AWS Direct Connect provides dedicated, private network connections from on-premises to AWS, bypassing the public internet. It offers consistent latency and can be used for compliance requirements.
Connection types
| Type | Speed | How to get |
|---|---|---|
| Dedicated connection | 1, 10, 100 Gbps | Order directly from AWS. Physical port at a DX location. Takes weeks to provision. |
| Hosted connection | 50 Mbps – 10 Gbps | Ordered via a DX partner who shares their dedicated port. Faster provisioning. |
Virtual Interfaces (VIFs)
| VIF Type | Connects to | Use case |
|---|---|---|
| Private VIF | VPC (via VGW or TGW) | Access resources in a single VPC using private IPs |
| Transit VIF | Direct Connect Gateway → Transit Gateway | Access multiple VPCs/regions via a single connection |
| Public VIF | AWS public services (S3, DynamoDB, SQS…) | Reach AWS public endpoints over private path — bypasses internet |
Resiliency models
```text
Maximum resiliency (recommended for critical workloads):
├── DX Location A — Connection 1 → VGW/TGW
├── DX Location A — Connection 2 → VGW/TGW
├── DX Location B — Connection 3 → VGW/TGW
└── DX Location B — Connection 4 → VGW/TGW

High resiliency:
├── DX Location A — Connection 1 → VGW/TGW
└── DX Location B — Connection 2 → VGW/TGW

Development (non-critical only):
└── DX Location A — Connection 1 + VPN backup → VGW/TGW
```
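Added example (not from the original page): given connections in the shape of `aws directconnect describe-connections` output, work out which of the resiliency models above they actually satisfy. The sample data is constructed, and `vpn_backup` is an assumed caller-supplied flag, since the DX API does not know about your VPN.

```python
from collections import Counter

# Constructed sample shaped like `aws directconnect describe-connections`
# output (real field names, invented values). Two DX locations, but one of
# the location-B connections is currently down.
SAMPLE_CONNECTIONS = [
    {"connectionId": "dxcon-aaaa0001", "location": "EqDC2", "connectionState": "available"},
    {"connectionId": "dxcon-aaaa0002", "location": "EqDC2", "connectionState": "available"},
    {"connectionId": "dxcon-bbbb0003", "location": "CSVA1", "connectionState": "available"},
    {"connectionId": "dxcon-bbbb0004", "location": "CSVA1", "connectionState": "down"},
]


def classify_resiliency(connections, vpn_backup=False):
    """Map a set of DX connections onto the resiliency models above.

    Returns "maximum", "high", "development" or "none". Only connections in
    the 'available' state count: a provisioned-but-down port adds nothing
    until it is back, which is exactly the moment this check matters.
    """
    usable = [c for c in connections if c.get("connectionState") == "available"]
    per_location = Counter(c["location"] for c in usable)
    if len(per_location) >= 2 and all(n >= 2 for n in per_location.values()):
        return "maximum"          # 2 locations x 2 connections
    if len(per_location) >= 2:
        return "high"             # 1 connection at each of 2 locations
    if len(per_location) == 1 and vpn_backup:
        return "development"      # single location, VPN as backup (assumed flag)
    return "none"                 # single location with no backup, or nothing up


def weakest_location(connections):
    """Name the location with the fewest available connections (for alerting)."""
    per_location = Counter(c["location"] for c in connections
                           if c.get("connectionState") == "available")
    if not per_location:
        return None
    return min(per_location, key=per_location.get)


if __name__ == "__main__":
    print(classify_resiliency(SAMPLE_CONNECTIONS), weakest_location(SAMPLE_CONNECTIONS))
```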
AWS Site-to-Site VPN creates encrypted IPSec tunnels between your on-premises network and an AWS VPC over the public internet. Each VPN connection has two tunnels for redundancy.
Components
| Component | Description |
|---|---|
| Virtual Private Gateway (VGW) | AWS-side VPN concentrator attached to a VPC. Supports BGP and static routing. |
| Transit Gateway (TGW) | Alternative to VGW — attach VPN to TGW for hub-and-spoke to multiple VPCs. |
| Customer Gateway (CGW) | AWS resource representing your on-premises VPN device. Contains its public IP and BGP ASN. |
| VPN Connection | The actual IPSec connection between VGW/TGW and CGW. Two tunnels, each to different AWS endpoints. |
```bash
# Create customer gateway
aws ec2 create-customer-gateway \
  --type ipsec.1 \
  --public-ip 203.0.113.10 \
  --bgp-asn 65000

# Create VPN connection (BGP)
aws ec2 create-vpn-connection \
  --type ipsec.1 \
  --customer-gateway-id cgw-0abc123 \
  --vpn-gateway-id vgw-0abc123 \
  --options TunnelOptions='[{PreSharedKey=mysecret1},{PreSharedKey=mysecret2}]'

# Download configuration for your device type
aws ec2 get-vpn-connection-device-sample-configuration \
  --vpn-connection-id vpn-0abc123 \
  --vpn-connection-device-type-id 5fb390ba

# Check tunnel status
aws ec2 describe-vpn-connections \
  --vpn-connection-ids vpn-0abc123 \
  --query 'VpnConnections[*].VgwTelemetry'
```
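Added example (not from the original page): a small check over the `VgwTelemetry` output that the last command above returns, raising a warning when a connection has lost one of its two tunnels and a critical finding when both are down. The telemetry sample is constructed; the field names match the real API.

```python
# Constructed sample in the shape of `describe-vpn-connections --query
# 'VpnConnections[*].VgwTelemetry'` output: one connection, two tunnels,
# one of them currently DOWN. Values are invented for this example.
SAMPLE_TELEMETRY = [[
    {"OutsideIpAddress": "203.0.113.1", "Status": "UP",
     "LastStatusChange": "2024-05-01T10:00:00+00:00",
     "StatusMessage": "", "AcceptedRouteCount": 3},
    {"OutsideIpAddress": "203.0.113.2", "Status": "DOWN",
     "LastStatusChange": "2024-05-01T09:30:00+00:00",
     "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
]]


def check_vpn_tunnels(telemetry_per_connection):
    """Return (severity, message) findings for a list of VgwTelemetry arrays.

    Each VPN connection has two tunnels: with one DOWN the connection still
    works but has lost its redundancy; with both DOWN it is unreachable.
    A tunnel that is UP but has accepted zero routes is flagged as well,
    because an established IPsec session alone does not mean traffic flows.
    """
    findings = []
    for idx, tunnels in enumerate(telemetry_per_connection):
        up = [t for t in tunnels if t["Status"] == "UP"]
        down = [t for t in tunnels if t["Status"] != "UP"]
        if not up:
            findings.append(("critical", f"connection {idx}: all tunnels DOWN"))
            continue
        for t in down:
            msg = t.get("StatusMessage") or "no status message"
            findings.append(("warning",
                             f"connection {idx}: tunnel {t['OutsideIpAddress']} "
                             f"DOWN since {t['LastStatusChange']} ({msg})"))
        for t in up:
            if t.get("AcceptedRouteCount", 0) == 0:
                findings.append(("warning",
                                 f"connection {idx}: tunnel {t['OutsideIpAddress']} "
                                 "UP but 0 accepted routes"))
    return findings


if __name__ == "__main__":
    for severity, message in check_vpn_tunnels(SAMPLE_TELEMETRY):
        print(f"[{severity}] {message}")
```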
Accelerated VPN
Route 53 is AWS's authoritative DNS service. It supports public and private hosted zones, health checks, and multiple routing policies for traffic management.
Record types
| Type | Use |
|---|---|
| A | IPv4 address. Use Alias for AWS resources (ELB, CloudFront, S3, API GW). |
| AAAA | IPv6 address. |
| CNAME | Canonical name. Cannot be used at zone apex (use Alias instead). |
| Alias | Route 53 extension — points to AWS resources. Free queries, works at apex, follows IP changes. |
| MX | Mail exchange. |
| TXT | Text records — SPF, DKIM, domain verification. |
| NS | Name server records — delegation. |
| SRV | Service location — port and priority. |
Routing policies
| Policy | Behaviour | Use case |
|---|---|---|
| Simple | Returns all values; client picks randomly | Single resource, no health checks |
| Weighted | Distributes traffic by weight (0–255) | Blue/green deployments, canary releases |
| Latency | Returns record from region with lowest RTT for the client | Multi-region active-active |
| Failover | Primary record; health-checked. Falls back to secondary if unhealthy. | Active-passive DR |
| Geolocation | Routes based on client's geographic location (continent/country) | Data residency, regional content |
| Geoproximity | Routes based on distance with configurable bias | Shift traffic toward/away from a region |
| Multi-value answer | Returns up to 8 healthy records randomly | Simple client-side load balancing |
| IP-based | Routes based on client IP CIDR blocks | Route ISP traffic to specific endpoints |
```bash
# Create a private hosted zone
aws route53 create-hosted-zone \
  --name corp.internal \
  --vpc VPCRegion=us-east-1,VPCId=vpc-0abc123 \
  --caller-reference $(date +%s)

# Upsert a weighted record (blue/green)
aws route53 change-resource-record-sets \
  --hosted-zone-id Z1234 \
  --change-batch '{
    "Changes": [{
      "Action": "UPSERT",
      "ResourceRecordSet": {
        "Name": "api.example.com",
        "Type": "A",
        "SetIdentifier": "blue",
        "Weight": 90,
        "AliasTarget": {
          "DNSName": "blue-alb.us-east-1.elb.amazonaws.com",
          "EvaluateTargetHealth": true,
          "HostedZoneId": "Z35SXDOTRQ7X7K"
        }
      }
    }]
  }'

# Health check
aws route53 create-health-check \
  --caller-reference $(date +%s) \
  --health-check-config Type=HTTPS,FullyQualifiedDomainName=api.example.com,Port=443,ResourcePath=/health
```
CloudFront is AWS's global CDN with 450+ Points of Presence. It caches content at the edge, terminates TLS, and can run code at the edge via Lambda@Edge and CloudFront Functions.
Key concepts
| Concept | Description |
|---|---|
| Distribution | A CloudFront deployment with one or more origins and cache behaviours. |
| Origin | The source of content: S3 bucket, ALB, API Gateway, custom HTTP origin, or origin group. |
| Cache behaviour | Rules matching URL path patterns to origins, with cache policies and TTLs. Default (*) is required. |
| Cache policy | Controls what's included in the cache key (headers, cookies, query strings) and TTLs. |
| Origin request policy | Controls what CloudFront forwards to the origin (separate from cache key). |
| OAC | Origin Access Control — allows CloudFront to authenticate to private S3 buckets (replaces OAI). |
Common patterns
```text
Static site (S3 + CloudFront + OAC):
  S3 bucket (no public access) ← OAC ← CloudFront ← users

API + static assets:
  /api/* → ALB origin (no caching or short TTL)
  /*     → S3 origin (long TTL for versioned assets)

Multi-origin failover:
  Origin group: primary ALB + failover ALB
  Triggers on HTTP 5xx or 4xx from primary
```
```bash
# Invalidate cached paths
aws cloudfront create-invalidation \
  --distribution-id E1ABCDEF \
  --paths "/index.html" "/assets/*"

# Check distribution status
aws cloudfront get-distribution \
  --id E1ABCDEF \
  --query 'Distribution.{Status:Status,Domain:DomainName}'

# Enable real-time logs
aws cloudfront create-realtime-log-config \
  --end-points StreamType=Kinesis,KinesisStreamConfig={RoleARN=arn:...,StreamARN=arn:...} \
  --fields timestamp c-ip sc-status cs-uri-stem time-taken \
  --name my-realtime-logs \
  --sampling-rate 100
```
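Added example (not from the original page) for the static-site pattern above: the S3 bucket policy that makes "no public access ← OAC ← CloudFront" hold, plus a check that flags policies which trust the CloudFront service principal without pinning it to a distribution. The bucket name and account ID are constructed placeholders.

```python
import json

CLOUDFRONT_PRINCIPAL = {"Service": "cloudfront.amazonaws.com"}


def oac_bucket_policy(bucket, account_id, distribution_id):
    """Bucket policy that lets exactly one CloudFront distribution read objects.

    Trusting cloudfront.amazonaws.com alone would let any distribution in any
    AWS account front this bucket; the AWS:SourceArn condition pins access to
    the one distribution that owns the OAC.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": CLOUDFRONT_PRINCIPAL,
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {
                "AWS:SourceArn":
                    f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
            }},
        }],
    }


def policy_findings(policy):
    """Flag Allow statements broader than a pinned CloudFront read."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: public principal, objects readable by anyone")
        elif principal == CLOUDFRONT_PRINCIPAL:
            cond = st.get("Condition", {}).get("StringEquals", {})
            if not cond.get("AWS:SourceArn"):
                findings.append(f"{sid}: CloudFront principal not pinned "
                                "to a distribution (AWS:SourceArn missing)")
    return findings


if __name__ == "__main__":
    # "123456789012" and "my-site-bucket" are constructed placeholders.
    policy = oac_bucket_policy("my-site-bucket", "123456789012", "E1ABCDEF")
    print(json.dumps(policy, indent=2))
    print(policy_findings(policy))
```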
Lambda@Edge vs CloudFront Functions
| | CloudFront Functions | Lambda@Edge |
|---|---|---|
| Runtime | JS (ECMAScript 5.1) | Node.js, Python |
| Max execution | 1ms | 5s (viewer), 30s (origin) |
| Max memory | 2MB | 128MB–10GB |
| Triggers | Viewer request/response | Viewer + origin request/response |
| Network access | No | Yes |
| Use case | URL rewrites, header manipulation, simple auth | A/B testing, SSR, auth with external calls |
Global Accelerator provides two static anycast IP addresses that route user traffic to the nearest AWS edge location, then via the AWS backbone to the endpoint — reducing latency and improving availability.
CloudFront vs Global Accelerator
| | CloudFront | Global Accelerator |
|---|---|---|
| Protocol | HTTP/HTTPS only | TCP, UDP (any port) |
| Caching | Yes — content cached at edge | No — traffic routed, not cached |
| Use case | Web content, APIs, media | Non-HTTP (gaming, IoT, VoIP), static IPs needed |
| IP addresses | Changes (use DNS) | 2 static anycast IPs — whitelistable |
| Health checks | Origin failover per distribution | Automatic failover across endpoint groups |
```bash
# Create accelerator
aws globalaccelerator create-accelerator \
  --name my-app \
  --ip-address-type IPV4 \
  --enabled

# Add listener (port 443)
aws globalaccelerator create-listener \
  --accelerator-arn arn:aws:globalaccelerator::123456789:accelerator/xxx \
  --protocol TCP \
  --port-ranges FromPort=443,ToPort=443

# Add endpoint groups per region
aws globalaccelerator create-endpoint-group \
  --listener-arn arn:aws:globalaccelerator::... \
  --endpoint-group-region us-east-1 \
  --traffic-dial-percentage 100 \
  --endpoint-configurations EndpointId=arn:aws:elasticloadbalancing:...,Weight=100
```
AWS offers three load balancer types, each optimised for different use cases and protocols.
ALB vs NLB vs GWLB
| | ALB | NLB | GWLB |
|---|---|---|---|
| Layer | 7 (HTTP/HTTPS/gRPC/WebSocket) | 4 (TCP/UDP/TLS) | 3/4 (GENEVE) |
| Routing | Path, host, header, query, IP, method | Port-based | All traffic to appliances |
| Static IP | No (use Global Accelerator) | Yes — per-AZ static IPs | N/A |
| TLS termination | Yes + SNI | Yes (TLS passthrough also) | No |
| Use case | HTTP APIs, microservices, web apps | TCP apps, static IP, ultra-low latency | Firewalls, IDS/IPS, packet inspection |
ALB routing rules
```bash
# Create ALB
aws elbv2 create-load-balancer \
  --name my-alb \
  --type application \
  --subnets subnet-public-1a subnet-public-1b \
  --security-groups sg-alb

# Create HTTPS listener with certificate
aws elbv2 create-listener \
  --load-balancer-arn arn:aws:elasticloadbalancing:... \
  --protocol HTTPS --port 443 \
  --certificates CertificateArn=arn:aws:acm:... \
  --default-actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:...

# Add path-based routing rule
aws elbv2 create-rule \
  --listener-arn arn:aws:elasticloadbalancing:... \
  --priority 10 \
  --conditions Field=path-pattern,Values="/api/*" \
  --actions Type=forward,TargetGroupArn=arn:aws:elasticloadbalancing:.../api-tg

# Enable access logs
aws elbv2 modify-load-balancer-attributes \
  --load-balancer-arn arn:... \
  --attributes Key=access_logs.s3.enabled,Value=true \
               Key=access_logs.s3.bucket,Value=my-alb-logs
```
AWS PrivateLink exposes services to consumers via Interface VPC Endpoints, without requiring VPC peering, public IPs, or internet traversal. The service provider deploys an NLB; consumers create interface endpoints.
Provider setup
```bash
# Step 1: Create an NLB in front of your service
aws elbv2 create-load-balancer --name my-svc-nlb --type network ...

# Step 2: Create an endpoint service
#   --acceptance-required     require manual approval per consumer
#   --no-acceptance-required  auto-accept
aws ec2 create-vpc-endpoint-service-configuration \
  --network-load-balancer-arns arn:aws:elasticloadbalancing:... \
  --acceptance-required

# Step 3: Allow consumer accounts
aws ec2 modify-vpc-endpoint-service-permissions \
  --service-id vpce-svc-0abc123 \
  --add-allowed-principals arn:aws:iam::987654321:root
```
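Added example (not from the original page): an audit of the two provider-side settings above, acceptance and the allowed-principal list, over data shaped like `describe-vpc-endpoint-service-configurations` and `describe-vpc-endpoint-service-permissions` output. The sample merges both API responses into one record per service for brevity and uses the page's service and account IDs plus constructed ones.

```python
# Constructed sample: each record carries the AcceptanceRequired flag from
# describe-vpc-endpoint-service-configurations and the AllowedPrincipals
# list from describe-vpc-endpoint-service-permissions (real field names).
SAMPLE_SERVICES = [
    {"ServiceId": "vpce-svc-0abc123", "AcceptanceRequired": True,
     "AllowedPrincipals": [{"Principal": "arn:aws:iam::987654321:root",
                            "PrincipalType": "Account"}]},
    {"ServiceId": "vpce-svc-0def456", "AcceptanceRequired": False,
     "AllowedPrincipals": [{"Principal": "*", "PrincipalType": "All"}]},
    {"ServiceId": "vpce-svc-0ghi789", "AcceptanceRequired": False,
     "AllowedPrincipals": [{"Principal": "arn:aws:iam::987654321:root",
                            "PrincipalType": "Account"}]},
]


def audit_endpoint_services(services):
    """Rate each endpoint service by how easily an unexpected consumer attaches.

    "high":   any AWS account may connect and is accepted automatically
    "medium": any AWS account may request, but a human must approve
    "low":    allow-listed accounts only, but accepted without review
    "ok":     allow-listed accounts only, each connection manually approved
    """
    ratings = {}
    for svc in services:
        allowed = svc.get("AllowedPrincipals", [])
        open_to_all = any(p.get("Principal") == "*" or p.get("PrincipalType") == "All"
                          for p in allowed)
        auto_accept = not svc.get("AcceptanceRequired", True)
        if open_to_all and auto_accept:
            rating = "high"
        elif open_to_all:
            rating = "medium"
        elif auto_accept:
            rating = "low"
        else:
            rating = "ok"
        ratings[svc["ServiceId"]] = rating
    return ratings


if __name__ == "__main__":
    for service_id, rating in audit_endpoint_services(SAMPLE_SERVICES).items():
        print(f"{service_id}: {rating}")
```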
Consumer setup
```bash
# Create interface endpoint to the provider's service
aws ec2 create-vpc-endpoint \
  --vpc-id vpc-consumer \
  --vpc-endpoint-type Interface \
  --service-name com.amazonaws.vpce.us-east-1.vpce-svc-0abc123 \
  --subnet-ids subnet-private-1a subnet-private-1b \
  --security-group-ids sg-endpoints \
  --private-dns-enabled
```
Hybrid connectivity decision tree
```text
Need private connectivity to AWS?
├── Consistent SLA, high bandwidth, low latency → Direct Connect
│   ├── Single VPC → Private VIF + VGW
│   └── Multiple VPCs/regions → Transit VIF + DXGW + TGW
└── Quick setup, cost-sensitive, internet OK → Site-to-Site VPN
    └── Latency sensitive → Accelerated VPN (via TGW)

Exposing a service to consumers without VPC peering?
└── PrivateLink (NLB-backed endpoint service)

Global traffic routing?
├── HTTP content, caching needed → CloudFront
├── Non-HTTP or static IP needed → Global Accelerator
└── DNS-level routing (failover, geo, weighted) → Route 53
```
Direct Connect
Dedicated: 1/10/100 Gbps
Hosted: 50 Mbps–10 Gbps
VIF types: private, transit, public
Max resiliency: 2 locations × 2 connections
Route 53
Alias records — free, works at apex
Weighted for canary deploys
Latency for multi-region active-active
Failover with health checks for DR
CloudFront
OAC for private S3 origins
Invalidate: aws cloudfront create-invalidation
Functions for <1ms edge logic
Lambda@Edge for heavier processing
ELB
ALB: L7, path/host routing, HTTP
NLB: L4, static IP, TCP/UDP
GWLB: firewall/IDS appliances
Enable access logs to S3