
AWS Networking — VPC, CloudFront, Route 53, ELB

Isolation: Enables you to launch AWS resources into a virtual network that you’ve defined. Each VPC is logically isolated from others on AWS.

Subnets: Divide your VPC into public and private subnets across different Availability Zones. Public subnet = has route to Internet Gateway. Private subnet = no direct internet route.

Route Tables: Control the routing of traffic within the VPC and to the outside world. Configure which traffic goes to IGW, NAT Gateway, or stays within VPC.

Internet Gateway (IGW): Allows communication between instances in your VPC and the internet. Required for public subnets to reach external hosts.

NAT Gateway: Allows instances in a private subnet to connect to the internet (outbound only) — prevents the internet from initiating inbound connections. NAT Gateway lives in the PUBLIC subnet.
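As an added example that is not part of the original notes, the following Python applies the two rules above (public subnet = route to an Internet Gateway; NAT Gateway belongs in a public subnet) to route-table data shaped like EC2 API output; the route tables, subnet IDs and gateway IDs are constructed placeholders.

```python
# Added example (not from the page): classify subnets as public or private
# from their route tables using the page's rule (public = route to an Internet
# Gateway), then flag any NAT Gateway placed in a private subnet. The dicts
# below are constructed to mimic EC2 describe-route-tables / describe-nat-gateways
# output; all IDs are made up. Subnets with no explicit association (which would
# fall back to the VPC's main route table) are not modelled.

ROUTE_TABLES = [
    {"RouteTableId": "rtb-public",
     "Associations": [{"SubnetId": "subnet-a"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0abc"}]},
    {"RouteTableId": "rtb-private",
     "Associations": [{"SubnetId": "subnet-b"}, {"SubnetId": "subnet-c"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0def"}]},
]

# Constructed NAT Gateways: one correctly placed, one in a private subnet.
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0def", "SubnetId": "subnet-a"},
    {"NatGatewayId": "nat-0bad", "SubnetId": "subnet-c"},
]

def classify_subnets(route_tables):
    """Return {subnet_id: "public" | "private"}. A subnet is public when its
    route table has a route targeting an Internet Gateway ("igw-..."); a default
    route via a NAT Gateway is outbound-only and does not make it public."""
    kinds = {}
    for rt in route_tables:
        has_igw = any(r.get("GatewayId", "").startswith("igw-") for r in rt["Routes"])
        for assoc in rt.get("Associations", []):
            if "SubnetId" in assoc:  # the main-table association has no SubnetId
                kinds[assoc["SubnetId"]] = "public" if has_igw else "private"
    return kinds

def misplaced_nat_gateways(nat_gateways, subnet_kinds):
    """Return IDs of NAT Gateways not in a public subnet. Such a gateway has no
    path to the IGW, so instances routing through it lose outbound access."""
    return [n["NatGatewayId"] for n in nat_gateways
            if subnet_kinds.get(n["SubnetId"]) != "public"]

if __name__ == "__main__":
    kinds = classify_subnets(ROUTE_TABLES)
    print(kinds)  # {'subnet-a': 'public', 'subnet-b': 'private', 'subnet-c': 'private'}
    print(misplaced_nat_gateways(NAT_GATEWAYS, kinds))  # ['nat-0bad']
```

The same check can be run against real output by feeding it the `RouteTables` and `NatGateways` lists from the corresponding describe calls.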

Security Groups and NACLs: Security Groups filter traffic statefully at the instance level (return traffic is allowed automatically); Network ACLs filter traffic statelessly at the subnet level, so return traffic must be allowed explicitly in both directions.

Content Delivery Network (CDN): Distributes content globally with low latency and high transfer speeds. 200+ edge locations cache copies of your content to improve access speed.

Origin Servers: Source of the original content (e.g., S3 buckets, HTTP servers). CloudFront pulls from origin and caches at edge locations.

Distribution Types: Web distributions (for HTTP/S content) and RTMP distributions (for media streaming—deprecated).

Security: Supports SSL/TLS, signed URLs, and signed cookies for secure content delivery. Caches responses—if you update your origin, invalidate the CloudFront cache or use versioned URLs.

DNS Service: Highly available and scalable Domain Name System (DNS) web service. Translates domain names to IP addresses with health checks and failover.

Routing Policies: Simple (one record), Weighted (A/B testing), Latency-based (fastest region), Failover (active-passive HA), Geolocation (by user location), Multi-value answer (returns multiple healthy records per query).

Health Checks: Monitors the health and performance of your applications, with automatic failover to healthy endpoints. A misconfigured health check can mark every endpoint unhealthy, causing all traffic to fail.

Load Balancer Types: Application Load Balancer (ALB), Network Load Balancer (NLB), and Classic Load Balancer (CLB). Each targets different use cases.

ALB (Layer 7): Application Load Balancer works at Layer 7—can route based on URL path or hostname. Best for microservices and web applications.

NLB (Layer 4): Network Load Balancer works at Layer 4—use for ultra-low latency or static IP requirements. Handles millions of requests per second.

High Availability: Distributes incoming traffic across multiple targets (EC2, containers, IPs) in multiple Availability Zones. Automatically monitors health and routes only to healthy instances.

Security: Integrates with AWS Certificate Manager (ACM) for SSL/TLS termination. Supports end-to-end encryption between load balancer and targets.