openskills.info
AWS Networking logo

AWS Networking

itCloud computing

AWS Networking

AWS networking decides which systems can communicate, which path their packets take, and where traffic is allowed to cross a trust boundary. Amazon Virtual Private Cloud, or Amazon VPC, is the foundation. A VPC is a logically isolated virtual network in one AWS Region.

The useful mental model has four parts:

  1. Address the network with non-overlapping IPv4 or IPv6 ranges.
  2. Place resources in subnets tied to Availability Zones.
  3. Route traffic toward a gateway, endpoint, connection, or local destination.
  4. Filter traffic close to resources and, when needed, at subnet boundaries.

Most AWS networking failures come from one broken part of that chain. A route cannot override a security rule. A security rule cannot create a route. DNS can return a correct address while the packet path still fails.

VPCs, subnets, and addresses

A VPC owns one or more CIDR blocks. CIDR notation defines an address range and its prefix length. Plan ranges before connecting networks. VPC peering rejects overlapping CIDR blocks, and shared address space makes later connectivity harder.

A subnet is an address range inside a VPC. Each subnet exists in exactly one Availability Zone. Spread application tiers across subnets in multiple zones when the workload must tolerate a zone failure.

Public and private are routing properties, not labels. A public subnet has a direct route to an internet gateway. A private subnet does not. A resource in a public subnet also needs a public IPv4 address, or an IPv6 address, before it can communicate through the internet gateway.

An elastic network interface is the network attachment used by many VPC resources. It carries addresses and security groups. Think of the interface as the point where a workload joins the VPC data plane.

Route tables choose the path

Every subnet uses one route table. Each route pairs a destination with a target. The VPC router selects the most specific matching destination, also called longest prefix match.

Every route table includes local routes for the VPC address ranges. Other targets include internet gateways, NAT gateways, peering connections, transit gateways, and network interfaces. IPv4 and IPv6 have separate routes. An IPv4 default route does not cover IPv6 traffic.

A route proves only that AWS knows the next hop. Return routes and traffic filters must also allow the flow. When you troubleshoot, check both directions.

Internet and private service access

An internet gateway connects a VPC to the internet. For IPv4, a resource needs a public IPv4 address and a route through the gateway. The internet gateway performs the address translation between the resource's private and public IPv4 addresses.

A public NAT gateway gives resources in private subnets outbound IPv4 internet access. Those external destinations cannot start unsolicited connections back through the NAT gateway. The private subnet routes outbound traffic to the NAT gateway. The NAT gateway sits in a public subnet that routes to an internet gateway.

Private access often removes the need for internet egress. A VPC endpoint connects a VPC to supported services and resources. AWS PrivateLink supports private, service-specific connectivity without requiring an internet gateway, NAT device, public IP address, VPN, or Direct Connect connection.

Security groups and network ACLs

A security group filters allowed inbound and outbound traffic for associated resources. Security groups are stateful. When a rule allows a request, response traffic is allowed automatically. Use narrow sources, destinations, protocols, and ports. Referencing another security group can express workload identity more clearly than a changing set of IP addresses.

A network access control list, or network ACL, filters traffic at a subnet boundary. Its numbered rules can allow or deny traffic. AWS evaluates the lowest rule number first and stops at the first match. Network ACLs are stateless, so you must allow the request and response paths explicitly.

Security groups are the usual resource-level control. Add network ACLs when you need a subnet-level guardrail or an explicit deny. Do not treat either control as a substitute for correct routing.

Connecting networks

Choose a connectivity service from the relationship you need:

  • VPC peering gives direct, private IP connectivity between two VPCs. It is one-to-one and non-transitive.
  • AWS Transit Gateway is a Regional layer-three router for many VPC and on-premises attachments. Its route tables support hub-and-spoke segmentation.
  • AWS PrivateLink exposes a specific service or resource through private endpoints. It does not create general network-to-network reachability.
  • AWS Site-to-Site VPN creates IPsec tunnels between AWS and a remote network. Each VPN connection includes two tunnels.
  • AWS Direct Connect places a dedicated Ethernet connection in the network path and bypasses internet service providers. Virtual interfaces provide access to VPCs or public AWS services.

These services solve different problems. Peering and Transit Gateway provide layer-three reachability. PrivateLink narrows access to a service. VPN provides encrypted hybrid connectivity. Direct Connect provides a dedicated path and is commonly paired with deliberate redundancy and encryption choices.

DNS, load balancing, and observation

Route 53 private hosted zones answer DNS queries for associated VPCs and connected hybrid resolvers. DNS provides names; it does not grant connectivity.

Elastic Load Balancing distributes incoming traffic across healthy registered targets in one or more Availability Zones. A load balancer is an application entry point, not a replacement for subnet routes or security groups.

VPC Flow Logs record metadata about IP traffic at VPC, subnet, or network-interface scope. They can capture accepted traffic, rejected traffic, or both. Use them to test a filtering hypothesis and confirm the observed source, destination, port, and action.

A practical design sequence

Start with the flows, not the products.

  1. List who initiates each connection and which service receives it.
  2. Allocate non-overlapping address space with room for each Availability Zone.
  3. Place public entry points separately from private application and data resources.
  4. Build the route in both directions.
  5. Apply least-privilege security groups, then add network ACL guardrails only where they help.
  6. Prefer private endpoints for supported service access when broad internet egress is unnecessary.
  7. Choose peering, Transit Gateway, PrivateLink, VPN, or Direct Connect from the required connectivity relationship.
  8. Enable flow data and test failure paths before production traffic depends on them.

Limits and tradeoffs

AWS manages the VPC router and many gateway services, but it does not choose a sound address plan or trust model for you. Central routing can reduce connection sprawl while increasing the impact of a bad route. Broad connectivity is easy to create and hard to audit. NAT gateways, endpoints, transit attachments, load balancers, public IPv4 addresses, and data transfer can also affect cost.

The right design is usually the smallest connectivity graph that serves the required flows. Give each path a clear owner, a narrow purpose, and observable evidence.