Module 5 - Networking
This module covers the core networking concepts in AWS, including Virtual Private Clouds, subnets, security controls, and global networking services.
Introduction to Networking
AWS networking lets you control access to your resources precisely. The key concepts are:
- A VPC (Virtual Private Cloud) is an isolated network that you create within an AWS region. It limits access from the outside world to your resources.
- Subnets divide your VPC into smaller segments. You configure each subnet as either public or private.
- Public subnets have a route to the internet, making them suitable for customer-facing resources such as web servers.
- Private subnets do not have a direct route to the internet, making them suitable for internal resources such as databases that only your application should access.
Organising AWS Cloud Resources
- A VPC has a private IP range that you define when you create it.
- For a VPC to accept traffic from the internet, you must attach an Internet Gateway.
- A Virtual Private Gateway is the VPC-side endpoint for connections from your on-premises network (such as a Site-to-Site VPN); it admits only authorised connections into your VPC.
- AWS Direct Connect establishes a dedicated, high-bandwidth network connection between your on-premises infrastructure and AWS.
More Ways to Connect to AWS
AWS offers a range of connectivity options depending on your requirements:
- AWS Client VPN — Connects remote workers securely to your AWS resources over the internet.
- AWS Site-to-Site VPN — Creates an encrypted connection between your on-premises network and your VPC.
- AWS PrivateLink — Provides private connectivity between VPCs or between your network and AWS services, without routing traffic over the public internet.
- AWS Direct Connect — Establishes a dedicated network connection from your premises to AWS. It is well suited to high-bandwidth, low-latency workloads and provides a more consistent network experience for hybrid cloud architectures.
- AWS Transit Gateway — Acts as a central hub that connects multiple VPCs and on-premises networks, simplifying network management at scale.
- NAT Gateway — Allows instances in a private subnet to initiate outbound connections to the internet whilst preventing inbound traffic from reaching them directly.
- AWS API Gateway — Lets you create, publish, maintain, monitor, and secure APIs at any scale.
Subnets, Security Groups, and Network ACLs
AWS provides two layers of network security within a VPC:
- Security Groups operate at the instance level. They deny all inbound traffic by default and allow all outbound traffic. You create rules to permit specific inbound traffic based on protocol, port, and source.
- Network ACLs (Access Control Lists) operate at the subnet level. They act as a virtual firewall, analysing traffic as it enters or leaves the subnet and allowing or denying it based on the rules you define.
Both security groups and Network ACLs fall under customer responsibility in the AWS Shared Responsibility Model.
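As an added illustration (not part of the course notes), the following Python model compares how a security group and a network ACL decide on the same inbound packets for a public web subnet; all CIDRs, ports and rule numbers are constructed. It also models two behaviours the notes do not spell out: network ACL rules are evaluated in ascending rule-number order with the first match winning and are stateless, whereas security groups are stateful.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str                # source IP address
    dst_port: int
    is_reply: bool = False  # True for the return half of a connection the instance opened


def _matches(rule, pkt):
    return pkt.dst_port in rule["ports"] and \
        ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule["cidr"])


def sg_allows_inbound(rules, pkt):
    """Security group: allow rules only, default deny, stateful (replies always pass)."""
    return pkt.is_reply or any(_matches(r, pkt) for r in rules)


def nacl_allows_inbound(rules, pkt):
    """Network ACL: ascending rule-number order, first match wins, stateless.
    Anything unmatched falls through to the implicit '*' deny rule."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if _matches(r, pkt):
            return r["action"] == "allow"
    return False


# Constructed rules for illustration only (TCP assumed, not from a real account).
SG_RULES = [{"ports": range(443, 444), "cidr": "0.0.0.0/0"}]
NACL_RULES = [
    {"num": 100, "action": "allow", "ports": range(443, 444), "cidr": "0.0.0.0/0"},
    # Intended to block one network, but numbered *after* the broad allow above.
    {"num": 110, "action": "deny", "ports": range(0, 65536), "cidr": "198.51.100.0/24"},
    # Ephemeral ports must be opened for replies to outbound connections because
    # the NACL is stateless; the security group needs no equivalent rule.
    {"num": 120, "action": "allow", "ports": range(1024, 65536), "cidr": "0.0.0.0/0"},
]


def evaluate():
    web = Packet("203.0.113.9", 443)
    blocked_net = Packet("198.51.100.7", 443)
    reply = Packet("203.0.113.9", 50000, is_reply=True)
    fixed = [dict(r, num=90) if r["num"] == 110 else r for r in NACL_RULES]
    return {
        "sg_web": sg_allows_inbound(SG_RULES, web),                          # True
        "nacl_web": nacl_allows_inbound(NACL_RULES, web),                    # True
        "nacl_deny_shadowed": nacl_allows_inbound(NACL_RULES, blocked_net),  # True: rule 100 matched first
        "nacl_deny_fixed": nacl_allows_inbound(fixed, blocked_net),          # False once the deny is rule 90
        "sg_reply": sg_allows_inbound(SG_RULES, reply),                      # True: stateful
        "nacl_reply_no_ephemeral": nacl_allows_inbound(NACL_RULES[:2], reply),  # False: stateless
        "nacl_reply": nacl_allows_inbound(NACL_RULES, reply),                # True via rule 120
    }
```

The shadowed deny and the dropped reply are the two most common network ACL misconfigurations a reviewer checks for; neither can occur with a security group.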
Global Networking
- Amazon Route 53 is a highly available and scalable DNS service. It supports geolocation routing, latency-based routing, and weighted routing, allowing you to direct users to the most appropriate endpoint. Route 53 can also register and manage domain names.
- Amazon CloudFront is a content delivery network (CDN) that delivers content with low latency and high transfer speeds by caching it at edge locations around the world.
- AWS Global Accelerator improves the availability and performance of your applications for users across the globe by routing traffic over the AWS global network.
Global Architectures
When designing architectures that span multiple regions, choose your connectivity option based on your needs:
- Use a VPN when you need an encrypted connection and can tolerate the latency of routing traffic over the public internet.
- Use Direct Connect when you need high bandwidth, low latency, and a consistent network experience — particularly for hybrid architectures where on-premises and cloud workloads communicate regularly.