Lalit's Cloud & DevOps notes

Getting Started with AWS Networking

3 min read

Overview

Understanding the foundation of AWS networking is essential before diving deeper into advanced cloud architectures. This note captures the key concepts you need to keep in mind while working on cloud projects.

Key Components

Core Networking Services

  • VPC (Virtual Private Cloud): Your isolated slice of the AWS network.
  • Subnets: Logical subdivisions of a VPC, which can be public or private.
  • Route Tables: Define how traffic is directed within your VPC and to the internet.
  • Internet Gateway / NAT Gateway: Provide connectivity between subnets and external networks.
  • Security Groups & NACLs: Stateful and stateless firewalls that guard your resources.

Modern AWS Networking Services (2024)

  • VPC Lattice: Application-centric networking service that simplifies connectivity and observability across services
  • Gateway Load Balancer: Deploy, scale, and manage third-party virtual appliances with ease
  • Network Firewall: Managed network security service that protects your VPCs
  • Transit Gateway: Central hub that simplifies network connectivity between thousands of VPCs, on-premises networks, and remote sites
  • Cloud WAN: Managed wide area networking (WAN) service for building global networks

Practical Implementation Examples

Standard VPC Setup

# CloudFormation VPC Template
Resources:
  MyVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: production-vpc
 
  PublicSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.1.0/24
      AvailabilityZone: us-east-1a
      MapPublicIpOnLaunch: true
      Tags:
        - Key: Name
          Value: public-subnet-1a
 
  PrivateSubnet:
    Type: AWS::EC2::Subnet
    Properties:
      VpcId: !Ref MyVPC
      CidrBlock: 10.0.2.0/24
      AvailabilityZone: us-east-1a
      Tags:
        - Key: Name
          Value: private-subnet-1a

Security Group Best Practices

# Security Group for Web Servers
WebServerSecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupDescription: Allow HTTP/HTTPS from anywhere
    VpcId: !Ref MyVPC
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: 0.0.0.0/0
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: 0.0.0.0/0
    SecurityGroupEgress:
      - IpProtocol: -1
        CidrIp: 0.0.0.0/0

VPC Lattice Service Network Example

# VPC Lattice Service Network
ServiceNetwork:
  Type: AWS::VpcLattice::ServiceNetwork
  Properties:
    Name: my-service-network
    AuthType: NONE
 
Service:
  Type: AWS::VpcLattice::Service
  Properties:
    Name: web-service
    ServiceNetworkIdentifier: !Ref ServiceNetwork

Workflow Tips

  1. Start every project with a baseline VPC diagram stored alongside the note.
  2. Maintain reusable CloudFormation or Terraform snippets for common subnet layouts.
  3. Document CIDR allocations to avoid overlaps across environments.
  4. Use infrastructure as code (IaC) for all networking configurations.
  5. Implement tagging strategies for cost tracking and resource management.

Security Best Practices

Network Security

  • Principle of Least Privilege: Restrict security group rules to only necessary ports and protocols
  • Use VPC Flow Logs: Enable VPC Flow Logs for monitoring and troubleshooting network traffic
  • Implement Network ACLs: Add an additional layer of security at the subnet level
  • Regular Security Group Audits: Review and remove unused security groups and rules

Monitoring and Observability

# VPC Flow Logs Configuration
FlowLog:
  Type: AWS::EC2::FlowLog
  Properties:
    ResourceId: !Ref MyVPC
    ResourceType: VPC
    TrafficType: ALL
    LogGroupName: /aws/vpc/flow-logs
    DeliverLogsPermissionArn: !GetAtt FlowLogsRole.Arn

Advanced Security Services

  • AWS Network Firewall: Deploy firewall rules to protect your VPCs
  • AWS WAF: Protect web applications from common web exploits
  • AWS Shield: Managed DDoS protection
  • GuardDuty: Intelligent threat detection

Next Steps

  • Map your current infrastructure into this model.
  • Identify any gaps in monitoring or logging for network flows.
  • Capture learnings from each deployment and link them back here for future reference.
  • Implement automated security compliance checks using AWS Config.
  • Set up centralized logging with CloudWatch Logs or third-party SIEM solutions.
  • Consider implementing network segmentation for different environments (dev, staging, production).

Graph View