
Identify AWS Network Services

🌐Exam Guide: Cloud Practitioner
Domain 3: Cloud Technology & Services
📘Task Statement 3.5

🎯 What Is This Task Testing?

  • Amazon VPC components (Subnets, Gateways, Routing)
  • VPC security controls (Security Groups and Network ACLs)
  • The purpose of Amazon Route 53
  • Edge networking services (Amazon CloudFront, AWS Global Accelerator)
  • Connectivity options to AWS (AWS Site-to-Site VPN, AWS Direct Connect)

1) 🧱 Amazon VPC

The Foundation of AWS Networking

An Amazon Virtual Private Cloud (VPC) is a logically isolated network in AWS where you launch resources.

Key VPC components to recognize

  • Subnets

    • A subnet is a range of IP addresses within a VPC.
    • Subnets are often described as:
      • Public subnet: has a route to the internet (typically through an internet gateway)
      • Private subnet: no direct route to the internet
  • Route Tables: Determine where network traffic is directed (e.g., to the internet, to a VPN, to another subnet).

  • Gateways

    • Internet Gateway (IGW): enables internet connectivity for resources in public subnets.
    • NAT Gateway: allows resources in private subnets to access the internet outbound for updates and downloads while preventing inbound internet-initiated connections.

“private subnet needs outbound internet access but should not be publicly reachable” → NAT Gateway.
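As an added illustration (not code from the original post), the following Python models how a VPC route table picks a route by longest-prefix match and how a subnet's default route decides whether it is public, private or isolated; the route tables and gateway ids are constructed samples.

```python
import ipaddress

# Constructed sample route tables for one VPC (10.0.0.0/16); the gateway ids
# are placeholders, not real AWS resources.
ROUTE_TABLES = {
    "rtb-public": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "igw-EXAMPLE"},
    ],
    "rtb-private": [
        {"destination": "10.0.0.0/16", "target": "local"},
        {"destination": "0.0.0.0/0", "target": "nat-EXAMPLE"},
    ],
    "rtb-isolated": [
        {"destination": "10.0.0.0/16", "target": "local"},
    ],
}

def next_hop(routes, dst_ip):
    """Pick the route the VPC would use: the most specific (longest) prefix
    containing dst_ip wins, so the 'local' /16 beats the 0.0.0.0/0 default."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for route in routes:
        net = ipaddress.ip_network(route["destination"])
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, route["target"]
    return best_target  # None: the VPC has no route for that destination

def classify_subnet(routes):
    """Public: the default route reaches an internet gateway.
    Private: the default route goes to a NAT gateway (outbound only).
    Isolated: no default route, so no internet path in either direction."""
    default = next(
        (r["target"] for r in routes if r["destination"] == "0.0.0.0/0"), None)
    if default is None:
        return "isolated"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private"
    return "other"  # e.g. a virtual private gateway toward on-premises

if __name__ == "__main__":
    for name, routes in ROUTE_TABLES.items():
        print(name, classify_subnet(routes), next_hop(routes, "203.0.113.10"))
```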

2) 🔐 VPC Security

Security Groups

  • Firewall at the resource or instance level (commonly for EC2).
  • Controls inbound and outbound rules.
  • Stateful, which means return traffic for an allowed connection is automatically allowed.

Use Security Groups When: you need to control traffic to/from a specific instance or resource.

Network ACLs (NACLs)

  • Firewall at the subnet level.
  • Controls inbound and outbound traffic for a subnet.
  • Stateless, which means return traffic must be explicitly allowed by a rule in the opposite direction.

Use NACLs When: you need subnet-wide rules, including explicit deny rules.
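To make the stateful/stateless difference concrete, here is an added Python model (not from the original post) that evaluates one client request and its reply against a constructed security group and a constructed NACL; the rule sets and IP addresses are sample values, not from any real account.

```python
import ipaddress

def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

# Constructed sample rules. The security group allows HTTPS in and nothing
# out; because it is stateful, replies to allowed requests still flow.
SECURITY_GROUP = {
    "inbound": [{"proto": "tcp", "port": 443, "cidr": "0.0.0.0/0"}],
    "outbound": [],
}
# NACL rules: (number, action, protocol, port range, cidr). The lowest
# numbered matching rule wins; the final catch-all (here 32767) denies the rest.
NACL = {
    "inbound": [
        (100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
        (200, "deny", "tcp", (22, 22), "0.0.0.0/0"),
        (32767, "deny", "all", (0, 65535), "0.0.0.0/0"),
    ],
    "outbound": [
        (100, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),  # ephemeral reply ports
        (32767, "deny", "all", (0, 65535), "0.0.0.0/0"),
    ],
}

def sg_allows(sg, direction, proto, port, peer_ip):
    """Security groups are allow-only: any matching rule permits the flow."""
    return any(r["proto"] == proto and r["port"] == port and in_cidr(peer_ip, r["cidr"])
               for r in sg[direction])

def nacl_allows(nacl, direction, proto, port, peer_ip):
    """NACLs are ordered allow/deny rules with an implicit deny at the end."""
    for _num, action, rproto, (lo, hi), cidr in sorted(nacl[direction]):
        if rproto in ("all", proto) and lo <= port <= hi and in_cidr(peer_ip, cidr):
            return action == "allow"
    return False

def connection_allowed(sg, nacl, proto, port, client_ip, client_port):
    """Decide whether a client -> instance request AND its reply get through.
    Security group: stateful, so an allowed request implies an allowed reply.
    NACL: stateless, so the reply (instance -> client, destination port =
    the client's source port) must match an outbound rule on its own."""
    if not (nacl_allows(nacl, "inbound", proto, port, client_ip)
            and sg_allows(sg, "inbound", proto, port, client_ip)):
        return "blocked: request denied"
    if not nacl_allows(nacl, "outbound", proto, client_port, client_ip):
        return "blocked: reply denied by stateless NACL"
    return "allowed"
```

A client on an ephemeral source port gets through, while the same request from a low source port is accepted inbound but its reply is dropped by the NACL, which is exactly the mistake the stateless rule is about.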

Private access to Amazon Inspector using AWS PrivateLink (Interface Endpoints)

Although Amazon Inspector is a security service rather than a VPC firewall, it is mentioned in the Exam Guide, so it is worth touching on here: you can connect to it privately from inside your VPC.

  • With AWS PrivateLink, you can set up a private connection from your VPC to Amazon Inspector so traffic stays on the AWS network.
  • This lets you reach Inspector as if it were inside your VPC, without needing an internet gateway, NAT device, VPN, or Direct Connect.
  • Your instances can access Inspector without public IP addresses.

How?

  1. You create an interface VPC endpoint (powered by PrivateLink).
  2. AWS places endpoint network interfaces in each subnet you enable for that endpoint.
  3. Those endpoint network interfaces act as the entry point for traffic going from your VPC to Amazon Inspector.

3) 🧭 Amazon Route 53

Domain Name System

Amazon Route 53 is AWS’s Domain Name System (DNS) service.

Purpose of Amazon Route 53:

  • translates domain names (like example.com) into IP addresses
  • routes end users to applications (often by directing them to load balancers or endpoints)
  • supports routing policies for controlling how traffic is directed.

“DNS,” “domain registration,” “route users to endpoint” → Route 53.

4) ⚡Edge Services

Amazon CloudFront

Amazon CloudFront is a content delivery network (CDN) that caches and delivers content from locations close to users.

Use Amazon CloudFront When:

  • you want faster delivery of websites, static assets, and streaming/media content
  • you want reduced latency for global users

AWS Global Accelerator

AWS Global Accelerator improves performance by routing traffic onto the AWS global network and directing users to the optimal endpoint.

Use AWS Global Accelerator When:

  • you want improved global performance and availability for internet-facing applications
  • you want intelligent routing to the best performing regional endpoint

CloudFront: caching/content delivery
Global Accelerator: network traffic acceleration and routing to endpoints

5) 🔌 Network Connectivity Options to AWS

AWS Site-to-Site VPN

AWS Site-to-Site VPN creates an encrypted VPN tunnel over the public internet between your on-premises network and AWS.

Use AWS Site-to-Site VPN When:

  • you need a relatively quick connectivity option
  • you can tolerate internet-based variability
  • encryption over the public internet is acceptable

AWS Direct Connect

AWS Direct Connect is a dedicated, private network connection between your on-premises environment and AWS.

Use AWS Direct Connect When:

  • you need more consistent network performance
  • you want private connectivity (not traversing the public internet)
  • you have higher bandwidth requirements or steady traffic patterns

“dedicated connection,” “consistent latency,” “private link to AWS” → Direct Connect.

✅ Quick Exam-Style Summary

  • VPC contains subnets, route tables, and gateways.
  • Internet Gateway enables internet access for public subnets
  • NAT Gateway enables outbound internet for private subnets.
  • Security groups (resource or instance-level, stateful) vs NACLs (subnet-level, stateless).
  • PrivateLink/interface endpoints can provide private access to AWS services (example: Amazon Inspector) without public IPs or internet-based connectivity.
  • Route 53: DNS and traffic routing to endpoints.
  • CloudFront: CDN caching near users
  • Global Accelerator: improved global routing to endpoints.
  • Connectivity: VPN (encrypted over internet) vs Direct Connect (dedicated private connection).

Additional Resources

  1. Networking and content delivery
  2. Access Amazon Inspector using an interface endpoint (AWS PrivateLink)
