examhub.cc: The most efficient path to the most valuable certifications.

Network Services (VPC, Route 53, CloudFront, VPN, Direct Connect)

4,120 words · ≈ 21 min read

What Are AWS Network Services?

AWS network services connect workloads running on AWS to each other, to users, and to on-premises datacenters using a global, software-defined network built on top of the AWS backbone. The core AWS network services you must know for CLF-C02 Task 3.5 are Amazon VPC, Route 53, CloudFront, AWS Global Accelerator, AWS Direct Connect, AWS Site-to-Site VPN, AWS Client VPN, and AWS Transit Gateway. Together, these AWS network services replace the traditional physical switches, routers, firewalls, load balancers, CDNs, and MPLS circuits that you would otherwise buy, rack, cable, and operate in a datacenter.

The AWS CLF-C02 exam guide lists AWS network services under Domain 3 (Cloud Technology and Services, 34% weight), so the ability to identify the right AWS network services for a given scenario is mission-critical. You are not expected to configure an Amazon VPC route table byte-by-byte, but you must be able to say which AWS network services solve which problem: isolation (Amazon VPC), DNS (Route 53), global content delivery (CloudFront), static-IP TCP/UDP acceleration (Global Accelerator), private hybrid links (Direct Connect), encrypted internet tunnels (VPN), and multi-VPC hubs (Transit Gateway). This topic combines networking concepts with AWS service names, and candidates consistently rank the AWS network services domain at 0.70 difficulty — notably higher than AWS compute or database services.

Because AWS network services are the plumbing that every other AWS service rides on, understanding Amazon VPC, Route 53, CloudFront, Direct Connect, and VPN also unlocks later certifications such as SAA-C03 and ANS-C01. Invest the time now: every hour you spend on AWS network services pays dividends across the rest of your AWS learning path.

Plain-Language Explanation: AWS Network Services

AWS network services look complicated at first glance, but three everyday analogies are enough to make the roles of Amazon VPC, Route 53, CloudFront, Direct Connect, and VPN clear.

Analogy 1 — The Shopping Mall (Amazon VPC and Subnets)

Think of Amazon VPC as renting a shopping mall inside the AWS Region. The entire mall is your Amazon VPC. Inside the mall you carve out zones: a public food court facing the parking lot (public subnet with an Internet Gateway), and a locked staff-only stockroom in the back (private subnet with no Internet Gateway). Security Groups are the bouncers standing at each shop door, checking ID both ways and remembering who they let in (stateful). NACLs are the traffic signs and lane markings painted on the mall corridors — they apply to every floor tile regardless of who is walking (stateless, subnet-level). VPC Peering is a covered walkway between your mall and a partner mall across the street: you can walk between the two, but you cannot use that walkway to reach a third mall three blocks away. Transit Gateway is the central bus terminal that every mall in the city connects to — one ride gets you anywhere on the network.

Analogy 2 — The Postal System (Route 53 and CloudFront)

Route 53 is the post office address book: when someone types examhub.cc, Route 53 looks up the address and tells the sender where to deliver the envelope. Route 53 routing policies are like the post office deciding which sorting depot to use — simple (one address), weighted (split mail 80/20 between two warehouses for A/B testing), latency (ship from the nearest depot), failover (if the primary warehouse is on fire, reroute to the backup), and geolocation (Asian customers get Tokyo depot, European customers get Dublin depot). CloudFront is the chain of local 7-Eleven stores that pre-stock popular items. Instead of the customer waiting for a delivery truck from a central Amazon warehouse, they walk two blocks to grab a cold drink from the nearest edge location. Signed URLs are like numbered ticket stubs — only the customer holding the stub can claim the item at the counter.

Analogy 3 — The Phone Line to Headquarters (Direct Connect vs VPN)

Your on-premises datacenter is the branch office; the AWS Region is headquarters. AWS Site-to-Site VPN is a regular internet phone call with a scrambler — cheap, quick to set up, works anywhere, but voice quality fluctuates because you are sharing the public phone network. AWS Direct Connect is a dedicated leased line pulled directly from your branch office to headquarters — expensive, weeks to install, but the bandwidth and latency are contractually guaranteed because no one else is on the wire. AWS Client VPN is your employee-issued VPN software that any laptop can use to call into headquarters from a Starbucks. AWS Global Accelerator is the corporate toll-free number: no matter where you dial from, the call is instantly routed onto the AWS private phone backbone and delivered fast to the right internal extension.

With these three analogies — the shopping mall, the postal system, and the phone line — you now have a mental map covering every AWS network services component that CLF-C02 can test.

Core Operating Principles — Why Amazon VPC Is the Foundation

Every other AWS network services component is built on or plugs into Amazon VPC, so understanding Amazon VPC first is non-negotiable. An Amazon VPC is a logically isolated virtual network that you define inside an AWS Region. You choose the IPv4 CIDR block (for example 10.0.0.0/16), carve it into subnets, attach gateways, and set routing rules. No other AWS customer can see into your Amazon VPC unless you explicitly allow it through peering, Transit Gateway, PrivateLink, or a VPN.

Subnets: Public vs Private

A subnet is a slice of your Amazon VPC CIDR that lives in exactly one Availability Zone. A public subnet has a route table entry sending 0.0.0.0/0 to an Internet Gateway (IGW); instances here can reach the internet and be reached from the internet (if they have a public IP). A private subnet has no IGW route; instances here can only talk to the internet indirectly via a NAT Gateway in a public subnet. Route 53 inbound/outbound resolvers, VPC endpoints, and RDS Multi-AZ replicas typically live in private subnets.

Route Tables, Internet Gateway, and NAT Gateway

Route tables decide where traffic goes. Every subnet is associated with exactly one route table. The Internet Gateway is a horizontally scaled, redundant VPC component that provides internet access to public subnets — one per Amazon VPC. The NAT Gateway is a managed service that lets instances in a private subnet initiate outbound internet connections (for example, downloading patches) without accepting inbound connections. NAT Gateway is zonal, so deploy one per AZ for high availability.

Security Groups vs NACLs — The Most Tested Trap

Security Groups and NACLs both filter traffic, but they work at different layers and behave differently. Security Groups live at the instance level, are stateful (return traffic is automatically allowed), support allow rules only, and default-deny inbound / default-allow outbound. NACLs live at the subnet level, are stateless (return traffic must be explicitly allowed), support allow AND deny rules, are evaluated in numbered order, and default-allow all traffic in the default NACL. Confusing these two is the number-one AWS network services trap on CLF-C02.

Security Group — A Security Group is a stateful virtual firewall for your EC2 instance, ENI, RDS instance, or Lambda function attached to an Amazon VPC. It supports allow rules only and automatically permits return traffic for any allowed connection. Security Groups are the primary Amazon VPC network security control. Reference: https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html
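The stateful/stateless difference is easiest to see by running a request and its reply through both filters. The following is an added example written for this note, not AWS code: a toy model of a Security Group (stateful, allow-only) and a Network ACL (stateless, numbered rules, first match wins, implicit final deny). The addresses, rule tuples and the ephemeral port range are constructed for illustration.

```python
"""Toy model of the two Amazon VPC traffic filters: a stateful, allow-only
Security Group and a stateless, ordered Network ACL. Constructed example,
not AWS code; rule tuples and addresses are illustrative."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" to, or "outbound" from, the protected resource
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def remote_ip(self):
        return self.src if self.direction == "inbound" else self.dst

    def flow_key(self):
        # (remote address, remote port, local port): identical for a request and
        # its reply, which is how a stateful filter recognises return traffic.
        if self.direction == "inbound":
            return (self.src, self.sport, self.dport)
        return (self.dst, self.dport, self.sport)


def in_cidr(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


@dataclass
class SecurityGroup:
    """Stateful and allow-only: rules are (proto, port_from, port_to, cidr)."""
    inbound: list
    outbound: list
    _flows: set = field(default_factory=set)

    def allows(self, pkt):
        if pkt.flow_key() in self._flows:
            return True                          # reply to a tracked connection
        rules = self.inbound if pkt.direction == "inbound" else self.outbound
        for proto, lo, hi, cidr in rules:
            if proto == pkt.proto and lo <= pkt.dport <= hi and in_cidr(pkt.remote_ip(), cidr):
                self._flows.add(pkt.flow_key())  # remember it so the reply passes
                return True
        return False                             # no deny rules exist; unmatched = dropped


@dataclass
class NetworkAcl:
    """Stateless: rules are (rule_no, action, proto, port_from, port_to, cidr),
    evaluated lowest number first; the implicit final '*' rule denies."""
    inbound: list
    outbound: list

    def allows(self, pkt):
        rules = self.inbound if pkt.direction == "inbound" else self.outbound
        for _no, action, proto, lo, hi, cidr in sorted(rules):
            if proto in (pkt.proto, "all") and lo <= pkt.dport <= hi and in_cidr(pkt.remote_ip(), cidr):
                return action == "allow"
        return False


def evaluate(filters, packets):
    """Apply every filter to each packet; returns a list of (packet, passed)."""
    return [(p, all(f.allows(p) for f in filters)) for p in packets]


# Constructed HTTPS exchange: client 203.0.113.10 talks to web server 10.0.1.5.
REQUEST = Packet("inbound", "203.0.113.10", 51234, "10.0.1.5", 443)
REPLY = Packet("outbound", "10.0.1.5", 443, "203.0.113.10", 51234)
BLOCKED_CLIENT = Packet("inbound", "198.51.100.7", 40000, "10.0.1.5", 443)


def security_group_demo():
    # No outbound rule at all, yet the reply is still permitted (stateful).
    sg = SecurityGroup(inbound=[("tcp", 443, 443, "0.0.0.0/0")], outbound=[])
    return [ok for _, ok in evaluate([sg], [REQUEST, REPLY])]


def nacl_demo(outbound_rules):
    nacl = NetworkAcl(inbound=[(100, "allow", "tcp", 443, 443, "0.0.0.0/0")],
                      outbound=outbound_rules)
    return [ok for _, ok in evaluate([nacl], [REQUEST, REPLY])]


def nacl_deny_order_demo(deny_rule_no):
    """A deny rule only bites if its number is lower than the matching allow."""
    nacl = NetworkAcl(
        inbound=[(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
                 (deny_rule_no, "deny", "tcp", 443, 443, "198.51.100.0/24")],
        outbound=[(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")])
    return nacl.allows(BLOCKED_CLIENT)


if __name__ == "__main__":
    print("SG request/reply   :", security_group_demo())
    # Mirroring the inbound 443 rule on the outbound side is the classic mistake:
    # the reply goes to the client's ephemeral port 51234, not to port 443.
    print("NACL mirrored 443  :", nacl_demo([(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]))
    print("NACL ephemeral out :", nacl_demo([(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]))
    print("deny 90 before 100 :", nacl_deny_order_demo(90))
    print("deny 110 after 100 :", nacl_deny_order_demo(110))
```

The two NACL runs show why an outbound rule covering the ephemeral port range (1024-65535) is needed on a stateless filter, and the ordering runs show why a deny for a specific CIDR must carry a lower rule number than the broad allow it is meant to override.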

VPC Peering vs Transit Gateway

VPC Peering creates a one-to-one connection between two Amazon VPCs (same account or cross-account, same Region or cross-Region). Critically, VPC peering is non-transitive: if VPC-A peers with VPC-B, and VPC-B peers with VPC-C, then VPC-A cannot reach VPC-C through VPC-B. You would need a direct A-C peering. This explodes to N×(N-1)/2 connections at scale — the classic "mesh hell."

AWS Transit Gateway solves the mesh hell by acting as a hub-and-spoke router: every Amazon VPC, VPN, and Direct Connect attaches to one Transit Gateway, and traffic routes transitively between them via the hub. One Transit Gateway can connect thousands of Amazon VPCs. For any AWS network services question that says "five or more VPCs" or "multi-account at scale," the answer is almost always Transit Gateway, not VPC peering.

Classic Trap: VPC Peering Is Not Transitive — Even though VPC-A can reach VPC-B, and VPC-B can reach VPC-C, there is no path from VPC-A to VPC-C through VPC-B unless you create a direct A-C peering or put a Transit Gateway in the middle. This is the single most-asked AWS network services trap on CLF-C02. Mnemonic: "Peers don't forward packets for friends." Reference: https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html
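The trap is that people picture peerings as ordinary graph edges and walk them transitively. The following added example (written for this note, not AWS code; VPC names are made up) puts the mistaken mental model and the real forwarding rule side by side, and counts how many peerings a full mesh needs.

```python
"""Reachability under VPC peering (one hop only) versus a Transit Gateway hub.
Constructed example for this page, not AWS code; VPC names are made up."""
from collections import deque
from itertools import combinations


class VpcNetwork:
    def __init__(self):
        self.peerings = set()        # each peering is an unordered pair of VPCs
        self.tgw_attached = set()    # VPCs attached to a single Transit Gateway

    def peer(self, a, b):
        self.peerings.add(frozenset((a, b)))

    def attach_to_tgw(self, *vpcs):
        self.tgw_attached.update(vpcs)

    def can_reach(self, src, dst):
        """What AWS actually forwards: a peering carries traffic only between
        its own two VPCs, so a path is either a direct peering or a shared hub."""
        if src == dst or frozenset((src, dst)) in self.peerings:
            return True
        return src in self.tgw_attached and dst in self.tgw_attached

    def naive_reach(self, src, dst):
        """The mistaken mental model: treat peerings as graph edges and walk
        them transitively (breadth-first search)."""
        seen, queue = {src}, deque([src])
        while queue:
            cur = queue.popleft()
            if cur == dst:
                return True
            for pair in self.peerings:
                if cur in pair:
                    (nxt,) = pair - {cur}
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append(nxt)
        return False


def peerings_for_full_mesh(n):
    """Peering connections needed so every one of n VPCs reaches every other."""
    return n * (n - 1) // 2


def unreachable_pairs(net, vpcs):
    return [(a, b) for a, b in combinations(vpcs, 2) if not net.can_reach(a, b)]


def chain_demo():
    """A-B and B-C peered: naive model says A reaches C, AWS says no;
    attaching all three to a Transit Gateway makes it reachable."""
    net = VpcNetwork()
    net.peer("vpc-A", "vpc-B")
    net.peer("vpc-B", "vpc-C")
    before = (net.naive_reach("vpc-A", "vpc-C"), net.can_reach("vpc-A", "vpc-C"))
    net.attach_to_tgw("vpc-A", "vpc-B", "vpc-C")
    return before, net.can_reach("vpc-A", "vpc-C")


if __name__ == "__main__":
    print("chain A-B-C (naive, actual), then with TGW:", chain_demo())
    for n in (3, 5, 20):
        print(f"full mesh of {n} VPCs needs {peerings_for_full_mesh(n)} peerings")
```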

Amazon VPC Deep Dive — Components and Boundaries

Endpoints: Gateway vs Interface

VPC Endpoints let your Amazon VPC talk to AWS services over the AWS private network, bypassing the public internet. Gateway Endpoints support only S3 and DynamoDB and use a route-table prefix list (no charge). Interface Endpoints (powered by AWS PrivateLink) create an ENI in your subnet with a private IP and work for most AWS services. Interface endpoints are charged per hour plus per GB.

Elastic IPs and Public IPs

A Public IP is automatically assigned to an instance launched in a public subnet (if enabled) and is lost when the instance stops. An Elastic IP (EIP) is a static IPv4 address you own and can reassign between instances; EIPs that are allocated but not attached to a running instance incur an hourly charge — a classic AWS bill-surprise.

Amazon VPC Flow Logs

VPC Flow Logs capture metadata about IP traffic going in and out of network interfaces in your Amazon VPC. They are written to CloudWatch Logs or S3 and are used for security forensics, troubleshooting, and compliance. Flow Logs do not capture packet contents — only 5-tuple metadata plus action and bytes.
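Because Flow Logs are metadata only, the useful work is aggregation over the 5-tuple and action fields. The following added example (written for this note, not AWS code) parses records in the default version 2 format and runs two small detections over them: bytes accepted versus rejected, and sources rejected on many distinct ports within the window. The account ID, ENI ID and addresses are constructed; the NODATA record shows why the parser must tolerate "-" fields.

```python
"""Parser and two small detections over VPC Flow Log records in the default
(version 2) format. Constructed example for this page, not AWS code; the
account ID, ENI ID and addresses are made up."""
from collections import defaultdict

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr",
          "srcport", "dstport", "protocol", "packets", "bytes",
          "start", "end", "action", "log_status")
NUMERIC = ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end")

# Constructed sample: one source probing five ports and being rejected, one
# accepted HTTPS flow, and one NODATA record (no traffic in the window).
SAMPLE = """\
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 40112 22 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 40113 23 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 40114 3389 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 40115 445 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 198.51.100.23 10.0.1.5 40116 8080 6 1 44 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 203.0.113.5 10.0.1.5 51234 443 6 12 5210 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse_record(line):
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for key in NUMERIC:              # NODATA/SKIPDATA records carry '-' in these
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def parse_records(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def rejected_ports_by_source(records):
    """Distinct destination ports each source was REJECTed on."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return ports


def suspected_port_scans(records, min_ports=5):
    """Sources rejected on at least min_ports distinct ports in the window."""
    by_src = rejected_ports_by_source(records)
    return sorted(src for src, ports in by_src.items() if len(ports) >= min_ports)


def bytes_by_action(records):
    """Bytes per action, ignoring records that carry no traffic data."""
    totals = defaultdict(int)
    for r in records:
        if r["log_status"] == "OK":
            totals[r["action"]] += r["bytes"]
    return dict(totals)


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("records parsed      :", len(recs))
    print("bytes by action     :", bytes_by_action(recs))
    print("suspected port scans:", suspected_port_scans(recs))
```

The threshold in suspected_port_scans is a tuning knob, not an AWS setting; in practice you would run the same aggregation over a longer window from CloudWatch Logs Insights or Athena on the S3 copy.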

Amazon VPC Quick Numbers for CLF-C02

  • Default Amazon VPCs per Region: 5 (soft limit).
  • Subnet AZ mapping: 1 subnet = 1 AZ (never spans AZs).
  • Reserved IPs per subnet: 5 (first 4 and last 1 of the CIDR).
  • Security Groups: stateful, instance-level, allow-only.
  • NACLs: stateless, subnet-level, allow AND deny, evaluated in order.
  • Default NACL: allows all. Custom NACL: denies all.

Reference: https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html
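The "5 reserved IPs" and "1 subnet = 1 AZ" rules turn into arithmetic quickly. The following added example (written for this note, not AWS code) shows which five addresses a subnet loses, how many hosts remain, and a small per-AZ public/private subnet plan with the route table each tier would carry. The gateway IDs are placeholders, not real resource IDs.

```python
"""Subnet arithmetic behind the "5 reserved IPs" rule, plus a small
public/private subnet plan. Constructed example for this page, not AWS
code; gateway IDs are placeholders."""
import ipaddress
from itertools import product


def reserved_addresses(subnet_cidr):
    """The five addresses AWS keeps back in every subnet: the first four and the last."""
    net = ipaddress.ip_network(subnet_cidr)
    return {
        "network address": str(net[0]),
        "VPC router": str(net[1]),
        "Route 53 resolver": str(net[2]),
        "reserved for future use": str(net[3]),
        "broadcast (unused in VPC, still reserved)": str(net[-1]),
    }


def usable_hosts(subnet_cidr):
    net = ipaddress.ip_network(subnet_cidr)
    if not 16 <= net.prefixlen <= 28:
        raise ValueError("VPC subnets must be between /16 and /28")
    return net.num_addresses - 5


def plan_subnets(vpc_cidr, azs, tiers=("public", "private"), new_prefix=24):
    """One subnet per (tier, AZ), carved in order from the VPC block. A subnet
    lives in exactly one AZ, so each AZ gets its own public and private slice."""
    pool = ipaddress.ip_network(vpc_cidr).subnets(new_prefix=new_prefix)
    return {(tier, az): str(next(pool)) for tier, az in product(tiers, azs)}


def route_table(vpc_cidr, tier, az):
    """Routes a subnet of the given tier carries. Gateway IDs are placeholders."""
    routes = [(vpc_cidr, "local")]                 # intra-VPC traffic always stays local
    if tier == "public":
        routes.append(("0.0.0.0/0", "igw-PLACEHOLDER"))       # one Internet Gateway per VPC
    else:
        routes.append(("0.0.0.0/0", f"nat-PLACEHOLDER-{az}"))  # NAT Gateway is zonal: one per AZ
    return routes


if __name__ == "__main__":
    vpc = "10.0.0.0/16"
    azs = ["us-east-1a", "us-east-1b"]
    for k, v in reserved_addresses("10.0.1.0/24").items():
        print(f"{k:42s} {v}")
    print("usable hosts in /24:", usable_hosts("10.0.1.0/24"))
    print("usable hosts in /28:", usable_hosts("10.0.0.0/28"))
    for (tier, az), cidr in plan_subnets(vpc, azs).items():
        print(tier, az, cidr, route_table(vpc, tier, az))
```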

Amazon Route 53 — Managed DNS and Routing Policies

Amazon Route 53 is the managed DNS component of AWS network services, named after the DNS UDP port 53. It provides three main functions: domain registration (buy examhub.cc directly from AWS), authoritative DNS resolution (translate www.examhub.cc to an IP), and health checking (monitor endpoints and fail over when they go down). Route 53 has a 100% availability SLA — the highest SLA of any AWS service.

Route 53 Routing Policies

  1. Simple — one record, one or more values, no health checks. The default.
  2. Weighted — split traffic across multiple records by weight (for A/B testing or blue-green deployments).
  3. Latency-based — route the user to the AWS Region with the lowest measured latency (not necessarily the closest).
  4. Failover — active-passive: primary record serves traffic until a Route 53 health check marks it unhealthy, then traffic shifts to the secondary.
  5. Geolocation — route by the user's continent, country, or state (for content localization or regulatory compliance).
  6. Geoproximity — route by geographic distance with an optional bias (more advanced than geolocation).
  7. Multi-value answer — up to 8 healthy records returned in a single response (poor-man's load balancing).
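To make the policies concrete, here is an added example written for this note (not AWS code) that simulates how weighted, failover, latency-based and multi-value answers are chosen from a record set, including the rule that Route 53 treats every record as healthy when none is. Record names, targets, regions and latency figures are made up; the 80/20 split mirrors the blue/green example above.

```python
"""Simulation of the Route 53 routing policies listed above. Constructed
example for this page, not AWS code; record names, targets, regions and
latencies are made up."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    set_id: str        # identifies the record within a policy set
    value: str         # the IP or alias target returned to the resolver
    weight: int = 1    # used by the weighted policy
    region: str = ""   # used by the latency policy


def healthy_subset(records, health):
    """Unhealthy records are skipped, but if none is healthy Route 53 answers
    as if all were healthy rather than returning nothing."""
    alive = [r for r in records if health.get(r.set_id, True)]
    return alive or list(records)


def failover(primary, secondary, health):
    """Active-passive: the secondary answers only while the primary is unhealthy."""
    return primary.value if health.get(primary.set_id, True) else secondary.value


def weighted(records, health, rng):
    """Pick proportionally to weight; weight 0 drains a record unless all are 0."""
    alive = healthy_subset(records, health)
    total = sum(r.weight for r in alive)
    if total == 0:
        return rng.choice(alive).value
    return rng.choices(alive, weights=[r.weight for r in alive])[0].value


def latency(records, health, measured_ms):
    """measured_ms maps region -> latency observed from the resolver's location."""
    alive = healthy_subset(records, health)
    return min(alive, key=lambda r: measured_ms[r.region]).value


def multivalue(records, health, rng, limit=8):
    """Up to `limit` healthy records in one response."""
    alive = healthy_subset(records, health)
    picked = alive if len(alive) <= limit else rng.sample(alive, limit)
    return sorted(r.value for r in picked)


# Constructed record sets (targets use the reserved .invalid TLD).
PRIMARY = Record("use1-alb", "alb-use1.example.invalid", region="us-east-1")
SECONDARY = Record("euw1-alb", "alb-euw1.example.invalid", region="eu-west-1")
BLUE = Record("blue", "203.0.113.10", weight=80)
GREEN = Record("green", "203.0.113.20", weight=20)


def weighted_distribution(records, n=10000, seed=1, health=None):
    """How many answers each target receives over n queries."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(n):
        v = weighted(records, health or {}, rng)
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    print("weighted 80/20   :", weighted_distribution([BLUE, GREEN]))
    print("failover, primary up  :", failover(PRIMARY, SECONDARY, {}))
    print("failover, primary down:", failover(PRIMARY, SECONDARY, {"use1-alb": False}))
    print("latency from Europe   :", latency([PRIMARY, SECONDARY], {}, {"us-east-1": 90, "eu-west-1": 25}))
    pool = [Record(f"web{i}", f"198.51.100.{i}") for i in range(1, 11)]
    print("multivalue (max 8)    :", len(multivalue(pool, {}, random.Random(1))))
```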

Alias Records

An alias record is a Route 53-specific extension of the DNS A/AAAA record that points directly to AWS resources (ELB, CloudFront, S3 website, API Gateway, another Route 53 record) by name rather than IP. Alias records are free, while standard CNAMEs at the apex of a zone are illegal per DNS RFC — you must use alias. The alias rule is a CLF-C02 favorite.

Route 53 Health Checks

Health checks monitor an endpoint's health from multiple AWS locations and integrate with failover and weighted policies. You can health-check HTTP/HTTPS endpoints, TCP ports, other health checks (nested), and CloudWatch alarms.

Route 53 Alias Records Are Free and Required at the Zone Apex — Use an Alias record for examhub.cc (the zone apex) pointing to a CloudFront distribution or Application Load Balancer. A regular CNAME cannot coexist with the SOA and NS records at the zone apex, so alias is mandatory. Alias queries to AWS targets are also free, while standard DNS queries carry a small charge. Reference: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias-non-alias.html

Amazon CloudFront — The Global CDN

Amazon CloudFront is a content delivery network (CDN) with 600+ edge locations worldwide. When a user requests content, CloudFront serves it from the nearest edge location. If the content is not cached (cache miss), CloudFront fetches it from your origin — S3 bucket, ALB, EC2 instance, MediaStore, or any HTTP server — and caches it at the edge for the TTL duration.

Why CloudFront, Why Now

  • Performance: edge locations are physically close to users, cutting RTT from 200ms to 20ms.
  • Cost: each cache hit saves an origin request and the associated data transfer charge.
  • Security: integrates with AWS WAF (application-layer filtering), AWS Shield (DDoS protection), and Origin Access Control (lock S3 to CloudFront-only access).
  • TLS: free ACM certificates, modern cipher suites, and automatic rotation.

Signed URLs vs Signed Cookies

Both restrict access to premium content. Signed URLs protect a single file (think: one PDF download link). Signed Cookies protect a set of files (think: a video streaming session or an authenticated portal). Choose signed cookies when the number of files is large or unknown.

Origin Failover

Define a primary origin and a secondary origin. CloudFront automatically fails over to the secondary on specific HTTP status codes from the primary (for example 5xx). This gives the origin side of CloudFront a disaster-recovery pattern without requiring DNS failover.

CloudFront Is Not Just a CDN — It's a Security and Cost Optimizer — Putting CloudFront in front of an S3 website or ALB usually saves money (origin egress falls) and improves security (AWS WAF, AWS Shield Standard free tier, TLS termination at the edge). The common misconception is that CloudFront only matters for high-traffic global apps; even a small regional app benefits from the free AWS Shield Standard and origin protection. Reference: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Introduction.html

AWS Global Accelerator — Static Anycast IPs Over the AWS Backbone

AWS Global Accelerator gives you 2 static anycast IP addresses that act as a fixed front door for your application. Traffic hits the nearest AWS edge location, enters the AWS global network backbone, and traverses it privately to your application in a specific AWS Region — bypassing congested public internet paths.

CloudFront vs Global Accelerator — The Canonical Confusion

This is the second-most asked trap among AWS network services questions. Use this cheat sheet:

  • Protocol: CloudFront = HTTP/HTTPS only. Global Accelerator = any TCP or UDP.
  • Use case: CloudFront = cacheable web content (images, videos, APIs). Global Accelerator = non-web or non-cacheable traffic (gaming servers, VoIP, IoT, financial trading, multiplayer game state).
  • IP addresses: CloudFront = changing set of CloudFront IPs per distribution. Global Accelerator = 2 fixed anycast IPs (great for corporate firewalls that require IP allowlists).
  • Caching: CloudFront caches content at the edge. Global Accelerator does not cache; it only accelerates routing.
  • Failover: Both support regional failover; Global Accelerator shifts traffic away from unhealthy endpoints in under a minute.

AWS Direct Connect — Dedicated Private Connectivity

AWS Direct Connect is a dedicated physical network link from your on-premises datacenter (or colocation facility) into the AWS network, terminating at a Direct Connect location. It bypasses the public internet entirely.

Connection Types

  • Dedicated Connection: 1 Gbps, 10 Gbps, or 100 Gbps physical port allocated to you.
  • Hosted Connection: 50 Mbps to 10 Gbps provisioned through an AWS Direct Connect Partner; faster to set up than a dedicated connection.

Virtual Interfaces (VIFs)

Over a Direct Connect link you create VIFs:

  • Private VIF: reaches a specific Amazon VPC (via Virtual Private Gateway or Transit Gateway).
  • Public VIF: reaches AWS public services (S3, DynamoDB, etc.) over the dedicated link, not the internet.
  • Transit VIF: reaches a Direct Connect Gateway for multi-VPC access at scale.

Provisioning Reality

Ordering a new dedicated Direct Connect can take weeks to months because fiber has to be cross-connected in a physical colo. This is a CLF-C02 trap: if the scenario says "needs connectivity by end of the week," Direct Connect is the wrong answer — use Site-to-Site VPN first, then migrate to Direct Connect once it lights up.

Direct Connect vs VPN — The Decision Matrix

Dimension   | Direct Connect                                        | Site-to-Site VPN
------------|-------------------------------------------------------|------------------------------------------------
Medium      | Dedicated fiber                                       | Public internet
Encryption  | Not encrypted by default (add MACsec or VPN over DX)  | IPSec tunnel
Bandwidth   | Up to 100 Gbps, consistent                            | Up to 1.25 Gbps per tunnel, variable
Latency     | Low, consistent                                       | Variable
Setup time  | Weeks to months                                       | Minutes
Cost        | Port hours + data transfer                            | Tunnel hours + data transfer (usually cheaper)
Best for    | Production, compliance, large data                    | DR, dev/test, quick start

Direct Connect Is Not Encrypted by Default — Because Direct Connect is a private physical link, AWS does not encrypt traffic on it by default. If your compliance regime (HIPAA, PCI-DSS) requires encryption in transit, either enable MACsec (available on 10 Gbps and 100 Gbps) or run an IPSec VPN on top of the Direct Connect link. Assuming "private = encrypted" is a common exam and real-world mistake. Reference: https://docs.aws.amazon.com/directconnect/latest/UserGuide/encryption-options.html

AWS Site-to-Site VPN and AWS Client VPN

Site-to-Site VPN

Site-to-Site VPN creates an encrypted IPSec tunnel between your on-premises customer gateway device (a router or firewall that supports IPSec) and a Virtual Private Gateway (VGW) attached to your Amazon VPC, or a Transit Gateway. Each AWS Site-to-Site VPN connection includes two tunnels across two AZs for redundancy. Setup takes minutes and costs pennies per hour.

Use Site-to-Site VPN when:

  • You need connectivity fast.
  • Bandwidth requirements are modest (under 1.25 Gbps per tunnel).
  • Cost matters more than latency predictability.
  • Direct Connect is in-flight but not yet lit.

AWS Client VPN

AWS Client VPN is a managed OpenVPN-based service that lets individual end users (employees, contractors) connect their laptop or phone to your Amazon VPC over an encrypted tunnel. Authentication options include Active Directory, SAML federation, and mutual TLS. Think "corporate remote-access VPN" — different use case from Site-to-Site VPN which connects whole datacenters.

AWS VPN CloudHub

An older pattern where a single VGW terminates multiple Site-to-Site VPNs, and branch offices talk to each other via AWS. Largely superseded by Transit Gateway, but still in the CLF-C02 scope.

AWS Transit Gateway — The Network Hub

AWS Transit Gateway is a regional hub that connects Amazon VPCs, Direct Connect gateways, and Site-to-Site VPNs. Every attachment talks to the Transit Gateway; the Transit Gateway handles transit routing between them. Key properties:

  • Scales to thousands of Amazon VPCs in a hub-and-spoke topology.
  • Route tables per attachment let you build segmentation (for example, block prod-VPC from reaching dev-VPC even though both are attached).
  • Transit Gateway Peering extends the hub across AWS Regions.
  • Shared via AWS Resource Access Manager (RAM) so multiple AWS accounts can attach their VPCs to a central Transit Gateway.

Transit Gateway is the correct AWS network services answer whenever a scenario mentions multi-account, multi-region, many VPCs, or transitive routing.
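The segmentation property is the one that matters in production: a Transit Gateway only routes transitively where its route tables say so. The following added example (written for this note, not AWS code; attachment names and CIDRs are made up) models attachments, route table association and propagation with longest-prefix lookup, and contrasts a flat single-table hub with a segmented one that keeps prod and dev apart while both reach a shared VPN attachment.

```python
"""Toy model of Transit Gateway routing: each attachment is associated with one
TGW route table, and a table learns routes through propagation. Constructed
example for this page, not AWS code; names and CIDRs are made up."""
import ipaddress


class TransitGateway:
    def __init__(self):
        self.attachments = {}    # attachment name -> its CIDR (ip_network)
        self.associations = {}   # attachment name -> route table it is associated with
        self.tables = {}         # route table name -> {network: target attachment}

    def attach(self, name, cidr, associate_with):
        self.attachments[name] = ipaddress.ip_network(cidr)
        self.associations[name] = associate_with
        self.tables.setdefault(associate_with, {})

    def propagate(self, attachment, table):
        """Advertise the attachment's CIDR into a route table."""
        self.tables.setdefault(table, {})[self.attachments[attachment]] = attachment

    def next_hop(self, src_attachment, dst_ip):
        """Longest-prefix lookup in the table associated with the source.
        Returns the target attachment, or None when the traffic is dropped."""
        table = self.tables[self.associations[src_attachment]]
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net.prefixlen, target) for net, target in table.items() if ip in net]
        return max(matches)[1] if matches else None


ATTACHMENTS = [("prod-a", "10.10.0.0/16"), ("prod-b", "10.11.0.0/16"),
               ("dev", "10.20.0.0/16"), ("shared-vpn", "192.168.0.0/16")]


def build_flat_tgw():
    """Everything associated with and propagated into one table: fully transitive."""
    tgw = TransitGateway()
    for name, cidr in ATTACHMENTS:
        tgw.attach(name, cidr, "rt-default")
    for name, _ in ATTACHMENTS:
        tgw.propagate(name, "rt-default")
    return tgw


def build_segmented_tgw():
    """Prod and dev get their own tables; only the shared attachment sees both."""
    tgw = TransitGateway()
    tgw.attach("prod-a", "10.10.0.0/16", "rt-prod")
    tgw.attach("prod-b", "10.11.0.0/16", "rt-prod")
    tgw.attach("dev", "10.20.0.0/16", "rt-dev")
    tgw.attach("shared-vpn", "192.168.0.0/16", "rt-shared")
    for name in ("prod-a", "prod-b", "shared-vpn"):
        tgw.propagate(name, "rt-prod")          # prod learns prod and shared only
    for name in ("dev", "shared-vpn"):
        tgw.propagate(name, "rt-dev")           # dev learns dev and shared only
    for name, _ in ATTACHMENTS:
        tgw.propagate(name, "rt-shared")        # shared services reach everyone
    return tgw


def reachability_matrix(tgw):
    """Which attachment each source can reach, probing one host in each CIDR."""
    matrix = {}
    for src, _ in ATTACHMENTS:
        for dst, cidr in ATTACHMENTS:
            if src != dst:
                probe = str(ipaddress.ip_network(cidr)[10])
                matrix[(src, dst)] = tgw.next_hop(src, probe) == dst
    return matrix


if __name__ == "__main__":
    for label, tgw in (("flat", build_flat_tgw()), ("segmented", build_segmented_tgw())):
        print(label)
        for (src, dst), ok in reachability_matrix(tgw).items():
            print(f"  {src:10s} -> {dst:10s} {'reachable' if ok else 'dropped'}")
```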

Other AWS Network Services to Recognize

Even though Task 3.5 centers on VPC, Route 53, CloudFront, VPN, and Direct Connect, CLF-C02 can present these as distractors:

  • Amazon API Gateway — managed service for publishing HTTP REST and WebSocket APIs. Not part of Amazon VPC plumbing, but often listed alongside.
  • AWS App Mesh — service mesh for microservices; recognition-level only.
  • AWS Cloud Map — service discovery for AWS cloud resources.
  • AWS PrivateLink — exposes your service privately to other Amazon VPCs via an Interface Endpoint, without peering.
  • AWS Network Firewall — managed stateful firewall at the VPC level (deeper than Security Groups/NACLs).
  • Elastic Load Balancing (ELB) — ALB (layer 7), NLB (layer 4), GWLB (layer 3 for security appliances). Listed under AWS network services because it lives inside VPC subnets.

Side-by-Side: AWS Network Services Cheat Sheet

Scenario                                 | Correct AWS Network Service
-----------------------------------------|-----------------------------
Isolated virtual network in AWS          | Amazon VPC
DNS + domain registration                | Amazon Route 53
Global CDN for web content               | Amazon CloudFront
Static IPs for TCP/UDP game server       | AWS Global Accelerator
Dedicated 10 Gbps link to datacenter     | AWS Direct Connect
Quick encrypted tunnel to on-prem        | AWS Site-to-Site VPN
Laptop VPN for remote employees          | AWS Client VPN
Connect 50 VPCs in a hub                 | AWS Transit Gateway
Private API exposure cross-account       | AWS PrivateLink
Inbound instance firewall                | Security Group
Subnet-level ACL with deny rules         | Network ACL (NACL)

Common Exam Traps for AWS Network Services

  1. VPC Peering is NOT transitive — pick Transit Gateway for multi-VPC mesh.
  2. Security Groups are stateful, NACLs are stateless — opposites.
  3. Security Groups have allow-only rules; NACLs support deny — critical for blacklisting an IP.
  4. Direct Connect is not encrypted by default — add MACsec or IPSec VPN-over-DX.
  5. CloudFront for HTTP content; Global Accelerator for TCP/UDP — protocol is the quickest discriminator.
  6. Route 53 Alias is free and mandatory at the zone apex — standard CNAME fails at apex.
  7. NAT Gateway is zonal, not regional — deploy per AZ for HA.
  8. Elastic IPs charge when unattached — a common bill-shock path.
  9. Direct Connect takes weeks to provision — never the answer for "urgent."
  10. One subnet = one AZ — subnets never span Availability Zones.

The Big Three Network Distinctions for CLF-C02 — On exam day, if you only memorize three things about AWS network services, make them:

  1. VPC Peering ≠ transitive; Transit Gateway = transitive.
  2. Security Group = stateful/instance; NACL = stateless/subnet.
  3. CloudFront = HTTP edge cache; Global Accelerator = static IPs for TCP/UDP via AWS backbone. Reference: https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/introduction.html

AWS Network Services vs Global Infrastructure — The 3.5 vs 3.2 Boundary

CLF-C02 splits AWS network services across two task statements. Task 3.2 (Global Infrastructure) owns the Regions, AZs, and Edge Locations concept. Task 3.5 (AWS network services) owns the services that run on that infrastructure — Amazon VPC, Route 53, CloudFront, Direct Connect, VPN. The overlap is CloudFront: it is a service (3.5) that lives in Edge Locations (3.2). When a question centers on "where does the infrastructure live?" it is 3.2; when it asks "which service do I pick?" it is 3.5.

AWS Network Services vs Security Services — The 3.5 vs 2.4 Boundary

Amazon VPC Security Groups, NACLs, and Network Firewall are technically network services but also appear in the Security Domain (2.4). On CLF-C02, Security Groups and NACLs are most commonly tested as AWS network services (3.5), while AWS WAF, AWS Shield, and Network Firewall are more often tested under Security (2.4). If both could apply, the right domain is the one matching the task statement language.

Practice Question Patterns for AWS Network Services

Expect CLF-C02 to drill AWS network services in these shapes:

  • Service-selection: "Which AWS network services provide X?" → direct recall.
  • Two-option trap: "CloudFront vs Global Accelerator for a UDP game server?" → protocol discriminator.
  • Stateful/stateless: "Which control allows a deny rule at subnet level?" → NACL.
  • Transitive routing: "A has peer to B, B has peer to C, can A reach C?" → no, use Transit Gateway.
  • Hybrid connectivity: "Urgent DR link, encrypted, low cost?" → Site-to-Site VPN, not Direct Connect.
  • DNS routing policy: "Primary-secondary failover based on health check?" → Route 53 failover policy.

FAQ — AWS Network Services Top Questions

Q1: What is the difference between a Security Group and a NACL in Amazon VPC?

A Security Group is a stateful firewall attached to individual resources (EC2 instances, ENIs, RDS) and supports allow rules only; return traffic is automatically permitted. A NACL is a stateless firewall attached to an entire subnet, supports both allow and deny rules, and requires explicit rules for return traffic. Security Groups are the primary defense; NACLs are a secondary subnet-wide filter and the place to blacklist a specific IP.

Q2: When should I choose AWS Direct Connect over AWS Site-to-Site VPN?

Choose Direct Connect when you need consistent bandwidth above roughly 1 Gbps, predictable low latency, compliance that forbids the public internet, or sustained high data transfer volumes where DX egress pricing beats VPN. Choose Site-to-Site VPN when you need connectivity in minutes, bandwidth under 1.25 Gbps, or as a cheap redundant backup to Direct Connect. A common production pattern is DX primary + VPN secondary.

Q3: Is Amazon CloudFront the same as AWS Global Accelerator?

No. CloudFront is a CDN that caches HTTP/HTTPS content at edge locations; Global Accelerator provides two static anycast IPs that route TCP and UDP traffic over the AWS backbone without caching. Use CloudFront for cacheable web content, static assets, and APIs. Use Global Accelerator for real-time non-HTTP workloads like gaming, IoT, VoIP, and any scenario requiring fixed IPs for firewall allowlists.

Q4: Why is VPC Peering called non-transitive, and how do I get around it?

VPC Peering only forwards packets between the two directly peered VPCs. If VPC-A peers with VPC-B, and VPC-B peers with VPC-C, VPC-A cannot reach VPC-C through VPC-B — AWS will not forward transit traffic. To enable transitive routing at scale, use AWS Transit Gateway as a central hub; every VPC attaches once, and traffic routes transitively through the hub's route tables.

Q5: What Route 53 routing policy should I pick for global disaster recovery?

Use the failover routing policy with a Route 53 health check on the primary endpoint. The primary record (for example, an ALB in us-east-1) serves traffic until its health check fails; Route 53 then shifts DNS responses to the secondary record (an ALB in eu-west-1). For more than two regions or latency optimization, combine failover with latency-based or weighted policies via nested records.

Q6: Do I need to put CloudFront in front of my S3 static website?

Strongly yes. CloudFront gives you free AWS Shield Standard DDoS protection, global edge caching (faster for users, cheaper for you on origin egress), free ACM TLS certificates with auto-rotation, and Origin Access Control to lock the S3 bucket so only CloudFront can read it. Serving S3 directly over the public S3 website endpoint misses every one of those benefits.

Q7: How is AWS PrivateLink different from VPC Peering?

PrivateLink exposes a specific service from one VPC to another using an Interface Endpoint (an ENI with a private IP) without any peering or route-table changes. It is unidirectional (service-consumer model) and scales to thousands of consumers without exploding route tables. VPC Peering is bidirectional, exposes the entire CIDR range, and does not scale as cleanly. Use PrivateLink for SaaS-style service exposure; use peering or Transit Gateway for general-purpose VPC-to-VPC connectivity.

Further Reading

  • AWS VPC Connectivity Options Whitepaper
  • Amazon Route 53 Developer Guide (all chapters on routing policies)
  • Amazon CloudFront Developer Guide (Getting Started and Security sections)
  • AWS Direct Connect Resiliency Recommendations Whitepaper
  • AWS Transit Gateway Design Best Practices Whitepaper
  • AWS Well-Architected Framework — Reliability and Security Pillars

Master these AWS network services — Amazon VPC, Route 53, CloudFront, AWS Global Accelerator, AWS Direct Connect, AWS Site-to-Site VPN, AWS Client VPN, and AWS Transit Gateway — and Task 3.5 of the CLF-C02 exam becomes a reliable scoring zone rather than a minefield. The canonical AWS network services traps (VPC peering non-transitivity, Security Groups vs NACLs, CloudFront vs Global Accelerator, Direct Connect vs VPN) are recurring questions; prepare the mental models now and you will recognize them on sight. Good luck on your CLF-C02 AWS network services questions.
