Cloud Computing Intermediate to Advanced +250 XP

AWS Networking

Amazon VPC Architecture: Subnet Isolation & Tunnels

**Amazon Virtual Private Cloud (VPC)** allows you to provision an isolated virtual network on the AWS global infrastructure. Subnets are divided into **Public Subnets** (which have a route to an Internet Gateway to accept outside traffic) and **Private Subnets** (which host backend app nodes and databases with no direct external route).

Gateway Routing Rules:
  • Internet Gateway (IGW): A horizontally scaled, redundant gateway attached to the VPC. A subnet whose route table sends 0.0.0.0/0 to the IGW is "public"; instances there can receive and initiate internet traffic, provided they also have a public or Elastic IP.
  • NAT Gateway: Sits in a public subnet (it needs an Elastic IP and the public subnet's IGW route) and translates connections that private instances initiate outbound, so they can pull updates/packages. Return traffic for those connections flows back through it, but the internet cannot initiate connections through a NAT Gateway, so the private instances' ports are never exposed.
  • Route Tables: A set of rules mapping destination CIDRs to targets, resolved by longest-prefix match (the most specific matching CIDR wins). Every table carries an implicit local route for the VPC CIDR (e.g. 10.0.0.0/16) that cannot be removed; a private subnet's table sends everything else (0.0.0.0/0) to the NAT Gateway, a public subnet's to the IGW.

Stateful Security Groups vs Stateless Network ACLs

Network security inside a VPC relies on two firewalls: stateful **Security Groups (SGs)** operating at the instance level, and stateless **Network Access Control Lists (NACLs)** acting at the subnet boundary.

Because Security Groups are stateful, return traffic for a connection that was permitted inbound is allowed back out regardless of the outbound rules (and vice versa for connections initiated outbound): the reply is admitted by connection tracking, not by a rule. NACLs are stateless, so every packet, including a reply, is checked only against the rules for its own direction. You must therefore write explicit rules for both the inbound request port and the outbound ephemeral response ports (1024-65535 covers the ranges used by Linux and Windows clients and by NAT Gateways). The two also differ in how rules are evaluated: NACL rules are processed in ascending rule-number order, the first match wins, and they may contain explicit deny rules; Security Groups are allow-only and all their rules are evaluated together.
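The following is an added example, not code from the course: a toy model of how a stateful Security Group and a stateless NACL judge the same HTTPS exchange. The addresses (TEST-NET ranges and a constructed private-subnet instance), ports and rules are made up for illustration; the Security Group is deliberately given no outbound rule so that the effect of connection tracking is visible, whereas a real SG is created with an allow-all outbound rule.

```python
"""Toy model of stateful Security Group vs stateless NACL evaluation.

Added example, not the course's own code. Addresses, ports and rules are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    direction: str  # "in" = arriving at the instance/subnet, "out" = leaving it


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" or "out"
    cidr: str               # remote range: source for "in" rules, destination for "out" rules
    port_from: int          # the port range applies to the packet's destination port
    port_to: int            # in both directions, as in the AWS console
    action: str = "allow"   # NACLs also support "deny"; Security Groups are allow-only
    number: int = 0         # NACL rule number; lower numbers are evaluated first


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    remote = pkt.src if pkt.direction == "in" else pkt.dst
    return (ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= pkt.dport <= rule.port_to)


class SecurityGroup:
    """Stateful and allow-only. Once a packet is admitted, replies for that
    connection are admitted by the connection tracker, not by a rule."""

    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]
        self.tracked = set()  # (src, sport, dst, dport) of admitted connections

    def permits(self, pkt: Packet) -> bool:
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.tracked:
            return True  # reply to a tracked connection: no rule consulted
        if any(rule_matches(r, pkt) for r in self.rules):
            self.tracked.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False


class NetworkAcl:
    """Stateless. Every packet, including a reply, is checked against the rules
    for its own direction in ascending rule-number order; first match wins and
    the implicit final rule ('*') denies."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def permits(self, pkt: Packet) -> bool:
        for r in self.rules:
            if rule_matches(r, pkt):
                return r.action == "allow"
        return False


def run_comparison():
    # Constructed HTTPS exchange: a client opens 443 on a private-subnet instance,
    # the instance answers back to the client's ephemeral port.
    request = Packet("203.0.113.10", 51234, "10.0.11.20", 443, "in")
    reply = Packet("10.0.11.20", 443, "203.0.113.10", 51234, "out")
    # Unsolicited egress from the instance (e.g. fetching a package from a mirror).
    egress = Packet("10.0.11.20", 40000, "198.51.100.5", 80, "out")
    # Inbound request from a range the NACL explicitly denies.
    blocked = Packet("192.0.2.7", 44000, "10.0.11.20", 443, "in")

    # Real SGs are created with an allow-all outbound rule; it is omitted here so the
    # statefulness is visible: the reply passes although no outbound rule exists.
    sg = SecurityGroup([Rule("in", "0.0.0.0/0", 443, 443)])

    nacl_broken = NetworkAcl([Rule("in", "0.0.0.0/0", 443, 443, number=100)])
    nacl_fixed = NetworkAcl([
        Rule("in", "192.0.2.0/24", 0, 65535, action="deny", number=50),
        Rule("in", "0.0.0.0/0", 443, 443, number=100),
        Rule("out", "0.0.0.0/0", 1024, 65535, number=100),  # ephemeral return ports
    ])

    return {
        "sg_request": sg.permits(request),
        "sg_reply": sg.permits(reply),
        "sg_unsolicited_egress": sg.permits(egress),
        "nacl_broken_request": nacl_broken.permits(request),
        "nacl_broken_reply": nacl_broken.permits(reply),  # dropped: no outbound rule
        "nacl_fixed_request": nacl_fixed.permits(request),
        "nacl_fixed_reply": nacl_fixed.permits(reply),
        "nacl_fixed_blocked": nacl_fixed.permits(blocked),  # deny rule 50 wins over 100
    }


if __name__ == "__main__":
    for name, verdict in run_comparison().items():
        print(f"{name:24s} {'ALLOW' if verdict else 'DROP'}")
```

Run it and the "broken" NACL shows the classic symptom: the request is accepted, the reply is dropped, and the client sees a hung TLS handshake rather than a refused connection. The deny-before-allow ordering in the fixed NACL is the other thing Security Groups cannot express.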

Interactive Pipeline: 3-Tier Enterprise Networking Stack

Trace a web request passing through an enterprise VPC. Route 53 resolves the DNS query, CloudFront serves cached static CSS/JS from the edge, and the Application Load Balancer in the public subnet terminates TLS before forwarding to EC2 instances in private subnets, which in turn talk to RDS in isolated DB subnets.

Pipeline Q: 3-Tier VPC Architecture
  • Edge: Route 53 & CDN (DNS lookup + static cache)
  • Gateway: Public ALB (TLS offloading + routing)
  • App Tier: Private EC2 (route out via NAT Gateway)
  • DB Tier: RDS Multi-AZ (isolated DB subnets)

Routing & Load Balancing configurations

Below is the VPC routing table layout. Note that the private route table has NO route to an Internet Gateway (igw-XXXXXX), so the internet cannot initiate connections to instances in 10.0.11.0/24, even if one were accidentally given a public IP. They remain reachable from inside the VPC over the local route, which is how the ALB in the public subnet forwards traffic to them:

| Route Table | Associated Subnet | Destination | Target | Status |
|---|---|---|---|---|
| rtb-public | 10.0.1.0/24 | 10.0.0.0/16 | local | Active |
| rtb-public | 10.0.1.0/24 | 0.0.0.0/0 | igw-0abc1234 | Active |
| rtb-private | 10.0.11.0/24 | 10.0.0.0/16 | local | Active |
| rtb-private | 10.0.11.0/24 | 0.0.0.0/0 | nat-0def9876 | Active |
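As an added example (not the course's own code), here is the route resolution the table above implies, written out as longest-prefix matching over the two route tables plus the implicit local route. The rtb-public and rtb-private entries and their target identifiers are the page's own placeholders; the rtb-db table with no default route is a hypothetical third table added to model the isolated DB subnets, and the destination addresses are constructed TEST-NET values.

```python
"""Longest-prefix route resolution for the course's route tables.

Added example, not the course's own code. rtb-public and rtb-private mirror the
page's table; rtb-db is a hypothetical isolated table added for illustration.
"""
import ipaddress

VPC_CIDR = "10.0.0.0/16"

# Target prefixes follow AWS naming: igw- (Internet Gateway), nat- (NAT Gateway).
ROUTE_TABLES = {
    "rtb-public":  {"subnet": "10.0.1.0/24",  "routes": {"0.0.0.0/0": "igw-0abc1234"}},
    "rtb-private": {"subnet": "10.0.11.0/24", "routes": {"0.0.0.0/0": "nat-0def9876"}},
    # Hypothetical DB-tier table: no default route at all, only the implicit local route.
    "rtb-db":      {"subnet": "10.0.21.0/24", "routes": {}},
}


def effective_routes(table, vpc_cidr=VPC_CIDR):
    """Every VPC route table carries an implicit 'local' route for the VPC CIDR
    that cannot be removed; add it before resolving."""
    routes = {vpc_cidr: "local"}
    routes.update(table["routes"])
    return routes


def resolve(table, dst_ip, vpc_cidr=VPC_CIDR):
    """Return the target for dst_ip, or None if no route matches.
    The most specific matching CIDR (longest prefix) wins."""
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in effective_routes(table, vpc_cidr).items():
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def has_igw_route(table):
    """A subnet can be reached directly from the internet only if its table routes
    to an Internet Gateway (the instance additionally needs a public IP and a
    permitting Security Group)."""
    return any(t.startswith("igw-") for t in table["routes"].values())


def classify(table):
    """Tier by default route: 'public' (IGW), 'private' (NAT egress only) or
    'isolated' (no default route, like the DB subnets)."""
    if has_igw_route(table):
        return "public"
    default = table["routes"].get("0.0.0.0/0")
    if default and default.startswith("nat-"):
        return "private"
    return "isolated"


if __name__ == "__main__":
    for name, table in ROUTE_TABLES.items():
        print(name, classify(table),
              "internet->", resolve(table, "198.51.100.5"),
              "vpc-peer->", resolve(table, "10.0.1.20"))
```

The useful check for a practitioner is `classify` run over every route table in an account: a "private" tier whose table suddenly reports "public" means someone added an IGW default route, which is the misconfiguration the text warns against.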