AWS Certified Solutions Architect Associate
Study Guide: Chapter 3 – Networking in AWS
1. Networking Foundations: The OSI Model
The blueprint for network communication, dividing processes into 7 distinct layers.
The 7 Layers
L1: Physical (Cables, Hubs)
L2: Data Link (MAC, Frames)
L3: Network (IP, Routers)
L4: Transport (TCP/UDP)
L5: Session (Sockets)
L6: Presentation (Encryption/decryption, data formats such as JPEG and ASCII)
L7: Application (HTTP, DNS, FTP)
TCP/IP vs OSI
- TCP/IP: The practical, 4-layer model the Internet actually runs on.
- Application Layer: Combines OSI L5, L6, L7.
- Transport Layer: OSI L4 (TCP/UDP).
- Internet Layer: OSI L3 (IP, routing).
- Network Access (Link) Layer: Combines OSI L1, L2.
Key Protocol: HTTPS (HTTP over TLS)
Provides Confidentiality (encryption, so an on-path observer cannot read the request), Integrity (the TLS record MAC/AEAD detects tampering in transit), and Authentication (the server proves its identity with an X.509 certificate that the client validates against a trusted CA).
Caveat: the exam's CIA triad is Confidentiality, Integrity, Availability. HTTPS does nothing for availability, and its authentication guarantee only holds if the client actually validates the certificate chain and hostname.
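What the authentication property depends on in practice, shown with Python's ssl module. This is an added example and not part of the study guide; both contexts are built locally, nothing here connects to a network, and the function names are my own.

```python
# Added example, not from the study guide: HTTPS only authenticates the server
# if the client verifies the certificate. Both contexts are built locally and
# nothing here connects to a network.
import ssl


def weak_client_context() -> ssl.SSLContext:
    """What 'verify=False' style code produces: traffic is still encrypted,
    but any certificate is accepted, so an on-path attacker can terminate
    the TLS session with its own certificate and read or modify everything.
    Confidentiality and integrity then hold only against passive observers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Validate the chain against the system trust store, require the
    certificate to match the hostname, and refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()    # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def authenticates_server(ctx: ssl.SSLContext) -> bool:
    """True only if the context will reject an unverifiable certificate
    and a hostname mismatch, i.e. it actually delivers the 'A' in HTTPS."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def minimum_tls_version(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name
```

Pass `hardened_client_context()` as the `context=` argument to `http.client.HTTPSConnection` or `urllib.request.urlopen`; the weak context is the shape to look for when reviewing code that "fixed" a certificate error by disabling verification.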
2. Deep Dive: Amazon VPC
Your logically isolated section of the AWS Cloud.
Subnetting
Public Subnet: Its route table has a 0.0.0.0/0 route to an Internet Gateway (IGW); instances still need a public or Elastic IP to be reachable from the internet.
Private Subnet: No route to the IGW; outbound-only internet access goes through a NAT Gateway that itself lives in a public subnet. Inbound connections from the internet are not possible.
IP Addressing
- IPv4: 32-bit, about 4.3 billion addresses; the private RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) are the usual choice for a VPC.
- IPv6: 128-bit, effectively unlimited; AWS-assigned IPv6 addresses are globally unique and publicly routable, so private IPv6 subnets use an Egress-Only Internet Gateway instead of NAT.
- CIDR: The prefix length sets how many bits are network vs. host (e.g., /16 = 65,536 addresses, /24 = 256). A VPC CIDR must be between /16 and /28, and AWS reserves 5 addresses in every subnet (the first four and the last).
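The subnetting and addressing rules above, worked through in code. This is an added example and not part of the study guide; it uses only Python's standard library, and the VPC CIDR, route-table targets (igw-0abc, nat-0def) and layout are constructed for the demo.

```python
# Added example, not from the study guide: plan and classify VPC subnets
# with the standard library only. IDs like "igw-0abc" are made up.
import ipaddress
from typing import Dict, List

# AWS reserves the first four addresses (network, VPC router, DNS, future
# use) and the last (broadcast) of every subnet.
AWS_RESERVED_PER_SUBNET = 5


def usable_hosts(cidr: str) -> int:
    """Addresses you can actually assign in an AWS subnet of this size."""
    net = ipaddress.ip_network(cidr, strict=True)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("AWS subnets must be between /16 and /28")
    return net.num_addresses - AWS_RESERVED_PER_SUBNET


def carve_subnets(vpc_cidr: str, new_prefix: int, count: int) -> List[str]:
    """Carve `count` equal-size /new_prefix subnets out of a VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError("AWS VPC CIDR blocks must be between /16 and /28")
    if new_prefix > 28:
        raise ValueError("smallest AWS subnet is /28")
    subs = list(vpc.subnets(new_prefix=new_prefix))
    if count > len(subs):
        raise ValueError(f"{vpc} only holds {len(subs)} /{new_prefix} subnets")
    return [str(s) for s in subs[:count]]


def classify_subnet(route_table: Dict[str, str]) -> str:
    """Classify a subnet from its route table ({destination: target}).

    public   : default route (0.0.0.0/0) points at an Internet Gateway
    private  : default route points at a NAT Gateway (outbound only)
    isolated : no default route at all (only the VPC 'local' route)
    """
    target = route_table.get("0.0.0.0/0")
    if target is None:
        return "isolated"
    if target.startswith("igw-"):
        return "public"
    if target.startswith("nat-"):
        return "private"
    return "other"


def can_peer(cidr_a: str, cidr_b: str) -> bool:
    """VPC peering is only possible between non-overlapping CIDR blocks."""
    a, b = ipaddress.ip_network(cidr_a), ipaddress.ip_network(cidr_b)
    return not a.overlaps(b)


if __name__ == "__main__":
    # Constructed layout: two public and two private /24s in a /16.
    for cidr in carve_subnets("10.0.0.0/16", 24, 4):
        print(cidr, "usable hosts:", usable_hosts(cidr))
    print(classify_subnet({"10.0.0.0/16": "local", "0.0.0.0/0": "igw-0abc"}))
    print(classify_subnet({"10.0.0.0/16": "local", "0.0.0.0/0": "nat-0def"}))
    print("peerable with 10.0.5.0/24:", can_peer("10.0.0.0/16", "10.0.5.0/24"))
```

The `can_peer` check is the one to run before creating a peering connection or a Transit Gateway attachment; overlapping CIDRs are the most common reason a peering request is rejected or a route becomes ambiguous.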
Security Layers
Security Groups: Stateful, attached to the instance's ENI, "Allow" rules only; anything not explicitly allowed is dropped. Default: all inbound denied, all outbound allowed.
NACLs: Stateless, attached to the subnet, numbered "Allow" and "Deny" rules evaluated lowest number first; the first match wins. The default NACL allows everything; a newly created custom NACL denies everything until you add rules.
Security Groups vs. NACLs
| Feature | Security Groups (SG) | Network ACLs (NACL) |
|---|---|---|
| Scope | Instance Level | Subnet Level |
| Rules | Allow only | Allow and Deny |
| Statefulness | Stateful (return traffic of an allowed connection is automatically allowed) | Stateless (return traffic, e.g. ephemeral ports 1024-65535, needs its own rule) |
| Evaluation | All rules evaluated; any matching Allow wins | Lowest rule number first; first match wins, then the catch-all `*` Deny |
| Typical use | Per-workload least privilege (rules can reference other SGs as source) | Subnet-wide blocklists of known-bad CIDRs |
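The same table as a small runnable model, so the stateful/stateless difference and the rule-ordering rule can be seen on a packet. This is an added example, not from the study guide or AWS; the evaluation logic is a simplification (IPv4 only, no ICMP, no SG-to-SG references), and the addresses, ports and rule numbers are constructed.

```python
# Added example, not from the study guide: a simplified model of how a
# Security Group (stateful, allow-only, every rule considered) and a Network
# ACL (stateless, numbered, first match wins, allow or deny) treat a packet.
# Addresses and rule numbers below are constructed for the demo.
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int

@dataclass
class Rule:
    proto: str            # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"  # NACLs may also say "deny"; SGs cannot
    number: int = 0        # NACL rule number; unused by SGs

    def matches(self, proto: str, port: int, addr: str) -> bool:
        if self.proto not in ("all", proto) or not self.port_from <= port <= self.port_to:
            return False
        return ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr)

class SecurityGroup:
    """Stateful: once a packet is allowed, the reply of that flow passes
    without consulting the rules. All rules are checked and any allow wins;
    anything unmatched is implicitly denied."""
    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups support allow rules only")
        self.inbound, self.outbound = inbound, outbound
        self._flows: Set[Tuple] = set()

    @staticmethod
    def _flow_key(p: Packet) -> Tuple:
        # direction-independent 5-tuple so a reply maps onto its request
        return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

    def evaluate(self, p: Packet, direction: str) -> bool:
        if self._flow_key(p) in self._flows:
            return True                 # return traffic of a tracked flow
        rules = self.inbound if direction == "in" else self.outbound
        remote = p.src if direction == "in" else p.dst
        if any(r.matches(p.proto, p.dport, remote) for r in rules):
            self._flows.add(self._flow_key(p))
            return True
        return False

class NetworkACL:
    """Stateless: every packet, replies included, is matched against the rules
    in ascending number order; the first match decides; the trailing '*'
    rule denies whatever is left."""
    def __init__(self, inbound: List[Rule], outbound: List[Rule]):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, p: Packet, direction: str) -> bool:
        rules = self.inbound if direction == "in" else self.outbound
        remote = p.src if direction == "in" else p.dst
        for r in rules:
            if r.matches(p.proto, p.dport, remote):
                return r.action == "allow"
        return False                    # the implicit '*' deny

def https_request_and_reply(fw, client="203.0.113.10", server="10.0.1.5"):
    """Inbound HTTPS request from an ephemeral port, then the server's reply.
    Returns (request_allowed, reply_allowed)."""
    request = Packet(client, server, "tcp", 51515, 443)
    reply = Packet(server, client, "tcp", 443, 51515)
    return fw.evaluate(request, "in"), fw.evaluate(reply, "out")

ANY = "0.0.0.0/0"
ALLOW_443 = Rule("tcp", 443, 443, ANY, "allow", 100)
EPHEMERAL_OUT = Rule("tcp", 1024, 65535, ANY, "allow", 100)
# SG with only an inbound 443 rule: the reply still gets out (stateful).
SG_WEB = SecurityGroup(inbound=[Rule("tcp", 443, 443, ANY)], outbound=[])
# Same single rule on a NACL: the reply is dropped (stateless, no outbound rule).
NACL_BROKEN = NetworkACL(inbound=[ALLOW_443], outbound=[])
# Fixed NACL: an outbound ephemeral-port rule lets replies leave.
NACL_FIXED = NetworkACL(inbound=[ALLOW_443], outbound=[EPHEMERAL_OUT])
# Ordering: a deny numbered below the allow blocks that /24 ...
NACL_DENY_FIRST = NetworkACL(
    inbound=[ALLOW_443, Rule("tcp", 443, 443, "203.0.113.0/24", "deny", 90)],
    outbound=[EPHEMERAL_OUT])
# ... while the same deny numbered above the allow is never reached.
NACL_DENY_LAST = NetworkACL(
    inbound=[ALLOW_443, Rule("tcp", 443, 443, "203.0.113.0/24", "deny", 110)],
    outbound=[EPHEMERAL_OUT])
```

Calling `https_request_and_reply` on each of the five objects gives (True, True) for the security group, (True, False) for the NACL without an outbound ephemeral rule, and shows that a NACL deny only takes effect when its number is lower than the allow it is meant to override.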
3. VPC Connectivity & Best Practices
VPC Peering
One-to-one connection between two VPCs; the CIDR blocks must not overlap, and each side's route table needs a route to the peer. No transitive peering (A-B plus B-C does not give A-C). Works across regions and accounts.
VPC Endpoints
Interface: An ENI with a private IP in your subnet (AWS PrivateLink); supports most AWS services and third-party/SaaS endpoints; access is controlled by a security group plus an endpoint policy. Billed per hour and per GB.
Gateway: A route-table target for S3 and DynamoDB only; no ENI, no charge. Either kind keeps traffic to the service off the public internet and off the NAT Gateway.
Transit Gateway
Hub-and-spoke router for connecting hundreds of VPCs, Site-to-Site VPNs and Direct Connect links. Unlike peering it is transitive, and TGW route tables let you segment which attachments can reach each other.
4. Elastic Load Balancing (ELB)
| Type | OSI Layer | Best For… |
|---|---|---|
| ALB (Application) | Layer 7 | HTTP/HTTPS, Path-based routing, Microservices. |
| NLB (Network) | Layer 4 | Ultra-high performance, Static IPs, TCP/UDP/TLS. |
| GLB (Gateway) | Layer 3 | Third-party virtual appliances (Firewalls/IDS). |
5. DNS & Content Delivery
Route 53 Routing Policies
- Simple: One record set, no health checks; if it holds several values they are returned in random order.
- Weighted: Split traffic by weight (e.g. a 90/10 canary); weight 0 takes a record out of rotation.
- Latency: Answer with the region that gives the user the lowest measured latency.
- Failover: Active-passive; the primary is returned while its health check passes, otherwise the secondary.
- Geolocation: Based on the user's location (continent, country, or US state).
- Multi-value: Up to 8 healthy records per query, each with its own health check; a cheap form of client-side load balancing.
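Three of these policies modelled locally, so the edge cases (weight 0, the 8-record cap, failover on a failed health check) can be seen without a hosted zone. This is an added example, not from the study guide or Route 53; the record values are made up, and the failover model is simplified in that it does not consult the secondary's own health check.

```python
# Added example, not from the study guide: a local model of three Route 53
# routing policies over a constructed record set. No DNS is queried and the
# names/IPs are made up.
import random
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Record:
    value: str
    weight: int = 0        # weighted policy
    healthy: bool = True   # outcome of the associated health check
    role: str = ""         # "PRIMARY" or "SECONDARY" for failover


def resolve_weighted(records: List[Record], rng: random.Random) -> str:
    """Return one record with probability weight / sum(weights).
    Weight 0 means 'never answer with this record', except when every record
    is 0, in which case Route 53 answers with all of them equally."""
    weights = [r.weight for r in records]
    if sum(weights) == 0:
        weights = [1] * len(records)
    return rng.choices([r.value for r in records], weights=weights, k=1)[0]


def weighted_share(records: List[Record], n: int = 20000, seed: int = 7) -> Dict[str, float]:
    """Fraction of n resolutions answered by each record (to check the split)."""
    rng = random.Random(seed)
    counts = Counter(resolve_weighted(records, rng) for _ in range(n))
    return {r.value: counts[r.value] / n for r in records}


def resolve_failover(records: List[Record]) -> Optional[str]:
    """Active-passive: answer with the PRIMARY while its health check passes,
    otherwise with the SECONDARY (simplified: secondary health not checked)."""
    primary = next((r for r in records if r.role == "PRIMARY"), None)
    secondary = next((r for r in records if r.role == "SECONDARY"), None)
    if primary is not None and primary.healthy:
        return primary.value
    return secondary.value if secondary is not None else None


def resolve_multivalue(records: List[Record], max_answers: int = 8, seed: int = 1) -> List[str]:
    """Answer with up to 8 healthy records, chosen at random if more qualify.
    A record with no health check (healthy=True here) always qualifies."""
    rng = random.Random(seed)
    healthy = [r.value for r in records if r.healthy]
    return sorted(rng.sample(healthy, min(max_answers, len(healthy))))
```

`weighted_share` is the quick sanity check to run before a canary rollout: it shows both that the split matches the weights and that a weight-0 record never appears unless every record is 0.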
Amazon CloudFront
Global Content Delivery Network (CDN) using Edge Locations.
- Caching: Serves content from the nearest edge and reduces load on the origin (S3, EC2, ALB, or any HTTP origin).
- Security: Integrates with AWS WAF and Shield; use Origin Access Control (OAC) so a private S3 bucket is reachable only through the distribution, and serve HTTPS at the edge with an ACM certificate.
- Lambda@Edge / CloudFront Functions: Run code at the edge, closer to users.
Exam Pro-Tips:
- Remember: NACLs are Stateless; SGs are Stateful.
- VPC Flow Logs capture accepted and rejected IP traffic metadata (5-tuple, bytes, action; not payload) at the VPC, subnet or ENI level, delivered to CloudWatch Logs or S3.
- Global Accelerator uses the AWS Global Network for performance and provides 2 static anycast IPs as fixed entry points.
- Use Direct Connect for dedicated, private physical links to AWS; the link is not encrypted by default, so run a Site-to-Site VPN over it (or MACsec on supported dedicated connections) when encryption in transit is required.