Networking Summary
Start course
2h 25m

This section of the Solution Architect Associate learning path introduces you to the core networking concepts and services relevant to the SAA-C03 exam. We start with an introduction to the AWS Virtual Private Network (VPC) and networking services. We then understand the options available and learn how to select and apply AWS networking services to meet specific design scenarios relevant to the Solution Architect Associate exam. 

Want more? Try a lab playground or do a Lab Challenge

Learning Objectives

  • Get a foundational understanding of VPCs, their security, and connectivity
  • Understand the basics of networking including Elastic IP addresses, Elastic Network Interfaces, networking with EC2, VPC endpoints, and AWS Global Accelerator
  • Learn about the DNS and content delivery services Amazon Route 53 and Amazon CloudFront

So you've now finished the theory section of networking for the AWS SAA. And some people find networking confusing and complicated but hopefully, you now have a much better understanding of how AWS networking works. We covered everything that could potentially come up in the exam. But in this course, I want to reiterate some of the main things to remember to ensure that you feel more prepared for any networking questions that could make an appearance. Now, remember I'm here to make sure that you know what you need to know and that you feel confident to pass this certification. So please reach out to me on LinkedIn, Twitter or drop us an email and I'll happily discuss any questions you have. 

Anyway, let's take a look starting at VPCs. So first and foremost, you have to have solid grasp of VPCs. You'll definitely come across questions covering VPCs and then networking components and how they all fit together. So let's break this down in its simplest form. So the VPC is your own networking space of AWS that resides within a single region. And within your VPC you can create both public and private subnets. And each subnet resides in a single availability zone. You can control network traffic between subnets using network access control lists or NACLs and to control access between resources such as EC2 instances we use security groups. And these both work at the port and protocol level. 

If we need to connect our VPC to the outside world we must use an internet gateway. And when attached, we can add a route from a subnet to the internet gateway to make that subnet public. If we need private instances to initiate a connection to the internet, then we need to use a NAT gateway and this resides in the public subnet. So if you can grasp those basic principles of network connectivity it will put you in very good stead in breaking down many questions that come up relating to VPCs. Half of the battle is remembering which networking component is used for what purpose. If you get that right you can usually eliminate at least two wrong answers. I find that most people get confused between NACLs and security groups and also when to use internet gateways over NAT gateways.

Okay, so let's now look at some of the connectivity options when working with VPCs, in particular VPN gateways and Direct Connect. Now, both options provide connectivity from your own corporate network to the AWS Cloud but it's a difference differences between them that are important as to when you would use one over the other. So you'd use a VPN solution if you are looking for a solution to connect your corporate network to your VPC that was relatively easy to implement where security didn't really require the use of a private network. And so it could be run across the internet instead. Now with minor configuration of a customer gateway in your network and a virtual private gateway in your VPC it would be set up and running fairly quickly. However, if you require this connection to be fast, stable and private, then a VPN wouldn't be the right choice. Instead, you'd need to use Direct Connect which would provide a private connection between your data center and an AWS region not just your VPC. Now, this uses dedicated lease lines with an AWS partner and you could connect one interface to a virtual gateway in your VPC and another interface to connect to an AWS region allowing access to public AWS resources such as Amazon S3.

Now, we also covered VPC endpoints in this course. Again, this is connection related but it looks at connectivity between your VPC and other AWS services across a private network without exposing data to the internet using AWS private link. Now, this means that you can connect to the services without configuring an internet gateway or a NAT gateway. For the exam, be aware of interface endpoints and Gateway endpoints. Now interface endpoints are effectively ENIs with a private IP address within your subnet and this acts as an entry point to a supported AWS service. Whereas a Gateway endpoint is added as a target in your route table of your subnets which points to either Amazon S3 or DynamoDB.

So we've covered VPC and its components and also network connectivity, but let's now look at some of a smaller networking components, these being ENIs, EIPs and ENAs. They all sound very similar but all perform very different functions. You don't need to know the inner workings of each of them but you do need to know when there might be used and what they are. So you might get asked questions about network latency and how to resolve it or questions relating to persistent public IP addresses to help mask instance failures or the requirements to set up a management network between your EC2 instances, for each of these you would use either an ENA an EIP or ENI. So ENAs are used to provide enhanced networking features to high speeds for your Linux compute instances. So if you receive any questions on enhancing network performance for Linux instances and ENA is an option, it's certainly worth taking note of. 

EIPs provide persistent public IP addresses that you can associate with your instance which can be attached to an instance or an elastic network interface, an ENI. And these can be detached from one instance and reattached to another. And this can mask the failure of a publicly accessible instance. And ENIs are used to give your EC2 instances an additional network interface. And this allows the instance to connect to two different subnets at once, each interface configured with an IP address of each subnet. So this is great if you're creating a management subnet you can then add management network interfaces to each EC2 instance you want to be apart of that management network.

Now we just spoke about networking performance with the ENA but you should also take note of the AWS Global Accelerator too which effectively allows you to get UDP and TCP traffic from your end user clients to your applications faster, quicker and more reliably by using the AWS global infrastructure. And it does this by intelligently routing customer requests across the most optimized path. 

So the ENA provides high-speed performance for your instance, whereas the Global Accelerator provides high speed performance from an end client to your application using the AWS network.

The last two services I want to highlight are Route 53 and CloudFront. So the key points at the high level for Route 53 include, it's a highly available and scalable DNS service that provides secure and reliable routing of requests. Now you have public hosted zones which determine how traffic is routed on the internet and then private hosted zones which determine how traffic is routed within a VPC. Now it uses different routing policies to route traffic and this is important. You need to be aware of those different routing policies. It also supports the most common resource record types as well. 

An alias records act like a CNAME record allowing you to route your traffic to other AWS resources such as ELBs, VPC interface endpoints, et cetera. So make sure you're aware of what an alias record is. So what sort of questions might you see relating to Route 53? Well, I expect your see something relating to routing policies, you will be expected to select the most appropriate routing policy given a particular scenario. So know the difference between the following policies. There's simple, failover, geo-location, geoproximity, latency, multivalue answer and weighted.

Okay, so moving on to CloudFront. So CloudFront is used to speed up the distribution of your static and dynamic content by storing cache data through its global network of edge locations. Now it's fault-tolerant and globally scalable by design and it's AWS's own content delivery service. 

So normally when a user requests content from a web server that you're hosting without a CDN the request is routed back to the source web server which could actually reside in a different country to the user initiating the request. However, if you use CloudFront, the request is routed to the closest edge location to the user's location which would likely provide the lowest latency and therefore deliver the best performance using cached data. 

So when you're looking at questions that ask you about distributing traffic or enhancing the performance for your end users, perhaps to your website you need to think about the different network and solutions available to help you to do this. And CloudFront will usually be one or part of the answers. You should be familiar with the configuration of CloudFront distributions and the information they contain such as the origin information, what an Origin Access Identity is, known as OAI, also brush up on your caching behavior options as well which define how you want the data at the edge location to be cached using various methods and policies.

And that now brings me to the end of another section. So you should now have a solid understanding of AWS networking components and concepts. So let's crack on and tackle the next steps. Again, if you have any questions about any of this please do reach out to me and I'll be more than happy to explain any topic further with you.

About the Author
Learning Paths

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.