VPC private networks, CloudFront CDN, API Gateway, and load balancing are the building blocks of secure, fast, and resilient cloud architecture. This page covers each and how they fit together.

Why Networking Matters

Networking is the foundation of every cloud architecture. Get it right, and your applications are secure, fast, and resilient. Get it wrong, and you face security vulnerabilities, performance bottlenecks, or unexpected costs.

This guide covers:

  • VPC (Virtual Private Cloud): Your private network in AWS
  • Load Balancing: Distributing traffic across servers
  • CloudFront: Delivering content globally with low latency
  • API Gateway: Managing and securing your APIs

Consider the following before designing your network: Where will users access your application from? What needs to be public vs. private? How will services communicate with each other?


VPC - Your Private Cloud Network

VPC (Virtual Private Cloud) lets you create isolated networks in AWS. Think of it as your own private data center in the cloud, complete with subnets, routing rules, and security controls.

Why VPCs matter: Without a VPC, your resources would be exposed directly to the internet. VPCs provide network isolation, allowing you to control exactly what can communicate with what.

Key VPC Concepts

Before diving in, familiarize yourself with these building blocks:

Component What It Does When to Use
Subnets Subdivide your VPC into segments Separate public/private resources
Internet Gateway Connects VPC to the internet Required for public-facing resources
NAT Gateway Lets private resources access internet (outbound only) Private servers needing updates/APIs
Security Groups Instance-level firewalls (stateful) Control traffic to/from each resource
Network ACLs Subnet-level firewalls (stateless) Additional layer of defense
Route Tables Control traffic routing Direct traffic between subnets/internet

Multi-AZ Architecture

For production workloads, spread resources across multiple Availability Zones. If one AZ fails, your application continues running in another. The diagram below shows a canonical three-tier VPC spanning two AZs, with traffic flowing inward from the internet to public, then private, then data subnets.

flowchart TB
    IGW([Internet Gateway])
    subgraph VPC["VPC 10.0.0.0/16"]
        direction LR
        subgraph AZA["Availability Zone A"]
            PubA["Public 10.0.1.0/24<br/>ALB · NAT GW"]
            PrivA["Private 10.0.10.0/24<br/>App Servers"]
            DataA["Data 10.0.100.0/24<br/>RDS Primary"]
            PubA --> PrivA --> DataA
        end
        subgraph AZB["Availability Zone B"]
            PubB["Public 10.0.2.0/24<br/>ALB · NAT GW"]
            PrivB["Private 10.0.20.0/24<br/>App Servers"]
            DataB["Data 10.0.200.0/24<br/>RDS Standby"]
            PubB --> PrivB --> DataB
        end
    end
    IGW --> PubA
    IGW --> PubB
    DataA -. "synchronous replication" .- DataB

The public subnets hold internet-facing resources (load balancers, NAT gateways). Private subnets hold application servers that reach the internet only outbound via NAT. Data subnets isolate databases with no internet route at all.

Real-world example: An e-commerce application runs web servers in public subnets (accessible from the internet) and databases in private subnets (only accessible from web servers). If AZ-A experiences an outage, traffic automatically routes to AZ-B.

VPC Best Practices

  • Use private subnets by default: Only place resources in public subnets if they must be directly accessible from the internet
  • Deploy NAT Gateways in each AZ: Prevents cross-AZ traffic charges and provides resilience
  • Use Security Groups as primary firewall: They are stateful and easier to manage than NACLs
  • Plan your CIDR blocks: Choose ranges that do not overlap with on-premises networks if you plan to connect them later

API Gateway - Managing Your APIs

API Gateway provides a managed service for creating, deploying, and securing APIs. It handles authentication, rate limiting, caching, and monitoring so you can focus on your backend logic.

When to Use API Gateway

  • REST APIs: Traditional request/response APIs for web and mobile
  • WebSocket APIs: Real-time two-way communication (chat, gaming)
  • HTTP APIs: Simpler, cheaper alternative to REST APIs

API Gateway vs Application Load Balancer

Feature API Gateway Application Load Balancer
API management Full (throttling, keys, usage plans) Basic
Cost model Per request Per hour + data
WebSocket support Yes No
Request transformation Yes No
Best for APIs needing management features Simple HTTP routing

Key API Gateway Features

Request Validation: Validate request bodies and parameters before they reach your backend:

# Create a request validator
aws apigateway create-request-validator --rest-api-id xxx \
  --name "ValidateBody" --validate-request-body

Usage Plans and API Keys: Control who can access your API and how much:

# Create a usage plan with rate limiting
aws apigateway create-usage-plan --name "BasicPlan" \
  --throttle burstLimit=100,rateLimit=50 \
  --quota limit=1000,period=DAY

Custom Authorizers: Use Lambda functions to implement custom authentication:

# Create a Lambda authorizer
aws apigateway create-authorizer --rest-api-id xxx \
  --name "JWTAuthorizer" --type TOKEN \
  --authorizer-uri "arn:aws:lambda:region:account:function:authorizer"

CloudFront - Content Delivery Network

CloudFront is AWS’s content delivery network (CDN). Instead of users fetching data from your servers in one region, CloudFront caches content at 600+ edge locations worldwide. Users get data from the nearest location, reducing latency from seconds to milliseconds.

