Chapter 7 of 9
Networking and Content Delivery: VPC Design, Connectivity, and Latency
Many of the trickiest exam questions live inside the VPC: overlapping CIDR blocks, hybrid connectivity, and cross‑account access. This module unpacks VPC design, VPN/Direct Connect, and CloudFront so network diagrams become opportunities, not traps.
Step 1: Big Picture – VPCs and Latency in AWS
VPC and Latency: The Big Picture
A VPC is your logically isolated section of the AWS network where you place resources like EC2, RDS, and Lambda functions attached to a VPC. Most networking questions combine VPC internals, hybrid connectivity, and edge services.
Three Layers to Remember
1) Inside the VPC: subnets, route tables, gateways, endpoints. 2) Hybrid connectivity: VPN, Direct Connect, Transit Gateway. 3) Edge and acceleration: CloudFront and Global Accelerator.
What Exams Test
Diagrams test whether you can distinguish public vs private subnets, pick VPN vs Direct Connect vs Transit Gateway, and decide when to use CloudFront or Global Accelerator for latency and availability.
Step 2: Core VPC Building Blocks
CIDR and Subnets
Start with a VPC CIDR like 10.0.0.0/16 (VPC and subnet blocks must be between /16 and /28). Avoid overlap with on‑prem and other VPCs, because overlapping ranges cannot be peered or routed unambiguously later. Subnets are smaller ranges that each live in a single AZ; AWS reserves five addresses in every subnet. Plan separate public and private subnets.
Public vs Private Subnets
Public subnets have a 0.0.0.0/0 route to an Internet Gateway and typically host ALBs or bastion hosts; an instance still needs a public or Elastic IP to actually use that route. Private subnets have no IGW route and host app servers, DBs, and internal services.
Gateways and NAT
An Internet Gateway performs 1:1 NAT between an instance's private address and its public or Elastic IP, so only resources with a public IP can use it. NAT Gateways sit in public subnets and let private subnets initiate outbound connections for updates while remaining unreachable from the internet. A NAT Gateway is tied to one AZ, so deploy one per AZ to avoid cross‑AZ dependencies and data charges.
VPC Endpoints
Use gateway endpoints (S3, DynamoDB; implemented as a route to the service's prefix list, with no hourly charge) or interface endpoints (PrivateLink ENIs placed in your subnets) to access AWS services privately, without traversing the public internet or needing a NAT for those services. Attach an endpoint policy to restrict which buckets, tables, or API actions can be reached through the endpoint.
Step 3: Designing a Basic 3‑Tier VPC
Scenario: Simple Web App
You need a 3‑tier web app: users hit a website, web servers talk to app servers, and app servers talk to a DB. You want high availability across 2 AZs and minimal internet exposure.
Subnet Layout
Use VPC 10.0.0.0/16. In each AZ, create a public subnet for ALB and NAT, a private app subnet for EC2, and a private DB subnet for RDS. Example: 10.0.1.0/24 public, 10.0.11.0/24 app, 10.0.21.0/24 DB in AZ A.
Routing Design
Public route table sends 0.0.0.0/0 to IGW. Private app route tables send 0.0.0.0/0 to the NAT Gateway in the same AZ. DB route tables have no internet route, only internal VPC routes.
Private Service Access
Add a gateway VPC endpoint for S3 and interface endpoints for SSM or other services. This lets instances access AWS services without internet and reduces NAT costs and attack surface.
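The subnet layout and routing design of Steps 2 and 3 can be planned and audited with a few lines of Python. The block below is an added example, not code from the original page: it carves the /24 subnets described above out of 10.0.0.0/16, accounts for the five addresses AWS reserves per subnet, builds the per‑tier route tables, and then audits them against the design rules (public tier defaults to the IGW, app tier defaults to the NAT Gateway in its own AZ, DB tier has no internet route, both private tiers reach S3 through the gateway endpoint). The resource IDs such as `igw-main`, `nat-a` and `vpce-s3`, and the `pl-s3` placeholder for the S3 managed prefix list, are assumptions for illustration.

```python
"""Plan and audit the 2-AZ, 3-tier VPC from Step 3 (added example)."""
import ipaddress

AWS_RESERVED_PER_SUBNET = 5   # first four addresses and the last one in every subnet
VPC_CIDR = "10.0.0.0/16"
AZS = ("a", "b")
TIERS = ("public", "app", "db")


def plan_subnets(vpc_cidr=VPC_CIDR, azs=AZS, tiers=TIERS, prefix=24):
    """Carve /24 subnets from the VPC: tier t in AZ i gets block t*10 + i + 1,
    which reproduces 10.0.1.0/24 public, 10.0.11.0/24 app, 10.0.21.0/24 db for AZ a."""
    blocks = list(ipaddress.ip_network(vpc_cidr).subnets(new_prefix=prefix))
    return {(tier, az): blocks[t * 10 + i + 1]
            for t, tier in enumerate(tiers) for i, az in enumerate(azs)}


def usable_hosts(subnet):
    """Addresses you can actually assign once AWS takes its five per subnet."""
    return subnet.num_addresses - AWS_RESERVED_PER_SUBNET


def build_route_tables(azs=AZS, vpc_cidr=VPC_CIDR):
    """One route table per (tier, AZ) as (destination, target) pairs.
    Targets are illustrative IDs (assumption); 'pl-s3' stands for the S3 prefix list."""
    rts = {}
    for az in azs:
        rts[("public", az)] = [(vpc_cidr, "local"), ("0.0.0.0/0", "igw-main")]
        rts[("app", az)] = [(vpc_cidr, "local"), ("0.0.0.0/0", f"nat-{az}"), ("pl-s3", "vpce-s3")]
        rts[("db", az)] = [(vpc_cidr, "local"), ("pl-s3", "vpce-s3")]
    return rts


def audit(rts):
    """Return a list of findings; an empty list means the tables match the design."""
    findings = []
    for (tier, az), routes in rts.items():
        default = {t for d, t in routes if d == "0.0.0.0/0"}
        s3_private = any(d == "pl-s3" and t.startswith("vpce-") for d, t in routes)
        name = f"{tier}-{az}"
        if tier == "public":
            if not any(t.startswith("igw-") for t in default):
                findings.append(f"{name}: public subnet lacks a default route to an IGW")
        elif tier == "app":
            if default != {f"nat-{az}"}:
                findings.append(f"{name}: default route must go to the NAT Gateway in AZ {az}, got {sorted(default)}")
            if not s3_private:
                findings.append(f"{name}: S3 traffic would traverse NAT; add the gateway endpoint route")
        elif tier == "db":
            if default:
                findings.append(f"{name}: DB tier must have no internet route, found {sorted(default)}")
            if not s3_private:
                findings.append(f"{name}: missing S3 gateway endpoint route")
    return findings


if __name__ == "__main__":
    plan = plan_subnets()
    for (tier, az), net in sorted(plan.items()):
        print(f"{tier:6s} AZ {az}: {net}  ({usable_hosts(net)} usable)")
    print("findings for the intended design:", audit(build_route_tables()))
    bad = build_route_tables()
    bad[("db", "a")].append(("0.0.0.0/0", "igw-main"))       # a DB subnet quietly made public
    bad[("app", "b")] = [(VPC_CIDR, "local"), ("0.0.0.0/0", "nat-a")]  # cross-AZ NAT, no S3 endpoint
    for finding in audit(bad):
        print("FINDING:", finding)
```

The same audit pattern applies to real route tables exported with the CLI or pulled through an SDK: the point is that "private" is a property of the route table, not of the subnet name, so it should be checked, not assumed.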
Step 4: Thought Exercise – Overlapping CIDR and Peering
You have two existing VPCs:
- VPC‑A: `10.0.0.0/16` (production).
- VPC‑B: `10.0.0.0/16` (dev, which accidentally uses the same range).
Your on‑prem network is `192.168.0.0/16`. You now need:
- VPC‑A to connect to on‑prem via VPN.
- VPC‑B to connect to VPC‑A using VPC peering.
Questions (think before peeking at hints):
- Why is VPC peering between VPC‑A and VPC‑B a problem?
- If you try to route `10.0.0.0/16` over the VPN to on‑prem from both VPCs, what breaks?
- What are realistic remediation options?
Hints to guide your thinking (do not look until you have an answer):
- Hint 1: How do routers decide where to send a packet when two destinations have the same prefix?
- Hint 2: What does AWS require about overlapping CIDR blocks for VPC peering?
- Hint 3: Consider creating a new VPC with a non‑overlapping CIDR and migrating, using NAT/proxy patterns instead of direct routing, or exposing only the specific services VPC‑B needs through PrivateLink, which does not require non‑overlapping address space.
Take 2–3 minutes and sketch a diagram with CIDRs and routes. Mark which IP ranges overlap and where ambiguity occurs.
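The three hints can be checked mechanically with Python's `ipaddress` module. The block below is an added example, not part of the original exercise: `can_peer` mirrors the peering precondition from Hint 2, `ambiguous_prefixes` shows why the on‑prem router from Hint 1 cannot resolve two identical `10.0.0.0/16` advertisements, and `find_free_cidr` picks a replacement range for a rebuilt VPC‑B as in Hint 3. The tunnel names and the `10.0.0.0/8` pool are assumptions; in a real environment the pool would come from your IPAM allocation.

```python
"""Work the Step 4 exercise with the ipaddress module (added example, not from the page)."""
import ipaddress
from collections import defaultdict

# Constructed to match the exercise: the two VPCs and the on-prem range.
VPCS = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.0.0.0/16"}
ON_PREM = "192.168.0.0/16"


def can_peer(cidr_a, cidr_b):
    """Hint 2: AWS refuses a peering connection between VPCs whose CIDRs overlap,
    because a route table cannot hold both 'local' and a peer route for one prefix."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def ambiguous_prefixes(learned_routes):
    """Hint 1: routes the on-prem router learns as (prefix, next_hop). Longest-prefix
    match picks the most specific prefix, but identical prefixes with different next
    hops cannot be disambiguated; return those prefixes with their competing hops."""
    hops = defaultdict(set)
    for prefix, hop in learned_routes:
        hops[ipaddress.ip_network(prefix)].add(hop)
    return {str(p): sorted(h) for p, h in hops.items() if len(h) > 1}


def find_free_cidr(in_use, prefix=16, pool="10.0.0.0/8"):
    """Hint 3: first /16 in the pool that overlaps nothing already allocated, usable
    for a rebuilt VPC-B. The pool is an assumption; use your real IPAM ranges."""
    used = [ipaddress.ip_network(c) for c in in_use]
    for cand in ipaddress.ip_network(pool).subnets(new_prefix=prefix):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None


if __name__ == "__main__":
    print("peer vpc-a/vpc-b:", can_peer(VPCS["vpc-a"], VPCS["vpc-b"]))
    learned = [("10.0.0.0/16", "tunnel-to-vpc-a"), ("10.0.0.0/16", "tunnel-to-vpc-b"),
               ("192.168.0.0/16", "local")]
    print("ambiguous on-prem routes:", ambiguous_prefixes(learned))
    new_b = find_free_cidr(list(VPCS.values()) + [ON_PREM])
    print("rebuild vpc-b as", new_b, "- peerable with vpc-a:", can_peer(VPCS["vpc-a"], new_b))
```

Run it and compare with your sketch: the peering attempt fails, the on‑prem router sees one prefix with two next hops, and the first non‑overlapping /16 in the pool is 10.1.0.0/16.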
Step 5: Hybrid Connectivity – VPN, Direct Connect, Transit Gateway
Site‑to‑Site VPN
VPN uses encrypted IPsec tunnels over the public internet; each Site‑to‑Site VPN connection provides two tunnels for redundancy. It is quick to set up and cheap but has internet‑style latency and jitter and limited per‑tunnel bandwidth. Common as a starter solution or as a backup to Direct Connect.
AWS Direct Connect
Direct Connect is a dedicated or hosted physical link from your data center to AWS through a Direct Connect location. It offers predictable, lower latency and higher throughput than VPN, but traffic is not encrypted by default; when a question asks for private and encrypted, run an IPsec VPN over the Direct Connect link or use MACsec where the dedicated connection supports it.
Transit Gateway as a Hub
Transit Gateway is a regional hub that connects many VPCs and on‑prem networks in a hub‑and‑spoke model. It simplifies routing compared to full‑mesh VPC peering and accepts attachments from VPCs, Site‑to‑Site VPN, Direct Connect gateways, and peered Transit Gateways in other Regions.
Choosing Among Them
Use VPN or DX with a VGW for simple, single‑VPC setups. Use Transit Gateway when you have many VPCs or accounts. Use Direct Connect when you need high bandwidth and stable latency, often with VPN backup.
Step 6: Example – Multi‑VPC, Multi‑Account with Transit Gateway
Scenario: Many VPCs and On‑Prem
You have Shared Services, Prod, and Dev/Test VPCs in multiple accounts, plus an on‑prem data center. You need centralized, secure connectivity without a mesh of peerings.
Transit Gateway Design
Create a Transit Gateway, attach each VPC, and attach on‑prem via VPN or Direct Connect. Use TGW route tables to control which VPCs can talk to each other and to on‑prem.
Routing Changes
In each VPC subnet route table, send on‑prem CIDRs to the TGW attachment. In TGW route tables, add routes for each VPC CIDR and the on‑prem CIDR, applying segmentation where needed.
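The segmentation described in this step is just route table association plus selective propagation, which is easy to model and test before touching the console. The block below is an added example, not AWS code: it declares which TGW route table each attachment is associated with, which attachments propagate into each table, resolves forwarding decisions by longest‑prefix match, and checks reachability in both directions so that a one‑way route is reported as blocked. Attachment IDs, CIDRs, route table names and the `tgw-main` ID are assumptions; Dev is deliberately denied routes to Prod and to on‑prem.

```python
"""Model the Transit Gateway segmentation from Step 6 (added example, not AWS's own code)."""
import ipaddress

# Constructed topology. Attachment IDs, CIDRs and route table names are assumptions.
ATTACHMENTS = {               # attachment -> CIDR reachable through it
    "tgw-attach-shared": "10.10.0.0/16",
    "tgw-attach-prod":   "10.20.0.0/16",
    "tgw-attach-dev":    "10.30.0.0/16",
    "tgw-attach-vpn":    "192.168.0.0/16",   # on-prem via Site-to-Site VPN
}
ASSOCIATIONS = {              # attachment -> TGW route table consulted for traffic *from* it
    "tgw-attach-shared": "rt-shared",
    "tgw-attach-prod":   "rt-prod",
    "tgw-attach-dev":    "rt-dev",
    "tgw-attach-vpn":    "rt-onprem",
}
PROPAGATIONS = {              # TGW route table -> attachments whose CIDRs it learns
    "rt-prod":   ["tgw-attach-shared", "tgw-attach-vpn"],
    "rt-dev":    ["tgw-attach-shared"],                        # dev sees neither prod nor on-prem
    "rt-shared": ["tgw-attach-prod", "tgw-attach-dev", "tgw-attach-vpn"],
    "rt-onprem": ["tgw-attach-prod", "tgw-attach-shared"],
}


def build_tgw_route_tables():
    """Expand propagations into (network, next-hop attachment) routes per TGW table."""
    return {rt: [(ipaddress.ip_network(ATTACHMENTS[a]), a) for a in sources]
            for rt, sources in PROPAGATIONS.items()}


def tgw_lookup(tables, src_attachment, dst_ip):
    """Forwarding decision: consult the table associated with the source attachment and
    take the longest matching prefix. None means the TGW has no route and drops the packet."""
    ip = ipaddress.ip_address(dst_ip)
    table = tables[ASSOCIATIONS[src_attachment]]
    matches = [(net.prefixlen, att) for net, att in table if ip in net]
    return max(matches)[1] if matches else None


def can_talk(tables, src_attachment, dst_attachment):
    """True only if traffic resolves in both directions; a one-way route is still a broken flow."""
    src_ip = next(ipaddress.ip_network(ATTACHMENTS[src_attachment]).hosts())
    dst_ip = next(ipaddress.ip_network(ATTACHMENTS[dst_attachment]).hosts())
    return (tgw_lookup(tables, src_attachment, dst_ip) == dst_attachment
            and tgw_lookup(tables, dst_attachment, src_ip) == src_attachment)


def subnet_routes_for(attachment, tgw_id="tgw-main"):
    """Routes a VPC's own subnet route tables need so remote CIDRs are handed to the TGW:
    exactly the prefixes that the attachment's associated TGW table can reach."""
    return sorted((ATTACHMENTS[a], tgw_id) for a in PROPAGATIONS[ASSOCIATIONS[attachment]])


if __name__ == "__main__":
    tables = build_tgw_route_tables()
    for src, dst in [("tgw-attach-dev", "tgw-attach-prod"), ("tgw-attach-dev", "tgw-attach-shared"),
                     ("tgw-attach-prod", "tgw-attach-vpn"), ("tgw-attach-dev", "tgw-attach-vpn")]:
        print(f"{src:18s} -> {dst:18s}: {'allowed' if can_talk(tables, src, dst) else 'blocked'}")
    print("dev VPC subnet routes:", subnet_routes_for("tgw-attach-dev"))
```

Note that the TGW only decides which attachment receives the packet; security groups and NACLs inside each VPC still apply, so TGW route tables are a coarse segmentation layer, not a replacement for host‑level filtering.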
Why Not Peering?
VPC peering is non‑transitive and becomes unmanageable in large environments. Transit Gateway scales better and centralizes routing and policy control.
Step 7: Content Delivery – CloudFront vs Global Accelerator
CloudFront Basics
CloudFront is AWS's CDN. It caches static HTTP/HTTPS content at edge locations near users and proxies dynamic requests over the AWS backbone, pulling from origins like S3 or ALB. It also terminates TLS at the edge and integrates with AWS WAF; use origin access control so an S3 origin accepts requests only from the distribution.
Global Accelerator Basics
Global Accelerator gives you two static anycast IP addresses and routes user traffic over the AWS backbone to the nearest healthy endpoint (ALB, NLB, EC2 instance, or Elastic IP). It works for TCP and UDP, not only HTTP, and fails over between Regions based on health checks.
When to Use Which
Use CloudFront for caching, content protection, and web acceleration. Use Global Accelerator for low latency and high availability across Regions, especially for non‑HTTP or latency‑sensitive apps.
Combining Services
You can front your app with CloudFront for caching and WAF, while Global Accelerator directs users to the optimal Region or ALB, giving both network and application‑layer acceleration.
Step 8: Quick Check – VPC and Connectivity
Answer this question to check your understanding of VPC internet access and endpoints.
You have a private subnet with EC2 instances that must download patches from S3 and reach the public internet for OS updates. You want to minimize data transfer through NAT and keep S3 traffic on the AWS network. What is the BEST design?
- A) Add an Internet Gateway to the VPC and assign public IPs to the instances.
- B) Create a NAT Gateway in a public subnet and route all 0.0.0.0/0 traffic from the private subnet to the NAT Gateway.
- C) Create a NAT Gateway in a public subnet for general internet traffic and a gateway VPC endpoint for S3, then update the private subnet route table accordingly.
- D) Use VPC peering to connect to another VPC that already has a NAT Gateway and send all traffic there.
Answer: C) Create a NAT Gateway in a public subnet for general internet traffic and a gateway VPC endpoint for S3, then update the private subnet route table accordingly.
Option C is correct: use a NAT Gateway for general outbound internet and a gateway VPC endpoint for S3 so S3 traffic stays on the AWS network and bypasses NAT. Option A exposes the instances to inbound internet traffic. Option B sends S3 traffic through NAT, increasing cost and latency. Option D does not work: VPC peering is non‑transitive, so a VPC cannot reach the internet through a peer's NAT Gateway.
Step 9: Quick Check – CloudFront vs Global Accelerator
Test your understanding of when to use CloudFront versus Global Accelerator.
A gaming company runs latency‑sensitive UDP game servers in two AWS Regions. Players connect from all over the world. The app does NOT use HTTP, and you need static IPs and fast regional failover. Which service is the BEST fit?
- A) Amazon CloudFront in front of the game servers.
- B) AWS Global Accelerator with endpoints in both Regions.
- C) A Site‑to‑Site VPN from each player to AWS.
- D) An Internet Gateway with Elastic IPs in each Region.
Answer: B) AWS Global Accelerator with endpoints in both Regions.
Option B is correct: Global Accelerator is designed for TCP/UDP acceleration, static anycast IPs, and health‑check‑driven multi‑Region failover. Option A does not fit because CloudFront handles HTTP/HTTPS content. Option C is unrealistic for individual players. Option D gives static IPs per Region but no global routing optimization or automatic failover.
Step 10: Flashcards – Key Terms Review
Use these flashcards to quickly review key networking and content delivery concepts.
- Public subnet
- A subnet whose route table has a route to an Internet Gateway. Instances with public IPs in this subnet can receive inbound internet traffic.
- Private subnet
- A subnet with no direct route to an Internet Gateway. Instances typically reach the internet via a NAT Gateway or do not have internet access at all.
- NAT Gateway
- A managed, AZ‑specific service that allows instances in a private subnet to initiate outbound internet connections while blocking unsolicited inbound connections.
- VPC endpoint (gateway)
- A VPC endpoint type that uses route tables to provide private access to S3 or DynamoDB without traversing the public internet.
- VPC endpoint (interface)
- An elastic network interface powered by PrivateLink that provides private access to many AWS services and SaaS services over the AWS network.
- Site‑to‑Site VPN
- An IPsec VPN connection between your on‑premises network and AWS over the public internet. Quick to set up but with internet‑level latency and jitter.
- AWS Direct Connect
- A dedicated network connection from your premises to AWS, providing more consistent latency and higher throughput than VPN. Not encrypted by default.
- AWS Transit Gateway
- A regional hub that connects multiple VPCs and on‑prem networks using a hub‑and‑spoke model, simplifying complex routing topologies.
- Amazon CloudFront
- AWS's content delivery network that caches HTTP/HTTPS content at edge locations to reduce latency and offload origins.
- AWS Global Accelerator
- A networking service that uses the AWS global network and anycast static IPs to improve availability and performance for TCP/UDP applications.
Key Terms
- CIDR block
- Classless Inter‑Domain Routing notation that defines an IP address range, such as 10.0.0.0/16.
- NAT Gateway
- A managed service that enables instances in a private subnet to connect to the internet or other AWS services but prevents the internet from initiating a connection with those instances.
- VPC endpoint
- A private connection from your VPC to supported AWS services and VPC endpoint services, without requiring an Internet Gateway, NAT device, or VPN.
- Amazon CloudFront
- A global content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency.
- AWS Direct Connect
- A dedicated network connection that links your internal network to an AWS Direct Connect location for more consistent network performance.
- AWS Transit Gateway
- A service that connects VPCs and on‑premises networks through a central hub, simplifying network architecture.
- Site‑to‑Site VPN
- An IPsec VPN connection between your on‑premises network and AWS over the public internet.
- AWS Global Accelerator
- A service that improves the availability and performance of your applications with global users by directing traffic over the AWS global network using static anycast IPs.
- Internet Gateway (IGW)
- A horizontally scaled, redundant, and highly available VPC component that allows communication between your VPC and the internet.
- VPC (Virtual Private Cloud)
- A logically isolated virtual network in AWS where you can launch AWS resources in a defined IP space.