Vinay Kumar
Networking
LearningTree · AWS · Networking

AWS Networking —
The Complete Request Flow

Not a list of services — a system. Understand how DNS, edge caching, load balancing, API management, and private networking work together to deliver every request from user to backend.

End-to-End Request Flow

Every request to an AWS-hosted application passes through the same logical layers. Understanding this flow is the single most important networking concept for AWS certification exams.

Complete Request Flow — User to Backend
👤 User types URL Route 53 DNS → IP CloudFront Edge cache ELB / API GW Route + Auth + Throttle Traffic layer Compute Lambda/EC2/ECS Data RDS/DDB ② DNS ③ Edge ④ Traffic ⑤ Compute ⑥ Data Every AWS web request flows through these layers (some optional) Networking = layers ①–④ | This module covers all of them
Networking Layers — What Each Service Does
Layer Service What It Does One-Liner
① DNS Route 53 Translates domain → IP address Where does this domain live?
② Edge CloudFront Caches content at 450+ edge locations Serve from closest location
② Edge Global Accelerator Static IPs + AWS backbone routing (TCP/UDP) Optimize non-HTTP traffic
③ Traffic ELB (ALB/NLB) Distributes requests across targets Spread load, health check
③ API API Gateway Manages APIs — auth, throttle, route Front door for APIs
④ Network VPC Private isolated network — subnets, routing, firewalls Your private data centre
⑤ Connectivity Direct Connect Dedicated fibre from on-prem to AWS Private, consistent bandwidth
⑤ Connectivity Site-to-Site VPN Encrypted tunnel over internet to VPC Quick setup, encrypted hybrid
⑤ Hub Transit Gateway Central hub connecting multiple VPCs + on-prem Hub-and-spoke router
⑥ Private PrivateLink Access AWS services without internet Private access, no exposure
⑦ Security WAF Layer 7 firewall — SQL injection, XSS, bots Block bad HTTP requests
⑦ Security Shield DDoS protection (Standard free, Advanced $3K/mo) Absorb volumetric attacks
🧠 Key Insight

These services are not alternatives — they're layers in a stack. A production system typically uses ALL of them: Route 53 + CloudFront + ELB or API Gateway + VPC.

Decision Guide — When to Use What
You Need... Use Why
Custom domain Route 53 DNS management + health-check routing
Low latency for global users (HTTP) CloudFront Cache at edge, reduce round-trip distance
Static IP + global TCP/UDP acceleration Global Accelerator Anycast IPs, AWS backbone, instant failover (~$0.025/hr)
Distribute traffic across EC2/ECS ALB Layer 7, path/host routing, health checks
Ultra-low latency / static IP (TCP/UDP) NLB Layer 4, millions req/s, source IP preserved
Inline traffic inspection (firewall/IDS) GWLB Route through 3rd-party appliances (GENEVE, Layer 3)
Serverless API (Lambda backend) API Gateway Auth, throttle, caching — no servers
Private network isolation VPC Subnets, security groups, NACLs, NAT
Dedicated private link to on-premises Direct Connect Private fibre, consistent latency (weeks to set up)
Quick encrypted hybrid connection Site-to-Site VPN IPsec over internet, minutes to set up
Connect many VPCs + on-prem centrally Transit Gateway Hub-and-spoke, transitive routing, 5000 attachments
Access AWS services without internet PrivateLink VPC endpoint → SQS/KMS/S3 via AWS backbone
Block SQL injection / XSS / bots WAF Layer 7 rules on CloudFront/ALB/API GW
DDoS protection Shield Standard (free/auto) or Advanced ($3K/mo + DRT)
Architecture Patterns
3 Common Patterns — Static Site, Serverless API, Web App
PATTERN 1: Static Website Route 53 → CloudFront → S3 No servers, global CDN, HTTPS Cost: ~$1/month for millions of views PATTERN 2: Serverless API Route 53 → API GW → Lambda → DDB Auth, throttle, pay-per-request Cost: ~$2.50/month at 1M requests PATTERN 3: Web Application Route 53 → CF → ALB → EC2/ECS Multi-AZ, Auto Scaling, health checks Enterprise: highly available + scalable PRODUCTION STACK (all layers combined) Route 53 DNS CloudFront Edge + WAF ALB Load balance EC2 / ECS Compute RDS Database VPC Private network
Additional Patterns — Hybrid & Private Access
2 More Patterns — Hybrid Connectivity + Private Service Access
PATTERN 4: Hybrid Architecture On-Prem → Direct Connect (or VPN) → Transit GW → VPCs Central hub connects offices + cloud + regions Enterprise: DX primary, VPN backup, BGP failover PATTERN 5: Private Service Access EC2 → VPC Endpoint → SQS/S3/KMS (no internet) Zero internet exposure for backend services Security: PrivateLink + endpoint policies SECURITY STACK (protects all patterns above) Shield (DDoS) WAF (Layer 7) Security Groups NACLs PrivateLink / VPN
Exam Insights

