Blog 1- AWS Cloud Networking Foundational Concepts

Disclaimer: the content of this blog is solely based on my personal view/experience, and it is not a company or someone else’s view. The content is intended for educational purposes only, and it is not an official whitepaper or best-practices document. Therefore, you must always refer to the official and latest AWS documentation before applying anything discussed in this blog series in any AWS environment.

In this first blog of the blog series “AWS Cloud Networking – Zero to Hero”, the focus will be on the foundational concepts that collectively construct a functional Virtual Private Cloud, aka VPC.

A VPC is a logical object that hosts and isolates the various cloud elements that belong to a tenant/account.

“Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.”

Nonetheless, before we jump into the details of the networking elements inside a VPC, let’s zoom out and look at the big picture, starting from the overall AWS global infrastructure and how/where a VPC fits into it.

At the time of this blog writing, AWS global infrastructure spans 69 Availability Zones within 22 geographic regions around the world, and has announced plans for sixteen more Availability Zones and five more AWS Regions in Indonesia, Italy, Japan, South Africa, and Spain.

Every data center, AZ, and AWS Region is interconnected via a purpose-built, highly available, and low-latency private global network infrastructure. The network is built on a global, fully redundant, parallel 100 GbE metro fiber network that is linked via trans-oceanic cables across the Atlantic, Pacific, and Indian Oceans, as well as the Mediterranean, Red Sea, and South China Seas.

What is meant by a Region and Availability Zone (AZ) in the above paragraph?

A Region is a geographic area from which AWS delivers its cloud services. Regions are distributed worldwide and are independent of each other. This is mainly to provide failure-domain isolation, to achieve the greatest possible level of fault tolerance and stability: a complete failure of one Region should not have an impact on any other Region. As a result, any application, service, or data created in a Region stays in that Region unless it is intentionally moved, or configured to replicate/copy, to other Region(s).

If we zoom in a bit to see what a Region physically consists of, as illustrated in the figure below, a Region contains two or more logical zones referred to as Availability Zones (AZs). Think of each AZ as a single physical failure domain. Each AZ may consist of one or more physical data centers, and all of these data centers are interconnected over high-speed, redundant fiber links.

For more info:

Taking the above into consideration, where does a VPC fit in this global infrastructure?

A VPC resides in a single Region (you can have many VPCs in one Region or across multiple Regions) and takes advantage of the Availability Zones in that Region: applications can be designed to be partitioned across AZs to achieve better availability, because they are then isolated and protected from issues such as power outages, lightning strikes, tornadoes, or earthquakes that occur at the level of a single AZ.

From an IP communication point of view, a VPC can have multiple Classless Inter-Domain Routing (CIDR) blocks. Each CIDR block is then divided into smaller IP ranges (subnets), and each subnet must be associated with exactly one AZ. In other words, within a VPC you have separate IP subnets per AZ. This is important to take into consideration when you design your application or plan to migrate an on-premises application, because an IP subnet is never extended across AZs.


IP addressing can be IPv4 only, or both IPv4 and IPv6 (dual stack). This means that, at the time of writing, if we need IPv6 we must still have IPv4 enabled, because IPv4 is used by AWS services within and outside the VPC. It also implies that you need to allocate IPv4 range(s) large enough to scale with the IPv6 range you plan to utilize within the VPC, since every dual-stack host still consumes an IPv4 address.
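To make the subnet-per-AZ rule and the dual-stack sizing point concrete, here is an added example (my own illustration, not code from the original post or from AWS) that plans one subnet per AZ inside a VPC, pairs each with an IPv6 /64 when the VPC is dual-stack, and shows which AZ a given address is pinned to. The prefix limits (/16 to /28 for IPv4) and the five addresses AWS reserves in every subnet are documented AWS behaviour; the AZ names and CIDR blocks in the usage section are constructed inputs.

```python
"""Added example, not code from the original post: plan one subnet per
Availability Zone inside a VPC and pair each with an IPv6 /64 when the VPC
is dual-stack.  The constraints encoded below are documented AWS limits;
the AZ names and CIDR blocks used at the bottom are constructed inputs."""
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from itertools import islice
from typing import Optional

VPC_MIN_PREFIX, VPC_MAX_PREFIX = 16, 28   # allowed IPv4 VPC/subnet prefix range
RESERVED_PER_SUBNET = 5                   # first four + last address reserved by AWS
IPV6_SUBNET_PREFIX = 64                   # IPv6 subnets are always /64


def plan_subnets(vpc_v4: str, azs: list, subnet_prefix: int,
                 vpc_v6: Optional[str] = None) -> list:
    """Return one {'az', 'ipv4', 'usable_ipv4'[, 'ipv6']} entry per AZ.

    Ranges are handed out in order, one per AZ, so two AZs never share a
    subnet: this is the "subnet is not extended across AZs" rule in practice.
    """
    v4 = ip_network(vpc_v4, strict=True)
    if not isinstance(v4, IPv4Network):
        raise ValueError("VPC CIDR must be IPv4; IPv6 is added as a second block")
    if not VPC_MIN_PREFIX <= v4.prefixlen <= VPC_MAX_PREFIX:
        raise ValueError(f"VPC IPv4 block must be /16../28, got /{v4.prefixlen}")
    if not v4.prefixlen <= subnet_prefix <= VPC_MAX_PREFIX:
        raise ValueError(f"subnet prefix must be /{v4.prefixlen}../28, got /{subnet_prefix}")
    available = 2 ** (subnet_prefix - v4.prefixlen)
    if len(azs) > available:
        raise ValueError(f"{vpc_v4} yields only {available} /{subnet_prefix} subnets for {len(azs)} AZs")

    v6_pool = None
    if vpc_v6 is not None:
        v6 = ip_network(vpc_v6, strict=True)
        if not isinstance(v6, IPv6Network) or v6.prefixlen > IPV6_SUBNET_PREFIX:
            raise ValueError("IPv6 VPC block must be an IPv6 prefix no longer than /64")
        v6_pool = v6.subnets(new_prefix=IPV6_SUBNET_PREFIX)

    plan = []
    for az, net in zip(azs, islice(v4.subnets(new_prefix=subnet_prefix), len(azs))):
        entry = {"az": az, "ipv4": str(net),
                 "usable_ipv4": net.num_addresses - RESERVED_PER_SUBNET}
        if v6_pool is not None:
            entry["ipv6"] = str(next(v6_pool))
        plan.append(entry)
    return plan


def locate_az(plan: list, address: str) -> Optional[str]:
    """Which AZ an address is pinned to, or None if it lies outside every
    planned subnet.  An instance launched in AZ X can only take an address
    from a subnet mapped to X, so an on-premises design that assumes one
    segment stretched across sites does not carry over."""
    ip = ip_address(address)
    for entry in plan:
        for key in ("ipv4", "ipv6"):
            if key in entry and ip in ip_network(entry[key]):
                return entry["az"]
    return None


def ipv4_prefix_for(hosts: int) -> int:
    """Smallest subnet (numerically largest prefix) that still leaves room
    for `hosts` usable IPv4 addresses after AWS's reserved five.  Because
    every dual-stack host still needs an IPv4 address, the IPv4 side, not
    the /64, is the binding capacity limit; size it for the whole fleet."""
    for prefix in range(VPC_MAX_PREFIX, VPC_MIN_PREFIX - 1, -1):
        if 2 ** (32 - prefix) - RESERVED_PER_SUBNET >= hosts:
            return prefix
    raise ValueError(f"{hosts} hosts do not fit in a single /16 subnet")


if __name__ == "__main__":
    # Constructed inputs: a /16 VPC with a /56 IPv6 block (documentation prefix)
    azs = ["us-east-1a", "us-east-1b", "us-east-1c"]
    for entry in plan_subnets("10.0.0.0/16", azs, 24, "2001:db8:0:100::/56"):
        print(entry)
    print("10.0.1.77 lives in", locate_az(plan_subnets("10.0.0.0/16", azs, 24), "10.0.1.77"))
    print("250 dual-stack hosts need an IPv4 /%d" % ipv4_prefix_for(250))
```

The point of `ipv4_prefix_for` is the sizing caveat from the paragraph above: a /64 gives each subnet effectively unlimited IPv6 addresses, but a /24 IPv4 subnet still caps that AZ at 251 hosts, so the IPv4 plan is what has to grow with the fleet.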

“Although Amazon VPC uses many traditional concepts, like subnets, IP addresses, and stateful firewalls, the underlying Amazon VPC mechanics differ from the composition of standard, on-premises networking infrastructures. AWS built a custom network environment that satisfies the scale, performance, flexibility, and security requirements of the millions of active customers who use AWS each day.

Tenant isolation is a core function of Amazon VPC. In order to understand which resources are part of a given VPC, Amazon VPC uses a mapping service. The mapping service abstracts your VPC from the underlying AWS infrastructure. For any given VPC, the mapping service maintains information about all of its resources, their VPC IP addresses, and the IP addresses of the underlying physical server on which the resource is running. It is the definitive source of topology information for each VPC.”

One of the interesting custom AWS systems that enables several AWS networking services to function at scale, such as NAT Gateway, Network Load Balancer, Elastic Network Interface, Transit Gateway, etc., is AWS Hyperplane. Refer to the AWS re:Invent session below for some insight into AWS Hyperplane.

Now that we have a good understanding of the big picture of the AWS global infrastructure and where a VPC fits in this picture, the next blog will take this a step further and zoom into the fundamentals of VPC networking.


Note: you may hear of a new term, “AWS Local Zone”. AWS Local Zones are a new type of AWS infrastructure deployment that places AWS compute, storage, database, and other select services closer to large population, industry, and IT centers where no AWS Region exists today. This helps keep the latency-sensitive portions of applications local to end users and resources in a specific geography, delivering single-digit-millisecond latency for use cases such as media and entertainment content creation, real-time gaming, reservoir simulations, electronic design automation, and machine learning. Each AWS Local Zone location is an extension of an AWS Region in which you can run your latency-sensitive applications.

The Los Angeles AWS Local Zone is generally available and you can expect more Local Zones to come.



AWS Certified Advanced Networking Official Study Guide

Marwan Al-shawi – CCDE No. 20130066, Google Cloud Certified Architect, AWS Certified Solutions Architect, Cisco Press author (author of the top Cisco certification design books “CCDE Study Guide” and the upcoming “CCDP Arch 4th Edition”). He is an experienced technical architect. Marwan has been in the networking industry for more than 12 years and has been involved in architecting, designing, and implementing various large-scale networks, some of which are global service-provider-grade networks. Marwan holds a Master of Science degree in internetworking from the University of Technology, Sydney. Marwan enjoys helping and assessing others; therefore, he was selected as a Cisco Designated VIP by the Cisco Support Community (CSC) (official Cisco Systems forums) in 2012, and by the Solutions and Architectures subcommunity in 2014. In addition, Marwan was selected as a member of the Cisco Champions program in 2015 and 2016.