VPC — Virtual Private Cloud
Your private network in AWS. Logically isolated from other AWS customers. You define the IP address range (CIDR block), create subnets, and control routing. Each region has a default VPC with public subnets already set up.
- CIDR block: e.g. 10.0.0.0/16 gives you 65,536 IP addresses to subdivide into subnets.
- Subnets: Subdivide the VPC CIDR. Public subnets have a route to the Internet Gateway. Private subnets do not.
- Internet Gateway (IGW): Allows resources in public subnets to reach the internet (bidirectional). One per VPC. Must be attached to the VPC and have a route table entry.
- NAT Gateway: Allows resources in private subnets to initiate outbound internet connections (e.g. software updates) without being reachable inbound. Managed by AWS, deployed per AZ. Costs ~$0.045/hour + data processing.
- VPC Peering: Private connection between two VPCs (same or different account/region). Not transitive — if A peers with B and B peers with C, A cannot reach C via B.
- Transit Gateway: Hub-and-spoke connector for multiple VPCs and on-premises networks. Transitive routing.
- VPC Endpoints: Private connection to AWS services (S3, DynamoDB) without traversing the internet. Gateway endpoints (S3, DynamoDB) are free; Interface endpoints cost per hour.
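The subnet and routing notes above, worked through in code. This is an added example, not AWS code or output: it carves the 10.0.0.0/16 VPC into /24 subnets (AWS reserves 5 addresses per subnet, so a /24 yields 251 usable hosts), resolves a destination against a route table by longest-prefix match the way the VPC router does, and classifies a subnet as public, private or isolated from its default route. The route tables and the igw-/nat-/pcx- ids are constructed placeholders, not real resources; the last check shows why peering is not transitive: VPC A's table only has a route to B, so an address in C never matches a peering route.

```python
import ipaddress

# AWS reserves five addresses in every subnet: the network address, the VPC
# router (+1), Amazon DNS (+2), one reserved for future use (+3) and the last
# (broadcast) address. A /24 therefore has 251 usable hosts, not 254.
AWS_RESERVED_PER_SUBNET = 5


def total_addresses(cidr):
    """Number of addresses in a CIDR block (a /16 is 65,536)."""
    return ipaddress.ip_network(cidr).num_addresses


def plan_subnets(vpc_cidr, new_prefix):
    """Carve a VPC CIDR into equal-size subnets: [(cidr, usable_hosts), ...]."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [(str(s), s.num_addresses - AWS_RESERVED_PER_SUBNET)
            for s in vpc.subnets(new_prefix=new_prefix)]


def resolve_route(route_table, dest_ip):
    """Longest-prefix match over (cidr, target) pairs, as the VPC router does.
    Returns the target of the most specific matching route, or None."""
    dest = ipaddress.ip_address(dest_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dest in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def classify_subnet(route_table):
    """'public' if the default route goes to an Internet Gateway, 'private' if it
    goes to a NAT gateway (outbound only), 'isolated' if there is no internet route."""
    target = resolve_route(route_table, "203.0.113.10")  # any non-VPC (TEST-NET-3) address
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "isolated"


def peer_reachable(route_table, dest_ip):
    """True only if a peering-connection route covers the destination."""
    target = resolve_route(route_table, dest_ip)
    return target is not None and target.startswith("pcx-")


# Constructed route tables for VPC A (10.0.0.0/16); resource ids are placeholders.
# VPC A peers with VPC B (10.1.0.0/16) only. VPC C (10.2.0.0/16) peers with B, not A.
PUBLIC_RT = [("10.0.0.0/16", "local"),
             ("0.0.0.0/0", "igw-0000000000example")]
PRIVATE_RT = [("10.0.0.0/16", "local"),
              ("10.1.0.0/16", "pcx-0000000000example"),   # peering to VPC B
              ("0.0.0.0/0", "nat-0000000000example")]
ISOLATED_RT = [("10.0.0.0/16", "local")]

if __name__ == "__main__":
    print(total_addresses("10.0.0.0/16"), "addresses in the VPC")
    print(plan_subnets("10.0.0.0/16", 24)[:3], "...")
    for name, rt in [("public", PUBLIC_RT), ("private", PRIVATE_RT), ("isolated", ISOLATED_RT)]:
        print(name, "->", classify_subnet(rt))
    print("A can reach B via peering:", peer_reachable(PRIVATE_RT, "10.1.2.3"))
    print("A can reach C via B:", peer_reachable(PRIVATE_RT, "10.2.0.5"))
```

The classification uses a TEST-NET-3 address as a stand-in for "somewhere on the internet" so that peering and local routes cannot accidentally match; in a real audit you would read the route tables from the API rather than hard-code them.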
Security Groups vs NACLs
| Feature | Security Group | NACL |
|---|---|---|
| Level | Instance / ENI | Subnet |
| Stateful? | Yes — return traffic allowed automatically | No — must allow inbound AND outbound explicitly |
| Rule types | Allow only | Allow and Deny, evaluated by rule number order |
| Default | Deny all inbound, allow all outbound | Allow all inbound and outbound |
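The stateful/stateless and rule-ordering differences in the table, as an added simulation (not AWS code). It models a client on 198.51.100.7 connecting from an ephemeral port to an instance on TCP 443: a security group that allows inbound 443 also allows the reply automatically, whereas a NACL that allows inbound 443 still drops the reply unless an outbound rule covers the ephemeral port range. It also shows that a NACL deny only takes effect when its rule number is lower than the matching allow. All rule sets and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Port range AWS documentation uses for NACL return-traffic rules.
EPHEMERAL_PORTS = (1024, 65535)
ANY = "0.0.0.0/0"


@dataclass
class Rule:
    number: int       # NACL rule number; ignored for security groups
    action: str       # "allow" or "deny"; security groups only ever "allow"
    protocol: str
    port_from: int
    port_to: int
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound

    def matches(self, protocol, port, ip):
        return (protocol == self.protocol
                and self.port_from <= port <= self.port_to
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


def nacl_allows(rules, protocol, port, ip):
    """NACL semantics: lowest rule number first, first match wins, implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, ip):
            return rule.action == "allow"
    return False


def sg_allows(rules, protocol, port, ip):
    """Security group semantics: allow-only, any matching rule allows, implicit deny."""
    return any(rule.matches(protocol, port, ip) for rule in rules)


def sg_session(inbound, client_ip, client_port, server_port, protocol="tcp"):
    """Stateful: if the request is allowed, the reply is allowed automatically."""
    request_ok = sg_allows(inbound, protocol, server_port, client_ip)
    return {"request": request_ok, "reply": request_ok}


def nacl_session(inbound, outbound, client_ip, client_port, server_port, protocol="tcp"):
    """Stateless: request and reply are evaluated independently, so the reply
    sent to the client's ephemeral port needs its own outbound rule."""
    request_ok = nacl_allows(inbound, protocol, server_port, client_ip)
    reply_ok = nacl_allows(outbound, protocol, client_port, client_ip)
    return {"request": request_ok, "reply": reply_ok}


# Constructed rule sets.
SG_INBOUND = [Rule(0, "allow", "tcp", 443, 443, ANY)]
NACL_INBOUND = [Rule(100, "allow", "tcp", 443, 443, ANY)]
NACL_OUTBOUND_NO_EPHEMERAL = [Rule(100, "allow", "tcp", 443, 443, ANY)]
NACL_OUTBOUND = NACL_OUTBOUND_NO_EPHEMERAL + [Rule(110, "allow", "tcp", *EPHEMERAL_PORTS, ANY)]
# A deny is only effective if it is numbered below the allow it should override.
NACL_INBOUND_BLOCK = [Rule(90, "deny", "tcp", 443, 443, "198.51.100.0/24")] + NACL_INBOUND
NACL_INBOUND_BLOCK_TOO_LATE = NACL_INBOUND + [Rule(110, "deny", "tcp", 443, 443, "198.51.100.0/24")]

if __name__ == "__main__":
    client, cport, sport = "198.51.100.7", 50000, 443
    print("SG:  ", sg_session(SG_INBOUND, client, cport, sport))
    print("NACL without ephemeral rule:", nacl_session(NACL_INBOUND, NACL_OUTBOUND_NO_EPHEMERAL, client, cport, sport))
    print("NACL with ephemeral rule:   ", nacl_session(NACL_INBOUND, NACL_OUTBOUND, client, cport, sport))
    print("deny at 90 blocks 198.51.100.7:", not nacl_allows(NACL_INBOUND_BLOCK, "tcp", 443, client))
    print("deny at 110 is never reached:  ", nacl_allows(NACL_INBOUND_BLOCK_TOO_LATE, "tcp", 443, client))
```

The practical consequence: when a NACL is in play, a "connection accepted but hangs" symptom is usually the missing ephemeral-port rule in the opposite direction, and a block that seems ignored is usually numbered after the allow.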
Route 53
AWS's DNS service. Supports all standard record types plus AWS-specific Alias records that resolve to AWS resources (ALB, CloudFront, S3) with no CNAME restrictions at the zone apex. Routing policies:
- Simple: Single record pointing to one resource.
- Weighted: Split traffic by percentage. Use for A/B testing or gradual blue/green deployments.
- Latency-based: Route to the region with lowest latency for the user's location.
- Failover: Active-passive HA. Route 53 health-checks the primary and automatically answers with the secondary when the health check fails.
- Geolocation: Route based on user's country or continent. Use for localisation or compliance (serve EU users from EU).
- Geoproximity: Route based on geographic distance, with optional traffic bias to shift load between regions.
- Multi-value answer: Returns multiple healthy IP addresses; clients choose one. Basic load balancing without an ALB.
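The weighted, failover and multi-value policies above, as an added simulation of how Route 53 chooses answers (example code, not Route 53 itself). Weighted selection is proportional to weight, unhealthy records are skipped, a weight of 0 removes a record unless every record is 0, failover returns the secondary only while the primary's health check fails, and a multi-value query returns at most 8 healthy records. The record values are constructed documentation addresses.

```python
import random
from dataclasses import dataclass

# Route 53 returns at most eight healthy records for a multivalue answer query.
MULTIVALUE_MAX_ANSWERS = 8


@dataclass
class Record:
    name: str              # label for the resource it points at
    value: str             # IP address or alias target returned to the client
    weight: int = 0        # used by the weighted policy only
    healthy: bool = True   # current result of the associated health check


def _healthy_or_all(records):
    """Route 53 skips unhealthy records; if none are healthy it answers as if all were."""
    return [r for r in records if r.healthy] or list(records)


def weighted(records, rng=random):
    """Pick one record with probability weight / sum(weights)."""
    candidates = _healthy_or_all(records)
    weights = [r.weight for r in candidates]
    if sum(weights) == 0:                # all zero: every record is equally likely
        weights = [1] * len(candidates)
    return rng.choices(candidates, weights=weights, k=1)[0].value


def failover(primary, secondary):
    """Active-passive: answer with the primary while its health check passes."""
    return primary.value if primary.healthy else secondary.value


def multivalue(records, rng=random):
    """Return up to MULTIVALUE_MAX_ANSWERS healthy values; the client picks one."""
    healthy = _healthy_or_all(records)
    if len(healthy) > MULTIVALUE_MAX_ANSWERS:
        healthy = rng.sample(healthy, MULTIVALUE_MAX_ANSWERS)
    return [r.value for r in healthy]


def observed_split(records, n=10000, seed=1):
    """Fraction of n seeded queries answered with each value (for checking a rollout)."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n):
        value = weighted(records, rng)
        counts[value] = counts.get(value, 0) + 1
    return {value: count / n for value, count in counts.items()}


# Constructed records: a 90/10 blue/green split, an active-passive pair, a pool of ten.
BLUE = Record("blue", "198.51.100.10", weight=90)
GREEN = Record("green", "198.51.100.20", weight=10)
PRIMARY = Record("primary", "203.0.113.10")
SECONDARY = Record("secondary", "203.0.113.20")
POOL = [Record(f"web{i}", f"192.0.2.{i}") for i in range(1, 11)]

if __name__ == "__main__":
    print("weighted split:", observed_split([BLUE, GREEN]))
    print("failover, primary healthy:", failover(PRIMARY, SECONDARY))
    print("failover, primary down:   ", failover(Record("primary", "203.0.113.10", healthy=False), SECONDARY))
    print("multivalue answers:", len(multivalue(POOL)), "of", len(POOL))
```

A gradual blue/green rollout is just the weights changing over time; because health checks are applied before weighting, a failing green target drops out of the answer set rather than receiving its 10 % share.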
CloudFront
CDN with 400+ edge locations (Points of Presence) globally. Caches content close to users, reducing latency and origin load. Also provides DDoS protection (AWS Shield Standard, included free), HTTPS termination, and geo-restriction.
- Origins: S3 buckets, ALBs, EC2 instances, or any HTTP endpoint.
- Origin Access Control (OAC): Locks S3 bucket so only CloudFront can read it — prevents users from bypassing the CDN to hit S3 directly.
- Cache behaviours: Different TTLs and cache key settings per URL path pattern.
- Price Classes: Limit which edge locations serve your distribution (e.g. US/Europe only) to reduce cost.
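The Origin Access Control point above, as an added example (not AWS code): it builds the S3 bucket policy that grants read access to the CloudFront service principal only when the request comes from one specific distribution, and a small audit that flags the two ways such a bucket ends up readable around the CDN: a wildcard principal, or a CloudFront service principal with no SourceArn condition (so any distribution in any account could front the bucket). The bucket name, account id and distribution id are placeholders.

```python
import json

CLOUDFRONT_PRINCIPAL = "cloudfront.amazonaws.com"
READ_ACTIONS = ("s3:GetObject", "s3:Get*", "s3:*")


def oac_bucket_policy(bucket, account_id, distribution_id):
    """Bucket policy for an OAC origin: only this one distribution may GetObject."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": CLOUDFRONT_PRINCIPAL},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Without this condition any CloudFront distribution could read the bucket.
            "Condition": {"StringEquals": {
                "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
            }}
        }]
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": "*"}, {"Service": [...]}) to a list."""
    if principal == "*":
        return ["*"]
    out = []
    for value in principal.values():
        out.extend(_as_list(value))
    return out


def audit_bucket_policy(policy):
    """Findings for Allow statements that let something other than the intended
    distribution read objects, i.e. that let clients bypass CloudFront."""
    findings = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != "Allow":
            continue
        if not any(a in READ_ACTIONS for a in _as_list(statement.get("Action", []))):
            continue
        sid = statement.get("Sid", "<no Sid>")
        principals = _principals(statement.get("Principal", {}))
        conditions = statement.get("Condition", {}).get("StringEquals", {})
        if "*" in principals:
            findings.append(f"{sid}: public read; clients can fetch from S3 directly")
        elif CLOUDFRONT_PRINCIPAL in principals and "AWS:SourceArn" not in conditions:
            findings.append(f"{sid}: CloudFront principal without AWS:SourceArn; any distribution can read")
    return findings


# Constructed placeholders (AWS documentation example account and distribution ids).
GOOD_POLICY = oac_bucket_policy("example-bucket", "111122223333", "EDFDVBD6EXAMPLE")
PUBLIC_READ_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
LOOSE_OAC_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AnyDistribution", "Effect": "Allow", "Principal": {"Service": CLOUDFRONT_PRINCIPAL},
    "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    print(json.dumps(GOOD_POLICY, indent=2))
    for name, policy in [("good", GOOD_POLICY), ("public", PUBLIC_READ_POLICY), ("loose", LOOSE_OAC_POLICY)]:
        print(name, "->", audit_bucket_policy(policy) or "ok")
```

Pairing the policy with S3 Block Public Access on the bucket is what makes the "only CloudFront can read it" guarantee hold even if someone later edits the policy.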
Load Balancers
- ALB (Application Load Balancer): Layer 7 (HTTP/HTTPS). Path-based and host-based routing. Use with ECS, EC2, Lambda.
- NLB (Network Load Balancer): Layer 4 (TCP/UDP). Extremely high throughput, static IP per AZ. Use for low-latency or non-HTTP traffic.
- CLB (Classic Load Balancer): Legacy. Do not use for new workloads.