Network Architecture
VPC/VNet Design
Virtual Private Cloud (AWS), Virtual Network (Azure), or VPC (GCP) is an isolated network environment in the cloud. Define an IP address range (CIDR block), create subnets, configure routing tables, and set up gateways. Foundation of cloud networking, providing network isolation and control.
Classless Inter-Domain Routing notation for IP ranges (e.g., 10.0.0.0/16 = 65,536 IPs). Plan address space for growth, avoid overlaps with on-premises or other VPCs for peering. RFC 1918 private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Larger blocks (smaller prefix) provide more flexibility.
Public subnets have a route to an internet gateway for direct internet access (web servers, load balancers). Private subnets (databases, application servers) have no direct internet route and reach the internet only via NAT. Place resources in private subnets by default for security.
Separate tiers into different subnets: web tier (public), application tier (private), data tier (private). Provides defense in depth with network segmentation. Use security groups and NACLs to control traffic between tiers. Standard pattern for secure application deployment.
Deploy subnets across multiple availability zones for high availability. Place load balancer, application instances, and database replicas in different AZs. Protects against AZ failure. Best practice for production workloads requiring 99.99%+ availability.
Private connection between two VPCs enabling resource communication using private IPs. Non-transitive (peering A-B and B-C does not let A reach C). No bandwidth bottleneck or single point of failure. Used for multi-VPC architectures, cross-account access, and connecting dev/prod environments.
Connectivity
Horizontally scaled, redundant, highly available VPC component enabling communication between a VPC and the internet. Required for public subnets. Performs NAT for instances with public IP addresses. One per VPC. Free to use, pay only for data transfer.
NAT Gateway is a managed service providing high bandwidth (45 Gbps), automatic scaling, and high availability within an AZ. NAT Instance is a self-managed EC2 instance offering more control but requiring manual HA setup and scaling. NAT Gateway preferred for production.
Encrypted IPsec connection between an on-premises network and a VPC over the public internet. Quick to set up (minutes), lower cost than Direct Connect but lower bandwidth (1.25 Gbps) and higher latency. Good for backup connectivity or non-critical workloads.
Dedicated private network connection from on-premises to cloud (AWS Direct Connect, Azure ExpressRoute, GCP Cloud Interconnect). Higher bandwidth (1-100 Gbps), lower latency, more consistent than VPN. Higher cost and longer setup time (weeks/months). For mission-critical workloads.
Cloud router connecting VPCs, VPNs, and Direct Connect with hub-and-spoke model. Simplifies network topology (transitive routing unlike VPC peering). Single gateway scales to thousands of VPCs. Supports inter-region peering. Reduces management overhead for complex networks.
Access AWS services, AWS PrivateLink services, and VPC endpoint services without internet gateway, NAT, VPN, or Direct Connect. Traffic stays on AWS network. Provides secure, private connectivity. Common for accessing S3, DynamoDB, and third-party SaaS privately.
Network Security
Virtual stateful firewalls controlling inbound/outbound traffic at instance/ENI level. Stateful: return traffic automatically allowed. Allow rules only (implicit deny). Up to 5 per instance. Default deny inbound, allow outbound. Best practice: least privilege with specific CIDR ranges.
Stateless subnet-level firewall evaluating inbound/outbound traffic independently. Numbered rules (100-32766) processed in order. Support allow and deny rules. Additional layer of defense after security groups. Default NACL allows all traffic. Useful for deny rules and subnet-level blocking.
Dividing network into multiple segments to limit blast radius of breaches. Use subnets, security groups, and NACLs to control traffic flow. Implement zero-trust principles with least privilege access. Segment by tier (web/app/data), environment (dev/staging/prod), or team.
Perimeter network exposing external-facing services while protecting internal network. Place bastion hosts, web servers, and load balancers in DMZ. Additional firewall layer between DMZ and internal network. Traditional security architecture pattern, less common with cloud security groups.
Hardened instance in public subnet providing secure SSH/RDP access to instances in private subnets. Only entry point for administrative access. Implement MFA, logging, and session recording. Alternative: AWS Systems Manager Session Manager eliminates need for bastion hosts.
