Learn how AWS networking works for the SAA-C03 exam. This deep dive covers VPCs, public and private subnets, route tables, internet access, NAT Gateway, Security Groups, Network ACLs, VPC endpoints, and common networking exam scenarios.
What is Amazon VPC?
Amazon Virtual Private Cloud, commonly called Amazon VPC, allows you to create an isolated virtual network inside AWS. You can choose your IP address range, create subnets, configure route tables, control internet access, and apply network security rules.
For the AWS Solutions Architect Associate exam, VPC is one of the most important topics. Many architecture questions include networking requirements such as public access, private access, secure database placement, internet connectivity, hybrid connectivity, and traffic control.
VPC Deep Dive Topics
The topics below cover AWS networking step by step:
- VPCs and Subnets: understand how a VPC is divided into public and private subnets across Availability Zones.
- Route Tables: learn how route tables control where network traffic goes inside and outside a VPC.
- Internet Gateway and NAT Gateway: compare public internet access for public subnets and outbound-only access for private subnets.
- Security Groups vs NACLs: understand the difference between instance-level and subnet-level network security.
- VPC Endpoints: learn how private access to AWS services works without using the public internet.
- Exam Scenarios: review the common keywords that appear in AWS networking questions.
1. VPCs and Subnets
A VPC is your private network boundary in AWS. Inside a VPC, you create subnets. A subnet is a smaller network range within the VPC and is placed in one Availability Zone.
Subnets are usually designed as either public or private.
| Subnet Type | Meaning | Common Use Case |
|---|---|---|
| Public subnet | Has a route to an Internet Gateway. | Load balancers, bastion hosts, public web servers. |
| Private subnet | Does not have a direct route to an Internet Gateway. | Application servers, databases, internal services. |
Multi-AZ Subnet Design
For high availability, you normally create subnets in more than one Availability Zone. For example, a common architecture may include public subnets in two AZs for a load balancer and private subnets in two AZs for application servers and databases.
2. Route Tables
A route table controls where traffic is sent. Each subnet must be associated with a route table. If you do not explicitly associate a subnet with a custom route table, it uses the main route table.
A route table contains routes. Each route has a destination and a target.
| Route Example | Meaning |
|---|---|
| 10.0.0.0/16 → local | Traffic inside the VPC stays within the VPC. |
| 0.0.0.0/0 → Internet Gateway | Traffic can go to the internet from a public subnet. |
| 0.0.0.0/0 → NAT Gateway | Private subnet resources can make outbound internet requests. |
3. Internet Gateway and NAT Gateway
Internet Gateway
An Internet Gateway allows communication between resources in a VPC and the public internet. It is attached to a VPC and used by public subnets.
For an EC2 instance to be reachable from the internet, it generally needs:
- A public IP address or Elastic IP address
- A subnet route table with a route to an Internet Gateway
- Security Group rules allowing the required inbound traffic
- Network ACL rules allowing the required traffic
NAT Gateway
A NAT Gateway allows resources in a private subnet to access the internet for outbound requests, such as downloading software updates, while preventing the internet from initiating connections directly to those private resources.
NAT Gateway is commonly used when private EC2 instances need outbound internet access but should not be publicly reachable.
| Service | Used For | Typical Placement |
|---|---|---|
| Internet Gateway | Direct internet access for public resources. | Attached to the VPC. |
| NAT Gateway | Outbound internet access for private subnet resources. | Created in a public subnet. |
4. Security Groups vs Network ACLs
AWS provides two important network security controls inside a VPC: Security Groups and Network ACLs.
Security Groups
A Security Group acts like a virtual firewall for resources such as EC2 instances, load balancers, and RDS databases. Security Groups are stateful, which means return traffic for an allowed connection is automatically allowed, without needing a matching rule in the opposite direction.
Network ACLs
A Network ACL, or NACL, acts at the subnet level. NACLs are stateless, which means return traffic is not tracked: inbound and outbound rules must both be configured.
| Feature | Security Group | Network ACL |
|---|---|---|
| Level | Resource or instance level | Subnet level |
| State | Stateful | Stateless |
| Rules | Allow rules only | Allow and deny rules |
| Return traffic | Automatically allowed | Must be explicitly allowed |
| Common exam use | Control access to EC2, ALB, RDS, and other resources | Block or allow traffic at subnet boundary |
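The stateful/stateless difference, and the internet-reachability checklist from section 3, are easiest to see by running one HTTPS request and its reply through both controls. The following Python simulation is an added example, not code from the original page or from AWS; the `SecurityGroup` and `NetworkAcl` classes, the rule tuples, and every address, port and rule number are constructed sample values that model the documented behaviour (Security Groups: allow rules only, replies allowed automatically; NACLs: numbered allow/deny rules evaluated lowest number first, first match wins, implicit final deny, replies need their own rule).

```python
"""Added example (not from the original page): a stateful Security Group and a
stateless Network ACL evaluated against one inbound HTTPS request and its reply.
Every rule set, port and address below is a constructed sample value."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    direction: str  # "in" or "out", seen from the instance


@dataclass
class SecurityGroup:
    """Allow rules only. Stateful: once a packet is allowed, the reply to that
    flow is allowed automatically, whatever the rules in the other direction say."""
    inbound: list = field(default_factory=list)   # (cidr, port)
    outbound: list = field(default_factory=list)  # (cidr, port)
    _flows: set = field(default_factory=set)      # connection-tracking table

    def allows(self, pkt):
        if (pkt.dst, pkt.src, pkt.dport, pkt.sport) in self._flows:
            return True  # reply to a flow that was already allowed
        rules = self.inbound if pkt.direction == "in" else self.outbound
        peer = pkt.src if pkt.direction == "in" else pkt.dst
        for cidr, port in rules:
            if ipaddress.ip_address(peer) in ipaddress.ip_network(cidr) and port == pkt.dport:
                self._flows.add((pkt.src, pkt.dst, pkt.sport, pkt.dport))
                return True
        return False


@dataclass
class NetworkAcl:
    """Allow and deny rules, numbered; evaluated lowest number first, first match
    wins, anything unmatched is denied. Stateless: a reply is just another packet
    and needs its own rule in the other direction."""
    inbound: list   # (rule_no, action, cidr, port_from, port_to)
    outbound: list

    def allows(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        peer = pkt.src if pkt.direction == "in" else pkt.dst
        for _rule_no, action, cidr, lo, hi in sorted(rules):
            if ipaddress.ip_address(peer) in ipaddress.ip_network(cidr) and lo <= pkt.dport <= hi:
                return action == "allow"
        return False  # the implicit final "*" deny rule


# Constructed addresses: a TEST-NET-3 client and a private-range instance.
CLIENT, INSTANCE = "203.0.113.10", "10.0.1.20"
REQUEST = Packet(CLIENT, INSTANCE, sport=51000, dport=443, direction="in")
REPLY = Packet(INSTANCE, CLIENT, sport=443, dport=51000, direction="out")


def security_group_result():
    """Inbound 443 allowed, no outbound rules at all: the reply still passes (stateful)."""
    sg = SecurityGroup(inbound=[("0.0.0.0/0", 443)], outbound=[])
    return sg.allows(REQUEST), sg.allows(REPLY)


def nacl_results():
    """Same flow through a NACL with and without the outbound ephemeral-port rule."""
    inbound = [(100, "allow", "0.0.0.0/0", 443, 443)]
    incomplete = NetworkAcl(inbound=inbound, outbound=[])
    complete = NetworkAcl(inbound=inbound, outbound=[(100, "allow", "0.0.0.0/0", 1024, 65535)])
    return {
        "incomplete": (incomplete.allows(REQUEST), incomplete.allows(REPLY)),
        "complete": (complete.allows(REQUEST), complete.allows(REPLY)),
    }


def nacl_deny_single_ip():
    """A deny rule with a lower number wins over a broader allow rule with a higher number."""
    acl = NetworkAcl(inbound=[(50, "deny", "198.51.100.7/32", 0, 65535),
                              (100, "allow", "0.0.0.0/0", 443, 443)], outbound=[])
    blocked = Packet("198.51.100.7", INSTANCE, sport=40000, dport=443, direction="in")
    return acl.allows(blocked), acl.allows(REQUEST)


def reachable_from_internet(has_public_ip, route_to_igw, sg, acl, pkt):
    """All four conditions from the section-3 checklist must hold at once."""
    return has_public_ip and route_to_igw and sg.allows(pkt) and acl.allows(pkt)


if __name__ == "__main__":
    print("security group (request, reply):", security_group_result())
    print("network acl:", nacl_results())
    print("deny rule beats later allow (blocked, normal):", nacl_deny_single_ip())
```

The `incomplete` NACL result is the classic exam trap: the inbound 443 rule is present, yet the connection hangs because the reply to the client's ephemeral port is dropped on the way out. The `nacl_deny_single_ip` function shows why a NACL, not a Security Group, is the answer when a question asks to block one source address.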
5. VPC Endpoints
A VPC endpoint allows resources inside a VPC to privately connect to supported AWS services without using the public internet, NAT Gateway, VPN, or Direct Connect.
This is important when the exam asks for private access to AWS services such as Amazon S3, DynamoDB, Systems Manager, Secrets Manager, or CloudWatch.
Gateway Endpoints
Gateway endpoints are used for Amazon S3 and DynamoDB. They are added as route table targets.
Interface Endpoints
Interface endpoints use AWS PrivateLink. They create elastic network interfaces in your subnets and provide private connectivity to supported AWS services.
| Endpoint Type | Used For | How It Works |
|---|---|---|
| Gateway endpoint | Amazon S3 and DynamoDB | Route table target |
| Interface endpoint | Many AWS services through AWS PrivateLink | Elastic network interface with private IP addresses |
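The route table section (2) and the gateway endpoint section (5) describe the same mechanism: a route table is a list of destination/target pairs, and a gateway endpoint is simply another route whose destination is the service's managed prefix list. The Python lookup below is an added example, not code from the original page or from AWS. It assumes, as AWS documents, that the most specific matching route wins (longest prefix match) and that `local` covers the VPC CIDR; the VPC range, the gateway IDs, and the contents of `PREFIX_LISTS` (standing in for the real S3 managed prefix list, which varies by region) are constructed sample values.

```python
"""Added example (not from the original page): how a VPC route table picks a
target for a packet, for a public subnet, a private subnet, and a private subnet
with an S3 gateway endpoint. All CIDRs and IDs are constructed sample values."""
import ipaddress
from dataclasses import dataclass

VPC_CIDR = "10.0.0.0/16"  # constructed sample VPC range


@dataclass(frozen=True)
class Route:
    destination: str  # a CIDR, or a prefix-list id (pl-...) for a gateway endpoint
    target: str       # local, igw-..., nat-..., vpce-...


# Constructed stand-in for the S3 managed prefix list; real contents differ per region.
PREFIX_LISTS = {
    "pl-s3-example": ["52.216.0.0/15", "3.5.0.0/19"],
}

PUBLIC_RT = [Route(VPC_CIDR, "local"),
             Route("0.0.0.0/0", "igw-example")]
PRIVATE_RT = [Route(VPC_CIDR, "local"),
              Route("0.0.0.0/0", "nat-example"),
              Route("pl-s3-example", "vpce-s3-example")]  # S3 gateway endpoint


def expand(route):
    """Yield (network, target) pairs; a prefix-list route expands to each CIDR in the list."""
    if route.destination.startswith("pl-"):
        for cidr in PREFIX_LISTS[route.destination]:
            yield ipaddress.ip_network(cidr), route.target
    else:
        yield ipaddress.ip_network(route.destination), route.target


def lookup(route_table, dst_ip):
    """Return the target for dst_ip by longest-prefix match, or None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for route in route_table:
        for net, target in expand(route):
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
    return best[1] if best else None


def subnet_is_public(route_table):
    """The page's definition: a subnet is public when its route table routes to an IGW."""
    return any(r.target.startswith("igw-") for r in route_table)


if __name__ == "__main__":
    for name, rt in (("public", PUBLIC_RT), ("private", PRIVATE_RT)):
        print(name, "subnet is public:", subnet_is_public(rt))
        for dst in ("10.0.200.1", "93.184.216.34", "52.216.10.5"):
            print(f"  {dst:>15} -> {lookup(rt, dst)}")
```

Run stand-alone it prints the chosen target for an in-VPC address, a generic internet address, and an address inside the constructed S3 prefix list. The private subnet sends S3 traffic to the endpoint even though `0.0.0.0/0` also matches, because the `/15` route is more specific than `/0`; remove the endpoint route and the same packet goes to the NAT Gateway, which is exactly the difference the "private access to S3" exam scenario is asking about.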
Public vs Private Architecture Example
A common AWS architecture uses both public and private subnets:
- A public Application Load Balancer is placed in public subnets.
- EC2 application servers are placed in private subnets.
- An RDS database is placed in private subnets.
- Private EC2 instances use NAT Gateway for outbound internet access.
- Private resources use VPC endpoints for private access to AWS services.
VPC and Networking Exam Scenarios
| Scenario | Best AWS Networking Choice |
|---|---|
| Web application must be reachable from the internet | Public subnet, Internet Gateway, public load balancer, correct Security Group rules |
| Database must not be publicly accessible | Private subnet with restricted Security Group access |
| Private EC2 instances need outbound internet access | NAT Gateway in a public subnet |
| Private EC2 instances need private access to S3 | S3 Gateway VPC endpoint |
| Need to block a specific IP address at subnet level | Network ACL deny rule |
| Need instance-level firewall control | Security Group |
| Need high availability across data centers | Use subnets in multiple Availability Zones |
VPC Exam Checklist
- Know that a VPC is a virtual network inside AWS.
- Know that a subnet belongs to one Availability Zone.
- Use multiple AZs for high availability.
- Public subnets route to an Internet Gateway.
- Private subnets do not have direct routes to an Internet Gateway.
- Use NAT Gateway for outbound internet access from private subnets.
- Use VPC endpoints for private access to supported AWS services.
- Security Groups are stateful and work at the resource level.
- NACLs are stateless and work at the subnet level.
- Security Groups allow rules only; NACLs support allow and deny rules.
- Databases should normally be placed in private subnets.
- Route tables decide where traffic goes.
Quick Exam Tips
- If the question says public access, look for Internet Gateway and public subnet.
- If the question says private subnet outbound internet, look for NAT Gateway.
- If the question says private access to S3, look for VPC endpoint.
- If the question says stateful firewall, think Security Group.
- If the question says stateless subnet firewall, think Network ACL.
- If the question says deny a specific IP, think Network ACL.
- If the question says high availability, think multiple Availability Zones.
Final Takeaway
AWS networking is a foundation topic for the Solutions Architect Associate exam. You must understand how VPCs, subnets, route tables, internet gateways, NAT gateways, Security Groups, NACLs, and VPC endpoints work together.
The exam usually tests networking through scenarios. Always identify whether the workload needs public internet access, private access, outbound-only internet access, subnet-level security, instance-level security, or high availability across Availability Zones.