AWS networking services give you complete control over your cloud network topology — from defining private IP address ranges and routing rules inside a Virtual Private Cloud, to distributing content globally via CloudFront edge locations and routing DNS queries with Route 53. A solid understanding of VPC architecture, the difference between security groups and network ACLs, and the available connectivity options is essential for the CLF-C02 exam.
Amazon VPC
Isolated virtual network with full control over subnets, routing, and security
Amazon CloudFront
Global CDN with 400+ edge locations for ultra-low-latency content delivery
Amazon Route 53
Highly available managed DNS with health checks and multiple routing policies
Elastic Load Balancing
Automatically distribute traffic across EC2, containers, Lambda, and IP targets
Core Networking Services
Amazon VPC (Virtual Private Cloud)
Amazon VPC lets you provision a logically isolated network within the AWS Cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways.
Subnets
- Public Subnet — A subnet whose route table contains a route to an Internet Gateway. Resources here can receive inbound traffic from the internet (e.g., web servers, load balancers).
- Private Subnet — No direct route to the internet. Resources here (e.g., databases, application servers) communicate outbound through a NAT Gateway.
VPC Components
| Component | Purpose |
|---|---|
| Internet Gateway (IGW) | Connects a VPC to the public internet (bidirectional) |
| NAT Gateway | Allows private subnet instances to initiate outbound internet traffic while blocking inbound |
| Route Tables | Define where network traffic is directed; each subnet must be associated with one |
| Security Groups | Stateful, instance-level virtual firewall — allow rules only |
| Network ACLs (NACLs) | Stateless, subnet-level firewall — both allow and deny rules |
| VPC Peering | Private, direct network connection between two VPCs (same or different accounts/regions) |
| VPC Endpoints | Private connection to AWS services (e.g., S3, DynamoDB) without traversing the internet |
VPC Endpoints
VPC Endpoints eliminate the need for an Internet Gateway, NAT device, or VPN connection to access supported AWS services. There are two types:
- Gateway Endpoints — For S3 and DynamoDB (free)
- Interface Endpoints (AWS PrivateLink) — For most other AWS services (hourly charge)
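As an added example (not code from this guide), the following Python model shows the route-table logic behind the public/private subnet distinction and the endpoint routes described above: the resource ids and CIDRs are constructed placeholders, and the S3 prefix list is represented by a single stand-in CIDR.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR such as "0.0.0.0/0"; prefix lists are expanded to CIDRs here
    target: str       # "local", "igw-...", "nat-...", "vpce-..." (constructed placeholder ids)


def next_hop(routes, dst_ip):
    """VPC route tables use longest-prefix match: the most specific matching
    destination wins, regardless of the order in which routes are listed."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if ip in ipaddress.ip_network(r.destination)]
    if not matches:
        return None
    best = max(matches, key=lambda r: ipaddress.ip_network(r.destination).prefixlen)
    return best.target


def is_public_subnet(routes):
    """A subnet is public when its route table carries a route to an Internet
    Gateway; a table with only local, NAT or endpoint routes makes it private."""
    return any(r.target.startswith("igw-") for r in routes)


# Constructed sample route tables (ids are placeholders, not real resources).
PUBLIC_RT = [Route("10.0.0.0/16", "local"), Route("0.0.0.0/0", "igw-EXAMPLE")]
PRIVATE_RT = [
    Route("10.0.0.0/16", "local"),
    Route("0.0.0.0/0", "nat-EXAMPLE"),
    # A gateway endpoint adds routes for the service's managed prefix list;
    # this TEST-NET CIDR stands in for one entry of that list (constructed).
    Route("203.0.113.0/24", "vpce-EXAMPLE"),
]

if __name__ == "__main__":
    print(is_public_subnet(PUBLIC_RT), is_public_subnet(PRIVATE_RT))   # True False
    print(next_hop(PRIVATE_RT, "203.0.113.5"))    # vpce-EXAMPLE (endpoint beats NAT)
    print(next_hop(PRIVATE_RT, "198.51.100.7"))   # nat-EXAMPLE  (general internet)
    print(next_hop(PRIVATE_RT, "10.0.5.9"))       # local        (inside the VPC)
```

The third call shows why a private subnet with an S3 gateway endpoint never sends S3 traffic through the NAT Gateway or the public internet.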
Amazon CloudFront
Amazon CloudFront is AWS’s Content Delivery Network (CDN). It accelerates the delivery of static and dynamic web content, APIs, video streams, and applications by caching copies of content at 400+ globally distributed edge locations, bringing data closer to your end users and reducing latency.
How CloudFront Works
- A user requests content (e.g., an image or video)
- CloudFront routes the request to the nearest edge location
- If the content is cached, it is delivered immediately (cache hit)
- If not cached, CloudFront fetches from the origin (S3, EC2, ALB, or custom HTTP server) and caches it for future requests
Key Features
- Origins: S3 buckets, EC2 instances, Application Load Balancers, on-premises HTTP servers
- HTTPS/TLS support with custom SSL certificates via AWS Certificate Manager
- DDoS protection automatically via AWS Shield Standard (included at no extra cost)
- Lambda@Edge / CloudFront Functions — Run custom logic at edge locations (A/B testing, request rewriting, auth)
- Signed URLs / Signed Cookies — Restrict access to private content
Amazon Route 53
Amazon Route 53 is a highly available, scalable Domain Name System (DNS) web service. It translates human-readable domain names (e.g., www.example.com) into IP addresses. Route 53 also supports domain registration and health checks for DNS-based failover.
DNS Routing Policies
| Policy | Description | Use Case |
|---|---|---|
| Simple | Returns a single resource | Single-server setups |
| Weighted | Splits traffic by percentage across resources | A/B testing, gradual rollouts |
| Latency-based | Routes to the region with lowest latency | Global applications |
| Failover | Active/passive: routes to standby if primary fails | Disaster recovery |
| Geolocation | Routes based on user’s geographic location | Regulatory compliance, localization |
| Geoproximity | Routes based on proximity with optional traffic bias | Fine-grained geographic routing |
| Multi-Value Answer | Returns multiple healthy records | Simple load balancing |
Health Checks
Route 53 can monitor the health of your endpoints (web servers, email servers, etc.) and automatically route traffic away from unhealthy resources when failover routing is configured.
AWS Direct Connect
AWS Direct Connect establishes a dedicated, private network connection between your on-premises data center and AWS — bypassing the public internet entirely. This provides more consistent network performance, lower latency, and reduced bandwidth costs for high-volume data transfers.
Key Benefits
- Consistent performance — No contention with public internet traffic
- Reduced bandwidth costs — Lower data transfer costs compared to internet-based transfer
- Private connectivity — Data does not traverse the public internet
- Connection speeds from 50 Mbps to 100 Gbps
When to Use Direct Connect
- High-throughput workloads (large data transfers, backups)
- Real-time data feeds requiring consistent latency
- Compliance requirements mandating that data not traverse the public internet
- Hybrid cloud architectures with frequent on-premises-to-AWS communication
AWS VPN
AWS provides two managed VPN services for encrypted connectivity between your network and AWS:
Site-to-Site VPN
Creates an encrypted IPSec tunnel over the public internet between your on-premises network (or data center) and your AWS VPC. It is faster and cheaper to set up than Direct Connect, but subject to internet variability.
- Uses a Virtual Private Gateway on the AWS side and a Customer Gateway on the on-premises side
- Supports BGP for dynamic routing
- Setup time: minutes to hours
AWS Client VPN
A managed, client-based VPN service that lets individual remote users securely connect to AWS or on-premises networks from any location using an OpenVPN-based client.
Direct Connect vs VPN: Direct Connect is the preferred option when consistent performance and high bandwidth are required. AWS Site-to-Site VPN is a faster-to-deploy, lower-cost alternative for moderate-bandwidth or backup connectivity scenarios.
Elastic Load Balancing (ELB)
Elastic Load Balancing automatically distributes incoming application traffic across multiple targets — such as EC2 instances, containers, Lambda functions, and IP addresses — in one or more Availability Zones.
Load Balancer Types
| Type | Layer | Protocol | Best For |
|---|---|---|---|
| Application Load Balancer (ALB) | Layer 7 | HTTP / HTTPS / gRPC | Web apps, microservices, path/host-based routing |
| Network Load Balancer (NLB) | Layer 4 | TCP / UDP / TLS | Extreme performance, static IP, low latency |
| Gateway Load Balancer (GWLB) | Layer 3 | IP | Third-party virtual appliances (firewalls, IDS) |
ALB Advanced Routing
ALBs support content-based routing rules: for example, route /api/* to one target group and /images/* to another. They also support weighted target groups for canary deployments and integrate natively with AWS WAF for web application security.
Security Groups vs Network ACLs
| Feature | Security Groups | Network ACLs |
|---|---|---|
| Level | Instance (ENI) | Subnet |
| State | Stateful — return traffic automatically allowed | Stateless — must explicitly allow both inbound and outbound |
| Rule Types | Allow rules only | Both allow and deny rules |
| Rule Evaluation | All rules evaluated together | Rules evaluated in number order (lowest first) |
| Default Behavior | Deny all inbound; allow all outbound | Allow all inbound and outbound |
| Association | Applied to individual instances | Applied to all instances in a subnet |
A common exam scenario: if traffic is blocked, the question will test whether you know that Security Groups handle instance-level filtering and NACLs handle subnet-level filtering. Always check both layers when troubleshooting connectivity.
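The stateful/stateless difference is easiest to see by walking one HTTPS request through both layers. The Python model below is an added example, not part of this guide; it reduces rules to port ranges (real rules also carry a protocol and a CIDR), and all rule sets are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int    # NACL rule number; ignored for security groups
    action: str    # "allow" or "deny"
    port_lo: int
    port_hi: int


def nacl_allows(rules, port):
    """NACLs are ordered: the lowest-numbered rule that matches the port
    decides, and the implicit '*' rule denies anything left unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.port_lo <= port <= rule.port_hi:
            return rule.action == "allow"
    return False


def sg_allows(rules, port):
    """Security groups hold allow rules only, evaluated together: any match
    allows, no match denies. There is no deny rule and no ordering."""
    return any(r.port_lo <= port <= r.port_hi for r in rules)


def inbound_https_session(sg_in, nacl_in, nacl_out, ephemeral_port=40000):
    """Walk one client->server HTTPS exchange through both layers and return
    (request_reaches_instance, response_reaches_client)."""
    request_ok = nacl_allows(nacl_in, 443) and sg_allows(sg_in, 443)
    # The SG is stateful: the reply to an allowed request is permitted without
    # any outbound rule. The NACL is stateless: the reply is a fresh packet to
    # the client's ephemeral port and must match an outbound allow rule.
    response_ok = request_ok and nacl_allows(nacl_out, ephemeral_port)
    return request_ok, response_ok


# Constructed sample rule sets.
SG_IN = [Rule(0, "allow", 443, 443)]
NACL_IN = [Rule(100, "allow", 443, 443)]
NACL_OUT_NO_EPHEMERAL = [Rule(100, "allow", 443, 443)]  # forgets the return ports
NACL_OUT_FIXED = [Rule(100, "allow", 443, 443), Rule(110, "allow", 1024, 65535)]
# Ordering matters: rule 90 denies everything before rule 100 can allow 443.
NACL_IN_SHADOWED = [Rule(100, "allow", 443, 443), Rule(90, "deny", 0, 65535)]

if __name__ == "__main__":
    print(inbound_https_session(SG_IN, NACL_IN, NACL_OUT_NO_EPHEMERAL))  # (True, False)
    print(inbound_https_session(SG_IN, NACL_IN, NACL_OUT_FIXED))         # (True, True)
    print(inbound_https_session(SG_IN, NACL_IN_SHADOWED, NACL_OUT_FIXED))  # (False, False)
```

The first case is the classic "request arrives but the response never comes back" symptom: the security group is fine, and only the subnet-level NACL is missing an outbound rule for ephemeral ports.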
