AWS - Networking
1. Foundational Virtual Networking
These services are the core building blocks for creating your own private network within the AWS cloud.
- Amazon VPC (Virtual Private Cloud): This is the fundamental service that lets you carve out a logically isolated section of the AWS Cloud. You define your own virtual network, control your IP address range, create subnets, and configure route tables and network gateways, giving you complete control over your virtual networking environment.
- Subnets, Route Tables, and Gateways: Within a VPC, you create Subnets (public or private ranges of IP addresses) to segment your resources. Route Tables determine where network traffic from your subnets is directed. An Internet Gateway allows public subnets to communicate with the internet, while a NAT Gateway enables instances in a private subnet to initiate outbound traffic to the internet without being directly reachable.
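The public/private distinction above comes down to what a subnet's route table does with traffic it cannot deliver locally. The following added example (not part of the original page, and not AWS code) simulates how a route table is consulted: AWS picks the most specific matching route, so the VPC's own "local" route always wins for in-VPC destinations, a 0.0.0.0/0 route to an internet gateway makes the subnet public, a 0.0.0.0/0 route to a NAT gateway gives outbound-only access, and a subnet with no default route simply drops internet-bound traffic. The gateway IDs are constructed placeholders.

```python
import ipaddress

# Constructed route tables modelled on a typical two-tier VPC layout.
# Gateway IDs are hypothetical placeholders, not real resources.
VPC_CIDR = "10.0.0.0/16"

PUBLIC_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),                 # intra-VPC traffic
    ("0.0.0.0/0", "igw-0abc123EXAMPLE"),      # default route -> internet gateway
]

PRIVATE_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "nat-0def456EXAMPLE"),      # default route -> NAT gateway (outbound only)
]

ISOLATED_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),                 # no default route at all
]

HYBRID_ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("10.0.0.0/8", "vgw-0123abcdEXAMPLE"),    # rest of corporate 10/8 via a VPN gateway
    ("0.0.0.0/0", "nat-0def456EXAMPLE"),
]


def resolve_route(route_table, destination_ip):
    """Return the target for destination_ip using most-specific-prefix matching,
    which is how a VPC route table chooses among overlapping routes.
    Returns None when no route matches, i.e. the packet is dropped."""
    dest = ipaddress.ip_address(destination_ip)
    best_prefix, best_target = -1, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dest in net and net.prefixlen > best_prefix:
            best_prefix, best_target = net.prefixlen, target
    return best_target


def is_public_subnet(route_table):
    """A subnet is public when its route table sends traffic to an internet
    gateway; otherwise instances in it are not directly reachable from outside."""
    return any(target.startswith("igw-") for _, target in route_table)


def classify_egress(route_table, destination_ip):
    """Human-readable description of where traffic to destination_ip goes."""
    target = resolve_route(route_table, destination_ip)
    if target is None:
        return "dropped (no matching route)"
    if target == "local":
        return "delivered inside the VPC"
    if target.startswith("igw-"):
        return "internet via internet gateway (bidirectional)"
    if target.startswith("nat-"):
        return "internet via NAT gateway (outbound-initiated only)"
    return f"forwarded to {target}"


if __name__ == "__main__":
    for name, table in [("public", PUBLIC_ROUTE_TABLE), ("private", PRIVATE_ROUTE_TABLE),
                        ("isolated", ISOLATED_ROUTE_TABLE), ("hybrid", HYBRID_ROUTE_TABLE)]:
        for ip in ("10.0.5.7", "10.20.0.1", "203.0.113.9"):
            print(f"{name:8s} -> {ip:12s}: {classify_egress(table, ip)}")
```

The hybrid table shows the longest-prefix rule in action: 10.0.5.7 matches both 10.0.0.0/16 and 10.0.0.0/8, and the /16 local route wins, while 10.20.0.1 only matches the /8 and is sent to the VPN gateway.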
2. Connectivity to AWS
These services connect your VPCs to each other and to your on-premises data centers.
- AWS Direct Connect: Establishes a dedicated, private physical network connection from your on-premises data center directly to AWS. This provides a more consistent, low-latency, and secure connection than internet-based connections.
- AWS Site-to-Site VPN: Creates a secure, encrypted connection (a VPN tunnel) between your on-premises network and your VPCs over the public internet. It's a cost-effective and quick way to establish a hybrid network.
- AWS Transit Gateway: Acts as a central cloud router to simplify your network architecture. Instead of creating complex peering connections between many VPCs and on-premises networks, you connect them all to a single Transit Gateway, dramatically simplifying management and scalability.
- AWS PrivateLink: Provides secure, private connectivity between your VPCs, AWS services, and on-premises applications without exposing your traffic to the public internet. Traffic stays entirely within the AWS network, enhancing security.
3. DNS and Content Delivery
These services are focused on routing users to your applications and delivering content with high performance globally.
- Amazon Route 53: A highly available and scalable Domain Name System (DNS) web service. It translates human-readable domain names (like www.example.com) into IP addresses. It can also perform health checks on your resources and supports advanced routing policies, such as latency-based or geolocation-based routing, to direct users to the best-performing endpoint.
- Amazon CloudFront: A global Content Delivery Network (CDN) that dramatically speeds up the delivery of your websites, APIs, and video content. It caches content in edge locations around the world, so users get data from a location closer to them, resulting in lower latency and higher transfer speeds.
4. Load Balancing
These services automatically distribute incoming traffic across multiple targets to ensure high availability and fault tolerance.
- Elastic Load Balancing (ELB): The collective name for the service, which offers three main types:
- Application Load Balancer (ALB): Operates at the application layer (Layer 7) and is best for HTTP/HTTPS traffic. It can make intelligent, content-based routing decisions for modern architectures like microservices.
- Network Load Balancer (NLB): Operates at the transport layer (Layer 4) and is designed for extreme performance. It's ideal for TCP/UDP traffic where ultra-low latency is critical.
- Gateway Load Balancer (GWLB): Allows you to easily deploy, scale, and manage third-party virtual network appliances like firewalls and intrusion detection systems.
5. Network Security
These services are designed to protect your VPCs, resources, and applications from threats.
- Security Groups and Network ACLs (NACLs): These are the two primary virtual firewalls. Security Groups are stateful and control traffic at the instance level. NACLs are stateless and control traffic at the subnet level, acting as an additional layer of defense.
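The stateful/stateless difference has a practical consequence that bites people in production: a NACL that allows inbound HTTPS but has no outbound rule for the ephemeral return ports silently breaks every connection, whereas a security group tracks the connection and lets the reply through. The added example below (written for this page, not AWS code) models both evaluation styles: security groups evaluate every rule and permit return traffic of a tracked connection, NACLs evaluate numbered rules lowest-first with first-match-wins and an implicit deny. All rules, addresses and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp" or "-1" for all traffic
    port_from: int         # destination port range (ignored when protocol is "-1")
    port_to: int
    cidr: str              # source CIDR for inbound rules, destination CIDR for outbound
    action: str = "allow"  # NACLs support allow/deny; security groups only allow
    number: int = 0        # NACL rule number; unused for security groups


def _matches(rule, remote_ip, dst_port, protocol):
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not (rule.port_from <= dst_port <= rule.port_to):
        return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)


class NetworkAcl:
    """Stateless, subnet-level filter: rules evaluated in ascending number order,
    first match decides, implicit deny when nothing matches. Every packet,
    including the reply half of a connection, is judged on its own."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, direction, flow):
        rules = self.inbound if direction == "in" else self.outbound
        remote_ip = flow.src_ip if direction == "in" else flow.dst_ip
        for rule in rules:
            if _matches(rule, remote_ip, flow.dst_port, flow.protocol):
                return rule.action == "allow"
        return False


class SecurityGroup:
    """Stateful, instance-level filter: any matching allow rule permits the
    packet (there are no deny rules), and the reply to an allowed connection
    is permitted automatically regardless of the rules in the other direction."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._tracked = set()  # 5-tuples of connections already allowed

    def evaluate(self, direction, flow):
        key = (flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port, flow.protocol)
        reverse = (flow.dst_ip, flow.dst_port, flow.src_ip, flow.src_port, flow.protocol)
        if reverse in self._tracked:
            return True  # return traffic of a tracked connection
        rules = self.inbound if direction == "in" else self.outbound
        remote_ip = flow.src_ip if direction == "in" else flow.dst_ip
        if any(_matches(r, remote_ip, flow.dst_port, flow.protocol) for r in rules):
            self._tracked.add(key)
            return True
        return False


def https_session(filter_, client_ip="203.0.113.5", client_port=51234, server_ip="10.0.1.10"):
    """Simulate one client->server HTTPS request and the server's reply.
    Returns (request_allowed, reply_allowed); a reply only exists if the
    request got through."""
    request = Flow(client_ip, client_port, server_ip, 443)
    if not filter_.evaluate("in", request):
        return (False, False)
    reply = Flow(server_ip, 443, client_ip, client_port)
    return (True, filter_.evaluate("out", reply))


# Constructed rule sets.
ALLOW_HTTPS_IN = Rule("tcp", 443, 443, "0.0.0.0/0", number=100)
ALLOW_EPHEMERAL_OUT = Rule("tcp", 1024, 65535, "0.0.0.0/0", number=100)  # return ports
DENY_BAD_RANGE = Rule("tcp", 443, 443, "198.51.100.0/24", "deny", number=50)

if __name__ == "__main__":
    print("security group, no outbound rules:", https_session(SecurityGroup([ALLOW_HTTPS_IN], [])))
    print("NACL with ephemeral outbound:     ", https_session(NetworkAcl([ALLOW_HTTPS_IN], [ALLOW_EPHEMERAL_OUT])))
    print("NACL missing ephemeral outbound:  ", https_session(NetworkAcl([ALLOW_HTTPS_IN], [])))
```

Because NACL rule numbers are evaluated in order, a deny rule numbered below an allow rule blocks the matching source even though the allow rule would otherwise match; security groups have no such ordering because they have no deny rules at all.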
- AWS WAF (Web Application Firewall): Protects your web applications from common web exploits like SQL injection and cross-site scripting. It inspects incoming HTTP/HTTPS requests before they reach your application.
- AWS Shield: A managed Distributed Denial of Service (DDoS) protection service. Shield Standard is enabled by default for all customers at no extra cost, while Shield Advanced offers more sophisticated protections for a fee.
- VPC Flow Logs: Captures information about the IP traffic going to and from network interfaces in your VPC, providing valuable data for security monitoring and troubleshooting.
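Flow log records are plain space-separated lines, so the monitoring value described above is easy to extract without extra tooling. The added example below (not from the original page or from AWS) parses records in the default version 2 layout, skips NODATA/SKIPDATA records, and runs two defender checks over them: sources whose rejected attempts fan out across several destination ports, and accepted SSH/RDP connections from addresses outside the organisation's internal ranges, which usually means a security group or NACL is more open than intended. The log lines, account and interface IDs are constructed sample data.

```python
import ipaddress

# Default (version 2) VPC Flow Log record layout, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records; account and interface IDs are placeholders.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3dEXAMPLE 203.0.113.12 10.0.1.10 51102 443 6 10 4200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3dEXAMPLE 198.51.100.7 10.0.1.10 40211 22 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3dEXAMPLE 198.51.100.7 10.0.1.10 40212 23 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3dEXAMPLE 198.51.100.7 10.0.1.10 40213 3389 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3dEXAMPLE 10.0.2.20 10.0.1.10 55000 5432 6 30 12000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3dEXAMPLE 192.0.2.44 10.0.1.10 60001 22 6 12 2000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3dEXAMPLE - - - - - - - 1700000000 1700000060 - NODATA
"""

# Ranges considered internal for the "from the internet" check. Assumed RFC 1918;
# adjust to the VPC and on-premises CIDRs actually in use.
INTERNAL_CIDRS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
ADMIN_PORTS = {22, 3389}  # SSH and RDP


def parse_flow_log(text):
    """Parse version 2 records into dicts, dropping records without data."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # custom-format or truncated line; not handled here
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry "-" in the traffic fields
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def is_internal(ip, internal_cidrs=INTERNAL_CIDRS):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in internal_cidrs)


def rejected_sources(records, min_distinct_ports=3):
    """Sources whose REJECTed attempts touched at least min_distinct_ports
    distinct destination ports, a pattern worth a look in monitoring."""
    ports_by_src = {}
    for rec in records:
        if rec["action"] == "REJECT":
            ports_by_src.setdefault(rec["srcaddr"], set()).add(rec["dstport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= min_distinct_ports}


def accepted_admin_from_outside(records, internal_cidrs=INTERNAL_CIDRS):
    """ACCEPTed flows to SSH/RDP from non-internal sources: evidence that a
    security group or NACL exposes an administrative port more widely than
    intended. Returns (srcaddr, dstaddr, dstport) tuples."""
    return [(rec["srcaddr"], rec["dstaddr"], rec["dstport"])
            for rec in records
            if rec["action"] == "ACCEPT"
            and rec["dstport"] in ADMIN_PORTS
            and not is_internal(rec["srcaddr"], internal_cidrs)]


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    print(f"{len(recs)} usable records")
    print("multi-port rejects:", rejected_sources(recs))
    print("admin ports reachable from outside:", accepted_admin_from_outside(recs))
```

The internal-range check is deliberately explicit rather than relying on Python's `is_global`/`is_private` flags, which classify the documentation ranges used in the sample (192.0.2.0/24 and friends) as private and would hide the finding.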