Networking and Content Delivery
Topic 5 of 5 · Study notes
AWS Certified CloudOps Engineer - Associate (SOA-C03) — Domain 5: Networking and Content Delivery
Exam Code: SOA-C03 | Level: Associate
Domain Weight: 18% | Total Domains: 6 | Passing Score: 720/1000
Table of Contents
- VPC Fundamentals
- VPC Connectivity
- DNS — Route 53 and Resolver
- Advanced Networking
- Windows and Hybrid Networking
- Common Troubleshooting Scenarios
- Exam Tips & Quick Reference
1. VPC Fundamentals
A VPC is an isolated network environment in AWS. The exam tests subnet sizing, routing rules, security group vs. NACL behavior, and VPC flow log configuration.
1.1 VPC Core Concepts
IP Address Reservation Per Subnet
Every VPC subnet reserves 5 IP addresses (first 4 + last 1):
| Address | Reserved For |
|---|---|
| First (e.g., 10.0.0.0) | Network address |
| First + 1 (e.g., 10.0.0.1) | VPC router |
| First + 2 (e.g., 10.0.0.2) | DNS server |
| First + 3 (e.g., 10.0.0.3) | Reserved for future AWS use |
| Last (e.g., 10.0.0.255) | Broadcast address (not supported in VPC) |
A /28 subnet has 16 total addresses → 11 usable. Plan accordingly when sizing subnets.
Subnet and CIDR Limitations
You cannot change a subnet's CIDR block after creation, and you cannot change the primary VPC CIDR block. You CAN add secondary CIDR blocks to a VPC.
Exam Tip: "Cannot launch more EC2 instances because no free IP addresses in private subnet" → Create a new private subnet in the VPC — you cannot resize an existing subnet.
1.2 VPC Components — Complete Reference
Internet Gateway (IGW)
Provides two-way internet connectivity for resources with public IPs. Horizontally scaled, redundant, and highly available. Performs NAT for instances with public IPv4 addresses (maps private IP ↔ public IP). One IGW per VPC. Must attach IGW to VPC AND add a route to the route table.
Egress-Only Internet Gateway
IPv6 equivalent of NAT gateway. Allows IPv6 resources to initiate outbound connections while blocking inbound connections from the internet. Route table entry: ::/0 → eigw-xxxx.
NAT Gateway
Allows private subnet resources to make outbound internet connections while blocking inbound connections from the internet.
Exam Tip: NAT Gateway MUST be placed in a PUBLIC subnet — not a private subnet. This is the most common NAT gateway exam trap. For multi-AZ HA, deploy one NAT gateway per AZ.
Critical route table entry for private subnet:
0.0.0.0/0 → nat-gateway-id ← points to NAT gateway in PUBLIC subnet
NAT Instance (Legacy)
A NAT instance must have Source/Destination Checks disabled because it forwards traffic on behalf of other instances (it is neither the true source nor the destination). Place it in a public subnet and add a route in the private subnet route table pointing to the NAT instance ID.
aws ec2 modify-instance-attribute \
--instance-id i-1234567890 \
--source-dest-check "{\"Value\": false}"
Transit Gateway (TGW)
Central hub connecting multiple VPCs and VPN connections. Supports transitive routing (VPC A → TGW → VPC B, VPC A → TGW → VPN). VPC peering does NOT support transitive routing. Use TGW when connecting many VPCs or replacing a mesh of VPC peering connections.
1.3 Route Tables
Route Evaluation Order
Routes are evaluated from most specific to least specific (longest prefix match):
| Destination | Target | Note |
|---|---|---|
| 10.0.0.0/16 | local | VPC-internal traffic (the VPC CIDR) |
| 10.0.1.0/24 | nat-gateway-id | More specific than the local route, so it wins for this subnet |
| 0.0.0.0/0 | igw-xxxxx | Default route; all other traffic |
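The longest-prefix rule above, worked through in code. This is an added example written for these notes, not AWS code: the route table is a constructed Python list mirroring the three routes shown (the `nat-gateway-id` and `igw-xxxxx` targets are placeholders, as in the notes), and Python's standard `ipaddress` module does the containment test.

```python
import ipaddress

# Constructed route table mirroring the one in these notes (placeholder target IDs, not real resources).
ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),           # VPC CIDR (the local route)
    ("10.0.1.0/24", "nat-gateway-id"),  # more specific than the local route
    ("0.0.0.0/0", "igw-xxxxx"),         # default route
]

def matching_routes(dest_ip, routes=ROUTE_TABLE):
    """All routes whose destination CIDR contains dest_ip, most specific (longest prefix) first."""
    addr = ipaddress.ip_address(dest_ip)
    candidates = []
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if addr in net:  # False when the address and network differ in IP version
            candidates.append((net.prefixlen, cidr, target))
    candidates.sort(key=lambda c: c[0], reverse=True)
    return [(cidr, target) for _, cidr, target in candidates]

def select_route(dest_ip, routes=ROUTE_TABLE):
    """Longest-prefix match: the route the VPC would use, or None if nothing matches
    (only possible when there is no 0.0.0.0/0 default route)."""
    matches = matching_routes(dest_ip, routes)
    return matches[0] if matches else None

if __name__ == "__main__":
    for ip in ("10.0.1.50", "10.0.5.5", "8.8.8.8"):
        print(ip, "->", select_route(ip))
```

`10.0.1.50` is inside both `10.0.0.0/16` and `10.0.1.0/24`; the /24 wins because it is longer, which is why a more-specific route can pull traffic for one subnet away from the local route while `10.0.5.5` still goes to `local`.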
Route Table Types
| Route Table | Associated With | Has Route To |
|---|---|---|
| Public subnet | Public subnets | 0.0.0.0/0 → IGW |
| Private subnet | Private subnets | 0.0.0.0/0 → NAT GW |
| Main route table | Subnets without explicit association | Usually VGW or local only |
Note: The VPC Wizard creates the main route table for the PRIVATE subnet (with route to NAT) and a custom route table for the PUBLIC subnet (with route to IGW). This is the opposite of what you might expect.
1.4 Security Groups vs. Network ACLs
Security Groups — Stateful Firewall
| Characteristic | Detail |
|---|---|
| Applies to | EC2 instances (ENIs) |
| State | STATEFUL — return traffic automatically allowed |
| Rules | Allow rules ONLY — no explicit deny |
| Default (new SG) | No inbound rules; all outbound allowed |
Because security groups are stateful, adding inbound TCP/443 allows HTTPS requests and the response traffic is automatically allowed — you do NOT need a separate outbound rule.
Security groups cannot explicitly deny traffic from a specific IP. Use NACLs to block specific IPs.
Network ACLs (NACLs) — Stateless Firewall
| Characteristic | Detail |
|---|---|
| Applies to | Subnets (all instances in the subnet) |
| State | STATELESS — both directions need explicit rules |
| Rules | Allow AND Deny rules |
| Evaluation | Rules evaluated in ascending number order; first match wins |
| Default NACL | Allow all inbound and outbound |
| Custom NACL | Deny all inbound and outbound by default |
For a web server in a subnet, both inbound and outbound rules are required:
Inbound rule: Allow TCP port 80 from 0.0.0.0/0 ← allows incoming HTTP requests
Outbound rule: Allow TCP port 1024-65535 to 0.0.0.0/0 ← allows HTTP response (ephemeral ports)
Exam Tip: "New web server can send requests to internet but web browsers cannot reach it" → Missing NACL outbound rule for ephemeral ports 1024-65535 (the client's response port range).
For a deny rule to take effect, its rule number must be lower than the allow rule:
Rule 90: DENY ALL from 192.168.1.100/32 ← Must be BEFORE the allow rule
Rule 100: ALLOW ALL from 0.0.0.0/0
Rule *: DENY ALL (default)
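A small NACL evaluator that demonstrates the three behaviours above (ascending rule-number evaluation with first match wins, the implicit deny, and the stateless requirement for an outbound ephemeral-port rule). This is an added example written for these notes, not AWS code or a real exported NACL: the `NaclRule` class and the rule sets are constructed to mirror the web-server rules and the rule 90/100 ordering shown in the text.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NaclRule:
    number: int         # NACL rules are evaluated in ascending rule-number order
    action: str         # "allow" or "deny"
    protocol: str       # "tcp", "udp", "icmp" or "all"
    cidr: str           # remote CIDR: source for inbound rules, destination for outbound rules
    port_from: int = 0  # port range; only meaningful for tcp/udp
    port_to: int = 65535

def evaluate(rules, remote_ip, protocol, port):
    """Verdict for one direction: the first matching rule by ascending number wins;
    the implicit '*' rule denies anything that matched no explicit rule."""
    addr = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if addr not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        if rule.protocol != "all" and rule.protocol != protocol:
            continue
        if rule.protocol in ("tcp", "udp") and not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action
    return "deny"

def check_flow(inbound, outbound, client_ip, client_port, server_port, protocol="tcp"):
    """Stateless check of a client request and the server's response. The response is
    addressed to the client's ephemeral port, so the OUTBOUND rules must allow that port."""
    request = evaluate(inbound, client_ip, protocol, server_port)
    response = evaluate(outbound, client_ip, protocol, client_port)
    return {"request": request, "response": response,
            "ok": request == "allow" and response == "allow"}

# Constructed rule sets for a web-server subnet (illustrative, not exported from an account).
INBOUND = [
    NaclRule(90, "deny", "all", "192.168.1.100/32"),          # must precede rule 100 to take effect
    NaclRule(100, "allow", "tcp", "0.0.0.0/0", 80, 80),
]
OUTBOUND_MISSING_EPHEMERAL = [
    NaclRule(100, "allow", "tcp", "0.0.0.0/0", 80, 80),       # lets requests out, not responses
]
OUTBOUND_OK = OUTBOUND_MISSING_EPHEMERAL + [
    NaclRule(110, "allow", "tcp", "0.0.0.0/0", 1024, 65535),  # ephemeral ports for responses
]
INBOUND_DENY_TOO_LATE = [
    NaclRule(100, "allow", "tcp", "0.0.0.0/0", 80, 80),
    NaclRule(110, "deny", "all", "192.168.1.100/32"),         # never reached for TCP/80
]

if __name__ == "__main__":
    print(check_flow(INBOUND, OUTBOUND_MISSING_EPHEMERAL, "203.0.113.7", 51000, 80))
    print(check_flow(INBOUND, OUTBOUND_OK, "203.0.113.7", 51000, 80))
    print(evaluate(INBOUND, "192.168.1.100", "tcp", 80), evaluate(INBOUND_DENY_TOO_LATE, "192.168.1.100", "tcp", 80))
```

With `OUTBOUND_MISSING_EPHEMERAL` the request is allowed but the response is denied, which is exactly the "server can send but browsers cannot reach it" symptom; moving the deny to rule 110 shows why the deny must carry the lower number.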
1.5 VPC Flow Logs
What Flow Logs Capture
VPC Flow Logs capture metadata about IP traffic — NOT the packet payload:
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
2 123456789 eni-abc123 10.0.0.5 172.31.0.10 49152 443 6 10 840 1546620600 1546620660 ACCEPT OK
What Flow Logs Do NOT Capture
Flow logs do not capture DNS queries to Route 53, DHCP traffic, instance metadata service traffic (169.254.169.254), Windows license activation traffic, or packet payload/content.
Troubleshooting with Flow Logs
| Flow Log Shows | Meaning |
|---|---|
| ACCEPT inbound, ACCEPT outbound | Both directions allowed — no blocking |
| REJECT inbound | Security group or NACL blocking inbound |
| ACCEPT inbound, REJECT outbound | NACL blocking outbound response (ephemeral port issue) |
| No flow log entry | Traffic never reached the network interface |
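The table above, applied to real records: a parser for the default flow log format plus a pass that pairs each inbound record with its outbound counterpart and names the likely blocker. This is an added example written for these notes, not AWS code. The log lines are constructed samples for an ENI whose private IP is assumed to be 10.0.0.5; because the default format carries no direction field, direction is inferred from that address, and a REJECT alone cannot tell a security group from a NACL, so the verdict names both.

```python
from collections import defaultdict

# Field order of the default (version 2) flow log record, as listed in these notes.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample records for one ENI whose private IP is 10.0.0.5
# (illustrative values, not captured from a real account).
SAMPLE_LOG = """\
2 123456789012 eni-abc123 203.0.113.7 10.0.0.5 51000 80 6 12 2400 1546620600 1546620660 ACCEPT OK
2 123456789012 eni-abc123 10.0.0.5 203.0.113.7 80 51000 6 0 0 1546620600 1546620660 REJECT OK
2 123456789012 eni-abc123 198.51.100.9 10.0.0.5 40000 22 6 1 44 1546620600 1546620660 REJECT OK
2 123456789012 eni-abc123 10.0.0.5 172.31.0.10 49152 443 6 10 840 1546620600 1546620660 ACCEPT OK
2 123456789012 eni-abc123 172.31.0.10 10.0.0.5 443 49152 6 8 5200 1546620600 1546620660 ACCEPT OK
2 123456789012 eni-abc123 - - - - - - - 1546620600 1546620660 - NODATA
"""

def parse_record(line):
    """Split one default-format record into a dict. Returns None for malformed lines and
    for records with no traffic fields (log-status NODATA or SKIPDATA)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":
        return None
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        rec[key] = int(rec[key])
    return rec

def diagnose(log_text, instance_ip):
    """Pair inbound and outbound records per remote endpoint and name the likely blocker.

    Direction is inferred from the ENI's private IP (assumption: the default format has
    no flow-direction field). Keys are (remote_ip, remote_port, local_port).
    """
    flows = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        if rec["dstaddr"] == instance_ip:
            flows[(rec["srcaddr"], rec["srcport"], rec["dstport"])]["inbound"] = rec["action"]
        elif rec["srcaddr"] == instance_ip:
            flows[(rec["dstaddr"], rec["dstport"], rec["srcport"])]["outbound"] = rec["action"]

    verdicts = {}
    for key, seen in flows.items():
        remote_port = key[1]
        inbound, outbound = seen.get("inbound"), seen.get("outbound")
        if inbound == "REJECT":
            verdicts[key] = "inbound blocked: security group or NACL inbound rule"
        elif inbound == "ACCEPT" and outbound == "REJECT":
            verdicts[key] = ("response blocked: NACL outbound missing ephemeral ports 1024-65535"
                             if remote_port >= 1024 else "response blocked: NACL outbound rule")
        elif inbound == "ACCEPT" and outbound == "ACCEPT":
            verdicts[key] = "allowed both directions"
        else:
            verdicts[key] = "incomplete: only one direction observed"
    return verdicts

if __name__ == "__main__":
    for flow, verdict in diagnose(SAMPLE_LOG, "10.0.0.5").items():
        print(flow, "->", verdict)
```

The first two sample lines reproduce the "ACCEPT inbound, REJECT outbound" row: the HTTP request got in, the reply to the client's port 51000 was rejected, so the outbound NACL is the place to look. The NODATA record is skipped before any field is converted, which is the usual trap when scripting over raw flow log text.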
Exam Tip: If you need to add fields (like tcp-flags) to existing VPC flow logs, you cannot modify an existing flow log's format. Create a new flow log with the custom format including the additional field and delete the original.
Flow logs are not real-time — first logs appear approximately 10 minutes after enabling. The IAM role for flow logs needs logs:CreateLogGroup, logs:CreateLogStream, logs:PutLogEvents, logs:DescribeLogGroups, and logs:DescribeLogStreams.
2. VPC Connectivity
2.1 VPC Peering
VPC peering creates a private network connection between two VPCs (same or different account/region) where traffic stays on the AWS network backbone. Peering is not transitive — if A peers B and B peers C, A cannot communicate with C through B.
After creating a peering connection, both route tables must be updated manually:
In VPC A's route table:
172.31.0.0/16 → pcx-12345abc ← routes to VPC B through peering
In VPC B's route table:
10.0.0.0/16 → pcx-12345abc ← routes to VPC A through peering
Also update security groups in each VPC to allow traffic from the other VPC's CIDR range.
Exam Tip: VPC peering CIDR blocks cannot overlap — if both VPCs use 10.0.0.0/16, peering will fail. For connecting many VPCs with transitive routing, use Transit Gateway instead.
2.2 AWS Site-to-Site VPN
On-premises network                                   AWS VPC
Customer Gateway (CGW) ←──── IPsec VPN ────→ Virtual Private Gateway (VGW)
Customer Gateway IP Address rule: When configuring the Customer Gateway resource in AWS, if there is a NAT device in front of the customer gateway device, provide the public IP of the NAT device — not the private IP of the customer gateway. AWS only sees the NAT device's public IP.
After creating a Site-to-Site VPN, enable route propagation on the VPC route table or manually add static routes: on-premises-CIDR → vgw-xxxx. When a new subnet is added to a new AZ and cannot reach on-premises, the new subnet's route table is missing the route to the VGW.
2.3 AWS Direct Connect
Direct Connect provides a dedicated physical connection from on-premises to AWS. Traffic does NOT traverse the public internet. Direct Connect is not encrypted by default — for encryption over Direct Connect, use VPN on top of Direct Connect.
Use cases: compliance requiring no-internet path, consistent guaranteed bandwidth, and very low latency.
2.4 VPC Endpoints
Gateway Endpoints
| Feature | Detail |
|---|---|
| Supported services | S3 and DynamoDB only |
| Cost | FREE — no hourly charge, no data processing charge |
| How configured | Entry added to route table: S3 prefix list → vpce-xxxx |
Exam Tip: "Private subnet EC2 must access S3 privately without internet; no cost for VPC connectivity" → Gateway VPC endpoint for S3 — it is free and requires only a route table entry.
Interface Endpoints (AWS PrivateLink)
| Feature | Detail |
|---|---|
| Supported services | Most AWS services (SSM, Secrets Manager, SQS, SNS, etc.) |
| Cost | $0.01/hour per AZ + $0.01 per GB |
| How configured | Creates an ENI in your subnet with a private IP address |
Use interface endpoints when Lambda or EC2 in a private subnet needs SSM, Secrets Manager, SQS, or other AWS services without internet access.
Bucket Policy for VPC Endpoint Restriction
Deny every request to the bucket that does not arrive through the named VPC endpoint (an explicit Deny overrides any Allow, so this also locks out console and other non-endpoint paths):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
      "Condition": {
        "StringNotEquals": { "aws:SourceVpce": "vpce-1a2b3c4d" }
      }
    }
  ]
}
3. DNS — Route 53 and Resolver
3.1 Route 53 — Routing Policies
| Policy | Based On | Notes |
|---|---|---|
| Simple | N/A | Single record; multiple IPs returned randomly; no health check |
| Weighted | % distribution | A/B testing; gradual migration; can have health checks |
| Latency | Measured network latency | Routes to lowest latency region from user's location |
| Failover | Health check result | Primary/secondary; automatic DNS failover |
| Geolocation | User's geographic location (country/continent) | Compliance, content localization |
| Geoproximity | Location + configurable bias | Shift traffic bias toward specific regions |
| Multivalue | Random selection with health checks | Up to 8 healthy records; not a replacement for ELB |
| IP-based | User's IP address CIDR ranges | Route based on ISP or known IP ranges |
Exam Tip: "Route traffic based on the location of resources" → Geoproximity (not geolocation — geolocation routes based on the user's location, not the resource location).
Route 53 for Multi-Region Failover
Create Alias records pointing to ALBs in the primary and secondary regions with Failover routing policy. When the primary ALB health check fails, Route 53 automatically returns the secondary record's IP.
Set EvaluateTargetHealth: true on alias records so the alias record inherits the health of the ALB target group.
3.2 Route 53 Resolver
Resolver Endpoints
OUTBOUND Endpoint (VPC → On-premises): Use when EC2 instances in a VPC need to resolve on-premises hostnames (e.g., database.corp.internal). Route 53 Resolver forwards DNS queries for specified domains to on-premises DNS servers.
INBOUND Endpoint (On-premises → VPC): Use when on-premises servers need to resolve AWS private hosted zone records (e.g., myapp.aws.internal). Configure the on-premises DNS server to forward queries to the inbound endpoint IP.
VPC EC2 → resolve on-premises.corp.internal
→ VPC DNS (169.254.169.253)
→ Outbound endpoint
→ On-premises DNS server
→ Returns answer
On-premises server → resolve app.aws.internal
→ On-premises DNS (forwards per rule)
→ Inbound endpoint in VPC
→ Route 53 private hosted zone
→ Returns answer
Exam Tip: The question describes the DIRECTION of the DNS query: "Application in VPC can't resolve on-premises hostname" → OUTBOUND endpoint. "On-premises application can't resolve VPC hostname" → INBOUND endpoint.
3.3 Route 53 for S3 Website Hosting
The S3 bucket name MUST exactly match the domain record name in Route 53 (e.g., bucket www.example.com → Route 53 record www.example.com). Use Alias records (not CNAME) — especially at the zone apex. For both www.example.com and example.com, create separate buckets with matching names and configure the apex bucket to redirect to the www bucket.
4. Advanced Networking
4.1 Elastic Network Interfaces and Elastic IPs
An Elastic IP address is a static public IPv4 address that you own until released. It is charged when NOT associated with a running instance or network interface.
CloudWatch Alarm Recover Action
A CloudWatch alarm on the StatusCheckFailed_System metric with the Recover EC2 action moves the instance to new underlying hardware. It preserves the instance ID, private IP address, Elastic IP address, and EBS volumes. It does NOT preserve instance store volumes or RAM contents.
| Action | When | Preserves IP |
|---|---|---|
| Reboot | Same hardware, OS restart | Yes |
| Stop/Start | Move to different hardware | Yes (EIP; private IP stays same) |
| Recover | Hardware failure detected | Yes (all IPs preserved) |
| Terminate | Decommission | No |
4.2 Application Load Balancer — Networking Details
ALB requires at least 2 subnets in different AZs. For internet-facing ALBs, subnets must be PUBLIC subnets. Each subnet must have at least one free IP address.
ALB HTTP to HTTPS Redirect
Listener: HTTP:80
Default Rule: Redirect to HTTPS:443
Location: https://#{host}:443/#{path}?#{query}
Status Code: 301
Listener: HTTPS:443
ACM Certificate: arn:aws:acm:region:account:certificate/cert-id
Default Rule: Forward to Target Group
4.3 Network Load Balancer Features
Each AZ gets a static IP (or Elastic IP) that clients can use for IP-based allow-listing. This is useful when applications behind NLB need to tell third-party services which IPs to allow.
| Need | Use |
|---|---|
| Static IP per AZ | NLB |
| URL-based routing / WebSockets / gRPC | ALB |
| Millions of requests per second | NLB |
| TCP/UDP pass-through | NLB |
Exam Tip: "Application uploads to third-party service that requires a single IP address allow-list" → Place instances behind NLB (static IP per AZ) or NAT gateway (common public IP for all instances outbound).
5. Windows and Hybrid Networking
5.1 Amazon FSx for Windows File Server
| Feature | FSx for Windows | Amazon EFS |
|---|---|---|
| Protocol | SMB (Windows native) | NFS (Linux native) |
| OS compatibility | Windows instances | Linux instances |
| Active Directory | Full integration | External AD connector |
| Windows features | DFS, NTFS ACLs, VSS | Not supported |
Exam Tip: "CloudOps Engineer creates EFS file share for Windows EC2 instances but cannot mount it" → Delete EFS → Create Amazon FSx for Windows File Server instead. Windows instances cannot natively mount NFS (EFS) without additional configuration.
5.2 EC2 Instance Connect vs. Session Manager vs. Bastion
| Feature | Bastion Host | Session Manager | EC2 Instance Connect |
|---|---|---|---|
| Requires SSH port open | Yes | No | No |
| Requires SSH key pair | Yes | No | No (temporary keys) |
| Audit logging | Manual setup | Built-in | No |
| IAM-based access control | No | Yes | Partial |
| Works with private subnet instances | Via bastion only | Yes (VPC endpoints) | Only if internet access |
Exam Tip: "Access hundreds of Linux/Windows EC2 instances in private subnets without SSH; centrally log sessions; IAM-controlled" → SSM Session Manager — not bastion hosts, not EC2 Instance Connect.
6. Common Troubleshooting Scenarios
6.1 Connection Troubleshooting Checklist
When an EC2 instance is unreachable, check in order:
- Does the instance have a public IP (or EIP for internet-facing)?
- Is an Internet Gateway attached to the VPC?
- Does the public subnet route table have 0.0.0.0/0 → igw-xxxx?
- Does the security group inbound allow the required port from the source IP?
- Do the NACL rules allow the port inbound AND allow ephemeral ports (1024-65535) outbound for the response?
- Is there an OS firewall (iptables, Windows Firewall) blocking the port?
- Is the application actually listening on the correct port?
Common Exam Scenarios and Root Causes
| Symptom | Root Cause |
|---|---|
| Ping (ICMP) from on-premises to EC2 fails | Security group missing inbound ICMP; or NACL missing outbound ICMP (stateless!) |
| HTTPS connection times out | Security group missing inbound TCP/443; or NACL missing outbound TCP/1024-65535 |
| Private subnet EC2 cannot reach internet | Route table missing 0.0.0.0/0 → NAT GW; or NAT GW is in private subnet (not public) |
| VPN-connected on-premises cannot reach new AZ EC2 | New subnet route table missing on-premises-CIDR → vgw-xxxx |
6.2 ALB HTTP 5xx Error Codes
| Code | Meaning |
|---|---|
| 502 Bad Gateway | Origin returned invalid response; often an expired SSL certificate |
| 503 Service Unavailable | No healthy targets in the target group |
| 504 Gateway Timeout | Target did not respond in time |
| 500 Internal Server Error | ALB internal error |
A high HTTPCode_ELB_5xx_Count most commonly indicates that the target group has no healthy instances (503).
Exam Tips & Quick Reference
Scenario-to-Answer Mapping
| Scenario Keyword / Requirement | Correct Answer |
|---|---|
| "Cannot launch more EC2 in private subnet — no IPs" | Create new private subnet (cannot resize existing) |
| "Private subnet → internet fails" | Add 0.0.0.0/0 → NAT GW to private subnet route table |
| "NAT instance not working" | Disable source/destination checks on the NAT instance |
| "Customer gateway behind NAT device" | Use public IP of NAT device (not customer gateway private IP) |
| "New AZ subnets can't reach on-premises" | Add on-premises CIDR → VGW route to new subnet route table |
| "Ping fails; EC2 SG allows it; NACL allows inbound" | NACL missing outbound ICMP rule (stateless — both directions needed) |
| "Browser can't reach web server; SG allows HTTP" | NACL missing outbound ephemeral ports 1024-65535 |
| "HTTP to HTTPS redirect on ALB" | Port 80 listener → redirect rule → HTTPS:443; port 443 with ACM cert |
| "Static IP for third-party allow-listing" | NLB (static IP per AZ) or NAT gateway (outbound) |
| "S3 access from EC2 without internet; free" | Gateway VPC endpoint for S3 (no cost; add to route table) |
| "Lambda to SSM/Secrets Manager in private subnet" | Interface VPC endpoint for the service |
| "Connect VPCs in different accounts; transitive OK" | Transit Gateway (VPC peering is not transitive) |
| "VPC peering doesn't work" | Both route tables must have routes pointing to peering connection |
| "VPC peering fails — CIDR overlap" | CIDRs cannot overlap; one VPC must be re-addressed |
| "Monitor traffic between ECS tasks" | ECS awsvpc network mode + VPC Flow Logs on ENIs |
| "Resolve on-premises hostnames from VPC" | Route 53 Resolver outbound endpoint + forwarding rule |
| "Resolve AWS hostnames from on-premises" | Route 53 Resolver inbound endpoint + configure on-premises DNS forwarder |
| "GuardDuty finds suspicious traffic — block it" | GuardDuty detects only; use NACLs to block the IP |
| "Windows EC2 instances need shared storage" | FSx for Windows File Server (not EFS — EFS is NFS for Linux) |
| "All EC2 instances use single public IP outbound" | NAT gateway; provide NAT gateway's EIP to third party |
| "VPC flow log needs tcp-flags field" | Create new flow log with custom format (cannot modify existing) |
| "ALB 503 errors" | No healthy targets in target group |
| "CloudFront 502 errors" | SSL certificate expired on origin |
| "Two static IPs for global application" | AWS Global Accelerator |
Common Traps
- Security groups vs. NACLs for blocking traffic: Security groups can only ALLOW. To block a specific IP address, you must use a NACL with a Deny rule. This distinction is tested frequently.
- NAT Gateway placement: NAT Gateway must be in a PUBLIC subnet with an Elastic IP. Placing it in a private subnet is a very common wrong answer option.
- VPC peering is not transitive: A-B and B-C peering does NOT give A-C connectivity. Exam questions often imply you can chain peering — the correct answer for transitive routing is always Transit Gateway.
- Outbound vs. Inbound Route 53 Resolver endpoints: The direction refers to which side initiates the query, not where the endpoint lives. Outbound = VPC initiates query toward on-premises. Inbound = on-premises initiates query toward VPC.
- EFS is NFS for Linux only: Windows instances cannot mount EFS without additional configuration. The answer for Windows shared storage is always FSx for Windows File Server.
Key Terms — Domain 5
| Term | One-Line Definition |
|---|---|
| Security Group | Stateful ENI-level firewall; return traffic automatically allowed; allow rules only |
| NACL | Stateless subnet-level firewall; both directions need explicit rules; supports deny rules |
| NAT Gateway | Outbound-only internet access for private subnet instances; must be in public subnet |
| VPC Peering | Private connection between two VPCs; non-transitive; CIDR must not overlap |
| Transit Gateway | Hub-and-spoke connector for multiple VPCs and VPNs; supports transitive routing |
| Gateway Endpoint | Free VPC endpoint for S3 and DynamoDB only; implemented via route table entry |
| Interface Endpoint | Paid VPC endpoint (PrivateLink) for most AWS services; creates ENI in your subnet |
| Route 53 Outbound Resolver | Forwards DNS queries from VPC to on-premises DNS for on-premises hostnames |
| Route 53 Inbound Resolver | Receives DNS queries from on-premises and resolves AWS private hosted zones |
| FSx for Windows | SMB-protocol managed file share for Windows EC2 instances with AD integration |
End of Domain 5. ← All Domains Complete