Networking in AWS
Design secure and reachable networks using VPC, subnets, security controls, internet access, load balancers, and Route 53 DNS.
What Is It? (ELI5)
VPC is your private city in AWS. Subnets are neighborhoods, Security Groups are door guards, NACLs are street-level checkpoints, and Route 53 is your app phonebook.
Why Do We Need It?
- Separate public and private resources safely.
- Control who can reach what.
- Distribute traffic with load balancers for scale and resilience.
How It Works (Technical)
| AWS | Purpose | Azure Equivalent |
|---|---|---|
| VPC | Isolated virtual network | VNet |
| Subnet | Network segment in AZ | Subnet |
| Security Group | Stateful, allow-only firewall attached to ENIs (EC2, RDS, load balancers) | NSG |
| NACL | Stateless subnet firewall; numbered allow/deny rules, first match wins | NSG applied to a subnet (closest fit; NSGs are stateful, so no exact equivalent) |
| ALB/NLB | Layer 7 / Layer 4 load balancing | Application Gateway / Load Balancer |
| Route 53 | Managed DNS and routing policies | Azure DNS + Traffic Manager |
Security Group vs NACL
Use Security Groups for most workload-level access control: they are stateful (reply traffic is admitted automatically), contain only allow rules, and can reference other Security Groups instead of CIDRs, so "allow 443 from the ALB's Security Group" needs no IP bookkeeping. Use NACLs for subnet-level guardrails and broad deny rules (for example, blocking a known-bad CIDR for a whole subnet): they are stateless, evaluated in ascending rule-number order with the first match winning and an implicit deny at the end, so a NACL that allows a request must also allow the reply on ephemeral ports (1024-65535) in the opposite direction. Leaving the NACL at its default allow-all and doing the real work in Security Groups is the common, safe baseline.
Hands-on
```bash
# Create a security group in the VPC (the GroupId is printed in the response)
aws ec2 create-security-group \
  --group-name web-sg \
  --description "Web tier SG" \
  --vpc-id vpc-12345678

# Allow HTTPS inbound from anywhere; replace sg-12345678 with the GroupId returned above
aws ec2 authorize-security-group-ingress \
  --group-id sg-12345678 \
  --protocol tcp --port 443 --cidr 0.0.0.0/0

# List hosted zones in Route 53
aws route53 list-hosted-zones
```
Debugging Scenario
Problem
Load balancer health checks fail even though the app responds when tested locally on the instance.
- Check the target group's health check protocol, port and path, and that the app returns the expected status code on that path (an ALB expects 200 unless the matcher was changed).
- Check that the app listens on all interfaces (0.0.0.0), not only 127.0.0.1; "works locally" often means it is bound to loopback.
- Ensure the target's Security Group allows inbound on the health check port from the load balancer's Security Group (ALB), or from the load balancer's subnet CIDRs when an NLB has no Security Group attached.
- Ensure the target subnet's NACL allows the health check inbound and the reply outbound on ephemeral ports (1024-65535); NACLs are stateless, so the reply is not admitted automatically.
- Confirm route tables and subnet associations: load balancer and target subnets in the same VPC reach each other over the local route, but a target registered in the wrong subnet or AZ will never become healthy.
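The checklist above and the Security Group vs NACL section both come down to how AWS evaluates a flow: the Security Group is stateful and allow-only, the NACL is stateless and evaluated in rule-number order with an implicit final deny. The Python below is an added example, not code from this page or from AWS; it models that evaluation offline (no boto3 calls) over constructed data. The names `web-sg`, `alb-sg`, `app-nacl`, the CIDR `10.0.0.0/16`, the ALB address `10.0.1.20` and the client ephemeral port 50000 are all assumptions. It shows why a NACL that allows the health check port inbound but not the ephemeral reply ports outbound still fails the check, while the same allow rule in a Security Group passes.

```python
"""Model how AWS admits a TCP flow through a subnet NACL (stateless, ordered
allow/deny rules) and an instance Security Group (stateful, allow-only), then
use the model to diagnose a failing load-balancer health check.
All names, addresses and rules are constructed example data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

EPHEMERAL_PORTS = (1024, 65535)   # client-side port range used by ALB/NLB nodes


@dataclass(frozen=True)
class Rule:
    protocol: str                    # "tcp", "udp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str = "0.0.0.0/0"          # remote address range the rule applies to
    source_sg: Optional[str] = None  # SG-to-SG reference (Security Groups only)
    action: str = "allow"            # NACL rules may also be "deny"
    number: int = 0                  # NACL rule number; lowest is evaluated first

    def matches(self, protocol: str, port: int, remote_ip: str, remote_sg: Optional[str]) -> bool:
        if self.protocol not in ("-1", protocol):
            return False
        if self.protocol != "-1" and not (self.port_from <= port <= self.port_to):
            return False
        if self.source_sg is not None:           # referenced-SG rules ignore the IP
            return remote_sg == self.source_sg
        return ip_address(remote_ip) in ip_network(self.cidr, strict=False)


@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule] = field(default_factory=list)

    def allows_inbound(self, protocol: str, port: int, remote_ip: str, remote_sg: Optional[str] = None) -> bool:
        # Any matching rule admits the request; there are no deny rules.
        # The SG tracks the connection, so the reply needs no outbound rule.
        return any(r.matches(protocol, port, remote_ip, remote_sg) for r in self.inbound)


@dataclass
class NetworkAcl:
    name: str
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)

    def allows(self, direction: str, protocol: str, port: int, remote_ip: str) -> bool:
        # Stateless: evaluate in ascending rule number, first match decides,
        # and the implicit final "*" rule denies anything left unmatched.
        rules = self.inbound if direction == "in" else self.outbound
        for r in sorted(rules, key=lambda r: r.number):
            if r.matches(protocol, port, remote_ip, None):
                return r.action == "allow"
        return False


def tcp_flow_allowed(client_ip: str, client_sg: Optional[str], target_sg: SecurityGroup,
                     target_nacl: NetworkAcl, port: int, client_port: int = 50000) -> List[str]:
    """Return the reasons a TCP connection (request plus reply) from the client
    to the target would be blocked; an empty list means it is allowed."""
    problems = []
    if not target_nacl.allows("in", "tcp", port, client_ip):
        problems.append(f"{target_nacl.name}: no inbound allow for tcp/{port} from {client_ip}")
    if not target_sg.allows_inbound("tcp", port, client_ip, client_sg):
        problems.append(f"{target_sg.name}: no inbound allow for tcp/{port} from {client_sg or client_ip}")
    # The reply goes back to the client's ephemeral port; the SG admits it
    # because it is stateful, but the NACL must allow it explicitly.
    if not target_nacl.allows("out", "tcp", client_port, client_ip):
        problems.append(f"{target_nacl.name}: no outbound allow for reply tcp/{client_port} to {client_ip}")
    return problems


def diagnose_health_check(lb_ip: str, lb_sg: str, target_sg: SecurityGroup, target_nacl: NetworkAcl,
                          hc_port: int, app_port: int, app_bind: str) -> List[str]:
    """Network checks plus the two most common host-side causes of a failing check."""
    findings = tcp_flow_allowed(lb_ip, lb_sg, target_sg, target_nacl, hc_port)
    if app_port != hc_port:
        findings.append(f"target group checks port {hc_port} but the app listens on {app_port}")
    if app_bind == "127.0.0.1":
        findings.append("app is bound to 127.0.0.1; it answers locally but not on the VPC interface")
    return findings


# Constructed scenario: an ALB in alb-sg at 10.0.1.20 probes targets in web-sg.
WEB_SG = SecurityGroup("web-sg", inbound=[Rule("tcp", 443, 443, source_sg="alb-sg")])
BROKEN_NACL = NetworkAcl("app-nacl",
    inbound=[Rule("tcp", 443, 443, "10.0.0.0/16", number=100)],
    outbound=[Rule("tcp", 443, 443, "10.0.0.0/16", number=100)])   # reply ports forgotten
FIXED_NACL = NetworkAcl("app-nacl",
    inbound=BROKEN_NACL.inbound,
    outbound=[Rule("tcp", *EPHEMERAL_PORTS, "10.0.0.0/16", number=100)])

if __name__ == "__main__":
    print(diagnose_health_check("10.0.1.20", "alb-sg", WEB_SG, BROKEN_NACL, 443, 443, "0.0.0.0"))
    print(diagnose_health_check("10.0.1.20", "alb-sg", WEB_SG, FIXED_NACL, 443, 443, "0.0.0.0"))
```

Run as a script, the first call reports the missing outbound reply rule on the NACL and the second returns no findings. The model deliberately stops at Security Groups, NACLs, port and bind address; route tables and the HTTP status code returned by the health check path stay manual steps from the list above.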
Interview Questions
Beginner: What is a VPC?
A logically isolated virtual network for your AWS resources.
Intermediate: Security Group vs NACL?
A Security Group is stateful, allow-only, and attached to resources (ENIs), so reply traffic is admitted automatically; a NACL is stateless, supports explicit deny rules evaluated in number order, and is attached to subnets, so both directions must be allowed explicitly.
Scenario: Public API cannot reach private DB. What should you check first?
Within one VPC the path is the built-in local route, so start with the DB Security Group: it must allow inbound on the DB port from the API tier's Security Group (or its subnet CIDR). Then check the DB subnet's NACL in both directions, confirm the API uses the DB's private endpoint, and verify that the DB is intentionally private (no public IP and no route to an internet gateway) rather than misconfigured.
Real-world Usage
A typical production setup puts the ALB in public subnets (route table with 0.0.0.0/0 to the internet gateway) and the app and DB tiers in private subnets across at least two AZs. Private app subnets reach the internet for updates through a NAT gateway in a public subnet; DB subnets get no internet route at all, and the DB Security Group allows inbound only from the app tier's Security Group.
Summary
- Networking is the backbone of secure cloud architecture.
- Use layered controls: SG + NACL + route design + load balancing.
- Route 53 and ALB policies influence reliability and failover behavior.