AWS Cloud Practitionernetworking-and-content-delivery

Networking and Content Delivery: VPC, Route 53, CloudFront

Virtual networks, DNS, and global content delivery basics for the exam.

AWS networking gives you a private slice of the cloud (a VPC), a way to name and route traffic to it (Route 53), and a way to serve content fast worldwide (CloudFront). The Cloud Practitioner exam does not ask you to configure these services — it asks you to recognize what each one is for and how they fit together. Learn the roles below and the networking questions become quick wins.

Core Idea

  • Amazon VPC is your own isolated virtual network inside AWS, where you control IP ranges, subnets, and routing — the foundation everything else runs on.
  • Route 53 handles DNS and routing policies, CloudFront caches content at edge locations near users, and both improve global performance and availability.
  • Security groups and network ACLs are the two layers of network filtering, while VPN and Direct Connect are the two ways to connect your on-premises network to AWS privately.

Amazon VPC and Subnets

  • A Virtual Private Cloud (VPC) is a logically isolated section of the AWS Cloud where you launch resources into your own private network. It is region-scoped and spans the Availability Zones of that region.
  • A public subnet has a route to an internet gateway, so its resources (like a web server) can reach and be reached from the internet. A private subnet has no direct internet route, protecting resources like databases.
  • An internet gateway (IGW) is attached to the VPC to allow two-way internet communication for public subnets.
  • A NAT gateway lets resources in a private subnet initiate outbound internet traffic (for updates or API calls) while blocking inbound connections from the internet.
  • Route tables control where subnet traffic is directed, determining whether a subnet behaves as public or private.

Security Groups vs. Network ACLs

  • Security groups are stateful firewalls that operate at the instance (resource) level. Because they are stateful, if you allow inbound traffic, the return traffic is automatically allowed. They support allow rules only.
  • Network ACLs (NACLs) are stateless firewalls that operate at the subnet level. Being stateless, they evaluate inbound and outbound traffic separately, and they support both allow and deny rules.
  • A simple memory hook: Security group = Stateful and Server (instance); NACL = subnet-level and stateless.

Route 53 and CloudFront

  • Amazon Route 53 is AWS's scalable, managed Domain Name System (DNS) service. It translates domain names into IP addresses, can register domains, and offers routing policies — such as latency-based, geolocation, weighted, and failover — to control how traffic reaches your resources.
  • Amazon CloudFront is a content delivery network (CDN) that caches copies of your content at edge locations around the world, so users are served from a nearby point of presence. This lowers latency and offloads traffic from your origin.
  • Together they improve global performance: Route 53 directs users to the best endpoint, and CloudFront delivers cached content quickly from the edge.

Connecting Privately and API Gateway

  • AWS Site-to-Site VPN creates an encrypted tunnel over the public internet between your on-premises network and your VPC. It is quick to set up but shares public internet bandwidth.
  • AWS Direct Connect provides a dedicated private physical connection from your data center to AWS. It offers more consistent performance and is chosen when you need a private, high-throughput, low-latency link that bypasses the public internet.
  • Amazon API Gateway is a fully managed service for creating, publishing, and securing APIs (including RESTful and WebSocket APIs) that act as a "front door" for applications to access backend services like Lambda.

High-Yield Exam Patterns

  • "Isolated virtual network in AWS" or "your own private network" points to Amazon VPC.
  • If the question says stateful and instance-level filtering, the answer is a security group; stateless and subnet-level with allow and deny rules is a network ACL.
  • "Managed DNS" or "routing policies" signals Route 53; "cache content at edge locations" or "reduce latency for global users" signals CloudFront.
  • A private, dedicated physical connection to AWS is Direct Connect; an encrypted tunnel over the internet is Site-to-Site VPN.
  • Private subnet needs outbound internet (patches/updates) but no inbound access → NAT gateway.
  • Resources needing internet access must be in a subnet with a route to the internet gateway.

Common Traps to Avoid

  • Confusing security groups (stateful, instance) with NACLs (stateless, subnet) — the exam swaps these constantly.
  • Thinking a VPC spans all regions; a VPC lives in one region (though it covers multiple AZs).
  • Choosing VPN when the scenario stresses dedicated, consistent, private performance — that is Direct Connect.
  • Assuming a NAT gateway allows inbound internet connections; it only enables outbound traffic from private subnets.
  • Picking CloudFront for DNS or Route 53 for caching — CloudFront caches content, Route 53 resolves names.

Flashcards

Card 1 of 14

1/14

Keyboard: Space/Enter to flip • Arrow keys to navigate

Ready to Test Your Knowledge?

This quiz has 8 questions and each one has 4 options.

Quiz Details

8 Questions

Multiple choice with instant self-check

Final Review

See correct answers and explanations at the end

Build your own lesson in minutes.

Upload a source document and turn it into flashcards, quizzes, and a study-ready lesson bank.