Networking & CDN
Build AWS networking infrastructure — VPCs, subnets, load balancers, CloudFront CDN, and Route 53 DNS management.
Virtual Private Cloud
A VPC is an isolated network within AWS. Define IP ranges with CIDR blocks (10.0.0.0/16). Create public subnets (internet access via Internet Gateway) and private subnets (no direct internet access).
Place application servers in private subnets. Place load balancers and NAT Gateways in public subnets. Use security groups (stateful firewall) and NACLs (stateless subnet firewall) for traffic control.
- Default VPC is created automatically — create custom VPCs for production
- NAT Gateway enables outbound internet from private subnets
- VPC Peering connects two VPCs for cross-VPC communication
# VPC architecture
# VPC: 10.0.0.0/16
# Public subnet: 10.0.1.0/24 (AZ-a) — ALB, NAT Gateway
# Public subnet: 10.0.2.0/24 (AZ-b) — ALB, NAT Gateway
# Private subnet: 10.0.10.0/24 (AZ-a) — App servers
# Private subnet: 10.0.20.0/24 (AZ-b) — App servers
# Private subnet: 10.0.30.0/24 (AZ-a) — Databases
Load Balancing
Application Load Balancer (ALB) routes HTTP/HTTPS traffic with path and host-based routing. Network Load Balancer (NLB) handles TCP/UDP with ultra-low latency. Gateway Load Balancer inserts security appliances.
ALB supports target groups pointing to EC2, ECS, Lambda, and IP addresses. Configure health checks, SSL termination, and sticky sessions.
# ALB listener rule
# Host: api.example.com → Target Group: api-servers
# Path: /static/* → Target Group: static-assets (S3)
# Default → Target Group: web-servers
aws elbv2 create-load-balancer \
  --name my-alb \
  --subnets subnet-public-a subnet-public-b \
  --security-groups sg-alb \
  --scheme internet-facing
Amazon CloudFront
CloudFront is a global CDN that caches content at edge locations worldwide. Reduce latency and origin load by serving static assets, API responses, and streaming media from edge caches.
Configure origins (S3, ALB, EC2, custom), cache behaviors (TTL, headers, cookies), and security (HTTPS, signed URLs, WAF integration). Use Origin Access Control for secure S3 origins.
# CloudFront distribution with S3 origin
# 1. Create S3 bucket for static assets
# 2. Create CloudFront distribution pointing to bucket
# 3. Configure cache behavior: TTL 86400 for static, 0 for API
# 4. Enable HTTPS with ACM certificate
# 5. Update DNS to point to CloudFront domain
Route 53 DNS
Route 53 is AWS's DNS service. Register domains, create hosted zones, and manage records. Routing policies: simple, weighted (traffic splitting), latency-based, failover (active-passive), and geolocation.
Health checks monitor endpoint availability. Failover routing automatically switches to a backup endpoint when the primary fails.
# Create an A record alias to ALB
aws route53 change-resource-record-sets \
--hosted-zone-id Z1234567890 \
--change-batch '{
"Changes": [{
"Action": "CREATE",
"ResourceRecordSet": {
"Name": "app.example.com",
"Type": "A",
"AliasTarget": {
"HostedZoneId": "ALB-HOSTED-ZONE-ID",
"DNSName": "my-alb.us-east-1.elb.amazonaws.com",
"EvaluateTargetHealth": true
}
}
}]
}'
Network Security
Security groups act as virtual firewalls for instances — allow rules only, stateful. NACLs control subnet-level traffic — allow and deny rules, stateless. Use both for defense in depth.
AWS WAF protects web applications from common exploits. Attach to CloudFront or ALB. Shield Standard protects against DDoS at no extra cost. Shield Advanced adds enhanced protection and cost guarantees.
# Security group: allow HTTPS from anywhere
aws ec2 authorize-security-group-ingress \
  --group-id sg-web \
  --protocol tcp --port 443 --cidr 0.0.0.0/0
# Allow app traffic only from ALB security group
aws ec2 authorize-security-group-ingress \
  --group-id sg-app \
  --protocol tcp --port 3000 \
  --source-group sg-alb
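The two rules above encode the intended tiering: only HTTPS reaches the web tier from the internet, and the app tier accepts traffic solely from the ALB's security group. The audit below checks a set of security groups for drift from that design. It is an added example, not code from the page or from AWS; the input is a constructed sample in the shape `aws ec2 describe-security-groups` (and boto3's `describe_security_groups()`) returns, and the allowed-port set is an assumption taken from the page's design.

```python
import ipaddress

# Protocol/port pairs the page's design exposes to the whole internet.
ALLOWED_PUBLIC = {("tcp", 443)}


def port_range(perm):
    """Ports a permission covers; IpProtocol "-1" means all traffic/ports."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0 (a prefix length of zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def audit_ingress(groups, allowed_public=ALLOWED_PUBLIC):
    """Flag CIDR rules that expose anything beyond the allowed ports to the
    internet. Rules sourced from another security group (UserIdGroupPairs),
    like the ALB-to-app rule above, are left alone."""
    findings = []
    for group in groups:
        for perm in group.get("IpPermissions", []):
            proto = perm.get("IpProtocol")
            lo, hi = port_range(perm)
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if not is_world_open(cidr):
                    continue
                if {(proto, p) for p in range(lo, hi + 1)} <= allowed_public:
                    continue
                findings.append({"group": group["GroupId"], "protocol": proto,
                                 "ports": (lo, hi), "source": cidr})
    return findings


# Constructed sample: sg-web matches the page; sg-app has a drifted SSH
# rule and sg-db is fully open, both of which the audit should report.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 3000,
         "UserIdGroupPairs": [{"GroupId": "sg-alb"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_GROUPS):
        print(f"{f['group']}: {f['protocol']} {f['ports']} open to {f['source']}")
```

Feed it the `SecurityGroups` list from a real `describe-security-groups` call to run the same check against an account.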