AWS Network Services Explained: VPC, Route 53, CloudFront and More
Networking questions on the CLF-C02 exam are identification questions: shown a requirement, you name the AWS network service or VPC component that meets it. This lesson covers everything Task 3.5 tests. You will learn what Amazon VPC is and how subnets, internet gateways, NAT gateways, and route tables fit together — including the classic exam pairing of internet gateway versus NAT gateway and public versus private subnets. You will identify the two security layers inside a VPC, security groups and network ACLs, at the level this task requires. You will then map the purpose of Amazon Route 53 for DNS and domain registration, distinguish the edge services Amazon CloudFront and AWS Global Accelerator, and recognize the two main ways to connect an on-premises network to AWS: AWS Site-to-Site VPN and AWS Direct Connect. Reference tables and a three-tier web application scenario tie every component to the trigger phrases the exam uses.
On this page8 sections
- Amazon VPC: your isolated network inside AWS
- Public vs private subnets: internet gateway vs NAT gateway
- Scenario: a three-tier web application network layout
- Security inside a VPC: security groups and network ACLs
- VPC components at a glance
- Amazon Route 53: DNS and domain names
- Edge services: CloudFront vs Global Accelerator
- Connecting your network to AWS: VPN and Direct Connect
- Identify the core components of an Amazon VPC: subnets, route tables, internet gateways, and NAT gateways
- Distinguish a public subnet from a private subnet by its route to an internet gateway
- Recognize security groups and network ACLs as the instance-level and subnet-level security layers of a VPC
- State the purpose of Amazon Route 53 as AWS's DNS and domain registration service
- Differentiate Amazon CloudFront (content caching) from AWS Global Accelerator (connection acceleration)
- Identify AWS Site-to-Site VPN and AWS Direct Connect as the main connectivity options between on-premises networks and AWS
Amazon VPC: your isolated network inside AWS
Amazon Virtual Private Cloud (Amazon VPC) is your logically isolated virtual network within the AWS Cloud. When you create a VPC, you define its private IP address range (a CIDR block, such as 10.0.0.0/16), and everything you launch with a network presence — EC2 instances, RDS databases, load balancers — lives inside it. "Logically isolated" is the phrase to remember: your VPC's traffic is separated from every other customer's, even though it runs on shared AWS infrastructure. When an exam question asks for "a logically isolated section of the AWS Cloud where you can launch resources in a virtual network you define," the answer is Amazon VPC.
You carve the VPC's IP range into subnets, smaller address ranges where resources are actually placed. The rule that matters most for the exam: each subnet exists in exactly one Availability Zone. A subnet cannot span AZs, while the VPC itself spans all AZs in its Region. This is why highly available architectures use multiple subnets — one or more per Availability Zone — so an application can survive the loss of a single AZ.
Traffic direction inside a VPC is controlled by route tables. A route table is a set of rules attached to subnets that decides where network traffic is sent — locally within the VPC, out to the internet, or toward a gateway. At the Cloud Practitioner level you only need to recognize what a route table is; you will not configure one on the exam. But route tables are the key to the next concept, because a subnet's route table is exactly what makes it "public" or "private."
Public vs private subnets: internet gateway vs NAT gateway
An internet gateway (IGW) is a VPC component that allows communication between your VPC and the internet — in both directions. You attach one internet gateway to a VPC. A public subnet is simply a subnet whose route table has a route to that internet gateway: resources in it with public IP addresses can be reached from the internet and can reach out to it. A private subnet has no route to an internet gateway, so its resources cannot be reached directly from the internet at all. This definition — public means "routes to an IGW," private means "no direct internet route" — is tested constantly.
But private resources often still need to initiate internet connections: a database server downloading security patches, an application server calling a third-party API. That is the job of a NAT gateway (network address translation). A NAT gateway sits in a public subnet and lets resources in private subnets make outbound connections to the internet while blocking unsolicited inbound connections from the internet to those resources. Responses to outbound requests flow back, but nothing on the internet can start a conversation with a private instance.
The internet-gateway-versus-NAT-gateway contrast is the single most common Task 3.5 question pattern:
- Internet gateway: two-way internet access for the VPC; required for public subnets. Trigger: "allow the VPC to communicate with the internet."
- NAT gateway: outbound-only internet access for private-subnet resources. Trigger: "instances in a private subnet need to download updates, but must not be reachable from the internet."
