AWS Network Services
Imagine constructing a corporate headquarters from scratch. You do not place the payroll server on the public sidewalk, nor do you put the customer reception desk in a sealed underground vault. Instead, you build a perimeter wall, divide the interior into secure zones, and carefully control the corridors, doors, and ID checks connecting them. This is the essence of cloud networking. You are taking the infinite, sprawling public cloud and carving out a private, strictly controlled territory. Understanding how data travels—and more importantly, how it is stopped—is not purely an engineering concern. For a project manager, it dictates project feasibility; for finance, it governs data transfer costs; and for sales, it directly impacts the speed and reliability of the customer experience.

To utilize AWS effectively, you must first establish your territorial boundaries. Amazon Virtual Private Cloud (Amazon VPC) allows a user to provision a logically isolated section of the AWS Cloud. Think of this as purchasing the plot of land and erecting an invisible fence. Inside this boundary, you have complete control over your networking environment.
Geographically, an Amazon Virtual Private Cloud (Amazon VPC) spans all the Availability Zones within a single AWS Region. If your chosen AWS Region is Tokyo, your VPC stretches across every physical data center cluster in that geographic area.
However, you cannot place servers haphazardly into this massive space. You must divide the VPC into manageable neighborhoods. A subnet is a specific range of IP addresses within an Amazon Virtual Private Cloud (Amazon VPC).

While the VPC covers the entire Region, subnets are far more geographically restricted. A subnet must reside entirely within one Availability Zone. To be unequivocally clear on this architectural constraint: a single subnet cannot span across multiple Availability Zones. If a power outage or natural disaster compromises an Availability Zone, any subnets contained within it are affected. This is why highly available architectures distribute resources across multiple subnets in different Availability Zones.

Resources inside a VPC are entirely isolated until you explicitly provide them a path to the outside world.
To bridge the gap to the public internet, you attach an Internet Gateway. An Internet Gateway is a horizontally scaled, redundant AWS VPC component that allows communication between instances in a VPC and the public internet. Because it is horizontally scaled, AWS ensures it automatically handles any volume of traffic you throw at it; it will not become a bottleneck. Attaching it is only the first step, though: before a single packet actually flows, an instance also needs a public or Elastic IP address, a route from its subnet to the gateway, and a Security Group rule that permits the traffic.
The presence of a route table entry to this gateway changes the fundamental nature of your subnet:
- A subnet is defined as a public subnet if the subnet possesses a route table entry directing traffic to an Internet Gateway. You place external-facing web servers and load balancers here.
- Conversely, a subnet is defined as a private subnet if the subnet lacks a route to an Internet Gateway. This is where you hide your sensitive customer databases and internal application servers.
But here arises a practical dilemma: if a database resides in a private subnet, how does it download security patches from the internet without exposing itself to incoming attacks?
The solution is the NAT Gateway (Network Address Translation Gateway). A NAT Gateway enables instances in a private subnet to establish outbound connections to the internet. It sits in a public subnet with its own public (Elastic) IP address, and the private subnet's route table sends internet-bound traffic (0.0.0.0/0) to it; the gateway rewrites the source address of each outgoing packet to its own and maps the replies back to the originating instance. Crucially, a NAT Gateway prevents external entities on the public internet from initiating inbound connections to instances within a private subnet: there is no translation entry for a connection that nobody inside has started. It functions like a company mailroom: employees can send letters out, but the outside world cannot mail an employee directly at their desk. Two caveats a practitioner should keep in mind: a NAT Gateway lives in a single Availability Zone, so a private subnet should route through a NAT Gateway in its own zone if it is to survive a zone failure; and the gateway does nothing to restrict where outbound traffic goes, so a compromised instance can still exfiltrate data through it unless egress filtering is applied elsewhere.
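The public/private distinction above is a property of route tables, not of a subnet's name or its IP range, which makes it easy to audit mechanically. The following is an added example (not code from the page or from AWS): it classifies subnets from data shaped like the output of `aws ec2 describe-route-tables` and `aws ec2 describe-subnets`, using constructed records with hypothetical IDs so it runs offline. It also applies the rule that a subnet with no explicit association falls back to the VPC's main route table, and it ignores routes that are not in the `active` state, since a blackholed NAT route provides no path.

```python
"""Classify VPC subnets as public or private from route-table data.

Added example, not part of the original page or an AWS tool. It works on
constructed data shaped like `aws ec2 describe-route-tables` and
`aws ec2 describe-subnets` output (all IDs are hypothetical); swap in real
API responses to audit a live account.
"""
from typing import Dict, List

# Constructed sample data: one VPC, a main table with no internet route,
# a public table routing 0.0.0.0/0 to an Internet Gateway, and a private
# table routing 0.0.0.0/0 to a NAT Gateway.
ROUTE_TABLES = [
    {
        "RouteTableId": "rtb-main0001",
        "VpcId": "vpc-0a1b2c3d",
        "Associations": [{"Main": True}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-public01",
        "VpcId": "vpc-0a1b2c3d",
        "Associations": [{"Main": False, "SubnetId": "subnet-web-a"},
                         {"Main": False, "SubnetId": "subnet-web-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0f00ba7", "State": "active"},
        ],
    },
    {
        "RouteTableId": "rtb-private1",
        "VpcId": "vpc-0a1b2c3d",
        "Associations": [{"Main": False, "SubnetId": "subnet-db-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc123", "State": "active"},
        ],
    },
]

SUBNETS = [
    {"SubnetId": "subnet-web-a", "AvailabilityZone": "ap-northeast-1a", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-web-b", "AvailabilityZone": "ap-northeast-1c", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-db-a", "AvailabilityZone": "ap-northeast-1a", "MapPublicIpOnLaunch": False},
    # No explicit association: this subnet uses the main route table.
    {"SubnetId": "subnet-orphan", "AvailabilityZone": "ap-northeast-1c", "MapPublicIpOnLaunch": False},
]


def route_table_for(subnet_id: str, route_tables: List[dict]) -> dict:
    """A subnet uses its explicitly associated route table, else the VPC's main table."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    if main is None:
        raise ValueError("no main route table found")
    return main


def classify_subnet(subnet: dict, route_tables: List[dict]) -> Dict[str, object]:
    """Public if any active route targets an Internet Gateway; otherwise private."""
    rt = route_table_for(subnet["SubnetId"], route_tables)
    igw = nat = False
    for route in rt.get("Routes", []):
        if route.get("State") != "active":
            continue  # blackhole routes (e.g. a deleted NAT Gateway) provide no path
        if route.get("GatewayId", "").startswith("igw-"):
            igw = True
        if route.get("NatGatewayId"):
            nat = True
    return {
        "subnet": subnet["SubnetId"],
        "az": subnet["AvailabilityZone"],
        "route_table": rt["RouteTableId"],
        "kind": "public" if igw else "private",
        "egress_via_nat": nat and not igw,
        # A public subnet that auto-assigns public IPs exposes every instance launched in it.
        "auto_public_ip": bool(subnet.get("MapPublicIpOnLaunch")),
    }


def audit(subnets: List[dict], route_tables: List[dict]) -> Dict[str, Dict[str, object]]:
    return {s["SubnetId"]: classify_subnet(s, route_tables) for s in subnets}


if __name__ == "__main__":
    for sid, info in audit(SUBNETS, ROUTE_TABLES).items():
        print(sid, info["az"], info["kind"], "via", info["route_table"],
              "(NAT egress)" if info["egress_via_nat"] else "")
```

The `auto_public_ip` flag is the detail worth watching in a real audit: a subnet that is public by route and also auto-assigns public IPs will expose anything launched into it by mistake, whereas the orphan subnet on the main table is private with no egress at all, which is usually the safest default for a VPC's main route table.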

Network security in AWS is governed by layers of defense. You must understand the distinct mechanics of Security Groups and Network Access Control Lists (NACLs), as their differences are foundational.

Security Groups: The Bouncer
A Security Group acts as a virtual firewall for an Amazon EC2 instance to control inbound and outbound traffic.
Security Groups operate at the individual instance level rather than at the subnet level. If your subnet is a neighborhood, the Security Group is the bouncer standing at the front door of one specific house.
Crucial Concept: Statefulness. A Security Group is stateful: return traffic for an allowed connection is automatically allowed in the opposite direction. If an inbound rule admits a client's request on port 443, the server's response to that client is allowed back out even if no outbound rule would match it, and the same holds in reverse for connections the instance itself initiates.
By default, a newly created Security Group prioritizes caution: it denies all inbound traffic and allows all outbound traffic, operating on the assumption that if an instance initiates a request, it is trusted. (The pre-existing "default" security group of each VPC is the one exception; it additionally allows inbound traffic from other members of that same group.) That blanket trust in outbound traffic is worth revisiting for sensitive workloads: restricting egress to known destinations is one of the cheaper ways to blunt data exfiltration and command-and-control callbacks.
NACLs: The Perimeter Guard
A Network Access Control List (NACL) acts as a virtual firewall for an Amazon VPC subnet.
Unlike the instance-level Security Group, Network Access Control Lists operate at the subnet level to control traffic entering and exiting the subnet boundary. This is the security checkpoint at the entrance to the neighborhood itself.
A Network Access Control List (NACL) is stateless. This is a profound operational difference. The stateless nature of a Network Access Control List requires explicit rules to allow both inbound and outbound return traffic. If traffic is permitted to enter the subnet, the returning response is evaluated entirely fresh against the outbound rules. If no explicit outbound rule permits the exit, the traffic is dropped. In practice this means a web subnet's NACL needs an outbound rule covering the clients' ephemeral port range (AWS documents 1024-65535 as the range that clients, NAT Gateways and load balancers may use), not just a mirror of the inbound port 443 rule. NACL rules are numbered and evaluated in ascending order, the first match wins, and an implicit final rule denies everything else. That ordering lets a NACL express something a Security Group cannot: an explicit deny for a specific source range placed ahead of the general allow.
| Feature | Security Group (SG) | Network ACL (NACL) |
|---|---|---|
| Scope | Instance-level (attached to the network interface) | Subnet-level |
| State | Stateful | Stateless |
| Rules | Explicit allow rules only | Explicit allow and deny rules |
| Evaluation | All rules considered; any matching rule allows | Numbered, lowest first; first match wins |
| Defaults | New group: deny all inbound, allow all outbound | Default NACL allows all; a new custom NACL denies all |

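The stateful/stateless distinction is easiest to see by pushing one connection through both firewalls. The following is an added example, not AWS code: it is a deliberately simplified model of the two evaluation behaviours (the `Rule` and `Packet` classes are this example's own, and all addresses are constructed from RFC 5737 documentation ranges). It sends an HTTPS request into a subnet and then the server's reply back out, once through a NACL whose outbound rule merely mirrors the inbound port 443 rule, and once through a corrected NACL that allows the ephemeral port range and also carries a numbered deny ahead of the allow.

```python
"""Stateful Security Group vs. stateless NACL, simulated on one HTTPS connection.

Added example, not AWS code: the Rule/Packet model is this example's own
simplification of the two firewalls' evaluation logic, and all addresses are
constructed (RFC 5737 documentation ranges).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self) -> "Packet":
        return Packet(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass
class Rule:
    proto: str
    port_from: int
    port_to: int
    cidr: str              # peer CIDR: source for inbound rules, destination for outbound
    action: str = "allow"  # NACL rules may also be "deny"; Security Groups are allow-only
    number: int = 0        # NACL evaluation order (lowest first); unused by Security Groups

    def matches(self, pkt: Packet, direction: str) -> bool:
        peer = pkt.src_ip if direction == "in" else pkt.dst_ip
        return (self.proto == pkt.proto
                and self.port_from <= pkt.dst_port <= self.port_to  # rules match the destination port
                and ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr))


class SecurityGroup:
    """Stateful: an allowed packet opens a tracked flow, and packets travelling the
    opposite way on that flow are allowed regardless of the rules for that direction."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}
        self.flows = set()  # connection-tracking table

    def evaluate(self, pkt: Packet, direction: str) -> str:
        if pkt.reverse() in self.flows:
            return "allow (return traffic of tracked flow)"
        if any(r.matches(pkt, direction) for r in self.rules[direction]):
            self.flows.add(pkt)
            return "allow"
        return "deny (no matching allow rule)"


class NetworkAcl:
    """Stateless: each packet is matched on its own against the rules for its
    direction, in ascending rule number; first match wins; the implicit '*' rule denies."""

    def __init__(self, inbound, outbound):
        key = lambda r: r.number
        self.rules = {"in": sorted(inbound, key=key), "out": sorted(outbound, key=key)}

    def evaluate(self, pkt: Packet, direction: str) -> str:
        for r in self.rules[direction]:
            if r.matches(pkt, direction):
                return f"{r.action} (rule {r.number})"
        return "deny (rule *)"


ANY = "0.0.0.0/0"


def make_sg() -> SecurityGroup:
    # Inbound HTTPS only, and deliberately no outbound rules at all.
    return SecurityGroup(inbound=[Rule("tcp", 443, 443, ANY)], outbound=[])


# Common mistake: mirroring the inbound rule outbound. Replies leave from port 443
# towards the client's ephemeral port, so "tcp 443 out" never matches them.
BROKEN_ACL = NetworkAcl(inbound=[Rule("tcp", 443, 443, ANY, number=100)],
                        outbound=[Rule("tcp", 443, 443, ANY, number=100)])

# Corrected: allow outbound to the ephemeral range, and add a numbered deny
# (something a Security Group cannot express) evaluated before the allow.
FIXED_ACL = NetworkAcl(
    inbound=[Rule("tcp", 443, 443, "198.51.100.0/24", action="deny", number=90),
             Rule("tcp", 443, 443, ANY, number=100)],
    outbound=[Rule("tcp", 1024, 65535, ANY, number=100)])


def https_roundtrip(acl: NetworkAcl, sg: SecurityGroup) -> dict:
    """Client -> server request on 443, then the server's reply, in the order the
    packets cross the subnet boundary (NACL) and the instance boundary (SG)."""
    request = Packet("203.0.113.10", 51515, "10.0.1.5", 443)
    reply = request.reverse()
    return {
        "request_nacl": acl.evaluate(request, "in"),
        "request_sg": sg.evaluate(request, "in"),
        "reply_sg": sg.evaluate(reply, "out"),
        "reply_nacl": acl.evaluate(reply, "out"),
    }


if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(name, https_roundtrip(acl, make_sg()))
```

With the broken NACL the Security Group passes the reply (it is return traffic of a tracked flow, and the group has no outbound rules at all), but the NACL drops it at the subnet boundary because the reply's destination port is the client's ephemeral port, not 443. The corrected NACL passes the reply and still blocks the `198.51.100.0/24` range on the way in, which is the kind of source-based deny you reach for a NACL to get.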
Once your internal network is secure, you face the challenge of connecting users to your applications smoothly across the globe.
Amazon Route 53
Before a customer's computer can communicate with your AWS server, it must know the server's numeric address. Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service.
Route 53 serves multiple roles. First, Amazon Route 53 translates human-readable domain names (like example.com) into numeric IP addresses used by computers to connect to each other. Second, Amazon Route 53 functions as a domain registrar for registering new web addresses.
Beyond simple translation, it is highly intelligent. Amazon Route 53 performs automated health checks on resources to route traffic exclusively to healthy endpoints. If your server in London fails, Route 53 will detect the failure and dynamically route your customers to a backup server in Frankfurt.

Amazon CloudFront
For consumer-facing teams, slow applications mean lost revenue. Amazon CloudFront is a Content Delivery Network (CDN) service built for high performance and security.
Amazon CloudFront caches static and dynamic content at AWS Edge Locations to deliver data to users with low latency. Instead of forcing a user in Sydney to request a video from a server in New York, CloudFront stores a copy of that video at an edge location right in Sydney.

AWS Global Accelerator
While CloudFront is brilliant for caching content, what happens when you have dynamic, non-cacheable data—like a live multiplayer game or a real-time financial trading platform?
AWS Global Accelerator is a networking service that improves the availability and performance of applications. Standard internet traffic bounces through countless random routers globally, suffering unpredictable delays. To fix this, AWS Global Accelerator routes user traffic through the dedicated AWS global network infrastructure instead of the congested public internet.
Furthermore, AWS Global Accelerator provides two static Anycast IP addresses that act as fixed entry points to an application. No matter where your user is located, they connect to the same two IP addresses, and AWS handles the physical routing behind the scenes with optimal speed.
As organizations grow, their networking needs scale from a single VPC to complex hybrid architectures connecting multiple VPCs and on-premises corporate data centers.
If you simply need to connect an office to AWS quickly, AWS Site-to-Site VPN (often referred to simply as AWS VPN) provides an IPsec-encrypted connection between an on-premises network and the AWS Cloud over the public internet. It is fast to provision and cost-effective, and because the tunnel is encrypted end to end, the public path in between sees only ciphertext.
However, for enterprise operations, routing business-critical database synchronizations over the public internet is simply too unpredictable. AWS Direct Connect establishes a dedicated physical network connection from an on-premises data center to the AWS Cloud. AWS Direct Connect bypasses the public internet entirely to provide a more consistent network experience, lower latency, and highly predictable data transfer costs. Note that "private" is not the same as "encrypted": Direct Connect traffic is not encrypted by default, so data that needs confidentiality in transit should still be protected with TLS, with a VPN tunnel run over the Direct Connect link, or with MACsec where the connection type supports it.
Within the cloud itself, you will frequently need to link different internal systems. VPC Peering is a networking connection between two VPCs that enables the routing of traffic using private IP addresses. It feels as if the instances are on the same local network.
But there is a catch. VPC Peering connections do not support transitive routing across multiple connected VPCs. If VPC "A" is peered with VPC "B", and VPC "B" is peered with VPC "C", VPC "A" cannot talk to VPC "C" unless you build a brand new peering connection between them. In an enterprise with hundreds of VPCs, drawing thousands of individual peer-to-peer lines becomes an unmanageable administrative nightmare.
The definitive architectural solution is the AWS Transit Gateway, which acts as a central cloud router to connect multiple Amazon VPCs and on-premises networks together. AWS Transit Gateway simplifies network architecture by replacing complex peer-to-peer VPC connections with a hub-and-spoke model. Every VPC, VPN connection and Direct Connect gateway attaches to the Transit Gateway once, allowing centralized routing across your entire organization. Centralization cuts both ways, though: with a single Transit Gateway route table, every attachment can reach every other, so segmenting environments (production from development, or a shared-services VPC from everything else) means using multiple Transit Gateway route tables and associating each attachment with the right one.
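The difference between the two topologies comes down to which nodes are allowed to forward traffic. The following is an added example, not AWS code: it models the non-transitive peering rule and the hub-and-spoke Transit Gateway as a small reachability search over a constructed topology. VPC names are hypothetical, the Transit Gateway is assumed to use a single shared route table (so every attachment can reach every other), and in a real deployment the VPC route tables and Security Groups would still have to permit the traffic.

```python
"""Reachability under non-transitive VPC peering versus a Transit Gateway hub.

Added example, not AWS code. It models topology only: VPC names and the
Transit Gateway's single shared route table are assumptions, and real route
tables and Security Groups would still have to permit the traffic.
"""
from collections import deque
from itertools import combinations


def reachable(src, dst, links, forwarders=frozenset()):
    """Breadth-first search over links, where a path may only pass *through* a
    node that forwards traffic (a Transit Gateway). VPCs only originate or
    terminate traffic, so a peering link can never be used as a transit hop."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        if node != src and node not in forwarders:
            continue  # reached a VPC that is not the destination: dead end
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def unreachable_pairs(vpcs, links, forwarders=frozenset()):
    """Every VPC pair that cannot talk under the given links."""
    return {(a, b) for a, b in combinations(sorted(vpcs), 2)
            if not reachable(a, b, links, forwarders)}


def links_for_full_mesh(n_vpcs):
    """Peering needs one link per VPC pair; a Transit Gateway needs one attachment per VPC."""
    return {"peering": n_vpcs * (n_vpcs - 1) // 2, "transit_gateway": n_vpcs}


# Constructed topology: a chain of peerings A-B, B-C, C-D.
VPCS = ["A", "B", "C", "D"]
PEERINGS = [("A", "B"), ("B", "C"), ("C", "D")]
# Same VPCs, each attached once to a Transit Gateway (hub-and-spoke).
TGW_ATTACHMENTS = [(v, "tgw-hub") for v in VPCS]

if __name__ == "__main__":
    print("peering, unreachable:", sorted(unreachable_pairs(VPCS, PEERINGS)))
    print("tgw, unreachable:", sorted(unreachable_pairs(VPCS, TGW_ATTACHMENTS, {"tgw-hub"})))
    print(links_for_full_mesh(100))
```

Under the peering chain, A can reach B but not C or D, and B cannot reach D; each of those gaps would need its own peering connection. Under the Transit Gateway, the same four VPCs are all mutually reachable with four attachments, and the `links_for_full_mesh` comparison shows why the page calls full-mesh peering unmanageable at scale: one hundred VPCs need 4,950 peerings versus one hundred attachments.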
