AWS Network Segmentation and Connectivity: Architect's Study Guide
Network segmentation (for example, subnetting, IP addressing, connectivity among VPCs)
This guide covers the architectural principles of network isolation, IP address planning, and interconnectivity strategies for complex AWS environments, specifically aligned with the SAP-C02 exam domains.
Learning Objectives
After studying this guide, you should be able to:
- Design a scalable IPv4/IPv6 addressing scheme that accounts for future expansion and AWS-reserved addresses.
- Implement network segmentation using a combination of VPCs, subnets, and route tables.
- Differentiate between stateful and stateless security controls (Security Groups vs. NACLs).
- Architect multi-VPC and hybrid connectivity using AWS Transit Gateway and VPC Peering.
- Evaluate connectivity options for high availability and disaster recovery using Direct Connect (DX) and VPN.
Key Terms & Glossary
- VPC (Virtual Private Cloud): A regional virtual network dedicated to your AWS account, logically isolated from other networks.
- Subnet: A range of IP addresses in your VPC; subnets are locked to a single Availability Zone (AZ).
- Transit Gateway (TGW): A network transit hub used to interconnect VPCs and on-premises networks through a central point.
- CIDR (Classless Inter-Domain Routing): A method for allocating IP addresses and IP routing (e.g., 10.0.0.0/16).
- BGP (Border Gateway Protocol): The routing protocol used to exchange routing information between your network and AWS over Direct Connect or VPN.
- PrivateLink: A technology that provides private connectivity between VPCs, AWS services, and on-premises networks without exposing traffic to the public internet.
The "Big Idea"
Network segmentation is not just about organizing resources; it is a fundamental pillar of the Zero-Trust Model. By layering virtual networks, architects ensure that even if one layer is compromised, lateral movement is restricted. In AWS, this is achieved by placing resources in subnets based on their connectivity needs (e.g., web servers in public subnets, databases in private subnets) and using Transit Gateway to manage complexity as organizations scale to hundreds of VPCs.
Formula / Concept Box
| Concept | Rule / Formula | Key Constraint |
|---|---|---|
| Available IPs | AWS reserves 5 IPs per subnet (first 4 and last 1). | |
| Subnet Scope | 1 Subnet = 1 AZ | Subnets cannot span multiple Availability Zones. |
| VPC Scope | 1 VPC = 1 Region | VPCs can span multiple AZs within that Region. |
| TGW Routing | BGP or Static | VPC routes to TGW must be manually added to VPC route tables. |
Hierarchical Outline
- I. IP Address Planning
- CIDR Selection: Avoid overlapping ranges to allow for future TGW or Peering integration.
- Reserved IPs: Account for the 5 reserved addresses per subnet in capacity planning.
- IPv6 Transition: Use IPv6 to bypass IPv4 exhaustion and simplify NAT requirements.
- II. Network Layering (Segmentation)
- Public Subnets: Include a route to an Internet Gateway (IGW).
- Private Subnets: No direct internet route; use NAT Gateways for outbound-only traffic.
- Isolated Subnets: No internet or NAT access; restricted to internal VPC traffic.
- III. Connectivity Hubs
- VPC Peering: Best for simple 1-to-1 connections; no transitive routing allowed.
- Transit Gateway: Regional hub-and-spoke for complex, transitive routing across many VPCs.
- Direct Connect (DX) vs VPN: DX for consistent performance; VPN for quick setup or low-cost backup.
Visual Anchors
Hub-and-Spoke Architecture
Subnet Isolation Levels
\begin{tikzpicture}[node distance=2cm]
  \draw[thick, blue] (0,0) rectangle (6,4) node[pos=0.9, left] {VPC (Region)};
  \draw[dashed] (0.5,0.5) rectangle (2.5,3.5) node[midway, above=1.2cm] {AZ 1};
  \draw[dashed] (3.5,0.5) rectangle (5.5,3.5) node[midway, above=1.2cm] {AZ 2};
  \draw[fill=green!20] (0.7,2.2) rectangle (2.3,3.2) node[midway] {Public Sub};
  \draw[fill=red!20] (0.7,0.7) rectangle (2.3,1.7) node[midway] {Private Sub};
  \draw[fill=green!20] (3.7,2.2) rectangle (5.3,3.2) node[midway] {Public Sub};
  \draw[fill=red!20] (3.7,0.7) rectangle (5.3,1.7) node[midway] {Private Sub};
\end{tikzpicture}
Definition-Example Pairs
- Stateful Firewall (Security Group): A firewall that remembers the state of a connection. If you send a request out, the response is automatically allowed back in.
- Example: Allowing port 443 inbound to a web server; the server's response to the client is automatically permitted.
- Stateless Firewall (NACL): A firewall that evaluates every packet independently. Inbound and outbound rules must be explicitly defined.
- Example: Blocking a specific malicious IP address range from entering or leaving a subnet.
- Interface VPC Endpoint: An Elastic Network Interface (ENI) with a private IP address that acts as an entry point for traffic destined for a supported service.
- Example: Connecting to Amazon S3 privately from an EC2 instance without using an Internet Gateway.
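The stateful/stateless distinction above is easiest to see by evaluating the same request and reply against both control types. The following is an added simulation, not AWS code or part of the original guide: a toy Security Group that tracks connections and admits replies automatically, and a toy NACL that evaluates numbered allow/deny rules in order and knows nothing about prior packets. All addresses, ports and rule numbers are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the protected instance/subnet
    src: str
    dst: str
    dport: int
    sport: int


class SecurityGroup:
    """Stateful, allow-rules-only: a reply to an allowed flow is admitted without a rule."""

    def __init__(self, inbound, outbound):
        self.inbound = inbound    # list of (cidr, port)
        self.outbound = outbound
        self.flows = set()        # tracked (src, sport, dst, dport) tuples

    def allows(self, pkt: Packet) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return True           # return traffic of a tracked connection
        rules = self.inbound if pkt.direction == "in" else self.outbound
        peer = ipaddress.ip_address(pkt.src if pkt.direction == "in" else pkt.dst)
        if any(peer in ipaddress.ip_network(c) and p == pkt.dport for c, p in rules):
            self.flows.add(key)
            return True
        return False


class NetworkACL:
    """Stateless: every packet is matched against numbered rules, lowest number first,
    the first match decides (allow or deny), and no match means implicit deny."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r["num"])

    def allows(self, pkt: Packet) -> bool:
        peer = ipaddress.ip_address(pkt.src if pkt.direction == "in" else pkt.dst)
        for r in self.rules:
            if r["dir"] != pkt.direction:
                continue
            lo, hi = r["ports"]
            if peer in ipaddress.ip_network(r["cidr"]) and lo <= pkt.dport <= hi:
                return r["action"] == "allow"
        return False


SERVER = "10.0.1.10"  # constructed web server address in a public subnet


def web_server_sg() -> SecurityGroup:
    # Inbound HTTPS from anywhere; no outbound rule needed for replies.
    return SecurityGroup(inbound=[("0.0.0.0/0", 443)], outbound=[])


def nacl_without_ephemeral() -> NetworkACL:
    # Rule 50 blocks a constructed "malicious" range before rule 100 admits HTTPS.
    return NetworkACL([
        {"num": 50, "dir": "in", "cidr": "198.51.100.0/24", "ports": (0, 65535), "action": "deny"},
        {"num": 100, "dir": "in", "cidr": "0.0.0.0/0", "ports": (443, 443), "action": "allow"},
    ])


def nacl_with_ephemeral() -> NetworkACL:
    # Same inbound rules plus the outbound rule a stateless filter needs for replies.
    nacl = nacl_without_ephemeral()
    nacl.rules.append({"num": 100, "dir": "out", "cidr": "0.0.0.0/0",
                       "ports": (1024, 65535), "action": "allow"})
    return nacl


def round_trip(sg: SecurityGroup, nacl: NetworkACL, client: str) -> dict:
    """Evaluate a client's HTTPS request and the server's reply against both controls.
    Returns {"request": (sg_ok, nacl_ok), "reply": (sg_ok, nacl_ok)}."""
    request = Packet("in", client, SERVER, dport=443, sport=50000)
    reply = Packet("out", SERVER, client, dport=50000, sport=443)
    return {
        "request": (sg.allows(request), nacl.allows(request)),
        "reply": (sg.allows(reply), nacl.allows(reply)),
    }


if __name__ == "__main__":
    print(round_trip(web_server_sg(), nacl_without_ephemeral(), "203.0.113.5"))
    print(round_trip(web_server_sg(), nacl_with_ephemeral(), "203.0.113.5"))
    print(round_trip(web_server_sg(), nacl_with_ephemeral(), "198.51.100.7"))
```

The first call shows the classic failure mode: the Security Group passes the reply because it remembers the request, but the NACL drops it because no outbound rule covers the client's ephemeral port. The second call fixes that with an explicit outbound rule, and the third shows a deny rule doing what a Security Group cannot: rejecting a specific source range even though the allow rule would otherwise match.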
Worked Examples
Example 1: IP Subnet Sizing
Scenario: You need to deploy a microservice that requires 200 EC2 instances. You want to deploy across 3 Availability Zones for high availability.
Step 1: Determine IPs per AZ. $200 / 3 \approx 67$ instances, so at least 67 IPs per subnet.
Step 2: Add the 5 addresses AWS reserves in every subnet: 67 + 5 = 72 IPs required per subnet.
Step 3: Choose CIDR size. A /25 provides 128 IPs, while a /26 provides only 64 IPs.
Result: You must use at least a /25 for each subnet to accommodate 67 instances and the 5 reserved IPs.
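The sizing arithmetic above generalizes to any host count, and the same planning step should also check that the resulting VPC CIDRs do not overlap with anything they may later be peered or attached to. The following is an added example written for this guide, not AWS tooling: it computes the smallest subnet that holds a given number of hosts after the 5 reserved addresses, lists those reserved addresses, carves one subnet per AZ out of a VPC CIDR, and flags overlapping VPC ranges. The VPC names and CIDRs are constructed sample values.

```python
import ipaddress
import math
from itertools import islice

AWS_RESERVED_PER_SUBNET = 5  # first four addresses plus the last (broadcast) one


def reserved_addresses(subnet: str) -> list[str]:
    """The five addresses AWS reserves in an IPv4 subnet: network address,
    VPC router (+1), DNS resolver (+2), reserved for future use (+3), broadcast (last)."""
    net = ipaddress.ip_network(subnet, strict=True)
    first = int(net.network_address)
    return [str(ipaddress.ip_address(first + i)) for i in range(4)] + [str(net.broadcast_address)]


def usable_addresses(subnet: str) -> int:
    """Addresses actually assignable to instances/ENIs in the subnet."""
    return ipaddress.ip_network(subnet, strict=True).num_addresses - AWS_RESERVED_PER_SUBNET


def smallest_prefix_for(hosts: int) -> int:
    """Longest prefix (smallest subnet) that still leaves `hosts` usable addresses.
    AWS subnets must be between /16 and /28, so the result is clamped to that range."""
    needed = hosts + AWS_RESERVED_PER_SUBNET
    prefix = 32 - math.ceil(math.log2(needed))
    if prefix > 28:
        return 28
    if prefix < 16:
        raise ValueError("too many hosts for a single AWS subnet (largest is /16)")
    return prefix


def plan_subnets(vpc_cidr: str, hosts_per_az: int, az_count: int) -> list[str]:
    """Carve `az_count` equally sized subnets (one per AZ) out of the VPC CIDR."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    prefix = smallest_prefix_for(hosts_per_az)
    chosen = list(islice(vpc.subnets(new_prefix=prefix), az_count))
    if len(chosen) < az_count:
        raise ValueError(f"{vpc_cidr} cannot hold {az_count} subnets of /{prefix}")
    return [str(s) for s in chosen]


def overlapping_pairs(cidrs: dict[str, str]) -> list[tuple[str, str]]:
    """Name pairs whose CIDRs overlap; such VPCs cannot be peered and a TGW
    cannot hold a distinct route to each of them."""
    nets = {name: ipaddress.ip_network(c, strict=True) for name, c in cidrs.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


if __name__ == "__main__":
    # Example 1 from the guide: 200 instances across 3 AZs inside a /16 VPC.
    print("prefix:", smallest_prefix_for(67))            # /25
    print("subnets:", plan_subnets("10.0.0.0/16", 67, 3))
    print("reserved:", reserved_addresses("10.0.0.0/25"))
    # Constructed VPC inventory with one accidental overlap.
    inventory = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.1.0.0/16", "vpc-c": "10.0.128.0/17"}
    print("overlaps:", overlapping_pairs(inventory))
```

Note that the clamp to /28 matters for tiny subnets: a subnet for a single NAT Gateway still needs 16 addresses, of which only 11 are usable.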
Example 2: Transit Gateway Routing
Scenario: You attach a new VPC (VPC-C) to a Transit Gateway. How do you enable traffic from VPC-C to your on-premises network?
Step 1: Create a TGW Attachment for VPC-C.
Step 2: In the VPC-C Route Table, add a route: Destination: 10.0.0.0/8 (On-Prem), Target: tgw-id.
Step 3: Ensure the TGW Route Table has a route for the on-premises range pointing to the VPN/DX attachment.
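The three steps above amount to two route-table lookups in sequence: the VPC route table chooses the TGW, then the TGW route table chooses the attachment. The following added simulation (written for this guide, not AWS code) performs both lookups with longest-prefix matching so you can see a packet reach the on-premises attachment, and what happens when the manual VPC route from Step 2 or the TGW route from Step 3 is missing. The CIDRs and the `tgw-EXAMPLE` / `tgw-attach-*` identifiers are constructed placeholders, not real resource ids.

```python
import ipaddress

# Constructed VPC-C route table after Step 2. "local" is the VPC's own CIDR;
# the 10.0.0.0/8 route to the TGW is the static entry that must be added by hand.
VPC_C_ROUTES = [
    ("10.20.0.0/16", "local"),
    ("10.0.0.0/8", "tgw-EXAMPLE"),
]

# Constructed TGW route table after Step 3. VPC routes arrive by attachment
# propagation; the on-prem aggregate arrives from the VPN/DX attachment via BGP.
TGW_ROUTES = [
    ("10.20.0.0/16", "tgw-attach-vpc-c"),
    ("10.10.0.0/16", "tgw-attach-vpc-a"),
    ("10.0.0.0/8", "tgw-attach-vpn-onprem"),
]


def lookup(route_table, dst: str):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr, strict=True)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def trace_from_vpc_c(dst: str, vpc_routes=VPC_C_ROUTES, tgw_routes=TGW_ROUTES) -> list[str]:
    """Hops a packet leaving VPC-C takes toward dst, or where it is dropped."""
    hop = lookup(vpc_routes, dst)
    if hop is None:
        return ["dropped: no route in VPC-C route table"]
    if not hop.startswith("tgw-"):
        return [hop]                       # stays inside the VPC
    attachment = lookup(tgw_routes, dst)
    if attachment is None:
        return [hop, "dropped: no route in TGW route table"]
    return [hop, attachment]


if __name__ == "__main__":
    print(trace_from_vpc_c("10.0.5.9"))     # on-prem via TGW then VPN attachment
    print(trace_from_vpc_c("10.10.1.1"))    # /16 beats /8: goes to VPC-A, not on-prem
    print(trace_from_vpc_c("10.20.1.1"))    # local
    # Step 2 skipped: only the local route exists in VPC-C.
    print(trace_from_vpc_c("10.0.5.9", vpc_routes=[("10.20.0.0/16", "local")]))
    # Step 3 skipped: TGW has no on-prem route.
    print(trace_from_vpc_c("10.0.5.9", tgw_routes=TGW_ROUTES[:2]))
```

The second trace is the detail worth remembering for the exam: the TGW route table holds both the broad on-premises aggregate and the more specific VPC prefixes, and longest-prefix matching, not rule order, decides which attachment receives the packet.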
Checkpoint Questions
- Which five IP addresses are reserved by AWS in every subnet CIDR block?
- True/False: A Transit Gateway can natively handle traffic between two VPCs with overlapping CIDR blocks.
- What is the primary difference between how routes are propagated to a TGW from a VPN versus from a VPC?
Muddy Points & Cross-Refs
- Overlapping CIDRs: This is a common exam "gotcha." If VPCs have overlapping IP ranges, they cannot be peered, and a Transit Gateway cannot reach both of them, because a TGW route table holds only one route per destination prefix. Solutions include using NAT or moving to IPv6.
- TGW Route Propagation: Remember that while TGW learns VPC routes automatically via the attachment, the VPC Route Table must be updated manually with a static route to the TGW.
- BGP vs Static VPN: BGP (Dynamic) allows for automatic failover and path selection, whereas Static VPNs require manual route updates if your on-premises network changes.
Comparison Tables
Security Groups vs. Network ACLs
| Feature | Security Group (SG) | Network ACL (NACL) |
|---|---|---|
| Level | Instance (ENI) | Subnet |
| State | Stateful | Stateless |
| Rule Order | All rules evaluated | Rules evaluated in order (lowest number first) |
| Allow/Deny | Allow rules only | Allow and Deny rules |
VPC Peering vs. Transit Gateway
| Feature | VPC Peering | Transit Gateway (TGW) |
|---|---|---|
| Topology | Mesh (1-to-1) | Hub-and-Spoke |
| Transitive Routing | No | Yes |
| Complexity | High at scale (every VPC pair needs its own peering connection) | Low (Centralized management) |
| Performance | No bandwidth aggregate limit | 50 Gbps per VPC attachment |