If the scenario mentions receiving traffic from the internet, think internet gateway and public subnet. If it mentions private resources reaching out — updates, patches, external APIs — while staying unreachable, think NAT gateway.
Scenario: a three-tier web application network layout
Put the components together with the layout the exam loves to describe: a classic three-tier web application — web tier, application tier, database tier — built for high availability across two Availability Zones.
Web tier (public subnets). The load balancer that receives customer traffic lives in public subnets, one in each Availability Zone. Those subnets are public because their route table sends internet-bound traffic to the VPC's internet gateway. This is the only tier that needs to accept connections from the internet.
Application tier (private subnets). The EC2 instances running business logic sit in private subnets. Nothing on the internet can connect to them directly — they receive traffic only from the load balancer inside the VPC. When these servers need to fetch operating system patches or call an external payment API, their route table sends that outbound traffic to a NAT gateway in a public subnet. Outbound works; unsolicited inbound is blocked.
Database tier (private subnets). The databases live in their own private subnets with no internet route at all, or route outbound through the same NAT gateway when patching requires it. They accept connections only from the application tier.
Notice what each component contributes: the VPC provides the isolated network, subnets place resources into specific Availability Zones, route tables define which subnets are public or private, the internet gateway admits customer traffic to the web tier, and the NAT gateway lets the hidden tiers reach out without being exposed. When a question sketches an architecture like this and asks "which component allows the application servers to download updates?", you can now answer NAT gateway without hesitation.
Security inside a VPC: security groups and network ACLs
Task 3.5 asks you to recognize the two security layers built into every VPC, not to analyze them in depth. A security group acts as a virtual firewall at the resource level — it is attached to individual resources such as EC2 instances or load balancers and controls what traffic can reach and leave them. A network ACL (access control list) is a firewall at the subnet level — it filters traffic entering and leaving an entire subnet, applying to every resource inside it. Remember the pairing as two layers of defense at two different scopes: security group = instance, network ACL = subnet. The deeper behavioral differences between them (rule evaluation, statefulness, allow versus deny rules) are examined under the security domain rather than here; for network-service identification, matching each one to its level is enough.
One quick anchor: if a question says "controls traffic at the instance level," choose security group; if it says "controls traffic at the subnet level" or "an optional additional layer that applies to all resources in a subnet," choose network ACL. Both are free, both are components of the VPC itself, and neither is a separate service you subscribe to.
VPC components at a glance
Use this table as your recognition sheet for VPC-component questions. The exam almost always gives you the middle column and expects you to produce the left column.
| Component | What it does | Trigger phrase in a question |
|---|---|---|
| Amazon VPC | Logically isolated virtual network in AWS where you define the IP range and launch resources | "Logically isolated section of the AWS Cloud" |
| Subnet | A segment of the VPC's IP range where resources are placed; exists in exactly one Availability Zone | "Range of IP addresses in your VPC, tied to one AZ" |
| Public subnet | Subnet whose route table has a route to an internet gateway | "Resources must be reachable from the internet" |
| Private subnet | Subnet with no direct route to an internet gateway | "Resources must not be directly reachable from the internet" |
| Internet gateway (IGW) | Enables two-way communication between the VPC and the internet | "Allow the VPC to communicate with the internet" |
| NAT gateway | Lets private-subnet resources initiate outbound internet connections while blocking inbound | "Private instances need to download updates but stay unreachable" |
| Route table | Rules that determine where a subnet's network traffic is directed | "Determines where network traffic from a subnet is sent" |
| Security group | Virtual firewall at the individual resource (instance) level | "Controls traffic at the instance level" |
| Network ACL | Firewall at the subnet level, applying to all resources in the subnet | "Controls traffic at the subnet level" |
A few related items appear as answer options and deserve one-line recognition each: VPC peering connects two VPCs privately so they can route traffic between each other; AWS Transit Gateway is a central hub that connects many VPCs and on-premises networks through a single gateway; and AWS PrivateLink provides private connectivity to services without sending traffic over the public internet. You will not be asked to configure any of them — only to recognize what each is.
Amazon Route 53: DNS and domain names
Amazon Route 53 is AWS's Domain Name System (DNS) web service. Its core purpose is translation: it converts human-friendly domain names such as www.example.com into the IP addresses computers use to connect to each other. Any exam question containing "DNS," "domain name resolution," or "translate domain names to IP addresses" points to Route 53. The name itself is a mnemonic — DNS traffic uses port 53.
