2. AWS Networking

VPC (Virtual Private Cloud)

Isolated virtual network.

Subnets

Divide VPC; Public (Internet) vs Private (Internal).

Route Tables

Define traffic flow for a subnet.

Internet Gateway (IGW)

Allows public internet access.

NAT Gateway

Allows private instances OUTBOUND internet access.

Security Groups (SG)

Virtual firewall for an instance

Stateful.

Network Access Control Lists (NACLs)

Stateless SUBNET-level firewall.

VPC Peering

Connect two VPCs directly (non-transitive).

Transit Gateway

Central HUB for connecting many VPCs.

PrivateLink / VPC Endpoints

Access AWS services privately (no public internet).

Application Load Balancer (ALB)

Layer 7 (HTTP/HTTPS) load balancing.

Network Load Balancer (NLB)

Layer 4 (TCP/UDP) load balancing; extreme performance.

Route 53

Managed DNS service; routing policies.

How does traffic flow in a 3-tier VPC architecture?

Traffic flows one-way (Public → Private) through subnets

Public Subnet (ALB) → Private Subnet (EC2) → Private Subnet (RDS).

A new private EC2 instance needs to download security patches from the internet but must NOT be accessible directly from the internet. What resource is required?

A NAT Gateway (or NAT Instance).

You need to secure a specific EC2 instance, allowing inbound traffic only on port 80 and 443. Traffic is blocked by default. Which networking construct should you configure?

The Security Group (SG) attached to the instance.

You have five different VPCs in the same region that all need to share access to a central logging server in a sixth VPC. Which service is the most efficient solution?

Transit Gateway.