Amazon Web Services networking solves an interesting problem: how do you give thousands of customers the experience of having their own private data center when they're all sharing the same physical infrastructure?
The answer is a carefully constructed illusion—and understanding how AWS builds that illusion is the key to using it well.
The VPC: Your Private Lie
A VPC (Virtual Private Cloud) is a lie you tell your servers—and they believe it completely. They think they're alone in a private network, unaware they're running on hardware shared with thousands of strangers.
This lie is useful. Your servers behave exactly as they would in a physical data center. They have private IP addresses. They can talk to each other. They're isolated from everyone else's servers.
When you create a VPC, you claim a block of IP addresses (like 10.0.0.0/16). These addresses are yours within that VPC. Other customers might use the same addresses in their VPCs—it doesn't matter. The isolation is complete.
VPCs span entire AWS regions but don't cross region boundaries. This matters because regions are truly separate—different physical locations, different failure domains.
Subnets and the Availability Zone Game
Within your VPC, you carve out subnets. Each subnet lives in exactly one availability zone—AWS's term for an isolated data center within a region.
This constraint is the foundation of high availability on AWS. If you put all your servers in one availability zone and that zone fails (fire, power outage, network issue), everything dies. Spread across zones, and you survive.
The standard pattern:
Public subnets hold things that need to talk to the Internet directly. Private subnets hold everything else.
Getting to the Internet (And Keeping It Out)
Public and private subnets differ in one critical way: their route to the Internet.
An Internet Gateway is the door between your VPC and the public Internet. It's managed by AWS, infinitely scalable, and always available. Public subnets route their default traffic (0.0.0.0/0) through this gateway.
But what about private subnets? Your database servers need to download security patches, but you don't want the Internet reaching back to them.
NAT Gateways solve this. They sit in public subnets and translate outbound traffic from private instances—letting them reach the Internet while remaining invisible to it. Traffic flows out; nothing flows in.
NAT Gateways live in a single availability zone. If that zone fails, private instances in other zones lose Internet access. The solution: deploy a NAT Gateway in each zone. More cost, more resilience.
Elastic Network Interfaces: Network Cards You Can Move
Every EC2 instance has at least one Elastic Network Interface (ENI)—a virtual network card with:
- A private IP address
- Optional public IP address
- Security group memberships
- A MAC address
The interesting part: ENIs can detach from one instance and attach to another. Your web server fails at 3 AM? Move its ENI (and its IP addresses) to a standby instance. No DNS changes. No waiting for propagation. Service restored in seconds.
Elastic IPs take this further. They're static public IPv4 addresses that belong to your account, not to any instance. Point one at a server today, move it to a different server tomorrow. Your customers never notice.
AWS charges for Elastic IPs that aren't attached to running instances. They're a limited resource (IPv4 addresses are genuinely scarce), so AWS discourages hoarding.
Load Balancers: Three Flavors for Three Problems
AWS offers three load balancer types because traffic comes in different shapes:
Application Load Balancers (ALB) understand HTTP. They can route requests based on URL paths, hostnames, headers, or query strings. They handle WebSockets. They integrate with AWS WAF for security. For web applications, ALBs are usually the answer.
Network Load Balancers (NLB) operate at TCP/UDP level. They don't understand HTTP, but they're blazingly fast—millions of requests per second with microsecond latencies. They provide static IP addresses. For gaming servers, IoT, or anything where raw performance matters more than HTTP smarts, NLBs win.
Gateway Load Balancers (GWLB) route traffic through virtual appliances—firewalls, intrusion detection systems, packet inspection tools. They're for security architectures where all traffic must pass through third-party analysis.
Transit Gateway: Sanity at Scale
Here's a math problem: you have ten VPCs that all need to communicate. How many connections do you need?
Without Transit Gateway: 45. Each VPC peers directly with every other VPC. Add an eleventh VPC? Ten more connections. This is the full mesh problem, and it becomes unmanageable fast.
With Transit Gateway: 10. Each VPC connects once to the Transit Gateway, which routes traffic between them. Add an eleventh VPC? One more connection.
Transit Gateway is a regional hub. VPCs connect to it. On-premises networks connect to it (via VPN or Direct Connect). Everything talks through the hub. Routing becomes centralized, visible, controllable.
For complex architectures—multiple VPCs, hybrid cloud, shared services—Transit Gateway isn't optional. It's how you stay sane.
Direct Connect: Your Private Highway
The public Internet is shared infrastructure. Your traffic competes with everyone else's. Latency varies. Bandwidth is best-effort.
Direct Connect is a dedicated physical connection between your data center and AWS. No sharing. No variability. Predictable performance.
This matters for:
- Hybrid architectures where on-premises systems constantly communicate with AWS
- High-volume workloads where Internet bandwidth costs would be prohibitive
- Compliance requirements that prohibit traversing public networks
Direct Connect uses Virtual Interfaces (VIFs) to separate traffic. Private VIFs reach your VPCs. Public VIFs reach AWS public services (like S3) without touching the public Internet.
PrivateLink: Services Without Public Exposure
Your application in a private subnet needs to call S3. Does that traffic have to traverse the Internet?
No. PrivateLink creates private endpoints for AWS services inside your VPC. Traffic between your instances and S3 never leaves AWS's network.
Two flavors exist:
Gateway endpoints work with S3 and DynamoDB. They're free and appear as route table entries—your traffic to S3 just... goes there, privately.
Interface endpoints work with everything else. They create ENIs in your subnets with private IP addresses. To your applications, AWS services appear to live inside your VPC.
PrivateLink also enables private connectivity to third-party SaaS services. No public IPs. No Internet exposure. Private network all the way.
Route 53: DNS That Does More
Route 53 is DNS—but DNS with superpowers.
Beyond basic name resolution, Route 53 offers:
- Health checks that monitor your endpoints and remove unhealthy ones from DNS responses
- Weighted routing that distributes traffic across endpoints by percentage
- Latency-based routing that sends users to the lowest-latency region
- Geolocation routing that directs users based on their location
Route 53 handles both public DNS (for Internet-facing services) and private DNS (for resources inside your VPCs that need friendly names).
Global Accelerator: Better Paths
Internet routing is optimized for cost, not performance. Your traffic takes whatever path ISPs negotiate, hopping through dozens of networks.
Global Accelerator gives you static anycast IP addresses that enter AWS's network at the nearest edge location. From there, traffic travels on AWS's backbone—optimized for performance, not cost.
The result: more consistent latency, better availability, and static IPs that don't change when you fail over between regions.
Security: Layers Upon Layers
Security Groups are stateful firewalls attached to ENIs. Allow inbound HTTPS, and the response traffic is automatically allowed out. They're the primary network security control.
Network ACLs are stateless firewalls at the subnet level. They evaluate every packet independently—if you allow inbound traffic, you must explicitly allow the outbound response. They're a second layer, useful for subnet-wide rules.
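To make the stateful-versus-stateless difference concrete, here is a small simulator, added for this article and not code from AWS or the original page. It models NACL evaluation (ascending rule number, first match wins, implicit deny at the end) and compares it with security-group connection tracking; the addresses, ports and rule numbers are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class NaclRule:
    number: int       # NACL rules are evaluated in ascending number order, first match wins
    direction: str    # "inbound" or "outbound"
    port_lo: int
    port_hi: int
    action: str       # "allow" or "deny"

def nacl_evaluate(rules, direction, pkt):
    """Stateless: each packet is judged on its own; no match hits the implicit deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.direction == direction and r.port_lo <= pkt.dport <= r.port_hi:
            return r.action
    return "deny"

def response_to(pkt):
    # The reply: addresses and ports swapped, so dport is the client's ephemeral port
    return Packet(pkt.dst, pkt.src, pkt.dport, pkt.sport)

def nacl_round_trip(rules, request):
    """(request decision, response decision) for a stateless NACL."""
    return (nacl_evaluate(rules, "inbound", request),
            nacl_evaluate(rules, "outbound", response_to(request)))

def sg_round_trip(inbound_ports, request):
    """Stateful security group: an allowed request is tracked, so its reply goes out with no outbound rule."""
    tracked = set()
    if request.dport in inbound_ports:
        tracked.add((request.src, request.sport, request.dst, request.dport))
    resp = response_to(request)
    reply_ok = (resp.dst, resp.dport, resp.src, resp.sport) in tracked
    return ("allow" if tracked else "deny", "allow" if reply_ok else "deny")

# Constructed sample traffic: an HTTPS request from an Internet client to a web server.
REQUEST = Packet(src="203.0.113.10", dst="10.0.1.10", sport=51515, dport=443)
# A NACL written as if it were stateful: inbound and outbound allow port 443 only.
NACL_BROKEN = [NaclRule(100, "inbound", 443, 443, "allow"),
               NaclRule(100, "outbound", 443, 443, "allow")]
# Corrected NACL: return traffic to the client's ephemeral port range is allowed explicitly.
NACL_FIXED = NACL_BROKEN + [NaclRule(110, "outbound", 1024, 65535, "allow")]
```

`nacl_round_trip(NACL_BROKEN, REQUEST)` returns `('allow', 'deny')`: the request gets in, but the reply to port 51515 is dropped, which is exactly the "connection hangs" symptom a forgotten ephemeral-port rule produces.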
AWS WAF attaches to Application Load Balancers, protecting against SQL injection, cross-site scripting, and other web attacks.
AWS Shield provides DDoS protection. The standard tier is automatic and free. The advanced tier adds dedicated support, cost protection, and enhanced detection for critical applications.
VPC Flow Logs: Seeing What Happened
When something goes wrong—connection refused, unexpected traffic, security incident—VPC Flow Logs tell you what actually happened on the network.
They capture metadata: source IP, destination IP, ports, protocol, whether traffic was accepted or rejected, and how much data moved. Send them to CloudWatch Logs for analysis or S3 for long-term storage.
Flow logs won't tell you what was in the packets. But they'll tell you who talked to whom, when, and whether it was allowed.
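As an added example (not code from the original page or from AWS), here is a parser for the default flow log record format that answers the "who was rejected, talking to which ports" question. The account id, ENI id, addresses and timestamps in the sample records are constructed.

```python
from collections import Counter, defaultdict

# Field order of the default (version 2) VPC Flow Log record format
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}
PROTO = {6: "tcp", 17: "udp", 1: "icmp"}

def parse_record(line):
    """Split one space-separated record into a dict; NODATA/SKIPDATA rows return None."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log_status"] != "OK":   # no traffic in the window, or records were skipped
        return None
    for f in INT_FIELDS:
        rec[f] = int(rec[f])
    return rec

def rejects_by_source(lines):
    """Count REJECTed flows per source address and list the (protocol, port) pairs it hit."""
    count = Counter()
    ports = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["action"] != "REJECT":
            continue
        count[rec["srcaddr"]] += 1
        proto = PROTO.get(rec["protocol"], str(rec["protocol"]))
        ports[rec["srcaddr"]].add((proto, rec["dstport"]))
    return {src: (n, sorted(ports[src])) for src, n in count.items()}

# Constructed sample records: one accepted HTTPS flow, three rejected probes, one NODATA row
SAMPLE = """\
2 123456789012 eni-0abc123de456f7890 203.0.113.7 10.0.1.10 51515 443 6 12 4096 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc123de456f7890 198.51.100.9 10.0.1.10 40001 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123de456f7890 198.51.100.9 10.0.1.10 40002 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123de456f7890 198.51.100.9 10.0.1.10 40003 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc123de456f7890 - - - - - - - 1700000000 1700000060 - NODATA
""".splitlines()

if __name__ == "__main__":
    for src, (n, hit) in rejects_by_source(SAMPLE).items():
        print(f"{src}: {n} rejected flows to {hit}")
```

The same summary over records pulled from CloudWatch Logs or S3 is a quick first triage step for the "connection refused" and "unexpected traffic" cases above.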
The Shape of It All
AWS networking is about building the network you need from composable pieces. VPCs give you isolation. Subnets give you zones. Gateways give you connectivity. Load balancers give you distribution. Transit Gateway gives you scale.
Each component exists because someone had a real problem. The skill is knowing which problems you have—and which pieces solve them.