AWS Networking and Content Delivery
Now that you understand AWS compute, storage, and database services, it's time to connect everything together. In this lesson, you'll learn how AWS networking enables your resources to communicate securely and how content delivery services optimize performance for global users.
Learning Goals:
- Understand AWS Virtual Private Cloud (VPC) fundamentals
- Configure subnets, route tables, and security groups
- Set up internet connectivity through Internet Gateways
- Use Amazon CloudFront for content delivery
- Implement Route 53 for DNS management
AWS Virtual Private Cloud (VPC)
A VPC is your own logically isolated section of the AWS cloud where you can launch AWS resources. Think of it as your private data center within AWS.
Creating a VPC
Let's create a VPC with a CIDR block of 10.0.0.0/16:
aws ec2 create-vpc --cidr-block 10.0.0.0/16
{
"Vpc": {
"CidrBlock": "10.0.0.0/16",
"DhcpOptionsId": "dopt-12345678",
"State": "pending",
"VpcId": "vpc-12345678",
"InstanceTenancy": "default"
}
}
Plan your CIDR blocks carefully. A VPC CIDR must be between /16 and /28; a /16 gives you 65,536 addresses, which is enough for most applications while leaving room for growth. AWS reserves five addresses in every subnet (network address, VPC router, DNS resolver, one spare, broadcast), so a /24 subnet yields 251 usable hosts. Pick a range that does not overlap any network you may later connect by VPN, Direct Connect or VPC peering: the primary CIDR cannot be changed once the VPC exists, only supplemented with secondary blocks.
Subnets and Route Tables
Subnets divide your VPC into smaller networks; each subnet lives in exactly one Availability Zone. You'll typically create both public and private subnets in at least two AZs for high availability. Note that "public" is not a property you set on a subnet: a subnet is public only because its route table sends 0.0.0.0/0 to an Internet Gateway, so the route-table association is what you must audit.
Creating Subnets
# Public subnet in us-east-1a
aws ec2 create-subnet \
--vpc-id vpc-12345678 \
--cidr-block 10.0.1.0/24 \
--availability-zone us-east-1a
# Private subnet in us-east-1a
aws ec2 create-subnet \
--vpc-id vpc-12345678 \
--cidr-block 10.0.2.0/24 \
--availability-zone us-east-1a
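The planning step above (carving a /16 into per-AZ public and private /24s, and checking the VPC block against ranges you will later connect) is easy to get wrong by hand. The script below is an added example, not part of the lesson; it uses only the Python standard library, and the VPC block, AZ list and on-premises ranges at the bottom are constructed inputs.

```python
"""Subnet planning for a VPC, as an added example (not part of the lesson).

Uses only the standard library so it runs offline. The VPC block, the AZ
list and the peer ranges passed in at the bottom are constructed inputs.
"""
import ipaddress

# AWS reserves five addresses in every subnet: the network address, the VPC
# router (.1), the DNS resolver (.2), one reserved for future use (.3) and
# the broadcast address.
AWS_RESERVED_PER_SUBNET = 5


def plan_subnets(vpc_cidr, azs, subnet_prefix=24):
    """Carve vpc_cidr into one public and one private subnet per AZ.

    Returns a list of dicts (az, tier, cidr, usable) in allocation order.
    """
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    if not 16 <= vpc.prefixlen <= 28:
        raise ValueError("a VPC CIDR must be between /16 and /28")
    if not vpc.prefixlen <= subnet_prefix <= 28:
        raise ValueError("subnet prefix must fit inside the VPC and be at most /28")
    blocks = vpc.subnets(new_prefix=subnet_prefix)
    plan = []
    for az in azs:
        for tier in ("public", "private"):
            try:
                block = next(blocks)
            except StopIteration:
                raise ValueError("VPC block exhausted; use a smaller subnet prefix") from None
            plan.append({
                "az": az,
                "tier": tier,
                "cidr": str(block),
                "usable": block.num_addresses - AWS_RESERVED_PER_SUBNET,
            })
    return plan


def find_overlaps(vpc_cidr, peer_cidrs):
    """Return the peer ranges (VPN, Direct Connect, peered VPCs) that overlap
    the VPC block. Overlapping ranges cannot be routed to each other."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return [c for c in peer_cidrs if ipaddress.ip_network(c, strict=True).overlaps(vpc)]


if __name__ == "__main__":
    # Constructed inputs: the lesson's /16 VPC, two AZs, two on-prem ranges.
    for s in plan_subnets("10.0.0.0/16", ["us-east-1a", "us-east-1b"]):
        print(f"{s['az']}  {s['tier']:<8}{s['cidr']:<16}usable={s['usable']}")
    print("overlapping peers:", find_overlaps("10.0.0.0/16", ["10.0.5.0/24", "192.168.0.0/16"]))
```

Run it before creating anything: the printed CIDRs are what you pass to `aws ec2 create-subnet`, and any range listed under "overlapping peers" means the VPC block has to change before a VPN or peering connection can route traffic.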
Configuring Route Tables
# Create a custom route table for public subnets. Subnets with no explicit
# association fall back to the VPC's main route table, so keep the
# internet-facing default route in this custom table, not in the main one.
aws ec2 create-route-table --vpc-id vpc-12345678
# Associate the public subnet with the new route table (IDs from the earlier output)
aws ec2 associate-route-table \
--subnet-id subnet-12345678 \
--route-table-id rtb-12345678
Internet Connectivity
Internet Gateway
To enable internet access for your VPC, you need three things: an Internet Gateway attached to the VPC, a route for 0.0.0.0/0 to that gateway in the subnet's route table, and a public IPv4 address on the instance (auto-assigned by the subnet or an attached Elastic IP). Security groups and network ACLs must also permit the traffic. Instances in private subnets that need outbound access go through a NAT Gateway in a public subnet instead of a direct IGW route.
# Create Internet Gateway
aws ec2 create-internet-gateway
# Attach to VPC
aws ec2 attach-internet-gateway \
--internet-gateway-id igw-12345678 \
--vpc-id vpc-12345678
# Add default route to Internet Gateway
aws ec2 create-route \
--route-table-id rtb-12345678 \
--destination-cidr-block 0.0.0.0/0 \
--gateway-id igw-12345678
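Because the IGW route can end up in the main route table (the commands above will put it there if rtb-12345678 happens to be the main table), the reliable way to know which subnets are exposed is to evaluate the effective route table of each subnet. The script below is an added example, not part of the lesson; its input mirrors the shape of `aws ec2 describe-route-tables` output but is constructed here with placeholder IDs so it runs offline. In real use you would `json.load` the CLI output instead.

```python
"""Find which subnets are actually public, as an added example (not from the lesson).

The route-table data mirrors the shape of `aws ec2 describe-route-tables`
output but is constructed here so the script runs offline; in practice load
the real JSON with json.load. Resource IDs below are placeholders.
"""
import json

ROUTE_TABLES_JSON = """
{"RouteTables": [
  {"RouteTableId": "rtb-main00001",
   "Associations": [{"Main": true, "RouteTableId": "rtb-main00001"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-12345678", "State": "active"}]},
  {"RouteTableId": "rtb-public001",
   "Associations": [{"Main": false, "SubnetId": "subnet-pub1a001"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-12345678", "State": "active"}]},
  {"RouteTableId": "rtb-private01",
   "Associations": [{"Main": false, "SubnetId": "subnet-prv1a001"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
     {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0abc12345", "State": "active"}]},
  {"RouteTableId": "rtb-db0000001",
   "Associations": [{"Main": false, "SubnetId": "subnet-db1a0001"}],
   "Routes": [
     {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]}
]}
"""

# Constructed list of subnets to classify. subnet-app1b001 has no explicit
# route-table association, so it falls back to the main table.
SUBNET_IDS = ["subnet-pub1a001", "subnet-prv1a001", "subnet-db1a0001", "subnet-app1b001"]


def default_route_target(route_table):
    """Return the target ID of the active 0.0.0.0/0 route, or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0":
            continue
        if route.get("State", "active") != "active":
            continue
        for key in ("GatewayId", "NatGatewayId", "TransitGatewayId",
                    "VpcPeeringConnectionId", "NetworkInterfaceId", "InstanceId"):
            if key in route:
                return route[key]
    return None


def classify_subnets(route_tables, subnet_ids):
    """Map each subnet to 'public', 'private' or 'isolated'.

    public   : effective route table sends 0.0.0.0/0 to an internet gateway
    private  : 0.0.0.0/0 goes somewhere else (NAT gateway, TGW, ...)
    isolated : no default route at all
    The effective table is the explicitly associated one, else the VPC main table.
    """
    main_table = None
    explicit = {}
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("Main"):
                main_table = rt
            elif "SubnetId" in assoc:
                explicit[assoc["SubnetId"]] = rt
    result = {}
    for subnet_id in subnet_ids:
        rt = explicit.get(subnet_id, main_table)
        target = default_route_target(rt) if rt else None
        if target is None:
            result[subnet_id] = "isolated"
        elif target.startswith("igw-"):
            result[subnet_id] = "public"
        else:
            result[subnet_id] = "private"
    return result


def audit_sample():
    """Run the classification over the constructed data."""
    tables = json.loads(ROUTE_TABLES_JSON)["RouteTables"]
    return classify_subnets(tables, SUBNET_IDS)


if __name__ == "__main__":
    for subnet_id, tier in audit_sample().items():
        print(f"{subnet_id}: {tier}")
```

In the constructed data the main route table carries the IGW route, so subnet-app1b001, which nobody associated with any table, comes out as public even though it was meant to be an application tier. That is the failure mode to look for after running the lesson's create-route command.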
Security Groups and Network ACLs
Security Groups act as virtual firewalls at the instance (network interface) level and hold allow rules only: every rule across all groups attached to the interface is evaluated together, and anything not explicitly allowed is dropped. Network ACLs operate at the subnet level with numbered allow and deny rules evaluated in order, which makes them the right place to block a specific source range outright.
Security Group Configuration
# Create security group for web servers
aws ec2 create-security-group \
--group-name web-sg \
--description "Security group for web servers" \
--vpc-id vpc-12345678
# Allow HTTP and HTTPS from anywhere: the only ports that should be open to 0.0.0.0/0.
# Admin ports such as 22 belong behind a known CIDR, a bastion, or SSM Session Manager.
aws ec2 authorize-security-group-ingress \
--group-id sg-12345678 \
--protocol tcp \
--port 80 \
--cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress \
--group-id sg-12345678 \
--protocol tcp \
--port 443 \
--cidr 0.0.0.0/0
Security Groups are stateful: return traffic for an allowed connection is permitted automatically, regardless of the rules in the other direction. Network ACLs are stateless: you must allow both directions explicitly, including the ephemeral port range (1024-65535) that clients use to receive responses. This is why the default NACL allows everything and why a freshly written custom NACL often breaks traffic until the ephemeral-port rule is added.
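Since every rule in a security group is an allow, the audit question is simply which rules admit the whole internet to something other than the web ports. The script below is an added example, not part of the lesson; SAMPLE_JSON mirrors the shape of `aws ec2 describe-security-groups` output and is constructed here (including the web-sg from above plus an assumed db-sg) so it runs offline.

```python
"""Audit security-group ingress for rules open to the whole internet,
as an added example (not from the lesson).

SAMPLE_JSON mirrors the shape of `aws ec2 describe-security-groups` output
and is constructed here; in practice read the real output with json.load.
Only ports 80 and 443 are treated as legitimately open to 0.0.0.0/0 or ::/0.
"""
import json

WORLD = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}

SAMPLE_JSON = """
{"SecurityGroups": [
  {"GroupId": "sg-12345678", "GroupName": "web-sg",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
     {"IpProtocol": "-1",
      "IpRanges": [], "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0app00001"}]}]},
  {"GroupId": "sg-0db000001", "GroupName": "db-sg",
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
]}
"""


def world_open_findings(security_groups):
    """Return one finding per (rule, CIDR) that exposes a non-web port to the
    whole internet. IpProtocol "-1" means every protocol and every port."""
    findings = []
    for group in security_groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            from_port = perm.get("FromPort")   # absent when proto is -1
            to_port = perm.get("ToPort")
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if cidr not in WORLD:
                    continue
                # Exact single-port tcp rules for 80/443 are the expected exposure.
                if proto == "tcp" and from_port == to_port and from_port in PUBLIC_OK_PORTS:
                    continue
                findings.append({
                    "group": group["GroupId"],
                    "name": group.get("GroupName", ""),
                    "protocol": "all" if proto == "-1" else proto,
                    "from_port": from_port if from_port is not None else 0,
                    "to_port": to_port if to_port is not None else 65535,
                    "cidr": cidr,
                })
    return findings


def audit_sample():
    """Run the audit over the constructed sample groups."""
    return world_open_findings(json.loads(SAMPLE_JSON)["SecurityGroups"])


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['group']} ({f['name']}): {f['protocol']} "
              f"{f['from_port']}-{f['to_port']} open to {f['cidr']}")
```

The rule that references another security group (sg-0app00001) carries no CIDR and is not flagged; that is the pattern to prefer for tier-to-tier traffic, since it follows the instances rather than an address range.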
Amazon CloudFront
CloudFront is AWS's Content Delivery Network (CDN): it caches content at edge locations and delivers it to users with low latency. Note that the configuration below leaves OriginAccessIdentity empty, so CloudFront fetches from the bucket anonymously and the bucket must be publicly readable; anyone who learns the bucket name can read it directly and bypass CloudFront entirely. For production, keep the bucket private and grant access through Origin Access Control (OAC) with a bucket policy scoped to the distribution's ARN. ForwardedValues and TrustedSigners are legacy fields; new distributions should use cache policies and trusted key groups instead.
Creating a CloudFront Distribution
aws cloudfront create-distribution \
--distribution-config file://dist-config.json
{
"CallerReference": "my-distribution-001",
"Comment": "My first CloudFront distribution",
"Origins": {
"Quantity": 1,
"Items": [{
"Id": "S3-origin",
"DomainName": "my-bucket.s3.amazonaws.com",
"S3OriginConfig": {
"OriginAccessIdentity": ""
}
}]
},
"DefaultCacheBehavior": {
"TargetOriginId": "S3-origin",
"ViewerProtocolPolicy": "redirect-to-https",
"TrustedSigners": {
"Enabled": false,
"Quantity": 0
},
"ForwardedValues": {
"QueryString": false,
"Cookies": { "Forward": "none" }
},
"MinTTL": 0
},
"Enabled": true
}
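To make the open-origin problem concrete, the script below places the relevant fields of the weak configuration above beside an assumed hardened version that uses Origin Access Control, lints both, and generates the matching bucket policy. This is an added example, not part of the lesson; the OAC ID, bucket name and distribution ARN are placeholders.

```python
"""Lint a CloudFront DistributionConfig for an open S3 origin, as an added
example (not from the lesson).

WEAK_CONFIG keeps the relevant fields of the lesson's config; HARDENED_CONFIG
is an assumed fix using Origin Access Control. The OAC ID, bucket name and
distribution ARN are placeholders.
"""
import json

WEAK_CONFIG = {
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "S3-origin",
        "DomainName": "my-bucket.s3.amazonaws.com",
        # Empty OAI: CloudFront reads the bucket anonymously, so the bucket
        # must be public and can be read directly, bypassing CloudFront.
        "S3OriginConfig": {"OriginAccessIdentity": ""},
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "S3-origin",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "Enabled": True,
}

HARDENED_CONFIG = {
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "S3-origin",
        "DomainName": "my-bucket.s3.us-east-1.amazonaws.com",
        # OAC requires the legacy OAI field to stay empty; the OAC is attached
        # to the origin itself (placeholder ID).
        "S3OriginConfig": {"OriginAccessIdentity": ""},
        "OriginAccessControlId": "E1EXAMPLEOAC",
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "S3-origin",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "Enabled": True,
}


def lint_distribution(config):
    """Return findings: S3 origins reachable without OAI/OAC, and cache
    behaviors that serve plain HTTP to viewers."""
    findings = []
    for origin in config["Origins"]["Items"]:
        if "S3OriginConfig" not in origin:
            continue  # custom (non-S3) origins are out of scope here
        has_oai = bool(origin["S3OriginConfig"].get("OriginAccessIdentity"))
        has_oac = bool(origin.get("OriginAccessControlId"))
        if not (has_oai or has_oac):
            findings.append(f"origin {origin['Id']}: no OAI or OAC, bucket must be public")
    behaviors = [config["DefaultCacheBehavior"]]
    behaviors += config.get("CacheBehaviors", {}).get("Items", [])
    for b in behaviors:
        if b.get("ViewerProtocolPolicy") == "allow-all":
            findings.append(f"behavior for {b['TargetOriginId']}: plain HTTP allowed to viewers")
    return findings


def oac_bucket_policy(bucket, distribution_arn):
    """Bucket policy that lets only this distribution read objects via OAC."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


if __name__ == "__main__":
    print("weak:    ", lint_distribution(WEAK_CONFIG))
    print("hardened:", lint_distribution(HARDENED_CONFIG))
    print(json.dumps(oac_bucket_policy(
        "my-bucket", "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"), indent=2))
```

The bucket policy is the half people forget: attaching an OAC to the origin only makes CloudFront sign its requests, and the bucket still returns 403 until a policy like the generated one allows the cloudfront.amazonaws.com service principal conditioned on that one distribution's ARN. With that in place, public access on the bucket can be blocked entirely.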
Amazon Route 53
Route 53 is AWS's scalable DNS and domain name registration service.
Creating a Hosted Zone
aws route53 create-hosted-zone \
--name example.com \
--caller-reference $(date +%s)
DNS Record Configuration
The alias record below points www.example.com at the CloudFront distribution. Z2FDTNDATAQYW2 is the fixed hosted zone ID that every CloudFront distribution uses in an alias target; do not substitute your own hosted zone's ID there. Alias records resolve at Route 53's edge, so no extra lookup is added and no TTL needs to be chosen.
aws route53 change-resource-record-sets \
--hosted-zone-id Z123456789ABC \
--change-batch file://record-set.json
{
"Changes": [{
"Action": "CREATE",
"ResourceRecordSet": {
"Name": "www.example.com",
"Type": "A",
"AliasTarget": {
"HostedZoneId": "Z2FDTNDATAQYW2",
"DNSName": "d123456789.cloudfront.net",
"EvaluateTargetHealth": false
}
}
}]
}
Common Pitfalls
- Overlapping CIDR blocks: Ensure your VPC CIDR doesn't overlap with networks you plan to connect via VPN or Direct Connect
- Misconfigured route tables: Public subnets need routes to Internet Gateways; private subnets typically route through NAT Gateways
- Security group defaults: a new security group has no inbound rules (all inbound denied) but an outbound rule that allows all traffic; add only the inbound ports you need, and tighten egress as well for hosts that should not reach the internet
- Costly data transfer: Cross-AZ data transfer incurs charges; design applications to minimize unnecessary data movement between AZs
- DNS caching: Route 53 pushes changes to its authoritative name servers within about a minute, but resolvers keep serving the old answer until the record's TTL expires; lower TTLs well ahead of a planned cutover and allow for the old TTL in deployment schedules
Summary
In this lesson, you learned how to build secure, scalable networking foundations in AWS. You now understand how to create VPCs with properly segmented subnets, configure internet connectivity, implement security controls, and optimize content delivery using CloudFront and Route 53. These networking concepts form the backbone that connects all your AWS services together.
Quiz
AWS Networking Fundamentals
What is the primary purpose of an Internet Gateway in AWS VPC?