically distributes incoming application traffic across multiple targets (such as EC2 instances) in one or more Availability Zones.
- AWS Well-Architected Framework: Describes the key concepts, design principles, and architectural best practices for designing and running workloads in the cloud.
- AWS shared responsibility model: Security and compliance are shared responsibilities between AWS and the customer.