Overview
This study guide covers the foundational AWS networking concepts required for the AWS Cloud Practitioner certification. Topics include Virtual Private Clouds (VPCs), subnets, routing, security controls, and key AWS networking services. Mastering these concepts will help you understand how AWS resources communicate securely within and outside the cloud.
---
VPC Fundamentals
What is a VPC?
A Virtual Private Cloud (VPC) is a logically isolated section of the AWS cloud where you launch and manage AWS resources within a virtual network you define and control. Think of it as your own private data center within AWS.
Key Concepts
• Default VPC: Automatically created in each AWS region for every new account. Allows immediate resource deployment without manual setup. It has pre-configured subnets, route tables, and an Internet Gateway.
• CIDR Block: Classless Inter-Domain Routing – defines the IP address range for a VPC or subnet using notation like `10.0.0.0/16`. The prefix length (e.g., `/16`) determines the number of available IP addresses.
• Internet Gateway (IGW): A horizontally scaled, redundant VPC component enabling communication between VPC instances and the internet. Must be attached to a VPC and referenced in a route table.
• NAT Gateway: Allows instances in private subnets to initiate outbound internet traffic while blocking unsolicited inbound connections. Deployed in a public subnet and used by private subnet route tables.
• Elastic IP Address: A static, public IPv4 address allocated to your AWS account. Unlike regular public IPs, it persists through instance stops/restarts and can be remapped between instances.
Key Terms
• VPC – Virtual Private Cloud
• CIDR – Classless Inter-Domain Routing
• IGW – Internet Gateway
• NAT – Network Address Translation
• Elastic IP – Static public IPv4 address
Watch Out For
> ⚠️ The NAT Gateway must reside in a public subnet, not a private one. A common mistake is confusing where the NAT Gateway is placed versus where it serves.
>
> ⚠️ An Elastic IP is not free when not associated with a running instance — AWS charges for idle Elastic IPs.
>
> ⚠️ The Internet Gateway alone does not make an instance internet-accessible — you also need a route in the route table and a public IP on the instance.
---
Subnets and Routing
Subnets
Subnets are subdivisions of a VPC's CIDR block, tied to a specific Availability Zone (AZ).
| Feature | Public Subnet | Private Subnet |
|---|---|---|
| Route to Internet Gateway | ✅ Yes | ❌ No |
| Directly reachable from internet | ✅ Yes | ❌ No |
| Typical use case | Web servers, load balancers | Databases, app servers |
• High Availability Rule: Distribute subnets across at least two Availability Zones so that if one AZ fails, resources in another AZ remain operational.
Route Tables
A route table contains rules (routes) that direct network traffic from a subnet or gateway. Every subnet must be associated with a route table.
• A route of `0.0.0.0/0` pointing to an IGW = public subnet behavior
• A route of `0.0.0.0/0` pointing to a NAT Gateway = private subnet with outbound internet access
VPC Connectivity Options
• VPC Peering: A direct, private connection between two VPCs using private IP addresses. Works across different accounts and regions. Important: Non-transitive — if VPC A peers with B and B peers with C, A cannot reach C through B.
• AWS Transit Gateway: A central hub connecting multiple VPCs, accounts, and on-premises networks. Solves the complexity of managing many VPC peering connections by acting as a single transit point.
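As an added illustration (my own code, not from this guide or from AWS), a small Python model of the routing rules in this section: a subnet is public or private according to its `0.0.0.0/0` target, a subnet CIDR must sit inside the VPC block without overlapping its siblings, and a VPC peering connection only carries traffic between its own two VPCs, so it is non-transitive. The route table names, VPC CIDRs and gateway ids are constructed sample values.

```python
import ipaddress

# Constructed layout, not from any real account. VPC A is 10.0.0.0/16 and is
# peered to VPC B (172.16.0.0/16) via pcx-ab; B is peered to C (192.168.0.0/16)
# via pcx-bc. Targets: igw-* Internet Gateway, nat-* NAT Gateway, pcx-* peering.
VPC_A = "10.0.0.0/16"
PEERINGS = {"pcx-ab": ("10.0.0.0/16", "172.16.0.0/16"),
            "pcx-bc": ("172.16.0.0/16", "192.168.0.0/16")}
ROUTE_TABLES = {
    "rtb-public":  [("10.0.0.0/16", "local"), ("0.0.0.0/0", "igw-0abc")],
    "rtb-private": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-0def")],
    "rtb-peered":  [("10.0.0.0/16", "local"), ("172.16.0.0/16", "pcx-ab"),
                    ("192.168.0.0/16", "pcx-ab")],  # hopeful route to C via B
}

def lookup(routes, dst):
    """Longest-prefix match over one route table; None when nothing matches."""
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if ipaddress.ip_address(dst) in net and (
                best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def classify(routes):
    """The guide's rule: the 0.0.0.0/0 target alone decides public vs. private."""
    target = dict(routes).get("0.0.0.0/0") or ""
    if target.startswith("igw-"): return "public"
    if target.startswith("nat-"): return "private (outbound only)"
    return "isolated" if not target else "other"   # no internet route at all

def reaches(src_vpc, routes, dst):
    """Can a host in src_vpc deliver to dst? A peering connection only carries
    traffic between its own two VPCs, so a route into it does not buy transit."""
    target = lookup(routes, dst)
    if target is None:
        return False
    if target.startswith("pcx-"):
        a, b = (ipaddress.ip_network(c) for c in PEERINGS[target])
        s, d = ipaddress.ip_network(src_vpc), ipaddress.ip_address(dst)
        return (s == a and d in b) or (s == b and d in a)
    return True

def subnet_fits(vpc_cidr, subnet_cidr, existing):
    """A subnet must sit inside the VPC block and not overlap its siblings."""
    sub = ipaddress.ip_network(subnet_cidr)
    return sub.subnet_of(ipaddress.ip_network(vpc_cidr)) and not any(
        sub.overlaps(ipaddress.ip_network(e)) for e in existing)
```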
Key Terms
• Subnet – A segment of a VPC's IP address range within one AZ
• Route Table – Rules directing traffic flow within a VPC
• VPC Peering – Private connection between two VPCs
• Transit Gateway – Centralized hub for complex multi-VPC networking
• AZ – Availability Zone
Watch Out For
> ⚠️ VPC Peering is non-transitive. Traffic cannot pass through a peering connection to reach a third VPC — each pair needs its own peering connection.
>
> ⚠️ Subnets are AZ-specific — a single subnet cannot span multiple Availability Zones.
>
> ⚠️ For high availability, always deploy resources across at least two AZs.
---
Security Groups and NACLs
Security Groups
A Security Group acts as a virtual firewall at the instance (resource) level, controlling inbound and outbound traffic.
• Stateful: Return traffic is automatically allowed, regardless of outbound rules
• Default behavior:
- Inbound: All traffic denied
- Outbound: All traffic allowed
• Rules are allow-only — you cannot create explicit deny rules
• Multiple security groups can be attached to one instance
Network Access Control Lists (NACLs)
A NACL is an optional, stateless firewall operating at the subnet level, affecting all resources within that subnet.
• Stateless: Return traffic must be explicitly allowed by a separate outbound rule
• Rules are evaluated in order by rule number (lowest first)
• Supports both allow and deny rules
• Each subnet can have only one NACL; one NACL can apply to multiple subnets
Security Groups vs. NACLs – Quick Comparison
| Feature | Security Group | NACL |
|---|---|---|
| Level | Instance level | Subnet level |
| Statefulness | Stateful | Stateless |
| Rule types | Allow only | Allow and Deny |
| Rule evaluation | All rules evaluated | Rules evaluated in order |
| Default (new) | Deny all inbound, allow all outbound | Default NACL: allow all inbound and outbound (a custom NACL starts by denying all) |
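An added Python model (my own code, not from this guide or from AWS) of the comparison above: the same HTTPS request and its reply run through a security group with connection tracking and then through a stateless NACL, followed by the rule-number ordering case from the watch-outs. The client IP, ports and rule numbers are constructed sample values.

```python
import ipaddress

# Constructed rules, not from any real account. NACL rule: (number, direction,
# protocol, (port_lo, port_hi), cidr, action); port = destination port, as in
# AWS. Security group rule: (direction, protocol, (port_lo, port_hi), cidr).
def _match(rule_proto, ports, cidr, proto, port, peer):
    return (rule_proto in ("all", proto) and ports[0] <= port <= ports[1]
            and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr))

def nacl_evaluate(rules, direction, proto, dst_port, peer):
    """Stateless: lowest-numbered matching rule wins; no match = implicit '*' deny."""
    for _, d, rp, ports, cidr, action in sorted(rules, key=lambda r: r[0]):
        if d == direction and _match(rp, ports, cidr, proto, dst_port, peer):
            return action
    return "deny"

class SecurityGroup:
    """Allow-only rules plus connection tracking (what makes it stateful)."""
    def __init__(self, rules):
        self.rules, self.tracked = rules, set()
    def evaluate(self, direction, proto, local_port, peer, peer_port):
        key = (proto, local_port, peer, peer_port)
        if key in self.tracked:
            return "allow"              # return traffic of an admitted flow
        rule_port = local_port if direction == "in" else peer_port
        for d, rp, ports, cidr in self.rules:
            if d == direction and _match(rp, ports, cidr, proto, rule_port, peer):
                self.tracked.add(key)
                return "allow"
        return "deny"                   # no explicit deny rules exist

CLIENT, EPHEMERAL = "203.0.113.5", 51000
HTTPS_IN = [(100, "in", "tcp", (443, 443), "0.0.0.0/0", "allow")]

def demo_stateful():
    """SG with inbound 443 and no outbound rules at all: the reply still passes."""
    sg = SecurityGroup([("in", "tcp", (443, 443), "0.0.0.0/0")])
    return (sg.evaluate("in", "tcp", 443, CLIENT, EPHEMERAL),
            sg.evaluate("out", "tcp", 443, CLIENT, EPHEMERAL))

def demo_stateless():
    """Same flow through a NACL: the reply to the client's ephemeral port is
    dropped until an outbound rule for ports 1024-65535 is added."""
    eph_out = [(100, "out", "tcp", (1024, 65535), "0.0.0.0/0", "allow")]
    return (nacl_evaluate(HTTPS_IN, "in", "tcp", 443, CLIENT),
            nacl_evaluate(HTTPS_IN, "out", "tcp", EPHEMERAL, CLIENT),
            nacl_evaluate(HTTPS_IN + eph_out, "out", "tcp", EPHEMERAL, CLIENT))

def demo_ordering():
    """Rule 90 (deny the client's /24) beats rule 100 (allow 443 from anywhere)."""
    block = [(90, "in", "all", (0, 65535), "203.0.113.0/24", "deny")]
    return nacl_evaluate(HTTPS_IN + block, "in", "tcp", 443, CLIENT)
```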
Key Terms
• Security Group – Stateful, instance-level firewall
• NACL – Network Access Control List; stateless, subnet-level firewall
• Stateful – Return traffic automatically permitted
• Stateless – Return traffic must be explicitly permitted
Watch Out For
> ⚠️ The stateful vs. stateless distinction is a frequent exam question. Security Groups = stateful. NACLs = stateless.
>
> ⚠️ NACLs evaluate rules in numerical order — a lower-numbered deny rule will block traffic even if a higher-numbered allow rule exists.
>
> ⚠️ Security Groups cannot deny traffic explicitly — only NACLs can block specific IPs or ranges with a deny rule.
>
> ⚠️ NACLs are the first line of defense (subnet level); Security Groups are the second line (instance level).
---
AWS Networking Services
DNS and Traffic Management
• Amazon Route 53: AWS's scalable DNS (Domain Name System) service. Translates domain names to IP addresses and provides routing policies (latency-based, geolocation, failover, weighted).
• AWS Global Accelerator: Routes traffic through AWS's global network backbone to find optimal endpoints, reducing latency and improving availability. Uses static Anycast IP addresses.
Content Delivery
• Amazon CloudFront: A Content Delivery Network (CDN) that caches content at edge locations globally, delivering data with low latency. Works with S3, EC2, load balancers, and custom origins.
Hybrid Connectivity (On-Premises to AWS)
• AWS Direct Connect: A dedicated, private physical connection from an on-premises data center to AWS. Bypasses the public internet for more consistent, reliable, and potentially lower-cost network performance.
• AWS VPN: Creates encrypted tunnels over the public internet.
- Site-to-Site VPN: Connects entire on-premises networks to a VPC
- Client VPN: Connects individual remote users to AWS resources
Direct Connect vs. AWS VPN – Quick Comparison
| Feature | AWS Direct Connect | AWS VPN |
|---|---|---|
| Connection type | Private, dedicated | Encrypted, over public internet |
| Setup time | Weeks (physical) | Minutes |
| Consistency | High | Variable |
| Cost | Higher | Lower |
| Use case | High-bandwidth, consistent needs | Quick setup, lower cost |
Load Balancing
• Elastic Load Balancing (ELB): Distributes incoming traffic across multiple targets (EC2 instances, containers, IPs) to improve availability and fault tolerance. Managed by AWS.
- Application Load Balancer (ALB) – HTTP/HTTPS (Layer 7)
- Network Load Balancer (NLB) – TCP/UDP (Layer 4)
- Gateway Load Balancer (GWLB) – For third-party virtual appliances
Private AWS Service Access
• VPC Endpoint: Enables private connectivity between your VPC and supported AWS services without traversing the public internet; no IGW, NAT Gateway, or VPN is required.
| Endpoint Type | Powered By | Services | How It Works |
|---|---|---|---|
| Interface Endpoint | AWS PrivateLink | Most AWS services | Creates an ENI with a private IP in your subnet |
| Gateway Endpoint | Route Table Entry | S3 and DynamoDB only | Added as a route in your route table |
Key Terms
• Route 53 – AWS DNS service
• CloudFront – CDN with global edge locations
• Direct Connect – Private dedicated network connection
• VPN – Encrypted tunnel over public internet
• ELB – Elastic Load Balancing
• Global Accelerator – AWS backbone-based traffic optimization
• VPC Endpoint – Private access to AWS services
• PrivateLink – Technology powering Interface Endpoints
• ENI – Elastic Network Interface
Watch Out For
> ⚠️ CloudFront vs. Global Accelerator: CloudFront caches content at edge locations; Global Accelerator routes traffic through the AWS network without caching.
>
> ⚠️ Gateway Endpoints only work for S3 and DynamoDB — everything else uses Interface Endpoints.
>
> ⚠️ Direct Connect does not encrypt traffic by default — you must add a VPN on top for encryption if required.
>
> ⚠️ Route 53 is a global service, not regional — it operates across all AWS regions.
---
Quick Review Checklist
Use this checklist to confirm you're exam-ready:
• [ ] I can define a VPC and explain its purpose as a logically isolated network
• [ ] I understand what a CIDR block is and how it defines IP ranges
• [ ] I can explain the role of an Internet Gateway and why it's needed for public subnets
• [ ] I know that NAT Gateways live in public subnets but serve private subnets
• [ ] I understand Elastic IPs are static and persist through instance stops
• [ ] I can distinguish between public and private subnets based on route table entries
• [ ] I know that high availability requires resources across at least 2 Availability Zones
• [ ] I understand that VPC Peering is non-transitive and requires individual connections
• [ ] I can explain when to use Transit Gateway over VPC Peering
• [ ] I can clearly distinguish Security Groups (stateful, instance-level) from NACLs (stateless, subnet-level)
• [ ] I know Security Groups allow only; NACLs can allow and deny
• [ ] I understand Route 53 as AWS's DNS service
• [ ] I can explain CloudFront as a CDN caching content at edge locations
• [ ] I can compare Direct Connect (private, dedicated) vs. AWS VPN (encrypted, over internet)
• [ ] I know ELB distributes traffic across multiple targets for availability
• [ ] I understand VPC Endpoints provide private access to AWS services without internet routing
• [ ] I can differentiate Interface Endpoints (most services) from Gateway Endpoints (S3 and DynamoDB only)
• [ ] I know Global Accelerator optimizes routing via AWS's network backbone (not caching)
---
Good luck on your AWS Cloud Practitioner exam! Focus especially on the stateful vs. stateless distinction and when to use each connectivity option — these are highly tested concepts.