
In my opinion, to be able to design great architectures, build any solution or troubleshoot any issue, it's very important to understand the AWS foundation, i.e. AWS Networking and AWS Security (specifically IAM). Hence I have built this course after 8+ years of experience working extensively in AWS and focusing specifically on AWS Networking. I hope you enjoy this course as much as I did in the process of making it.
It's important that you see the big picture before diving deep into individual AWS services. In this lecture, I have tried to cover most of the important AWS Networking services in a simple architecture where we deploy a 2-tier web application in AWS in a scalable and secure manner. This big picture will help you visualize and relate AWS services in a much better way.
Download course slides from the resources section of this lecture or by visiting the link shown in the video.
[Skip this section if you already have a working AWS account and want to use the same account for the hands-on exercises]
In this section we are going to:
1. Create a new AWS account so that you can use the $100 credits provided by AWS under the Free Tier (note: accounts created after 15th July 2025 get $100 credits instead of 12 months of free tier services)
2. Set up an AWS Budget to get notified when usage exceeds, say, $5 in monthly cost
3. Create an IAM user
4. Create an SSH key pair
5. Buy a public domain name and configure its DNS
[Skip this lecture if you already have an active AWS account]
In this lecture, let's dive deep into VPC subnets, route tables and the Internet Gateway. This lecture builds the foundation for designing the network architecture.
Try to play around with Network ACL rules and see how they impact inbound and outbound traffic.
In this lecture, I will demonstrate a few scenarios by modifying different Network ACL rules. There is an assignment on this at the end of the next section.
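To make the Network ACL scenarios concrete before you try them in the console, here is a small model of how a NACL evaluates a packet. This is an added example written for this page, not course material: it encodes the documented semantics (rules checked in ascending rule-number order, first match wins, the implicit '*' rule denies the rest, and no connection state, so a reply is judged on its own against the opposite direction's rules). The rule numbers, the 203.0.113.0/24 "office" range and the 198.51.100.7 client are constructed values.

```python
"""Model of how an AWS Network ACL evaluates traffic (added illustration, not course code).

Mirrors the documented semantics: rules are evaluated in ascending rule-number
order, the first matching rule decides, anything left over hits the implicit
'*' deny rule, and NACLs are stateless, so the reply to an allowed request is
evaluated separately against the rules for the opposite direction.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int       # evaluation order, lowest first
    protocol: str     # 'tcp', 'udp', 'icmp' or 'all'
    ports: tuple      # (from_port, to_port); only checked for tcp/udp rules
    cidr: str         # remote address range the rule applies to
    action: str       # 'allow' or 'deny'


@dataclass(frozen=True)
class Packet:
    protocol: str
    port: int         # destination port of this packet
    remote_ip: str    # the non-VPC side: source for inbound, destination for outbound


def evaluate(rules, packet):
    """Return 'allow' or 'deny' for one packet against one direction's rule list."""
    addr = ipaddress.ip_address(packet.remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ('all', packet.protocol):
            continue
        if rule.protocol in ('tcp', 'udp') and not (rule.ports[0] <= packet.port <= rule.ports[1]):
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action    # first match wins; later rules are never consulted
    return 'deny'             # the implicit '*' rule


# Constructed rule sets for a web subnet (203.0.113.0/24 is a documentation range
# standing in for an office network; 198.51.100.7 stands in for an internet client).
INBOUND = [
    Rule(100, 'tcp', (80, 80), '0.0.0.0/0', 'allow'),
    Rule(110, 'tcp', (22, 22), '203.0.113.0/24', 'allow'),
]
# Outbound that only allows HTTP: the server's replies never make it out.
OUTBOUND_NO_EPHEMERAL = [
    Rule(100, 'tcp', (80, 80), '0.0.0.0/0', 'allow'),
]
# Outbound that also allows the ephemeral port range clients receive replies on.
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_NO_EPHEMERAL + [
    Rule(110, 'tcp', (1024, 65535), '0.0.0.0/0', 'allow'),
]


def http_session_allowed(inbound, outbound, client_ip='198.51.100.7', client_port=54321):
    """Both the request and the reply must pass; a stateless NACL remembers neither."""
    request = Packet('tcp', 80, client_ip)          # client -> server:80
    reply = Packet('tcp', client_port, client_ip)   # server -> client:ephemeral
    return evaluate(inbound, request) == 'allow' and evaluate(outbound, reply) == 'allow'


if __name__ == '__main__':
    print('HTTP request from the internet:', evaluate(INBOUND, Packet('tcp', 80, '198.51.100.7')))
    print('SSH from the internet:', evaluate(INBOUND, Packet('tcp', 22, '198.51.100.7')))
    print('full HTTP session, no ephemeral rule:', http_session_allowed(INBOUND, OUTBOUND_NO_EPHEMERAL))
    print('full HTTP session, with ephemeral rule:', http_session_allowed(INBOUND, OUTBOUND_WITH_EPHEMERAL))
    # A deny rule only takes effect if its number is lower than the allow it should override.
    deny = Rule(90, 'tcp', (80, 80), '198.51.100.0/24', 'deny')
    print('same request with deny rule 90 added:', evaluate(INBOUND + [deny], Packet('tcp', 80, '198.51.100.7')))
```

The two outbound variants are the point: a security group would let the reply through automatically, but a NACL will not, which is why the ephemeral port range shows up in so many NACL configurations. The deny-rule experiment shows the other common surprise: a deny numbered higher than an existing allow never fires.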
Understand what NAT is and why it matters in network design. NAT provides outbound internet access for EC2 instances launched in a private subnet. This way, your instances are not exposed to the internet, yet they can still reach the internet for outbound traffic.
AWS creates a default VPC in every region so that you can launch EC2 instances and other VPC resources easily. However, in the real world you may not want to use the default VPC for your workloads; instead, you should create a custom VPC and configure the routing and security according to your application's needs.
This is our first exercise and it's very simple. Make sure you follow each step carefully and remember what we did, so that in the following exercises it will be easy for you to set things up quickly.
In this exercise, learn how to set up a VPC with a public subnet and connect to an EC2 instance launched in this subnet.
Here, we are not using the default VPC. In a real-world scenario, when you need a web application to be accessible over the internet, you will typically create this kind of setup. Optionally, you may choose to assign an Elastic IP to the EC2 instance instead of a public IP, as an Elastic IP remains associated with the instance even after an instance restart, and you can detach it and re-attach it to another EC2 instance.
In this exercise, learn how to set up a VPC with public and private subnets. We then create an EC2 instance in each subnet and connect to the private EC2 instance via the EC2 instance in the public subnet.
In real life, you would have web servers or public-facing instances in public subnets and application servers/database servers in private subnets. You can build your network as explained in this video and achieve the desired network security and isolation.
In this exercise, learn how to use a NAT Gateway to allow EC2 instances in a private subnet to access the internet.
In real life, you will have application servers/database servers in a private subnet that still need internet connectivity to download packages. For this, NAT can be used: it allows instances in the private subnet to reach the internet, while these instances cannot be reached from the internet.
In this exercise, learn how to set up VPC peering between 2 VPCs across AWS Regions. VPC Peering is a very important AWS networking feature by which you can create private connectivity between 2 VPCs. The EC2 instances in these VPCs can communicate with each other over private IP addresses.
With VPC Peering, you don't need a VPN connection, and there is no need to expose your applications over the internet if only other customers in AWS need to access them securely.
In this lecture, let's understand the VPC endpoint and VPC PrivateLink features. We will also see when and where to use these networking components.
In this exercise, we will see how to use a VPC endpoint gateway, which enables a private connection between a VPC and another AWS service (currently only S3 and DynamoDB). Once enabled, you do not require an IGW or NAT when EC2 needs to access S3 or DynamoDB in the same AWS region. The traffic between the VPC and the AWS service does not leave the Amazon network.
A VPC endpoint gateway scales automatically as more bandwidth is required and provides consistent bandwidth for S3 or DynamoDB access. Using a VPC endpoint gateway instead of the internet to access S3 also saves you considerable data transfer cost (and NAT charges).
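The subnet and route-table lecture, the NAT Gateway exercise and this gateway-endpoint lab all come down to one mechanism: which route a subnet's route table selects for a given destination. The following model, added here as an illustration and not part of the course, shows that selection for a public subnet, a private subnet behind a NAT Gateway, and the same private subnet after an S3 gateway endpoint has installed its prefix-list route. The gateway and endpoint ids (igw-example, nat-example, vpce-s3-example) and the prefix-list contents are constructed placeholders; the real S3 prefix list is regional and its entries differ.

```python
"""Model of VPC route-table selection for the public/private subnet design above
(added illustration, not course code; gateway and endpoint ids are constructed).

Every subnet is associated with one route table. A packet leaving the subnet
follows the most specific matching route (longest prefix), the 'local' route
covers the whole VPC CIDR, and a subnet counts as public only when its default
route points at an internet gateway. A gateway endpoint installs a route whose
destination is the service's managed prefix list, so traffic to S3 leaves via
the endpoint rather than the NAT gateway.
"""
import ipaddress

VPC_CIDR = '10.0.0.0/16'

# Constructed stand-in for the S3 managed prefix list (documentation ranges, not real S3 addresses).
PREFIX_LISTS = {'pl-s3-example': ['198.51.100.0/24', '203.0.113.0/24']}


def expand(destination):
    """A route destination is either a CIDR block or a managed prefix-list id."""
    if destination.startswith('pl-'):
        return [ipaddress.ip_network(c) for c in PREFIX_LISTS[destination]]
    return [ipaddress.ip_network(destination)]


def lookup(route_table, dest_ip):
    """Return the target of the most specific route matching dest_ip, or None if unroutable."""
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for destination, target in route_table:
        for net in expand(destination):
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
    return best[1] if best else None


def is_public(route_table):
    """AWS's definition: the subnet's default route goes to an internet gateway."""
    return any(dest == '0.0.0.0/0' and target.startswith('igw-') for dest, target in route_table)


# Constructed route tables (route = (destination, target)).
PUBLIC_RT = [
    (VPC_CIDR, 'local'),
    ('0.0.0.0/0', 'igw-example'),
]
PRIVATE_RT_NO_ENDPOINT = [
    (VPC_CIDR, 'local'),
    ('0.0.0.0/0', 'nat-example'),           # outbound only; nothing inbound is initiated through NAT
]
PRIVATE_RT = PRIVATE_RT_NO_ENDPOINT + [
    ('pl-s3-example', 'vpce-s3-example'),   # installed when the S3 gateway endpoint is created
]


if __name__ == '__main__':
    for name, rt in (('public', PUBLIC_RT), ('private (no endpoint)', PRIVATE_RT_NO_ENDPOINT), ('private', PRIVATE_RT)):
        print(f'{name}: public={is_public(rt)}, '
              f'to VPC host={lookup(rt, "10.0.2.15")}, '
              f'to internet={lookup(rt, "93.184.216.34")}, '
              f'to S3 range={lookup(rt, "198.51.100.9")}')
```

Run it and compare the "to S3 range" column before and after the endpoint route: the same private subnet stops sending S3 traffic through the NAT Gateway the moment the more specific prefix-list route exists, which is exactly where the data transfer and NAT savings come from. The model only covers traffic leaving a subnet; it does not model inbound reachability, which is governed by security groups and NACLs.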
In this lab, we will create a VPC interface endpoint to privately access the Amazon SQS service (PutMessage). More than 80 such AWS services can be accessed privately using VPC interface endpoints without requiring outbound internet connectivity through an IGW or NAT Gateway.
In this lab, we will understand the VPC PrivateLink architecture and create a sample Customer service which we will expose via PrivateLink.
By definition, AWS PrivateLink simplifies the security of data shared with cloud-based applications by eliminating the exposure of data to the public internet. AWS PrivateLink provides private connectivity between VPCs, AWS services, and on-premises applications, securely on the Amazon network. AWS PrivateLink makes it easy to connect services across different accounts and VPCs and significantly simplifies the network architecture.
In this exercise, we will host a web server service in a private subnet of one VPC and expose this service to a service consumer in another VPC.
In this lab (Part 2), we will create a PrivateLink for the Customer service that we created in Part 1 and then access the Customer service from the consumer VPC over the VPC PrivateLink.
Let's understand the basics of Hybrid connectivity in AWS and when and where you use Site-to-Site VPN connections.
Download the setup instructions PDF from the resources section of this lecture.
Download the setup instructions PDF from the resources section of this lecture.
In this lecture, let's understand the functionality of the Transit Gateway and what problem it solves.
Let's see how the Transit Gateway routes traffic across the attachments and how routes are propagated into the default route table.
AWS Transit Gateway is a service that enables customers to connect their Amazon Virtual Private Clouds (VPCs) and their on-premises networks to a single gateway. As you grow the number of workloads running on AWS, you need to be able to scale your networks across multiple accounts and Amazon VPCs to keep up with the growth. Today, you can connect pairs of Amazon VPCs using peering. However, managing point-to-point connectivity across many Amazon VPCs, without the ability to centrally manage the connectivity policies, can be operationally costly and cumbersome. For on-premises connectivity, you need to attach your AWS VPN to each individual Amazon VPC. This solution can be time consuming to build and hard to manage when the number of VPCs grows into the hundreds.
In this exercise, instead of using the default route table of the Transit Gateway, we will create attachment-specific route tables and manually add routes in these route tables to selectively allow connectivity between the VPCs.
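The reason attachment-specific route tables give you selective connectivity is that each attachment is associated with exactly one table, and that table only knows the CIDRs that were propagated or statically added to it. The model below, an added example rather than course code, builds three VPC attachments with one table each so that A and B can talk, B and C can talk, but A and C cannot. The attachment ids and CIDRs are constructed; the static-route check at the end shows that adding a route in one direction only is not enough, because the return traffic is routed by the other attachment's table.

```python
"""Model of Transit Gateway routing with attachment-specific route tables
(added illustration, not course code; attachment ids and CIDRs are constructed).

Each attachment is associated with exactly one TGW route table, and that table
is consulted for traffic arriving from the attachment. A VPC's CIDR shows up in
a table only where it is propagated (or added as a static route), so giving
each attachment its own table and propagating selectively limits which VPCs
can reach which. Routing is per direction, so A can reach B only if A's
table knows B and B's table knows A.
"""
import ipaddress

# Constructed attachments: attachment id -> the attached VPC's CIDR.
ATTACHMENTS = {
    'tgw-attach-a': '10.1.0.0/16',
    'tgw-attach-b': '10.2.0.0/16',
    'tgw-attach-c': '10.3.0.0/16',
}


class TransitGateway:
    def __init__(self):
        self.tables = {}         # route table name -> list of (cidr, target attachment)
        self.association = {}    # attachment id -> route table it is associated with

    def create_table(self, name):
        self.tables[name] = []

    def associate(self, attachment, table):
        self.association[attachment] = table

    def propagate(self, attachment, table):
        """Propagation copies the attachment's CIDR into the table as a route to it."""
        self.tables[table].append((ATTACHMENTS[attachment], attachment))

    def add_static_route(self, table, cidr, attachment):
        self.tables[table].append((cidr, attachment))

    def route(self, from_attachment, dest_ip):
        """Return the attachment a packet is forwarded to, or None when no route exists."""
        table = self.tables[self.association[from_attachment]]
        addr = ipaddress.ip_address(dest_ip)
        best = None
        for cidr, target in table:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, target)
        return best[1] if best else None

    def reachable(self, src, dst):
        """Two-way check: the first host of each VPC must route to the other attachment."""
        dst_ip = ipaddress.ip_network(ATTACHMENTS[dst])[1]
        src_ip = ipaddress.ip_network(ATTACHMENTS[src])[1]
        return self.route(src, str(dst_ip)) == dst and self.route(dst, str(src_ip)) == src


def build_selective_tgw():
    """A <-> B and B <-> C are allowed; A and C never see each other."""
    tgw = TransitGateway()
    for att in ATTACHMENTS:
        table = 'rt-' + att[-1]          # rt-a, rt-b, rt-c: one table per attachment
        tgw.create_table(table)
        tgw.associate(att, table)
    tgw.propagate('tgw-attach-b', 'rt-a')    # A learns only B
    tgw.propagate('tgw-attach-a', 'rt-b')    # B learns A and C
    tgw.propagate('tgw-attach-c', 'rt-b')
    tgw.propagate('tgw-attach-b', 'rt-c')    # C learns only B
    return tgw


if __name__ == '__main__':
    tgw = build_selective_tgw()
    for src in ATTACHMENTS:
        for dst in ATTACHMENTS:
            if src != dst:
                print(f'{src} -> {dst}: {"reachable" if tgw.reachable(src, dst) else "blocked"}')
```

Contrast this with the default route table of the earlier lecture, where every attachment is associated with, and propagates into, the same table, so all VPCs reach all VPCs. Security groups and NACLs in each VPC still apply on top of what the Transit Gateway routes.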
Launch a simple web server using EC2 and then allocate and assign an Elastic IP to this EC2 instance. At this point you can access your website using the static public IP.
Let's access this web server using our own public domain name. For this, we will be using the Amazon Route53 DNS service.
In this exercise, we will see how to use Route53 to achieve AWS Region level failover. As you already know, we can use an ELB with backend EC2 instances to achieve high availability within the same AWS region. However, it is often required to distribute your workloads across AWS regions, e.g. for failover, country-specific regulations, providing lower latency to end users, etc. In this case, we need to manage the traffic at the DNS level, and this is done using the different Route53 routing policies.
In this exercise, we will be using the Failover routing policy, where we configure the primary and secondary sites in different AWS regions and then simulate a primary site failure, which results in DNS switching to the secondary site.
In this lecture, we will see how to host a static website on S3. However, AWS provides its own AWS DNS name for the website, hence we need to map our own domain name to the AWS-provided DNS name. This is done using the AWS Route53 service. For this exercise, I got my domain from GoDaddy and updated the GoDaddy DNS to resolve to AWS Route53 DNS. Then I added a record set in AWS Route53 to point my custom domain to S3.
Note that AWS S3 does not provide a single IP address for websites hosted on S3, hence we have to use a Route53 Alias record set to point our domain name to the S3 DNS name.
In this lecture, we will see how to enable HTTPS for websites hosted on S3. In the last lecture we hosted a static website on S3; however, we can't make it HTTPS as S3 does not support uploading SSL certificates. For this we need CloudFront (CDN), which acts as a front end for our website. We can deploy an SSL certificate on CloudFront, and it also caches static content like pictures/media, giving users a better experience by serving the content from the nearest edge location.
For this exercise, you need to have your own domain name. You can buy one either from AWS or from any other domain registrar like GoDaddy or Namecheap. To learn how to redirect your DNS queries from the domain registrar to AWS Route53, please refer to the Pre-requisites section.
This course aims to build a complete understanding of Amazon Virtual Private Cloud (VPC) and networking from the ground up, where you will understand the AWS networking concepts in depth, not just theoretically but by actually performing hands-on exercises for all the networking components.
I am sure this course will take your networking knowledge and experience to a different level, where you can confidently design and implement networking components on your own. And believe me, it's one of the most important skills to have to be successful in your AWS journey.
1. Understanding AWS Networking in depth
Physical on premises networking vs AWS VPC
Getting familiar with Amazon VPC terminologies - VPC, Subnets, Route tables, Internet Gateway, Security Group, Network ACL
Understanding VPC CIDR
Understanding Subnets and Route Tables
Public Subnet vs Private Subnet
Understanding NAT (Network Address Translation) Concept
NAT Gateway and NAT instance
AWS Private Connectivity options
Understanding VPC Peering
VPC Endpoint and Privatelink for private connectivity to AWS Services
VPN connection / Direct Connect
Transit Gateway
AWS Client VPN
2. AWS Networking Hands-on exercises (Basics to Advanced)
Create VPC with single public subnet, launch EC2 instance and connect over internet
Create VPC with Public and Private subnet, connect to EC2 instance in Private subnet via EC2 instance in Public subnet
Create NAT Gateway and allow EC2 instances in Private subnet to access internet through NAT Gateway
Create VPC Peering between VPCs across AWS regions and connect to EC2 instance over private IP by using VPC peering connection
Create VPC endpoint gateway for S3 and access S3 contents from EC2 instance in Private subnet without requiring internet connection
Create and use VPC Private Link to expose your Web service privately to application hosted in another VPC
Implement AWS region level failover using AWS Route53
Hosting website on S3 using custom domain name from GoDaddy
Hosting HTTPS enabled website using S3 and CloudFront
Advanced Networking: Setup Site-To-Site VPN between AWS VPC and simulated on-premise network
Transit Gateway - Setup communication between multiple VPCs
AWS Client VPN end-to-end set up and exploring features like Split Tunnel and accessing remote networks via Client VPN connection
Additional exercises:
Application Load Balancer - distribute traffic to backend EC2 instances
Enable Sticky session on ALB
Enable HTTPS on Application Load Balancer
ALB Path based Routing
AWS CloudFormation template to deploy VPC and related resources in an automated manner
Note:
This course does not cover all the details, limits and "what if" kind of content required to prepare for the AWS networking certification exam; instead, it focuses on understanding the core concepts by doing hands-on exercises.