Route 53 does three things you should be able to list. First, DNS resolution: it answers queries for your domain, directing users to resources inside AWS (a load balancer, a CloudFront distribution, an S3 static website) or outside it. Second, domain registration: you can buy and manage domain names directly through Route 53, so registration and DNS hosting live in one service. Third, health-check-aware traffic routing: Route 53 can monitor the health of your endpoints and route users away from unhealthy ones.
That third capability is delivered through routing policies, which you only need to recognize at one line each: simple (one answer for everyone), weighted (split traffic by percentage), latency-based (send users to the Region that answers fastest for them), failover (switch to a standby when the primary fails its health check), and geolocation (route by the user's location). If a question describes sending users to different endpoints based on where they are or how healthy the endpoint is, that is Route 53 doing DNS-level routing.
Keep Route 53 distinct from CloudFront: Route 53 tells the user's browser which address to connect to; it does not carry or cache the content itself. Delivering the content quickly is the next section's job.
Edge services: CloudFront vs Global Accelerator
Amazon CloudFront is AWS's content delivery network (CDN). It caches copies of your content — images, video, static files, and also dynamic content and APIs — at edge locations around the world, so users are served from a nearby edge instead of crossing the globe to your origin server. The result is lower latency and less load on the origin. Triggers for CloudFront: "CDN," "cache content at edge locations," "deliver content with low latency to global users," "reduce load on the origin," or "stream video to viewers worldwide." CloudFront works naturally with origins such as Amazon S3 and load balancers, and it operates over HTTP and HTTPS.
AWS Global Accelerator also uses AWS's edge network, but it solves a different problem. Instead of caching content, it improves the path your users' traffic takes: users connect to the nearest AWS edge location and their traffic then rides AWS's private global network to your application, avoiding the congestion and unpredictable routing of the public internet. It works for any TCP or UDP application — including non-HTTP workloads like gaming, VoIP, and IoT — and it gives you a pair of static anycast IP addresses that act as a fixed front door to endpoints in one or more Regions, improving both performance and availability.
The exam contrast to memorize: CloudFront caches content; Global Accelerator accelerates connections. If the scenario is about delivering or caching content (files, video, web pages) close to users, choose CloudFront. If it is about improving performance or availability for an application's network path, mentions TCP/UDP traffic that is not cacheable, or asks for static IP addresses that front a global application, choose Global Accelerator. Both are "edge services," both use AWS edge locations — the difference is what travels through them: cached content versus live connections.
Connecting your network to AWS: VPN and Direct Connect
The final identification set covers how an on-premises network — a corporate data center or office — connects privately to AWS. AWS Site-to-Site VPN creates encrypted tunnels over the public internet between your on-premises network and your VPC. Because it runs over the internet, it is quick to set up and low cost, but its performance depends on internet conditions. Trigger phrases: "encrypted connection over the internet," "IPsec tunnel," "connect the data center to AWS quickly."
AWS Direct Connect is a dedicated, private physical network connection between your premises and AWS. Your traffic never touches the public internet, which gives consistent network performance and supports high bandwidth. It requires physical provisioning, so it takes longer to establish. Trigger phrases: "dedicated private connection," "does not traverse the public internet," "consistent, predictable network performance." For Task 3.5 you identify what each option is; note simply that they solve the same problem — private connectivity to AWS — by different means: encrypted-over-internet versus dedicated-physical-link. One more to recognize: AWS Client VPN connects individual users (for example, remote employees on laptops) securely to AWS or on-premises networks, whereas Site-to-Site VPN connects entire networks.
Close the topic with the service-level recognition table:
| Service | Purpose | Trigger phrase in a question |
|---|---|---|
| Amazon Route 53 | DNS: translates domain names to IP addresses; registers domains; health-check-aware routing | "DNS", "domain registration", "route users based on latency or health" |
| Amazon CloudFront | CDN: caches static and dynamic content at edge locations for low-latency delivery | "CDN", "cache content close to users", "global content delivery" |
| AWS Global Accelerator | Routes TCP/UDP traffic onto AWS's global network at the nearest edge; static anycast IPs | "Improve performance of a global application", "static IP addresses", "TCP/UDP" |
| AWS Site-to-Site VPN | Encrypted tunnels over the internet between on-premises networks and AWS | "Encrypted connection over the internet" |
| AWS Direct Connect | Dedicated private physical link between on-premises and AWS | "Dedicated connection that bypasses the public internet" |
| AWS Client VPN | Secure connections for individual remote users into AWS or on-premises networks | "Remote employees connect securely from laptops" |
Tip. CLF-C02 probes this task through component identification: given a requirement, name the piece — internet gateway versus NAT gateway (two-way internet access versus outbound-only for private subnets) and public versus private subnet definitions are the most common pairings. Any mention of DNS, domain registration, or name resolution maps to Route 53, while edge questions hinge on CloudFront (caches content) versus Global Accelerator (accelerates TCP/UDP connections with static IPs). Connectivity items ask you to recognize Site-to-Site VPN as encrypted-over-internet and Direct Connect as a dedicated private link. Security groups and network ACLs appear here only as identify-the-level options: instance versus subnet.