When to Use CloudFront

  • Static assets (images, CSS, JavaScript): Immediate 10x performance boost
  • API responses that do not change frequently: Reduce origin load
  • Video streaming: Adaptive bitrate based on user connection
  • Global applications: Consistent performance worldwide

Real-world impact: A news website serving images from S3 in US-East to users in Australia saw 2-second load times. After adding CloudFront, Australian users get 200ms load times from the Sydney edge location.

CloudFront Origin Types

Origin Type Use Case Configuration
S3 bucket Static websites, media files Use Origin Access Control for security
Application Load Balancer Dynamic content from EC2/ECS Forward headers for personalization
Custom origin Any HTTP server Your on-premises or other cloud servers
Lambda@Edge Serverless at the edge Customize requests/responses globally

Setting Up CloudFront

Basic setup for S3 static website:

# Create a CloudFront distribution with S3 origin
aws cloudfront create-distribution \
  --origin-domain-name my-bucket.s3.amazonaws.com \
  --default-root-object index.html

Cache settings to consider:

  • Static assets (images, CSS, JS): Cache for 7+ days
  • Dynamic content: Cache for minutes or disable caching
  • API responses: Usually no caching, or short TTL

CloudFront Best Practices

  • Use Origin Access Control: Prevent direct S3 access; force all traffic through CloudFront
  • Enable compression: Reduces file sizes by 60-80% for text-based content
  • Use custom error pages: Provide friendly 404 and 500 error pages
  • Set up logging: Track usage patterns and troubleshoot issues
  • Invalidate wisely: Invalidations cost money; use versioned filenames instead

Load Balancing

Load balancers distribute incoming traffic across multiple targets (EC2 instances, containers, IP addresses). They improve availability by routing around failures and enable horizontal scaling.

Choosing the Right Load Balancer

Load Balancer Best For Key Features Cost
Application (ALB) Web applications, APIs Path/host routing, WebSocket, HTTP/2 Moderate
Network (NLB) High-performance, TCP/UDP Ultra-low latency, static IPs Lower
Gateway (GWLB) Security appliances Third-party firewall/IDS integration Varies
Classic Legacy applications Avoid for new projects Legacy; avoid for new projects

Recommendation: Use ALB for most web applications. Use NLB only when you need ultra-low latency or static IP addresses.

Common Load Balancer Patterns

Path-based routing (ALB): Route /api/* to API servers, /static/* to static content servers

Host-based routing (ALB): Route api.example.com to API, www.example.com to web servers

Health checks: Configure targets to be removed from rotation when unhealthy:

# Create a target group with health checks
aws elbv2 create-target-group --name my-targets \
  --protocol HTTP --port 80 --vpc-id vpc-xxx \
  --health-check-path /health --health-check-interval-seconds 30

End-to-End Request Flow

A typical request for a global web application touches several networking layers before reaching your servers:

flowchart LR
    User([User]) --> CF[CloudFront Edge]
    CF -->|cache miss| ALB[Application Load Balancer]
    ALB --> SG{Security Group}
    SG --> EC2A[App Server AZ-A]
    SG --> EC2B[App Server AZ-B]
    CF -->|cache hit| User

Cached responses return directly from the nearest edge location. Cache misses route to the origin load balancer, which checks the security group and distributes traffic to healthy targets across AZs.

Common Pitfalls

  • Single NAT Gateway: Placing one NAT Gateway for all AZs creates a single point of failure and incurs cross-AZ data transfer charges. Deploy one per AZ.
  • Overly broad security groups: 0.0.0.0/0 on port 22 (SSH) exposes instances to the entire internet. Scope inbound rules to known CIDRs or use Session Manager instead.
  • Overlapping CIDR blocks: VPCs you intend to peer (or connect to on-premises) must not overlap. Plan address space before creation.
  • Forgetting CloudFront invalidation costs: Frequent /* invalidations add up. Use versioned object names (app.v2.js) so the CDN caches forever.

Key Takeaways

  • VPC means network isolation. Public subnets for internet-facing resources, private for app tiers, data subnets with no internet route for databases.
  • Multi-AZ by default. Spread subnets and NAT gateways across at least two AZs so a single data center failure does not take you offline.
  • ALB for HTTP, NLB for speed. Use Application Load Balancers for path/host routing; reach for Network Load Balancers only when you need ultra-low latency or static IPs.
  • CloudFront cuts latency. Serve static assets from edge locations and force origin access through Origin Access Control to keep S3 buckets private.

See Also