ACO Module 7 – Networking · Interactive Trainer

VPC · Subnets · Routing · Connectivity · Security Layers · Troubleshooting · CloudFormation · Quiz

Cloud Ops / SysOps Hands-on Networking

Cloud VPC Playground

Goal: “see” how an AWS VPC hangs together by clicking its components and switching tabs per topic.

[Interactive VPC diagram. Internet at the top. Region: ap-southeast-1 (Singapore). VPC 10.0.0.0/16 (isolated virtual network) containing Public Subnet A 10.0.1.0/24, Private App Subnet B 10.0.2.0/24, Private DB Subnet C 10.0.3.0/24 and a Shared Services block. Legend: internet-facing / public path, private internal resources, security controls. Each component (IGW, NAT, EC2, RDS, SG, endpoint) shows how traffic flows through it and which exam concepts it maps to.]

Big picture: A VPC is your private datacenter inside AWS.

  • Choose a CIDR range (for example, 10.0.0.0/16).
  • Split it into subnets, one per AZ for each tier (public & private).
  • Attach an Internet Gateway (one per VPC) for public access.
  • Use a NAT Gateway so private instances can reach the internet but stay unreachable from it.
  • Layer security: route tables → NACLs → security groups → OS firewall.

In SysOps / exams, almost every troubleshooting question is some variation of: “Which combination of subnet, route, SG, NACL, and gateway is missing?”

VPC & IP addressing:

  • A VPC is logically isolated per account and Region.
  • Use private IP ranges (RFC 1918). Avoid overlapping CIDRs across VPCs and on-prem networks; otherwise peering and VPN routes become ambiguous.
  • A subnet must lie inside the VPC range, be sized between /16 and /28, and is tied to exactly one AZ.
  • AWS reserves 5 IPs per subnet: the first four (network address, VPC router, DNS, future use) and the last (broadcast, reserved even though VPCs do not support broadcast). A /24 therefore has 251 usable addresses, not 254.

Tip: exam loves to ask why you “lost IPs” inside a subnet.
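An added Python example (not from the trainer) that puts numbers on the points above: it lists the five reserved addresses of a subnet, counts usable hosts, and checks a proposed layout for subnets outside the VPC range, subnets that overlap each other, VPC CIDRs that collide with a peer or on-prem range, and block sizes outside the /16–/28 limit. The VPC and subnet CIDRs are the ones in the diagram; the on-prem range and the function names are this example's own.

```python
"""Subnet sizing and overlap checks for the VPC on this page.

Added example, not part of the trainer. Standard library only; the VPC and
subnet CIDRs come from the diagram, the peer/on-prem ranges are constructed.
"""
from ipaddress import ip_network


def reserved_addresses(subnet_cidr):
    """The five addresses AWS takes from every subnet: first four and last."""
    net = ip_network(subnet_cidr)
    return {
        "network": str(net[0]),
        "vpc_router": str(net[1]),
        "dns": str(net[2]),
        "future_use": str(net[3]),
        "broadcast": str(net[-1]),   # reserved although VPCs carry no broadcast
    }


def usable_hosts(subnet_cidr):
    """Addresses you can actually assign to ENIs in the subnet."""
    return ip_network(subnet_cidr).num_addresses - 5


def validate_layout(vpc_cidr, subnet_cidrs, foreign_cidrs=()):
    """Return a list of layout problems (empty list means the plan is sound).

    foreign_cidrs are ranges this VPC will be peered or VPN-connected to;
    any overlap with them makes the returned routes ambiguous.
    """
    vpc = ip_network(vpc_cidr)
    problems = []
    if not 16 <= vpc.prefixlen <= 28:
        problems.append(f"VPC {vpc} must be between /16 and /28")
    subnets = [ip_network(c) for c in subnet_cidrs]
    for s in subnets:
        if not s.subnet_of(vpc):
            problems.append(f"subnet {s} is outside VPC {vpc}")
        if not 16 <= s.prefixlen <= 28:
            problems.append(f"subnet {s} must be between /16 and /28")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnet {a} overlaps subnet {b}")
    for f in foreign_cidrs:
        if vpc.overlaps(ip_network(f)):
            problems.append(f"VPC {vpc} overlaps peer/on-prem range {f}")
    return problems


if __name__ == "__main__":
    # the diagram's layout: clean
    print(validate_layout("10.0.0.0/16",
                          ["10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]))
    # a broken plan: subnet outside the VPC, two subnets overlapping, and a
    # constructed on-prem range 10.0.0.0/8 that swallows the whole VPC
    print(validate_layout("10.0.0.0/16",
                          ["10.0.1.0/24", "10.0.1.128/25", "192.168.1.0/24"],
                          foreign_cidrs=["10.0.0.0/8"]))
    print(usable_hosts("10.0.1.0/24"), reserved_addresses("10.0.1.0/24"))
```

`subnet_of` and `overlaps` come from the standard `ipaddress` module, so the same checks can be dropped into a pre-deployment script that reads CIDRs from a CloudFormation parameter file.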

Public vs Private is about routes, not names.

  • Public subnet ⇒ route table has 0.0.0.0/0 → IGW (an instance there still needs a public IPv4 / EIP to be reachable).
  • Private subnet (outbound only) ⇒ 0.0.0.0/0 → NAT Gateway, which itself sits in a public subnet.
  • Isolated subnet ⇒ no default route to IGW or NAT.
  • Attach the correct route table to the correct subnet; a subnet with no explicit association silently uses the VPC's main route table.

Common exam trap: they give you a “public” subnet with no IGW route. It’s actually private.
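The route-based definition above, as an added Python example that is not part of the trainer: it resolves the route table a subnet actually uses (falling back to the main table when there is no explicit association), classifies the subnet from its default route, and shows the longest-prefix-match lookup the VPC router performs, so that a more specific route to a peering connection does not change the public/private verdict. Route table contents, subnet IDs and targets such as igw-1 and pcx-1 are constructed placeholders.

```python
"""Classify subnets as public / private / isolated from routes alone.

Added example, not from the trainer. The tables below are constructed
stand-ins for describe-route-tables output; IDs are placeholders.
"""
from ipaddress import ip_address, ip_network

ROUTE_TABLES = {  # route table id -> {destination CIDR: target}
    "rtb-main":    {"10.0.0.0/16": "local"},                       # no default route
    "rtb-public":  {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-1"},
    "rtb-private": {"10.0.0.0/16": "local", "0.0.0.0/0": "nat-1",
                    "172.16.0.0/12": "pcx-1"},                      # peered VPC
}

ASSOCIATIONS = {  # subnet id -> explicitly associated route table
    "subnet-a": "rtb-public",
    "subnet-b": "rtb-private",
    # "subnet-c" is the exam trap: labelled "public" in the console, but it
    # has no explicit association and so inherits rtb-main (no IGW route).
}


def route_table_for(subnet_id, associations=ASSOCIATIONS, main="rtb-main"):
    """A subnet without an explicit association uses the VPC's main table."""
    return associations.get(subnet_id, main)


def lookup(routes, dst_ip):
    """Longest-prefix match: the most specific matching route wins, so a
    /12 peering route beats 0.0.0.0/0 for addresses inside that /12."""
    best = None
    for dest, target in routes.items():
        net = ip_network(dest)
        if ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def classify(subnet_id, route_tables=ROUTE_TABLES, associations=ASSOCIATIONS):
    """Public, private or isolated, decided only by the default route's target."""
    routes = route_tables[route_table_for(subnet_id, associations)]
    default = routes.get("0.0.0.0/0")
    if default is None:
        return "isolated"
    if default.startswith("igw-"):
        return "public"
    if default.startswith("nat-"):
        return "private (outbound via NAT)"
    return f"private (default route -> {default})"


if __name__ == "__main__":
    for s in ("subnet-a", "subnet-b", "subnet-c"):
        print(s, "->", classify(s))
    print(lookup(ROUTE_TABLES["rtb-private"], "172.16.5.9"))   # pcx-1, not nat-1
    print(lookup(ROUTE_TABLES["rtb-private"], "8.8.8.8"))      # nat-1
```

Note that subnet-b stays "private" even though part of its traffic leaves through the peering connection; only the 0.0.0.0/0 target decides the label.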

Connectivity “if…then…” map:

  • If private subnet → internet (outbound only) ⇒ use NAT Gateway.
  • If VPC ↔ VPC ⇒ VPC Peering (CIDRs must not overlap; peering is not transitive, so A↔B plus B↔C does not give A↔C).
  • If many VPCs + on-prem ⇒ Transit Gateway (hub-and-spoke, transitive routing).
  • If on-prem ↔ VPC ⇒ Site-to-Site VPN or Direct Connect (+ VPN over it for encryption or as a backup path).
  • If to S3/DynamoDB without the public internet ⇒ Gateway endpoint (a route-table entry for the service prefix list, no ENI).
  • If to a specific AWS service/API privately ⇒ Interface endpoint (PrivateLink: an ENI with a private IP in your subnet, protected by a security group).

Layered network defense:

  • Route tables – where traffic is even allowed to try to go.
  • NACLs – stateless allow/deny at subnet level, evaluated in rule-number order with an implicit deny-all at the end.
  • Security groups – stateful, allow-only rules on ENIs/instances; all rules are evaluated, there is no ordering.
  • Host controls – OS firewall, agents, IDS/IPS.

Rule of thumb: if either direction of a flow is blocked by a NACL, the flow fails, so an inbound allow for port 22 also needs an outbound allow for the ephemeral reply ports (1024–65535). SGs remember state for you: one inbound rule admits both the request and its reply.

Standard “cannot connect” checklist:

  1. Is the instance / RDS actually up and healthy?
  2. Correct security group inbound rules (port, protocol, source CIDR)?
  3. NACL not blocking required ports (in & out)?
  4. Route table has correct route to IGW / NAT / peering / TGW?
  5. For internet traffic: public IP/EIP? IGW attached to VPC?
  6. For peering: both sides added routes and allowed each other in SG/NACL?

In SysOps scenarios, you can nearly always eliminate options by asking “which layer is missing?”

CloudFormation view: each component in the VPC diagram maps to a short CloudFormation snippet (the deployable resource plus the attachment or association that wires it into the VPC).

# Example: VPC + Internet Gateway + attachment.
# An IGW does nothing until it is attached, and a 0.0.0.0/0 route pointing at
# it must DependsOn: AttachGateway or stack creation can fail.
Resources:
  VPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true   # needed for public DNS names on instances with public IPs

  InternetGateway:
    Type: AWS::EC2::InternetGateway

  AttachGateway:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VPC
      InternetGatewayId: !Ref InternetGateway
💡 Tip: You can paste these snippets into a larger template with Parameters and Outputs for a full CA2 / SysOps lab.

Quick Networking Quiz

1. What actually makes a subnet “public” in AWS?

2. A private EC2 instance needs OS updates from internet but must stay private. Best design?

3. Which is a limitation of VPC peering?

4. You create a gateway VPC endpoint for Amazon S3. What happens to S3 traffic?

5. Students cannot SSH to a lab EC2 instance in a public subnet. Instance is running and has a public IP. Which 2 checks come first?

6. You want hundreds of VPCs and on-prem networks to share connectivity through a central hub. Which service is designed for this?


Use this as a warm-up before PoliteMall quiz / CA2.

Network Troubleshooting Flow

Follow this when “it doesn’t work”

SysOps Troubleshooting Flow (SSH / HTTP)

  1. Instance & health
     Is the EC2/RDS running? Status checks passed? Correct AZ & subnet?

  2. Security group
     Inbound allows the correct port (22/80/443/3306), protocol, and source (your IP / ALB SG / app SG).

  3. NACL
     Stateless! Check both inbound & outbound, including the ephemeral reply ports (1024–65535). Avoid a “deny all” rule catching valid traffic.

  4. Routes & gateways
     Public subnet has 0.0.0.0/0 → IGW? Private subnet to NAT? Peering / TGW routes on both sides?

  5. Name resolution & misc
     Correct DNS name, key pair / password, user (ec2-user, ubuntu, etc.) and client-side firewall?

💡 Exam hack: If the request arrives but the reply never comes back, think NACL (stateless, outbound ephemeral ports) or asymmetric routing. If nothing gets in at all, think SG and route table first.
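The layered-defence model, the “cannot connect” checklist and this troubleshooting flow, as one added Python example (not part of the trainer): it walks the checklist over a small model of a VPC and reports the first layer that fails. The NACL evaluator is stateless and ordered, the security-group evaluator is stateful and allow-only, and the constructed lab model reproduces the classic mistake of mirroring the inbound NACL rule outbound, so SSH replies on ephemeral ports never leave. All records, resource IDs (igw-1, sg-web, acl-a) and helper names are this example's own stand-ins for what the EC2 API returns.

```python
"""Walk the 'cannot connect' checklist over a small model of a VPC.

Added example, not part of the trainer page. The instance, subnet, route
table, NACL and security group records are constructed stand-ins for what
the EC2 API returns; resource IDs and helper names are this example's own.
"""
import copy
from ipaddress import ip_address, ip_network

# Replies go to the client's ephemeral source port; AWS recommends allowing
# 1024-65535 outbound on the NACL. Three representative ports are probed.
EPHEMERAL_SAMPLE = (1024, 32768, 65535)


def _match(rule, proto, port, peer_ip):
    """True when a rule covers this protocol, destination port and peer."""
    return (rule["proto"] in ("-1", proto)
            and rule["from"] <= port <= rule["to"]
            and ip_address(peer_ip) in ip_network(rule["cidr"]))


def nacl_allows(rules, proto, port, peer_ip):
    """NACLs are stateless: rules run in ascending number order, the first
    match decides, and an implicit final rule denies everything else."""
    for rule in sorted(rules, key=lambda r: r["num"]):
        if _match(rule, proto, port, peer_ip):
            return rule["action"] == "allow"
    return False


def sg_allows(rules, proto, port, peer_ip):
    """Security groups are stateful and allow-only: one matching inbound rule
    admits the request and its reply, whatever the outbound rules say."""
    return any(_match(r, proto, port, peer_ip) for r in rules)


def diagnose(model, instance_id, client_ip, port, proto="tcp"):
    """Return the first checklist layer that fails, or 'ok'."""
    inst = model["instances"][instance_id]
    if inst["state"] != "running":                                       # 1. health
        return "instance not running / status checks failing"
    if not sg_allows(model["sgs"][inst["sg"]], proto, port, client_ip):  # 2. SG
        return f"security group: no inbound {proto}/{port} from {client_ip}"
    subnet = model["subnets"][inst["subnet"]]
    nacl = model["nacls"][subnet["nacl"]]
    if not nacl_allows(nacl["inbound"], proto, port, client_ip):         # 3. NACL in
        return f"nacl: inbound {proto}/{port} denied"
    for p in EPHEMERAL_SAMPLE:                                           # 3. NACL out
        if not nacl_allows(nacl["outbound"], proto, p, client_ip):
            return f"nacl: outbound reply on ephemeral port {p} denied"
    if ip_address(client_ip) not in ip_network(model["vpc_cidr"]):       # 4./5. routes
        default = model["route_tables"][subnet["rt"]].get("0.0.0.0/0", "")
        if not default.startswith("igw-"):
            return "route: no 0.0.0.0/0 -> igw, so the subnet is not actually public"
        if not model["igw_attached"]:
            return "internet gateway not attached to the VPC"
        if not inst.get("public_ip"):
            return "instance has no public IPv4 address / EIP"
    return "ok"


MODEL = {  # constructed lab VPC shaped like the diagram on this page
    "vpc_cidr": "10.0.0.0/16",
    "igw_attached": True,
    "instances": {"i-web": {"state": "running", "subnet": "subnet-a",
                            "sg": "sg-web", "public_ip": "203.0.113.10"}},
    "subnets": {"subnet-a": {"nacl": "acl-a", "rt": "rtb-public"}},
    "route_tables": {"rtb-public": {"10.0.0.0/16": "local", "0.0.0.0/0": "igw-1"}},
    "sgs": {"sg-web": [{"proto": "tcp", "from": 22, "to": 22, "cidr": "198.51.100.0/24"}]},
    "nacls": {"acl-a": {
        "inbound": [{"num": 100, "proto": "tcp", "from": 22, "to": 22,
                     "cidr": "0.0.0.0/0", "action": "allow"}],
        # the classic mistake: outbound mirrors inbound, but SSH replies are
        # addressed to the client's ephemeral port, not to port 22
        "outbound": [{"num": 100, "proto": "tcp", "from": 22, "to": 22,
                      "cidr": "0.0.0.0/0", "action": "allow"}],
    }},
}


def fixed_model():
    """MODEL with the outbound NACL opened for the ephemeral reply ports."""
    m = copy.deepcopy(MODEL)
    m["nacls"]["acl-a"]["outbound"].append(
        {"num": 110, "proto": "tcp", "from": 1024, "to": 65535,
         "cidr": "0.0.0.0/0", "action": "allow"})
    return m


if __name__ == "__main__":
    print(diagnose(MODEL, "i-web", "198.51.100.7", 22))          # NACL outbound failure
    print(diagnose(fixed_model(), "i-web", "198.51.100.7", 22))  # ok
    print(diagnose(fixed_model(), "i-web", "192.0.2.5", 22))     # SG failure
```

The order of the checks is the order of the flow above: a failure at the security group is reported before the NACL is even consulted, which is also the cheapest order to test by hand in the console.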