- Amazon VPC is your logically isolated virtual network in AWS; you define the IP range and split it into subnets, each in exactly one Availability Zone.
- Public subnet = route to an internet gateway; private subnet = no direct internet route.
- Internet gateway enables two-way VPC-to-internet traffic; NAT gateway gives private subnets outbound-only internet access.
- Security groups filter traffic at the instance level; network ACLs filter at the subnet level — two VPC security layers.
- Route 53 is DNS: it translates domain names to IP addresses, registers domains, and routes traffic using health checks and routing policies.
- CloudFront is a CDN that caches content at edge locations; Global Accelerator speeds up TCP/UDP connections over AWS's global network with static anycast IPs.
- Site-to-Site VPN = encrypted tunnels over the internet; Direct Connect = dedicated private physical link to AWS.
- Client VPN connects individual remote users; Site-to-Site VPN connects entire networks.
Frequently asked questions
What is the difference between an internet gateway and a NAT gateway in AWS?
An internet gateway attaches to a VPC and allows two-way communication with the internet — resources in public subnets can both receive and send internet traffic. A NAT gateway serves private subnets: it lets those resources initiate outbound connections (for software updates or external API calls) while blocking any connection attempts coming in from the internet. On the exam, "receive traffic from the internet" points to an internet gateway; "private instances need outbound access but must stay unreachable" points to a NAT gateway.
What makes a subnet public or private in a VPC?
The subnet's route table. A public subnet has a route that sends internet-bound traffic to the VPC's internet gateway, so resources with public IP addresses are reachable from the internet. A private subnet has no route to an internet gateway, so its resources cannot be reached directly from outside. Nothing about the subnet itself differs otherwise — the routing decides. Private subnets typically route outbound traffic through a NAT gateway when their resources need internet access.
What is Amazon Route 53 used for?
Route 53 is AWS's DNS service. It translates human-readable domain names like www.example.com into IP addresses, lets you register and manage domain names, and routes user traffic using policies such as latency-based, weighted, failover, and geolocation routing, backed by health checks that steer users away from unhealthy endpoints. Any CLF-C02 question mentioning DNS, domain registration, or name resolution is asking about Route 53 — the 53 refers to the DNS port number.
What is the difference between CloudFront and Global Accelerator?
CloudFront is a content delivery network: it caches copies of your content at edge locations so users download it from somewhere nearby, which suits websites, APIs, and video delivery. Global Accelerator does not cache anything — it routes user connections onto AWS's private global network at the nearest edge location, improving performance and availability for any TCP or UDP application, and provides static anycast IP addresses. Remember it as: CloudFront caches content, Global Accelerator accelerates connections.
What is the difference between AWS VPN and Direct Connect?
AWS Site-to-Site VPN creates encrypted tunnels over the public internet between your on-premises network and AWS — fast to set up and inexpensive, but performance varies with internet conditions. AWS Direct Connect is a dedicated private physical connection between your facility and AWS that bypasses the internet entirely, giving consistent performance and higher bandwidth, at the cost of longer provisioning. For CLF-C02, identify VPN by "encrypted over the internet" and Direct Connect by "dedicated private connection."
Are security groups and network ACLs the same thing?
No. Both are VPC security layers, but they operate at different levels. A security group is a virtual firewall attached to individual resources such as EC2 instances, controlling traffic to and from that resource. A network ACL filters traffic at the subnet boundary, applying to every resource inside the subnet. At the Cloud Practitioner level, matching each one to its scope — security group = instance level, network ACL = subnet level — answers most questions that mention them.
Sign up free to mark lessons complete, bookmark topics and track your exam readiness.