AWS Networking Guide: Complete Architecture Reference

Amazon Web Services offers the most comprehensive networking portfolio in the cloud. This guide covers VPC fundamentals through advanced architectures—Transit Gateway, Direct Connect, Global Accelerator, and everything in between.

VPC Fundamentals

The Virtual Private Cloud (VPC) is the foundation of AWS networking. Every resource runs in a VPC, and understanding VPC architecture is essential:

VPC Components

• CIDR Block: Private IP range (e.g., 10.0.0.0/16). Can add secondary CIDRs later.
• Subnets: Subdivisions of the VPC CIDR, each in a single Availability Zone
• Route Tables: Control traffic flow between subnets and to gateways
• Internet Gateway (IGW): NAT and routing for public internet access
• NAT Gateway: Outbound internet for private subnets

VPC Design Best Practices

• Size appropriately: Use /16 for production VPCs; smaller for dev/test
• Plan for peering: Avoid overlapping CIDRs with other VPCs or on-premise networks
• Multi-AZ: Always deploy subnets in at least 2 AZs for high availability
• Tiered architecture: Separate public (LB), private (app), and data (DB) subnets

# Example VPC structure
VPC: 10.0.0.0/16
├── Public Subnets (ALB, NAT GW)
│   ├── 10.0.1.0/24 (AZ-a)
│   └── 10.0.2.0/24 (AZ-b)
├── Private Subnets (App servers)
│   ├── 10.0.10.0/24 (AZ-a)
│   └── 10.0.11.0/24 (AZ-b)
└── Data Subnets (RDS, ElastiCache)
    ├── 10.0.20.0/24 (AZ-a)
    └── 10.0.21.0/24 (AZ-b)

Security Groups and NACLs

Security Groups

Security groups are stateful firewalls attached to ENIs (network interfaces):

• Allow-only rules: No explicit deny; unlisted traffic is denied by default
• Stateful: Return traffic is automatically allowed
• Reference other SGs: "Allow TCP/443 from sg-webservers" for cleaner rules

Network ACLs

NACLs are stateless firewalls at the subnet level:

• Numbered rules: Evaluated in order; first match wins
• Stateless: Must allow return traffic explicitly (ephemeral ports 1024-65535)
• Use sparingly: Complex NACLs are hard to maintain; prefer security groups

See our security checklist for comprehensive security guidance.

Elastic Load Balancing

AWS offers three types of load balancers for different use cases:

Application Load Balancer (ALB)

• Layer 7: HTTP/HTTPS routing based on path, host, headers
• Features: WebSocket, HTTP/2, authentication integration
• Target types: Instances, IP addresses, Lambda functions
• Use for: Web applications, microservices, containerized workloads

Network Load Balancer (NLB)

• Layer 4: TCP/UDP load balancing
• Performance: Millions of requests/second, ultra-low latency
• Static IP: Supports Elastic IPs for fixed entry points
• Use for: TCP services, gaming, IoT, extreme performance requirements

Gateway Load Balancer (GWLB)

• Transparent: Inline appliance insertion for firewalls, IDS/IPS
• Use for: Third-party virtual appliances at scale

For detailed comparison, see L4 vs L7 routing.

Transit Gateway

Transit Gateway (TGW) is a regional network hub that connects VPCs and on-premise networks:

Architecture

• Hub-and-spoke: Replace N² peering connections with N connections to TGW
• Route tables: Control which attachments can communicate
• Cross-region peering: Connect TGWs in different regions
• Multicast: Supports IP multicast across VPCs

                 ┌─────────────────┐
                 │ Transit Gateway │
                 └────────┬────────┘
         ┌───────────┬────┴────┬───────────┐
         ▼           ▼         ▼           ▼
    ┌────────┐ ┌────────┐ ┌────────┐ ┌────────────┐
    │ VPC A  │ │ VPC B  │ │ VPC C  │ │ On-Premise │
    │ (Prod) │ │ (Dev)  │ │ (Test) │ │ (DC)       │
    └────────┘ └────────┘ └────────┘ └────────────┘

Route Table Segmentation

Use multiple TGW route tables for network segmentation:

• Production route table: Prod VPCs + shared services + on-premise
• Development route table: Dev VPCs + shared services only
• Inspection route table: Route through security VPC for firewall

VPC Connectivity Options

VPC Peering

• Direct connection: Non-transitive, point-to-point between two VPCs
• Cross-region: Works across regions (traffic encrypted in transit)
• Limit: No overlapping CIDRs, not transitive (A-B, B-C doesn't mean A-C)
• Best for: Simple two-VPC connectivity, cross-account sharing

PrivateLink (VPC Endpoints)

• Gateway endpoints: For S3 and DynamoDB (free, route table based)
• Interface endpoints: ENIs for other services ($0.01/hour + data)
• Endpoint services: Expose your services to other VPCs via PrivateLink

Hybrid Connectivity

AWS Site-to-Site VPN

• Setup: Virtual Private Gateway (VGW) or Transit Gateway attachment
• Tunnels: Two tunnels per VPN for redundancy
• Routing: Static routes or BGP dynamic routing
• Bandwidth: Up to 1.25 Gbps per tunnel

AWS Direct Connect

Private, dedicated connection to AWS:

• Port speeds: 1 Gbps, 10 Gbps, 100 Gbps
• Virtual interfaces: Private VIF (VPCs), Public VIF (AWS public services), Transit VIF (Transit Gateway)
• Latency: Consistent, lower than internet VPN
• Cost: Port fee + data transfer (cheaper than internet egress)

# Direct Connect + Transit Gateway architecture
On-Premise → Direct Connect Location → Direct Connect Gateway → Transit Gateway(s) → VPCs

For BGP configuration, see BGP best practices.

Global Networking

AWS Global Accelerator

• Anycast IPs: Two static IPs route to nearest AWS edge
• AWS backbone: Traffic travels over Amazon's private network
• Health checks: Automatic failover between regions
• Use for: Global applications, gaming, APIs requiring consistent latency

Amazon CloudFront

• Edge locations: 400+ points of presence worldwide
• Origin types: S3, ALB, EC2, custom origins
• Lambda@Edge: Run code at edge locations
• Use for: Static content, dynamic content acceleration, API caching

Route 53

• Routing policies: Simple, weighted, latency, geolocation, failover, multivalue
• Health checks: HTTP, HTTPS, TCP with configurable thresholds
• Private hosted zones: DNS resolution within VPCs
• Resolver: Hybrid DNS for on-premise integration

Network Performance

Instance Networking

• Enhanced Networking (ENA): Up to 100 Gbps, SR-IOV based
• Elastic Fabric Adapter (EFA): HPC workloads, bypass kernel networking
• Placement Groups: Cluster for low latency, spread for availability

Bandwidth Considerations

• Instance type determines bandwidth: t3.micro: baseline 5 Gbps; p4d: 400 Gbps
• NAT Gateway: 45 Gbps max per gateway
• VPC endpoints: 10 Gbps per endpoint (can be higher with multiple)

Monitoring and Troubleshooting

• VPC Flow Logs: Capture traffic metadata (source/dest IP, port, action)
• Traffic Mirroring: Copy packets to analysis tools
• Reachability Analyzer: Trace path and identify blockers
• Network Access Analyzer: Verify network access matches intent

Key Takeaways

• Design VPCs with non-overlapping CIDRs for future connectivity
• Use Transit Gateway for hub-and-spoke multi-VPC architectures
• Direct Connect provides consistent, lower-cost hybrid connectivity
• Global Accelerator improves global application performance
• Choose ALB for HTTP workloads, NLB for TCP/UDP and extreme performance