🎯 Exam Keywords → Service

  • "static IP" → NLB (not ALB)
  • "path-based routing" → ALB
  • "serverless API" → API Gateway + Lambda
  • "reduce latency globally" → CloudFront
  • "custom domain" → Route 53 + alias record
  • "private subnet internet access" → NAT Gateway (in VPC)
  • "cross-region failover" → Route 53 failover routing
  • "firewall / IDS" → Gateway Load Balancer (GWLB)
  • "rate limit API partners" → API Gateway usage plans + API keys
  • "WebSocket / real-time" → API Gateway WebSocket API
  • "consistent latency to on-prem" → Direct Connect
  • "encrypted hybrid, quick setup" → Site-to-Site VPN
  • "connect multiple VPCs centrally" → Transit Gateway
  • "private S3 access from VPC" → Gateway Endpoint (free)
  • "private SQS/KMS access" → Interface Endpoint (PrivateLink)
  • "DDoS protection" → Shield (Standard free / Advanced $3K)
  • "SQL injection / XSS" → WAF
  • "static IP + global TCP/UDP" → Global Accelerator

⚠️ Common Traps

  • ALB does NOT have a static IP — use NLB if you need one (or NLB → ALB pattern)
  • API Keys are NOT authentication — they're for throttling/identification only
  • CloudFront is NOT just for static content — it caches dynamic APIs too
  • Security Groups are stateful (return traffic auto-allowed); NACLs are stateless (must allow both)
  • HTTP API is cheaper than REST API ($1 vs $3.50/1M) — default to HTTP API unless you need cache/WAF
  • Direct Connect is NOT encrypted by default — add VPN on top for encryption
  • Gateway Endpoint (S3/DDB) is free; Interface Endpoint costs ~$7/month
  • Global Accelerator ≠ CloudFront: GA doesn't cache, optimizes TCP/UDP path instead
  • Transit Gateway enables transitive routing; VPC Peering does NOT
  • Shield Standard is free and automatic — don't confuse with Advanced ($3K/mo)
Explore Each Service
④ network
Amazon VPC
Private isolated network — subnets, route tables, gateways, Security Groups, NACLs. The foundation everything else sits on.
① dns
Route 53
DNS service — domain registration, routing policies (failover, latency, weighted, geolocation), health checks.
② edge
CloudFront
CDN — 450+ edge locations, cache static + dynamic content, Lambda@Edge, Shield + WAF integration.
③ traffic
Elastic Load Balancing
ALB (Layer 7, HTTP routing), NLB (Layer 4, static IP), GWLB (Layer 3, appliances). Distribute + health check.
③ api
API Gateway
Managed API layer — REST/HTTP/WebSocket APIs. Auth, throttling, caching, Lambda integration. Your API control plane.
advanced
Other Services
Transit Gateway, Direct Connect, VPN, PrivateLink, Global Accelerator — cross-VPC and hybrid connectivity.