Managed stateful firewall service (AWS Network Firewall, Azure Firewall) providing traffic filtering at VPC level. Supports IDS/IPS, domain filtering, and custom rules. Centralized inspection point for east-west and north-south traffic. Complements security groups and NACLs.
DNS Architecture
Highly available and scalable DNS web service. Supports multiple routing policies (simple, weighted, latency, failover, geolocation). Health checking and failover. Domain registration and DNSSEC. 100% uptime SLA. Foundation for disaster recovery and global traffic management.
Simple (single resource), Weighted (percentage split), Latency (lowest latency), Failover (active-passive DR), Geolocation (by user location), Geoproximity (by resource location), Multi-value (multiple healthy records, chosen at random), IP-based (CIDR routing). Choose based on requirements.
DNS zones for VPC internal domains not accessible from internet. Enables custom domain names for internal resources (db.internal.company.com). Associated with one or more VPCs. Supports split-horizon DNS (different resolution inside/outside VPC).
Different DNS responses based on query source (internal vs external). Internal queries resolve to private IPs, external to public IPs. Useful for hybrid environments and API endpoints needing different resolution. Implemented with public and private hosted zones.
Route 53 monitors endpoint health (HTTP, HTTPS, TCP) and removes unhealthy endpoints from DNS responses. Supports calculated health checks (AND/OR of child checks). Enables automatic DNS failover to a DR site. Critical component of a multi-region DR strategy.
How long DNS resolvers cache records (in seconds). Lower TTL (60s) enables faster changes but more DNS queries. Higher TTL (3600s) reduces DNS load but slower propagation. Use low TTL before planned changes, increase after. Balance responsiveness vs cost/load.
Network Topologies
Central hub network (VPC/VNet) connecting to multiple spoke networks. Hub contains shared services (firewall, VPN, Active Directory). Spokes are isolated workloads communicating through hub. Common with Transit Gateway or Virtual WAN. Centralizes management and security.
Every network directly connected to every other (full mesh). Simple routing but complex management (N*(N-1)/2 connections). Doesn't scale beyond a small number of networks. More common as a partial mesh, allowing some direct connections while others route through a hub.
Central node connected to all other nodes (similar to hub-and-spoke). Simple to add new nodes and troubleshoot. Central node is single point of failure unless redundant. Common in enterprise networks with core/distribution/access layers.
Resources deployed in multiple geographic regions connected via VPN, Direct Connect, or cloud backbone. Provides disaster recovery, compliance (data residency), and performance (lower latency). Complexity in data synchronization and failover orchestration.
Advanced Topics
OSI 7 layers (Physical, Data Link, Network, Transport, Session, Presentation, Application) vs TCP/IP 4 layers (Network Interface, Internet, Transport, Application). Understanding layer functions helps troubleshooting. Security groups (Layer 4), WAF (Layer 7), load balancers (Layer 4/7).
Protocol for exchanging routing information between autonomous systems. Used with Direct Connect for dynamic routing and failover. Advertise prefixes to control traffic flow. Support for AS_PATH prepending to influence routing. Complex but powerful for enterprise hybrid architectures.
128-bit addresses solving IPv4 exhaustion. All VPCs support dual-stack (IPv4 + IPv6). IPv6 is globally routable (no NAT needed). Use egress-only internet gateway for outbound IPv6. Adoption growing but IPv4 still dominant. Plan IPv6 strategy for future-proofing.
Access cloud services without internet traversal. VPC/VNet endpoints for PaaS services (S3, DynamoDB, Azure Storage). Keep traffic on cloud backbone. Improves security (no internet exposure) and performance (lower latency). Supported for many managed services.
Placement groups for low-latency HPC (cluster), high availability (spread), or balanced (partition). Enhanced networking (SR-IOV) for high bandwidth. Jumbo frames (MTU 9000) for large data transfers. TCP tuning for long-distance connections. Understand bandwidth limits per instance type.
Content Delivery Network caches content at edge locations close to users. CloudFront (AWS), Azure CDN, Cloud CDN (GCP) reduce latency and origin load. Supports static and dynamic content, streaming, and APIs. DDoS protection and WAF integration. Critical for global applications.
