AWS networking is about how resources are isolated, connected, and exposed.
Region Selection
Common factors:
- Compliance
- Proximity to users
- Service availability
- Pricing
High Availability
High availability is often achieved through multi-AZ deployment. Availability Zones are isolated from each other, reducing single points of failure.
Multi-Region architecture improves disaster recovery further, but adds cost and complexity.
Edge Locations
Edge locations cache content closer to users. CloudFront is AWS's CDN service.
VPC
A VPC is a virtual private network in AWS. Inside a VPC, you configure subnets, route tables, gateways, and security rules.
Subnets
Public subnets usually access the internet through an Internet Gateway.
Private subnets usually do not expose resources directly to the internet and use NAT Gateway for outbound access.
Gateways
Internet Gateway connects a VPC to the internet.
Virtual Private Gateway connects on-premises networks to a VPC.
Transit Gateway connects multiple VPCs and on-premises networks.
NAT Gateway lets private subnets access the internet without allowing inbound internet access.
Security Groups and Network ACLs
Security groups are instance-level, stateful firewalls.
Network ACLs are subnet-level, stateless firewalls.
Security groups are more commonly used. Network ACLs are useful for coarse subnet-level control.
Deeper Notes
When reviewing this topic, do not memorize names only. Focus on Region selection, edge locations, CloudFront, Route 53, Global Accelerator, and cross-region availability. If this stays at the definition level, it becomes hard to explain in interviews or apply in projects. A stronger way to study it is to place it in a concrete scenario: who calls it, where the input comes from, what happens on failure, and whether data or state can be processed twice.
- AWS review should connect services into architecture: entry point, compute, networking, storage, permissions, monitoring, and cost.
- For each service, ask what problem it solves, who operates it, and what the blast radius is when it fails.
- Both exams and real projects care about boundaries: Region vs AZ, managed vs self-managed, stateful vs stateless resources.
In a real project, use it as a decision framework: identify inputs, constraints, failure modes, and observability before choosing a specific tool or pattern. If a solution looks simple, keep asking whether it still works when scale grows, permissions change, recovery matters, and more people collaborate on it.
Practical Checklist
- Identify where this concept sits in the system: development-time constraint, runtime behavior, infrastructure capability, or collaboration workflow.
- Write one minimal working example and one failure example; only knowing the happy path is usually not enough.
- Record common misuses: edge cases, permission assumptions, performance assumptions, sync/async differences, or environment differences.
- Connect the concept to a project experience so that an interview answer can be grounded in real tradeoffs.
- End with one sentence about tradeoff: what it gives up and what it buys.
Self-Check Questions
- What core problem does this topic solve?
- What alternatives exist, and what are their costs?
- Where are the most likely edge cases?
- How would code, tests, or monitoring prove that it is reliable?
Applied Scenario
A practical way to study this topic is to place it inside a small SaaS deployment: users enter through a domain, CloudFront or a load balancer receives traffic, the app runs on EC2, ECS, or Lambda, databases and caches live in private subnets, logs go to CloudWatch, permissions are controlled by IAM, and static assets are stored in S3. For every AWS service, ask where it sits in this chain: entry, compute, network, storage, security, monitoring, or cost control.
Common Pitfalls:
- Memorizing service names without being able to draw the request path.
- Ignoring network boundaries and exposing databases publicly.
- Not estimating cost or failure blast radius.