
Connectivity Within The VPC



This section of the AWS Certified Solutions Architect - Professional learning path introduces common AWS solution architectures relevant to the AWS Certified Solutions Architect - Professional exam and the services that support them. These services form a core component of running resilient and performant architectures. 


Learning Objectives

  • Learn how to utilize managed services and serverless architectures to minimize cost
  • Understand how to use AWS services to process streaming data
  • Discover AWS services that support mobile app development
  • Understand when to utilize serverless services within your AWS solutions
  • Learn which AWS services to use when building a decoupled architecture

- [Man] So how do instances in our VPC access the internet?

Well, the first way is that we can assign a public IP address to that machine. So first we assign a public IP address, or an Elastic IP address, or EIP, to the instances that we want to have internet access.

That gives those instances the ability to send and receive traffic from the internet; i.e., for a web service, we want to have that ability. So how do instances without public IP addresses access the internet? Instances without a public IP address can route their traffic through what we call a NAT Gateway or a NAT Instance. Now, NAT stands for Network Address Translation. And essentially, NAT instances or services traverse IP ranges, internet protocol number ranges, and so allow instances in private or public subnets to access the internet via Network Address Translation. So if a machine is in a subnet and it doesn't have an EIP address, then it's not going to be visible through the internet gateway. But if we use a NAT gateway, we can have that machine hop outbound to the internet via this Network Address Translation. So the NAT Gateway or NAT Instance allows outbound communication, but it doesn't allow machines on the internet outside of the VPC to initiate a connection to that privately addressed instance. Okay, so let's look at another concept of connectivity, which is highly available NAT Gateways instead of NAT Instances. Remember, NAT stands for Network Address Translation, and NAT Gateways offer major advantages in terms of deployment, availability, and maintenance.

So rather than running a NAT Instance, which is basically a machine that we have provisioned and manage, we set up that routing rule which allows machines in a public or private subnet that do not have an Elastic IP address, that do not have an internet address, to connect outbound through the NAT instance, through the internet gateway, outbound to the internet. So they are basically a hopping host to get out through the internet. So remember that, in terms of high availability, NAT Gateways are way more available because they're a managed service. So they scale very well and are designed to deal with burst activity, et cetera. Now, another form of connectivity we can have to our VPC is using a VPN. So if you have a hardware VPN connection or direct connection, instances can route their internet traffic down the virtual private gateway to your own internet connection. Now, note the difference there. There's the internet gateway and there's the virtual private gateway. So a VPN connection uses a virtual private gateway. Your internet inbound and outbound traffic uses the Internet Gateway. You can also have services within your VPC access the internet via your existing egress points using a VPN connection. Now, a couple of things to remember with VPC design: always make sure you leave spare capacity for additional subnets. So always make sure that your IP addressing contains additional capacity so that you can scale it.
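The public-subnet/Internet Gateway and private-subnet/NAT Gateway routing described in the lecture, as an added Terraform example that is not part of the course material. The VPC and subnet CIDRs, the availability zone, and all resource names are assumptions; the /16 is chosen deliberately larger than the two /24 subnets so there is spare addressing capacity for more subnets later.

```hcl
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16" # assumed CIDR; leaves room for many more subnets
}
resource "aws_internet_gateway" "igw" {
  vpc_id = aws_vpc.main.id
}
# Public subnet: instances launched here get a public IP and use the IGW
resource "aws_subnet" "public_a" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = "10.0.0.0/24"
  availability_zone       = "us-east-1a"
  map_public_ip_on_launch = true
}
resource "aws_route_table" "public" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.igw.id
  }
}
resource "aws_route_table_association" "public_a" {
  subnet_id      = aws_subnet.public_a.id
  route_table_id = aws_route_table.public.id
}
# NAT Gateway lives in the public subnet with its own EIP; deploy one per AZ so
# losing an AZ does not take down egress for private subnets in the other AZs
resource "aws_eip" "nat_a" {
  domain = "vpc"
}
resource "aws_nat_gateway" "nat_a" {
  allocation_id = aws_eip.nat_a.id
  subnet_id     = aws_subnet.public_a.id
}
# Private subnet: no public IPs; default route via the NAT Gateway, so outbound
# works but nothing on the internet can initiate a connection to these hosts
resource "aws_subnet" "private_a" {
  vpc_id            = aws_vpc.main.id
  cidr_block        = "10.0.10.0/24"
  availability_zone = "us-east-1a"
}
resource "aws_route_table" "private_a" {
  vpc_id = aws_vpc.main.id
  route {
    cidr_block     = "0.0.0.0/0"
    nat_gateway_id = aws_nat_gateway.nat_a.id
  }
}
resource "aws_route_table_association" "private_a" {
  subnet_id      = aws_subnet.private_a.id
  route_table_id = aws_route_table.private_a.id
}
```

For a second availability zone, repeat the public subnet, EIP, NAT Gateway, private subnet and private route table with that AZ's values rather than pointing the second private subnet at `nat_a`, which is what makes the design highly available.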

About the Author

Danny has over 20 years of IT experience as a software developer, cloud engineer, and technical trainer. After attending a conference on cloud computing in 2009, he knew he wanted to build his career around what was still a very new, emerging technology at the time — and share this transformational knowledge with others. He has spoken to IT professional audiences at local, regional, and national user groups and conferences. He has delivered in-person classroom and virtual training, interactive webinars, and authored video training courses covering many different technologies, including Amazon Web Services. He currently has six active AWS certifications, including certifications at the Professional and Specialty level.